Docker container support is native for agents in the Investigate and legacy packages. To enable Docker support, contact the Support Team or your customer success manager.
Review the System Requirements article before installing the Threat Stack Agent.
Docker Feature Overview
Docker container events integrate seamlessly into the security, operations, and compliance feature sets of the Threat Stack platform. Additionally, Threat Stack provides a default Docker rule set, called the Docker Base Rule Set.
We support the following Docker features:
- Audit events related to Docker Containers on the host
- Audit user and process activity on the Docker Containers
- Audit file change events with Docker Container file systems
Threat Stack offers support for behavior and event monitoring on Docker containers running natively on the host. We do not support orchestration tools, such as Kubernetes or Rancher.
The Threat Stack Docker support was designed with the following use cases in mind:
| Use Case | Description |
|---|---|
| Host Actions Related to Docker | Know when a new Docker image is pulled or run. |
| User Actions on Container | Receive an alert on any user executing shell commands in the container. |
| Docker Configuration Files on Host | Audit all Docker configuration files on the host. |
| File Changes on Container | Audit any file changes on the container. |
| Network Connections to/from Containers | Know about any network connection initiated to or from the container and get alerted on deviations. |
Docker Specific Event Keys
Support for Docker adds the following Docker-specific event keys, which can be used in event searches and rules.

| Key | Type | Value Description | Present in Event Types |
|---|---|---|---|
| containerId | string | ID assigned to a container | Docker events |
| containerImage | string | Image name and tag of a container | Docker events |
Search Docker Events
On the Events page, you can search for Docker events by a specific containerId. To return all Docker events, search on containerId != null.
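As an added example (not part of Threat Stack's documentation or product code), the following Python applies the search semantics above, containerId != null, to a handful of constructed event records, and extends it to the "User Actions on Container" use case from the table above (a shell executed inside a container). Only containerId and containerImage are keys described on this page; the other fields (type, user, exe, args) and the event shapes are assumptions made for the illustration, not the platform's actual event schema.

```python
import json

# Constructed sample events for the illustration. Field names other than
# containerId / containerImage are assumptions, not Threat Stack's schema.
SAMPLE_EVENTS = [
    # host-level event: the daemon pulling an image, no containerId key at all
    {"type": "audit", "user": "root", "exe": "/usr/bin/dockerd",
     "args": "pull nginx:1.25"},
    # process running inside a container
    {"type": "audit", "user": "app", "exe": "/usr/bin/python3",
     "containerId": "0f1e2d3c4b5a", "containerImage": "myorg/api:2.1"},
    # interactive shell inside the same container
    {"type": "audit", "user": "deploy", "exe": "/bin/bash",
     "containerId": "0f1e2d3c4b5a", "containerImage": "myorg/api:2.1"},
    # host file event where the key is present but explicitly null
    {"type": "file", "user": "root", "exe": "/usr/bin/vi", "containerId": None},
    # file event inside a second container
    {"type": "file", "user": "root", "exe": "/usr/bin/vi",
     "containerId": "9a8b7c6d5e4f", "containerImage": "nginx:1.25"},
]

# Binaries treated as shells for the "user executing shell commands" check
# (assumed list for the example).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def is_docker_event(event):
    """Equivalent of the search `containerId != null`: the key must be present
    and non-null. A missing key and an explicit null are both host events."""
    return event.get("containerId") is not None


def docker_events(events, container_id=None):
    """Return the Docker events, optionally narrowed to a single containerId."""
    hits = [e for e in events if is_docker_event(e)]
    if container_id is not None:
        hits = [e for e in hits if e["containerId"] == container_id]
    return hits


def shell_in_container(events):
    """'User Actions on Container' use case: any shell executed inside a
    container. Returns (user, containerId, containerImage) tuples for alerting."""
    return [(e["user"], e["containerId"], e.get("containerImage"))
            for e in docker_events(events) if e.get("exe") in SHELLS]


def images_seen(events):
    """Distinct containerImage values across Docker events; comparing this set
    against a previously stored one gives a 'new image run' check."""
    return sorted({e["containerImage"] for e in docker_events(events)
                   if e.get("containerImage")})


if __name__ == "__main__":
    print(len(docker_events(SAMPLE_EVENTS)), "Docker events")
    print(json.dumps(shell_in_container(SAMPLE_EVENTS)))
    print(images_seen(SAMPLE_EVENTS))
```

The distinction between a missing key and a key set to null is the point of the first function: both fall outside containerId != null, so host events never leak into a Docker-only search or rule.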