Kubernetes Runtime Protection Rules and Exclusions

These Runtime Protection rules and exclusions allow you to customize the CloudGuard security policy:

  • Exclusion - Classify a Security Event as benign and ignore similar future events.

  • Deny rule - Prevent malicious event recurrence by deleting (killing) the container that executes the operation.

Rules and Exclusions by Engines

You can define deny rules for Signatures, but not for File Reputation and Profiling. For File Reputation and Profiling engines, you can define only custom exclusions.

You can create a rule or exclusion for signatures to enforce your security policy in CloudGuard. These actions are possible only after a security event has occurred and appeared in the Events table.

  • To allow the event and set it as benign, add an exclusion. When CloudGuard detects this behavior again, it does not trigger a security alert.

  • To block the operations related to the signature, add a rule. When CloudGuard detects this activity again, the Signatures engine kills the container that executes the operation.

  • To automatically block all signatures on a cluster, set a toggle button on the cluster's Runtime Protection tab - For more information, see Creating Rules.

    The blocked event has a special icon and the Blocked indication in the event details.

You can create an exclusion based on the manual classification of an executable file as benign. This allows you to override a false identification of the file as malicious.

You can create a cluster deny rule for all File Reputation events.

  • To automatically block all File Reputation violations on a cluster, set a toggle button on the cluster's Runtime Protection tab - For more information, see Creating Rules.

    The blocked event has a special icon and the Blocked indication in the event details.

You can manually allow (add an exclusion) specific processes and networks in the profile. This helps you fine-tune the profile if it falsely identifies some behavior as unwanted, malicious, or anomalous, while in practice it is benign (false-positive detection). For example, a monthly maintenance process that occurs after the profile finalization is flagged as anomalous.

Profile exclusions contain processes (commands) and networks that you explicitly allow for the applicable scope. Each process and network added to the profile with exclusion has the Exclusion tag in its line.

For profiles, you cannot define rules, that is, forbid a process or network.

Security Events Deduplication

Alerts deduplication mechanism allows CloudGuard reduce the clutter caused by repeated alerts.

When the Runtime Protection engine detects an alert that repeats frequently over a short period, it reduces the number of reported alerts. The engine only reports a sample of these repeated alerts.

Actions

Runtime Protection is enabled by default for all Pod Groups.

If you have disabled the functionality or did not select it when onboarding your cluster to CloudGuard, follow the steps below to enable Runtime Protection.

  1. In the CloudGuard portal, navigate to Workload Protection > Containers Assets | Environments.

  2. Select the environment from the list (you can filter the list to narrow your search) and open the Blades tab.

  3. Set Runtime Protection to ON.

    The confirmation window opens with instructions on how to install the agent on the cluster.

  4. Install the agent on your cluster.

  5. In the confirmation window, click Yes to confirm your action.

  6. Optionally, set Behavioral Profiling to ON. This is a Public Preview feature disabled by default.

It takes CloudGuard several minutes to enable Runtime Protection on your environment.

You can create rules only for triggered security events, that is, from the recorded alerts. After you apply the rule, CloudGuard kills the executing container when the same malicious activity occurs again.

You cannot create rules for Profiling.

To create a rule:

  1. Navigate to Events > Threat & Security Events.

  2. Find an event with the Containers Runtime Protection source and SignatureEvent in the title and select it. If you need it, adjust the time frame filter to see all related events.

  3. On the toolbar, click Add Deny Rule.

    The Deny Rule Confirmation window opens.

  4. You can apply the rule to the selected podClosed The smallest and simplest Kubernetes object. A pod represents a set of running containers on your cluster. A pod is typically set up to run a single primary container. It can also run optional sidecar containers that add supplementary features like logging. Pods are commonly managed by a Deployment. group or to all pods in the cluster. Select the applicable option and click Create.

    CloudGuard adds the rule in the Rules section on the Runtime Protection Rules tab of the corresponding pod group.

  5. For the cluster scope, create deny rules with the toggle buttons on the Runtime Protection tab of the cluster.

    1. Open the cluster page.

    2. Go to the Runtime Protection tab.

    3. In the Rules section:

      • Set the Block All Malicious Signatures toggle button to ON to automatically block all Signatures in a cluster:

      • Set the Block All Malware toggle button to ON to automatically block all File Reputation violations on a cluster:

You can define and enforce exclusions in the scope of a specific workload, a group of workloads, or all the Pods in a specific cluster (environment).

Engine

Available Context

File Reputation

Create an exclusion from:

  • The menu of the finding or event in the Events > Threat & Security Events table, select a Malicious File event

  • The Runtime Protection tab associated with a cluster or a pod group

Signatures

Create an exclusion from the Events tab and from a specific security event.

Profiling

Create an exclusion from:

  • The menu of the finding or event in the Events > Threat & Security Events table

  • The Runtime Protection and Runtime Protection Rules tabs related to a Pod Group

  • The Runtime Protection tab associated with a cluster (environment)

To create an exclusion:

  1. Select the context for the new exclusion and open the relevant entity.

  2. In the Events table, click Exclude. On the entity tab, click Create New Exclusion.

  3. In the Create New Exclusion window, enter the details:

    1. Name - The name for the exclusion that appears in the list of exclusions in this tab.

    2. Target - Type of action to exclude from monitoring: a process or a specific host. For Signatures, the Signature type is preselected.

    3. Pattern - Path for processes or domain name for hosts. For Signatures, the pattern is the preselected name of the Signature.

    4. Process / Parent Process - Path of the process that can run the excluded domain or process.

    5. Scope - Application to a specific Pod group, a list of Pod groups, or all the Pods in a certain cluster (environment).

  4. Click Create.

The default profile learning period is 24 hours. You can modify the profiling time based on your knowledge of the workload behavior. If you set the learning period to a value that is shorter than the completed period, the profile learning stops immediately.

To change the profiling period:

  1. Open the Runtime Protection tab of the workload (Pod Group).

  2. On the Profiling status bar, click the menu button on the right and select Settings. The Pod Group Settings window opens.

  3. With the up and down arrows, adjust the Days, Hours, and Minutes as necessary.

  4. Click Save.

Note - CloudGuard saves the setting of the new profiling period for future versions of the Pod Group.

More Links