Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Upwind Security Logs | ✅ | | | | upwind_security_logs | NDJSON | S3 |
Overview
Upwind is a runtime-powered Cloud-Native Application Protection Platform (CNAPP) designed to secure cloud environments in real time. It provides deep visibility into workloads, APIs, identities, and containers by analyzing actual runtime behavior. Security teams use Upwind to detect threats, prioritize risks, and respond instantly based on real usage context. The platform reduces alert noise by mapping vulnerabilities to live assets and connections. Upwind also supports shift-left security by connecting runtime insights back into CI/CD workflows.
Supported data types
Upwind Security Logs
Table name: upwind_security_logs
This data type collects runtime threat detections from the Upwind CNAPP platform. It ingests high-fidelity alerts about suspicious process behavior, reverse shells, privilege escalations, and other MITRE-mapped tactics within containerized workloads. Each log includes severity, resource context, command-line activity, and detection metadata. The data is enriched with MITRE ATT&CK mappings and linked to cloud assets in Kubernetes environments.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of Upwind logs via an intermediary AWS S3 bucket.
To connect Upwind logs:
Export your logs from Upwind to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in JSON format, as in the following sample detection:

```json
{
  "category": "PROCESS",
  "description": "Network sniffing involves the interception and analysis of network traffic flowing between devices on a network. Attackers may use network sniffing tools to capture sensitive information, such as passwords or account credentials, as they travel across a network. This can lead to unauthorized access or data exfiltration.",
  "first_seen_time": "2025-07-11T09:34:07Z",
  "id": "uwd-xxxxxxxxxxxxxxxx",
  "last_seen_time": "2025-07-11T09:34:07Z",
  "links": [
    {
      "href": "https://api.upwind.io/v1alpha1/detections/uwd-xxxxxxxxxxxxxxxx",
      "rel": "SELF"
    },
    {
      "href": "https://console.upwind.io/threats?selectedDetectionId=uwd-xxxxxxxxxxxxxxxx",
      "rel": "VIEW"
    }
  ],
  "mitre_attacks": [
    {
      "links": [
        {
          "href": "https://attack.mitre.org/tactics/TA0006",
          "rel": "TACTIC"
        },
        {
          "href": "https://attack.mitre.org/techniques/T1040",
          "rel": "TECHNIQUE"
        }
      ],
      "tactic_id": "TA0006",
      "tactic_name": "Credential Access",
      "technique_id": "T1040",
      "technique_name": "Network Sniffing"
    }
  ],
  "occurrence_count": 2,
  "resource": {
    "cloud_account_id": "byoc-<redacted>",
    "cloud_provider": "BYOC",
    "cluster_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "id": "ep-xxxxxxxxxxxxxxxx",
    "name": "<redacted-node-name>",
    "region": "byoc-<redacted-region>",
    "type": "KUBERNETES_NODE"
  },
  "severity": "CRITICAL",
  "status": "OPEN",
  "title": "A Kubernetes Node is executing a network sniffing tool",
  "triggers": [
    {
      "events": [
        {
          "data": {
            "command": "tcpdump -i <interface> -w <file> port <port>",
            "description": "Tcpdump can be used by hackers to capture network traffic, which can aid in identifying potential vulnerabilities. Additionally, it can be used to analyze captured traffic to identify sensitive information, such as login credentials or credit card numbers.",
            "execution_count": 2,
            "last_process_tree": [
              {
                "command": "tcpdump -i <interface> -w <file> port <port>",
                "host_parent_process_id": 3286645,
                "host_process_id": 3313708,
                "name": "<redacted-binary>",
                "start_time": "2025-07-11T09:33:13Z"
              }
            ],
            "name": "tcpdump",
            "pattern": "FREQUENT",
            "status": "TERMINATED",
            "user_name": "<redacted-user>",
            "validation": ["MD5"]
          },
          "description": "Execution of suspicious process",
          "type": "PROCESS_EXECUTION"
        }
      ],
      "policy_id": "dp-xxxxxxxx-xxxx-xx",
      "policy_name": "network sniffing processes"
    }
  ],
  "type": "network_sniffing",
  "upwind_console_link": "https://console.upwind.io/threats?mainPageTab=Detections&sidePanel=detection-details&sidePanelItemId=uwd-xxxxxxxxxxxxxxxx"
}
```
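The following is an added example, not code from Hunters or Upwind, showing how a detection engineer might validate a batch of these records before relying on them downstream: it reads the NDJSON lines as they would arrive from the S3 export, flattens each detection to the pivot fields (severity, status, MITRE tactic and technique ids, resource, executed commands and users) and keeps only OPEN detections at or above a chosen severity. It assumes each line of the export is one JSON object with the field names shown in the sample above; the two sample records, ids, node names and command line are constructed placeholders.

```python
"""Flatten Upwind NDJSON detections into triage rows.

Added example (not Hunters' or Upwind's code). Assumes one JSON object per
line with the field names from the sample detection on this page.
"""
import json
from typing import Iterator

# Constructed sample export: two detection records with placeholder ids,
# reduced to the fields this parser reads. A real export has many lines.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "id": "uwd-example0001", "type": "network_sniffing",
        "title": "A Kubernetes Node is executing a network sniffing tool",
        "severity": "CRITICAL", "status": "OPEN", "occurrence_count": 2,
        "first_seen_time": "2025-07-11T09:34:07Z", "last_seen_time": "2025-07-11T09:34:07Z",
        "mitre_attacks": [{"tactic_id": "TA0006", "tactic_name": "Credential Access",
                           "technique_id": "T1040", "technique_name": "Network Sniffing"}],
        "resource": {"id": "ep-example0001", "name": "node-a", "type": "KUBERNETES_NODE",
                     "cluster_id": "cluster-example", "cloud_provider": "BYOC"},
        "triggers": [{"policy_id": "dp-example", "policy_name": "network sniffing processes",
                      "events": [{"type": "PROCESS_EXECUTION",
                                  "data": {"name": "tcpdump",
                                           "command": "tcpdump -i eth0 -w out.pcap port 443",
                                           "user_name": "root", "status": "TERMINATED",
                                           "execution_count": 2,
                                           "last_process_tree": [{"name": "tcpdump",
                                                                  "host_process_id": 3313708,
                                                                  "host_parent_process_id": 3286645}]}}]}],
    }),
    json.dumps({
        "id": "uwd-example0002", "type": "example_low_finding",
        "title": "Low severity example", "severity": "LOW", "status": "RESOLVED",
        "occurrence_count": 1, "first_seen_time": "2025-07-11T10:00:00Z",
        "last_seen_time": "2025-07-11T10:00:00Z", "mitre_attacks": [],
        "resource": {"id": "ep-example0002", "name": "node-b", "type": "KUBERNETES_NODE"},
        "triggers": [],
    }),
    "",  # trailing newline, as a file export usually ends with one
])

SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_detections(ndjson_text: str) -> Iterator[dict]:
    """Yield one dict per non-empty line; skip a malformed line instead of aborting the batch."""
    for lineno, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            # One corrupt line must not drop the rest of the export.
            print(f"line {lineno}: skipped malformed JSON ({exc.msg})")


def flatten_detection(det: dict) -> dict:
    """Reduce one detection to the fields an analyst pivots on."""
    mitre = det.get("mitre_attacks") or []
    events = [ev for trig in det.get("triggers") or [] for ev in trig.get("events") or []]
    # Only PROCESS_EXECUTION events carry a command line and user in the sample schema.
    proc = [ev.get("data") or {} for ev in events if ev.get("type") == "PROCESS_EXECUTION"]
    resource = det.get("resource") or {}
    return {
        "id": det.get("id"),
        "severity": det.get("severity"),
        "status": det.get("status"),
        "title": det.get("title"),
        "tactics": sorted({m.get("tactic_id") for m in mitre if m.get("tactic_id")}),
        "techniques": sorted({m.get("technique_id") for m in mitre if m.get("technique_id")}),
        "resource_type": resource.get("type"),
        "resource_name": resource.get("name"),
        "cluster_id": resource.get("cluster_id"),
        "commands": [p.get("command") for p in proc if p.get("command")],
        "users": sorted({p.get("user_name") for p in proc if p.get("user_name")}),
        "occurrence_count": det.get("occurrence_count", 0),
    }


def triage(ndjson_text: str, min_severity: str = "HIGH") -> list[dict]:
    """Return OPEN detections at or above min_severity, highest severity first."""
    threshold = SEVERITY_ORDER[min_severity]
    rows = [flatten_detection(d) for d in iter_detections(ndjson_text)]
    keep = [r for r in rows
            if SEVERITY_ORDER.get(r["severity"], 0) >= threshold and r["status"] == "OPEN"]
    return sorted(keep, key=lambda r: (-SEVERITY_ORDER.get(r["severity"], 0), r["id"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_NDJSON):
        print(row["severity"], row["id"], row["techniques"], row["commands"])
```

Unknown severities sort below LOW rather than raising, and a malformed line is reported and skipped, so a partially corrupt export still yields the valid detections; point the script at the downloaded object's text instead of SAMPLE_NDJSON to run it against a real batch.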