Remote/API-driven creation and start of a container whose image is not on an allow-list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). Correlates create ➜ start ➜ first network/process actions from that container within a short time window.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | docker:daemon | container_create,container_start |
| Container Start (DC0077) | containerd:runtime | CRI CreateContainer/StartContainer with privileged=true OR added capabilities OR host* namespaces |
| Process Creation (DC0032) | ebpf:syscalls | process execution or network connect from just-created container PID namespace |
| Network Traffic Content (DC0085) | docker:events | remote API calls to /containers/create or /containers/{id}/start |

| Field | Description |
|---|---|
| known_images | Environment-specific allow-list of approved images (with digests). |
| known_admins | Service accounts or CI/CD users permitted to deploy containers. |
| TimeWindow | Max time between create, start, and first activity to consider events causally linked (default 5m). |
| RiskThreshold | Minimum number of risky attributes (e.g., unknown image + privileged) to alert. |
| PrivilegedFlags | Set of runtime flags considered high risk (e.g., --privileged, --cap-add=SYS_ADMIN, hostPID, hostNetwork, /var/run/docker.sock mount). |
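As an added example (not part of this detection page), a minimal Python correlator that applies the tunables above to constructed docker/eBPF-style events: the event field names (ts, event, container_id, principal, image, flags) and the flag spellings are assumptions of this example, not a real daemon schema.

```python
from datetime import datetime, timedelta
# Tunables mirroring the fields above; all values are constructed for this example.
KNOWN_IMAGES = {"registry.example/app@sha256:0123abcd"}  # digest-pinned allow-list
KNOWN_ADMINS = {"ci-deployer"}                           # principals allowed to deploy
TIME_WINDOW = timedelta(minutes=5)                       # create -> start -> activity window
RISK_THRESHOLD = 2                                       # risky attributes needed to alert
PRIVILEGED_FLAGS = {"privileged", "cap_add:SYS_ADMIN", "host_pid", "host_network", "mount:/var/run/docker.sock"}

def risky_attributes(ev):
    """Score one container_create event: which high-risk attributes does it carry?"""
    risks = set()
    image = ev.get("image", "")
    if image not in KNOWN_IMAGES:
        risks.add("unknown_image")
    if image.endswith(":latest"):
        risks.add("latest_tag")
    if ev.get("principal") not in KNOWN_ADMINS:
        risks.add("non_admin_principal")
    risks |= PRIVILEGED_FLAGS & set(ev.get("flags", []))
    return risks

def correlate(events):
    """Link create -> start -> first activity per container id within TIME_WINDOW; alert on risky ones."""
    state, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        cid, ts = ev["container_id"], datetime.fromisoformat(ev["ts"])
        if ev["event"] == "container_create":
            state[cid] = {"create": ts, "risks": risky_attributes(ev)}
            continue
        s = state.get(cid)
        if s is None or ts - s["create"] > TIME_WINDOW:
            continue  # no linked create, or too late to be causally related
        if ev["event"] == "container_start":
            s["start"] = ts
        elif ev["event"] in ("process_exec", "network_connect") and "start" in s and "first" not in s:
            s["first"] = ev["event"]  # only the first activity after start is correlated
            if len(s["risks"]) >= RISK_THRESHOLD:
                alerts.append({"container_id": cid, "risks": sorted(s["risks"]), "first_activity": ev["event"]})
    return alerts

SAMPLE_EVENTS = [  # constructed docker:daemon create/start plus ebpf activity events, not real telemetry
    {"ts": "2024-05-01T10:00:00", "event": "container_create", "container_id": "aaa111", "principal": "ci-deployer", "image": "registry.example/app@sha256:0123abcd", "flags": []},
    {"ts": "2024-05-01T10:00:02", "event": "container_start", "container_id": "aaa111"},
    {"ts": "2024-05-01T10:00:05", "event": "process_exec", "container_id": "aaa111"},
    {"ts": "2024-05-01T10:10:00", "event": "container_create", "container_id": "bbb222", "principal": "jdoe", "image": "alpine:latest", "flags": ["privileged", "mount:/var/run/docker.sock"]},
    {"ts": "2024-05-01T10:10:01", "event": "container_start", "container_id": "bbb222"},
    {"ts": "2024-05-01T10:10:30", "event": "network_connect", "container_id": "bbb222"},
    {"ts": "2024-05-01T10:30:00", "event": "network_connect", "container_id": "bbb222"},  # outside window, ignored
]
```

Running correlate(SAMPLE_EVENTS) yields one alert for bbb222 (five risky attributes, first activity a network connect) and nothing for the digest-pinned, admin-deployed aaa111.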