Container Creation (a5ae90ca-0c4b-481c-959f-0eb18a7ff953)
The "Container Creation" data component captures details about the initial construction of a container in a containerized environment: events in which a new container is instantiated, for example through Docker, Kubernetes, or another container orchestration platform. Monitoring these events helps detect unauthorized or potentially malicious container creation, such as a container started from an unexpected image or by a principal that does not normally create containers. Examples:
- Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest`
- Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx`
- Cloud Container Services Example:
  - AWS ECS: Task or service creation (`RunTask` or `CreateService`).
  - Azure Container Instances: Deployment of a container group.
  - Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.
This data component can be collected through the following measures:
- Docker Audit Logging: Capture container `create` operations on each host. Note that the log drivers configured on the Docker daemon (`syslog`, `json-file`) carry the containers' own stdout/stderr, not a record of who created what. Container creation is emitted on the daemon's event stream (`docker events`, or the Engine API `/events` endpoint) as a `container create` event, and the daemon's own log goes to the host's service manager (the systemd journal on most Linux hosts). The event stream does not identify the caller, so pair it with host-level auditing of the Docker socket and binary when attribution matters.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging with a policy that records `create` requests for `pods`, `deployments` and similar workload resources at least at the `Metadata` level (`Request` or `RequestResponse` if the requested image must be visible in the event). A pod created with `kubectl run` is attributed directly to the user; pods belonging to a Deployment are created by the kube-system controller service accounts, and the user's action is visible only on the Deployment object.
- Cloud Provider Logs:
  - AWS CloudTrail: Enable logging for ECS `RunTask` or `CreateService` events (`eventSource` `ecs.amazonaws.com`).
  - Azure Monitor: Enable activity logging for container group creation.
  - GCP Cloud Logging: Monitor API calls such as `container.projects.zones.clusters.create`. Note that this method records cluster creation; pod creation inside a GKE cluster is recorded in the cluster's Kubernetes audit log, which GKE exports to Cloud Logging.
- SIEM Integration: Use a SIEM to collect and correlate logs from Docker, Kubernetes, or cloud platforms.
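To show what the creation events listed above look like once the collection measures are in place, and how a SIEM rule might consume them, here is an added Python example (not code from the ATT&CK page or from MITRE). It parses constructed sample records shaped like `docker events` JSON output, Kubernetes audit events and a CloudTrail record, normalises them into one structure, and applies an assumed policy: images must come from the internal registry `registry.internal.example.com`, pods should be created by kube-system controllers rather than directly by users, and ECS tasks should be launched through roles rather than long-lived IAM users. The registry, account ID, user names, pod names and the policy itself are assumptions made for the example.

```python
"""Normalise container-creation records from Docker, Kubernetes audit and
CloudTrail logs and flag the ones worth a look.
Added example, not code from the ATT&CK page. SAMPLE_LOG is constructed to
match the documented shapes of `docker events` JSON, audit.k8s.io/v1 Events
and CloudTrail records; ALLOWED_REGISTRIES and the rules in findings() are
this example's assumed policy, not MITRE's."""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

ALLOWED_REGISTRIES = {"registry.internal.example.com"}  # assumed policy


@dataclass(frozen=True)
class ContainerCreation:
    source: str      # "docker", "k8s-audit" or "cloudtrail"
    actor: str       # principal that requested the container
    image: str       # image(s) or ECS task definition requested
    name: str        # container, pod or ECS service name
    scope: str = ""  # Kubernetes namespace or ECS cluster


def parse_docker_event(line: str) -> Optional[ContainerCreation]:
    """One line of `docker events --format '{{json .}}'`; the daemon does not
    know who spoke to its socket, so the actor is unknown."""
    ev = json.loads(line)
    if ev.get("Type") != "container" or ev.get("Action") != "create":
        return None
    attrs = ev.get("Actor", {}).get("Attributes", {})
    return ContainerCreation("docker", "unknown", attrs.get("image", ""), attrs.get("name", ""))


def parse_k8s_audit(line: str) -> Optional[ContainerCreation]:
    """Completed `create` of a Pod. requestObject (and so the image) is only
    present when the audit policy logs at Request or RequestResponse level."""
    ev = json.loads(line)
    ref = ev.get("objectRef", {})
    if ev.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    if ev.get("stage") != "ResponseComplete":
        return None
    spec = ev.get("requestObject", {}).get("spec", {})
    images = ",".join(c.get("image", "") for c in spec.get("containers", []))
    actor = ev.get("user", {}).get("username", "unknown")
    return ContainerCreation("k8s-audit", actor, images, ref.get("name", ""), ref.get("namespace", ""))


def parse_cloudtrail(line: str) -> Optional[ContainerCreation]:
    """CloudTrail record for ecs:RunTask or ecs:CreateService."""
    ev = json.loads(line)
    if ev.get("eventSource") != "ecs.amazonaws.com" or ev.get("eventName") not in ("RunTask", "CreateService"):
        return None
    params = ev.get("requestParameters") or {}
    actor = ev.get("userIdentity", {}).get("arn", "unknown")
    return ContainerCreation("cloudtrail", actor, params.get("taskDefinition", ""),
                             params.get("serviceName", ""), params.get("cluster", ""))


def registry_of(image: str) -> str:
    """Registry host of an image reference, by Docker's rule: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    anything else (nginx, myorg/app) resolves to Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def findings(ev: ContainerCreation) -> list:
    """Assumed detection rules; tune to the environment."""
    out = []
    if ev.source in ("docker", "k8s-audit"):
        for image in filter(None, ev.image.split(",")):
            if registry_of(image) not in ALLOWED_REGISTRIES:
                out.append(f"image {image} from unapproved registry {registry_of(image)}")
    if ev.source == "k8s-audit" and not ev.actor.startswith("system:serviceaccount:kube-system:"):
        # Deployment-managed pods are created by kube-system controllers; a pod
        # created directly by any other principal bypassed that layer.
        out.append(f"pod {ev.name} created directly by {ev.actor}")
    if ev.source == "cloudtrail" and ":user/" in ev.actor:
        out.append(f"ECS {ev.name or 'task'} launched with long-lived IAM user {ev.actor}")
    return out


def scan(lines: Iterable[str]) -> list:
    """Run each line through the parsers; the first one that recognises it wins."""
    results = []
    for line in lines:
        for parser in (parse_docker_event, parse_k8s_audit, parse_cloudtrail):
            ev = parser(line)
            if ev is not None:
                results.append((ev, findings(ev)))
                break
    return results


SAMPLE_LOG = [  # constructed records, one per source
    json.dumps({"Type": "container", "Action": "create", "time": 1714564800,
                "Actor": {"ID": "3f9c1e", "Attributes": {"image": "nginx:latest", "name": "my-container"}}}),
    json.dumps({"apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "my-pod"},
                "requestObject": {"spec": {"containers": [{"name": "my-pod", "image": "nginx"}]}}}),
    json.dumps({"apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "system:serviceaccount:kube-system:replicaset-controller"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "my-deployment-7d9f6-x4k2p"},
                "requestObject": {"spec": {"containers": [{"image": "registry.internal.example.com/web:1.4"}]}}}),
    json.dumps({"eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
                "requestParameters": {"cluster": "prod", "taskDefinition": "web:3"}}),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_LOG):
        print(f"[{ev.source}] {ev.actor} -> {ev.name or ev.image} {ev.scope}".rstrip())
        for hit in hits:
            print("    !", hit)
```

Run it directly to print each normalised creation with its findings. The `docker run` sample and the `kubectl run` sample both trip the registry rule because a bare `nginx` reference resolves to Docker Hub, while the Deployment-managed pod from the internal registry is clean; the Docker record has no actor at all, which is the gap that host auditing of the Docker socket fills.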