Response Actions

Spyderbat’s Policy Response Actions provide a powerful mechanism for responding to security events and deviations within your environment. These actions allow you to automate responses, enforce security policies, and maintain operational integrity. Response actions fall into two main categories: Agent and Standard.

Categories of Response Actions

  1. Agent Response Actions:

    • Purpose: These actions are executed directly on machines where the Spyderbat Nano Agent is installed.

    • Targeted Scope: They allow for machine-specific responses.

    • Examples:

      • Kill a process.

      • Kill a pod.

  2. Standard Response Actions:

    • Purpose: These actions generate security and operations flags.

    • Insights: They provide visibility into policy violations or anomalies. They serve as alerts that can be further processed by other systems or personnel.

    • Examples:

      • Creating red flags (security focused; can trigger Spydertraces).

      • Creating operations flags (operations focused; highlight potential problems with infrastructure).

Actions

Response actions are defined in the response section of a policy's spec field.

For example:

apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  name: demo-cluster-policy
  type: cluster
spec:
  enabled: true
  mode: audit
  clusterSelector:
    matchFields:
      name: demo-cluster
  rulesets:
  - demo-cluster_ruleset
  response:
    default:
    - makeRedFlag:
        severity: high
    actions:
    - agentKillProcess:
        processSelector:
          matchFields:
            exe: /bin/bash

  • The default section contains global actions that apply to the entire policy. Whenever a deviation occurs, default actions are taken if applicable.

  • The actions section allows you to define more specific actions with selectors that narrow the scope of when the action should be executed.

makeRedFlag Action

This action makes a security flag. The ultimate consumers of these flags are security personnel investigating an anomaly. Red flags can trigger Spydertraces and/or be used to trigger notifications.

Supported Selectors

  • Cluster

  • Machine

  • Namespace

  • Pod

  • Container

  • Service

Fields

  • severity: The priority level of the red flag. Can be critical, high, medium, low, or info.

  • impact: [Optional] A string describing the security impact should the flag be generated.

  • content: [Optional] A string containing markdown that can detail next steps or who to contact.

Example:

response:
    default:
    - makeRedFlag:
        severity: high
    actions:
    - makeRedFlag:
        namespaceSelector:
          kubernetes.io/metadata.name: production
        severity: critical
        impact: Unexpected activity on this critical workload could be malicious and should be investigated immediately.
        content: |
          ### Remediation
          1. Contact developer
          2. Confirm if activity is expected or not
          3. If not, conduct investigation

makeOpsFlag Action

This action makes an operations flag. The ultimate consumers of these flags are operations personnel responsible for maintaining infrastructure.

Supported Selectors

  • Cluster

  • Machine

  • Namespace

  • Pod

  • Container

  • Service

Fields

  • severity: The priority level of the operations flag. Can be critical, high, medium, low, or info.

  • impact: [Optional] A string describing the operations impact should the flag be generated.

  • content: [Optional] A string containing markdown that can detail next steps or who to contact.

Example:

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - makeOpsFlag:
        namespaceSelector:
          kubernetes.io/metadata.name: production
        severity: critical
        impact: This workload appears to be behaving abnormally, operations should investigate.
        content: |
          ### Remediation
          1. Confirm configuration
          2. Deploy fix

agentKillPod Action

This action tells the Spyderbat Nano Agent to kill the pod in which a deviant process is running.

Supported Selectors

  • Cluster

  • Machine

  • Namespace

  • Pod

  • Container

Examples:

Kill pods running deviant netcat processes.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillPod:
        processSelector:
          matchFields:
            name: nc

Kill all pods with deviations.

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillPod:
    actions: []

agentKillProcess Action

This action tells the Spyderbat Nano Agent to kill a deviant process.

Supported Selectors

  • Cluster

  • Machine

  • Namespace

  • Pod

  • Container

  • Service

Examples:

Kill deviant processes running the /bin/bash executable.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillProcess:
        processSelector:
          matchFields:
            exe: /bin/bash

Kill all deviant processes.

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillProcess:
    actions: []

agentKillProcessGroup Action

This action kills a process and any other processes within the same process group (pgid).

Supported Selectors

  • Cluster

  • Machine

  • Namespace

  • Pod

  • Container

  • Service

Examples:

Kill the process group of deviant processes running the /bin/bash executable.

response:
    default:
    - makeOpsFlag:
        severity: high
    actions:
    - agentKillProcessGroup:
        processSelector:
          matchFields:
            exe: /bin/bash

Kill all deviant processes and their associated groups.

response:
    default:
    - makeOpsFlag:
        severity: high
    - agentKillProcessGroup:
    actions: []
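As an added example (not Spyderbat's own tooling), the following Python linter checks a policy's response section against the constraints stated on this page: the five severity levels, the selectors each action supports, and the default versus actions layout. The policy is embedded as the dict that yaml.safe_load would return for the YAML form; selector key names not shown on this page (machineSelector, podSelector, containerSelector, serviceSelector) are assumed to follow the pattern of clusterSelector, namespaceSelector and processSelector.

```python
# Added example, not Spyderbat's tooling: lint the `response` section of a SpyderbatPolicy.
from typing import Any, Dict, List

SEVERITIES = {"critical", "high", "medium", "low", "info"}
STANDARD_ACTIONS = {"makeRedFlag", "makeOpsFlag"}
AGENT_ACTIONS = {"agentKillProcess", "agentKillProcessGroup", "agentKillPod"}
# Selector kinds documented per action; "process" is included for the agent
# actions because the page's own examples use processSelector on them.
SUPPORTED_SELECTORS = {
    "makeRedFlag": {"cluster", "machine", "namespace", "pod", "container", "service"},
    "makeOpsFlag": {"cluster", "machine", "namespace", "pod", "container", "service"},
    "agentKillPod": {"cluster", "machine", "namespace", "pod", "container", "process"},
    "agentKillProcess": {"cluster", "machine", "namespace", "pod", "container", "service", "process"},
    "agentKillProcessGroup": {"cluster", "machine", "namespace", "pod", "container", "service", "process"},
}


def lint_response(response: Dict[str, Any]) -> List[str]:
    """Return one finding per problem; an empty list means the section is clean."""
    findings: List[str] = []
    for section in ("default", "actions"):
        for entry in response.get(section) or []:
            for name, body in entry.items():
                body = body or {}  # `- agentKillPod:` with no fields parses as None
                if name not in SUPPORTED_SELECTORS:
                    findings.append(f"{section}: unknown action {name!r}")
                    continue
                if name in STANDARD_ACTIONS and body.get("severity") not in SEVERITIES:
                    findings.append(f"{section}/{name}: severity must be one of {sorted(SEVERITIES)}")
                selectors = [k for k in body if k.endswith("Selector")]
                for key in selectors:
                    kind = key[: -len("Selector")]
                    if kind not in SUPPORTED_SELECTORS[name]:
                        findings.append(f"{section}/{name}: {key} is not supported by this action")
                # Blast-radius warning: a kill action with no selector fires on every deviation.
                if name in AGENT_ACTIONS and not selectors:
                    findings.append(f"{section}/{name}: no selector, so it acts on every deviation")
    return findings


# Constructed sample: one valid default, one unsupported selector, one bad severity.
SAMPLE_RESPONSE = {
    "default": [{"makeRedFlag": {"severity": "high"}}],
    "actions": [
        {"agentKillPod": {"serviceSelector": {"matchFields": {"name": "web"}}}},
        {"makeOpsFlag": {"severity": "urgent", "namespaceSelector": {"kubernetes.io/metadata.name": "production"}}},
    ],
}
```

Running lint_response(SAMPLE_RESPONSE) reports the serviceSelector on agentKillPod and the invalid severity; the page's "kill all deviant processes" layout passes but is called out for its unbounded scope.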

  • Selectors - Reference documentation on the various selector types.

  • Policies - The policies that use response actions.
