Docker Integration

System Requirements

Docker container support is native for F5 Distributed Cloud App Infrastructure Protection (AIP) Agents in Investigate and legacy packages. To enable Docker, contact the Support Team or your customer success manager.


While running Linux Agent 2.x or 3.x in a Docker containerized environment, an error message might appear in your log files stating you are running an unsupported version of Docker. We apologize for the inconvenience and recommend disregarding this error. For additional information about our supported versions for Docker containers, see System Requirements.

Docker Feature Overview

Docker container events integrate seamlessly into the security, operations, and compliance feature sets of Distributed Cloud AIP. Additionally, Distributed Cloud AIP provides a default Docker rule set called the Docker Rule Set.

We support the following Docker features:

  • Audit events related to Docker Containers on the host
  • Audit user and process activity on the Docker Containers
  • Audit file change events with Docker Container file systems

Feature Background

The Distributed Cloud AIP Docker support was designed with the following use cases in mind:

Feature Use Case
Host Actions Related to Docker Know when a new Docker image is pulled or run
User Actions on Container Receive an alert on any user executing shell commands in the container.
Docker Configuration files on Host Audit all Docker configuration files on the host.
File Changes on Container Audit any file changes on the container.
Network Connections to/from Containers Know if any network connection initiations to/from the container and get alerted on deviations.

Docker Specific Event Keys

Support for Docker includes these additional, specific to Docker, keys which help event searches and rules.

Key Type Value Description Present in event types
containerId string ID number assigned to a container Docker events
containerImage string Image name and tag of a container Docker events

Search Docker Events

On the Events page, you can search for Docker events using specific containerIds. For all Docker events, you can search for containerId != null


Was this article helpful?
1 out of 1 found this helpful