Behavioral Detection overview

Behavioral Detection is run-time monitoring of an environment for signs of malicious behavior that could indicate an attack on that environment. It offers continuous protection against unusual events or threats. It is part of the CNDR solution, which quickly identifies, and issues alerts for, any activity that deviates from the normal range.

The Aqua CyberCenter contains sequences of actions, taken by applications and users, that Aqua classifies as abnormal. If any application or user activity matches a behavior stream signature, Aqua detects that behavior and warns users of the incident by reporting it on the Incidents page. Examples of Behavioral Detection include identifying and alerting on events such as deletion of system logs, DDoS tool usage, and kernel module loading.

Behavioral Detection is enabled in both the Aqua Enforcer and VM Enforcer group settings and runs in Audit mode.

Functioning of Behavioral Detection

Behavioral Detection is a global setting in Aqua Enforcer and VM Enforcer groups that enables runtime protection for containers and virtual machines. The behavioral detection component collects data on the actions of users and applications running in your containers and virtual machines. All events collected from the user environment are continuously tested against the predefined behavior stream signatures that are classified as dangerous. When a suspicious behavioral pattern matches a behavior stream signature, Aqua alerts users to the presence of a potential threat within the environment. Aqua updates the behavior stream signature list continually.

When Aqua detects malicious activity from applications, it creates an alert and logs an entry with the Detect action in the Audit and Incidents reports. Refer to the Behavioral Detection Logs section below for a detailed explanation of viewing results.

Incidents overview

While developing a signature for each Behavioral Detection finding, Aqua Security Research assigns a severity to it. The severity reflects the level of confidence that the observed behavior is malicious, and not simply part of a benign application flow: 5 (critical), 4 (high), 3 (medium), 2 (low), or 1 (negligible).

The Incidents page of the UI displays all behavioral detection events with severity critical or high. You may want to focus your attention on the events of the highest severity first.
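The following is an added illustration of the matching flow described under "Functioning of Behavioral Detection" and of the severity filtering applied by the Incidents page; it is example code written for this page, not Aqua's own detection engine, and the signatures and event stream are constructed samples rather than Aqua's behavior stream signatures. A signature is modelled as an ordered sequence of action checks, each hit is logged as a Detect entry with its severity label, and the Incidents view keeps only critical and high findings, highest severity first.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]
SEVERITY_LABELS = {5: "critical", 4: "high", 3: "medium", 2: "low", 1: "negligible"}


@dataclass
class Signature:
    """A behavior stream signature: an ordered sequence of action checks (constructed model)."""
    name: str
    severity: int                        # 5 (critical) .. 1 (negligible)
    steps: List[Callable[[Event], bool]]


def matches(sig: Signature, events: List[Event]) -> bool:
    """True if every step of the signature occurs, in order, somewhere in the event stream."""
    i = 0
    for ev in events:
        if i < len(sig.steps) and sig.steps[i](ev):
            i += 1
    return i == len(sig.steps)


def detect(events: List[Event], signatures: List[Signature]) -> List[dict]:
    """Test the collected stream against every signature; each hit becomes a Detect entry."""
    findings = []
    for sig in signatures:
        if matches(sig, events):
            findings.append({"action": "Detect", "signature": sig.name,
                             "severity": sig.severity, "label": SEVERITY_LABELS[sig.severity]})
    return findings


def incidents_view(findings: List[dict]) -> List[dict]:
    """Mirror the Incidents page: only critical (5) and high (4), highest severity first."""
    return sorted((f for f in findings if f["severity"] >= 4), key=lambda f: -f["severity"])


# Constructed sample event stream from one container (not captured data)
SAMPLE_EVENTS = [
    {"proc": "nginx", "action": "open", "target": "/var/www/index.html"},
    {"proc": "sh", "action": "exec", "target": "/bin/sh"},
    {"proc": "rm", "action": "unlink", "target": "/var/log/auth.log"},
    {"proc": "insmod", "action": "module_load", "target": "example.ko"},
    {"proc": "curl", "action": "connect", "target": "203.0.113.10:443"},
]

# Constructed signatures modelled on the page's examples; not Aqua's signature list
SIGNATURES = [
    Signature("system log deletion after shell spawn", 5,
              [lambda e: e["action"] == "exec" and e["target"].endswith("sh"),
               lambda e: e["action"] == "unlink" and e["target"].startswith("/var/log/")]),
    Signature("kernel module loading", 4, [lambda e: e["action"] == "module_load"]),
    Signature("outbound connection from container", 2, [lambda e: e["action"] == "connect"]),
]
```

Running `incidents_view(detect(SAMPLE_EVENTS, SIGNATURES))` yields the log-deletion (critical) and module-loading (high) findings, while the low-severity outbound connection stays only in the full Detect log.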

For more information

Refer to Behavioral Detection and Incidents.