Handling Alarm Events

mark_as_handled

ignore

add_to_alarm_whitelist

add_to_login_whitelist

isolate_and_kill

unhandle

do_not_ignore

remove_from_alarm_whitelist

remove_from_login_whitelist

do_not_isolate_or_kill

container_1001: Container namespace

container_1002: Container open port

container_1003: Container security option

container_1004: Container mount directory

containerescape_0001: High-risk system call

containerescape_0002: Shocker attack

containerescape_0003: Dirty Cow attack

containerescape_0004: Container file escape

dockerfile_001: Modification of user-defined protected container file

dockerfile_002: Modification of executable files in the container file system

dockerproc_001: Abnormal container process

fileprotect_0001: File privilege escalation

fileprotect_0002: Key file change

fileprotect_0003: AuthorizedKeysFile path change

fileprotect_0004: File directory change

login_0001: Brute-force attack attempt

login_0002: Brute-force attack succeeded

login_1001: Succeeded login

login_1002: Remote login

login_1003: Weak password

malware_0001: Shell change

malware_0002: Reverse shell

malware_1001: Malicious program

procdet_0001: Abnormal process behavior

procdet_0002: Process privilege escalation

procreport_0001: High-risk command

user_1001: Account change

user_1002: Unsafe account

vmescape_0001: Sensitive command executed on VM

vmescape_0002: Sensitive file accessed by virtualization process

vmescape_0003: Abnormal VM port access

webshell_0001: Web shell

network_1001: Mining

network_1002: DDoS attacks

network_1003: Malicious scanning

network_1004: Attack in sensitive areas

ransomware_0001: ransomware attack

ransomware_0002: ransomware attack

ransomware_0003: ransomware attack

fileless_0001: process injection

fileless_0002: dynamic library injection

fileless_0003: key configuration change

fileless_0004: environment variable change

fileless_0005: memory file process

fileless_0006: VDSO hijacking

crontab_1001: suspicious crontab task

vul_exploit_0001: Redis vulnerability exploit

vul_exploit_0002: Hadoop vulnerability exploit

vul_exploit_0003: MySQL vulnerability exploit

rootkit_0001: suspicious rootkit file

rootkit_0002: suspicious kernel module

RASP_0004: web shell upload

RASP_0018: fileless web shell

blockexec_001: known ransomware attack

hips_0001: Windows Defender disabled

hips_0002: suspicious hacker tool

hips_0003: suspicious ransomware encryption behavior

hips_0004: hidden account creation

hips_0005: user password and credential reading

hips_0006: suspicious SAM file export

hips_0007: suspicious shadow copy deletion

hips_0008: backup file deletion

hips_0009: registry of suspicious ransomware

hips_0010: suspicious abnormal process

hips_0011: suspicious scan

hips_0012: suspicious ransomware script running

hips_0013: suspicious mining command execution

hips_0014: suspicious windows security center disabling

hips_0015: suspicious behavior of disabling the firewall service

hips_0016: suspicious system automatic recovery disabling

hips_0017: executable file execution in Office

hips_0018: abnormal file creation with macros in Office

hips_0019: suspicious registry operation

hips_0020: Confluence remote code execution

hips_0021: MSDT remote code execution

portscan_0001: common port scan

portscan_0002: secret port scan

k8s_1001: Kubernetes event deletion

k8s_1002: privileged pod creations

k8s_1003: interactive shell used in pod

k8s_1004: pod created with sensitive directory

k8s_1005: pod created with server network

k8s_1006: pod created with host PID space

k8s_1007: authentication failure when common pods access API server

k8s_1008: API server access from common pod using cURL

k8s_1009: exec in system management space

k8s_1010: pod created in management space

k8s_1011: static pod creation

k8s_1012: DaemonSet creation

k8s_1013: scheduled cluster task creation

k8s_1014: operation on secrets

k8s_1015: allowed operation enumeration

k8s_1016: high privilege RoleBinding or ClusterRoleBinding

k8s_1017: ServiceAccount creation

k8s_1018: Cronjob creation

k8s_1019: interactive shell used for exec in pods

k8s_1020: unauthorized access to API server

k8s_1021: access to API server with curl

k8s_1022: Ingress vulnerability

k8s_1023: man-in-the-middle (MITM) attack

k8s_1024: worm, mining, or Trojan

k8s_1025: K8s event deletion

k8s_1026: SelfSubjectRulesReview

imgblock_0001: image blocking based on whitelist

imgblock_0002: image blocking based on blacklist

imgblock_0003: image tag blocking based on whitelist

imgblock_0004: image tag blocking based on blacklist

imgblock_0005: container creation blocked based on whitelist

imgblock_0006: container creation blocked based on blacklist

imgblock_0007: container mount proc blocking

imgblock_0008: container seccomp unconfined blocking

imgblock_0009: container privilege blocking

imgblock_0010: container capabilities blocking

1001: common malware

1002: virus

1003: worm

1004: Trojan

1005: botnet

1006: backdoor

1010 : Rootkit

1011: ransomware

1012: hacker tool

1015 : web shell

1016: mining

1017: reverse shell

2001: common vulnerability exploit

2012: remote code execution

2047: Redis vulnerability exploit

2048: Hadoop vulnerability exploit

2049: MySQL vulnerability exploit

3002: file privilege escalation

3003: process privilege escalation

3004: critical file change

3005: file/directory change

3007: abnormal process behavior

3015: high-risk command execution

3018: abnormal shell

3027: suspicious crontab task

3029: system protection disabled

3030: backup deletion

3031: suspicious registry operations

3036: container image blocking

4002: brute-force attack

4004: abnormal login

4006: invalid accounts

4014: account added

4020: password theft

6002: port scan

6003: server scan

13001: Kubernetes event deletion

13002: abnormal pod behavior

13003: enumerating user information

13004: cluster role binding

1001: common malware

1002: virus

1003: worm

1004: Trojan

1005: botnet

1006: backdoor

1010 : Rootkit

1011: ransomware

1012: hacker tool

1015 : web shell

1016: mining

1017: reverse shell

2001: common vulnerability exploit

2012: remote code execution

2047: Redis vulnerability exploit

2048: Hadoop vulnerability exploit

2049: MySQL vulnerability exploit

3002: file privilege escalation

3003: process privilege escalation

3004: critical file change

3005: file/directory change

3007: abnormal process behavior

3015: high-risk command execution

3018: abnormal shell

3027: suspicious crontab task

3029: system protection disabled

3030: backup deletion

3031: suspicious registry operations

3036: container image blocking

4002: brute-force attack

4004: abnormal login

4006: invalid accounts

4014: account added

4020: password theft

6002: port scan

6003: server scan

13001: Kubernetes event deletion

13002: abnormal pod behavior

13003: enumerating user information

13004: cluster role binding

"file/process hash" # process/file hash

"file_path"

"process_path"

"login_ip": login IP address

"reg_key": registry key

"process_cmdline": process command line

"username"

"equal"

"contain"