Using Container Threat Detection

Review Container Threat Detection findings in the Security Command Center dashboard, and see examples of Container Threat Detection findings. Container Threat Detection is a built-in service in the Security Command Center Premium tier. To view Container Threat Detection findings, the service must be enabled in the Security Command Center Services settings.

The following video shows the steps to set up Container Threat Detection and provides information about how to use the dashboard. Learn more about viewing and managing Container Threat Detection findings in text later on this page.

Using a supported GKE version

To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Regular and Rapid channels:

  • >= 1.15.9-gke.12
  • >= 1.16.5-gke.2
  • >= 1.17

In a future update, Container Threat Detection will support version 1.14 and the Stable channel.

To use a supported GKE version and detect threats to your containers:

  1. Follow the guide to upgrade a cluster.
  2. Make sure that Container Threat Detection is enabled for the cluster:
    1. Go to the Security Command Center Settings page in the Cloud Console.
    2. Navigate to Advanced settings and expand the menu. You see a list of your organization's resources.
    3. Under the Container Threat Detection column, select Enabled by default for each cluster you upgraded. The service is automatically enabled for child resources in folders if they are set to inherit. Manually enable Container Threat Detection for child resources that are not set to inherit.
    4. A dialog box appears to confirm your choices. Read the message, then click Yes, I Understand.

For more information, see configuring Security Command Center resources.

Reviewing findings

When Container Threat Detection generates findings, you can view them in Security Command Center. If you have configured Security Command Center sinks to write to Google Cloud's operations suite, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.

Container Threat Detection has the following latencies:

  • Activation latency of 3.5 hours for newly onboarded organizations.
  • Activation latency of 30 minutes for newly created clusters.
  • Detection latency of minutes for threats in clusters that have been activated.

Reviewing findings in Security Command Center

To review Container Threat Detection findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Container Threat Detection.
  4. To view details about a specific finding, click the finding name under Category. The finding details panel expands to display information including the following:
    • The type of finding, like "Added Binary Executed"
    • Source: "Container Threat Detection"
    • Event time: when the finding occurred
    • Finding ID: a unique identifier for the finding
    • Resource name: the GKE cluster that is affected
    • Finding properties with more information like:
      • Container name
      • Container creation time
      • Container image URI and ID
      • Additional fields based on the detector. For example, reverse shell findings include the IP address of the remote host.

Viewing findings in Cloud Logging

To view Container Threat Detection findings in Cloud Logging:

  1. Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Container Threat Detection logs.
  3. In the resource drop-down list, select Cloud Threat Detector.
    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.
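The following is an added example (not Google's code) of the text filter equivalent to those drop-down selections, and of pulling the dashboard fields listed under Reviewing findings out of exported log entries. It assumes exported entries use resource type threat_detector with a detector_name label and carry the finding as jsonPayload in the Security Command Center Finding shape; the sourceProperties key names and the sample entries are constructed for illustration.

```python
from collections import Counter

# Constructed sample log entries; the field layout is an assumption for this example.
SAMPLE_ENTRIES = [
    {"resource": {"type": "threat_detector",
                  "labels": {"detector_name": "ADDED_BINARY_EXECUTED"}},
     "jsonPayload": {"category": "Added Binary Executed",
                     "eventTime": "2020-06-01T12:00:00Z",
                     "resourceName": "//container.googleapis.com/projects/p/zones/z/clusters/c",
                     "sourceProperties": {"Container_Name": "app",
                                          "Container_Image_Uri": "gcr.io/p/app:1"}}},
    {"resource": {"type": "threat_detector",
                  "labels": {"detector_name": "REVERSE_SHELL"}},
     "jsonPayload": {"category": "Reverse Shell",
                     "eventTime": "2020-06-01T12:05:00Z",
                     "resourceName": "//container.googleapis.com/projects/p/zones/z/clusters/c",
                     "sourceProperties": {"Container_Name": "app",
                                          "Container_Image_Uri": "gcr.io/p/app:1",
                                          "Reverse_Shell_Remote_Ip": "203.0.113.7"}}},
    # An ordinary container log line that the filter must leave out.
    {"resource": {"type": "k8s_container", "labels": {}},
     "jsonPayload": {"message": "ordinary application log"}},
]

def logging_filter(detector_name=None):
    """Logs Viewer filter matching the resource and detector drop-down choices."""
    query = 'resource.type="threat_detector"'
    if detector_name:  # None means "all detector_name"
        query += f' AND resource.labels.detector_name="{detector_name}"'
    return query

def _matches(entry, detector_name):
    res = entry.get("resource", {})
    if res.get("type") != "threat_detector":
        return False
    return detector_name is None or res.get("labels", {}).get("detector_name") == detector_name

def triage(entries, detector_name=None):
    """Return the dashboard fields for each matching finding and per-detector counts."""
    rows, counts = [], Counter()
    for entry in entries:
        if not _matches(entry, detector_name):
            continue
        detector = entry["resource"]["labels"]["detector_name"]
        payload = entry.get("jsonPayload", {})
        props = payload.get("sourceProperties", {})
        counts[detector] += 1
        rows.append({"detector": detector, "category": payload.get("category"),
                     "event_time": payload.get("eventTime"),
                     "resource": payload.get("resourceName"),
                     "container": props.get("Container_Name"),
                     "image": props.get("Container_Image_Uri"),
                     # Detector-specific extra: the remote host for reverse shells.
                     "remote_ip": props.get("Reverse_Shell_Remote_Ip")})
    return rows, counts
```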

Example findings

Read Container Threat Detection detectors to review example findings.

What's next