One click to cover containers & Kubernetes in Defender CSPM (agentless)

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Defender CSPM's contextual security capabilities help security teams reduce the risk of impactful breaches. Defender CSPM uses environment context to perform a risk assessment of your security issues, identifying the biggest security risks and distinguishing them from less risky issues.

With attack path analysis and cloud security explorer, Defender CSPM customers can address the security issues that pose immediate threats with the greatest potential of being exploited, and proactively identify security risks in their cloud environment by running graph-based queries on the cloud security graph, which is Defender for Cloud's context engine.


Agentless container coverage as part of Defender CSPM is now available in public preview. It only takes one click to benefit from adding containers' context to the security graph:

  • Agentless visibility – discover Kubernetes and container registry estate across SDLC and runtime, seamlessly with no footprint on the workloads.
  • Container vulnerability assessment – out of the box container image scanning, including registry and runtime.
  • Attack path analysis – prioritize and zoom into container vulnerabilities and posture risks that matter most.
  • Graph based queries – uncover security insights in their cloud context, such as vulnerabilities, internet exposure, sensitive data and more.

How to benefit from agentless container security in Defender CSPM:

Customers who enabled Defender CSPM after April 17th already enjoy agentless container capabilities - no need to take any further action.


Customers who enabled Defender CSPM before April 17th need to manually enable the “Agentless discovery for Kubernetes” and “Container registries vulnerability assessments” extensions for their Defender CSPM environments.

This is a one-time manual effort; for newly onboarded subscriptions, the relevant extensions will be enabled by default.

To enable these, the following permissions on the subscription are required:

  • Subscription Owner, or
  • User Access Admin + Security Admin

  1. In the Azure portal, navigate to the Defender for Cloud's Environment Settings page.
  2. Select the subscription that's onboarded to the Defender CSPM plan, then select Settings.
  3. Ensure the Agentless discovery for Kubernetes and Container registries vulnerability assessments extensions are toggled to On.


  4. Click save.
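Step 3 is easy to get wrong at scale, so a check that reads the plan's configuration back is useful. The following is an added example (not code from Microsoft's post): it inspects the JSON body returned by `GET .../providers/Microsoft.Security/pricings/CloudPosture?api-version=2023-01-01` for one subscription and reports which of the two extensions this post asks for are absent or switched off; the response below is constructed, and the extension names are assumed to match the `extensions[].name` values of that REST API.

```python
import json

# The two extensions this post tells existing Defender CSPM customers to enable,
# as named in the Microsoft.Security/pricings REST API (assumed; api-version 2023-01-01).
REQUIRED_EXTENSIONS = (
    "AgentlessDiscoveryForKubernetes",
    "ContainerRegistriesVulnerabilityAssessments",
)


def _is_on(value):
    # The API reports isEnabled as the strings "True"/"False"; accept real booleans too.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_cloud_posture(pricing):
    """Return findings for one subscription's CloudPosture pricing resource (parsed JSON)."""
    props = pricing.get("properties", {})
    findings = {"plan_enabled": props.get("pricingTier") == "Standard", "missing": [], "disabled": []}
    present = {e.get("name"): e for e in props.get("extensions", []) if e.get("name")}
    for name in REQUIRED_EXTENSIONS:
        ext = present.get(name)
        if ext is None:
            findings["missing"].append(name)   # not reported at all: treat as not enabled
        elif not _is_on(ext.get("isEnabled")):
            findings["disabled"].append(name)
    findings["ok"] = findings["plan_enabled"] and not findings["missing"] and not findings["disabled"]
    return findings


# Constructed sample: a subscription onboarded before the cut-over date, with registry
# scanning still off and Kubernetes discovery absent from the extension list entirely.
SAMPLE_RESPONSE = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/CloudPosture",
  "name": "CloudPosture",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard",
    "extensions": [
      {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
      {"name": "ContainerRegistriesVulnerabilityAssessments", "isEnabled": "False"}
    ]
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(check_cloud_posture(SAMPLE_RESPONSE), indent=2))
```

Running the same function over every subscription's CloudPosture resource turns the portal toggle in step 3 into a repeatable audit; a subscription on the Free tier is reported as not ok because the extensions only apply to the Defender CSPM plan.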
