Using Process Baseline
Process baselining in Alauda Security Service helps secure your environment by learning which processes normally run in your containers and then flagging deviations from that baseline as risks or, once the baseline is locked, enforcing them as violations.
TOC
- What is a Process Baseline?
- Baseline States
- Unlocked
- Locked
- Managing Process Baselines
- Viewing Baselines
- Adding a Process
- Removing a Process
- Locking/Unlocking the Baseline
What is a Process Baseline?
When you deploy Alauda Security Service, there is no default process baseline. As deployments are discovered, a process baseline is automatically created for each container type and populated from observed process activity.
Baseline States
Unlocked
- During initial discovery (first hour), baselines are unlocked.
- New processes are automatically added to the baseline and do not trigger risks or violations.
- After one hour, new processes are marked as risks but do not trigger violations, and are not added to the baseline.
Locked
- Locking a baseline stops new processes from being added.
- Any process not in the baseline triggers a violation.
- You can always manually add or remove processes from the baseline.
If a deployment has multiple container types, each container type has its own baseline. If some of those baselines are locked and others are unlocked, the deployment status is shown as Mixed.
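The baseline lifecycle described above is a small state machine, so it is worth seeing the rules run end to end. The following is an added example, not Alauda Security Service code or any of its APIs: it models a per-container baseline and classifies each observed process as "added" (learned during the first hour), "ok" (already in the baseline), "risk" (unknown process after the discovery window on an unlocked baseline) or "violation" (unknown process on a locked baseline), and derives the Locked/Unlocked/Mixed deployment status. The one-hour window and the four outcomes follow the page; the class, function and label names, and the sample event stream, are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Discovery window during which unknown processes are learned silently (from the page).
DISCOVERY_WINDOW = timedelta(hours=1)


@dataclass
class ContainerBaseline:
    """Process baseline for one container type of a deployment (hypothetical model)."""
    container: str
    created_at: datetime               # when discovery of this container started
    processes: set = field(default_factory=set)
    locked: bool = False

    def observe(self, process: str, seen_at: datetime) -> str:
        """Classify one observed process execution against the baseline."""
        if process in self.processes:
            return "ok"                # expected runtime behaviour
        if self.locked:
            return "violation"         # locked: anything unlisted is a violation
        if seen_at - self.created_at < DISCOVERY_WINDOW:
            self.processes.add(process)
            return "added"             # still learning: silently added, no risk
        return "risk"                  # unlocked but past the first hour: risk only

    # Manual management is always available, whatever the lock state.
    def add(self, process: str) -> None:
        self.processes.add(process)

    def remove(self, process: str) -> None:
        self.processes.discard(process)

    def lock(self) -> None:
        self.locked = True

    def unlock(self) -> None:
        self.locked = False


def deployment_status(baselines) -> str:
    """Locked, Unlocked, or Mixed when container baselines disagree."""
    states = {b.locked for b in baselines}
    if states == {True}:
        return "Locked"
    if states == {False}:
        return "Unlocked"
    return "Mixed"


def run_example():
    """Replay a constructed event stream for a two-container deployment."""
    t0 = datetime(2024, 1, 1, 0, 0)
    app = ContainerBaseline("app", created_at=t0)
    sidecar = ContainerBaseline("sidecar", created_at=t0)
    by_name = {"app": app, "sidecar": sidecar}

    # Constructed events: (minutes after discovery start, container, process).
    events = [
        (5, "app", "nginx"),
        (30, "app", "sh"),
        (10, "sidecar", "envoy"),
        (90, "app", "nginx"),      # known process after the window
        (90, "app", "curl"),       # unknown after the window: risk, not learned
    ]
    outcomes = []
    for minutes, container, process in events:
        outcomes.append((container, process, by_name[container].observe(process, t0 + timedelta(minutes=minutes))))

    # An operator reviews the app baseline and locks it; the sidecar stays unlocked.
    app.lock()
    outcomes.append(("app", "curl", app.observe("curl", t0 + timedelta(minutes=120))))

    return {"outcomes": outcomes, "status": deployment_status([app, sidecar]),
            "app_processes": sorted(app.processes)}


if __name__ == "__main__":
    result = run_example()
    for container, process, outcome in result["outcomes"]:
        print(f"{container:8} {process:8} -> {outcome}")
    print("deployment status:", result["status"])
```

Note that `curl` is never learned once the first hour has passed: it is reported as a risk while the baseline is unlocked and becomes a violation only after the baseline is locked, which is exactly why reviewing and then locking a baseline is the step that turns observation into enforcement.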
Managing Process Baselines
You can view and manage process baselines from the Risk workflow in the Alauda Security Service portal. Baseline management is most useful when you are validating expected runtime behavior for a deployment and deciding whether newly observed processes are acceptable.
Viewing Baselines
- Go to Risk in the portal.
- Select a deployment.
- In the details panel, open the Process Discovery tab.
- Baselines are listed under Spec Container Baselines.
Adding a Process
- In Process Discovery, under Running Processes, click the Add icon next to a process not already in the baseline.
Removing a Process
- In Process Discovery, under Spec Container Baselines, click the Remove icon next to the process you want to remove.
Locking/Unlocking the Baseline
- Click the Lock icon to lock the baseline; any process not in the baseline then triggers a violation.
- Click the Unlock icon to unlock the baseline and stop enforcing violations for unlisted processes.
By managing process baselines, you can separate expected runtime behavior from unexpected process execution and reduce the noise in runtime investigations.