Security Center Enterprise supports threat detection on Kubernetes containers. This feature checks the security status of running container clusters and detects security threats and attacks in the container clusters. This topic describes how to enable threat detection on Kubernetes containers for your servers. It also describes the container threats that can be detected in Security Center.


Security Center Ultimate is purchased, or Security Center is upgraded to the Ultimate edition. For more information, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Background information

After you enable threat detection on Kubernetes containers, Security Center automatically detects threats that trigger alerts of the K8s Abnormal Behavior type. You do not need to perform other operations. For more information about the threats that can be detected by Security Center, see Threats that can be detected.

Enable threat detection on Kubernetes containers

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the K8s Threat Detection section, turn on Threat Detection.
    After you enable threat detection on Kubernetes containers, you can view the alerts that are triggered by the risks detected in Kubernetes container clusters on the Alerts page. We recommend that you check and handle these alerts at the earliest opportunity. For more information, see View and handle alert events.

Threats that can be detected

Type Item
K8s abnormal behavior Suspicious instruction run on a Kubernetes API server
Mounting of suspicious directories to a pod
Lateral movement among Kubernetes service accounts
Startup of a pod that contains a malicious image
Unusual network connection Outbound connection of reverse shells
Suspicious outbound network connection
Suspicious lateral movement in internal networks
Malicious process DDoS trojan
Suspicious connection from mining machines
Suspicious program
Suspicious tool initiating brute-force attacks on ports
Suspicious attack program
Backdoor program
Malicious vulnerability detection tool
Malicious program
Mining program
Self-mutating trojan
Webshell Webshell
Suspicious process Suspicious command run by Apache CouchDB
Suspicious command run by FTP applications
Suspicious command run by Hadoop
Suspicious command run by Java applications
Suspicious command run by Jenkins
Suspicious account creation in Linux
Suspicious command run by scheduled tasks in Linux
Suspicious command run by MySQL
Suspicious command run by Oracle
Suspicious command run by PostgreSQL applications
Suspicious command run by Python applications
Suspicious execution of non-interactive SSH commands that contain only one line targeting remote machines
Webshell running suspicious probe commands
Modification of the RDP configuration in Windows
Suspicious execution of download commands in Windows
Suspicious account creation in Windows
Malicious code injection in crontab jobs
Suspicious command sequence in Linux
Execution of suspicious commands in Linux
Dynamic injection of suspicious scripts
Reverse shell
Reverse shell command
Potential data breach by using HTTP tunnels
Suspicious SSH tunneling
Suspicious webshell injection
Suspicious starting of a privileged container
Suspicious port listening
Malicious container startup
Remote API debugging in Docker that may pose security risks
Suspicious command
Privilege escalation in containers or container escapes
Malicious container startup