Viewing Container Based Events
With FIM, you receive real-time updates about anomalous activities that are detected. These updates (events) are sent with detailed information covering all aspects of the changes happening within your monitored area, including the specifics of the individuals involved, the actions taken, the timing, and the locations affected. It is important to note that events can be either anticipated and approved, or unforeseen and malicious.
FIM is also integrated with the Qualys Container Security application to monitor events in containers. Container Security event attributes are mapped to FIM event attributes. The Qualys Container Runtime Sensor (CRS) tracks the file events happening in your containers, which are hosted on a cluster.
FIM on containers and FIM on network devices are requirements of PCI DSS 4.0. Container based FIM is available on demand. Contact your Technical Account Manager (TAM) to activate this feature.
Qualys Container Security (CS) provides a policy for Qualys FIM. This policy is based on the Qualys FIM out-of-the-box (OOTB) library profiles Lightweight Monitoring Profile for Linux and Linux Monitoring Profile for PCI DSS.
When a user performs an operation such as delete, content edit, or rename on an image path listed in the policy, an event is generated. The FIM event service consumes this information and displays it in the FIM UI, together with the important details of the content event.
Prerequisites
An account with Container Security v1.34 or later, along with a licensed or trial version of FIM.
To monitor container based events, begin with the configuration in the Container Security application. For more information on installing a runtime sensor on a container, refer to the Container Runtime Sensor Online Help.
Viewing Events
You can view FIM events detected by different sources such as:
- Container Based: Events originating from dynamic container environments. The Qualys Cloud Platform stores any activity on the monitored locations in the containers for 13 months, even though the containers are short-lived.
- Host Based: Events originating from hosts equipped with the Qualys Cloud Agent.
- Scan Based: Events originating from network devices, which send events at regular scan intervals.
You can sort and view the list of container based events on the All Events tab, Event Review tab, Ignored tab, and Incidents Details page.
Viewing Event Details
You can view details by clicking Event Details in the Quick Actions menu for the selected event. The View Details page provides complete information about the FIM event.
You can view the following details.
Event Alert: What has changed, Category, User details, success status, and so on
Triggers: Monitoring Profile, Section and Rules
View asset details: View details of the container in the Container Security application
Identification: Sensor UUID
Container Information: SHA for the container, Image Name, Node Name, Name Space
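The attributes listed above are what an analyst works from when deciding whether a container event was anticipated and approved or unforeseen. The following Python script is an added example (not Qualys code) that triages constructed container FIM events carrying those attributes against a constructed list of approved change records, and indexes the events by container SHA so that activity from a container that has already exited stays attributable to its image, node and namespace. The field names and the approved-change format are assumptions for the example, not the Qualys export format.

```python
"""Triage of container-based FIM events (added example, not Qualys code)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events; field names are assumptions for this example.
EVENTS = [
    {"action": "Content", "path": "/etc/passwd", "user": "root",
     "time": "2024-05-01T10:02:00Z", "rule": "Linux Monitoring Profile for PCI DSS",
     "container_sha": "sha256:aaa111", "image": "app:1.4", "node": "node-1",
     "namespace": "prod"},
    {"action": "Delete", "path": "/etc/ssh/sshd_config", "user": "deploy",
     "time": "2024-05-01T10:05:00Z", "rule": "Lightweight Monitoring Profile for Linux",
     "container_sha": "sha256:aaa111", "image": "app:1.4", "node": "node-1",
     "namespace": "prod"},
    {"action": "Rename", "path": "/etc/hosts", "user": "deploy",
     "time": "2024-05-01T11:30:00Z", "rule": "Lightweight Monitoring Profile for Linux",
     "container_sha": "sha256:bbb222", "image": "app:1.5", "node": "node-2",
     "namespace": "staging"},
]

# Constructed approved-change records: which user may change which namespace, and when.
APPROVED = [
    {"user": "deploy", "namespace": "prod",
     "start": "2024-05-01T10:00:00Z", "end": "2024-05-01T10:30:00Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_anticipated(event, approved=APPROVED):
    """True only if an approved record covers the event's user, namespace and time."""
    t = _ts(event["time"])
    return any(a["user"] == event["user"] and a["namespace"] == event["namespace"]
               and _ts(a["start"]) <= t <= _ts(a["end"]) for a in approved)

def triage(events, approved=APPROVED):
    """Split events into anticipated and needs-review lists, and index every
    event by container SHA so short-lived containers remain attributable."""
    anticipated, review = [], []
    by_container = defaultdict(list)
    for ev in events:
        (anticipated if is_anticipated(ev, approved) else review).append(ev)
        by_container[ev["container_sha"]].append(ev)
    return anticipated, review, dict(by_container)

if __name__ == "__main__":
    _, todo, _ = triage(EVENTS)
    for ev in todo:
        print(f"REVIEW {ev['action']} {ev['path']} by {ev['user']} in "
              f"{ev['namespace']}/{ev['image']} ({ev['container_sha']}) rule={ev['rule']}")
```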
For more information on Events, refer to the Events section.
You can view the list of containers by navigating to the Container Security application > Assets tab > Containers.
Related Topics
Automatic Incident Creation for Malicious Events