Implementing Security Event Detection

Effective security detection in Kubernetes requires understanding normal behavior patterns to identify anomalies. Baseline establishment should consider workload types, communication patterns, and resource usage. Production workloads exhibit different patterns than development environments. Time-based patterns like business hours activity require temporal baseline adjustments.

Threat detection rules must balance sensitivity against the false positive rate. Overly sensitive rules generate alert fatigue, which causes teams to ignore legitimate threats; under-sensitive rules miss actual attacks. Rule tuning requires iterative refinement based on what is observed in the environment. Starting with vendor-provided rules and then customizing them for the specific environment provides good coverage.

# Falco rules for Kubernetes security monitoring
# Allow-lists referenced by the rules below; populate with the images that legitimately need these tools
- list: allowed_sudo_images
  items: [registry.example.com/ops/admin-shell]  # placeholder, replace with your own images

- list: allowed_network_tools
  items: [registry.example.com/ops/netdebug]  # placeholder, replace with your own images

- rule: K8s Unauthorized API Access
  desc: Detect unauthorized access to Kubernetes API
  condition: >
    ka.verb in (create, update, patch, delete) and
    ka.user.name in (system:anonymous, system:unauthenticated) and
    not ka.sourceips in (127.0.0.1)
  output: >
    Unauthorized Kubernetes API access (user=%ka.user.name verb=%ka.verb
    resource=%ka.target.resource sourceIP=%ka.sourceips)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, api, unauthorized]

- rule: Suspicious kubectl Exec
  desc: Detect kubectl exec operations in production
  condition: >
    ka.verb=create and
    ka.target.resource=pods and
    ka.target.subresource=exec and
    ka.target.namespace in (production, prod, prd)
  output: >
    kubectl exec in production namespace (user=%ka.user.name pod=%ka.target.name
    namespace=%ka.target.namespace command=%ka.uri.param[command])
  priority: WARNING
  source: k8s_audit
  tags: [k8s, exec, production]

- rule: Container Privilege Escalation
  desc: Detect privilege escalation in running containers
  condition: >
    container.id != host and
    proc.name in (sudo, su) and
    proc.pname != sudo and
    not container.image.repository in (allowed_sudo_images)
  output: >
    Privilege escalation detected (user=%user.name command=%proc.cmdline
    container=%container.name image=%container.image.repository)
  priority: CRITICAL
  tags: [container, privilege_escalation]

- rule: Cryptocurrency Mining Detection
  desc: Detect cryptocurrency mining activities
  condition: >
    container.id != host and
    (proc.name in (minerd, xmrig, minergate) or
     (proc.cmdline contains "stratum+tcp" or
      proc.cmdline contains "stratum2+tcp"))
  output: >
    Cryptocurrency mining detected (command=%proc.cmdline
    container=%container.name cpu=%thread.cpu)
  priority: CRITICAL
  tags: [cryptomining, malware]

- rule: Suspicious Network Tool Usage
  desc: Detect usage of network reconnaissance tools
  condition: >
    container.id != host and
    proc.name in (nmap, masscan, zmap, nc, netcat, ncat, telnet) and
    not container.image.repository in (allowed_network_tools)
  output: >
    Network tool usage detected (tool=%proc.name args=%proc.args
    container=%container.name)
  priority: WARNING
  tags: [network, reconnaissance]

Machine learning extends detection by identifying novel attack patterns. Unsupervised learning algorithms can detect statistical anomalies in API access patterns, network flows, or resource usage. However, ML models require substantial training data and may generate false positives during legitimate but unusual operations such as deployments or incident response.
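The temporal baselining described at the start of this section and the statistical anomaly detection just mentioned, combined in one added example (not code from the page or from Falco): it splits audit events into business-hours and off-hours buckets, learns a per-user mean and standard deviation of hourly write-verb counts, and flags hours that exceed mean plus z standard deviations, with a suppression list for known legitimate bursts such as deployment windows. The event shape, the 09:00-17:00 UTC business hours and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WRITE_VERBS = {"create", "update", "patch", "delete"}
BUSINESS_HOURS = range(9, 17)  # assumption: 09:00-16:59 UTC; set per cluster

def bucket(ts):
    """Temporal bucket, so off-hours activity is judged against its own baseline."""
    return "business" if datetime.fromisoformat(ts).hour in BUSINESS_HOURS else "off_hours"

def hourly_writes(events):
    """Count write verbs per (user, bucket, hour window 'YYYY-MM-DDTHH')."""
    counts = defaultdict(int)
    for e in events:
        if e["verb"] in WRITE_VERBS:
            counts[(e["user"], bucket(e["ts"]), e["ts"][:13])] += 1
    return counts

def build_baseline(events):
    """Mean and stddev of hourly write counts per (user, bucket)."""
    samples = defaultdict(list)
    for (user, b, _), n in hourly_writes(events).items():
        samples[(user, b)].append(n)
    return {k: (mean(v), pstdev(v)) for k, v in samples.items()}

def detect(baseline, events, z=3.0, suppressed_windows=()):
    """Flag hours whose write count exceeds mean + z*stddev (stddev floored at 1 so a flat
    baseline does not flag every deviation); suppressed_windows = known legitimate bursts."""
    findings = []
    for (user, b, window), n in sorted(hourly_writes(events).items()):
        if window in suppressed_windows:
            continue
        if (user, b) not in baseline:
            findings.append((user, b, window, n, "no baseline for user/time bucket"))
            continue
        mu, sigma = baseline[(user, b)]
        if n > mu + z * max(sigma, 1.0):
            findings.append((user, b, window, n, f"{n} writes vs baseline {mu:.1f}"))
    return findings

def _synth(user, day, hour, n, verb="create"):
    """Constructed sample audit events (not real cluster data)."""
    return [{"user": user, "verb": verb, "ts": f"2024-03-{day:02d}T{hour:02d}:{i % 60:02d}:00"} for i in range(n)]

BASELINE_EVENTS = [e for day in (1, 2, 3) for hour in (9, 10, 11)
                   for e in _synth("ci-bot", day, hour, 10) + _synth("alice", day, hour, 2)]
OBSERVED_EVENTS = (_synth("ci-bot", 4, 10, 40) + _synth("alice", 4, 3, 20)
                   + _synth("ci-bot", 4, 11, 40) + _synth("alice", 4, 10, 3, "get"))
```

On the constructed data the CI account's 40 writes at 10:00 is flagged against its baseline of 10, alice's 20 writes at 03:00 is flagged because no off-hours baseline exists for her, and the 11:00 burst is silenced when that hour is passed in suppressed_windows.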