Back to catalog

Unauthorized Network Flow

No violationsstackroxhighruntime

This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.

Rationale
The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.
Remediation
Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.
CategoriesAnomalous ActivityZero Trust
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 10.1
ISO/IEC 27001 2022
A.8.16
NIST SP 800-53 rev. 5
SI-4
PCI DSS 4.0
5.3.27.2.1
SOC 2 2017 TSC
CC6.1CC7.2

Generated artifacts

1 of 5 targets supported
unauthorized-network-flow.yaml
- rule: unauthorized-network-flow
  desc: This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.
  condition: (evt.type=connect or evt.type=accept) and not fd.sip in (known_endpoints)
  output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Unauthorized Network Flow)
  priority: ERROR
  source: syscall
  tags:
    - stackrox-import
    - policy
    - z
IR (canonical)
{
  "id": "1b74ffdd-8e67-444c-9814-1c23863c8ccb",
  "name": "Unauthorized Network Flow",
  "description": "This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.",
  "rationale": "The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.",
  "remediation": "Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.",
  "severity": "high",
  "categories": [
    "Anomalous Activity",
    "Zero Trust"
  ],
  "lifecycle": [
    "runtime"
  ],
  "eventSource": "deployment",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "unexpected-network-flow-detected",
    "values": [
      "true"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "1b74ffdd-8e67-444c-9814-1c23863c8ccb",
  "name": "Unauthorized Network Flow",
  "description": "This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.",
  "rationale": "The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.",
  "remediation": "Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.",
  "disabled": false,
  "categories": [
    "Anomalous Activity",
    "Zero Trust"
  ],
  "lifecycleStages": [
    "RUNTIME"
  ],
  "eventSource": "DEPLOYMENT_EVENT",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Unauthorized Network Flow",
      "policyGroups": [
        {
          "fieldName": "Unexpected Network Flow Detected",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}