Container
Use the IBM® QRadar® Container Content Extension to closely monitor containers in your deployment.
- IBM Security QRadar Container Content Extension 1.1.4
- IBM Security QRadar Container Content Extension 1.1.3
- IBM Security QRadar Container Content Extension 1.1.2
- IBM Security QRadar Container Content Extension 1.1.1
- IBM Security QRadar Container Content Extension 1.1.0
- IBM Security QRadar Container Content Extension 1.0.1
- IBM Security QRadar Container Content Extension 1.0.0
IBM Security QRadar Container Content Extension 1.1.4
The following table shows the custom properties that are updated in IBM Security QRadar Container Content Extension 1.1.4.
| Name | Details |
|---|---|
| Container Image | Property is now optimized. |
| GroupID | Updated property description. |
IBM Security QRadar Container Content Extension 1.1.3
The following table shows the building blocks that is new in IBM Security QRadar Container Content Extension 1.1.3.
| Name | Description |
|---|---|
| BB:DeviceDefinition: Containers | Defines all container log sources on the system. |
IBM Security QRadar Container Content Extension 1.1.2
The following table shows the custom properties in IBM Security QRadar Container Content Extension 1.1.2.
| Name | Optimized | Capture Group | Regex |
|---|---|---|---|
| Command Arguments | Yes | 1 | argc=\d+ ((a\d+="[^"]+?" ?)+) |
| Source Mount Point | Yes | 1 | volumeMounts"\:[{.*?\"mountPath[\":]([^\"]) |
The following table shows the rules and building blocks that are new or updated in IBM Security QRadar Container Content Extension 1.1.2.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Resource Creation Events | Triggers when components are created under critical namespaces, such as kube-system or kube-public. The namespace kube-system should only be used by objects created from Kubernetes system. The namespace kube-public is readable by all users, which must be used with caution. |
| Rule | Creation of Resources in Critical Namespaces | Triggers when resources are created under critical namespaces, such as kube-system or kube-public. The namespace kube-system should only be used by objects created from a Kubernetes system. The namespace kube-public is readable by all users, which must be used with caution. |
| Rule | Critical File or Directory Mounted on a Container | Detects when a critical file or directory is mounted on a container, for example /etc/passwd. This allows access to critical directory or files on a host. |
| Rule | Namespace Created Followed by Multiple Resources Created on a Container Environment | Triggers when an unauthorized user creates a new namespace, followed by multiple resources creation in that namespace. Creating a namespace is a valid action for any user, but creating multiple resources in the namespace right after creating the namespace is suspicious. |
| Rule | SUID or SGID Binaries Reconnaissance | Detects a user trying to find all SUID/SGID binaries. Adversaries can use SUID/SGID binaries to escalate their privileges. |
IBM Security QRadar Container Content Extension 1.1.1
The following table shows the custom properties in IBM Security QRadar Container Content Extension 1.1.1.
IBM Security QRadar Container Content Extension 1.1.0
The following table shows the custom properties in IBM Security QRadar Container Content Extension 1.1.0.
| Name | Optimized | Found in |
|---|---|---|
| Namespace | Yes | Kubernetes |
| Privileged Container | Yes | |
| Process CommandLine | Yes | |
| Reason | Yes | Kubernetes |
| Resource | Yes | Kubernetes |
| Resource Name | Yes | Kubernetes |
| Role | Yes | |
| Role Actions | Yes | Kubernetes |
| Role Assigned Resources | Yes | Kubernetes |
The following table shows the rules and building blocks in IBM Security QRadar Container Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:BehaviourDefinition: Unauthorized User Creating Namespaces | Identifies unauthorized users creating namespaces. |
| Building Block | BB:CategoryDefinition: Resource Creation Events | Detects when components are created under critical namespaces, such as kube-system or kube-public. The namespace kube-system should only be used by objects created from Kubernetes system. The namespace kube-public is readable by all users, which must be used with caution. |
| Building Block | BB:DeviceDefinition: Containers | Defines all container log sources on the system. |
| Rule | Command Execution in Critical Namespaces by Non-System User |
Detects execution of a command in a critical namespace, for example kube-system in Kerbernetes, by a non-system user. Normal users should not interact with system resources. Note: Edit the rule to replace "system:serviceaccount" with typical service accounts on the
system.
|
| Rule | Communication from an Insecure Port |
Detects detects communication from an insecure port (2379, 8080, or 10250). The insecure port is disabled by default from Kubernetes v.1.14, but it's possible to enable it explicitly (insecure-port flag in the policy). Once the insecure port is enabled, full access to the API without authentication is granted. |
| Rule | Creation of a Privileged Role for Container |
Detects the creation of a privileged role. By default, it's defined as a role having access to all resources with all rights, or having create, update, or delete rights on "secrets" specifically. Note: The rule response adds the role to the Privileged Role reference set.
