Created
October 7, 2019 13:31
-
-
Save johnfitzpatrick/73030028db0fb3f423a97af3ba407422 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - rule: Blacklisted Containers | |
| desc: > | |
| Detect the initial process started by a container that is from a list of blacklisted containers. | |
| condition: container_started and container and blacklisted_containers | |
| output: Container started is blacklisted (user=%user.name command=%proc.cmdline %container.info image=%container.image.repository:%container.image.tag) | |
| priority: WARNING | |
| tags: [container, mitre_lateral_movement] | |
| - macro: blacklisted_containers | |
| condition: (container.name startswith 'k8s_actor_actor') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment