Viewing Container Based Events

With FIM, you receive real-time updates about the anomalous activities it detects. These updates (events) carry detailed information about every aspect of a change within your monitored area: who made the change, what action was taken, when it happened, and which locations were affected. Note that events can be either anticipated and approved, or unforeseen and malicious.

FIM is also integrated with the Qualys Container Security application to monitor events in containers. The Container Security application's event attributes are mapped to FIM event attributes. The Qualys Container Runtime Sensor (CRS) tracks the file events happening in your containers, which are hosted on a cluster.

FIM on containers and FIM on network devices are requirements of PCI DSS 4.0. Container based FIM is available on demand; contact your Technical Account Manager (TAM) to activate this feature.

Qualys Container Security (CS) has a policy for Qualys FIM. This policy is based on the Qualys FIM out-of-the-box (OOTB) library profiles Lightweight Monitoring Profile for Linux and Linux Monitoring Profile for PCI DSS.

When a user performs an operation such as a delete, content edit, or rename on an image path listed in the policy, an event is generated. The FIM event service consumes this information and displays it in the FIM UI, together with the key details of the content event.

Prerequisites

An account with Container Security v1.34 or later, along with a licensed or trial version of FIM.

To monitor container based events, begin with the configuration in the Container Security application. For more information on installing a runtime sensor on a container, refer to the Container Runtime Sensor Online Help.

Viewing Events

You can view FIM events detected by different sources, such as:

  • Container Based
    Events originating from dynamic container environments. The Qualys Cloud Platform stores any activity on the monitored locations in the containers for 13 months, even though the containers are short-lived.
  • Host Based
    Events originating from hosts equipped with the Qualys Cloud Agent.
  • Scan Based
    Events originating from network devices, which send events at regular scan intervals.

You can sort and view the list of container based events on the All Events tab, Event Review tab, Ignored tab, and Incidents Details page.

Viewing Container based events.

Viewing Event Details

You can view details by clicking Event Details in the Quick Actions menu for the selected event. The resulting View Details page provides complete information about the FIM event.

You can view the following details:

  • Event Alert: What has changed, Category, User details, success status, and so on
  • Triggers: Monitoring Profile, Section, and Rules
  • View asset details: View details of the container in the Container Security application
  • Identification: Sensor UUID
  • Container Information: SHA for the container, Image Name, Node Name, Name Space

For more information on Events, refer to the Events section.

You can view the list of containers by navigating to the Container Security application > Assets tab > Containers.

Related Topics

Events, Incidents, and Rules

Automatic Incident Creation for Malicious Events