Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-runtime-threat-detection.md

47 lines
1.3 KiB
Markdown

# Pattern: Runtime Threat Detection
Status: seed
Readiness target: RL3 production
Primary owners: Railiance platform, NetKingdom
Genesis family: Kubernetes and platform
## Problem
Admission controls and build checks do not detect every compromise that
appears after workloads are running.
## Context
Use this pattern for Kubernetes runtime events, process and network
signals, container behavior, privileged action monitoring, and incident
response triggers.
## Forces
- Runtime signals can be noisy.
- Detection must distinguish platform, tenant, human, service, and
agent activity.
- Alerts need enough context for response.
- Detection coverage should feed audit and incident workflows.
## Solution
Collect runtime process, network, Kubernetes, and workload signals,
classify them using a security event taxonomy, and route actionable
alerts into incident response and audit workflows.
## Verification
- Runtime detections include actor, workload, namespace, tenant, and
severity where available.
- Known suspicious events trigger alerts or findings.
- False positives are tuned without disabling critical coverage.
- Detection events link to incident runbooks.
## Related Patterns
- Security Event Taxonomy.
- Central Audit Ledger.
- Incident Runbook Library.
- Kill Switch / Tenant Freeze.