Threat Stack Docker Integration


Docker container events are now supported on the Threat Stack platform. Events from Docker containers flow through the platform integrating seamlessly into the Security, Operations and Compliance feature sets of the platform. The following features will be supported for Docker:

  • Audit events related to Docker Containers on the host
  • Audit user and process activity on the Docker Containers
  • Audit file change events with Docker Container file systems

Accordingly, Docker support in ThreatStack comes with default rules out of the box, called the Docker Base Rule Set

Use Cases

  1. Host Actions Related to Docker: Customer wants to know when a new Docker image is pulled or run
  2. User Actions on Container: Customer wants to get alerted on any user executing shell commands in the container
  3. Docker Configuration files on Host: Customer wants to audit all Docker configuration files on the host
  4. File Changes on Container: Customer wants to audit any file changes on the container
  5. Network Connections to/from Containers: Customer wants to know any network connection initiations to/from the container and get alerted on deviations


Docker Support  and How to Configure


  1. Threat Stack Agent version 1.4.10+
  2. Linux kernel version >= 3.10 (see supported OSes and kernels)
  3. Docker version 1.8.0 - 17.03.2-ce


Docker support is built-in for all agents, all the customers need to do is enable container support.

Contact Threat Stack support( for assistance enabling Docker support.

Docker Events

On Events page, users can search for Docker events using specific containerIds.  For all Docker events, the users can do a search on containerId != null

Docker Specific Event Keys

With the addition of support for Docker there are additional keys available for event searches and rules. These are specific for Docker events and are as follows:

Key Type Value Description Present in event types
containerId string ID number assigned to a container Docker events
containerImage string Image name and tag of a container Docker events



Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.