Aqua Security

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

  • Supported data type: Aqua Audit Events
  • Table name: aqua_audit_events
  • Log format: NDJSON
  • Collection method: API / S3
  • Capabilities (3rd party detection, Hunters detection, IOC search, Search): ✅ ✅ ✅


Overview

Aqua Security provides a platform for securing cloud-native applications, with a strong focus on containerized environments, Kubernetes, and serverless workloads. Its features include vulnerability scanning for images and code, runtime protection to detect and prevent malicious activity, and compliance checks for cloud-native environments. Aqua integrates with CI/CD pipelines to enforce security earlier in the development process and provides tools for securing infrastructure-as-code. It is designed to work across multiple cloud providers and orchestrators, making it a comprehensive solution for securing modern, dynamic application infrastructure.

Supported data types

Aqua Audit Events

Table name: aqua_audit_events

Aqua Audit Events is a feature within Aqua Security's platform that tracks and logs significant security-related actions and events across cloud-native environments. It provides detailed records of activities such as configuration changes, policy updates, and runtime security events, helping organizations maintain visibility and accountability. These audit logs can be integrated with external logging and monitoring tools, such as SIEM solutions, for centralized analysis and compliance reporting. Aqua Audit Events is particularly useful for meeting regulatory requirements and troubleshooting security incidents in containerized and Kubernetes-based infrastructures.

Send data to Hunters

You can collect logs using one of two methods:

  • API - follow a few steps to connect logs to Hunters via the Aqua API.
  • S3 storage - route logs to an S3 bucket and provide Hunters with the bucket details.

Using API

Aqua events are collected via the Aqua API, which requires an Aqua Enterprise license.

To connect Aqua logs:

  1. Follow this guide by Aqua and provide Hunters with the following information:

    • User Email

    • User Password

    • Hostname of your workload protection system in the correct region (see also here), for example https://xxxxxxx.cloud.aquasec.com

  2. Complete the process on the Hunters platform, following this guide.

Using S3 storage

Alternatively, you can route these logs from your network to a storage service (e.g. an S3 bucket) shared with Hunters. Click here for further instructions.

Expected format

The expected log format is NDJSON (one JSON object per line), as exported by Aqua. The two sample records below are shown pretty-printed for readability; in the export each record occupies a single line. Note that the data field carries a nested JSON document serialized as a string, so it has to be decoded a second time.

    {
      "id": 558,
      "time": 99999,
      "timestamp": 0,
      "date": 0,
      "type": "Runtime",
      "user": "root",
      "action": "exec",
      "image": "099383092.sdsd.ecr.us-west-2.amazonaws.com/gffy:latest",
      "imagehash": "sha256:1408a56565ab9ac8e01d5de6a0ecdd797485da5dbb9391ac5443229552a373",
      "container": "853g450b9cc",
      "containerid": "853e4d80656545nkdfvfc164f1e7f6d9a-1189836358",
      "host": "ip-111-22-32-111.us-west-2.compute.internal (microenforcer)",
      "hostid": "5b987d3e-5432-41e5-9c7f-61ea7f944eac",
      "category": "file",
      "result": 2,
      "data": "{\"pid\": 492, \"euid\": \"0\", \"host\": \"ip-111-22-32-111.us-west-2.compute.internal (microenforcer)\", \"ppid\": 487, \"rule\": \"Hunters PoC Policy\", \"time\": 1666950955, \"user\": \"root\", \"euser\": \"root\", \"image\": \"099383092.sdsd.ecr.us-west-2.amazonaws.com/gotty:latest\", \"level\": \"block\", \"action\": \"exec\", \"hostid\": \"090909-5dec-41e5-9c7f-61ea7f944eac\", \"reason\": \"Unauthorized action blocked by runtime policy\", \"result\": 2, \"tactic\": \"Defense Evasion\", \"command\": \"chmod\", \"control\": \"Executables Blocked\", \"imageid\": \"1408a3877cddab9ac8909098a0ecdd797485da5dbb9391ac5443229552a373\", \"process\": \"docker\", \"category\": \"file\", \"resource\": \"/bin/busybox\", \"container\": \"853e4909cc\", \"hostgroup\": \"hunters-poc\", \"rule_type\": \"runtime.policy\", \"technique\": \"Execution Guardrails\", \"timestamp\": 1666959995218, \"repository\": \"gotty\", \"containerid\": \"853e4d800909a7f8ccc164f1e7f6d9a-1189836358\", \"container_ip\": \"111.22.32,111\", \"resource_digest\": \"b9c85b04c09cdxcxa02baf303846ff9a5ccb3cb9d2676012f14d9f348fce3\"}",
      "account_id": 0,
      "audit_type": ""
    }

    {
      "id": 239861,
      "time": 166999980,
      "timestamp": 0,
      "date": 0,
      "type": "scalock.admin",
      "user": "System",
      "action": "Enforcer Disconnected",
      "image": "",
      "imagehash": "",
      "container": "",
      "containerid": "",
      "host": "ip-999-99-99-4.us-west-2.compute.internal (microenforcer)",
      "hostid": "",
      "category": "Host",
      "result": 3,
      "data": "{\"hostid\": \"3ba4862c-4303-419d-ae01-2239c467703a\", \"hostip\": \"999.99.99.4\", \"hostname\": \"ip-999-99-99-4.us-west-2.compute.internal (microenforcer)\", \"adjective\": \"545452c-4303-419d-ae01-2239c467703a\", \"hostgroup\": \"hunters-poc\", \"description\": \"\"}",
      "account_id": 0,
      "audit_type": ""
    }
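As an added example (not code from the Hunters or Aqua documentation), the following Python reads records in the NDJSON shape shown above, decodes the double-encoded data field, and flattens blocked runtime events to the fields a detection engineer pivots on (rule, MITRE tactic and technique, command, resource). The two sample records and all their values are constructed for the example; the malformed second payload shows how a record whose data field is not valid JSON is retained rather than dropped.

```python
import json
from typing import Any

# Constructed sample (values made up) in the shape of the export above:
# one JSON object per line, with "data" holding a second JSON document
# serialized as a string, so it must be decoded a second time.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "id": 558, "time": 1666950955, "type": "Runtime", "user": "root",
        "action": "exec", "category": "file", "result": 2,
        "host": "ip-111-22-32-111.us-west-2.compute.internal (microenforcer)",
        "data": json.dumps({
            "rule": "Hunters PoC Policy", "level": "block",
            "tactic": "Defense Evasion", "technique": "Execution Guardrails",
            "command": "chmod", "resource": "/bin/busybox",
        }),
    }),
    json.dumps({
        "id": 239861, "time": 166999980, "type": "scalock.admin",
        "user": "System", "action": "Enforcer Disconnected",
        "category": "Host", "result": 3,
        "data": "not json",  # payload that fails the second decode
    }),
])

def parse_record(line: str) -> dict[str, Any]:
    """Decode one NDJSON line and expand the double-encoded 'data' field.

    A payload that is not valid JSON is preserved under 'data_raw' with
    'data' set to None, so malformed records are kept, not dropped.
    """
    rec = json.loads(line)
    raw = rec.get("data")
    try:
        rec["data"] = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        rec["data_raw"], rec["data"] = raw, None
    return rec

def blocked_runtime_events(ndjson: str) -> list[dict[str, Any]]:
    """Flatten Runtime records with level 'block' to analyst pivot fields."""
    keys = ("rule", "tactic", "technique", "command", "resource")
    hits = []
    for line in filter(None, ndjson.splitlines()):
        rec = parse_record(line)
        data = rec.get("data") or {}
        if rec.get("type") == "Runtime" and data.get("level") == "block":
            hits.append({"id": rec["id"], "host": rec.get("host"),
                         **{k: data.get(k) for k in keys}})
    return hits
```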