Defender for Containers: what's needed for log analysis?


Looking for some info on Defender for containers and specifically how it gets the logs that it analyzes.

Documentation says the following (doc link):

To protect your Kubernetes containers, Defender for Containers receives and analyzes:

    Audit logs and security events from the API server
    Cluster configuration information from the control plane
    Workload configuration from Azure Policy
    Security signals and events from the node level

  1. Where/how does it get the audit logs? Does it matter if they are sent to log analytics workspaces or to a storage account?

  2. Which audit logs does it use? The following types are configurable:

  • Kubernetes API Server
  • Kubernetes Audit
  • Kubernetes Controller Manager
  • Kubernetes Scheduler
  • Kubernetes Cluster Autoscaler
  • Kubernetes Audit Admin Logs
  • guard
  • Kubernetes Cloud Controller Manager
  • csi-azuredisk-controller
  • csi-azurefile-controller
  • csi-snapshot-controller

Can I assume defender only uses the Kubernetes API Server type logs? Or are the other tiers also analyzed?

Thanks!

Dove into the documentation but didn't find a definitive answer.

Komali Annem

I have created an AKS cluster with one node pool. For this cluster one new node pool was created; we can check the logs for the cluster and also find the logs in Microsoft Defender for Cloud.

[Screenshot: AKS cluster logs]

Getting the logs from Microsoft Defender for Cloud:

[Screenshot: logs in Microsoft Defender for Cloud]

Where/how does it get the audit logs

You have to enable the categories of logs required from the AKS Cluster > Diagnostic Settings:

[Screenshot: AKS cluster Diagnostic settings]

Based on the type of logs required, enable that category, or you can select all categories.

Which audit logs does it use? The following types are configurable:

kube-audit gives all the audit log data, which are the security-category audit logs from the Kubernetes cluster.

Does it matter if they are sent to log analytics workspaces or to a storage account?

In a Storage Account, you do not get a querying feature for filtering the logs, but in Log Analytics workspaces you can query the logs with filters such as the time range of the logs, and you can also increase the data retention period.

[Screenshot: Log Analytics workspace query]

Can I assume defender only uses the Kubernetes API Server type logs?

[Screenshot: Microsoft Defender for Cloud log listing]

As you can see in the above screenshot, Microsoft Defender shows all the logs, such as Kubernetes API Server and security-related logs, and you can drill down by selecting each log, along with the remediation steps.
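As an added example (not part of the answer above or of any Microsoft documentation), the following Kusto query shows the kind of filtering the answer refers to once the kube-audit category is flowing into a Log Analytics workspace. It assumes the AKS diagnostic setting writes to the workspace in the "Azure diagnostics" table mode, so events land in the AzureDiagnostics table with the audit event JSON in the log_s column; the column and field names below follow that table and the standard audit.k8s.io Event format. It verifies what the diagnostic setting exported, not what Defender for Containers itself ingests through its own API-server integration.

```kusto
// Added example: review Kubernetes audit events exported by AKS diagnostic settings.
// Assumes "Azure diagnostics" destination mode (AzureDiagnostics table, event JSON in log_s).
AzureDiagnostics
| where TimeGenerated > ago(24h)                   // time-range filter, as described in the answer
| where Category == "kube-audit"                    // or "kube-audit-admin" for the feed without get/list events
| extend event = parse_json(log_s)                  // one audit.k8s.io Event per row
| extend
    verb      = tostring(event.verb),
    user      = tostring(event.user.username),
    resource  = tostring(event.objectRef.resource),
    namespace = tostring(event.objectRef.namespace),
    name      = tostring(event.objectRef.name),
    code      = toint(event.responseStatus.code)
| where verb in ("create", "update", "patch", "delete")   // mutating calls are the first thing to review
| project TimeGenerated, user, verb, resource, namespace, name, code
| order by TimeGenerated desc
```

If the query returns nothing, check the Diagnostic settings blade first: an unchecked kube-audit category or a setting that only targets a Storage Account (where, as the answer notes, there is no query feature) are the usual reasons.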