How Container Workload Protection Works

Version: 1.2.7
Compatible Kibana version(s): 8.11.0 or higher
Supported Serverless project types: Security
Subscription level: Enterprise
Level of support: Elastic
CWP is powered by a lightweight integration (Defend for Containers, BETA) that is bundled and configured by the Elastic Agent. The agent is installed as a DaemonSet on supported Kubernetes clusters, and the integration uses eBPF LSM and tracepoint probes to produce system events. Because the LSM hook points run before the kernel completes an operation, the configured policy is evaluated before the system activity is allowed to proceed.
The policy determines which system behaviors (for example, process executions, file creations or deletions) result in an action. Actions are simple: log the behavior to Elasticsearch, create an alert in Elasticsearch, or block the behavior.
Threat Detection
The system ships with a default policy that contains two selectors and two responses. The first selector streams process telemetry events to the user's Elasticsearch cluster: the selector allProcesses specifies the fork and exec operations and is mapped to the allProcesses response, which specifies a log action.
The resulting telemetry is transformed into an ECS document and streamed to the user's Elasticsearch cluster, where the Elastic Security SIEM evaluates it to detect malicious behavior.
Drift Detection & Prevention
The second selector detects the modification of existing executables or the creation of new executables within a container; this is how Elastic detects "container drift". The selector is named executableChanges and is mapped to a response of the same name that specifies an alert action.
Because the response action is alert, when drift conditions are detected the matching event(s) are collected and written as an alert document to the user's Elasticsearch cluster. A prebuilt SIEM rule (the "escalation rule") watches for these alert documents and raises a SIEM alert when drift is detected. The same policy can be made to prevent drift, rather than only report it, by changing the response action to block, which stops the executable from being created or modified.
Policies
Users that want the full strength of CWP will benefit from understanding the policy syntax, which allows fine-grained policies to be constructed. Policies can be built to precisely match expected container behaviors, disallowing anything unexpected, and thereby substantially harden the security posture of container workloads.
Policies are composed of selectors and responses. A policy must contain at least one selector and one response. Currently the system supports two types of selectors and responses: file and process. Selectors tell the service which system operations to match and carry a number of conditions that can be combined (with a logical AND) for precise control. Responses instruct the system what actions to take when system operations match selectors.
Deployment
The service can be deployed in two ways: declaratively using Elastic Agent in standalone mode, or as a managed D4C integration through Fleet. With the former, teams can keep their policies in Git for an infrastructure-as-code (IaC) approach, which streamlines deployment and makes the policies easier to review and manage.
You will need to include the following capabilities under securityContext in your Kubernetes YAML for the service to work:

```yaml
securityContext:
  runAsUser: 0
  # The following capabilities are needed for 'Defend for containers' integration (cloud-defend)
  # If you are using this integration, please uncomment these lines before applying.
  capabilities:
    add:
      - BPF           # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps.
      - PERFMON       # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations.
      - SYS_RESOURCE  # Allow use of special resources or raising of resource limits. Used by 'Defend for Containers' to modify 'rlimit_memlock'
```

These settings give the agent pod root plus kernel-level capabilities, so treat the DaemonSet manifest and the namespace it runs in as privileged infrastructure: whoever can edit them can load arbitrary BPF programs on every node.
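Before applying the manifest, a pre-flight check of the node is worth running: the capabilities above only exist on Linux 5.8 or newer, and the eBPF LSM hook points the integration evaluates policy on can only be attached when the bpf LSM is active on the node. The following script is an added example written for this page, not Elastic's code; the procfs and securityfs paths it reads and the sample inputs in its checks are assumptions of the example.

```python
"""Node pre-flight check for the Defend for Containers prerequisites named above.
Added example for this page, not Elastic's code; the /proc and /sys paths read by
check_node() are assumptions of the example (standard procfs/securityfs locations)."""
import re
from pathlib import Path

MIN_KERNEL = (5, 8)  # CAP_BPF and CAP_PERFMON were introduced in Linux 5.8
REQUIRED_CAPS = {"BPF", "PERFMON", "SYS_RESOURCE"}  # from the securityContext above


def parse_kernel_release(release: str) -> tuple:
    """'5.10.161+' -> (5, 10, 161); vendor suffixes such as '-21-amd64' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_supported(release: str) -> bool:
    """True when the running kernel is at least MIN_KERNEL (major, minor)."""
    return parse_kernel_release(release)[:2] >= MIN_KERNEL


def bpf_lsm_active(lsm_list: str) -> bool:
    """/sys/kernel/security/lsm is a comma-separated list of the active LSMs; BPF LSM
    programs (the hook points the policy is evaluated on) need 'bpf' to be in that list."""
    return "bpf" in [name.strip() for name in lsm_list.split(",")]


def missing_capabilities(added: list) -> set:
    """Required capabilities absent from a securityContext.capabilities.add list.
    Accepts either spelling, 'BPF' or 'CAP_BPF', in any case."""
    have = set()
    for cap in added:
        cap = cap.upper()
        have.add(cap[4:] if cap.startswith("CAP_") else cap)
    return REQUIRED_CAPS - have


def check_node(manifest_caps: list) -> dict:
    """Run every check against the local node. The paths are assumptions of this example."""
    release = Path("/proc/sys/kernel/osrelease").read_text()
    lsm_file = Path("/sys/kernel/security/lsm")
    lsm = lsm_file.read_text() if lsm_file.exists() else ""
    return {
        "kernel_5_8_or_newer": kernel_supported(release),
        "bpf_lsm_active": bpf_lsm_active(lsm),
        "capabilities_complete": not missing_capabilities(manifest_caps),
    }


if __name__ == "__main__":
    # Capabilities copied from the securityContext example above.
    for name, ok in check_node(["BPF", "PERFMON", "SYS_RESOURCE"]).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Run it on a node (for example from a debug pod with the host's /proc and /sys mounted) before rolling out the DaemonSet; a FAIL on bpf_lsm_active means log and alert responses may still work through the tracepoints but block responses have nothing to attach to.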
Policy example
A given policy must contain at least one selector (file or process) and one response.

```yaml
process:
  selectors:
    - name: allProcesses
      operation: [fork, exec]
    - name: interactiveProcesses
      operation: [fork, exec]
      sessionLeaderInteractive: true
  responses:
    - match: [allProcesses]
      actions: [log]
    - match: [interactiveProcesses]
      actions: [alert]
file:
  selectors:
    - name: executableChanges
      operation: [createExecutable, modifyExecutable]
  responses:
    - match: [executableChanges]
      actions: [alert]
```

Because file and process operations happen asynchronously, their selectors and responses must be managed as separate entities. A file selector cannot be used to trigger a process response and vice versa.
Selectors
A selector tells the service what system operations to match on and has a number of conditions that can be grouped together (using a logical AND operation) to provide precise control.

```yaml
- name: exampleFileSelector
  operation: [createExecutable, modifyExecutable]
  containerImageName: [nginx]
  containerImageTag: [latest]
  targetFilePath: [/usr/bin/**]
  kubernetesClusterId: [cluster1]
  kubernetesClusterName: [stagingCluster]
  kubernetesNamespace: [default]
  kubernetesPodLabel: ['production:*']
  kubernetesPodName: ['nginx-pod-*']
  ignoreVolumeMounts: true
```
A selector MUST contain a name and at least one of the following conditions.
Common conditions (available for both file and process selectors)

Name | Description
---|---
containerImageFullName | A list of container full image names to match on, e.g. "docker.io/nginx".
containerImageName | A list of container image names to match on, e.g. nginx.
containerImageTag | A list of container image tags to match on, e.g. latest.
kubernetesClusterId | A list of Kubernetes cluster IDs to match on. For consistency with KSPM, the uid of the kube-system namespace is used as the cluster ID.
kubernetesClusterName | A list of Kubernetes cluster names to match on.
kubernetesNamespace | A list of Kubernetes namespaces to match on.
kubernetesPodName | A list of Kubernetes pod names to match on. Trailing wildcards supported.
kubernetesPodLabel | A list of pod labels in key:value form. Trailing wildcards supported (value only); see the example below.

For example, the following selector matches attempts to create executables anywhere on the file system, in any container, as long as its Pod has the label environment:production or a service label whose value starts with auth:

```yaml
- name:   # give the selector a name
  operation: [createExecutable]
  kubernetesPodLabel: [environment:production, service:auth*]
```
File Specific Conditions

Name | Description
---|---
operation | The list of file operations to match on. Options used in this page's examples include createExecutable, modifyExecutable, createFile, modifyFile and deleteFile.
ignoreVolumeMounts | If set, ignores file operations on ALL volume mounts.
ignoreVolumeFiles | If set, ignores operations on file mounts only, e.g. mounted files, configMaps, secrets etc.
targetFilePath | A list of file paths to include. Paths are absolute and wildcards are supported.

Consider the following selector example:

```yaml
- name:   # give the selector a name
  targetFilePath: [/usr/bin/echo, /usr/sbin/*, /usr/local/**]
```

In this example:
- /usr/bin/echo will match the echo binary, and only this binary
- /usr/local/** will match everything recursively under /usr/local/, including /usr/local/bin/something
- /usr/sbin/* includes everything that is a direct child of /usr/sbin, but nothing in its subdirectories
Process Specific Conditions

Name | Description
---|---
operation | The list of process operations to match on. Options used in this page's examples include fork and exec.
processExecutable | A list of executables (full path included) to match on, e.g. /bin/bash.
processName | A list of process names (executable basename) to match on, e.g. bash, vi, cat.
sessionLeaderInteractive | If set to true, will only match on interactive sessions (i.e. sessions with a controlling TTY).
Responses
Responses instruct the system on what actions to take when system operations match selectors.
A policy can contain one or more responses. Each response is comprised of the following:

```yaml
responses:
  - match: [allProcesses]
    exclude: [excludeSystemDServices]
    actions: [log]
  - match: [nefariousActivity]
    actions: [alert, block]
```

Response Field | Description
---|---
match | An array of one or more selectors of the same type (file or process).
exclude | An optional array of one or more selectors to use as exclusions to everything in match.
actions | An array of actions to perform (if at least one selector in match matches and no selector in exclude does).

Action | Description
---|---
log | Sends the matching events to Elasticsearch as log documents.
alert | Writes the matching events (file or process) to Elasticsearch as alert documents, which the prebuilt escalation rule picks up.
block | Prevents the system operation from proceeding. This blocking action happens prior to the execution of the event. It is required that the
Example
Consider the following yaml.

```yaml
file:
  selectors:
    - name: binDirExeMods
      operation:
        - createExecutable
        - modifyExecutable
      targetFilePath:
        - /usr/bin/**
    - name: etcFileChanges
      operation:
        - createFile
        - modifyFile
        - deleteFile
      targetFilePath:
        - /etc/**
    - name: nginx
      containerImageName:
        - nginx
  responses:
    - match:
        - binDirExeMods
        - etcFileChanges
      exclude:
        - nginx
      actions:
        - alert
        - block
```

We have three file selectors. Two are used to match (logically OR'd), and one to exclude.
This could be read as: if an executable is created or modified under /usr/bin, or a file is created, modified or deleted under /etc, block the operation and create an alert, as long as it is not an nginx container. That is:

IF (binDirExeMods OR etcFileChanges) AND NOT nginx THEN RUN ACTIONS alert AND block
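To make the matching rules concrete (AND between the conditions of one selector, OR across the selectors in match, AND NOT for exclude, single-segment * versus recursive ** in targetFilePath, trailing wildcards on pod names and label values, and the strict separation of the file and process sections), here is a small evaluator that applies the policies from the Policy example and from the Example above to constructed events. It is an added example written for this page, not Elastic's cloud-defend implementation; the event dictionary keys (image_name, file_path, pod_labels and so on) and the sample events are assumptions of the example.

```python
"""Toy evaluator for the selector and response semantics described above. Added by the
editor as an example, not Elastic's cloud-defend code: the event dict keys and the sample
events are constructed here; POLICY mirrors the YAML examples on this page."""
import re

POLICY = {
    "process": {
        "selectors": [{"name": "allProcesses", "operation": ["fork", "exec"]},
                      {"name": "interactiveProcesses", "operation": ["fork", "exec"],
                       "sessionLeaderInteractive": True}],
        "responses": [{"match": ["allProcesses"], "actions": ["log"]},
                      {"match": ["interactiveProcesses"], "actions": ["alert"]}],
    },
    "file": {
        "selectors": [{"name": "binDirExeMods", "operation": ["createExecutable", "modifyExecutable"],
                       "targetFilePath": ["/usr/bin/**"]},
                      {"name": "etcFileChanges", "operation": ["createFile", "modifyFile", "deleteFile"],
                       "targetFilePath": ["/etc/**"]},
                      {"name": "nginx", "containerImageName": ["nginx"]}],
        "responses": [{"match": ["binDirExeMods", "etcFileChanges"], "exclude": ["nginx"],
                       "actions": ["alert", "block"]}],
    },
}

# Exact-match list conditions: policy condition name -> assumed key in the event dict.
LIST_CONDITIONS = {
    "operation": "operation", "containerImageFullName": "image_full_name",
    "containerImageName": "image_name", "containerImageTag": "image_tag",
    "kubernetesClusterId": "cluster_id", "kubernetesClusterName": "cluster_name",
    "kubernetesNamespace": "namespace", "processExecutable": "executable",
    "processName": "process_name",
}
# ignoreVolumeMounts / ignoreVolumeFiles opt out of paths under volume mounts / mounted files.
VOLUME_CONDITIONS = {"ignoreVolumeMounts": "on_volume_mount", "ignoreVolumeFiles": "on_volume_file"}


def path_pattern_to_regex(pattern: str):
    """targetFilePath glob: '**' spans directory levels, '*' stays within one path segment."""
    regex = "".join(".*" if tok == "**" else "[^/]*" if tok == "*" else re.escape(tok)
                    for tok in re.split(r"(\*\*|\*)", pattern) if tok)
    return re.compile("^" + regex + "$")


def trailing_wildcard_match(pattern: str, value: str) -> bool:
    """Pod names and label values support a trailing '*' only."""
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value


def label_match(pattern: str, labels: dict) -> bool:
    """kubernetesPodLabel entries are key:value; the wildcard applies to the value only."""
    key, _, value_pattern = pattern.partition(":")
    return key in labels and trailing_wildcard_match(value_pattern, labels[key])


def selector_matches(selector: dict, event: dict) -> bool:
    """All conditions of a selector are ANDed; a list condition is met by any of its entries."""
    for cond, expected in ((k, v) for k, v in selector.items() if k != "name"):
        if cond in LIST_CONDITIONS:
            ok = event.get(LIST_CONDITIONS[cond]) in expected
        elif cond == "kubernetesPodName":
            ok = any(trailing_wildcard_match(p, event.get("pod_name", "")) for p in expected)
        elif cond == "kubernetesPodLabel":
            ok = any(label_match(p, event.get("pod_labels", {})) for p in expected)
        elif cond == "targetFilePath":
            ok = any(path_pattern_to_regex(p).match(event.get("file_path", "")) for p in expected)
        elif cond == "sessionLeaderInteractive":
            ok = bool(event.get("interactive")) == expected
        elif cond in VOLUME_CONDITIONS:
            ok = not (expected and event.get(VOLUME_CONDITIONS[cond]))
        else:
            raise ValueError(f"unknown selector condition: {cond}")
        if not ok:
            return False
    return True


def evaluate(policy: dict, event: dict) -> list:
    """Actions for one event. File and process sections are evaluated independently; a
    response fires when any selector in 'match' matched and none in 'exclude' did."""
    section = policy.get(event["type"], {})
    matched = {s["name"] for s in section.get("selectors", []) if selector_matches(s, event)}
    actions = []
    for response in section.get("responses", []):
        if matched & set(response["match"]) and not matched & set(response.get("exclude", [])):
            for action in response["actions"]:
                if action not in actions:
                    actions.append(action)
    return actions


# Constructed sample events, not real cloud-defend documents.
SAMPLE_EVENTS = {
    "interactive_ls": {"type": "process", "operation": "exec", "executable": "/usr/bin/ls",
                       "process_name": "ls", "interactive": True, "image_name": "webapp"},
    "curl_overwritten": {"type": "file", "operation": "modifyExecutable",
                         "file_path": "/usr/bin/curl", "image_name": "webapp"},
    "curl_overwritten_in_nginx": {"type": "file", "operation": "modifyExecutable",
                                  "file_path": "/usr/bin/curl", "image_name": "nginx"},
    "cron_dropped": {"type": "file", "operation": "createFile",
                     "file_path": "/etc/cron.d/backdoor", "image_name": "webapp"},
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:26s} -> {evaluate(POLICY, ev)}")
```

Running the block prints the actions for each sample event: the overwritten curl binary and the dropped cron file both get alert and block, the same overwrite inside an nginx container gets nothing because the exclude selector matched, and an interactive exec gets log from allProcesses plus alert from interactiveProcesses while a non-interactive fork gets log only.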
Process Events
The following fields are populated for all events where event.category: process. Alongside the ECS agent.*, cloud.*, container.*, data_stream.*, ecs.*, event.*, host.*, orchestrator.* and process.* fields (the last covering the process itself and its parent and leader processes), the integration adds:

Field | Examples
---|---
cloud_defend.matched_selectors | [interactiveSessions]
cloud_defend.package_policy_id | 4c9cbba0-c812-11ed-a8dd-91ec403e4f03
cloud_defend.package_policy_revision | 2
cloud_defend.hook_point | [tracepoint__sched_process_fork, tracepoint__sched_process_exec, kprobe__taskstats_exit]
orchestrator.resource.annotation | [note:testing]
orchestrator.resource.label | [service:webapp]

Example values seen in a process event: data_stream.dataset cloud_defend.process and data_stream.type logs; event.action one of fork, exec, end; event.kind one of event, alert; event.type one of start, end, denied (a blocked operation is reported as denied); process.executable /usr/bin/ls with process.args [ls, --color=auto], run from a /bin/bash parent in an interactive session.
File Events
The following fields are populated for all events where event.category: file. Alongside the ECS agent.*, cloud.*, container.*, data_stream.*, ecs.*, event.*, file.*, host.*, orchestrator.* and process.* fields, the integration adds:

Field | Examples
---|---
cloud_defend.matched_selectors | [binModifications]
cloud_defend.package_policy_id | 4c9cbba0-c812-11ed-a8dd-91ec403e4f03
cloud_defend.package_policy_revision | 2
cloud_defend.hook_point | One of: lsm__path_chmod, lsm__path_mknod, lsm__file_open, lsm__path_truncate, lsm__path_rename, lsm__path_link, lsm__path_unlink
orchestrator.resource.annotation | [note:testing]
orchestrator.resource.label | [service:webapp]

Example values seen in a file event: event.action one of creation, modification, deletion, rename, link, open; event.kind one of event, alert; event.type one of start, end, denied (a blocked operation is reported as denied); file.path /home/workspace/project/script.ts (file.name script.ts, file.extension ts), written by process.executable /usr/bin/vi.
Support matrix

Feature | EKS 1.24-1.27 (AL2022) | GKE 1.24-1.27 (COS)
---|---|---
Process event exports | ✅ | ✅
File event exports | ✅ | ✅
Drift prevention | ✅ | ✅
Mount point awareness | ✅ | ✅
Process blocking | ✅ | ✅
Network event exports | Coming soon | Coming soon
Network blocking | Coming soon | Coming soon
Changelog

Version | Details | Kibana version(s)
---|---|---
1.2.7 | Bug fix | 8.11.0 or higher
1.2.6 | Bug fix | 8.11.0 or higher
1.2.5 | Enhancement | 8.11.0 or higher
1.2.4 | Enhancement | 8.11.0 or higher
1.2.3 | Enhancement | 8.11.0 or higher
1.2.2 | Enhancement | 8.11.0 or higher
1.2.1 | Enhancement | 8.11.0 or higher
1.2.1-preview2 | Enhancement | —
1.2.1-preview | Enhancement | —
1.2.0 | Enhancement | 8.8.0 or higher
1.2.0-preview | Enhancement | —
1.1.0 | Enhancement | 8.8.0 or higher
1.0.7 | Enhancement | 8.8.0 or higher
1.0.6 | Enhancement | 8.8.0 or higher
1.0.5 | Enhancement | 8.8.0 or higher
1.0.4 | Enhancement | —
1.0.3 | Enhancement | —
1.0.2 | Enhancement | —
1.0.1 | Enhancement | —
1.0.0 | Enhancement | —
0.1.1 | Enhancement | —
0.1.0 | Enhancement | —