Control: Azure > CIS v5.0 > 8 - Security Services > 8.01 - Microsoft Defender for Cloud > 8.01.04 - Defender Plan: Containers > 8.01.04.01 - Ensure That Microsoft Defender for Containers Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

Microsoft Defender for Containers helps improve, monitor, and maintain the security of containerized assets—including Kubernetes clusters, nodes, workloads, container registries, and images—across multi-cloud and on-premises environments.

By default, when enabling the plan through the Azure Portal, Microsoft Defender for Containers automatically configures the following components: - Agentless scanning for machines - Defender sensor for runtime protection - Azure Policy for enforcing security best practices - K8S API access for monitoring and threat detection - Registry access for vulnerability assessment

Note: Microsoft Defender for Container Registries ('ContainerRegistry') is deprecated and has been replaced by Microsoft Defender for Containers ('Containers').

Enabling Microsoft Defender for Containers enhances defense-in-depth by providing advanced threat detection, vulnerability assessment, and security monitoring for containerized environments, leveraging insights from the Microsoft Security Response Center (MSRC).

Resource Types

This control targets the following resource types:

Azure > Security Center > Security Center

Policies

This control type relies on these other policies when running actions:

In Your Workspace

Developers

Control Type URI

tmod:@turbot/azure-cisv5-0#/control/types/r08010401

Category URI

tmod:@turbot/cis#/control/categories/v070301

GraphQL

query controlType(id: "tmod:@turbot/azure-cisv5-0#/control/types/r08010401") { … }

query controls(filter: "controlTypeId:'tmod:@turbot/azure-cisv5-0#/control/types/r08010401'") { … }

CLI

Get Controls

turbot graphql controls --filter "controlTypeId:tmod:@turbot/azure-cisv5-0#/control/types/r08010401"