Container Workload Protection
Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.
Elastic rule
[metadata]
creation_date = "2023/04/05"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Initial version of the Container Workload Protection alerts"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
immediately begin triaging and investigating these alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-cloud_defend.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Container Workload Protection"
risk_score = 47
rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
rule_name_override = "message"
severity = "medium"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:cloud_defend
'''
Related rules
- Container Management Utility Run Inside A Container
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container
- SSH Authorized Keys File Modified Inside a Container