PromQL Queries for Security and Incident Response Teams
2020-03-29, 09:45–10:15, Room 1

Prometheus monitoring is useful not only to platform operators, service owners and DevOps teams; it also gives security and SOC teams great visibility.
In this talk we will go through several use cases where security and incident response teams have found themselves leveraging monitoring tools like Prometheus to identify and analyze typical attacks on containers running on Kubernetes.
A sudden sustained increase of your CPU usage might be some kind of cryptomining attack on your containers. A new CVE has been discovered and some of your apps might be affected. Your cluster is scaling out for no reason. In this talk we will cover these and more real use cases of metrics and PromQL queries that will make your DevSecOps team love Prometheus even more.
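The three scenarios above map naturally onto Prometheus alerting rules. The rules file below is an added example written for this page, not material from the talk. It assumes the cluster scrapes cAdvisor (for container_cpu_usage_seconds_total) and kube-state-metrics (for kube_pod_container_info and kube_node_info); the multiplier, thresholds, durations and the image pattern are placeholders to be tuned per cluster and per advisory.

```yaml
# Added example: PromQL alerting rules for the use cases named in the abstract.
# Metric names assume cAdvisor and kube-state-metrics are scraped; every
# threshold and the image pattern are placeholders, not values from the talk.
groups:
  - name: security-promql-examples
    rules:
      # 1. Sudden, sustained CPU increase (e.g. a cryptominer dropped into a
      #    container). The current 5-minute CPU rate is compared with the rate
      #    one hour earlier; a floor of 0.5 cores keeps idle containers that go
      #    from ~0 to a trickle from alerting, and "for: 15m" drops short bursts.
      - alert: ContainerCpuSustainedSpike
        expr: |
          sum by (namespace, pod, container) (
            rate(container_cpu_usage_seconds_total{container!=""}[5m])
          )
          >
          3 * sum by (namespace, pod, container) (
            rate(container_cpu_usage_seconds_total{container!=""}[5m] offset 1h)
          )
          and
          sum by (namespace, pod, container) (
            rate(container_cpu_usage_seconds_total{container!=""}[5m])
          ) > 0.5
        for: 15m
        labels:
          severity: warning
        annotations:
          summary: "CPU of {{ $labels.namespace }}/{{ $labels.pod }}/{{ $labels.container }} is over 3x its level one hour ago"
          description: "Sustained CPU growth with no deploy or traffic change is worth a look for unexpected processes."

      # 2. A new CVE is published: which running containers still use the
      #    affected image versions? The regex is a placeholder; replace it with
      #    the image name and version range listed in the advisory.
      - alert: ContainerRunningVulnerableImage
        expr: |
          count by (namespace, pod, container, image) (
            kube_pod_container_info{image=~".*/example-app:1\\.2\\..*"}
          ) > 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} runs {{ $labels.image }}, which matches the vulnerable image pattern"

      # 3. The cluster is scaling out for no obvious reason: the node count
      #    grew by more than 2 within an hour. The offset compares against the
      #    node set as it was one hour ago.
      - alert: UnexpectedClusterScaleOut
        expr: |
          count(kube_node_info) > count(kube_node_info offset 1h) + 2
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Node count rose from {{ with query \"count(kube_node_info offset 1h)\" }}{{ . | first | value }}{{ end }} to {{ $value }} in the last hour"
          description: "Correlate with pending pods and autoscaler activity before treating this as benign."
```

Each expression can be pasted into the Prometheus UI on its own to see which series would fire before the rule is loaded; the `for` durations are what turn a momentary blip into a sustained condition worth an incident-response look.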


In this talk I will give a security point of view on Prometheus monitoring. We tend to associate Prometheus with visibility, troubleshooting and dashboards, but the metrics offer a much wider range of possibilities.
The DevSecOps approach “you code it, you build it, you run it” now has one more item: “you secure it”. Many security issues have to be addressed by the DevOps teams who know the applications best.
This talk will encourage you to use all the tools at hand in different ways to help you achieve all your goals.