Container Runtime Enrichment
Enhance security events with container runtime metadata by automatically connecting to Docker and containerd.
Overview
The enricher feature enriches security events with detailed container information. When enabled, Jibril automatically connects to available container runtimes and adds container context to every security event.
Zero configuration
- Automatically detects available runtimes.
- Connects to runtime sockets.
- Maintains container inventory.
- Enriches events transparently.
Configuration
Enable container runtime enrichment through Jibril's configuration file:
```yaml
features:
  - enricherDefaults
```
The enricher will automatically:
- Detect available container runtimes.
- Connect to runtime sockets.
- Maintain container inventory.
- Enrich events transparently.
Supported Runtimes
docker
Socket: /var/run/docker.sock
Automatically detected when:
- Docker daemon is running.
- Socket is accessible to Jibril.
Supported versions:
- Docker Engine 20.10+.
- Docker CE/EE.
containerd
Socket: /run/containerd/containerd.sock
Automatically detected when:
- containerd daemon is running.
- Socket is accessible to Jibril.
Supported versions:
- containerd 1.4+.
- Used by Kubernetes (CRI).
Note: Jibril can connect to multiple runtimes simultaneously. If both docker and containerd are available, both will be monitored (even when containerd is used as the CRI for Docker, the information from both sources is then correlated).
Use Cases
Scenario: Suspicious network activity detected
With enricher
- Immediately identify which container is responsible
- Check if container is privileged
- Verify image source and version
- Review container labels for ownership
- Correlate with deployment metadata
Without enricher
- Only see process ID and command
- Manual correlation with containers required
- Difficult to track across container restarts
Compliance and Audit
Track privileged container usage:
- Automatic logging of all privileged containers
- Full audit trail with container metadata
- Easy filtering by security settings
- Clear ownership via labels
Container Escape Detection
Detect container breakout attempts:
- Detect when a containerized process accesses the host filesystem
- Identify privilege escalation inside containers
- Track unexpected capability usage
- Monitor privileged operations originating from containers
Enhanced context:
- Know if escape originated from privileged container
- Identify vulnerable image versions
- Correlate with container configuration
Enriched Metadata
Container Identity
- Container ID - Full and shortened (12 chars) identifier
- Container Name - Human-readable container name
- Container Hostname - Internal hostname
- Container State - Current state (running, paused, exited)
Image Information
- Image Name - Full image name
- Image Tag - Image version tag
- Image ID - Unique image identifier
- Image Digest - Content hash
Runtime Information
- Runtime Type - Docker or containerd
- Runtime Version - Version information
Security Settings
- Privileged - Whether container runs with elevated privileges
- Capabilities - Linux capabilities granted
- Security Options - AppArmor, SELinux, seccomp profiles
- Read-Only Root - Filesystem protection status
Network Configuration
- IP Addresses - Container IP addresses
- Network Mode - Bridge, host, none
- Ports - Exposed and published ports
- Networks - Attached networks
Labels and Metadata
- Container Labels - All user-defined labels
- Kubernetes Metadata - Pod name, namespace, deployment (if applicable)
- Annotations - Additional metadata
- Environment Variables - Container environment configuration
Lifecycle Information
- Creation Time - When container was created
- Start Time - When container started running
- PID - Container's process ID on host
- Exit Code - Exit code (for stopped containers)
Example
```json
{
  "uuid": "266af317e11775e569f18e9659f79f5fc9af6248f483d0b0b0d28bfb8cf19f6c",
  "timestamp": "2026-01-26T15:43:27Z",
  "note": "file_example_blergh",
  "metadata": {
    "kind": "file_example",
    "name": "file_example_blergh",
    "format": "file_access",
    "version": "1.0",
    "description": "Detect access magic files as an example",
    "importance": "high",
    "documentation": "https://garnet.gitbook.io/jibril/detections/file-access/file_example",
    "tactic": "example",
    "technique": "example",
    "subtechnique": "example"
  },
  "background": {
    "files": {
      "root": {
        "path": "/",
        "dirs": [
          {
            "path": "/bin",
            "base": "bin",
            "files": [
              {
                "path": "/bin/busybox",
                "base": "busybox",
                "actions": ["mmap", "open", "close", "execve"],
                "mode": "rwxr-xr-x",
                "owner": {
                  "uid": 0,
                  "gid": 0
                },
                "metadata": {
                  "size": 804616,
                  "access": "2025-12-16 14:19:28",
                  "change": "2025-12-16 14:19:28",
                  "creation": "2026-01-26 15:43:16"
                }
              }
            ]
          },
          {
            "path": "/lib",
            "base": "lib",
            "files": [
              {
                "path": "/lib/ld-musl-x86_64.so.1",
                "base": "ld-musl-x86_64.so.1",
                "actions": ["mmap", "open", "close"],
                "mode": "rwxr-xr-x",
                "owner": {
                  "uid": 0,
                  "gid": 0
                },
                "metadata": {
                  "size": 666216,
                  "access": "2025-10-13 18:32:08",
                  "change": "2025-10-13 18:32:08",
                  "creation": "2026-01-26 15:43:16"
                }
              }
            ]
          },
          {
            "path": "/tmp",
            "base": "tmp",
            "files": [
              {
                "path": "/tmp/blergh",
                "base": "blergh",
                "actions": ["open", "close"],
                "mode": "rw-r--r--",
                "owner": {
                  "uid": 0,
                  "gid": 0
                },
                "metadata": {
                  "size": 0,
                  "access": "2026-01-26 15:43:27",
                  "change": "2026-01-26 15:43:27",
                  "creation": "2026-01-26 15:43:27"
                }
              }
            ]
          }
        ]
      }
    },
    "containers": {
      "mnt_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "pid_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "uts_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "ipc_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "net_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "cgroup_namespace_ids": [
        {
          "name": "container01",
          "id": "6c0428dd2e67"
        }
      ],
      "containers": [
        {
          "id": "6c0428dd2e67",
          "name": "container01",
          "hostname": "6c0428dd2e67",
          "image_id": "e7b39c54cdec",
          "image": "alpine:latest",
          "runtime": "runc",
          "driver": "overlay2",
          "pid": 1275136,
          "status": "running",
          "is_attached": true,
          "path": "/bin/sh",
          "cwd": "/",
          "created_at": "2026-01-26 15:43:16",
          "started_at": "2026-01-26 15:43:16",
          "finished_at": "0001-01-01 00:00:00",
          "mounts": [
            {
              "source": "proc",
              "destination": "/proc",
              "type": "proc"
            },
            {
              "source": "tmpfs",
              "destination": "/dev",
              "type": "tmpfs"
            },
            {
              "source": "devpts",
              "destination": "/dev/pts",
              "type": "devpts"
            },
            {
              "source": "sysfs",
              "destination": "/sys",
              "type": "sysfs"
            },
            {
              "source": "cgroup",
              "destination": "/sys/fs/cgroup",
              "type": "cgroup"
            },
            {
              "source": "mqueue",
              "destination": "/dev/mqueue",
              "type": "mqueue"
            },
            {
              "source": "shm",
              "destination": "/dev/shm",
              "type": "tmpfs"
            },
            {
              "source": "/var/lib/docker/containers/6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92/resolv.conf",
              "destination": "/etc/resolv.conf",
              "type": "bind"
            },
            {
              "source": "/var/lib/docker/containers/6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92/hostname",
              "destination": "/etc/hostname",
              "type": "bind"
            },
            {
              "source": "/var/lib/docker/containers/6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92/hosts",
              "destination": "/etc/hosts",
              "type": "bind"
            }
          ],
          "network_mode": "bridge",
          "cgroupns_mode": "private",
          "ipc_mode": "private",
          "env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
          ],
          "cmd": ["/bin/sh"],
          "namespaces": {
            "mnt_ns": 4026532536,
            "pid_ns": 4026532645,
            "uts_ns": 4026532643,
            "ipc_ns": 4026532644,
            "net_ns": 4026532647,
            "cgroup_ns": 4026532646
          }
        }
      ]
    },
    "ancestry": [
      {
        "start": "2026-01-15T17:52:34-03:00",
        "exit": "running",
        "retcode": 0,
        "uid": 0,
        "pid": 1,
        "ppid": 0,
        "comm": "systemd",
        "cmd": "systemd",
        "exe": "/usr/lib/systemd/systemd",
        "args": "/usr/lib/systemd/systemd --switched-root --system --deserialize=50",
        "envs": "BOOT_IMAGE=/vmlinuz-linux-lts COLUMNS=80 LINES=25 TERM=linux",
        "namespaces": {
          "mnt_ns": 4026531841,
          "pid_ns": 4026531836,
          "uts_ns": 4026531838,
          "ipc_ns": 4026531839,
          "net_ns": 4026531840,
          "cgroup_ns": 4026531835
        }
      },
      {
        "start": "2026-01-26T12:43:16-03:00",
        "exit": "running",
        "retcode": 0,
        "uid": 0,
        "pid": 1275113,
        "ppid": 1,
        "comm": "containerd-shim",
        "cmd": "containerd-shim-runc-v2",
        "exe": "/usr/bin/containerd-shim-runc-v2",
        "args": "/usr/bin/containerd-shim-runc-v2 -namespace moby -id 6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92 -address /run/containerd/containerd.sock",
        "envs": "LANG=en_US.UTF-8 PATH=/opt/containerd/bin:/usr/local/sbin:/usr/local/bin:/usr/bin USER=root INVOCATION_ID=37894e4e179c4d8f8910543016767800 JOURNAL_STREAM=9:9918 SYSTEMD_EXEC_PID=782 MEMORY_PRESSURE_WATCH=/sys/fs/cgroup/system.slice/containerd.service/memory.pressure MEMORY_PRESSURE_WRITE=c29tZSAyMDAwMDAgMjAwMDAwMAA= NOTIFY_SOCKET=/run/systemd/notify LD_LIBRARY_PATH=/opt/containerd/lib: MAX_SHIM_VERSION=2 TTRPC_ADDRESS=/run/containerd/containerd.sock.ttrpc GRPC_ADDRESS=/run/containerd/containerd.sock NAMESPACE=moby GOMAXPROCS=4 OTEL_SERVICE_NAME=containerd-shim-6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92",
        "namespaces": {
          "mnt_ns": 4026531841,
          "pid_ns": 4026531836,
          "uts_ns": 4026531838,
          "ipc_ns": 4026531839,
          "net_ns": 4026531840,
          "cgroup_ns": 4026531835
        }
      },
      {
        "start": "2026-01-26T12:43:16-03:00",
        "exit": "running",
        "retcode": 0,
        "uid": 0,
        "pid": 1275136,
        "ppid": 1275113,
        "comm": "sh",
        "cmd": "busybox",
        "exe": "/bin/busybox",
        "args": "/bin/sh",
        "envs": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=6c0428dd2e67 TERM=xterm HOME=/root",
        "namespaces": {
          "mnt_ns": 4026532536,
          "pid_ns": 4026532645,
          "uts_ns": 4026532643,
          "ipc_ns": 4026532644,
          "net_ns": 4026532647,
          "cgroup_ns": 4026532646
        }
      },
      {
        "start": "2026-01-26T12:43:27-03:00",
        "exit": "2026-01-26T12:43:27-03:00",
        "retcode": 0,
        "uid": 0,
        "pid": 1275304,
        "ppid": 1275136,
        "comm": "touch",
        "cmd": "busybox",
        "exe": "/bin/busybox",
        "args": "touch /tmp/blergh",
        "envs": "HOSTNAME=6c0428dd2e67 SHLVL=1 HOME=/root TERM=xterm PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/",
        "namespaces": {
          "mnt_ns": 4026532536,
          "pid_ns": 4026532645,
          "uts_ns": 4026532643,
          "ipc_ns": 4026532644,
          "net_ns": 4026532647,
          "cgroup_ns": 4026532646
        }
      }
    ]
  },
  "file": {
    "path": "/tmp/blergh",
    "dir": "/tmp",
    "basename": "blergh",
    "type": "regular",
    "owner": {
      "uid": 0,
      "gid": 0
    },
    "actions": {
      "actions": ["open", "close"],
      "open": true,
      "read": false,
      "write": false,
      "exec": false,
      "create": false,
      "unlink": false,
      "rename": false,
      "link": false,
      "truncate": false,
      "fsync": false,
      "flock": false,
      "mmap": false,
      "close": true,
      "async": false,
      "seek": false
    },
    "permissions": {
      "mode": "rw-r--r--",
      "owner_read": true,
      "owner_write": true,
      "owner_exec": false,
      "group_read": true,
      "group_write": false,
      "group_exec": false,
      "other_read": true,
      "other_write": false,
      "other_exec": false
    },
    "special": {
      "setuid": false,
      "setgid": false,
      "sticky": false
    },
    "metadata": {
      "size": 0,
      "access": "2026-01-26 15:43:27",
      "change": "2026-01-26 15:43:27",
      "creation": "2026-01-26 15:43:27"
    }
  }
}
```
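The example below is added here and is not Jibril's own code: it consumes an enriched event in the format shown above and does what the Use Cases and Container Escape Detection sections describe, matching the triggering process to its container through the namespace ids and flagging when the accessed file sits under a bind mount backed by a host path. The sample event is a constructed, trimmed copy of the one above; the `privileged` key is an assumed field name, since the page lists the attribute but not its JSON key.

```python
import json

# Constructed sample, trimmed from the enriched event on this page (not live output).
SAMPLE_EVENT = json.loads("""{
  "background": {
    "containers": {"containers": [{
      "id": "6c0428dd2e67", "name": "container01", "image": "alpine:latest",
      "network_mode": "bridge",
      "mounts": [
        {"source": "proc", "destination": "/proc", "type": "proc"},
        {"source": "/var/lib/docker/containers/6c0428dd2e675f97dc292999a9315ab567d38e72c980898c030f84952ba37c92/hosts",
         "destination": "/etc/hosts", "type": "bind"}],
      "namespaces": {"mnt_ns": 4026532536, "pid_ns": 4026532645}}]},
    "ancestry": [
      {"pid": 1, "comm": "systemd", "namespaces": {"mnt_ns": 4026531841, "pid_ns": 4026531836}},
      {"pid": 1275304, "comm": "touch", "args": "touch /tmp/blergh",
       "namespaces": {"mnt_ns": 4026532536, "pid_ns": 4026532645}}]},
  "file": {"path": "/tmp/blergh"}}""")

def find_container(event):
    """Match the triggering process (last ancestry entry) to a container by its
    mount and PID namespace ids, as the enricher's namespace tables allow."""
    ancestry = event["background"]["ancestry"]
    if not ancestry:
        return None
    proc_ns = ancestry[-1]["namespaces"]
    for c in event["background"]["containers"]["containers"]:
        ns = c["namespaces"]
        if ns["mnt_ns"] == proc_ns["mnt_ns"] and ns["pid_ns"] == proc_ns["pid_ns"]:
            return c
    return None

def host_bind_sources(event, container):
    """Host paths reached through a bind mount that covers the accessed file."""
    path = event["file"]["path"]
    hits = []
    for m in container.get("mounts", []):
        dest = m.get("destination", "").rstrip("/")
        if m.get("type") == "bind" and m["source"].startswith("/") and dest:
            if path == dest or path.startswith(dest + "/"):
                hits.append(m["source"])
    return hits

def assess(event):
    """Return the responsible container plus the risk context an analyst wants."""
    c = find_container(event)
    if c is None:                      # no container match: host process
        return {"container": None, "risk": []}
    risk = []
    if c.get("privileged", False):     # assumed key name for the Privileged field
        risk.append("privileged")
    if c.get("network_mode") == "host":
        risk.append("host-network")
    risk += ["host-bind:" + s for s in host_bind_sources(event, c)]
    return {"container": c["name"], "image": c["image"], "risk": risk}

def with_file(event, path):
    """Copy of an event with a different accessed path (for trying variants)."""
    e = json.loads(json.dumps(event))
    e["file"]["path"] = path
    return e
```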