Description:

Enable automatic provisioning of the Microsoft Defender for Containers components.


Rationale:

As with any compute resource, Container environments require hardening and run-time protection to ensure safe operations and detection of threats and vulnerabilities.


Impact:

Microsoft Defender for Containers will require additional licensing.


Audit:

From Azure Portal

1. From Azure Home select the Portal Menu

2. Select Microsoft Defender for Cloud

3. Then Environment Settings

4. Select a subscription

5. Then Auto Provisioning in the left column.

6. Ensure that Microsoft Defender for Containers components is set to On

Repeat the above for any additional subscriptions.


Remediation:

From Azure Portal

1. From Azure Home select the Portal Menu

2. Select Microsoft Defender for Cloud

3. Then Environment Settings

4. Select a subscription

5. Then Auto Provisioning in the left column.

6. Set Microsoft Defender for Containers components to On
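The portal steps in the Audit and Remediation sections above can be checked programmatically against the JSON that the Microsoft.Security REST endpoints listed in the References return. The following Python is an added example, not part of this benchmark recommendation or of any Microsoft tooling. It assumes the response shapes of the referenced APIs (the Containers plan under `Microsoft.Security/pricings` exposing `properties.pricingTier`, and the `default` resource under `autoProvisioningSettings` exposing `properties.autoProvision` as `On`/`Off`), and it assumes the Azure CLI commands `az security pricing create` and `az security auto-provisioning-setting update` as the scripted equivalent of the portal remediation; the subscription IDs and API responses below are constructed sample data. It goes slightly beyond the page by also checking that the Containers plan is on the Standard tier, since auto provisioning of the Defender for Containers components presupposes the plan is enabled.

```python
import json

# Expected values (assumed from the Microsoft.Security REST API response shapes).
REQUIRED_TIER = "Standard"      # Microsoft.Security/pricings/Containers -> properties.pricingTier
REQUIRED_AUTOPROVISION = "On"   # autoProvisioningSettings/default   -> properties.autoProvision

# Scripted equivalents of the portal remediation steps (assumed Azure CLI syntax).
REMEDIATION_PRICING = (
    "az security pricing create --name Containers --tier Standard --subscription {sub}"
)
REMEDIATION_AUTOPROV = (
    "az security auto-provisioning-setting update --name default "
    "--auto-provision On --subscription {sub}"
)


def audit_subscription(subscription_id, containers_pricing, autoprov_setting):
    """Audit one subscription and return {subscription, compliant, findings}.

    containers_pricing: parsed JSON of the Containers pricing resource
    autoprov_setting:   parsed JSON of the 'default' autoProvisioningSettings resource
    Missing or malformed properties are treated as non-compliant (observed = None).
    """
    findings = []

    tier = containers_pricing.get("properties", {}).get("pricingTier")
    if tier != REQUIRED_TIER:
        findings.append({
            "check": "Microsoft Defender for Containers plan",
            "observed": tier,
            "expected": REQUIRED_TIER,
            "remediation": REMEDIATION_PRICING.format(sub=subscription_id),
        })

    state = autoprov_setting.get("properties", {}).get("autoProvision")
    if state != REQUIRED_AUTOPROVISION:
        findings.append({
            "check": "Auto provisioning of Defender for Containers components",
            "observed": state,
            "expected": REQUIRED_AUTOPROVISION,
            "remediation": REMEDIATION_AUTOPROV.format(sub=subscription_id),
        })

    return {
        "subscription": subscription_id,
        "compliant": not findings,
        "findings": findings,
    }


def audit_all(snapshot):
    """Apply the check to every subscription ('Repeat the above for any additional subscriptions')."""
    return [
        audit_subscription(s["subscriptionId"], s["containersPricing"], s["autoProvisioning"])
        for s in snapshot
    ]


# Constructed sample data: one compliant subscription, one that fails both checks.
SAMPLE_SNAPSHOT = [
    {
        "subscriptionId": "00000000-0000-0000-0000-000000000001",
        "containersPricing": {"name": "Containers", "properties": {"pricingTier": "Standard"}},
        "autoProvisioning": {"name": "default", "properties": {"autoProvision": "On"}},
    },
    {
        "subscriptionId": "00000000-0000-0000-0000-000000000002",
        "containersPricing": {"name": "Containers", "properties": {"pricingTier": "Free"}},
        "autoProvisioning": {"name": "default", "properties": {"autoProvision": "Off"}},
    },
]


if __name__ == "__main__":
    # Prints one result object per subscription, with the remediation command for each failed check.
    print(json.dumps(audit_all(SAMPLE_SNAPSHOT), indent=2))
```

In practice the two JSON documents per subscription would come from the REST endpoints in the References (or from `az security pricing show --name Containers -o json` and `az security auto-provisioning-setting show --name default -o json`, assuming those commands in your CLI version); the remediation strings are emitted rather than executed so the output can be reviewed before any change is applied.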


Default Value:

By default, Microsoft Defender for Containers is disabled. If Defender for Containers is enabled from the Microsoft Defender for Cloud portal, auto provisioning will be enabled.


References:

1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction

2. https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-containers

3. https://msdn.microsoft.com/en-us/library/mt704062.aspx

4. https://msdn.microsoft.com/en-us/library/mt704063.aspx

5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list

6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create

7. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-incident-response#ir-2-preparation--setup-incident-notification