Azure Sentinel: What is it?
Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. It provides threat intelligence, threat detection, proactive hunting and threat response.
This service builds upon Azure services and natively incorporates proven foundations such as Log Analytics and Logic Apps. It enriches detection and investigation with artificial intelligence (AI) and Microsoft’s threat intelligence stream, and it also lets you bring your own threat intelligence.
To give an overview of all threats, Sentinel gathers data from all devices, users, applications and infrastructure, both on-premises and across multiple clouds.
Sentinel uses Microsoft’s threat intelligence and analytics to identify threats and reduce false positives. It also employs AI to search for suspicious activity and investigate potential threats. Built-in orchestration allows it to respond to incidents quickly and to automate common tasks.
What Is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service is a managed service that offloads the overhead of deploying and operating Kubernetes clusters to Azure. The hosting service takes care of operational tasks such as managing the Kubernetes control plane, health monitoring and maintenance. Only the agent nodes need to be managed and maintained by customers.
AKS itself is free; customers are charged only for the agent nodes in a cluster. When you deploy an AKS cluster, Azure configures and deploys the Kubernetes master for you. Options such as monitoring and advanced networking can be configured during the Kubernetes deployment.
Monitoring Azure Kubernetes Service with Microsoft Sentinel
The following steps will help you set up AKS monitoring using Microsoft Sentinel:
Enable Sentinel to connect data sources
Sentinel offers connectors to Microsoft solutions. They are available right out of the box, with real-time integration.
- Microsoft 365 Defender
- Microsoft 365 sources
- Azure AD
- Microsoft Defender for Identity
- Microsoft Cloud App Security
You can connect non-Microsoft products and other data sources using built-in connectors for standards such as Common Event Format (CEF), Syslog or a REST API.
Get professionally created workbooks
After connecting your data sources you will be able to choose from a variety of workbooks which can help you surface insights based on your data. These workbooks can be easily customized to meet your specific needs.
Threat detection Templates
Sentinel scans your data and alerts you if it finds any suspicious events. Microsoft security analysts and experts can create custom threat detection rules using built-in templates. These rules are based on known threats and on escalation chains of suspicious activity.
Threat detection templates are used to create rules that automatically scan the surrounding environment for suspicious activity. The templates can be customized to look for specific activities and filter out those that are not. You can create alerts and assign incidents to these rules.
Monitoring your AKS cluster
Monitoring your AKS cluster can be done using multiple sources. This diagram shows how Sentinel integrates different sources.
Azure Security Center ASC Threat Protection
Azure Security Center Standard provides built-in threat protection for all resources that it monitors. You can also add a Kubernetes bundle to Azure Security Center Standard. Once the bundle is enabled, ASC threat protection monitors the AKS cluster for suspicious activity. These steps enable the bundle within ASC:
- Navigate to Pricing & settings
- Select your subscription
- Check that Kubernetes is enabled as a resource type (see image below).
These ASC alerts flow into Sentinel directly if you have already connected ASC threat alerts to Sentinel’s workspace via the native ASC connector. ASC can detect many threats within AKS clusters, including containers mounting sensitive volumes, an exposed Kubernetes dashboard, and containers that mine digital currency.
Azure Diagnostics Logs
Azure Diagnostic logs provide insight into the operation of Azure resources by recording what they emit. Diagnostic logs are useful for diagnosing issues and monitoring the health of resources. They can also be used to identify usage patterns.
Azure can collect a variety of diagnostic logs:
- Activity logs: These logs give information on the operations performed on a resource.
- Metric logs: These logs give information about performance and health for a resource.
- Resources logs: These logs provide specific information about a particular resource type.
Azure Monitor allows you to gather diagnostic logs from many sources. You can also forward the logs to your Log Analytics workspace. You can retrieve logs from AKS for Kubernetes components such as kube-apiserver, kube-controller-manager, kube-scheduler, kube-audit, and cluster-autoscaler.
Once the logs are visible in the AzureDiagnostics table, you can run detections over them.
This is an example query you can run in Azure Sentinel to view the NGINX images of a particular set of pods.
KubernetesPodInventory
| where PodName contains "nginx"
// Pod is stored as a JSON string; parse it so its properties can be addressed
| extend Pod = parse_json(Pod)
| extend Container = parse_json(Pod.spec.containers)
// extract() needs a string, so convert the dynamic image value first
| extend Image = tostring(Container.image)
// Keep everything before the last colon, i.e. drop the image tag
| extend ImageName = extract("(.+):.+", 1, Image)
| project PodName, ImageName
This query searches the KubernetesPodInventory table for rows where the PodName field contains the string “nginx” and returns the PodName and ImageName fields for those rows. The extend clauses parse the JSON in the Pod and Container fields and pull out the container object’s image field; the extract function then strips the tag to leave only the image name.
This is an example security-focused query you could run over audit logs from Azure Kubernetes Service.
KubernetesAudit
| where Level == "Warning"
| where EventType == "Exec"
// User is a JSON string; parse it to reach the username property
| extend User = parse_json(User)
| project TimeGenerated, User.username, Namespace, Resource, Action
This query searches the KubernetesAudit table for rows where Level is “Warning” and EventType is “Exec”. It parses the User field into a JSON object so that the username can be read, and projects the TimeGenerated, username, Namespace, Resource and Action fields.
The query returns the audit events that match warning-level exec events. These can be anything from attempts to open a shell in a pod to commands executed inside containers. The query can be used to detect suspicious activity or as a starting point for further investigation.
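The same exec detection, written as an added example (not part of the original post) against the kube-audit category that the AKS diagnostic setting described above writes to AzureDiagnostics. It assumes the raw audit JSON sits in the log_s column, that the category is named "kube-audit", and that the JSON follows the upstream Kubernetes audit event schema (verb, user, objectRef, sourceIPs, responseStatus); the allow-listed service account is a constructed placeholder.

```kql
// Added example, not the post's own query. Assumptions: AzureDiagnostics column
// log_s holds the audit JSON, Category is "kube-audit", and the JSON uses the
// upstream Kubernetes audit event schema.
let lookback = 24h;
// Constructed allow-list: identities that are expected to exec into pods
// (for example a CI runner). Everything else is surfaced for review.
let expected_users = dynamic(["system:serviceaccount:ci:pipeline-runner"]);
AzureDiagnostics
| where TimeGenerated > ago(lookback)
// AKS also offers the cheaper kube-audit-admin category, which omits get/list
// requests; exec/attach are POST (create) calls, so either category works.
| where Category == "kube-audit"
| extend audit = parse_json(log_s)
// Each request is logged at several stages; keep only ResponseComplete so the
// responseStatus block is populated and one session is not counted twice.
| where tostring(audit.stage) == "ResponseComplete"
// exec and attach are "create" calls on pod subresources, i.e. interactive
// access to a running container.
| where tostring(audit.verb) == "create"
    and tostring(audit.objectRef.resource) == "pods"
    and tostring(audit.objectRef.subresource) in ("exec", "attach")
| extend Username   = tostring(audit.user.username),
         Namespace  = tostring(audit.objectRef.namespace),
         PodName    = tostring(audit.objectRef.name),
         SourceIP   = tostring(audit.sourceIPs[0]),
         StatusCode = toint(audit.responseStatus.code),
         RequestURI = tostring(audit.requestURI)
// Denied attempts (403) are kept on purpose: they show who tried and failed.
| where Username !in (expected_users)
// Aggregate per identity and pod so one kubectl session yields one row
| summarize ExecCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SourceIPs = make_set(SourceIP),
            Requests  = make_set(RequestURI)
    by Username, Namespace, PodName, StatusCode, Resource
| order by LastSeen desc
```

The Resource column identifies the AKS cluster, so the same rule can run across every cluster sending diagnostics to the workspace.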
Conclusion
In conclusion, Azure Sentinel is an effective tool for protecting Kubernetes infrastructure. Its integration with many data sources and its advanced security analytics make it well suited to detecting and responding to threats in Kubernetes environments. Azure Sentinel can collect logs from Kubernetes clusters, giving you valuable insight into their operation and helping you identify security problems before they escalate.
You can also create alerts and automate actions using data from your logs to help you respond quickly to security threats and reduce the chance of an incident such as a breach.