Defend for Containers (Elastic Stack 9.3.0) is a runtime security integration that captures container process and file telemetry, enriches events with container and orchestration context, and provides a policy-driven model (selectors and responses) for detection and response in Kubernetes environments. The integration ships pre-built detection rules, supports Elastic Agent deployment on clusters (EKS/GKE; limited AKS support), and emphasizes runtime behavior such as interactive execution, file modifications, capability exposure, and privilege escalation for workload-aware detections. #DefendForContainers #Kubernetes
Keypoints
- Defend for Containers (released in Elastic Stack 9.3.0) provides runtime visibility into container process and file events, enriched with container and orchestration metadata for behavior-driven detection.
- The integration is deployed via Elastic Agent (Fleet) and configured through policies composed of selectors (operations/conditions) and responses (log/alert/block).
- Default policies include Threat Detection (logs fork/exec events) and Drift Detection & Prevention (alerts on executable creation/modification), and selectors support rich wildcard and path-based matching.
- Defend for Containers exposes important fields for detection engineering including process lineage, interactive flags, Linux capabilities, container image and security context, host PID namespace, and orchestration labels.
- Beta limitations: formal support is limited to Amazon EKS and Google GKE; AKS telemetry is partial (process events only, no file events); and there is no built-in network event capture, so complementary network data sources (e.g. flow logs or a network sensor) are recommended alongside it.
- Pre-built detection rules tailored to container/Kubernetes threats are available in Elastic Security (9.3.0+), and policies should be validated in monitoring mode before enabling blocking to avoid disrupting workloads.
- The integration focuses on write-oriented file events (open-with-write intent, create/modify/delete) and prioritizes runtime behavior over static image scanning for detecting post-compromise activity.
MITRE Techniques
- [T1595] Active Scanning – Reconnaissance behavior is highlighted as a detection target (‘reconnaissance activity’)
- [T1110] Brute Force – General credential access attempts mapping to credential-access behaviors (‘credential access attempts’)
- [T1528] Steal Application Access Token – Service account token abuse and token discovery in containers (‘service account token abuse’)
- [T1059] Command and Scripting Interpreter – Interpreter abuse and interactive process execution inside containers (‘interpreter abuse’, ‘interactive process execution’)
- [T1027] Obfuscated Files or Information – Encoded or obfuscated payload execution techniques referenced as detection targets (‘encoded payload execution’)
- [T1105] Ingress Tool Transfer – Tooling installation and bringing utilities into containers to enable post-compromise activity (‘tooling installation’)
- [T1572] Protocol Tunneling – Tunneling behavior called out as a telemetry use case to detect covert network channels (‘tunneling behavior’)
- [T1068] Exploitation for Privilege Escalation – Multiple privilege escalation vectors are noted as detection coverage goals (‘privilege escalation vectors’)
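To show how the enriched fields listed in the Keypoints (interactive flag, Linux capabilities, security context, parent lineage, orchestration names) turn into detections for the techniques above, here is an added example that is not one of Elastic's pre-built rules: three small rules run over constructed newline-delimited JSON events. The ECS-style field names (`process.interactive`, `process.thread.capabilities.effective`, `process.parent.name`, `container.security_context.privileged`, `orchestrator.namespace`, `orchestrator.resource.name`), the shell and download-tool name lists, and the capability set treated as escape-capable are all assumptions for this illustration and should be checked against the integration's actual field reference before use.

```python
"""Three illustrative container rules over constructed events (added example, not
Elastic's rules). ECS-style field names and the SHELLS / FETCH_TOOLS / ESCAPE_CAPS
lists are assumptions made for the illustration."""
import json

# Constructed sample events (not real agent output): interactive bash, an
# interactive shell in a privileged pod with CAP_SYS_ADMIN, a normal nginx exec,
# and curl spawned from a shell.
SAMPLE_NDJSON = """\
{"event":{"action":"exec"},"process":{"name":"bash","interactive":true,"parent":{"name":"runc"},"thread":{"capabilities":{"effective":["CAP_CHOWN","CAP_NET_BIND_SERVICE"]}}},"container":{"image":{"name":"api"},"security_context":{"privileged":false}},"orchestrator":{"namespace":"prod-payments","resource":{"name":"backend-7f9c"}}}
{"event":{"action":"exec"},"process":{"name":"sh","interactive":true,"parent":{"name":"runc"},"thread":{"capabilities":{"effective":["CAP_SYS_ADMIN","CAP_SYS_PTRACE"]}}},"container":{"image":{"name":"debug"},"security_context":{"privileged":true}},"orchestrator":{"namespace":"prod-payments","resource":{"name":"debug-1"}}}
{"event":{"action":"exec"},"process":{"name":"nginx","interactive":false,"parent":{"name":"runc"},"thread":{"capabilities":{"effective":["CAP_NET_BIND_SERVICE"]}}},"container":{"image":{"name":"nginx"},"security_context":{"privileged":false}},"orchestrator":{"namespace":"prod-web","resource":{"name":"web-2"}}}
{"event":{"action":"exec"},"process":{"name":"curl","interactive":false,"parent":{"name":"bash"},"thread":{"capabilities":{"effective":["CAP_CHOWN"]}}},"container":{"image":{"name":"api"},"security_context":{"privileged":false}},"orchestrator":{"namespace":"prod-payments","resource":{"name":"backend-7f9c"}}}
"""

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}                 # assumed list
FETCH_TOOLS = {"curl", "wget", "apt", "apt-get", "pip", "yum"}  # assumed list
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE"}  # assumed set


def field(event: dict, path: str, default=None):
    """Walk a dotted ECS-style path ('process.parent.name') through nested dicts."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


# (rule name, technique from the list above, predicate over one event)
RULES = [
    ("Interactive shell in container", "T1059",
     lambda e: field(e, "process.interactive") is True
     and field(e, "process.name") in SHELLS),
    ("Interactive session with escape-capable privileges", "T1068",
     lambda e: field(e, "process.interactive") is True and (
         field(e, "container.security_context.privileged") is True
         or ESCAPE_CAPS & set(field(e, "process.thread.capabilities.effective", [])))),
    ("Download/install tool spawned from a shell", "T1105",
     lambda e: field(e, "process.name") in FETCH_TOOLS
     and field(e, "process.parent.name") in SHELLS),
]


def run_rules(ndjson: str) -> list[dict]:
    """Evaluate every rule against every event; return one alert per (event, rule) hit."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, technique, predicate in RULES:
            if predicate(event):
                alerts.append({
                    "rule": name, "technique": technique,
                    "namespace": field(event, "orchestrator.namespace"),
                    "pod": field(event, "orchestrator.resource.name"),
                    "process": field(event, "process.name"),
                })
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_NDJSON):
        print(f'{alert["technique"]} {alert["namespace"]}/{alert["pod"]} '
              f'{alert["process"]}: {alert["rule"]}')
```

The second rule is the one that matters most operationally: an interactive shell by itself is noisy in dev clusters, but an interactive session that already holds CAP_SYS_ADMIN or runs privileged is the point at which container boundaries stop meaning much, so it deserves a higher severity than the bare shell rule.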
Indicators of Compromise
- [File paths] values used in the article's selector and policy examples – /usr/bin/echo, /etc/**
- [Container image names] image-based container selection and exclusions – docker.io/nginx, nginx
- [Kubernetes manifest] deployment artifact referenced for agent installation – elastic-agent-managed-kubernetes.yml
- [Kubernetes selectors / namespaces] wildcard patterns for scoping a policy – prod-* (namespace), backend-* (pod name)
- [Executable paths] path-based selector examples scoping executable changes – /usr/bin/**, /usr/local/**
Read more: https://www.elastic.co/security-labs/getting-started-with-defend-for-containers