
Quick Start Security for Azure Kubernetes Service


Coralogix Extension For Azure Kubernetes Service Includes:

Alerts - 5

Stay on top of Azure Kubernetes Service key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A node pool has been created

This alert detects when a new Kubernetes node pool has been created. Node pools are a set of nodes within an AKS cluster. They allow you to create groups of nodes with different capabilities, such as different hardware configurations, different operating system versions, or different labels. Node pools also allow you to scale your cluster up or down quickly and easily.

Impact

Node pool creation by an adversary can have a significant impact on the security of an AKS cluster. An adversary could use a node pool to gain access to sensitive data or resources, or to launch attacks against other nodes in the cluster or against the cluster itself. Node pools could also be used to bypass security measures such as network firewalls or container security policies, or to deploy malicious code that spreads across the cluster. Finally, node pools could be used to gain access to privileged user accounts and/or services.

Mitigation

Verify that the node pool creation was authorized and investigate further if not. The best way to mitigate the risks of node pool creation by adversaries is to monitor network traffic, detect suspicious activity, and respond quickly and effectively. Additionally, organizations should ensure that all nodes in a node pool run the same operating system version and that user accounts are secure. Finally, organizations should ensure that all nodes in a node pool have the same security settings and that access to the nodes is restricted to those who need it.

MITRE Tactic: TA0005
MITRE Technique: T1578

A cluster has been deleted

This alert detects when a Kubernetes cluster has been deleted. In AKS, a cluster is a group of compute resources used to run your applications. These compute resources can include any combination of Kubernetes nodes and other Azure services. The cluster is the core unit of organization in AKS, and it is used to manage the deployment and scaling of your applications.

Impact

Deleting a cluster in AKS can have significant consequences, depending on how the cluster is used. If the cluster runs critical applications, deleting it could make those applications unavailable, which in turn affects their users. If the cluster stores important data, that data could be lost when the cluster is deleted. Finally, if the cluster is used for resource-intensive tasks, deleting it could cause a sudden drop in computing power, affecting the performance of other applications running on the same AKS instance.

Mitigation

Verify that the cluster deletion was authorized; revert the change and investigate further if not. Additional recommendations:

Enable cluster autoscaling: this ensures that your cluster can automatically scale up or down to meet the demands of your applications, which helps prevent disruptions caused by sudden changes in cluster size.
Use cluster monitoring and alerting: by monitoring the status of your cluster and setting up alerts, you can quickly detect that a cluster is being deleted and act to prevent further damage.
Use multiple clusters: running your applications on multiple clusters helps ensure that if one cluster is deleted, your applications remain available on the others.
Enable cluster backup and restore: by regularly backing up your cluster, you can quickly restore it if it is deleted, minimizing the impact on your applications and data.

MITRE Tactic: TA0040
MITRE Technique: T1485

A node pool has been deleted

This alert detects when a Kubernetes node pool has been deleted. Node pools are a set of nodes within an AKS cluster. They allow you to create groups of nodes with different capabilities, such as different hardware configurations, different operating system versions, or different labels. Node pools also allow you to scale your cluster up or down quickly and easily.

Impact

Node pool deletion by an adversary can have a significant impact. Node pools can hold sensitive data and resources, so deleting them could lead to data loss or disruption of services. Deleting a node pool could also destabilize the cluster, as remaining nodes may no longer be able to communicate with each other or reach the resources they need. Finally, deleting a node pool could lead to unauthorized access to the cluster, as any user accounts or services associated with the deleted node pool would no longer be accessible.

Mitigation

Verify that the node pool deletion was authorized and investigate further if not. The best way to mitigate the risks of node pool deletion by adversaries is to monitor network traffic and detect suspicious activity. Additionally, organizations should ensure that user accounts and services associated with node pools are secure, and that access to the nodes is restricted to those who need it. Finally, organizations should have a backup and restore plan in place in case a node pool is deleted.

MITRE Tactic: TA0040
MITRE Technique: T1485

A cluster has been created

This alert detects when a new Kubernetes cluster has been created. Kubernetes clusters are groups of resources that include one or more pods. Pods are groups of containers. Within a pod, containers are dedicated to specific functions and can share data or communicate with the other containers in the pod.

Impact

Creating a cluster in AKS could allow an adversary to gain access to computing resources and potentially to sensitive data managed by the cluster. This could be used to launch further attacks or to steal sensitive information.

Mitigation

Verify that the cluster creation was authorized and investigate further if not.

MITRE Tactic: TA0005
MITRE Technique: T1578

Azure AKS - No logs from Azure AKS

This rule detects when no logs have been received from Azure AKS in the customer account in the last 4 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact

Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation

Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.

MITRE Tactic: TA0005
MITRE Technique: T1562
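To show how the five alerts above map onto concrete log events, here is an added Python example (written for this page, not Coralogix's rule code or Azure's own tooling). It runs toy versions of the four change detections and the no-logs detection over constructed, simplified Azure Activity Log lines. The Microsoft.ContainerService operation names, the event field names (time, operationName, status, caller, resourceId, correlationId), the simplified single-status shape, and the decision to treat any successful write as a creation are assumptions of the example.

```python
"""Toy AKS control-plane detections over constructed Activity Log lines.
Added example for illustration; not Coralogix's or Azure's code."""
import json
from datetime import datetime, timedelta, timezone

# Assumption: AKS control-plane changes appear in the Azure Activity Log under
# the Microsoft.ContainerService resource provider with these operationName
# values. The mapping to the page's alert titles and MITRE IDs is ours.
# Note: ARM uses "write" for both create and update; this toy treats every
# successful write as a creation, which a production rule would refine.
OPERATION_ALERTS = {
    "Microsoft.ContainerService/managedClusters/agentPools/write":
        ("A node pool has been created", "TA0005", "T1578"),
    "Microsoft.ContainerService/managedClusters/agentPools/delete":
        ("A node pool has been deleted", "TA0040", "T1485"),
    "Microsoft.ContainerService/managedClusters/write":
        ("A cluster has been created", "TA0005", "T1578"),
    "Microsoft.ContainerService/managedClusters/delete":
        ("A cluster has been deleted", "TA0040", "T1485"),
}

NO_LOGS_WINDOW = timedelta(hours=4)  # matches the page's 4-hour rule

# Constructed sample events in a simplified Activity Log shape, one JSON
# object per line. ARM records a "Started" and then a "Succeeded" (or
# "Failed") event per operation; only the Succeeded record should alert.
SAMPLE_LOG_LINES = [
    '{"time":"2024-05-01T10:00:00Z","operationName":"Microsoft.ContainerService/managedClusters/agentPools/write","status":"Started","caller":"alice@example.com","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks-prod/agentPools/gpupool","correlationId":"c-1"}',
    '{"time":"2024-05-01T10:02:00Z","operationName":"Microsoft.ContainerService/managedClusters/agentPools/write","status":"Succeeded","caller":"alice@example.com","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks-prod/agentPools/gpupool","correlationId":"c-1"}',
    '{"time":"2024-05-01T10:05:00Z","operationName":"Microsoft.ContainerService/managedClusters/delete","status":"Failed","caller":"bob@example.com","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks-prod","correlationId":"c-2"}',
    '{"time":"2024-05-01T10:30:00Z","operationName":"Microsoft.ContainerService/managedClusters/delete","status":"Succeeded","caller":"bob@example.com","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks-staging","correlationId":"c-3"}',
    '{"time":"2024-05-01T10:31:00Z","operationName":"Microsoft.ContainerService/managedClusters/read","status":"Succeeded","caller":"carol@example.com","resourceId":"/subscriptions/SUB/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/aks-prod","correlationId":"c-4"}',
    'this line is not JSON and must not crash the detector',
]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_events(lines):
    """Parse JSON lines into event dicts; skip malformed lines rather than fail."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            ev["time"] = parse_time(ev["time"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def change_alerts(events):
    """Return one alert per successful create/delete of a cluster or node pool.

    "Started" and "Failed" records are ignored so that a single operation
    produces at most one alert and failed attempts do not look like changes.
    """
    alerts = []
    for ev in events:
        rule = OPERATION_ALERTS.get(ev.get("operationName"))
        if rule is None or ev.get("status") != "Succeeded":
            continue
        title, tactic, technique = rule
        alerts.append({
            "title": title, "tactic": tactic, "technique": technique,
            "caller": ev.get("caller"), "resource": ev.get("resourceId"),
            "time": ev["time"].isoformat(),
        })
    return alerts


def no_logs_alert(events, now, window=NO_LOGS_WINDOW):
    """Return the no-logs alert if nothing arrived within `window` before `now`.

    Returns None when recent logs exist. An empty event list also alerts,
    since silence is exactly the condition the rule is meant to catch.
    """
    latest = max((ev["time"] for ev in events), default=None)
    if latest is not None and now - latest <= window:
        return None
    return {"title": "Azure AKS - No logs from Azure AKS", "tactic": "TA0005",
            "technique": "T1562",
            "last_seen": latest.isoformat() if latest else None}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    for a in change_alerts(evs):
        print(f"{a['time']} {a['title']} by {a['caller']} on {a['resource']}")
    print(no_logs_alert(evs, parse_time("2024-05-01T15:00:00Z")))
```

Against the constructed lines the detector raises exactly two change alerts (the node pool write with a Succeeded status, and the deletion of aks-staging), ignores the Started record, the failed deletion of aks-prod and the read operation, and raises the no-logs alert only once the newest event is more than four hours old. The caller and resourceId carried on each alert are what an analyst needs to answer the "was this authorized?" question in the mitigation text.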

Integration

Learn more about Coralogix's out-of-the-box integration with Azure Kubernetes Service in our documentation.
