dustin-decker / threatseer

efficient linux security monitoring
Apache License 2.0
25 stars 4 forks

add automatic runtime profile engine #6

Closed dustin-decker closed 6 years ago

dustin-decker commented 6 years ago

For every process_id (not PID; it's a generated ID unique to the lifecycle of the process) and every container_image, collect events for some configurable time period during its run time.

The collected events can be used to generate a profile, where if the bounds of the profile are exceeded, the engine adds an indicator to the event with a positive risk score. If the event is within bounds it can apply an indicator with a negative (lower) risk score, which will reduce false positives.

When process digests are added to the agent and if they are present, they can be used instead of process_id and the profile can be reused rather than lasting for the length of the process lifecycle.

Need to decide how profiles will be stored and shared among the servers with the profile engines.
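A minimal sketch of the engine proposed above, in Go like threatseer itself, added here as an example and not code from the project or its author: the Event and Indicator types, the per-key learning window and the +50/-10 scores are all assumptions. It keys profiles by both process_id and container_image as the issue describes, so a process digest could later replace process_id by changing only the key string.

```go
package main

import (
	"fmt"
	"time"
)
// Event is a constructed stand-in for an agent event; the field names are assumptions.
type Event struct {
	ProcessID      string // generated id unique to the process lifecycle, not the kernel PID
	ContainerImage string
	Kind           string // e.g. "exec", "open", "connect"
	Time           time.Time
}
// Indicator is the risk annotation added to an event: positive outside the profile, negative within it.
type Indicator struct {
	Name  string
	Score int
}
// Engine learns one profile per key (process_id or container_image) during a configurable
// window starting at that key's first event, then scores later events against it.
type Engine struct {
	window time.Duration
	start  map[string]time.Time       // first event time per key
	seen   map[string]map[string]bool // event kinds observed per key during its window
}
func NewEngine(window time.Duration) *Engine {
	return &Engine{window: window, start: map[string]time.Time{}, seen: map[string]map[string]bool{}}
}
// Observe returns ev's indicators; during a key's learning window the event only widens that profile.
func (e *Engine) Observe(ev Event) (out []Indicator) {
	for _, key := range []string{"process_id:" + ev.ProcessID, "container_image:" + ev.ContainerImage} {
		if _, ok := e.start[key]; !ok {
			e.start[key], e.seen[key] = ev.Time, map[string]bool{}
		}
		switch {
		case ev.Time.Sub(e.start[key]) < e.window:
			e.seen[key][ev.Kind] = true // still learning: no indicator yet
		case e.seen[key][ev.Kind]:
			out = append(out, Indicator{"within_profile:" + key, -10})
		default:
			out = append(out, Indicator{"outside_profile:" + key, 50})
		}
	}
	return out
}
func main() {
	eng, t0 := NewEngine(10*time.Second), time.Now()
	eng.Observe(Event{"p1", "img", "exec", t0}) // inside learning window: no indicators
	fmt.Println(eng.Observe(Event{"p1", "img", "connect", t0.Add(11 * time.Second)}))
}
```

Because each key has its own window, a new process in an already-profiled image is scored against the image profile immediately while its own process profile is still being learned.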

dustin-decker commented 6 years ago

added by #11