aquasecurity/tracee

Features

• Monitors - Deploys as a container or Helm chart to audit system events and enforce policies in Kubernetes clusters.
• Observability Tools - Deploys a monitoring agent via Helm chart to audit system activity and detect threats across Kubernetes clusters.
• eBPF Runtime Security Monitors - Monitors containerized and host workloads in real time to detect security threats using eBPF-based system call analysis.
• Containerized Environment Monitors - Monitors containerized environments and Kubernetes without requiring changes to existing applications.
• Unified Event Normalizers - Normalizes system calls, network events, and container activities into a single event stream for consistent processing.
• eBPF Security Tools - Monitors system calls and application behavior in real time using eBPF to detect threats in containerized environments.
• Behavioral Threat Detection - Analyzes event streams to identify security threats and anomalous behavioral patterns in containerized environments.
• Cloud Native - Applies behavioral patterns and pre-defined signatures to identify suspicious activity across distributed workloads.
• Monitoring Policies - Defines flexible, configurable policies to control what system events to monitor and how to respond.
• YAML Detection Policies - Creates scoped, filterable security policies using a few lines of YAML, deployable across environments.
• Threat Detection - Analyzes system events in real time to identify suspicious behavior patterns and potential security threats.
• Signature-Based Threat Detectors - Matches system event streams against pre-defined behavioral signatures to flag suspicious activity without custom rules.
• Security Alert Triggers - Generates events for immediate threat detection and response when suspicious activity is observed.
• YAML-Based Event Filters - Defines scoped, YAML-based policies to target specific workloads and reduce noise during kernel event capture.
• Kernel Event Observability - Captures system calls and kernel events in real time by attaching eBPF programs to kernel hooks.
• System Call Monitors - Tracks system calls, process execution, file operations, and network activity to provide deep visibility into Linux system behavior.
• eBPF-Based Activity Monitors - Captures system calls and application behavior via eBPF to expose live events for security and observability.
• System Event Monitors - Captures over 400 system calls, network events, and container activities as unified events for comprehensive security monitoring.
• Forensic Artifact Collection - Captures network traffic, binaries, memory dumps, and file artifacts for post-incident investigation and compliance.
• Helm Chart Deployment - Packages the monitoring agent as a Helm chart for declarative deployment in Kubernetes clusters.
• Standalone Binaries - Runs as a self-contained binary that can be deployed directly on hosts without container runtime dependencies.
• Audit Trail Investigators - Investigates security incidents using detailed audit trails with process lineage, file paths, and network connections.
• Container Forensics Collection - Captures memory dumps, binaries, and network traffic from containers for post-incident investigation and compliance.
• Built-in Threat Signatures - Ships pre-built threat detection signatures that flag suspicious behavior without requiring custom rules.
• Forensics and Incident Response - Runtime security and forensics using eBPF.
• Networking and Security - Runtime security and forensics tool for Linux.
• Security Lab Environments - Runtime security and forensics tool using eBPF.

Star history