Container
Use the JSA Container Content Extension to closely monitor containers in your deployment.
This content extension does not install when the Parent Filename custom property from Cisco AMP V.1.0.0 is present. Delete Parent Filename before you install this content extension.
JSA Container Content Extension V1.1.1
The following table shows the custom properties in JSA Container Content Extension V1.1.1.
Table 1: Custom Properties in JSA Container Content Extension V1.1.1
Name | Optimized | Found in |
---|---|---|
Container Image | No | |
Container Image ID | No | |
Container Name | No | |
JSA Container Content Extension V1.1.0
The following table shows the custom properties in JSA Container Content Extension V1.1.0.
Table 2: Custom Properties in JSA Container Content Extension V1.1.0
Name | Optimized | Found in |
---|---|---|
Namespace | Yes | |
Privileged Container | Yes | |
Process CommandLine | Yes | |
Reason | Yes | |
Resource | Yes | |
Resource Name | Yes | |
Role | Yes | |
Role Actions | Yes | |
Role Assigned Resources | Yes | |
The following table shows the rules and building blocks in JSA Container Content Extension V1.1.0.
Table 3: Rules and Building Blocks in JSA Container Content Extension V1.1.0
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviourDefinition: Unauthorized User Creating Namespaces | Identifies unauthorized users creating namespaces. |
Building Block | BB:CategoryDefinition: Resource Creation Events | Detects when components are created under critical namespaces, such as kube-system or kube-public. The kube-system namespace should only be used by objects created by the Kubernetes system. The kube-public namespace is readable by all users, so it must be used with caution. |
Building Block | BB:DeviceDefinition: Containers | Defines all container log sources on the system. |
Rule | Command Execution in Critical Namespaces by Non-System User | Detects execution of a command in a critical namespace, for example kube-system in Kubernetes, by a non-system user. Normal users should not interact with system resources. Note: Edit the rule to replace "system:serviceaccount" with the typical service accounts on the system. |
Rule | Communication from an Insecure Port | Detects communication from an insecure port (2379, 8080, or 10250). The insecure port is disabled by default from Kubernetes v.1.14, but it is possible to enable it explicitly (insecure-port flag in the policy). Once the insecure port is enabled, full access to the API is granted without authentication. |
Rule | Creation of a Privileged Role for Container | Detects the creation of a privileged role. By default, a privileged role is defined as a role that has access to all resources with all rights, or that has create, update, or delete rights on "secrets" specifically. Note: The rule response adds the role to the Privileged Role reference set. Adjust the AQL query to include any permission that you consider privileged. |
Rule | Creation of Resources in Critical Namespaces | Detects when resources are created under critical namespaces, such as kube-system or kube-public. The kube-system namespace should only be used by objects created by the Kubernetes system. The kube-public namespace is readable by all users, so it must be used with caution. |
Rule | Deletion of a Privileged Role for Container | Detects the deletion of a privileged role defined in the Privileged Role reference set. Note: The rule response removes the role from the Privileged Role reference set. Note: In JSA 7.3.2 and earlier versions, the reference set does not link properly to Privileged Roles - AlphaNumeric. This was corrected in 7.3.2 patch 1. If you do not have 7.3.2 patch 1 installed, you can do the following: Select the rule, and click Next. Under Rule Response, click the list for the reference set, and select Privileged Roles - AlphaNumeric. |
Rule | Multiple Failures Reading Secrets | Detects multiple failures reading secrets (storage of sensitive information, such as passwords, OAuth tokens, ssh keys, etc). |
Rule | Multiple Sensitive Resources Deleted | Detects when multiple sensitive resources are being deleted. This may indicate an intruder is compromising sensitive information. Note: The Sensitive Resource Names reference map of sets must be populated with the relevant names. |
Rule | Namespace Created Followed by Multiple Resources Created on a Container Environment | Detects when an unauthorized user creates a new namespace, followed by the creation of multiple resources in that namespace. Creating a namespace is a valid action for any user, but creating multiple resources in the namespace right after creating it is suspicious. Note: Edit the rule to replace "authorized_users" with the typical administrators of the system. |
Rule | Remote Shell Execution to a Container Detected | Detects remote shell execution. An adversary might use this technique to execute arbitrary commands on a server. This could affect applications and data, and allow the adversary to pivot to other systems within the organization. |
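The privileged-role definition that the Creation of a Privileged Role for Container rule describes (all rights on all resources, or create, update, or delete rights on secrets), as an added Python example that is not the content extension's own code: it applies the definition to Kubernetes RBAC rules and collects the names of privileged roles from constructed audit-log events, the way the rule response populates the Privileged Role reference set. Field names follow the Kubernetes audit event format; treating a wildcard resource or verb list as covering secrets and the write verbs is an assumption noted in the code.

```python
"""Added example (not the content extension's own code): flag Kubernetes RBAC roles as
privileged per the rule's definition and collect their names from audit events."""
import json

WILDCARD = "*"
SECRET_WRITE_VERBS = {"create", "update", "delete"}

def rbac_rule_is_privileged(rule):
    """One PolicyRule. Assumption: a wildcard resource list also covers
    secrets, and a wildcard verb list also covers the write verbs."""
    resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
    full_access = WILDCARD in resources and WILDCARD in verbs
    touches_secrets = "secrets" in resources or WILDCARD in resources
    writes = WILDCARD in verbs or bool(verbs & SECRET_WRITE_VERBS)
    return full_access or (touches_secrets and writes)

def role_is_privileged(spec):
    return any(rbac_rule_is_privileged(r) for r in spec.get("rules", []))

def privileged_roles_from_audit(lines):
    """Map role name -> creating user for successful role/clusterrole creations
    whose request body is privileged. Input: one audit JSON object per line."""
    found = {}
    for line in lines:
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") != "create" or ref.get("resource") not in ("roles", "clusterroles"):
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 300:
            continue  # request was rejected, so no role was created
        if role_is_privileged(ev.get("requestObject", {})):
            found[ref["name"]] = ev.get("user", {}).get("username", "")
    return found

def _event(user, kind, name, rules, code=201):
    return json.dumps({"verb": "create", "user": {"username": user},
                       "objectRef": {"resource": kind, "name": name},
                       "requestObject": {"rules": rules},
                       "responseStatus": {"code": code}})

SAMPLE_AUDIT = [  # constructed events with made-up names, not real cluster data
    _event("dev-alice", "clusterroles", "god-mode", [{"resources": ["*"], "verbs": ["*"]}]),
    _event("dev-bob", "roles", "secret-reader", [{"resources": ["secrets"], "verbs": ["get", "list"]}]),
    _event("dev-carol", "roles", "secret-writer", [{"resources": ["secrets"], "verbs": ["update"]}]),
    _event("dev-dan", "roles", "denied", [{"resources": ["*"], "verbs": ["*"]}], code=403),
]

if __name__ == "__main__":
    print(privileged_roles_from_audit(SAMPLE_AUDIT))
```

The read-only secrets role and the rejected (HTTP 403) request are deliberately left out of the result, which is the same distinction the rule draws between privileged and ordinary roles.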
The following table shows the reports in JSA Container Content Extension V1.1.0.
Table 4: Reports in JSA Container Content Extension V1.1.0
Report Name | Description |
---|---|
Forbidden Failed API Requests Grouped by Username | Shows forbidden failed API requests from Kubernetes users. Saved Search: Events: Forbidden Failed API Requests Grouped by Username Note: Edit this search and any relevant search dependencies to refine the results. |
Privileged Roles and Users for Container | Shows privileged roles and users from Kubernetes. The report content is collated by using the following Log Activity searches: Note: Edit this search and any relevant search dependencies to refine the results. |
The following table shows the reference data in JSA Container Content Extension V1.1.0.
Table 5: Reference Data in JSA Container Content Extension V1.1.0
Type | Name | Description |
---|---|---|
Reference Set | Privileged Role | Lists all privileged roles. |
Reference Map of Sets | Sensitive Resource Names | Lists all sensitive resource names per resource type. |
The following table shows the saved searches in JSA Container Content Extension V1.1.0.
Table 6: Saved Searches in JSA Container Content Extension V1.1.0
Name | Description |
---|---|
Forbidden Failed API Requests Grouped by Username | Shows all forbidden failed API requests, grouped by username. |
Privileged Roles for Container | Shows all privileged roles for containers. |
Privileged Users for Container | Shows all privileged users for containers. |
JSA Container Content Extension V1.0.1
Updated the content extension to enable all custom properties by default, and to fix broken links in the rule response limiter.
JSA Container Content Extension V1.0.0
The following table shows the custom properties in JSA Container Content Extension V1.0.0.
Table 7: Custom Properties in JSA Container Content Extension V1.0.0
Name | Optimized | Found in |
---|---|---|
Container ID | Yes | |
File Directory | Yes | |
Filename | Yes | |
GroupID | Yes | |
Parent Process Name | Yes | |
Parent Process Path | Yes | |
Privileged Container | Yes | |
Process CommandLine | Yes | |
Process Name | Yes | |
Rule Details | Yes | |
SHA256 Hash | Yes | |
Source Mount Point | Yes | |
Target User Name | Yes | |
User ID | Yes | |
The following table shows the rules and building blocks in JSA Container Content Extension V1.0.0.
Table 8: Rules and Building Blocks in JSA Container Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviourDefinition: Abnormal Process Spawned | Used to track Privilege Modification followed by Suspicious Activity. |
Building Block | BB:BehaviourDefinition: Abnormal Right Assigned followed by Privileged Container Creation | Used to track Privilege Modification followed by Suspicious Activity. |
Building Block | BB:BehaviourDefinition: Linux Shell Spawned by a Process | Detects a shell that is spawned by a process, which is unusual. Note: Populate the Whitelisted Linux Processes reference set to whitelist processes that are allowed to create new Linux shells. |
Building Block | BB:DeviceDefinition: Operating System | Defines all operating systems on the system. |
Building Block | BB:BehaviourDefinition: Process Spawned by Utility | Detects command line utilities that are used to create new processes, such as |
Rule | Abnormal Rights Assigned to Unauthorized Users | Detects an unusual Note: Edit this rule to replace authorized_username with the list of typical administrators of the system, and utilities with file modification or execution capabilities. |
Rule | Creation of a Privileged Container | Detects the creation of a privileged container. Running a container with the privileged flag gives all capabilities to the container, including access to the host's devices. |
Rule | Creation of a User with Superuser Privileges | Detects the creation of a user account that has a uid or gid of 0, which indicates a Superuser. |
Rule | Critical File or Directory Mounted on a Container | Detects when a critical file or directory is mounted on a container, for example Note: Edit this rule to add any critical file or directory you might want to monitor. |
Rule | Hostile Process Detected in a Container | Detects processes that are categorized as hostile, such as malware, phishing, or cryptomining. Note: The Malware Hashes SHA reference set must be populated. You can use the Threat Intelligence App to import threat intel feeds into that reference set. |
Rule | Login Shell Overridden | Detects when a login shell gets overridden. Adversaries might override a login shell to achieve persistence. Note: The Login Shell Filename reference set is pre-populated with shell file names, and can be tuned. |
Rule | Modification to Authorized Keys File | Detects when the |
Rule | Multiple Sensitive Containers Stopped or Deleted | Detects when multiple sensitive containers are being stopped or deleted. This might indicate that an intruder is compromising sensitive information. Note: The Sensitive Container IDs reference set must be populated with the relevant Container IDs. |
Rule | No Password Rule Added to Sudoers File | Detects an unusual Note: Edit the rule to replace authorized_username with the list of authorized administrators of the system. |
Rule | Privilege Modification followed by Suspicious Activity | Detects privilege addition for unauthorized users, followed by suspicious execution of processes. |
Rule | Reverse or Bind Shell Detected | Detects any reverse or bind shell. A reverse shell is a shell connection that is initiated from the target host to the attacker host; a bind shell listens on the target host for the attacker to connect. |
Rule | SUID or SGID Binaries Reconnaissance | Detects a user trying to find all SUID/SGID binaries. Adversaries can use SUID/SGID binaries to escalate their privileges. |
The following table shows the reference data in JSA Container Content Extension V1.0.0.
Table 9: Reference Data in JSA Container Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Reference Set | Login Shell Filename | Lists all login shell names. |
Reference Set | Malware Hashes SHA | Lists all malware SHA hashes for processes. |
Reference Set | Networking Utility Commands | Lists all networking utility commands that can open sessions. |
Reference Set | Sensitive Container IDs | Lists all sensitive container IDs (must be populated by the user). |
Reference Set | Utility with Execute Capabilities | Lists all utility commands with execute capabilities. |
Reference Set | Whitelisted Linux Processes | Lists all whitelisted Linux processes that are authorized to perform actions on critical files. |