Let’s look at some challenges:

  • Log volume and storage: CSPM tools generate a significant volume of log data, especially in large-scale environments. Managing and storing this data can be a challenge, requiring adequate storage capacity and efficient log management practices.
  • Log integrity and protection: Ensuring the integrity and protection of log data is essential. Unauthorized access or tampering with logs can undermine the reliability and accuracy of the audit trail.
  • Log retention and compliance: Compliance requirements may dictate specific log retention periods. Managing long retention policies and ensuring compliance with regulatory guidelines can be challenging, especially in complex or highly regulated environments.

Best practices for activity logging

Here are a few best practices:

  • Log aggregation and centralization: Aggregate logs from various sources within the CSPM environment into a centralized logging system. Centralized logging simplifies log management, analysis, and correlation.
  • Log format standardization: Standardize log formats and structures to facilitate log analysis and correlation across different CSPM tools and systems. Adhering to common log formats simplifies log management and enables better interoperability with log analysis tools.
  • Secure log storage: Implement secure log storage mechanisms to protect log data from unauthorized access or tampering. Encrypt log data at rest and in transit and restrict access to logs based on PoLP.
  • Log retention and rotation: Define and adhere to log retention policies based on compliance requirements. Implement log rotation practices to manage log volume and ensure optimal storage utilization.
  • Log analysis and monitoring: Establish processes and tools for log analysis and real-time monitoring. Proactively analyze log data for anomalies, security incidents, or policy violations to identify potential threats or vulnerabilities.
  • Integration with SIEM/log management systems: Integrate the CSPM tool’s activity logs with SIEM or log management systems. This integration enhances the correlation and analysis of log data with other security events across the infrastructure.
  • Regular log reviews and audits: Conduct regular log reviews and audits to detect any suspicious activities, identify patterns, and ensure compliance with security policies and regulatory requirements.
  • IR and forensics: Leverage activity logs for IR and forensic investigations. Detailed logs can provide critical information for root cause analysis (RCA), impact assessment, and identifying remediation actions.

By carefully considering the aforementioned challenges and best practices, you can gain valuable insights into the cloud environment, identify potential security threats or compliance issues, and respond effectively to incidents or breaches. These logs are essential for security monitoring, IR, forensic investigations, and overall cloud infrastructure governance.
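The log integrity, format standardization, and retention practices described above can be combined in one small mechanism: normalize every tool's records into a common schema, append them to a SHA-256 hash chain so that any edit or deletion after the fact is detectable, and rotate old entries into an archive without losing the ability to verify what remains. The following is an added example and not code from the book or from any CSPM product; the two sources (tool_a, tool_b), their field names, and the sample events are constructed assumptions.

```python
"""Tamper-evident CSPM activity log: records from two tools are normalised to
one schema, appended to a SHA-256 hash chain, and rotated out by retention
without losing verifiability. Added example; the field names and the two
'tool_a'/'tool_b' sources are assumptions, not any product's real schema."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry of a fresh chain


def canonical(record):
    """Serialise a record deterministically so that hashes are reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def normalise(source, raw):
    """Map tool-specific field names onto one standard schema (assumed names)."""
    if source == "tool_a":
        return {"ts": raw["time"], "actor": raw["user"],
                "action": raw["event"], "target": raw["obj"]}
    if source == "tool_b":
        return {"ts": raw["timestamp"], "actor": raw["principal"],
                "action": raw["operation"], "target": raw["resource"]}
    raise ValueError("unknown log source: %s" % source)


def append(chain, record):
    """Append a record, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
    entry = {"record": record, "prev": prev, "hash": digest}
    chain.append(entry)
    return entry


def verify(chain, genesis=GENESIS):
    """Return the index of the first entry whose link is broken, or None."""
    prev = genesis
    for i, entry in enumerate(chain):
        expected = hashlib.sha256(prev.encode() + canonical(entry["record"])).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return None


def rotate(chain, cutoff):
    """Split the chain at a retention cutoff (ISO-8601 timestamp string).
    Entries are appended in time order, so the archived part is a prefix; the
    kept part still verifies when the archived tail's hash is its genesis."""
    archived = [e for e in chain if e["record"]["ts"] < cutoff]
    kept = chain[len(archived):]
    return archived, kept


# Constructed sample events from two hypothetical CSPM tools
RAW_EVENTS = [
    ("tool_a", {"time": "2024-03-01T09:15:00Z", "user": "alice",
                "event": "role.assign", "obj": "bob:admin"}),
    ("tool_b", {"timestamp": "2024-03-02T22:40:00Z", "principal": "svc-ci",
                "operation": "token.create", "resource": "token-17"}),
    ("tool_a", {"time": "2024-03-10T11:05:00Z", "user": "carol",
                "event": "policy.disable", "obj": "cis-1.4"}),
]


def build_chain(events=RAW_EVENTS):
    """Normalise and chain the sample events."""
    chain = []
    for source, raw in events:
        append(chain, normalise(source, raw))
    return chain


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain) is None)
    chain[1]["record"]["actor"] = "alice"   # simulate after-the-fact editing
    print("first broken entry:", verify(chain))
```

A real deployment would write the chain to append-only storage and periodically publish the latest hash somewhere the log writer cannot modify, so that a verifier has an independent anchor; the chain alone only proves consistency with whatever hash you trust as its starting point.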

Summary

Setting up the CSPM environment is a crucial procedure, as it establishes the foundation for effective CSM. In this chapter, we delved into crucial topics such as user management, permission settings, integrations with other tools, reporting capabilities, challenges, and best practices to overcome those challenges. In the next chapter, we will dive deep into cloud asset inventory.

Further reading

To learn more about the topics that were covered in this chapter, take a look at the following resources:

Integrating a CSPM tool with other tools can introduce various data governance challenges. Data governance is essential for ensuring DQ, security, and compliance, and these challenges can impact the overall effectiveness of the integration. Let us take a look at some common data governance challenges:

  • Data ownership: Determining data ownership responsibilities for data used by integrated tools can be complex, leading to ambiguities regarding who is accountable for DQ and data security.
  • Data privacy and compliance: Maintaining data privacy and compliance with data protection regulations is critical. Integrating tools may expose sensitive data, increasing the risk of non-compliance and privacy breaches.
  • Data access control: Coordinating and enforcing consistent data access control policies across integrated tools can be challenging, potentially leading to unauthorized access or data leakage.
  • Metadata management: Creating and maintaining a comprehensive metadata management system to track data sources, definitions, lineage, and attributes across integrated tools can be resource-intensive.
  • Data lineage: Ensuring data lineage is tracked accurately and consistently as data flows between integrated tools can be difficult, making it challenging to trace the origin and transformations of data.
  • Data governance policies: Integrating tools may require adapting or aligning data governance policies across different systems, which can result in conflicts or gaps in policy enforcement.
  • Compatibility: Ensuring compatibility between the CSPM tool and the target tool or system can be challenging. Differences in data formats, APIs, authentication mechanisms, or protocols may require additional configuration or customization for seamless integration.
  • Data collection: Collecting data from various cloud services, such as virtual machines (VMs), storage accounts, databases, and containers, can be complex due to differences in data formats, access controls, and logging mechanisms across providers.
  • Data synchronization: Keeping data synchronized and up to date between the CSPM tool and other tools can be a challenge. Changes or updates made in one system may need to be reflected in the integrated systems in a timely and accurate manner.
  • Security and access control: Integrating multiple tools introduces potential security risks, such as exposing sensitive data or creating new attack vectors. Ensuring proper access controls, secure data transmission, and encryption measures is crucial to maintaining a secure integration environment.
  • Complexity and scalability: Managing integrations between multiple tools can become complex, especially as the number of integrated systems increases.

Mitigating data governance challenges during the integration of CSPM tools with other tools involves the following best practices:

  • Establish clear data ownership roles and responsibilities to ensure accountability for DQ and data security
  • Implement robust data privacy and compliance measures to protect sensitive data, such as encryption, access controls, and data masking
  • Create a centralized data catalog and metadata management system to document data sources, definitions, lineage, and attributes
  • Implement data access controls consistently across integrated tools to prevent unauthorized access
  • Maintain data lineage tracking to ensure that the path of data is clearly understood and documented
  • Review and adapt data governance policies and standards to align with integrated tools while maintaining DQ and data security
  • Monitor and audit data governance practices continuously, ensuring adherence to policies and standards

It is important for organizations to make sure that the various tools (SIEM, ticketing, SSO, and so on) used within the organization are among the integrations offered by CSPM vendors. CSPM vendors also must provide comprehensive guidance and support for each integration type they offer.

Let us now understand the most common integrations offered by CSPM tools.

SSO integration

SSO integration enables users to access the CSPM tool using their existing login credentials from a central identity management system. This integration eliminates the need for separate login credentials, simplifies user management, and improves the user experience. Most CSPM tools integrate with widely used identity providers (IDPs) such as Okta, OneLogin, Azure Active Directory (AAD), AWS SSO, Google Workspace, JumpCloud, Auth0, Ping Identity, and more. CSPM vendors usually also provide a generic SSO integration for identity providers that they do not support directly.

SSO integration is a crucial step for modern security concepts such as zero-trust architecture (ZTA). Let us now understand another important topic, which is CSPM integration with ticketing tools.

Ticketing system integration

Integration with a ticketing or IM system allows the CSPM tool to automatically generate tickets or incidents when security findings or alerts are detected. This integration streamlines IR processes, ensures proper tracking and resolution of security issues, and provides a centralized view of security events. An effective CSPM tool should be able to integrate with a wide range of commonly used ticketing tools such as BMC Remedy and ServiceNow, and agile tools such as Jira and Azure DevOps.

Ticketing tool integration is a crucial step for the remediation of security issues such as misconfigurations in the cloud environment. Let us now understand the integration of CSPM tools with communications tools.

Collaboration and communication (notifications) integrations

Integration with collaboration and communication platforms, such as Slack or Microsoft Teams, allows the CSPM tool to send real-time notifications, alerts, or reports to designated channels or individuals. This integration ensures that stakeholders are promptly informed about security events and can collaborate effectively to address them. Some of the most common notification integrations offered by CSPM tools are Slack, Microsoft Teams, PagerDuty, Opsgenie, Google Cloud Platform (GCP) Publish/Subscribe (Pub/Sub), Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Notification Service (Amazon SNS).

By leveraging Webhook integration, you can automate the transmission of alerts to external applications. This functionality is particularly useful in client-side object model (CSOM) automations, where alerts from the CSPM tool can be seamlessly pushed to your application when specific automation conditions are fulfilled. Typically, CSPM tools send alert data to a designated Webhook endpoint as an HTTP POST request with a JSON body. Webhook integrations offer a distinct advantage over API token-based integrations in that they are event-driven: an action is triggered as soon as an alert occurs, rather than waiting for the next scheduled API request.

The integration of CSPM tools with communications tools is a very important step for the remediation of severe security issues as it enables us to inform the right stakeholders at runtime. Let us now understand the integration of CSPM tools that enrich reporting capabilities.

Environment settings typically refer to configurations and parameters that are specific to the environment in which the CSPM tool is deployed. This allows you to customize the CSPM tool to fit the specific requirements and characteristics of your cloud environment. Every organization’s cloud setup is unique, and these settings enable you to adapt the tool to your infrastructure, compliance standards, and security policies. Also, every CSPM tool is different, and hence no one explanation fits for every tool.

Note

There are dozens of CSPM tools on the market; for example, Prisma Cloud by Palo Alto Networks, Wiz, Orca, Microsoft Defender for Cloud, Amazon Web Services (AWS) Security Hub, Google Cloud Security Command Center, and Dome9, to name a few. Some of them are discussed in Chapter 3 at a very high level. Every tool comes with a distinct set of integration features and different ways of communicating with cloud environments and other tools. Some of the most critical aspects associated with setting up or fine-tuning CSPM tools are discussed in a generic manner without going into many details about a particular CSPM tool, deliberately.

Let us explore the various aspects of environment settings:

  • Cloud provider-specific settings: These settings are specific to the cloud provider you are using, and they configure how the CSPM tool interacts with and retrieves information from your cloud environment. For example, to connect to your AWS environment, you would need to configure the CSPM tool with AWS access keys or identity and access management (IAM) roles.
  • Compliance standards: CSPM tools often allow you to specify the compliance standards or frameworks that your organization needs to adhere to, such as the Center for Internet Security (CIS) benchmarks, the National Institute of Standards and Technology (NIST), the Health Insurance Portability and Accountability Act (HIPAA), or the General Data Protection Regulation (GDPR). For example, you can set your CSPM tool to check for the CIS AWS Foundations Benchmark or Payment Card Industry Data Security Standard (PCI DSS) compliance and configure the desired compliance level.
  • Notification and alerting settings: You can configure how the CSPM tool notifies you about security issues or policy violations. This includes email notifications, integrations with incident management (IM) tools, or other alerting mechanisms. For example, you can specify which email addresses or IM systems should receive notifications when a security issue is detected.
  • Scanning schedule: You can define/customize how often the CSPM tool should scan your cloud environment for security issues. This involves setting up regular scans, immediate scans after specific events, or custom schedules based on your organization’s requirements; for example, daily scans during off-peak hours or real-time scans triggered by specific cloud events.
  • Policy definitions: You can define and customize security policies or rules that the CSPM tool should enforce in your environment. These policies cover aspects such as proper data encryption, access control, network configurations, and more. For example, you can create custom policies to ensure that your resources are configured in alignment with your organization’s specific security requirements.
  • Remediation actions: CSPM tools often include automated remediation capabilities, allowing you to specify actions to be taken automatically when a security violation is detected. For example, the tool might automatically close a security group rule that is deemed too permissive or set up automated actions, such as closing unused security groups or rotating access keys, when violations are found.

Environment settings in a CSPM tool allow you to tailor the tool’s behavior to your specific cloud environment and security needs, ensuring that it effectively monitors, reports, and helps remediate security issues in your cloud infrastructure. Let us now explore those key aspects one by one, starting with user access management (UAM).
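The policy definition and remediation action settings above can be illustrated with a small policy-as-code check. The example below, which is added here and is not code from the book or from any CSPM tool, evaluates security group rules for sensitive ports exposed to any source address, raises severity for production resources, and produces a dry-run remediation plan that revokes rules automatically only in environments where the environment setting allows it. The rule schema, the policy ID net-ingress-001, the port list, and the sample rules are constructed assumptions.

```python
"""Policy-as-code check for internet-exposed ingress rules on sensitive ports,
with a dry-run remediation plan that respects per-environment settings.
Added example; the rule schema, policy ID and tag names are assumptions."""
import ipaddress

POLICY_ID = "net-ingress-001"  # assumed policy identifier
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def sensitive_ports_in(from_port, to_port):
    """Sensitive ports that fall inside a rule's port range."""
    return [p for p in sorted(SENSITIVE_PORTS) if from_port <= p <= to_port]


def evaluate(rules, environment_of):
    """Return one finding per ingress rule that exposes a sensitive port to the
    world. environment_of maps a security group ID to its environment tag."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or not is_world_open(rule["cidr"]):
            continue
        hits = sensitive_ports_in(rule["from_port"], rule["to_port"])
        if not hits:
            continue
        env = environment_of.get(rule["group_id"], "unknown")
        findings.append({
            "policy": POLICY_ID,
            "group_id": rule["group_id"],
            "cidr": rule["cidr"],
            "ports": hits,
            "environment": env,
            # production exposure is treated as critical, everything else as high
            "severity": "critical" if env == "prod" else "high",
        })
    return findings


def remediation_plan(findings, auto_remediate_envs):
    """Decide per finding whether to revoke the rule automatically or only
    open a ticket, based on which environments allow automated remediation."""
    plan = []
    for f in findings:
        action = "revoke_rule" if f["environment"] in auto_remediate_envs else "open_ticket"
        plan.append({"group_id": f["group_id"], "cidr": f["cidr"],
                     "ports": f["ports"], "action": action})
    return plan


# Constructed sample security group rules and environment tags
RULES = [
    {"group_id": "sg-web", "direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 80, "to_port": 80},
    {"group_id": "sg-bastion", "direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"group_id": "sg-db", "direction": "ingress", "cidr": "10.0.0.0/8", "from_port": 3306, "to_port": 3306},
    {"group_id": "sg-dev", "direction": "ingress", "cidr": "::/0", "from_port": 0, "to_port": 65535},
    {"group_id": "sg-dev", "direction": "egress", "cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535},
]
ENVIRONMENT_OF = {"sg-web": "prod", "sg-bastion": "prod", "sg-db": "prod", "sg-dev": "dev"}
AUTO_REMEDIATE = {"dev"}   # environment setting: only dev may be fixed automatically


def run():
    """Evaluate the sample rules and build the matching remediation plan."""
    findings = evaluate(RULES, ENVIRONMENT_OF)
    return findings, remediation_plan(findings, AUTO_REMEDIATE)


if __name__ == "__main__":
    for finding, step in zip(*run()):
        print(finding["severity"], finding["group_id"], finding["ports"], "->", step["action"])
```

Keeping the decision of whether to auto-remediate in a separate setting (AUTO_REMEDIATE) rather than inside the policy is deliberate: the same policy can then be enforced everywhere while automated changes stay restricted to environments where an accidental revocation is acceptable.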

Container security and CSPM are areas that continue to evolve and advance as technology progresses. Here are some of the most recent trends and future advancements to watch for in container security and CSPM:

  • Enhanced container image security: There has been an increased focus on improving container image security by integrating advanced scanning techniques, machine learning, and artificial intelligence (AI). This will help identify even more complex vulnerabilities, malware, and supply chain attacks.
  • Runtime protection and behavioral analysis: Container runtime protection will evolve to include more advanced behavioral analysis and anomaly detection capabilities. This will enable the detection of suspicious activities and real-time mitigation of threats during container runtime.
  • Kubernetes-native security solutions: As Kubernetes remains the dominant container orchestration platform, there will be a rise in Kubernetes-native security solutions. These solutions will provide tighter integration with Kubernetes, offering enhanced visibility, configuration management, and automated remediation for Kubernetes-specific security risks.
  • Immutable infrastructure: The concept of immutable infrastructure, where containers are treated as disposable and immutable, will gain more traction. This approach simplifies security management by minimizing the attack surface and reducing the impact of security incidents.
  • Compliance automation: CSPM tools will increasingly automate compliance monitoring and reporting processes. This will help organizations align with various regulatory frameworks by continuously assessing the security posture of their container environments and generating compliance reports.
  • Integration with DevSecOps: Container security and CSPM solutions will integrate more seamlessly with DevSecOps practices and toolchains. This integration enables security to be embedded throughout the software development life cycle, ensuring security and compliance from the initial stages of application development.
  • Zero trust architecture: Zero trust architecture, which assumes no implicit trust for any user or container, will be adopted more widely. Container security solutions and CSPM tools will incorporate zero trust principles to enforce strict access controls, authentication, and authorization mechanisms.
  • Serverless security: As serverless computing gains popularity, container security solutions and CSPM tools will adapt to address the unique security challenges of serverless environments. This includes securing serverless functions, managing access rights, and monitoring functions for vulnerabilities or misconfigurations.
  • Threat intelligence and threat hunting: Container security solutions and CSPM tools will leverage threat intelligence feeds and advanced threat hunting techniques to proactively identify emerging threats and indicators of compromise. This proactive approach will help organizations stay ahead of potential attacks.
  • Continuous integration and continuous delivery (CI/CD): Container security and CSPM solutions will integrate more seamlessly with CI/CD pipelines to enable automated security testing, vulnerability scanning, and configuration checks during the application build and deployment stages.

Staying current with the latest developments in container security is essential to maintaining the security of containerized applications and infrastructure.

Summary

In this chapter, we understood containerization and explored its benefits in the context of CSPM by explaining the concept of containerization, which involves encapsulating an application and its dependencies into a portable and isolated unit called a container. We also discussed unique container security challenges, onboarding containers to CSPM tools, particularly in the context of Microsoft Defender for Cloud, and challenges that may arise in the onboarding process. We also delved into security best practices for containers and the most recent trends and advancements in container security in the context of CSPM.

In the next chapter, we will discuss CSPM tool environment settings and integration with other IT tools.

Further reading

To learn more about the topics that were covered in this chapter, take a look at the following resources:

A user is a member of your organization whom you would like to grant access to your CSPM tool. Usually, you can invite a user from the CSPM tool with specific permissions to define the scope of their activities and create groups consisting of multiple users with a single set of permissions, and you can also create custom roles defining specific user permissions. User and group permissions settings refer to the configuration and management of user accounts, groups, and their associated access permissions within the CSPM environment. These settings play a crucial role in maintaining a secure and well-controlled access control framework. Let us now understand how user management works in most CSPM tools.

User management

User management involves the management of individual user accounts within the CSPM environment. This includes creating user accounts, assigning unique identifiers (such as usernames or email addresses), and defining authentication mechanisms (for example, passwords or multi-factor authentication (MFA)). Managing users’ permissions in CSPM tools involves configuring and controlling access to the tool’s functionalities and resources. Let us look at the process involved in managing users’ permissions in CSPM tools:

  • User account creation: The first step in managing users is creating user accounts within the CSPM tool. This typically involves providing necessary details such as usernames, email addresses, and authentication credentials. CSPM tools also integrate with existing identity management systems, allowing administrators to synchronize user accounts or authenticate users through SSO mechanisms.
  • Role assignment: After user accounts are created, roles are assigned to determine the level of access and permissions for each user. Roles typically correspond to predefined sets of permissions within the CSPM tool. Common roles include super-admins, administrators, viewers, security analysts, compliance managers, and resource owners. The selection of roles depends on the tool’s capabilities and the organization’s requirements.
  • Permission configuration: Once roles are assigned to users, administrators configure permissions associated with each role. Permissions define the actions and operations a user can perform within the CSPM tool. This includes accessing specific features, viewing security findings, generating reports, modifying settings, and managing resources. Permission configuration ensures that users have appropriate access levels based on their responsibilities and requirements.
  • Access control management (ACM): Managing access control involves defining rules and policies to control user access to the CSPM tool and its resources. This includes configuring MFA requirements, password policies, and session timeouts. Access control settings help ensure secure user authentication and prevent unauthorized access to sensitive information within the CSPM tool.
  • User life cycle management: Over time, the user landscape may change within an organization. Managing users also includes handling tasks such as user onboarding, offboarding, and role changes. When a user joins a security team, and their responsibility includes working on the CSPM tool, their account is created and assigned appropriate roles and permissions. When a user leaves or moves to another department, their account is disabled or removed to prevent unauthorized access. Role changes may also occur as users’ responsibilities evolve, requiring adjustments to their permissions.
  • Auditing and monitoring: CSPM tools often provide auditing and monitoring capabilities to track user activities and permission changes. Auditing logs can help identify any suspicious or unauthorized actions within the tool. Regular monitoring of user accounts and permissions helps maintain the integrity and security of the CSPM environment.
  • Regular access reviews and updates: It is important to conduct periodic access reviews of user accounts and permissions to ensure they remain aligned with the organization’s evolving needs and security requirements. This includes removing unnecessary access, adjusting permissions based on role changes, and identifying potential security gaps or excessive privileges.

Managing users’ permissions in CSPM tools is a crucial aspect of maintaining an effective and secure cloud security posture. Let us understand how user group management works.
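The role assignment, permission configuration, life cycle, and access review steps above can be modelled in a few functions. The following is an added example, not code from the book or from any CSPM tool: roles map to permission strings, groups bundle roles, a user's effective permissions are the union over their groups, offboarding disables the account, and a periodic review flags stale accounts and administrators without MFA. The role names, permission strings, and sample users are constructed assumptions.

```python
"""Role-based access for a CSPM tool: roles, groups, effective permissions,
offboarding and a periodic access review. Added example; role names,
permission strings and the sample users are assumptions."""
import copy
from datetime import date

ROLES = {
    "viewer":  {"findings:read", "reports:read"},
    "analyst": {"findings:read", "findings:update", "reports:read"},
    "admin":   {"findings:read", "findings:update", "reports:read",
                "settings:write", "users:manage"},
}
GROUPS = {"soc": ["analyst"], "cloud-admins": ["admin"], "auditors": ["viewer"]}

# Constructed sample user directory
USERS = {
    "alice": {"groups": ["soc"], "mfa": True, "last_login": "2024-02-20", "active": True},
    "bob":   {"groups": ["cloud-admins"], "mfa": False, "last_login": "2024-03-01", "active": True},
    "carol": {"groups": ["auditors"], "mfa": True, "last_login": "2023-10-01", "active": True},
    "dave":  {"groups": ["soc", "cloud-admins"], "mfa": True, "last_login": "2024-03-02", "active": False},
}


def effective_permissions(users, name):
    """Union of the permissions of every role in every group the user is in;
    a disabled account has no permissions regardless of its groups."""
    user = users[name]
    if not user["active"]:
        return set()
    perms = set()
    for group in user["groups"]:
        for role in GROUPS[group]:
            perms |= ROLES[role]
    return perms


def offboard(users, name):
    """Return a copy of the directory with the account disabled and its group
    memberships removed (the offboarding step of life cycle management)."""
    updated = copy.deepcopy(users)
    updated[name]["active"] = False
    updated[name]["groups"] = []
    return updated


def access_review(users, today_iso, stale_days=90):
    """Flag active accounts that are stale or hold admin rights without MFA.
    today_iso is an ISO date string such as '2024-03-05'."""
    today = date.fromisoformat(today_iso)
    findings = []
    for name, user in users.items():
        if not user["active"]:
            continue
        perms = effective_permissions(users, name)
        if "users:manage" in perms and not user["mfa"]:
            findings.append((name, "admin_without_mfa"))
        idle_days = (today - date.fromisoformat(user["last_login"])).days
        if idle_days > stale_days:
            findings.append((name, "stale_account"))
    return findings


if __name__ == "__main__":
    print(sorted(effective_permissions(USERS, "alice")))
    print(access_review(USERS, "2024-03-05"))
    print(access_review(offboard(USERS, "bob"), "2024-03-05"))
```

Because permissions are derived from group membership rather than stored per user, offboarding only has to clear memberships and the active flag, and the review computes the same effective permissions the tool would enforce, so it cannot drift from reality.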

Managing API tokens involves the administration and control of access tokens used to authenticate and authorize API-based interactions between the CSPM tool and cloud service providers (CSPs) or other external systems. API tokens serve as credentials to establish secure communication and enable the tool to gather security-related information, analyze cloud configurations, and assess the security posture of the cloud environment.

Let us understand how managing API tokens works in most CSPM tools:

  • Token generation and configuration: In CSPM, you can generate more than one API token and use them for different purposes. For example, you can create API tokens that are used in different automations to request different data from the CSPM tool. After generating API tokens, administrators define access control policies and permissions associated with each token. This determines the level of access the CSPM tool has to various cloud resources and services. Access control ensures that the tool only accesses the necessary information and resources required for security assessments and monitoring.
  • Token usage: Once you have configured the API token, you can use it for integration with other applications. You can make requests from your application to the CSPM tool API to receive data on alerts, assets, vulnerabilities, and other objects. API tokens can also be used in CSPM automations: when you create an automation, you select the API token created for your application in the tool’s integration settings, for example, in the section that configures the CSPM tool’s integration with security information and event management (SIEM)/security orchestration, automation, and response (SOAR) tools.
  • Token life cycle management: Managing API tokens involves handling their life cycle, including creation, rotation, and revocation. Periodic token rotation is recommended as a security best practice to minimize the risk of compromised tokens. When a token is no longer needed or if there are concerns about its security, administrators should promptly revoke or disable the token to prevent unauthorized access.
  • Secure storage: API tokens should be stored securely within the CSPM tool’s infrastructure. Proper measures such as encryption and access controls should be implemented to protect tokens from unauthorized access or accidental exposure. Additionally, it is crucial to follow security best practices for securing the storage system that holds the tokens, such as strong access controls, monitoring, and auditing.
  • Token usage tracking and auditing: Administrators should track and audit the usage of API tokens within the CSPM tool. This helps identify any suspicious or unauthorized activities associated with tokens. By monitoring token usage, administrators can detect potential security incidents or misuse of privileges, enabling timely response and mitigation.
  • Integration with IAM: CSPM tools often integrate with IAM systems or cloud provider IAM services. This integration enables the seamless management and synchronization of API tokens with existing user accounts and access control policies. It ensures that the tokens align with the organization’s broader IAM framework and security policies.

Effective management of API tokens in CSPM tool management helps ensure secure and controlled access to cloud resources and enables accurate security assessments.
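The token life cycle described above (generation with scoped permissions, usage, rotation, revocation, secure storage, and usage auditing) is shown end to end in the following added example. It is not code from the book or from any CSPM tool; the token format (tok_<id>.<secret>), the scope names, and the 90-day rotation period are assumptions. Only a SHA-256 digest of each secret is kept, the plaintext is returned once at issue time, and every authentication attempt is written to an audit trail.

```python
"""API token life cycle for a CSPM tool: issue, authenticate, rotate, revoke,
and rotation reminders, storing only a digest of each secret and keeping an
audit trail. Added example; the token format and scope names are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def utc(year, month, day):
    """Timezone-aware UTC timestamp helper."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


def digest(secret):
    """What gets stored instead of the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


class TokenStore:
    def __init__(self, rotation_days=90):
        self.rotation = days(rotation_days)
        self._tokens = {}   # token_id -> metadata; the secret is never stored
        self.audit = []     # (timestamp, event, token_id, detail)

    def issue(self, name, scopes, now):
        """Create a scoped token; the plaintext is returned exactly once."""
        token_id = "tok_" + secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._tokens[token_id] = {"name": name, "scopes": set(scopes),
                                  "digest": digest(secret), "created": now,
                                  "revoked": False, "last_used": None}
        self.audit.append((now, "issue", token_id, name))
        return token_id, token_id + "." + secret

    def authenticate(self, presented, scope, now):
        """Check a presented token for one scope; returns (allowed, reason)."""
        token_id, _, secret = presented.partition(".")
        meta = self._tokens.get(token_id)
        if meta is None:
            reason = "unknown_token"
        elif not hmac.compare_digest(meta["digest"], digest(secret)):
            reason = "bad_secret"          # constant-time comparison of digests
        elif meta["revoked"]:
            reason = "revoked"
        elif now - meta["created"] > self.rotation:
            reason = "expired"             # overdue for rotation: refuse it
        elif scope not in meta["scopes"]:
            reason = "scope_denied"
        else:
            reason = "ok"
            meta["last_used"] = now
        self.audit.append((now, "auth", token_id, reason + ":" + scope))
        return reason == "ok", reason

    def revoke(self, token_id, now):
        self._tokens[token_id]["revoked"] = True
        self.audit.append((now, "revoke", token_id, ""))

    def rotate(self, token_id, now):
        """Issue a replacement with the same name and scopes, then revoke the old one."""
        old = self._tokens[token_id]
        new_id, plaintext = self.issue(old["name"], old["scopes"], now)
        self.revoke(token_id, now)
        self.audit.append((now, "rotate", token_id, "replaced_by:" + new_id))
        return new_id, plaintext

    def due_for_rotation(self, now, warn_days=14):
        """Live tokens within warn_days of their rotation deadline."""
        threshold = self.rotation - days(warn_days)
        return [tid for tid, m in self._tokens.items()
                if not m["revoked"] and now - m["created"] >= threshold]


def demo():
    """Walk a token through its life cycle; returns the audit trail."""
    store = TokenStore(rotation_days=90)
    t0 = utc(2024, 1, 1)
    tid, plain = store.issue("siem-export", ["alerts:read"], t0)
    store.authenticate(plain, "alerts:read", t0 + days(1))
    store.authenticate(plain, "assets:write", t0 + days(1))     # scope denied
    new_id, new_plain = store.rotate(tid, t0 + days(80))
    store.authenticate(plain, "alerts:read", t0 + days(81))     # old token revoked
    store.authenticate(new_plain, "alerts:read", t0 + days(81))
    return store.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit trail records denied attempts as well as successes, which is what makes token usage tracking useful: a burst of bad_secret or revoked entries for one token ID is a signal worth investigating, while scope_denied entries show an integration requesting more than it was granted.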

Cost management in cloud environments is crucial to optimizing expenditure and ensuring efficient resource allocation. TBAC can play a vital role in controlling costs by allowing organizations to categorize and manage resources based on their attributes. By tagging resources with attributes such as department, project, or environment, it becomes easier to track costs associated with each category. This enables more accurate showback and chargeback practices, where the costs of cloud resources are transparently attributed to specific departments or teams. Showback allows you to provide insights to various stakeholders on their resource consumption, while chargeback enables you to bill the respective departments or teams for their resource usage. Implementing TBAC alongside showback and chargeback concepts ensures that cost management is both effective and transparent, facilitating better decision-making and cost optimization.
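The showback and chargeback practices above depend on consistent tagging, so the check that resources carry the required tags belongs next to the cost roll-up. The following added example (not code from the book or from any cloud provider's billing API) sums constructed monthly costs per department tag, reports untagged spend separately for showback, distributes that unattributable spend proportionally for chargeback, and lists the resources whose missing tags caused it. The tag names, resources, and costs are constructed assumptions.

```python
"""Tag-based showback and chargeback: cost per department tag, untagged
resources surfaced, and unattributable spend distributed proportionally.
Added example; resources, costs and required tag names are constructed."""
REQUIRED_TAGS = ("department", "project", "environment")

# Constructed sample inventory with monthly cost in the account's currency
RESOURCES = [
    {"id": "vm-1", "cost": 120.0, "tags": {"department": "finance", "project": "ledger", "environment": "prod"}},
    {"id": "vm-2", "cost": 80.0, "tags": {"department": "finance", "project": "ledger", "environment": "dev"}},
    {"id": "db-1", "cost": 300.0, "tags": {"department": "sales", "project": "crm", "environment": "prod"}},
    {"id": "bucket-1", "cost": 15.5, "tags": {"project": "crm"}},
]


def tag_violations(resources, required=REQUIRED_TAGS):
    """Resources missing mandatory tags, with the tags they lack. These cannot
    be attributed to anyone and are what a tagging policy should block."""
    violations = []
    for r in resources:
        missing = [t for t in required if t not in r["tags"]]
        if missing:
            violations.append((r["id"], missing))
    return violations


def showback(resources, key="department"):
    """Cost per tag value; spend on resources lacking the tag is reported
    under 'unallocated' rather than silently dropped."""
    totals = {}
    for r in resources:
        bucket = r["tags"].get(key, "unallocated")
        totals[bucket] = round(totals.get(bucket, 0.0) + r["cost"], 2)
    return totals


def chargeback(resources, key="department"):
    """Bill each tag value its own cost plus a share of unallocated spend in
    proportion to its attributed cost, so the invoice sums to total spend."""
    totals = showback(resources, key)
    shared = totals.pop("unallocated", 0.0)
    allocated = sum(totals.values())
    if not allocated:
        return totals
    return {k: round(v + shared * v / allocated, 2) for k, v in totals.items()}


if __name__ == "__main__":
    print("showback:", showback(RESOURCES))
    print("chargeback:", chargeback(RESOURCES))
    print("tag violations:", tag_violations(RESOURCES))
```

Whether unallocated spend is spread proportionally, billed to a central pool, or charged to the team that owns the untagged resource is an organizational decision; the important point is that it is visible in the showback view, since untagged resources are also the ones most likely to fall outside policy enforcement.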

Regular access reviews, adherence to PoLP, and robust processes for user life cycle management are essential for maintaining a secure and well-managed CSPM environment. Let us now understand another important aspect of environment setting, which is the integration of CSPM tools with other tools.

CSPM integrations with other tools

Most CSPM tools offer integration with other tools to improve overall security management processes. Integration is the process of connecting and combining the functionalities of different software tools or systems to achieve enhanced functionality, streamlined workflows, and improved data exchange. Integration allows tools to work together seamlessly, leveraging each other’s capabilities and data to create a more comprehensive and efficient solution.

Tool integration provides several benefits, including the following:

  • Streamlined workflows: Integration reduces manual effort, improves data accuracy, and streamlines processes by enabling data and actions to flow seamlessly between tools. This enhances productivity and reduces the potential for errors.
  • Enhanced functionality: By combining the capabilities of different tools, integration extends the functionality and effectiveness of each individual tool. This allows organizations to leverage the strengths of multiple tools and create a more comprehensive solution.
  • Data synchronization: Integration ensures that data remains consistent and up to date across different systems. For example, integrating a CSPM tool with a configuration management database (CMDB) ensures that security assessments are based on the most accurate and recent configuration data.
  • Automation and efficiency: Integration enables automated workflows and actions triggered by events or conditions in one tool. This reduces manual intervention, improves response times, and increases overall operational efficiency.

Implementing tool integrations requires understanding APIs, protocols, or interfaces provided by the tools involved and configuring them to work together. Integration capabilities can vary depending on the tools and the availability of pre-built connectors or APIs for integration purposes.

Integration with reporting and analytics platforms enables the CSPM tool to generate comprehensive security reports, visualizations, and insights. This integration allows security teams to analyze trends, track compliance status, and present the organization’s security posture to stakeholders effectively. Common targets are Microsoft Power BI and Grafana, which are the most widely used tools in the industry; the broad API offerings of CSPM tools make such reporting integrations possible. We will discuss reporting in detail in the next section of this chapter. Let us now understand CSPM tool integration with SIEM/SOAR tools.

Monitoring (SIEM/SOAR) tool integration

Integrating SIEM and SOAR tools with CSPM solutions is a crucial part of monitoring the security of cloud infrastructure. This integration helps you centralize and automate security monitoring, incident detection, and response in your cloud environment. Let’s take a closer look at this:

  • SIEM integration: Integration between a CSPM tool and an SIEM system allows the exchange of security-related data and events. CSPM tools can feed security findings, alerts, and configuration data to the SIEM system, enriching overall security event monitoring and analysis. SIEM integration provides a broader context to CSPM data, enabling correlation with other security events across the infrastructure and enhancing threat detection capabilities.
  • SOAR integration: CSPM tools can integrate with SOAR platforms to automate IR workflows. By exchanging data and alerts between the CSPM tool and the SOAR platform, security teams can automate response actions based on predefined playbooks or workflows. This integration streamlines IR, enables the rapid containment and remediation of security incidents, and enhances overall operational efficiency.

Using CSPM data in your applications is a key reason for configuring integration with the CSPM tool. Once the CSPM tool is integrated with your application, you can receive data from it, including data on alerts, assets, and other objects. This data can be utilized for diverse purposes such as in-depth analysis, storage, ticket creation, and more.

You can integrate your application with CSPM tools using the API and Webhooks:

  • Using API integration: The API functionality of the CSPM tool enables you to retrieve data and perform actions within the tool, such as initiating asset scans or verifying alerts. To utilize the API, you need to set up an API token within the tool. Once the API token is configured, you can send API requests from your application to interact with the CSPM tool, accessing the desired data or triggering specific actions.
  • Using Webhook integration: Webhooks enable the real-time pushing of alert data from the CSPM tool to your system as soon as specific alerts are identified. By incorporating Webhooks into notification integrations, you can promptly send messages or emails when critical alerts are detected, requiring immediate response actions. This ensures timely awareness and enables swift IM.
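As an added example (not from the book or any CSPM vendor), the following Python receiver shows what the Webhook path above looks like on the application side: it checks that the pushed alert really came from the CSPM tool before acting on it, using an assumed HMAC-SHA256 signature over the raw body with a shared secret, and then normalizes the alert into a standard event for ticket creation or SIEM forwarding. The payload fields and the signature scheme are assumptions, not any vendor's actual schema.

```python
import hashlib
import hmac
import json

# Constructed sample: the shared secret configured on both the CSPM tool and the
# receiving application when the webhook notification integration is set up.
WEBHOOK_SECRET = b"example-shared-secret"

# Constructed alert payload in the shape a CSPM tool might push (field names are
# assumptions, not any vendor's actual schema).
SAMPLE_ALERT = json.dumps({
    "alert_id": "alrt-0001",
    "severity": "critical",
    "policy": "Storage account allows public blob access",
    "asset": {
        "cloud": "azure",
        "type": "storage_account",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
              "rg-example/providers/Microsoft.Storage/storageAccounts/stexample001",
    },
    "detected_at": "2024-01-15T10:22:00Z",
}).encode()

def sign_payload(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (assumed signature scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(body: bytes, signature: str, secret: bytes) -> bool:
    """Constant-time comparison, so a forged webhook cannot be timed into acceptance."""
    return hmac.compare_digest(sign_payload(body, secret), signature)

def to_siem_event(alert: dict) -> dict:
    """Normalize the vendor payload into a flat, standardized event for SIEM/ticketing."""
    return {
        "source": "cspm",
        "event_id": alert["alert_id"],
        "severity": alert["severity"].upper(),
        "rule": alert["policy"],
        "resource_id": alert["asset"]["id"],
        "cloud": alert["asset"]["cloud"],
        "timestamp": alert["detected_at"],
        # Only critical alerts open a ticket immediately; the rest are batched for review.
        "action": "create_ticket" if alert["severity"] == "critical" else "queue",
    }

def handle_webhook(body: bytes, signature: str, secret: bytes = WEBHOOK_SECRET):
    """Called by the web handler with the raw body and the signature header.
    Returns the normalized event, or None when the signature does not verify."""
    if not verify_signature(body, signature, secret):
        return None
    return to_siem_event(json.loads(body))

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_ALERT, sign_payload(SAMPLE_ALERT, WEBHOOK_SECRET)))
    print(handle_webhook(SAMPLE_ALERT, "deadbeef"))  # tampered or forged request -> None
```

Rejected deliveries should still be logged with the source address and the unverified body hash, since a burst of failed verifications is itself a signal worth sending to the SIEM.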

An effective CSPM tool should be able to integrate with a wide range of commonly used SIEM/SOAR tools such as Splunk, Microsoft Sentinel, Sumo Logic, IBM QRadar, Cribl, JupiterOne, Vulcan, Chronicle, Swimlane, and more.

Azure Kubernetes Service (AKS) is a managed service offered by Microsoft for developing, deploying, and managing containerized applications. To onboard AKS to Microsoft Defender for Cloud, take the following steps, each accompanied by the relevant Microsoft documentation:

  1. Network requirement: It is important to note that by default, AKS clusters have unrestricted outbound (egress) internet access. To understand more about outbound network rules and FQDNs for AKS clusters, refer to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/aks/outbound-rules-control-egress#required-outbound-network-rules-and-fqdns-for-aks-clusters).
  2. Enable the Defender plan: To follow the steps to enable the Defender plans for containers, refer to the Microsoft documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#enable-the-plan).
  3. Deploy the Defender profile: You can enable the Defender for Containers plan and deploy all of the relevant components from the Azure portal, the REST API, or with a Resource Manager template. A default workspace is automatically assigned once the Defender profile is deployed. It is also possible to assign a custom workspace in place of the default workspace through Azure Policy, which is a helpful feature for collecting logs in one centralized workspace. To learn more about the detailed and updated steps, follow the Microsoft documentation (https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile).
  4. View scan results: After vulnerability scanning is enabled and configured, Microsoft Defender for Cloud will automatically scan the registry images based on the specified settings. You can view the scan results in the Azure portal. Navigate to the Container Registry and select Vulnerabilities in the Security section to see the scan results and any identified vulnerabilities.
  5. Take remediation actions: If any vulnerabilities are detected, review the details provided by Microsoft Defender for Cloud and take the necessary remediation actions. This may involve updating the vulnerable images, applying patches, or implementing other security measures.
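To confirm that the preceding steps actually took effect on a given cluster, here is an added Python check (not from the book or Microsoft) that reads the JSON you would get from `az aks show` and `az security pricing show --name Containers` and reports anything still missing: user-defined egress that needs the required FQDNs allowed, a plan that is not enabled, a profile that is not deployed, or logs going to a default workspace instead of the central one. The sample JSON is constructed, and the property names (networkProfile.outboundType, securityProfile.defender.*, pricingTier) follow the AKS and Defender pricing schemas as understood here, so verify them against your own az output before relying on the check.

```python
# Constructed value: the centralized Log Analytics workspace assigned through Azure Policy.
CENTRAL_WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                     "rg-security/providers/Microsoft.OperationalInsights/workspaces/law-central")

# Constructed samples shaped like the JSON returned by `az aks show` and by
# `az security pricing show --name Containers`; property names are assumptions
# to be verified against real output.
SAMPLE_CLUSTER = {
    "name": "aks-example-01",
    "networkProfile": {"outboundType": "loadBalancer"},
    "securityProfile": {"defender": {
        "logAnalyticsWorkspaceResourceId": CENTRAL_WORKSPACE,
        "securityMonitoring": {"enabled": True},
    }},
}
SAMPLE_PRICING = {"name": "Containers", "pricingTier": "Standard"}

def check_onboarding(cluster: dict, pricing: dict, expected_workspace: str) -> list:
    """Return a list of findings; an empty list means the cluster is fully onboarded."""
    findings = []
    # Step 1, network: loadBalancer egress is unrestricted by default, so nothing blocks
    # the Defender components; with userDefinedRouting the required FQDNs must be allowed.
    if (cluster.get("networkProfile") or {}).get("outboundType") == "userDefinedRouting":
        findings.append("egress is user-defined: confirm the required AKS/Defender FQDNs are allowed")
    # Step 2, plan: Defender for Containers is on only when the pricing tier is Standard.
    if pricing.get("pricingTier") != "Standard":
        findings.append("Defender for Containers plan not enabled (pricingTier is not Standard)")
    # Step 3, profile: the cluster must report security monitoring as enabled...
    defender = (cluster.get("securityProfile") or {}).get("defender") or {}
    if not (defender.get("securityMonitoring") or {}).get("enabled"):
        findings.append("Defender profile not deployed on the cluster")
    # ...and should send logs to the centralized workspace, not an auto-assigned default.
    elif defender.get("logAnalyticsWorkspaceResourceId") != expected_workspace:
        findings.append("cluster logs to a different workspace than the central one")
    return findings

if __name__ == "__main__":
    print(check_onboarding(SAMPLE_CLUSTER, SAMPLE_PRICING, CENTRAL_WORKSPACE))  # []
    not_enabled = {**SAMPLE_PRICING, "pricingTier": "Free"}
    print(check_onboarding(SAMPLE_CLUSTER, not_enabled, CENTRAL_WORKSPACE))
```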

Similar to the preceding example, you can follow the CSPM tool’s documentation (in this case, Microsoft’s) to onboard Kubernetes clusters hosted in other environments. Refer to the following document to understand the onboarding process for on-premises/IaaS (Arc), Amazon EKS, and GKE clusters: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-portal%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-extension.

Now you understand the process of onboarding containers to the CSPM tool with the help of an example using Microsoft Defender for Cloud. Let us now understand the challenges and issues that may arise while onboarding Kubernetes clusters to the CSPM tool.

copyright © 2024 skygravity.org