DEV Community

Mark0

Linux & Cloud Detection Engineering - Getting Started with Defend for Containers (D4C)

This article introduces Elastic’s "Defend for Containers," a runtime security integration released in version 9.3.0 specifically designed for cloud-native Linux environments. It shifts the focus from static image scanning to real-time behavioral monitoring, providing deep visibility into process execution and file access within containerized workloads. By enriching telemetry with Kubernetes and orchestration metadata, it enables detection engineers to analyze activity based on container identity and security context rather than just host-level artifacts.

The post details the deployment and configuration of Defend for Containers via Elastic Agent, emphasizing its flexible policy model. Using selectors and responses, users can define granular conditions for logging, alerting, or blocking actions based on specific operations like executable creation or interactive shell spawns. It also highlights the integration's pre-built detection ruleset, which covers common container threats such as privilege escalation, credential access, and drift detection.
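To make the selector/response model concrete, here is an added illustrative policy fragment. It is not taken from the article or from Elastic's shipped defaults; it follows the shape of Elastic's published Defend for Containers policy YAML (a process section and a file section, each with selectors that describe what to match and responses that map matched selectors to actions), but the exact selector keys, operation names and action names are assumptions here and should be checked against the integration documentation for your version.

```yaml
# Added illustrative D4C-style policy (not the integration's own defaults).
# selectors: named conditions over process/file events and their K8s context
# responses: which selectors to match (and exclude) and what to do about them
# Key and value names are assumptions; verify against your version's docs.
process:
  selectors:
    - name: allProcesses
      operation: [fork, exec]
    - name: interactiveShells            # hands-on-keyboard activity
      operation: [exec]
      processName: [sh, bash, dash, ash, zsh]
      sessionLeaderInteractive: true
    - name: debugNamespace               # a namespace where shells are expected
      kubernetesNamespace: [debug]
  responses:
    - match: [allProcesses]
      actions: [log]                     # telemetry only, no alert
    - match: [interactiveShells]
      exclude: [debugNamespace]          # carve-out evaluated before actions
      actions: [alert, block]            # block stops the exec, alert raises it
file:
  selectors:
    - name: executableDrift              # new or changed executables at runtime
      operation: [createExecutable, modifyExecutable]
      ignoreVolumeMounts: true           # mounted volumes are not image drift
  responses:
    - match: [executableDrift]
      actions: [alert, block]
```

Two design points worth noting: start with `log` on the broad selector and only attach `block` to narrow, well-tested selectors, since a block response in the process path terminates the exec; and use `exclude` for known-good carve-outs rather than weakening the selector itself, so the carve-out stays visible and auditable in the policy.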

Finally, the guide breaks down the structure of the generated telemetry, including process lineage, Linux capabilities (like CAP_SYS_ADMIN), and file event semantics. While currently in Beta with some limitations regarding network events and read-only file access, the integration provides a robust foundation for identifying hands-on-keyboard activity and container breakouts. Understanding these event fields is crucial for building effective, context-aware detection logic in modern ephemeral infrastructures.
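As an added example of what "context-aware detection logic" over these fields looks like, the following Python runs three small detections over constructed, ECS-shaped events: an interactive shell inside a container, a container process holding a breakout-grade capability such as CAP_SYS_ADMIN, and an executable written into a running container's filesystem (drift). This is not code from the Elastic post or from the integration; the events are constructed inline and carry only the fields the logic needs, whereas real Defend for Containers documents carry many more. The field paths used (process.interactive, process.thread.capabilities.effective, process.entry_leader.*, container.id, orchestrator.namespace, event.category, event.action, file.mode) are standard ECS names.

```python
# Added example: illustrative detection logic over constructed, ECS-shaped
# container events. Not code from the Elastic post or the D4C integration.
from typing import Any

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
# Capabilities that defeat most container isolation (mount, ptrace, module load,
# bypassing directory permissions). CAP_SYS_ADMIN is the classic breakout primitive.
BREAKOUT_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_DAC_READ_SEARCH"}


def get(doc: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS field path ('process.thread.capabilities.effective')
    through nested dicts, returning default if any segment is missing."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_executable_mode(mode: str) -> bool:
    """ECS file.mode is an octal string such as '0755'; true if any x bit is set."""
    try:
        return bool(int(mode, 8) & 0o111)
    except (TypeError, ValueError):
        return False


def classify(doc: dict) -> list[str]:
    """Return the names of the detections that fire for one event document."""
    findings: list[str] = []
    # These rules are container-scoped: a host-level event has no container.id.
    if not get(doc, "container.id"):
        return findings
    category = get(doc, "event.category", [])
    action = get(doc, "event.action")
    if "process" in category and action == "exec":
        name = get(doc, "process.name", "")
        interactive = bool(get(doc, "process.interactive", False))
        caps = set(get(doc, "process.thread.capabilities.effective", []))
        # A shell attached to a TTY inside a container is hands-on-keyboard
        # activity (kubectl exec -it, docker exec -it, or a pty reverse shell).
        if name in SHELLS and interactive:
            findings.append("interactive_shell_in_container")
        # Effective capabilities are what the process can use right now.
        if caps & BREAKOUT_CAPS:
            findings.append("container_process_with_breakout_capability")
    elif "file" in category and action in {"creation", "modification"}:
        # An executable appearing or changing after the container started is
        # drift from the image, which is what D4C's createExecutable /
        # modifyExecutable operations are meant to catch.
        if is_executable_mode(get(doc, "file.mode", "")):
            findings.append("executable_written_in_container")
    return findings


# Constructed sample events (not captured from a real cluster).
SAMPLE_EVENTS = [
    {   # kubectl exec -it into a pod whose container runs with CAP_SYS_ADMIN
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "bash", "executable": "/bin/bash", "interactive": True,
                    "entry_leader": {"name": "bash", "entry_meta": {"type": "container"}},
                    "thread": {"capabilities": {"effective": ["CAP_CHOWN", "CAP_SYS_ADMIN"]}}},
        "container": {"id": "a1b2c3d4e5f6", "image": {"name": "web-api"}},
        "orchestrator": {"namespace": "prod", "resource": {"name": "web-api-7d9f"}},
    },
    {   # entrypoint running a non-interactive `sh -c` with no special caps
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "sh", "executable": "/bin/sh", "interactive": False,
                    "thread": {"capabilities": {"effective": []}}},
        "container": {"id": "a1b2c3d4e5f6"},
        "orchestrator": {"namespace": "prod"},
    },
    {   # a new executable dropped into /tmp of a running container
        "event": {"category": ["file"], "action": "creation"},
        "file": {"path": "/tmp/.x", "mode": "0755"},
        "container": {"id": "a1b2c3d4e5f6"},
        "orchestrator": {"namespace": "prod"},
    },
    {   # ordinary log file write: not executable, no finding
        "event": {"category": ["file"], "action": "creation"},
        "file": {"path": "/var/log/app/app.log", "mode": "0644"},
        "container": {"id": "a1b2c3d4e5f6"},
        "orchestrator": {"namespace": "prod"},
    },
    {   # same shell on the node itself: no container.id, so out of scope here
        "event": {"category": ["process"], "action": "exec"},
        "process": {"name": "bash", "interactive": True,
                    "thread": {"capabilities": {"effective": ["CAP_SYS_ADMIN"]}}},
    },
]


def run(docs: list[dict]) -> list[tuple[Any, Any, list[str]]]:
    """Tag each document with its namespace and container for triage output."""
    return [(get(d, "orchestrator.namespace"), get(d, "container.id"), classify(d))
            for d in docs]


if __name__ == "__main__":
    for ns, cid, hits in run(SAMPLE_EVENTS):
        print(f"ns={ns} container={cid} findings={hits}")
```

The point of the `container.id` gate and the namespace/image fields is the one the post makes: the same exec event means something different on the node than inside a workload, and a real rule would further key on `orchestrator.namespace` or `container.image.name` to separate a debug sidecar from a production web container.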

