Docker Integration


System Requirements

Docker container support is native for agents in Investigate and legacy packages. To enable Docker, contact the Support Team or your customer success manager.

Review the System Requirements article before installing the Threat Stack Agent.

Docker Feature Overview

Docker container events integrate seamlessly into the security, operations, and compliance feature sets of the Threat Stack platform. Additionally, Threat Stack provides a default Docker rule set, called the Docker Base Rule Set.

We support the following Docker features:

  • Audit events related to Docker Containers on the host
  • Audit user and process activity on the Docker Containers
  • Audit file change events with Docker Container file systems

Feature Background

The Threat Stack Docker support was designed with the following use cases in mind:

| Feature | Use Case |
| --- | --- |
| Host Actions Related to Docker | Know when a new Docker image is pulled or run. |
| User Actions on Container | Receive an alert on any user executing shell commands in the container. |
| Docker Configuration files on Host | Audit all Docker configuration files on the host. |
| File Changes on Container | Audit any file changes on the container. |
| Network Connections to/from Containers | Know of any network connection initiations to/from the container and get alerted on deviations. |

Docker Specific Event Keys

Docker support adds the following Docker-specific keys, which help with event searches and rules.

| Key | Type | Value Description | Present in event types |
| --- | --- | --- | --- |
| containerId | string | ID number assigned to a container | Docker events |
| containerImage | string | Image name and tag of a container | Docker events |

Search Docker Events

On the Events page, you can search for Docker events using specific containerIds. To find all Docker events, search on containerId != null.

