Skip to main content

Container threat detection


This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.

Big picture

Get alerts when security threats, such as malware and other suspicious processes, are detected in your cluster.


Calico Cloud provides a threat detection engine that analyzes observed file and process activity to detect known malicious and suspicious activity.

As part of these threat detection capabilities, Calico Cloud maintains a database of malware file hashes. This database consists of SHA256, SHA1, and MD5 hashes of executable file contents that are known to be malicious. Whenever a program is launched in a Calico Cloud cluster, malware detection generates an alert in the Security Events dashboard if the program's hash matches one that is known to be malicious.

Our threat detection engine also monitors activity within the containers running in your clusters to detect suspicious behavior and generate corresponding alerts. The threat detection engine monitors the following types of suspicious activity within containers:

  • Access to sensitive system files and directories
  • Defense evasion
  • Discovery
  • Execution
  • Persistence
  • Privilege escalation

Before you begin...


Calico Cloud Container threat detection uses eBPF to monitor container activity, and it runs on Linux-based nodes in a Kubernetes cluster.

Nodes require amd64 (x86_64) architecture CPUs and one of the following distributions:

  • Ubuntu Bionic with kernel version 4.15.0 or 5.4.0
  • Ubuntu Focal with kernel version 5.4.0, 5.8.0 or 5.11.0
  • CentOS 7 or 8
  • Fedora 29, 30, 31, 32, 33 or 34
  • Amazon Linux 2
  • Debian Stretch or later
  • Any other distribution with a Linux kernel 5.0 or later that provides BPF Type Format (BTF) for that kernel at the standard place (/sys/kernel/btf/vmlinux)

If your nodes are running a variant kernel, or a similarly-modern kernel but with another platform, please open a Support ticket so we can bundle the BTF data to precisely match the version of the kernel running on your cluster nodes.

How to

Enable Container Threat Detection

Container threat detection is disabled by default.

To enable Container threat detection on your managed cluster, go to the Threat Defence section in the Calico Cloud UI, and select Enable Container Threat Detection. This will result in Container threat detection running on all nodes in the managed cluster to detect malware and suspicious processes.

Alternatively, Container threat detection can be enabled using kubectl:

kubectl apply -f - <<EOF
kind: RuntimeSecurity
name: default

Monitor the Security Events page for malicious programs

If a malicious or suspicious program is run within the cluster, it will be reported on the Security Events page of the Calico Cloud UI.


Container activity logs in Kibana

Lower-level reports for file and process activity are captured for your cluster in Kibana using the index pattern tigera_secure_ee_runtime*. Please note that most of these reports are not usually malicious; they constitute the raw data against which known malicious program fingerprints and activity patterns are compared. Suspicious and known malicious activity is reported on the Security Events page of the Calico Cloud UI.