Indicates that an allowed process has been used in ways that are inconsistent with its expected behavior.
This type of incident could be a sign that a process has been used to compromise a container.
Indicates the unauthorized transfer of data from one system to another.
These incidents are triggered when a pattern of audits indicate attempts to move data to an external location.
For example: High rate of DNS query events, reporting aggregation started in a container, DNS resolution of suspicious name (www.<WEBSITE_NAME>.com).
Indicates attempts to abuse a provider’s service to extract sensitive information.
For example: Container A queried provider API at <IP_ADDRESS>.