Goal Summary:
Expand the ACS feature to include File Integrity Monitoring (FIM) at both the host and container levels. The goal is to deliver a solution that can replace the current CrowdStrike solution to ensure a successful audit next year.
Goals and expected user outcomes:
The primary goal is for users to be able to monitor file activity at both the container and host levels. The ACS SFA agent will forward file system events to a sensor, which will enrich them with Kubernetes context and forward them to Central. This will enable the user's SOC team to receive alerts similar to those they currently get from CrowdStrike. The alerts will contain sufficient low-level information as well as Kubernetes (k8s) context to allow streamlined triage and assignment to the correct teams.
The new feature should also effectively reduce noise from routine system events and allow customers to customize the filtering directly via a policy.
Acceptance Criteria:
- Policies should be set up to track specific files and paths.
- The events generated must be enriched with Kubernetes context, including tags, labels, and annotations, to facilitate correlation and investigation.
- The solution must provide a way to distinguish between file changes that occur at the host level versus the container level.
- The system must be able to filter out noise from events caused by actions like OpenShift upgrades.
- The events should include all details available from the SFA agent.
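The pipeline the goals and acceptance criteria describe (agent event, sensor enrichment with Kubernetes context, host-versus-container distinction, policy-based noise filtering), as an added toy example written for this page rather than ACS or SFA code; the `FileEvent` and `FIMPolicy` shapes, the pod index keyed by container ID, and all sample values are constructed assumptions.

```python
"""Toy FIM pipeline: agent file events -> sensor enrichment with Kubernetes context
-> policy filtering -> alerts for Central. Constructed shapes, not ACS/SFA formats."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    path: str
    op: str
    process: str
    container_id: Optional[str] = None  # None means the write happened on the host


@dataclass
class FIMPolicy:
    """Hypothetical policy shape: path prefixes to watch, process names treated as routine noise."""
    watch_paths: List[str]
    exclude_processes: List[str] = field(default_factory=list)


def enrich(event: FileEvent, pods: Dict[str, dict]) -> dict:
    """Sensor step: attach namespace/pod/labels looked up by container ID, or mark as host-level."""
    ctx = pods.get(event.container_id or "")
    return {"scope": "container" if ctx else "host", "path": event.path, "op": event.op,
            "process": event.process,
            "namespace": ctx["namespace"] if ctx else None,
            "pod": ctx["pod"] if ctx else None,
            "labels": ctx.get("labels", {}) if ctx else {}}


def evaluate(policy: FIMPolicy, events: List[FileEvent], pods: Dict[str, dict]) -> List[dict]:
    """Drop excluded processes first, then keep only events under a watched path prefix."""
    alerts = []
    for ev in events:
        if ev.process in policy.exclude_processes:
            continue  # routine noise, e.g. an upgrade tool rewriting system files
        if any(ev.path.startswith(p) for p in policy.watch_paths):
            alerts.append(enrich(ev, pods))
    return alerts


# Constructed sample policy, pod index (keyed by container ID) and agent events.
SAMPLE_POLICY = FIMPolicy(watch_paths=["/etc/"], exclude_processes=["rpm-ostree"])
SAMPLE_PODS = {"c1": {"namespace": "payments", "pod": "api-0", "labels": {"team": "payments"}}}
SAMPLE_EVENTS = [
    FileEvent("/etc/passwd", "write", "vi"),                 # host-level change, alerted
    FileEvent("/etc/nginx/nginx.conf", "write", "sh", "c1"),  # container-level change, alerted
    FileEvent("/etc/os-release", "write", "rpm-ostree"),     # upgrade noise, dropped by policy
    FileEvent("/tmp/scratch", "write", "sh", "c1"),          # not a watched path, dropped
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_POLICY, SAMPLE_EVENTS, SAMPLE_PODS):
        print(f"{a['scope']:<9} {a['op']} {a['path']} ns={a['namespace']} pod={a['pod']} labels={a['labels']}")
```

Running it yields two alerts: a host-scoped one with no Kubernetes context and a container-scoped one carrying the namespace, pod and labels, while the upgrade-tool write and the unwatched path are filtered out.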
Success Criteria or KPIs measured:
- Customers can swap this new functionality in for the existing product and achieve a similar type of alerting across different use cases.
- The ACS solution should be able to support the number of file activity policies and paths currently being tracked by CrowdStrike.
- The number of alerts is manageable, and the noise is successfully reduced.