Adjust the AQL query to include any permission considered as Privileged.
|
| Rule | Creation of Resources in Critical Namespaces | Detects when resources are created under critical namespaces, such as kube-system or kube-public. The namespace kube-system should only be used by objects created from Kubernetes system. The namespace kube-public is readable by all users, which must be used with caution. |
| Rule | Deletion of a Privileged Role for Container |
Detects the deletion of a privileged role defined in the Privileged Role reference set. Note: The rule response removes the role from the Privileged Role reference
set.
Note: In IBM
Security QRadar 7.3.2 and
earlier versions, the reference set does not link properly to Privileged Roles - AlphaNumeric. This
was corrected in 7.3.2 patch 1. If you do not have 7.3.2 patch 1 installed, you can do the
following: Select the rule, and click Next. Under Rule
Response, click the list for the reference set, and select Privileged Roles -
AlphaNumeric.
|
| Rule | Multiple Failures Reading Secrets | Detects multiple failures reading secrets (storage of sensitive information, such as passwords, OAuth tokens, ssh keys, etc). |
| Rule | Multiple Sensitive Resources Deleted | Detects when multiple sensitive resources are being deleted. This may indicate an intruder is
compromising sensitive information. Note: The Sensitive Resource Names
reference map of sets must be populated with the relevant names.
|
| Rule | Namespace Created Followed by Multiple Resources Created on a Container Environment | Detects when an unauthorized user creates a new namespace, followed by multiple resources
creation in that namespace. Creating a namespace is a valid action for any user, but creating
multiple resources in the namespace right after creating the namespace is suspicious. Note: Edit the
rule to replace "authorized_users" by typical administrators of the system.
|
| Rule | Remote Shell Execution to a Container Detected | Detects remote shell execution. An adversary might use this technique to execute arbitrary commands on a server. This could affect applications and data, and allow to pivot to other systems within the organization. |
The following table shows the reports in IBM Security QRadar Container Content Extension 1.1.0.
| Report Name | Description |
|---|---|
| Forbidden Failed API Requests Grouped by Username | Shows forbidden failed API requests from Kubernetes users. Saved Search: Events: Forbidden Failed API Requests Grouped by Username Note: Edit this
search and any relevant search dependencies to refine the results.
|
| Privileged Roles and Users for Container |
Shows privileged roles and users from Kubernetes. The report content is collated by using the following Log Activity searches:
Note: Edit this search and any relevant search dependencies to refine the results.
|
The following table shows the reference data in IBM Security QRadar Container Content Extension 1.1.0.
| Type | Name | Description |
|---|---|---|
| Reference Set | Privileged Role | Lists all privileged roles. |
| Reference Map of Sets | Sensitive Resource Names | Lists all sensitive resource names per resource type. |
The following table shows the saved searches in IBM Security QRadar Container Content Extension 1.1.0.
| Name | Description |
|---|---|
| Forbidden Failed API Requests Grouped by Username | Shows all forbidden failed API requests, grouped by username. |
| Privileged Roles for Container | Shows all privileged roles for containers. |
| Privileged Users for Container | Shows all privileged users for containers. |
IBM Security QRadar Container Content Extension 1.0.1
Updated the content extension to enable all custom properties by default, and to fix broken links in the rule response limiter.
