Spydertraces

A Spydertrace is a causally connected record of system activity. This page explains how traces are triggered, scored, and reviewed by analysts.

A Spydertrace is a record of causally connected activity on a system. When Spyderbat detects a noteworthy behavior, it captures not just that event but everything causally linked to it: the process ancestry chain, subsequent child processes, network connections, and the container or host context. The result is a self-contained record of what happened and how, which analysts can investigate to determine whether the activity is a threat, benign, or a false positive.

How Spydertraces are triggered

Spydertraces start with a red flag — a behavioral indicator detected by Spyderbat's built-in detections. Red flags are observations, not verdicts: they indicate that something worth examining occurred, not that it was necessarily malicious. The red flag that starts the trace is called the trigger. As activity continues within the same causal chain, additional red flags may fire and get absorbed into the same trace.

Custom flags behave the same way. A user-defined detection rule can trigger a new trace or contribute to the score of one already in progress, depending on whether the flagged activity is causally connected to existing trace activity.

Scoring

Each trace carries a numeric score reflecting how many flags it contains and how severe they are. The score increases as additional red flags join the trace. Severity levels for individual red flags are: info, low, medium, high, and critical. Info-level flags don't contribute to traces.

The score is capped based on the highest severity flag present:

Highest flag severity    Score cap
Critical                 None
High                     65
Medium or Low            45

Info-level flags don't contribute to traces and are not included above.

The console uses score to indicate triage priority:

Score    Priority    Console color
≥ 66     Critical    Red
≥ 33     High        Orange
< 33     Low

One factor can push a score above these caps: if the trace involved an interactive session running under a privileged account (root, admin, SYSTEM, or administrator), the trace gets an additional 25 points and the score cap is lifted entirely regardless of flag severity.
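The scoring rules above, worked through as an added example (not Spyderbat's own code). The per-severity point values in FLAG_POINTS are an assumption made for illustration, since the page does not state how much each flag adds; the caps, the priority thresholds, the privileged-session bonus and the zero score of a suppressed trace follow the page.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# ASSUMPTION: points each flag contributes; the page gives no per-flag values.
FLAG_POINTS = {"info": 0, "low": 10, "medium": 20, "high": 35, "critical": 50}

# Score cap by highest-severity flag present (None = uncapped).
SCORE_CAP = {"critical": None, "high": 65, "medium": 45, "low": 45}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
PRIVILEGED_ACCOUNTS = {"root", "admin", "system", "administrator"}
PRIVILEGED_BONUS = 25


@dataclass
class Trace:
    flags: List[str] = field(default_factory=list)   # severities of contributing flags
    interactive_session_user: Optional[str] = None    # account of an interactive session, if any
    suppressed: bool = False

    def add_flag(self, severity: str) -> None:
        # Info-level flags are observations only and never join the score.
        if severity != "info":
            self.flags.append(severity)


def trace_score(trace: Trace) -> int:
    # Suppression sets the score to zero; a trace with no scoring flags is also zero.
    if trace.suppressed or not trace.flags:
        return 0
    raw = sum(FLAG_POINTS[s] for s in trace.flags)
    user = (trace.interactive_session_user or "").lower()
    if user in PRIVILEGED_ACCOUNTS:
        # Interactive session under a privileged account: +25 and the cap is lifted.
        return raw + PRIVILEGED_BONUS
    highest = max(trace.flags, key=SEVERITY_RANK.__getitem__)
    cap = SCORE_CAP[highest]
    return raw if cap is None else min(raw, cap)


def priority(score: int) -> str:
    # Console triage buckets from the score table above.
    if score >= 66:
        return "Critical"
    if score >= 33:
        return "High"
    return "Low"
```

Note that with these caps a trace holding only high-severity flags tops out at 65, so it cannot reach the Critical bucket unless a privileged interactive session lifts the cap.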

Trace lifecycle

A trace is active while activity is ongoing. Once the associated activity ends, the trace moves to closed.

Each trace records:

  • The full process ancestry chain leading to the triggering event

  • The triggering flag and all contributing red flags

  • Network connections made during the activity

  • Container context (name, image, cluster, namespace) when applicable, or host context for non-containerized workloads

Working with Spydertraces

Traces appear in the Spyderbat dashboard and can be queried from the Search page. From Search results, select one or more traces and open them in the Investigations view for causal analysis — see Investigations.

To get alerted when new traces match criteria you care about (e.g. score above a threshold, specific flag classes), save a search targeting Spydertraces and attach a notification to it. See Notifications.

Traces can be suppressed to reduce noise from known-safe activity. Suppression sets the score to zero and prevents future traces matching the same pattern from appearing. See Suppression & Tuning.
