KINTO Tech Blog
Cloud

Protecting Workloads on Azure Container Apps: A Practical Approach with Sysdig Serverless Agent


This article is the entry for day 7 in the KINTO Technologies Advent Calendar 2025 🎅🎄

Introduction

Hello, I'm Tada from the Cloud Security Group at KINTO Technologies. I usually work at the Osaka Tech Lab.

Many of the services we develop are built on Amazon Web Services. However, with the growing adoption of generative AI, we're increasingly using Microsoft Azure alongside OpenAI.

In this article, I'll explain the need for workload protection in Azure Container Apps, the limitations of Microsoft Defender for Cloud, and a practical protection approach using Sysdig Serverless Agent.

What Is Azure Container Apps?

Azure Container Apps (ACA) is a serverless container execution environment provided by Microsoft. For more details about ACA, please refer to Microsoft's documentation.

From a security perspective, ACA is a Kubernetes-based managed service where Microsoft is responsible for securing the infrastructure layer (nodes, network, OS). However, security at the application layer (container workloads) is the user's responsibility.

This article focuses on how to achieve workload protection at the application layer within this shared responsibility model.

Why Is Workload Protection Necessary?

Even in serverless environments, the following security risks still exist:

  • Vulnerabilities in container images
  • Runtime threats
  • Misconfigurations and excessive permissions

In particular, for runtime threats, you need to detect and respond to threats such as:

  • Detecting and preventing cryptocurrency mining
  • Preventing container drift (unauthorized changes)
  • Detecting and preventing unauthorized network communications
  • Blocking reverse shell execution
  • Detecting fileless execution

To address these threats, continuous monitoring and threat detection at runtime are essential.

For more information about ACA's security features, please refer to this documentation.

Can Microsoft Defender for Cloud Provide Workload Protection?

The short answer is: As of November 2025, Defender for Containers does not support ACA.

Microsoft Defender for Containers supports Azure Kubernetes Service, Azure Container Registry, AWS EKS, Google GKE, and more. For detailed support coverage, please refer to this page.

This means that to achieve workload protection at the application layer, adopting third-party products is recommended.

Workload Protection with Sysdig Serverless Agent

At KINTO Technologies, we use Sysdig Secure for cloud security operations, including detective guardrails (CSPM).
We've published several blog posts about how we use Sysdig Secure, so feel free to search for them. The most recent one is AI-SPM Initiatives for Securing LLM Applications.

We're also working on protecting ACA workloads using the Serverless Agent provided by Sysdig Secure.

What Is Sysdig Serverless Agent?

Sysdig Serverless Agent is a runtime security agent designed for serverless environments. It can monitor container workloads and detect threats.

For installation and configuration of Serverless Agent on ACA, please refer to SCSK Corporation's blog, which provides a detailed explanation. It will give you a good understanding of the Serverless Agent.

The Serverless Agent performs user-space level monitoring in serverless environments where it cannot access the host kernel.

For detailed architecture information, please refer to Sysdig's documentation.

An important point about this mechanism is that only the process tree started by the container's ENTRYPOINT is monitored. Therefore, shells or child processes spawned via docker exec are created outside this monitored tree and are not detected at the system call level.

Blind Spots in Serverless Agent Detection

As mentioned above, the Serverless Agent monitors only the process tree started by ENTRYPOINT. If an attacker gains access to the Azure portal or CLI by some means (vulnerability exploitation, credential theft, etc.), they can open a shell inside the container with the following command:

az containerapp exec --name hogehoge-containerapp --resource-group hogehoge-resourcegroup --exec-command "/bin/bash"

Once inside the container, unauthorized activities can be performed without being detected by the Serverless Agent.

How Do We Detect Attacks via exec?

Since attacks via exec cannot be detected by the Serverless Agent, we instead look for signs of attack by monitoring the exec operations themselves, which are recorded in the Azure Activity Log (audit log).

Sysdig Secure has a feature called Cloud Detection and Response that can monitor audit logs in real time.

Sysdig's Cloud Detection and Response performs threat detection using Falco. When the az containerapp exec command is executed or exec is performed via the Azure console, the following event is recorded in Azure Activity Log:

Microsoft.App/containerApps/getAuthToken/action

By matching this event with a Falco rule, exec operations can be detected in real time. The rule is shown below. Because it catches exec performed via both the Azure portal and the CLI, you can build an operational procedure around it, such as reviewing every detected exec and confirming it was authorized.

rules:
  - rule: Detect Azure ContainerApp AuthToken Succeeded
    desc: Detect when Azure Activity Log shows Microsoft.App/containerApps/getAuthToken/action with status Succeeded
    condition: >
      evt.type = "open" and
      json.value["operationName.value"] = "Microsoft.App/containerApps/getAuthToken/action" and
      json.value["status.value"] = "Succeeded"
    output: >
      Azure ContainerApp AuthToken request succeeded
      (operation=%json.value["operationName.value"], status=%json.value["status.value"], caller=%json.value["caller"])
    priority: WARNING
    source: json
    tags: [azure, containerapp, auth, security]
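As an added example (not part of the original post or Sysdig's product), the same predicate as the Falco rule above applied offline in Python to constructed Azure Activity Log entries, with a hypothetical allowlist of callers who are permitted to exec (a break-glass account, for instance), so that unexpected callers are flagged. The subscription id and all callers and timestamps are placeholders.

```python
import json

EXEC_OP = "Microsoft.App/containerApps/getAuthToken/action"

def make_event(ts, caller, op, status, app):
    """Build a minimal Activity Log entry (constructed sample data, not a real export)."""
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": op}, "status": {"value": status},
            "resourceId": "/subscriptions/<sub-id>/resourceGroups/hogehoge-resourcegroup"
                          "/providers/Microsoft.App/containerApps/" + app}

# Constructed Activity Log entries serialised as JSON lines, as they might arrive from a
# log export. An exec shows up as getAuthToken/action; the Activity Log also records a
# "Started" event for the same operation, which the rule deliberately ignores.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    make_event("2025-11-20T01:02:03Z", "alice@example.com", EXEC_OP, "Started", "hogehoge-containerapp"),
    make_event("2025-11-20T01:02:04Z", "alice@example.com", EXEC_OP, "Succeeded", "hogehoge-containerapp"),
    make_event("2025-11-20T01:05:00Z", "deploy-sp@example.com", "Microsoft.App/containerApps/write", "Succeeded", "hogehoge-containerapp"),
    make_event("2025-11-20T02:00:00Z", "mallory@example.com", EXEC_OP, "Succeeded", "other-containerapp"),
    make_event("2025-11-20T02:00:30Z", "mallory@example.com", EXEC_OP, "Failed", "other-containerapp"),
])

def parse_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def matches_exec_rule(event):
    """Same predicate as the Falco rule: operationName.value is getAuthToken/action
    and status.value is Succeeded."""
    return (event.get("operationName", {}).get("value") == EXEC_OP
            and event.get("status", {}).get("value") == "Succeeded")

def detect_exec(events, allowed_callers=frozenset()):
    """One finding per successful exec. Callers outside the (hypothetical) allowlist
    are marked unauthorized so an operator can follow up."""
    findings = []
    for ev in events:
        if not matches_exec_rule(ev):
            continue
        findings.append({"time": ev["eventTimestamp"], "caller": ev["caller"],
                         "app": ev["resourceId"].rsplit("/", 1)[-1],
                         "authorized": ev["caller"] in allowed_callers})
    return findings

if __name__ == "__main__":
    for f in detect_exec(parse_jsonl(SAMPLE_JSONL), allowed_callers={"alice@example.com"}):
        flag = "OK   " if f["authorized"] else "ALERT"
        print(f"{flag} {f['time']} {f['caller']} exec into {f['app']}")
```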

Summary

In this article, I explained a practical approach to workload protection in Azure Container Apps.

  • Defender for Cloud does not support Azure Container Apps
  • Workload protection with third-party products like Sysdig Serverless Agent is effective
  • It's important to understand that Serverless Agent may have detection blind spots due to its architecture
  • For blind spots, it's crucial to detect threats through defense in depth and increase coverage

This article covered workload protection in Azure Container Apps.

Our Cloud Security Group practices security in multi-cloud environments on a daily basis. We will continue to share our group's initiatives in the future.

Thank you for reading to the end.
