Deploy Defender Sensor

Implementation Effort: Medium – Requires enabling Defender for Containers and deploying the sensor across Kubernetes clusters using Azure portal, CLI, or templates.

User Impact: Low – Sensor deployment is handled by platform and security teams; end users are not directly affected.

Overview

Deploying the Defender sensor is a critical step in enabling runtime protection, telemetry collection, and threat detection in Microsoft Defender for Containers. The sensor runs as a DaemonSet on each node in your Kubernetes cluster and sends security data to Microsoft Defender for Cloud via a connected Log Analytics workspace.

Supported Environments

• Azure Kubernetes Service (AKS)
• Amazon EKS (via connected AWS account)
• Google GKE (via connected GCP project)
• On-premises or IaaS Kubernetes clusters (via Azure Arc) 1

Deployment Steps

1. Enable Defender for Containers:

   • Go to Microsoft Defender for Cloud > Environment settings.
   • Select your environment (Azure, AWS, GCP, or Arc-enabled).
   • Enable the Defender for Containers plan.

2. Auto-provision the Defender sensor:

   • In the Containers plan, ensure Auto provision Defender's sensor is set to On.
   • This ensures the sensor is automatically deployed to supported clusters 1.

3. Manual deployment options:

   • Use Azure CLI, ARM templates, or REST API for custom deployments 2.

4. Network configuration:

   • Ensure the sensor can send data to the configured Log Analytics workspace.
   • If using Azure Monitor Private Link Scope (AMPLS), configure private endpoints and DNS zones accordingly 1.

This capability supports the "Assume Breach" and "Verify Explicitly" principles of Zero Trust by ensuring continuous monitoring and telemetry collection from all container workloads.

Reference

• Configure Microsoft Defender for Containers components
• Protect your Azure containers with Defender for Containers
• Overview of Microsoft Defender for Containers