IBM Security QRadar Container Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Container Content Extension 1.0.0.
| Name | Optimized | Found in |
|---|---|---|
| Container ID | Yes | osquery |
| File Directory | Yes | |
| Filename | Yes | |
| GroupID | Yes | |
| Parent Process Name | Yes | |
| Parent Process Path | Yes | |
| Privileged Container | Yes | |
| Process CommandLine | Yes | |
| Process Name | Yes | |
| Rule Details | Yes | osquery |
| SHA256 Hash | Yes | |
| Source Mount Point | Yes | osquery |
| Target User Name | Yes | |
| User ID | Yes |
The following table shows the rules and building blocks in IBM Security QRadar Container Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Building Block | BB:BehaviourDefinition: Abnormal Process Spawned | Used to track Privilege Modification followed by Suspicious Activity. |
| Building Block | BB:BehaviourDefinition: Abnormal Right Assigned followed by Privileged Container Creation | Used to track Privilege Modification followed by Suspicious Activity. |
| Building Block | BB:BehaviourDefinition: Linux Shell Spawned by a Process |
Detects a shell that is created from a process, which is unlikely. Note: Populate the Whitelisted Linux Processes reference set to whitelist
processes that are allowed to create new Linux
shells.
|
| Building Block | BB:DeviceDefinition: Operating System | Defines all operating systems on the system. |
| Building Block | BB:BehaviourDefinition: Process Spawned by Utility | Detects command line utilities that are used to create new processes, such as echo, find, nmap, ncat, and zip. |
| Rule | Abnormal Rights Assigned to Unauthorized Users |
Detects an unusual sudo rule added in the system. The Target User Name is the user whom the sudoer rule was applied to. Note: Edit this rule to replace
authorized_usernamewith the list of typical administrators of the system, and utilities with file modification or execution capabilities. |
| Rule | Creation of a Privileged Container | Detects the creation of a privileged container. Running a container with the privileged flag gives all capabilities to the container, including the access to the host device. |
| Rule | Creation of a User with Superuser Privileges | Detects the creation of a user account that has a uid or gid of 0, which indicates a Superuser. |
| Rule | Critical File or Directory Mounted on a Container |
Detects when a critical file or directory is mounted on a container, for example /etc/passwd. A critical file or directory that is mounted on a container allows access to the host's critical directory or files. Note: Edit this rule to add any critical file or directory you might want to monitor.
|
| Rule | Hostile Process Detected in a Container |
Detects processes that are categorized as hostile, such as malware, phishing, cryptomining. Note: The Malware Hashes SHA reference set must be populated. You can use the
Threat Intelligence App to import threat intel feeds into that reference set.
|
| Rule | Login Shell Overridden |
Detects when a login shell gets overridden. Adversaries might override a login shell to achieve persistence. Note: The Login Shell Filename reference set is pre-populated with shell file
names, and can be tuned.
|
| Rule | Modification to Authorized Keys File | Detects when the /.ssh/authorized_keys file is modified. The attacker adds their Public Key to the authorized_keys file, which allows them login to the system anytime without further authentication if they have their Private Key. |
| Rule | Multiple Sensitive Containers Stopped or Deleted |
Detects when multiple sensitive containers are being stopped or deleted. This might indicate that an intruder is compromising sensitive information. Note: The Sensitive Container IDs reference set must be populated with the
relevant Container IDs.
|
| Rule | No Password Rule Added to Sudoers File | Detects an unusual sudo rule added in the system, which requires no
password for a user. Note: Edit the rule to replace
authorized_usernamewith the list of authorized administrators of the system. |
| Rule | Privilege Modification followed by Suspicious Activity | Detects privilege addition for unauthorized users, followed by suspicious execution of processes. |
| Rule | Reverse or Bind Shell Detected | Detects any reverse or bind shell. This is a shell connection that is initiated from the target host to the attacker host. |
| Rule | SUID or SGID Binaries Reconnaissance | Detects a user trying to find all SUID/SGID binaries. Adversaries can use SUID/SGID binaries to escalate their privileges. |
The following table shows the reference data in IBM Security QRadar Container Content Extension 1.0.0.
| Type | Name | Description |
|---|---|---|
| Reference Set | Login Shell Filename | Lists all login shell names. |
| Reference Set | Malware Hashes SHA | Lists all malware SHA hashes for processes. |
| Reference Set | Networking Utility Commands | Lists all networking utility commands that can open sessions. |
| Reference Set | Sensitive Container IDs | Lists all sensitive container IDs (must be populated by the user). |
| Reference Set | Utility with Execute Capabilities | Lists all utility commands with execute capabilities. |
| Reference Set | Whitelisted Linux Processes |
Lists all whitelisted Linux processes that are authorized to perform actions on critical files. |