AKS Sentinel analytics rules

Hello, I have enabled diagnostic settings on AKS clusters and am sending data to a Sentinel workspace according to the article here: Monitoring Azure Kubernetes Service (AKS) with Microsoft Sentinel - Microsoft Community Hub

I can see that there are some query rule examples in the article, but obviously we need more than those examples. I have tried searching around different GitHub repositories for some examples, but I am not able to find anything.

From the same article, I can see that there is a possibility to enable container Defender plans and then stream Defender for Cloud security alerts into Sentinel. This also certainly seems like a good option.

Do any of you have AKS connector enabled? If so, can you share some rules that you have running? Also, please let me know if best practice is to use container defender plans.

best response confirmed by Tobias_Moe (Copper Contributor)
Solution

Hey @Tobias_Moe 

The best way to go here is to use Defender Plans - Containers.

Streaming logs into Sentinel, especially from an AKS cluster, can be costly, and the Defender Plan is a much cheaper approach, especially if you are running a large cluster instance.

Defender for Cloud will automatically generate any security alerts based on MITRE ATT&CK that can be streamed into Sentinel without the hassle of creating use-cases for monitoring an AKS using logs only. Most of the logs will be useless to you.

But in saying this, if there is a requirement to stream logs from an AKS cluster into Sentinel, check out the containers MITRE ATT&CK framework for alerting that could be created here.

This should give you some good ideas.
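For the case the reply leaves open (a requirement to keep streaming AKS logs and write your own rules), here is one scheduled analytics rule query as an added example; it is not from the thread or from Microsoft's article. It assumes the cluster's `kube-audit` diagnostic category is routed to the workspace and lands in the `AzureDiagnostics` table with the raw Kubernetes audit event JSON in the `log_s` column, and the allow-listed service account name is a placeholder.

```kql
// Added example (not from the original thread): surface interactive
// exec/attach sessions into pods, a common hands-on-keyboard signal
// that pure Defender alerts may not itemise per user and source IP.
// Assumption: kube-audit events arrive in AzureDiagnostics, JSON in log_s.
AzureDiagnostics
| where Category == "kube-audit"
| extend event = parse_json(log_s)
// Only the completed request, so each session is counted once
| where tostring(event.stage) == "ResponseComplete"
| where tostring(event.verb) == "create"
| where tostring(event.objectRef.resource) == "pods"
| where tostring(event.objectRef.subresource) in ("exec", "attach")
| extend
    Cluster    = tostring(Resource),
    Namespace  = tostring(event.objectRef.namespace),
    Pod        = tostring(event.objectRef.name),
    User       = tostring(event.user.username),
    SourceIP   = tostring(event.sourceIPs[0]),
    StatusCode = toint(event.responseStatus.code)
// Drop known automation identities (placeholder value, replace with your own)
| where User !in ("system:serviceaccount:kube-system:example-automation")
// One row per user / source IP / namespace per hour, listing the pods touched
| summarize
    SessionCount = count(),
    Pods         = make_set(Pod, 20),
    StatusCodes  = make_set(StatusCode, 5),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by Cluster, Namespace, User, SourceIP, bin(TimeGenerated, 1h)
| project-reorder FirstSeen, LastSeen, Cluster, Namespace, User, SourceIP,
    SessionCount, Pods, StatusCodes
```

When saving this as a scheduled rule, map `User` to the Account entity and `SourceIP` to the IP entity so the resulting incidents correlate with Defender for Cloud alerts on the same cluster.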
