Container Start (5fe82895-28e5-4aac-845e-dc886b63be2e)
The "Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate adversarial activity or misconfigurations. Examples:
- Docker Example: docker start <container_name>, docker restart <container_name>
- Kubernetes Example: Kubernetes automatically restarts containers as part of pod lifecycle management (e.g., due to health checks or configuration changes).
- Cloud-Native Example
  - AWS ECS: API Call: StartTask to activate a stopped ECS task.
  - Azure Container Instances: Command to restart a container group instance.
  - GCP Kubernetes Engine: Automatic restarts as part of node or pod management.

This data component can be collected through the following measures:
- Docker Audit Logging: Enable Docker logging to capture start and restart events. Use tools like auditd to monitor terminal activity involving container lifecycle commands.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
- Cloud Provider Logs
  - AWS CloudTrail: Capture StartTask or related API calls for ECS.
  - Azure Monitor: Track activity in container groups that indicate start or restart events.
  - GCP Cloud Logging: Record logs related to pod restarts or scaling events in Kubernetes Engine.
- SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services to correlate container start events.
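
The correlation step described in the collection measures above, as an added example (not part of the original page or of any vendor tooling): it normalizes Docker engine start/restart events and CloudTrail StartTask records into one schema and flags workloads outside an allowlist. It assumes Docker events are exported with `docker events --format '{{json .}}'`; the function names, the output schema and the `EXPECTED_WORKLOADS` allowlist are hypothetical, and all sample lines are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample input (not real telemetry): Docker engine events in the
# shape of `docker events --format '{{json .}}'`, one CloudTrail ECS record,
# one non-container event and one unparseable line.
SAMPLE_LINES = [
    '{"Type":"container","Action":"start","time":1700000000,"Actor":{"ID":"a1b2c3",'
    '"Attributes":{"image":"nginx:1.25","name":"web"}}}',
    '{"Type":"container","Action":"restart","time":1700000060,"Actor":{"ID":"d4e5f6",'
    '"Attributes":{"image":"alpine:3.19","name":"debug"}}}',
    '{"eventSource":"ecs.amazonaws.com","eventName":"StartTask",'
    '"eventTime":"2023-11-14T22:15:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example"},'
    '"requestParameters":{"cluster":"prod","taskDefinition":"batch-job:7"}}',
    '{"Type":"network","Action":"connect","time":1700000090,"Actor":{"ID":"n1","Attributes":{}}}',
    'not json',
]
EXPECTED_WORKLOADS = {"nginx:1.25", "batch-job:7"}  # assumed allowlist of images / task definitions

def normalize(line):
    """Map one raw log line to a common container-start record, or None."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    if rec.get("Type") == "container" and rec.get("Action") in ("start", "restart"):
        attrs = (rec.get("Actor") or {}).get("Attributes") or {}
        ts = datetime.fromtimestamp(rec.get("time", 0), tz=timezone.utc)
        return {"source": "docker", "action": rec["Action"], "workload": attrs.get("image"),
                "target": attrs.get("name"), "principal": None,
                "time": ts.strftime("%Y-%m-%dT%H:%M:%SZ")}
    if rec.get("eventSource") == "ecs.amazonaws.com" and rec.get("eventName") == "StartTask":
        params = rec.get("requestParameters") or {}
        return {"source": "aws-ecs", "action": "StartTask", "workload": params.get("taskDefinition"),
                "target": params.get("cluster"), "principal": (rec.get("userIdentity") or {}).get("arn"),
                "time": rec.get("eventTime")}
    return None

def container_starts(lines, expected=EXPECTED_WORKLOADS):
    """Return normalized start events, flagging workloads outside the allowlist."""
    events = []
    for line in lines:
        event = normalize(line)
        if event is not None:
            event["unexpected"] = event["workload"] not in expected
            events.append(event)
    return events
```

Calling `container_starts(SAMPLE_LINES)` returns three records; the `alpine:3.19` restart is the only one marked `unexpected`.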