Using Container Threat Detection

Review Container Threat Detection findings in the Security Command Center dashboard, and see examples of Container Threat Detection findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier. To view Container Threat Detection findings, the service must be enabled in the Security Command Center Sources & Services settings.

Using a supported GKE version

To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Regular and Rapid channels:

  • >= 1.15.9-gke.12
  • >= 1.16.5-gke.2
  • >= 1.17

In a future update, Container Threat Detection will support version 1.14 and the Stable channel.
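To check which clusters are actually covered before relying on the detector, the version thresholds above can be applied to the GKE version strings reported for each cluster. The following is an added example, not Google's code; it assumes the three minimums listed on this page, treats the bare "1.17" entry as covering that minor line and everything newer, and uses constructed cluster names and versions. Note that a version string does not reveal the release channel, so Stable-channel clusters still need to be excluded separately.

```python
import re
from typing import Dict, List, Tuple

# Minimum supported GKE versions, as listed on this page. A cluster is covered
# if it meets the minimum for its own minor line (1.15 or 1.16), or is on 1.17
# or newer. Everything below 1.15.9-gke.12, including all of 1.14, is not.
MIN_SUPPORTED = ("1.15.9-gke.12", "1.16.5-gke.2", "1.17")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-gke\.(\d+))?$")


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.15.9-gke.12' into the comparable tuple (1, 15, 9, 12).

    A missing patch or -gke.N suffix counts as 0, so '1.17' -> (1, 17, 0, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    major, minor, patch, gke = m.groups()
    return (int(major), int(minor), int(patch or 0), int(gke or 0))


def is_supported(version: str) -> bool:
    """True if the version meets one of the page-listed minimums.

    A plain tuple comparison would wrongly accept 1.16.0 because it sorts
    above 1.15.9-gke.12, so qualified thresholds (patch or -gke.N given) are
    applied only within their own minor line; a bare major.minor threshold
    such as 1.17 is open-ended and covers that line and all newer lines.
    """
    v = parse_gke_version(version)
    for raw in MIN_SUPPORTED:
        t = parse_gke_version(raw)
        open_ended = t[2:] == (0, 0)  # assumption: no patch given => whole line
        if open_ended and v[:2] >= t[:2]:
            return True
        if not open_ended and v[:2] == t[:2] and v >= t:
            return True
    return False


def unsupported_clusters(clusters: Dict[str, str]) -> List[str]:
    """Return the names of clusters Container Threat Detection cannot cover."""
    return sorted(name for name, ver in clusters.items() if not is_supported(ver))


# Constructed sample inventory (cluster name -> GKE master version).
SAMPLE_CLUSTERS = {
    "prod-a": "1.15.9-gke.12",   # exactly at the 1.15 minimum: supported
    "prod-b": "1.16.4-gke.22",   # 1.16 line but below 1.16.5-gke.2: not supported
    "dev": "1.17.5-gke.0",       # 1.17 or newer: supported
    "legacy": "1.14.10-gke.36",  # 1.14 is not yet supported
}

if __name__ == "__main__":
    print("Clusters without Container Threat Detection coverage:",
          unsupported_clusters(SAMPLE_CLUSTERS))  # prints ['legacy', 'prod-b']
```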

To use a supported GKE version and detect threats to your containers:

  1. Follow the guide to upgrade a cluster.
  2. Make sure that Container Threat Detection is enabled for the cluster:
    1. Go to the Security Command Center Resources page in the Cloud Console.
    2. Under the Container Threat Detection column, next to each container you upgraded, select On.

For more information, see configuring Security Command Center resources.

Reviewing findings

When Container Threat Detection generates findings, you can view them in Security Command Center, or in Cloud Logging if you have configured Security Command Center sinks to write to Google Cloud's operations suite. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.

Container Threat Detection has the following latencies:

  • Activation latency of one hour for newly onboarded organizations.
  • Activation latency of one hour for newly created clusters.
  • Detection latency of minutes for threats in clusters that have been activated.

Reviewing findings in Security Command Center

To review Container Threat Detection findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Container Threat Detection.
  4. To view details about a specific finding, click the finding name under Category. The finding details panel expands to display information including the following:
    • The type of finding, like "Added Binary Executed"
    • Source: "Container Threat Detection"
    • Event time: when the finding occurred
    • Finding ID: a unique identifier for the finding
    • Resource name: the GKE cluster that is affected
    • Finding properties with more information like:
      • Container name
      • Container creation time
      • Container image URI and ID
      • Additional fields based on the detector. For example, reverse shell findings include the IP address of the remote host.

Viewing findings in Cloud Logging

To view Container Threat Detection findings in Cloud Logging:

  1. Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Container Threat Detection logs.
  3. In the resource drop-down list, select Cloud Threat Detector.
    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.

What's next