generated from coulomb/repo-seed
47 lines
1.3 KiB
Markdown
47 lines
1.3 KiB
Markdown
# Pattern: Runtime Threat Detection
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: Railiance platform, NetKingdom
|
|
Genesis family: Kubernetes and platform
|
|
|
|
## Problem
|
|
|
|
Admission controls and build checks do not detect every compromise that
|
|
appears after workloads are running.
|
|
|
|
## Context
|
|
|
|
Use this pattern for Kubernetes runtime events, process and network
|
|
signals, container behavior, privileged action monitoring, and incident
|
|
response triggers.
|
|
|
|
## Forces
|
|
|
|
- Runtime signals can be noisy.
|
|
- Detection must distinguish platform, tenant, human, service, and
|
|
agent activity.
|
|
- Alerts need enough context for response.
|
|
- Detection coverage should feed audit and incident workflows.
|
|
|
|
## Solution
|
|
|
|
Collect runtime process, network, Kubernetes, and workload signals,
|
|
classify them using a security event taxonomy, and route actionable
|
|
alerts into incident response and audit workflows.
|
|
|
|
## Verification
|
|
|
|
- Runtime detections include actor, workload, namespace, tenant, and
|
|
severity where available.
|
|
- Known suspicious events trigger alerts or findings.
|
|
- False positives are tuned without disabling critical coverage.
|
|
- Detection events link to incident runbooks.
|
|
|
|
## Related Patterns
|
|
|
|
- Security Event Taxonomy.
|
|
- Central Audit Ledger.
|
|
- Incident Runbook Library.
|
|
- Kill Switch / Tenant Freeze.
|