Azure Kubernetes Service

Version: Azure Kubernetes Service.

Azure Kubernetes Service (AKS) deploys and manages containerized applications with a fully managed Kubernetes service. It offers serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance. It lets development and operations teams work on a single platform to rapidly build, deliver, and scale applications with confidence.

Netsurion Open XDR monitors events from Azure Kubernetes Service. Dashboards and reports in Netsurion Open XDR help you track create, delete and update actions on Azure Kubernetes instances. Unauthorized deletion could lead to data loss, potential denial of service, or indicate compromised credentials, while create actions help you understand how the cluster is being built out with resources.

Netsurion Data Source Integration for Azure Kubernetes Service allows you to monitor the following components:

  • Security – Information related to the deletion of deployments, nodes, pods, and the cluster, which indicates that the instance is likely compromised.

After Azure Kubernetes Service is configured to deliver events to Netsurion Open XDR, the dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

Type | Name | Description
--- | --- | ---
Security | Azure Kubernetes Service – Deployment deleted | Containerized applications are deployed in an Azure Kubernetes Service cluster to render services. When a delete action is performed on a deployment, the workload it hosted will no longer be found. A malicious attempt to delete a deployment could lead to operational issues or potential denial of service. This alert indicates that a delete action was successful on Azure Kubernetes Deployments.
Security | Azure Kubernetes Service – Indication of cluster deletion | An Azure Kubernetes Service cluster has instances such as nodes, pods, deployments, namespaces, etc. Deleting a cluster leads to the deletion of all the dependencies of the cluster. Unauthorized cluster deletions could lead to data loss and operational issues for the services it renders. This alert indicates that a cluster deletion has occurred on Azure Kubernetes Service.
Security | Azure Kubernetes Service – Node deleted | An Azure Kubernetes Service cluster has nodes (which run applications) that are grouped into node pools. There are no recovery options for data loss that may occur when a node pool is deleted. This alert indicates that an Azure Kubernetes node deletion has occurred on Azure Kubernetes Service.
Security | Azure Kubernetes Service – Pods deleted | In an Azure Kubernetes Service cluster, pods are scoped to a namespace; a pod runs the container image used to deploy end-user applications on a node. This alert indicates a successful pod deletion action on an Azure Kubernetes node.
Security | Azure Kubernetes Service – Successful node update | Nodes in an Azure Kubernetes Service cluster are mapped to a node pool; when a user performs a node pool update action, the mapped nodes are updated. This alert indicates that an Azure Kubernetes node was updated on Azure Kubernetes Service.
Security | Azure Kubernetes Service – Unsuccessful deletion action | This alert indicates an unsuccessful deletion action performed on an Azure Kubernetes instance/resource.
Security | Azure Kubernetes Service – Pod created on Kube system | This alert indicates that a pod was created in the kube-system namespace in Azure Kubernetes Service.

Reports

Type | Name | Description
--- | --- | ---
Security | Azure Kubernetes Service – Cluster activity | This report provides a detailed summary of create and delete actions performed/triggered on cluster instances in Azure Kubernetes Service. It contains the source IP address, username, request URL, resource, user groups, action, and more.
Security | Azure Kubernetes Service – Cluster update activity | This report provides a detailed summary of update actions performed/triggered on cluster instances in Azure Kubernetes Service. It contains the source IP address, username, request URL, resource, user groups, action, and more.
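As an added example (not part of the Netsurion integration or its code), the following Python script shows what the detection logic behind the alerts listed above, and the field extraction behind the two reports, could look like when run over kube-audit records from AKS. The audit events are constructed samples in the shape of the Kubernetes audit `Event` schema (`stage`, `verb`, `user`, `sourceIPs`, `requestURI`, `objectRef`, `responseStatus`); the alert mapping, the `ResponseComplete` filter and the report field names are this example's assumptions, not the product's rules. Cluster deletion is left out because it is an Azure Resource Manager operation rather than a kube-audit event.

```python
import json
from collections import Counter

DELETE_VERBS = {"delete", "deletecollection"}
UPDATE_VERBS = {"update", "patch"}
REPORT_FIELDS = ("source_ip", "username", "request_uri", "resource", "groups", "verb", "status")


def _event(stage, verb, resource, name, user, ip, status, namespace=None, uri=None):
    """Build one constructed kube-audit event (audit.k8s.io Event shape) as a JSON line."""
    if uri is None:
        uri = (f"/api/v1/namespaces/{namespace}/{resource}/{name}" if namespace
               else f"/api/v1/{resource}/{name}")
    ev = {
        "kind": "Event",
        "stage": stage,
        "verb": verb,
        "user": {"username": user, "groups": ["system:authenticated", "aks-admins"]},
        "sourceIPs": [ip],
        "requestURI": uri,
        "objectRef": {"resource": resource, "name": name},
    }
    if namespace:
        ev["objectRef"]["namespace"] = namespace
    if status is not None:  # the RequestReceived stage has no response status yet
        ev["responseStatus"] = {"code": status}
    return json.dumps(ev)


# Constructed sample log lines; made-up users, IPs and names, not data from a real cluster.
AUDIT_LINES = [
    _event("RequestReceived", "delete", "deployments", "frontend", "alice@example.com",
           "203.0.113.10", None, "web", "/apis/apps/v1/namespaces/web/deployments/frontend"),
    _event("ResponseComplete", "delete", "deployments", "frontend", "alice@example.com",
           "203.0.113.10", 200, "web", "/apis/apps/v1/namespaces/web/deployments/frontend"),
    _event("ResponseComplete", "delete", "nodes", "aks-nodepool1-00000000-vmss000002",
           "ops-admin@example.com", "198.51.100.7", 200),
    _event("ResponseComplete", "delete", "pods", "frontend-5d8f-x2k9q", "alice@example.com",
           "203.0.113.10", 200, "web"),
    _event("ResponseComplete", "delete", "namespaces", "payments", "bob@example.com",
           "203.0.113.44", 403),
    _event("ResponseComplete", "create", "pods", "debug-shell", "bob@example.com",
           "203.0.113.44", 201, "kube-system"),
    _event("ResponseComplete", "patch", "nodes", "aks-nodepool1-00000000-vmss000001",
           "ops-admin@example.com", "198.51.100.7", 200),
    _event("ResponseComplete", "get", "pods", "frontend-5d8f-x2k9q", "alice@example.com",
           "203.0.113.10", 200, "web"),
]


def parse_audit_event(line):
    """Flatten one kube-audit JSON line into the fields the alerts and reports use."""
    ev = json.loads(line)
    obj = ev.get("objectRef", {})
    user = ev.get("user", {})
    return {
        "stage": ev.get("stage"),
        "verb": ev.get("verb"),
        "resource": obj.get("resource"),
        "namespace": obj.get("namespace"),
        "name": obj.get("name"),
        "username": user.get("username"),
        "groups": user.get("groups", []),
        "source_ip": (ev.get("sourceIPs") or ["-"])[0],
        "request_uri": ev.get("requestURI"),
        "status": ev.get("responseStatus", {}).get("code"),
    }


def classify(ev):
    """Map one parsed event to the alert it triggers, or None if it is noise."""
    if ev["stage"] != "ResponseComplete":
        return None  # earlier stages carry no final status; skipping them avoids double counting
    ok = ev["status"] is not None and 200 <= ev["status"] < 300
    verb, res = ev["verb"], ev["resource"]
    if verb in DELETE_VERBS:
        if not ok:
            return "Unsuccessful deletion action"
        return {"deployments": "Deployment deleted", "nodes": "Node deleted",
                "pods": "Pods deleted"}.get(res)
    if ok and verb == "create" and res == "pods" and ev["namespace"] == "kube-system":
        return "Pod created on kube-system"
    if ok and verb in UPDATE_VERBS and res == "nodes":
        return "Successful node update"
    return None


def run_alerts(lines):
    """Evaluate every line and return the triggered alerts together with the event context."""
    hits = []
    for line in lines:
        ev = parse_audit_event(line)
        name = classify(ev)
        if name:
            hits.append({"alert": name, **ev})
    return hits


def activity_report(lines, verbs):
    """Report rows: the listed fields for completed requests whose verb is in `verbs`."""
    rows = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev["stage"] == "ResponseComplete" and ev["verb"] in verbs:
            rows.append({k: ev[k] for k in REPORT_FIELDS})
    return rows


def cluster_activity_report(lines):
    """Create and delete actions, as in the Cluster activity report."""
    return activity_report(lines, {"create"} | DELETE_VERBS)


def cluster_update_report(lines):
    """Update actions, as in the Cluster update activity report."""
    return activity_report(lines, UPDATE_VERBS)


def actions_by_user(rows):
    """Count report rows per username: a quick view of who is changing the cluster."""
    return Counter(r["username"] for r in rows)


if __name__ == "__main__":
    for hit in run_alerts(AUDIT_LINES):
        print(f"{hit['alert']:<30} {hit['username']:<24} {hit['source_ip']:<14} "
              f"{hit['resource']}/{hit['name']}")
    print("create/delete actions by user:",
          dict(actions_by_user(cluster_activity_report(AUDIT_LINES))))
```

The `ResponseComplete` filter matters in practice: the Kubernetes audit backend can emit the same request at several stages, so counting every stage would double-report a single deletion, and only the final stage carries the response code that separates a successful deletion from the unsuccessful-deletion case.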

Documentation

The configuration details are consistent with Netsurion Open XDR 9.3 or later, and Azure Kubernetes Service.

Download the Integration Guide and How-to Guide for configuration instructions and more information.