Editing runtime autoprofile settings

To edit autoprofile parameters:

  1. In the Policies → Runtime policies → Autoprofiles section, click the name of the autoprofile in the list of created container runtime autoprofiles.
  2. If necessary, in the displayed sidebar, on the General information tab, edit the values of one, multiple, or all of the following parameters:
    • Autoprofile status. Use the Verified/Not verified toggle switch to change the autoprofile status to Verified or Not verified.
    • Name of the runtime autoprofile. You can specify a custom autoprofile name to replace the name automatically generated by the solution.
    • Description of the runtime autoprofile. By default, no description is added when autoprofiling.
    • If the configuration of the solution allows, under Applied in containers, change the pod label, if necessary. You can also click the Add label pair button to specify an additional pod label to which the solution will apply the runtime autoprofile.
    • Under Restrict events, edit the network status monitoring parameters as follows:
      • Container processes. If necessary, use the Disabled / Enabled toggle switch to enable or disable the ability to restrict executable files in accordance with configured rules. You can specify file names and paths to block, as well as exceptions.

        If processes are running inside containers in the relevant build, the solution performs the following actions:

        • When events are detected in processes in Audit and Enforce mode, the solution activates the Block specified executable files setting and all unique paths are indicated in the Executables or path field.
        • If there are no events in processes in Audit and Enforce mode, the solution applies the Block all executable files setting.

          If it detects events other than the above, the solution activates the Allow exclusions setting and specifies all unique path values in the Executables or path field.

      • Ingress connections. If necessary, you can use the Disabled/Enabled toggle switch to enable or disable the ability to restrict ingress connections of the container.

        If inbound traffic is observed in containers in the relevant build, the solution performs the following actions:

        • When events related to ingress connections are detected in Audit or Enforce mode, the solution restricts ingress network connections.
        • If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields contain all the unique recipients of inbound connections. The solution displays exception statuses for the network reputation of ingress connections.

        You can also click buttons to specify network reputation exception statuses of ingress connections.

      • Egress connections. If necessary, you can use the Disabled/Enabled toggle switch to enable or disable the ability to restrict egress connections of the container.

        If outbound traffic is observed in containers in the relevant build, the solution performs the following actions:

        • When events related to outbound connections are detected in Audit and Enforce mode, the solution activates the Restrict outbound network connections setting.
        • If there are no events related to inbound traffic in Audit and Enforce mode, or if other events are detected, the solution activates the Allow exclusions option. The Sources, TCP ports and UDP ports fields specify all unique outbound connection sources.

        You can also click buttons to specify network reputation exception statuses of egress connections.

      • Threats identified with File Threat Protection. If necessary, use the Disabled / Enabled toggle switch to enable or disable File Threat Protection. File Threat Protection is disabled by default.
      • File operations. If necessary, you can use the Disabled / Enabled toggle switch to enable or disable the monitoring of file operations in the container.

        If actions are observed inside the containers in the relevant build, upon detection of file management events in Audit and Enforce mode, the solution activates the File operations setting. In this case, all unique paths are indicated in the Path field, and the check boxes of all detected operation types are selected in the Operation type field.

        You can also click Add rule to add rules to be applied when monitoring file operations.

      • Listening on ports. If necessary, you can use the Disabled / Enabled toggle switch to enable or disable the monitoring of port opening in the container. By default, Listening on ports is disabled.

      If a setting is enabled in the Settings section, the solution determines the specific build of the image and scans all containers deployed from that build.

  3. Save changes to the autoprofile by doing one of the following:
    • To save without changing the autoprofile status to Verified, click Save.
    • To save and change the status of the autoprofile to Verified, click Save and verify.