
Upwind Security

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types                   | 3rd party detection | Hunters detection | IOC search | Search | Table name           | Log format | Collection method
Upwind Security Logs - Detection Logs  |                     |                   |            |        | upwind_security_logs | NDJSON     | S3 and API
Upwind Security Logs - Stories Logs    |                     |                   |            |        | upwind_story_logs    | NDJSON     | API


Overview

Upwind ("Cloud Security Happens at Runtime") is a runtime-powered Cloud-Native Application Protection Platform (CNAPP) designed to secure cloud environments in real time. It provides deep visibility into workloads, APIs, identities, and containers by analyzing actual runtime behavior. Security teams use Upwind to detect threats, prioritize risks, and respond instantly based on real usage context. The platform reduces alert noise by mapping vulnerabilities to live assets and connections. Upwind also supports shift-left security by connecting runtime insights back into CI/CD workflows.

Supported data types

Upwind Security Logs - Detection Logs

Table name: upwind_security_logs

This data type collects runtime threat detections from the Upwind CNAPP platform. It ingests high-fidelity alerts about suspicious process behavior, reverse shells, privilege escalations, and other MITRE-mapped tactics within containerized workloads. Each log includes severity, resource context, command-line activity, and detection metadata. The data is enriched with MITRE ATT&CK mappings and linked to cloud assets in Kubernetes environments.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Upwind Detection logs via an intermediary AWS S3 bucket.

To connect Upwind logs using an AWS S3 bucket:

  1. Export your logs from Upwind to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Hunters also supports the collection of logs from Upwind using the API.

To connect Upwind logs using the API:

  1. Official Upwind API reference

  2. Official Upwind user guide

  3. Official Upwind docs center

  4. You can ask Upwind to support you with the full onboarding guide if needed, but here is a high-level way to do it:

  5. Go to the settings of your account and click "Connect organization or account".

  6. Choose a cloud provider to sync your assets with the Upwind platform. Once you click "Connect organization or account", you are asked to choose the cloud provider you would like to integrate with Upwind.

  7. Fill in the details of your account ID, organization ID, ARN, etc., and generate new client credentials on the next page.

  8. In the Settings menu, generate new credentials for the API method and make sure to use your client ID and secret on the Hunters SSI integrations page. Once you click "Generate credentials", pick "API" and then "Generate new client credentials".

  9. Once you have the client ID, organization ID and client secret, go to the Hunters SSI page, search for Upwind, connect using the API method, and fill in those values.

  10. You should now be connected and ingesting logs 😀

Expected format

Detection logs are expected in JSON format, one detection object per line (NDJSON). An example detection:

{
  "category": "PROCESS",
  "description": "Network sniffing involves the interception and analysis of network traffic flowing between devices on a network. Attackers may use network sniffing tools to capture sensitive information, such as passwords or account credentials, as they travel across a network. This can lead to unauthorized access or data exfiltration.",
  "first_seen_time": "2025-07-11T09:34:07Z",
  "id": "uwd-xxxxxxxxxxxxxxxx",
  "last_seen_time": "2025-07-11T09:34:07Z",
  "links": [
    {
      "href": "https://api.upwind.io/v1alpha1/detections/uwd-xxxxxxxxxxxxxxxx",
      "rel": "SELF"
    },
    {
      "href": "https://console.upwind.io/threats?selectedDetectionId=uwd-xxxxxxxxxxxxxxxx",
      "rel": "VIEW"
    }
  ],
  "mitre_attacks": [
    {
      "links": [
        {
          "href": "https://attack.mitre.org/tactics/TA0006",
          "rel": "TACTIC"
        },
        {
          "href": "https://attack.mitre.org/techniques/T1040",
          "rel": "TECHNIQUE"
        }
      ],
      "tactic_id": "TA0006",
      "tactic_name": "Credential Access",
      "technique_id": "T1040",
      "technique_name": "Network Sniffing"
    }
  ],
  "occurrence_count": 2,
  "resource": {
    "cloud_account_id": "byoc-<redacted>",
    "cloud_provider": "BYOC",
    "cluster_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "id": "ep-xxxxxxxxxxxxxxxx",
    "name": "<redacted-node-name>",
    "region": "byoc-<redacted-region>",
    "type": "KUBERNETES_NODE"
  },
  "severity": "CRITICAL",
  "status": "OPEN",
  "title": "A Kubernetes Node is executing a network sniffing tool",
  "triggers": [
    {
      "events": [
        {
          "data": {
            "command": "tcpdump -i <interface> -w <file> port <port>",
            "description": "Tcpdump can be used by hackers to capture network traffic, which can aid in identifying potential vulnerabilities. Additionally, it can be used to analyze captured traffic to identify sensitive information, such as login credentials or credit card numbers.",
            "execution_count": 2,
            "last_process_tree": [
              {
                "command": "tcpdump -i <interface> -w <file> port <port>",
                "host_parent_process_id": 3286645,
                "host_process_id": 3313708,
                "name": "<redacted-binary>",
                "start_time": "2025-07-11T09:33:13Z"
              }
            ],
            "name": "tcpdump",
            "pattern": "FREQUENT",
            "status": "TERMINATED",
            "user_name": "<redacted-user>",
            "validation": ["MD5"]
          },
          "description": "Execution of suspicious process",
          "type": "PROCESS_EXECUTION"
        }
      ],
      "policy_id": "dp-xxxxxxxx-xxxx-xx",
      "policy_name": "network sniffing processes"
    }
  ],
  "type": "network_sniffing",
  "upwind_console_link": "https://console.upwind.io/threats?mainPageTab=Detections&sidePanel=detection-details&sidePanelItemId=uwd-xxxxxxxxxxxxxxxx"
}
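As an added example (not Hunters' or Upwind's own code), the following Python parser reads detections in the NDJSON shape shown above and flattens the nested fields the description calls out (severity, resource context, command-line activity from the triggers, and the MITRE ATT&CK mappings) into one record per detection, skipping truncated or malformed lines; the sample record and every id in it are constructed placeholders.

```python
import json
from typing import Iterator

# Constructed NDJSON sample in the shape of the detection record shown above;
# ids are placeholders. The second line is deliberately truncated.
SAMPLE_NDJSON = json.dumps({
    "id": "uwd-placeholder", "severity": "CRITICAL", "status": "OPEN",
    "type": "network_sniffing", "occurrence_count": 2,
    "resource": {"id": "ep-placeholder", "type": "KUBERNETES_NODE", "cluster_id": "c-placeholder"},
    "mitre_attacks": [{"tactic_id": "TA0006", "technique_id": "T1040"}],
    "triggers": [{"policy_id": "dp-placeholder", "events": [{"type": "PROCESS_EXECUTION", "data": {
        "name": "tcpdump", "user_name": "user-placeholder",
        "command": "tcpdump -i <interface> -w <file> port <port>"}}]}],
}) + '\n{"id": "uwd-broken", "severity": \n'


def flatten_detection(det: dict) -> dict:
    """Reduce one nested detection object to the flat fields an analyst pivots on."""
    res = det.get("resource") or {}
    mitre = det.get("mitre_attacks") or []
    commands, users = [], set()
    for trig in det.get("triggers") or []:
        for ev in trig.get("events") or []:
            data = ev.get("data") or {}
            if data.get("command"):
                commands.append(data["command"])
            if data.get("user_name"):
                users.add(data["user_name"])
    return {
        "detection_id": det.get("id"),
        "severity": det.get("severity"),
        "status": det.get("status"),
        "detection_type": det.get("type"),
        "occurrence_count": det.get("occurrence_count", 0),
        "resource_id": res.get("id"),
        "resource_type": res.get("type"),
        "cluster_id": res.get("cluster_id"),
        "mitre_tactics": sorted({m["tactic_id"] for m in mitre if "tactic_id" in m}),
        "mitre_techniques": sorted({m["technique_id"] for m in mitre if "technique_id" in m}),
        "commands": commands,
        "users": sorted(users),
    }


def parse_ndjson(text: str) -> Iterator[dict]:
    """Yield flattened detections, skipping blank lines and malformed records."""
    for line in text.splitlines():
        try:
            record = flatten_detection(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # blank, truncated, or non-object line
        yield record
```

Running `list(parse_ndjson(SAMPLE_NDJSON))` yields a single record for the well-formed line; the truncated line is dropped rather than aborting the batch.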