Configure Binary Drift Policy

Implementation Effort: Medium – Requires enabling Defender for Containers, configuring drift detection rules, and tuning alert logic across Kubernetes environments.

User Impact: Low – Alerts and policy configurations are handled by security teams; end users are not directly affected.

Overview

Binary drift detection in Microsoft Defender for Containers identifies when a container is running executables that were not part of the original image. This can indicate unauthorized changes or potential attacks, as containers are expected to be immutable. Binary drift detection helps detect runtime threats by comparing the running workload against the original container image.

To configure binary drift policies:

1. Navigate to Microsoft Defender for Cloud > Environment settings.

2. Select Containers drift policy.

3. You will see two default rules:

   • Alert on Kube-System namespace – a suggested rule that can be modified.
   • Default binary drift rule – applies globally if no other rule matches; its action can be set to either Drift detection alert or Ignore drift detection.

4. To create a new rule:

   • Select Add rule.
   • Define:
     • Rule name – a descriptive label.
     • Action – choose Drift detection alert or Ignore drift detection.
     • Scope description – define the scope (e.g., specific clusters, images, namespaces, or Kubernetes labels).

5. Apply the rule to activate it.

This capability supports the "Assume Breach" principle of Zero Trust by detecting unauthorized changes in container workloads, helping security teams respond to potential threats in real time.

Reference

• Binary drift detection – Microsoft Defender for Cloud
• Binary drift detection in Defender for Containers – Microsoft Learn