Use network baselining

Identify and address abnormal network activity.

In the StackRox Kubernetes Security Platform, you can minimize your risks by using network baselining. It’s a proactive approach to keep your infrastructure secure. The StackRox Kubernetes Security Platform first discovers existing network flows and creates a baseline, and then it treats network flows outside of this baseline as anomalous.

  • To use the Network baseline feature, you must use the StackRox Kubernetes Security Platform version 3.0.54 or newer.
  • To enable Alerts on baseline violations, you must use the StackRox Kubernetes Security Platform version 3.0.56 or newer.

Network baselines

When you install the StackRox Kubernetes Security Platform, there is no default network baseline. As the StackRox Kubernetes Security Platform discovers network flows, it creates a baseline and then it adds all discovered network flows to it.

  • When the StackRox Kubernetes Security Platform discovers new network activity, it adds that network flow to the network baseline.
  • Network flows don’t show up as anomalous flows and don’t trigger any violations.

After the discovery phase:

  • The StackRox Kubernetes Security Platform stops adding network flows to the network baselines.
  • New network flows (which aren’t in the network baseline) show up as anomalous flows but they don’t trigger any violations.

View network baselines

To view the network baseline for a deployment:

  1. On the Network Graph view, select a deployment.

  2. The Network Flows details panel shows both anomalous and baseline flows. From this panel, you can:

    • mark network flows from the baseline as anomalous by selecting Mark as Anomalous, or
    • add network flows to baseline from the anomalous flows by selecting Add to Baseline.

Alert on baseline violations

You need the StackRox Kubernetes Security Platform version 3.0.56 or newer to enable alerts on baseline violations.

To receive violations for anomalous network flows:

  1. On the Network Graph view, select a deployment.
  2. In the network flow details panel, select Baseline Settings.
  3. Turn on the Alert on baseline violations toggle.

Once you turn on the Alert on baseline violations toggle, anomalous network flows trigger violations.

Turn off the Alert on baseline violations toggle to stop receiving violations for anomalous network flows.
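The following is an added example, not StackRox code, that models the lifecycle described in the Network baselines and Alert on baseline violations sections above: flows seen during discovery are learned, later flows outside the baseline are anomalous, the alert toggle turns anomalous flows into violations, and Mark as Anomalous / Add to Baseline move flows between the two sets. Deployment names, ports and the flow key are constructed for illustration.

```python
from dataclasses import dataclass, field

# A flow is keyed by (source deployment, destination deployment, port, protocol).
# Constructed model of the behaviour described above; not StackRox's own code.


@dataclass
class DeploymentBaseline:
    deployment: str
    discovery_open: bool = True        # True while flows are still being learned
    alert_on_violations: bool = False  # the "Alert on baseline violations" toggle
    baseline: set = field(default_factory=set)
    anomalous: set = field(default_factory=set)

    def observe(self, flow: tuple) -> str:
        """Classify one observed flow: 'baseline', 'anomalous' or 'violation'."""
        if flow in self.baseline:
            return "baseline"
        if self.discovery_open:            # discovery phase: learn, never alert
            self.baseline.add(flow)
            return "baseline"
        self.anomalous.add(flow)           # outside the baseline after discovery
        return "violation" if self.alert_on_violations else "anomalous"

    def end_discovery(self) -> None:
        self.discovery_open = False

    def mark_as_anomalous(self, flow: tuple) -> None:  # analyst: Mark as Anomalous
        self.baseline.discard(flow)
        self.anomalous.add(flow)

    def add_to_baseline(self, flow: tuple) -> None:    # analyst: Add to Baseline
        self.anomalous.discard(flow)
        self.baseline.add(flow)


def walk_through() -> list:
    """Replay constructed flows for a 'payments' deployment through each phase."""
    b = DeploymentBaseline("payments")
    web = ("frontend", "payments", 8443, "TCP")
    db = ("payments", "postgres", 5432, "TCP")
    ssh = ("debug-pod", "payments", 22, "TCP")      # constructed unexpected flow
    seen = [b.observe(web), b.observe(db)]          # learned into the baseline
    b.end_discovery()
    seen += [b.observe(web), b.observe(ssh)]        # ssh is anomalous, no alert yet
    b.alert_on_violations = True
    seen.append(b.observe(ssh))                     # now a violation
    b.add_to_baseline(ssh)                          # analyst accepts it
    seen.append(b.observe(ssh))                     # back to baseline
    b.mark_as_anomalous(db)
    seen.append(b.observe(db))                      # violation while toggle is on
    return seen
```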


© 2021 StackRox Inc. All rights reserved.