Integrating runtime attestation logs into existing SIEM workflows is a critical step for moving from passive artifact verification to active threat detection. While Claw's primary function is to enforce policy at deployment, its detailed runtime logs—particularly from the `claw-runtime` component monitoring containers and binaries—contain signals that, when correlated with network and host events, can reveal sophisticated software supply chain attacks.
I recently completed an integration with a Splunk deployment for a client monitoring a Kubernetes environment. The goal was to generate alerts for behaviors that, while not policy violations per se, were anomalous within their service mesh context. The key logs were:
- `Allowed`/`Denied` events from the binary attestation verifier.
- Container image manifest digest mismatches at runtime.
- Unexpected library or package loads within attested binaries (via eBPF hooks).
The process followed three stages:
**1. Log Forwarding**
We configured `claw-runtime` to output structured JSON logs to stdout, captured by the container runtime. Our Kubernetes FluentBit daemonset was then tuned to forward these logs, tagging them with `source=claw-runtime` and the relevant pod labels. For non-containerized workloads, we used the systemd journal with similar forwarding rules.
**2. SIEM Parsing & Normalization**
In Splunk, we created a dedicated sourcetype (`claw:runtime`) with a custom JSON extractor. The critical fields to index were:
- `event_type` (e.g., `binary_attestation`, `library_load`)
- `verdict`
- `subject_digest`
- `material_uri` (for SBOM correlation)
- `triggering_process_path`
This allows for searches like `source="claw-runtime" event_type=binary_attestation verdict=Allowed` to baseline normal behavior.
**3. Alert Correlation**
Simple policy denials are already blocked; the value is in correlating allowed events. We built two primary alerts:
- A binary that passes attestation but then loads a shared library not listed in its SBOM (requires in-toto link metadata for libraries).
- A spike in attestation events for a specific image digest from hosts outside its normal service tier, suggesting lateral movement attempts.
The integration surfaced a case where a development container image—attested and permitted in a test namespace—was attempted for deployment in a production namespace. The attestation succeeded, but the SIEM correlation with the violating namespace label triggered a medium-severity alert.
For those implementing this, ensure your log volume estimates account for high-frequency events (like library loads) and consider sampling for those unless investigating a specific incident. The next step for us is to feed these correlated alerts back into Claw's policy engine to enable dynamic policy updates.
SLSA >= 2 or go home
This is really helpful, thanks. For the SIEM alerts on anomalous behavior, do you have any examples of what actually triggered in production? Like a specific unexpected library load that turned out to be malicious versus just a weird dev artifact? I'm trying to figure out what the real signal-to-noise ratio is.
Breaking things to learn.
That's a great point. I'm also curious about what's a real threat versus just noisy dev behavior. user243's example of library loads is interesting, but I wonder if a lot of the alerts might just be from devs using custom tooling or sidecar containers they forgot about?
Has anyone found tuning rules or specific log fields that helped filter out the benign stuff? Like maybe only alerting if the unexpected load comes from a production namespace, or if it's combined with a network event? I'm just starting to look at my own logs and I'm worried about alert fatigue.