What Is Azure Sentinel?
Microsoft Sentinel is a cloud native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. It provides security analytics, threat intelligence, threat visibility, attack detection, proactive hunting, and threat response.
It builds on Azure services, natively incorporating proven foundations, such as Logic Apps and Log Analytics. It enriches investigation and detection with artificial intelligence (AI) and Microsoft’s threat intelligence stream and also allows you to use your threat intelligence.
Enterprises employ Azure Sentinel to get a centralized overview of the threat landscape. Sentinel collects data across all users, applications, infrastructure, and devices on-premises and in multiple clouds.
Sentinel leverages Microsoft’s analytics and threat intelligence to detect threats and minimize false positives and uses AI to investigate threats and hunt for suspicious activities. It responds to incidents quickly using built-in orchestration and automation of common tasks.
What Is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service (AKS) offloads the operational overhead of deploying a Kubernetes cluster to Azure. This hosted Kubernetes service handles operational tasks such as health monitoring and maintenance and managing Kubernetes. Customers only need to manage and maintain agent nodes.
AKS is free, billing customers only for agent nodes within a cluster. Once you deploy an AKS cluster, Azure configures and deploys a Kubernetes master and nodes. You can configure various features during the Kubernetes deployment process, including advanced networking, monitoring, and Azure Active Directory (Azure AD) integration.
Monitoring Azure Kubernetes Service (AKS) with Microsoft Sentinel
You can set up AKS monitoring with Microsoft Sentinel by applying the following steps:
Enable Sentinel and connect your data sources
Sentinel provides connectors for Microsoft solutions, making them available out of the box with real-time integration, including:
- Microsoft 365 Defender
- Microsoft 365 sources
- Azure AD
- Microsoft Defender for Identity
- Microsoft Cloud App Security
To connect non-Microsoft solutions and various data sources, you can use built-in connectors, the common event format (CEF), REST-API, or Syslog.
Choose expertly created workbooks
Once you connect your data sources, you can choose from various workbooks that help surface insights according to your data. You can easily customize these workbooks to your needs.
Use templates for threat detection
Sentinel sifts through your data sources and notifies you of a suspicious event. You can use built-in templates to create threat detection rules designed by Microsoft security experts and analysts according to known threats, suspicious activity escalation chains, and common attack vectors.
Rules created from threat detection templates automatically search across the environment for suspicious activities. You can customize the templates to search for certain activities or filter them out. These rules generate alerts that create incidents, which you can assign and investigate in your own environment.
Monitoring your AKS cluster
You can use various sources to monitor your AKS cluster. Here is a diagram that illustrates how different sources integrate into Sentinel:
Azure Security Center (ASC) AKS Threat Protection
Azure Security Center Standard includes built-in threat protection for the resources it monitors. It provides an optional Kubernetes bundle. Once you enable the bundle, ASC threat protection monitors the AKS cluster for suspicious activity. You can enable the bundle in ASC by following these steps:
- Navigate to Pricing & settings
- Choose a subscription
- Ensure Kubernetes is enabled as a resource type (see the image below)
If you already connected ASC threat alerts to your Sentinel workspace using the native ASC connector, these AKS alerts are sent directly into Sentinel. ASC can detect various threats in AKS clusters, including containers with a sensitive volume mount, an exposed Kubernetes dashboard, and digital currency mining containers.
Azure Diagnostics Logs
Azure Diagnostic Logs are logs that are emitted by resources in Azure and provide insights into the operation of those resources. Diagnostic logs can be used to troubleshoot issues, monitor the health of resources, and identify patterns of usage.
There are several types of diagnostic logs that can be collected in Azure:
- Activity logs: These logs provide information about the operations that have been performed on a resource.
- Metric logs: These logs provide information about the performance and health of a resource.
- Resource logs: These logs are specific to a resource type and provide resource-specific information.
Diagnostic logs can be collected using Azure Monitor, which is a service that enables you to collect, analyze, and act on data from a wide range of sources. Alternatively, you can forward these logs to your Log Analytics workspace. You can retrieve logs from AKS for Kubernetes components such as kube-apiserver, kube-controller-manager, kube-scheduler, kube-audit, and cluster-autoscaler.
Once the logs are visible in your AzureDiagnostics table, you can run detections. .
Here is a basic query that you can use in Azure Sentinel to look at NGINX logs for a specific pod:
| where PodName contains “nginx”
| extend Pod = parse_json(Pod)
| extend Container = parse_json(Pod.spec.containers)
| extend Image = Container.image
| extend ImageName = extract(“(.+):.+”, 1, Image)
| project PodName, ImageName
This query will search the KubernetesPodInventory table for rows where the PodName field contains the string “nginx”, and it will extract the PodName and ImageName fields for those rows. The extend clauses are used to parse the JSON objects in the Pod and Container fields, and extract the image field from the Container object. The extract function is then used to extract the image name from the Image field.
Here is an example of a security-focused query that you can run on logs collected from Azure Kubernetes Service (AKS):
| where Level == “Warning”
| where EventType == “Exec”
| extend User = parse_json(User)
| project TimeGenerated, User.username, Namespace, Resource, Action
This query will search the KubernetesAudit table for rows where the Level field is “Warning” and the EventType field is “Exec”. It will then extract the TimeGenerated, username, Namespace, Resource, and Action fields for those rows, and parse the User field into a JSON object so that the username field can be extracted.
This query will return a list of audit events that correspond to warning-level exec events, which could include things like attempts to execute a command in a container or access a shell in a pod. You can use this query to identify suspicious activity and investigate further.
In conclusion, Azure Sentinel is a powerful tool for protecting Kubernetes deployments. Its advanced security analytics capabilities and integration with a wide range of data sources make it well-suited for detecting and responding to threats in Kubernetes environments. By collecting logs and other data from your Kubernetes cluster and using Azure Sentinel to monitor and analyze that data, you can gain valuable insights into the operation of your cluster and identify potential security issues before they become a problem.
Additionally, the ability to create alerts and take automated actions based on the data in your logs can help you to respond to threats in a timely and effective manner, reducing the risk of a breach or other security incident.