Custom Flags

What are Custom Flags?

Custom Flags in Spyderbat are a powerful feature that enable users to create tailored detection rules to monitor activities or behaviors specific to their environment.

Custom Flags are designed to address unique needs that Spyderbat's built-in detections may not cover and may be specific to your organization's requirements.

Leveraging the Spyderbat Query Language (SpyQL)

Spyderbat allows you to write Custom Flags using the Spyderbat Query Language (SpyQL). SpyQL enables you to craft precise queries that define the conditions for your Custom Flags.

SpyQL supports complex queries that allow you to combine multiple conditions, use various logical operators (AND, OR, NOT), and apply patterns with matches pattern (~=) and regular expressions with Regex using ~~= operator, equality operator =, etc.

SpyQL is used for Historical Search in Console and for Custom Flags. The queries are composed of two parts, the schema or object type you are looking for and the query itself. In Historical Search you must also specify a time window, however Custom Flags operate in real-time so that section is not supported. The SpyQL query below is from Historical Search and is querying for any Container where the cluster-name field matches the value integrationc2 using the equality operator (=):

You can use Historical Search in the UI to test your Custom Flag queries.

Custom Flags Key Features:

1. Real-Time Monitoring: Once set up, Custom flags operate in real-time, triggering immediate flags when a record matches the SpyQL query.

2. Flexibility: You can define flags that range from broad conditions e.g., anytime a new StatefulSet is created to highly specific scenarios, e.g., a serviceaccount with cluster-admin role created in a particular namespace by a particular user.

3. Red Flag vs Ops Flag: You can choose between a Custom Red Flag (Security) or a Custom Ops Flag (Devops) based on your detection needs.

   • Redflag: Indicates a security issue or potential malicious activity.

   • Opsflag: Highlights operational or configuration issues that may need attention.

   Custom flags also allow you to add your own description and select severity options such as low, high, critical, or info.

4. Integration with Spydertraces: Custom Red Flags may trigger and/or contribute to the score of a Spydertrace just like the built-in Spyderbat detections do.

5. Custom Flag Operations: The ability to create, delete, edit, disable, and enable custom flags further enhances your control over managing the detection process, and gives the ability to evolve as required.

Getting Started

Currently, Custom Flags are only manageable using the Spyctl CLI. Management via the Console UI is coming soon.

Follow the Spyctl CLI tutorial for setting up Custom Flags here.