Description:

Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.


Rationale:

Enabling Azure Defender for Container Registries allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).


Impact:

By enabling Azure Defender for Container Registries, it scans all images when they are pushed to the registry, imported into the registry, or pulled within the last 30 days. You will be charged for every image that gets scanned, once per image.

Note: Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.


Default Value:

By default, Azure Defender is set to Off.


Audit:

  1. Sign in to your Azure account.

  2. Go to Security Center

  3. Select Pricing & settings blade

  4. Click on the appropriate subscription name for which you want to turn on Azure Defender

  5. Select the Azure Defender plans blade

  6. Review the chosen pricing tier. For the Container Registries resource type, the Plan should be set to On


Using Azure Command Line Interface 2.0

Ensure the output of the below command is Standard

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01' | jq '.value[] | select(.name=="ContainerRegistry") | .properties.pricingTier'

Using Powershell:

# Sign in first; the Az module cmdlet for this is Connect-AzAccount (there is no Get-AzAccount)
Connect-AzAccount
Get-AzSecurityPricing | Where-Object {$_.Name -eq 'ContainerRegistry'} | Select-Object Name, PricingTier

Ensure the output shows Name ContainerRegistry with PricingTier Standard


Remediation:

Pre-requisites:

  1. An Azure account

  2. An Azure Defender plan for the Enhanced security plan (Azure Defender is free for the first 30 days. At the end of 30 days, if you choose to continue using the service, you will automatically be charged for usage).

Implementation Steps:

  1. Go to Security Center

  2. Select Pricing & settings blade

  3. Click on the subscription name

  4. Select the Azure Defender plans blade

  5. Review the chosen pricing tier. For the Container Registries type, the Plan should be set to On. Click on Save


Using Azure Command Line Interface 2.0

Use the below command to enable the Standard pricing tier for Container Registries

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/ContainerRegistry?api-version=2018-06-01 -d@"input.json"'

Where input.json contains the Request body json data as mentioned below

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/pricings/ContainerRegistry",
  "name": "ContainerRegistry",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard"
  }
}
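The audit check (select the ContainerRegistry entry from the pricings list and compare its pricingTier to Standard) and the remediation request (PUT the same resource with pricingTier Standard, or Free for the backout plan) can be expressed as a small script. The following is an added example, not part of the benchmark text or any Microsoft tooling; it runs against a constructed copy of the pricings REST response with a placeholder subscription id, so it works offline, and the apply_locally helper only simulates the PUT's effect on that saved listing.

```python
# Added example (not part of the benchmark text): audit and remediation logic for
# the Microsoft.Security/pricings "ContainerRegistry" plan, run against a
# constructed copy of the REST response so it works offline.
import json
from typing import Optional, Tuple

API_VERSION = "2018-06-01"          # api-version used by the benchmark's REST calls
PLAN_NAME = "ContainerRegistry"     # pricing name the audit step selects on
PLAN_TYPE = "Microsoft.Security/pricings"

# Constructed sample of GET .../providers/Microsoft.Security/pricings for a
# subscription where Container Registries are still on the Free tier.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder id
SAMPLE_PRICINGS_RESPONSE = json.dumps({
    "value": [
        {
            "id": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/providers/{PLAN_TYPE}/VirtualMachines",
            "name": "VirtualMachines",
            "type": PLAN_TYPE,
            "properties": {"pricingTier": "Standard"},
        },
        {
            "id": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/providers/{PLAN_TYPE}/{PLAN_NAME}",
            "name": PLAN_NAME,
            "type": PLAN_TYPE,
            "properties": {"pricingTier": "Free"},
        },
    ]
})


def pricing_tier(response_body: str, name: str = PLAN_NAME) -> Optional[str]:
    """Same selection as the audit step's jq filter: the pricingTier of the
    entry whose name matches, or None if the plan is absent from the list."""
    for item in json.loads(response_body).get("value", []):
        if item.get("name") == name:
            return item.get("properties", {}).get("pricingTier")
    return None


def is_compliant(response_body: str) -> bool:
    """The control passes only when the ContainerRegistry plan is Standard."""
    return pricing_tier(response_body) == "Standard"


def pricing_request(subscription_id: str, tier: str = "Standard") -> Tuple[str, dict]:
    """Build the PUT URL and request body the remediation step sends via curl.
    tier="Standard" enables Azure Defender; tier="Free" is the backout plan."""
    resource_id = f"/subscriptions/{subscription_id}/providers/{PLAN_TYPE}/{PLAN_NAME}"
    url = f"https://management.azure.com{resource_id}?api-version={API_VERSION}"
    body = {
        "id": resource_id,
        "name": PLAN_NAME,
        "type": PLAN_TYPE,
        "properties": {"pricingTier": tier},
    }
    return url, body


def apply_locally(response_body: str, body: dict) -> str:
    """Simulate the effect of the PUT on a saved pricings listing, so the audit
    can be re-run against the expected post-change state without calling Azure."""
    doc = json.loads(response_body)
    for item in doc.get("value", []):
        if item.get("name") == body["name"]:
            item["properties"] = dict(body["properties"])
    return json.dumps(doc)


if __name__ == "__main__":
    print("before:", pricing_tier(SAMPLE_PRICINGS_RESPONSE),
          "compliant:", is_compliant(SAMPLE_PRICINGS_RESPONSE))
    url, body = pricing_request(SAMPLE_SUBSCRIPTION)
    print("PUT", url)
    print(json.dumps(body, indent=2))
    after = apply_locally(SAMPLE_PRICINGS_RESPONSE, body)
    print("after:", pricing_tier(after), "compliant:", is_compliant(after))
```

To use this against a real subscription, feed pricing_tier the body returned by the GET call in the Audit section and send the url and body from pricing_request with the PUT call in the Remediation section; the same function with tier="Free" produces the request for the Backout Plan.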


Backout Plan:

  1. Go to Security Center

  2. Select Pricing & settings blade

  3. Click on the subscription name

  4. Select the Azure Defender plans blade

  5. Ensure that Azure Defender is set to Off for Container Registries; this reverts the change


References:

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities

  2. Pricings - List - REST API (Azure Security Center) 

  3. Pricings - Update - REST API (Azure Security Center) 

  4. https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing

  5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-endpoint-security#es-1-use-endpoint-detection-and-response-edr