Unauthorized Network Flow
No violationsstackroxhighruntimeThis policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.
- Rationale
- The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.
- Remediation
- Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.
CategoriesAnomalous ActivityZero Trust
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 10.1
- ISO/IEC 27001 2022
- A.8.16
- NIST SP 800-53 rev. 5
- SI-4
- PCI DSS 4.0
- 5.3.27.2.1
- SOC 2 2017 TSC
- CC6.1CC7.2
Generated artifacts
1 of 5 targets supportedunauthorized-network-flow.yaml
- rule: unauthorized-network-flow
desc: This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.
condition: (evt.type=connect or evt.type=accept) and not fd.sip in (known_endpoints)
output: Process %proc.name executed by user %user.name (uid=%user.uid) in container %container.id image=%container.image.repository (policy=Unauthorized Network Flow)
priority: ERROR
source: syscall
tags:
- stackrox-import
- policy
- z
IR (canonical)
{
"id": "1b74ffdd-8e67-444c-9814-1c23863c8ccb",
"name": "Unauthorized Network Flow",
"description": "This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.",
"rationale": "The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.",
"remediation": "Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.",
"severity": "high",
"categories": [
"Anomalous Activity",
"Zero Trust"
],
"lifecycle": [
"runtime"
],
"eventSource": "deployment",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "unexpected-network-flow-detected",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "1b74ffdd-8e67-444c-9814-1c23863c8ccb",
"name": "Unauthorized Network Flow",
"description": "This policy generates a violation for the network flows that fall outside baselines for which 'alert on anomalous violations' is set.",
"rationale": "The network baseline is a list of flows that are allowed, and once it is frozen, any flow outside that is a concern.",
"remediation": "Evaluate this network flow. If deemed to be okay, add it to the baseline. If not, investigate further as required.",
"disabled": false,
"categories": [
"Anomalous Activity",
"Zero Trust"
],
"lifecycleStages": [
"RUNTIME"
],
"eventSource": "DEPLOYMENT_EVENT",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Unauthorized Network Flow",
"policyGroups": [
{
"fieldName": "Unexpected Network Flow Detected",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}