Security event management
This feature is tech preview. Tech preview features may be subject to significant changes before they become GA.
Big picture​
Get alerts on security events in a single dashboard.
Value​
Security events indicate that a threat actor may be present in your Kubernetes cluster. For example, a DNS request to a malicious hostname, perhaps generated by a Domain Generation Algorithm (DGA), a triggered WAF rule, or the opening of a sensitive file. Calico Cloud provides security engineers and incident response teams with a single dashboard to manage threat alerts. Benefits include:
- A filtered list of critical events with recommended remediation
- Identify impacts on applications
- Understand the scope and frequency of the issue
- Manage alert noise by dismissing events (show/hide)
Before you begin​
Required
Limitations
- You cannot control which users can view or edit the page using fine-grained role-based access controls
Security events dashboard​
In Manager UI, go to Threat defense, Security Events.
UI help​
Event details page
Provides actions to remediate the detection and stop the attack from progressing. For example:
Severity
Calico Cloud calculates severity (Critical, High, Medium, Low) using a combination of NIST CVSS 3.0 and MITRE IDs.
MITRE IDs
Multiple MITRE IDs may be associated with a security event.
Attack Vector
- Network
- Process
- File
MITRE Tactic (based on the MITRE tactics) includes a specific path, method, or scenario that can compromise cluster security. Valid entries:
| Tactic | Purpose |
|---|---|
| Initial access | Gain an initial foothold within a network using various entry vectors. |
| Execution | Control code running on local or remote systems using malicious code. |
| Impact | Disrupt availability or compromise integrity by manipulating business and operational processes. |
| Persistence | Maintain access to systems across restarts, credential changes, and other interruptions. |
| Privilege Escalation | Access higher-level permissions on a system or network. |
| Defense Evasion | Masquerade and hide malware to avoid detection to compromise software, data, scripts, and processes. |
| Discovery | Gain knowledge about your system and internal network. |
| Command and Control | Communicate with compromised systems to control them. |
Frequently asked questions​
How is the recommended remediation determined?
The Tigera Security Research team maps MITRE IDs to events and provides the recommended remediation.
Will I see all Calico Cloud alerts in this dashboard?
No. Calico Cloud security events do not encompass all types of alerts nor all security alert types; they only contain alerts for threats. Alerts for vulnerabilities detected in a container image, or misconfigurations in your Kubernetes cluster, are displayed in their respective dashboards. However, when vulnerabilities or misconfigurations are exploited by an attacker, those indicators of an attack are considered security events.
What does dismissing a security event do?
Dismissing a security event hides it from view.
Why are some fields in columns blank?
Security events generated from older managed clusters will not have values for the new fields (for example, MITRE IDs). You can dismiss these events.
Where can I view security event logs?
Go to: Logs, Kibana index, tigera_secure_ee_events.