Spyderbat Product Docs
Custom Flags

Last updated 8 months ago


What are Custom Flags?

Custom Flags let you create tailored detection rules that monitor activities or behaviors specific to your environment.

Custom Flags address detection needs that Spyderbat's built-in detections do not cover, including needs that are specific to your organization.

Leveraging the Spyderbat Query Language (SpyQL)

Spyderbat allows you to write Custom Flags using the Spyderbat Query Language (SpyQL). SpyQL enables you to craft precise queries that define the conditions for your Custom Flags.

SpyQL supports complex queries: you can combine multiple conditions with the logical operators AND, OR, and NOT, and compare field values with the equality operator (=), the pattern-match operator (~=), the regular-expression operator (~~=), and others.

SpyQL is used both for Historical Search in the Console and for Custom Flags. A query has two parts: the schema (the object type you are looking for) and the query itself. In Historical Search you must also specify a time window; Custom Flags operate in real time, so a time window is not part of a Custom Flag query. The SpyQL query shown below (a Historical Search screenshot on the original page) looks for any Container whose cluster-name field equals the value integrationc2, using the equality operator (=):

[Query image: Historical Search query for any Container where cluster-name equals integrationc2]

You can use Historical Search in the UI to test your Custom Flag queries before turning them into flags.

Custom Flags Key Features:

  1. Real-Time Monitoring: Once set up, Custom Flags operate in real time, raising a flag immediately when a record matches the SpyQL query.

  2. Flexibility: You can define flags that range from broad conditions (e.g., any time a new StatefulSet is created) to highly specific scenarios (e.g., a serviceaccount with the cluster-admin role created in a particular namespace by a particular user).

  3. Red Flag vs. Ops Flag: You can choose between a Custom Red Flag (security) and a Custom Ops Flag (DevOps) based on your detection needs.

    • Redflag: Indicates a security issue or potentially malicious activity.

    • Opsflag: Highlights an operational or configuration issue that may need attention.

    Custom Flags also let you add your own description and choose a severity such as info, low, high, or critical.

  4. Integration with Spydertraces: Custom Red Flags may trigger and/or contribute to the score of a Spydertrace, just like Spyderbat's built-in detections do.

  5. Custom Flag Operations: You can create, delete, edit, disable, and enable Custom Flags, which gives you full control over the detection process and lets your detections evolve as your environment changes.
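As an added example (this is not Spyderbat's code and not SpyQL's actual grammar), the Python evaluator below shows how the pieces described in the SpyQL section and the feature list fit together: a query using the operators named above (=, ~=, ~~=, AND, OR, NOT) is parsed once when the flag is created, scoped to a schema, and checked against each record as it arrives with no time window, raising a redflag or opsflag with a severity, while a disabled flag stays silent. The field names (cluster-name, image), the record layout, the flag names, and the shell-wildcard reading of ~= are assumptions made for the example.

```python
# Added illustrative evaluator for Custom Flag-style queries; not Spyderbat code and not
# SpyQL's real grammar. A small boolean query language with the operators the page names
# (=, ~=, ~~=, AND, OR, NOT) is run over constructed records; field names, record layout
# and the shell-wildcard reading of ~= are assumptions.
import fnmatch
import re
from dataclasses import dataclass

TOKEN_RE = re.compile(r'\s*(?:(~~=|~=|=)|(AND|OR|NOT)\b|"([^"]*)"|([\w.\-]+))')
KINDS = ("OP", "KW", "STR", "WORD")  # one per capture group above

def tokenize(text):
    """Turn a query into (kind, value) tokens; raises if any character matches no rule."""
    matches = list(TOKEN_RE.finditer(text))
    if "".join(m.group(0) for m in matches) != text.rstrip():
        raise ValueError(f"bad query: {text!r}")
    return [(k, v) for m in matches for k, v in zip(KINDS, m.groups()) if v is not None]

class Parser:
    """Recursive descent over the token list; precedence NOT > AND > OR."""
    def __init__(self, tokens):
        self.t, self.i = tokens, 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def parse(self):
        node = self.binary("OR")
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens: {self.t[self.i:]}")
        return node
    def binary(self, kw):  # left-associative chain: OR over AND, AND over NOT
        operand = (lambda: self.binary("AND")) if kw == "OR" else self.unary
        node = operand()
        while self.peek() == ("KW", kw):
            self.take()
            node = (kw, node, operand())
        return node
    def unary(self):
        if self.peek() == ("KW", "NOT"):
            self.take()
            return ("NOT", self.unary())
        (kind, fld), (op_kind, op), (val_kind, want) = self.take(), self.take(), self.take()
        if kind != "WORD" or op_kind != "OP" or val_kind not in ("STR", "WORD"):
            raise ValueError(f"expected '<field> <op> <value>' near {fld!r}")
        return ("CMP", fld, op, want)

def evaluate(node, record):
    """Evaluate a parsed query against one flat record dict."""
    kind = node[0]
    if kind == "NOT":
        return not evaluate(node[1], record)
    if kind in ("AND", "OR"):
        left, right = (evaluate(n, record) for n in node[1:])
        return (left and right) if kind == "AND" else (left or right)
    _, fld, op, want = node
    if fld not in record:
        return False  # a field the record lacks never satisfies a comparison
    got = str(record[fld])
    if op == "=":
        return got == want
    if op == "~=":
        return fnmatch.fnmatchcase(got, want)  # assumed: shell-style wildcards
    return re.search(want, got) is not None  # ~~= : regular expression

@dataclass
class CustomFlag:
    name: str
    schema: str                  # object type the query targets, e.g. "Container"
    query: str
    flag_type: str = "redflag"   # "redflag" (security) or "opsflag" (DevOps)
    severity: str = "low"        # info, low, high or critical, as listed on the page
    enabled: bool = True         # a disabled flag is kept but never raised
    def __post_init__(self):
        if self.flag_type not in ("redflag", "opsflag") or self.severity not in ("info", "low", "high", "critical"):
            raise ValueError(f"invalid type or severity for flag {self.name!r}")
        self.ast = Parser(tokenize(self.query)).parse()  # reject bad syntax at creation time
    def matches(self, record):
        return self.enabled and record.get("schema") == self.schema and evaluate(self.ast, record)

def run_flags(flags, records):
    """Check each record as it arrives (no time window) and return the flags raised."""
    hits = []
    for rec in records:
        hits += [{"flag": f.name, "type": f.flag_type, "severity": f.severity,
                  "record": rec["id"]} for f in flags if f.matches(rec)]
    return hits

# Constructed sample records: the ids, fields and values are not real Spyderbat data.
SAMPLE_RECORDS = [
    {"id": "c1", "schema": "Container", "cluster-name": "integrationc2", "image": "nginx:1.25"},
    {"id": "c2", "schema": "Container", "cluster-name": "prod-east", "image": "busybox:latest"},
    {"id": "c3", "schema": "Container", "cluster-name": "integrationc2", "image": "busybox:latest"},
    {"id": "p1", "schema": "Process", "cluster-name": "integrationc2", "name": "nc"},
]
FLAGS = [
    CustomFlag("container-in-integrationc2", "Container", "cluster-name = integrationc2",
               flag_type="opsflag", severity="info"),
    CustomFlag("latest-tag-outside-integration", "Container",
               'image ~= "*:latest" AND NOT cluster-name ~~= "^integration"', severity="high"),
]
```

Calling run_flags(FLAGS, SAMPLE_RECORDS) returns three hits: an info-severity opsflag for containers c1 and c3, and a high-severity redflag for c2, whose :latest image runs outside an integration cluster. The Process record p1 is never evaluated because its schema does not match, which is the two-part (schema plus query) structure in action; a query with a syntax error is rejected when the flag is created rather than silently matching nothing.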

Getting Started

Currently, Custom Flags can only be managed with the Spyctl CLI. Management via the Console UI is coming soon.

To set up Custom Flags, follow the Spyctl CLI tutorial, How to Set Up Custom Flags Using Spyctl CLI.
