Monitoring Kubernetes Clusters, Image Build Environment and Container Registries with Sentinel
A guide to using Microsoft Sentinel for monitoring the security of your containerized applications and orchestration platforms.
Part 1 of a 3-part series about security monitoring of your Kubernetes clusters and CI/CD pipelines by @singhabhi and @Umesh_Nagdev
Introduction
Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that provides comprehensive threat detection and response capabilities across your hybrid environment. Microsoft Sentinel can help you monitor and protect your containerized applications by collecting and analyzing data from various sources, such as Kubernetes clusters, image build environments, and container registries. In this document, you will learn how to use Microsoft Sentinel to monitor your containerized applications and respond to potential threats.
Prerequisites
Before you start, you need to have the following:
An Azure subscription. If you don’t have one, you can create one for free here
A Microsoft Sentinel workspace. If you don’t have one, you can create one by following the steps here
A Kubernetes cluster. You can use any Kubernetes cluster, such as Azure Kubernetes Service (AKS)
An image build environment. You can use any image build tool, such as Azure DevOps, GitHub Actions, or Docker Hub
A container registry. You can use any container registry, such as Azure Container Registry (ACR) or an on-premises registry
Type of Logs to monitor in Kubernetes
We will discuss the log sources and corresponding use cases in Part 2 of this blog series.
Kubernetes Audit Logs – Detailed audit trail of user and system actions like API requests, authentication, authorization etc.
Kubernetes Controller Manager Logs – Internal operations of Kubernetes controller processes.
Kubernetes Scheduler Logs – Details of pod scheduling decisions and events.
Kubelet Logs – Node level operations and container lifecycle events.
Kubernetes API Server Logs – All API requests and responses.
etcd Logs – Changes to cluster configuration and state stored in etcd.
Container Runtime Logs (Docker, containerd etc.) – Logs from the container runtimes on each node.
Ingress Controller Logs (nginx etc.) – Access logs for traffic entering the cluster.
Cluster Network Logs – Logs from cluster networking plugins like Calico, Flannel etc.
Workload Logs – Logs emitted by the applications and services running in pods.
Node OS Logs – Traditional OS and security logs for insight into host events.
Monitoring System Logs – Logs from Prometheus, Elastic etc. for availability issues.
CI/CD Pipeline Logs – Build logs for container images to check for anomalies.
Figure 1. Log sources to monitor for Kubernetes
Connectors
To enable Microsoft Sentinel to collect and analyze data from your containerized applications, you need to configure the following data connectors:
Azure Kubernetes Service (AKS) connector. This connector allows you to collect Kubernetes audit logs and events from your Kubernetes cluster. To configure this connector, follow the steps at https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/azure-kubernetes-service-aks
Microsoft Defender for Cloud connector. This connector allows you to ingest security alerts related to your pods and nodes, image vulnerability scan results, and recommendations for your Kubernetes cluster.
GitHub connector. If you are using a non-Microsoft code scanning solution, you can ingest the scan data using the built-in data connector for GitHub events. This connector also lets you bring in GitHub audit data, which contains security events: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log
Use Workbooks and Analytics
After you configure the data connectors, you can use the following workbooks and analytics to monitor and investigate your containerized applications:
Kubernetes Monitoring. This workbook provides an overview of your Kubernetes cluster, such as node status, pod status, deployment status, and network activity. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Kubernetes Monitoring.
Container Registry Monitoring. This workbook provides an overview of your container registry, such as image push and pull events, image vulnerabilities, and image anomalies. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Container Registry Monitoring.
Image Build Monitoring. This workbook provides an overview of your image build environment, such as build status, build duration, build errors, and build anomalies. To access this workbook, go to Microsoft Sentinel > Workbooks > Templates > Image Build Monitoring.
Kubernetes Threat Detection. This analytic rule detects suspicious activities on your Kubernetes cluster, such as unauthorized access, privilege escalation, and malicious commands. To enable this rule, go to Microsoft Sentinel > Analytics > Rule templates > Kubernetes Threat Detection.
Container Registry Threat Detection. This analytic rule detects suspicious activities on your container registry, such as unauthorized access, image tampering, and image theft. To enable this rule, go to Microsoft Sentinel > Analytics > Rule templates > Container Registry Threat Detection.
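As an added example (not part of the original post or of the Sentinel rule templates it names), the query below shows the kind of KQL logic an analytic rule can run over the Kubernetes audit logs listed above to surface the three behaviours the Kubernetes Threat Detection rule targets: unauthorized access, privilege escalation, and commands run inside containers. It assumes the AKS kube-audit diagnostic category is being sent to the workspace's AzureDiagnostics table with the audit event JSON in the log_s column, and the system: account filter is a starting point to tune per cluster.

```kql
// Added example, not from the original post. Assumes AKS 'kube-audit'
// diagnostic logs land in AzureDiagnostics with the audit JSON in log_s.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where Category == "kube-audit"
| extend ev = parse_json(log_s)
| extend Verb = tostring(ev.verb),
         User = tostring(ev.user.username),
         Resource = tostring(ev.objectRef.resource),
         Subresource = tostring(ev.objectRef.subresource),
         Namespace = tostring(ev.objectRef.namespace),
         StatusCode = toint(ev.responseStatus.code),
         SourceIP = tostring(ev.sourceIPs[0])
// Drop control-plane service accounts; adjust the prefix list per cluster
| where User !startswith "system:"
// Classify each event: exec/attach into a pod, cluster-wide RBAC changes,
// or a request the API server rejected as Forbidden (HTTP 403)
| extend Kind = case(
    Verb == "create" and Resource == "pods" and Subresource in ("exec", "attach"), "PodExec",
    Verb in ("create", "update", "patch") and Resource == "clusterrolebindings", "ClusterRoleBindingChange",
    StatusCode == 403, "Forbidden",
    "")
| where isnotempty(Kind)
| summarize Count = count(),
            Actions = make_set(strcat(Verb, " ", Resource, "/", Subresource), 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by User, SourceIP, Namespace, Kind
// A single 403 is noise; a burst from one principal is worth a look.
// Exec and RBAC changes are rare enough to alert on individually.
| where Kind != "Forbidden" or Count >= 10
| order by LastSeen desc
```

Each row gives one principal, source address and event class with the distinct verb/resource pairs observed, which is what an analyst needs to decide whether the activity was an expected admin action or warrants an incident.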
Conclusion
In this document, you learned how to use Microsoft Sentinel to monitor and protect your containerized applications by collecting and analyzing data from Kubernetes clusters, image build environments, and container registries. You also learned how to use workbooks and analytics to gain insights and detect threats to your containerized applications. For more information on Microsoft Sentinel, visit https://azure.microsoft.com/en-us/products/microsoft-sentinel/