Help Center
Go back to application
Help Center
Go back to application
Platform Terms GlossaryContacting Support and Reporting Bugs
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidanceDetermining Control Applicability
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: AzureAuto Checks: GCPAuto Checks: GitHubEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations
Azure Auto Checks Detailed Explanations
Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database ServerVerify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database ServerVerify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database ServerVerify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database ServerVerify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database ServerVerify that Activity Log Alert exists for Create Policy AssignmentVerify that Activity Log Alert exists for Create or Update Public IP Address ruleVerify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)Verify that Activity Log Alert exists for Delete SQL Server Firewall RuleVerify that Activity Log Alert exists for Create or Update SQL Server Firewall RuleVerify that Activity Log Alert exists for Delete Network Security GroupVerify that the storage account containing the container with activity logs is encrypted with Customer Managed KeyVerify that Activity Log Alert exists for Delete Policy AssignmentVerify that Activity Log Alert exists for Create or Update Network Security GroupVerify that Diagnostic Setting captures appropriate categoriesVerify that Activity Log Alert exists for Create or Update Security SolutionVerify that Activity Log Alert exists for Delete Public IP Address ruleVerify that logging for Azure AppService 'HTTP logs' is enabledVerify that logging for Azure Key Vault is 'Enabled'Verify that the Expiration Date is set for all Keys in RBAC Key VaultsEnable Role Based Access Control for Azure Key VaultVerify that Private Endpoints are Used for Azure Key VaultVerify that the Key Vault is RecoverableVerify that HTTP(S) access from the Internet is evaluated and restrictedVerify that SSH access from the Internet is evaluated and restrictedVerify that Network Security Group Flow Log retention period is 'greater than 90 days'Verify that Network Watcher is 'Enabled' for all locations in the Azure subscriptionVerify that RDP access from the Internet is evaluated and restrictedVerify that That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All NetworksVerify that That Private Endpoints Are Used Where PossibleVerify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database ServerVerify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database ServerVerify that SQL server's Transparent Data Encryption (TDE) protector is encryptedVerify that 'Auditing' Retention is 'greater than 90 days'Verify that Application Insights are Configured.Verify that 'Restrict non-admin users from creating tenants' is set to 'Yes'Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'Verify that That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'Ensure Microsoft Defender for open-source relational databases is enabledVerify that That Microsoft Defender for App Services Is Set To 'On' Verify that That 'Notify about alerts with the following severity' is Set to 'High'Verify that 'Additional email addresses' is Configured with a Security Contact EmailVerify that That Microsoft Defender for SQL Servers on Machines Is Set To 'On' Verify that That 'All users with the following roles' is set to 'Owner'Verify that That Microsoft Defender for Storage Is Set To 'On' Verify That Microsoft Defender for IoT Hub Is Set To 'On'Verify that Microsoft Defender for Containers Is Set To 'On' Verify that That 'Users Can Register Applications' Is Set to 'No'Verify that the Expiration Date is set for all Secrets in RBAC Key VaultsVerify that Activity Log Alert exists for Delete Security Solution
GitHub Auto Checks Detailed Explanations
Settings
Authentication and 2FA settingsProfile settingsCompany settingsLegal Entities settingsPlatform settingsOutbound E-Mail settings

Verify that Microsoft Defender for Containers Is Set To 'On'

Framework Reference: 9.1.4.1 Microsoft Defender for Containers – Azure Defender for Cloud (Level 2)

Why this matters

Containerized workloads—such as Kubernetes clusters, container registries, and running container images—introduce dynamic and distributed attack surfaces. Without dedicated runtime protection and vulnerability management, misconfigurations and exploitable images can remain undetected.

Microsoft Defender for Containers strengthens defense-in-depth by providing:

  • Vulnerability assessment for container images
  • Runtime threat detection for Kubernetes workloads
  • Security posture management via Azure Policy
  • Agentless scanning and discovery capabilities

If this plan is disabled, container workloads may lack centralized threat detection, vulnerability insights, and continuous monitoring. This increases the risk of undetected compromises, supply chain attacks, and compliance violations.

Note: Microsoft Defender for Container Registries (ContainerRegistry) is deprecated and replaced by Microsoft Defender for Containers (Containers).

What this check does

This Auto Check verifies that Microsoft Defender for Containers is enabled at the subscription level and that all required protection components are active.

Check Logic

Passes if:

  • Pricing tier for Containers is set to Standard, and
  • The following extensions are enabled (isEnabled = True):
  • ContainerRegistriesVulnerabilityAssessments
  • AgentlessDiscoveryForKubernetes
  • AgentlessVmScanning
  • ContainerSensor

Fails if:

  • Pricing tier is Free, Disabled, or unset, or
  • Any required extension is disabled.

Applies to:

  • All Azure subscriptions
  • Kubernetes clusters (AKS and connected clusters)
  • Azure Container Registries
  • Multi-cloud and hybrid container workloads connected to Defender for Cloud

The check queries Microsoft Defender for Cloud pricing configuration via Azure Security APIs.

How to fix it

Enable Microsoft Defender for Containers and all required extensions.

Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Select Environment settings.
  3. Choose the relevant subscription.
  4. Open Defender plans.
  5. Under Cloud Workload Protection (CWP), locate Containers.
  6. Set Status to On.
  7. If Monitoring coverage shows Partial, open Settings.
  8. Enable all components.
  9. Click Save.
  10. Repeat for each subscription.

Azure CLI

Run:

az security pricing create \  -n 'Containers' \  --tier 'standard' \  --extensions name=ContainerRegistriesVulnerabilityAssessments isEnabled=True \  --extensions name=AgentlessDiscoveryForKubernetes isEnabled=True \  --extensions name=AgentlessVmScanning isEnabled=True \  --extensions name=ContainerSensor isEnabled=True

Repeat for each subscription as needed.

PowerShell

Run:

Set-AzSecurityPricing -Name 'Containers' -PricingTier 'Standard' -Extension ` '[{"name":"ContainerRegistriesVulnerabilityAssessments","isEnabled":"True"}, {"name":"AgentlessDiscoveryForKubernetes","isEnabled":"True"}, {"name":"AgentlessVmScanning","isEnabled":"True"}, {"name":"ContainerSensor","isEnabled":"True"}]'

Repeat for each subscription.

Default value

Microsoft Defender for Containers is disabled by default.

Impact

Incurs additional cost per vCore.

Pricing depends on monitored workloads and enabled extensions.

Cost estimation should be reviewed before enabling across multiple subscriptions.

Exceptions

  • No standard exceptions are recommended for production environments.
  • If Defender for Containers must remain disabled:
  • Document the business justification.
  • Implement alternative runtime protection and vulnerability scanning controls.
  • Ensure centralized logging and threat detection is in place.

Further resources

  1. https://learn.microsoft.com/en-us/cli/azure/security/pricing
  2. https://learn.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing 
  3. https://learn.microsoft.com/en-us/powershell/module/az.security/set-azsecuritypricing 
  4. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction
  5. https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-containers-azure
  6. https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-1-enable-threat-detection-capabilities 

Was this article helpful?

Powered by Product Fruits