diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 4d04206faa5..a3386133c2d 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -170,6 +170,7 @@
 /packages/etcd @elastic/obs-infraobs-integrations
 /packages/f5 @elastic/security-service-integrations
 /packages/f5_bigip @elastic/security-service-integrations
+/packages/falco @elastic/security-service-integrations
 /packages/fim @elastic/sec-linux-platform
 /packages/fireeye @elastic/security-service-integrations
 /packages/fleet_server @elastic/fleet
diff --git a/packages/falco/LICENSE.txt b/packages/falco/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/falco/LICENSE.txt
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/falco/_dev/build/build.yml b/packages/falco/_dev/build/build.yml new file mode 100644 index 00000000000..e2b012548e0 --- /dev/null +++ b/packages/falco/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.11.0 diff --git a/packages/falco/_dev/build/docs/README.md b/packages/falco/_dev/build/docs/README.md new file mode 100644 index 00000000000..69b5cc5eabd --- /dev/null +++ b/packages/falco/_dev/build/docs/README.md 
@@ -0,0 +1,46 @@ +# Falco Integration +This integration allows for the shipping of [Falco](https://falco.org/) alerts to Elastic for observability and organizational awareness. Alerts can then be analyzed by using either the dashboard included with the integration or via the creation of a custom dashboard within Kibana. + +## Data Streams +The Falco integration collects one type of data stream: logs. + +**Logs** The Logs data stream collected by the Falco integration is comprised of Falco Alerts. See more details about Falco Alerts in [Falco's Outputs Documentation](https://falco.org/docs/outputs/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference) + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Falco must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive fields output by Falco's rules. If a rule does not include a desired field the rule must be edited in Falco to add the field. + +This integration is compatible with Falco version 0.37 and above, and should not be expected to perform successfully in lower versions. + +## Setup + +For step-by-step instructions on how to set up an integration, see the {{ url "getting-started-observability" "Getting started" }} guide. + +In order to capture alerts from Falco you **must** configure Falco to output Alerts as JSON to one of the supported channels: [Logfile](#logfile-input) or [TCP Syslog](#tcp-syslog-input). + +**Required:** To configure Falco to output JSON, set the config properties `json_output=true` and `json_include_output_property=true` in Falco's config. 
See the examples in Falco's [Output Channels documentation](https://falco.org/docs/outputs/channels/#http-output). + +### Logfile Input + +The logfile input reads data from one or more Falco log files using the Elastic Agent. Use this input when the Elastic Agent will be deployed to the same machine as Falco or when Falco's log files are available via a mounted filesystem. + +To use this input Falco must be configured to output alerts to a log file. See Falco's [File Output](https://falco.org/docs/outputs/channels/#file-output) documentation for details. + +### TCP Syslog Input + +The TCP Syslog input allows the Elastic Agent to receive Falco Alerts via remote syslog. Use this input when you want to send data via [Falco Sidekick](https://github.com/falcosecurity/falcosidekick). + +To use this input you will need to deploy the Elastic Agent *first* and then configure and deploy Falco Sidekick to send Alerts to the Agent via Syslog. See [Syslog Output](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md) and [Connecting Falco to Sidekick](https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#connect-falco) for more details. + +## Logs Reference + +### alerts + +Falco alerts can contain a multitude of various fields pertaining to the type of activity on the host machine. + +{{ fields "alerts" }} + +{{ event "alerts" }} diff --git a/packages/falco/_dev/deploy/docker/docker-compose.yml b/packages/falco/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..909624a6d6d --- /dev/null +++ b/packages/falco/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,13 @@ +services: + falco-tcp: + image: docker.elastic.co/observability/stream:v0.15.0 + volumes: + - ./sample_syslog:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9030 -p=tcp /sample_logs/*.log + falco-logfile: + image: alpine + volumes: + - ./sample_logfile:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: /bin/sh -c "cp /sample_logs/* /var/log/" diff --git a/packages/falco/_dev/deploy/docker/sample_logfile/sample.log b/packages/falco/_dev/deploy/docker/sample_logfile/sample.log new file mode 100644 index 00000000000..3e7770407ef --- /dev/null +++ b/packages/falco/_dev/deploy/docker/sample_logfile/sample.log 
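Review bot: The falco-logfile service pulls `image: alpine` with no tag, so the logfile fixture resolves to whatever `latest` is on the test host at pull time, while falco-tcp in the same file pins `stream:v0.15.0`; pin this one the same way, `image: alpine:<PINNED_TAG>` (placeholder — pick the tag the repository's other packages use), so the system test stays reproducible and the base image can be audited against a known version. A digest pin would be stricter still, if that matches how other `_dev/deploy` files in the repository pin images. Both services bind `${SERVICE_LOGS_DIR}` to `/var/log` read-write although only falco-logfile writes there via `cp`; a one-line comment on the falco-tcp mount stating why it is needed would keep a later reader from dropping it.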
@@ -0,0 +1,17 @@ +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:19.341081180Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108059341081180,"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2024-05-07T18:54:20.008519431Z", "output_fields": 
{"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108060008519431,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:26.271403849+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:26.271403849Z", "output_fields": {"container.id":"9656db3bb358","container.full_id":"9656db3bb3588e7b23da7d48fe889434573036c27ae5a74837233de441c3601e","container.name":"elastic-package-service-falco-event-generator-1","container.image": "falcosecurity/event-generator:0.10.0","container.image.tag":"0.10.0","container.image.digest":["sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27"],"container.image.id":"16e0fa09a4f1018f22be6cce3ec21848dccaa566b063bda4c814c37dc36adfea","container.image.repository":"falcosecurity/event-generator","evt.time.iso8601":1715108066271403849,"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run 
--loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:27.767673017+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3982217557/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2024-05-07T18:54:27.767673017Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108067767673017,"evt.type":"execve","proc.cmdline":"bash -c ls > /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator3982217557/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":[],"time":"2024-05-07T18:54:20.008519431Z", "output_fields": 
{"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108060008519431,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:26.104747558+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2024-05-13T13:23:26.104747558Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1715606606104747558,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:27.021777225+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator2286495765/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Notice","rule":"Run shell 
untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2024-05-13T13:23:27.021777225Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1715606607021777225,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"runc","proc.aname[5]":"init","proc.aname[6]":"init","proc.aname[7]":null,"proc.cmdline":"bash -c ls > /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator2286495765/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:28.170686725+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:28.170686725Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606608170686725,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run 
--loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file 
untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "SUCCESS","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:31.089890892+0000: Warning Sensitive file opened for reading by non-trusted program 
(file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:31.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.num":4525,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","k8s.ns.name":"kubernetes-ns","k8s.pod.ip":"175.16.199.0/24","k8s.pod.name":"kubernetes-pod-1","k8s.pod.uid":"aadadjh763wiuh","k8s.pod.labels":["key1:value1","key2:value2","key3:value3"],"proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:33.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:33.089890892Z", "output_fields": 
{"container.id":"84c0b936c919","container.mounts":"/proc/sys/fs/binfmt_misc:/tmp/binary:bind:ro:private /var/log:/mnt/log:bind:rw:shared","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:34.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:34.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","container.type":"docker","container.privileged":true,"container.ip":"81.2.69.144","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","fd.cip.name":"example.com","fd.sip.name":"otherexample.com","fd.rip.name":"fourthexample.com","fd.lip.name":"thirdexample.com","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run 
--loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:36.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:36.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","fd.directory":"var/log/example","fd.filename":"example.tar.gz","fd.cip":"216.160.83.56","fd.sip":"89.160.20.112","fd.lip":"89.160.20.128","fd.rip":"67.43.156.0","fd.cport":5400,"fd.sport":5700,"fd.lport":5689,"fd.rport":6789,"fd.ino":"567874","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:37.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 
container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:37.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","group.gid":"123355","group.name":"test-1","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdnargs": 1,"proc.env":"TEST_VALUE1=testvalue1 TEST_VALUE2=testvalue2","proc.cwd":"/bin/event-generator","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.args":"run --loop","proc.name":"event-generator","proc.pid":133567,"proc.ppid":133568,"proc.vpgid":4555852,"proc.vpgid.name":"generic-process","proc.vpgid.exepath":"/bin/event-generator","proc.ppid.duration":2345,"proc.ppid.ts":"23455","proc.pid.ts":"23451","proc.vpid":133569,"proc.pvpid":133570,"proc.sid":133571,"proc.sid.exepath":"/bin/event-generator","proc.sname":"containerd-shim","proc.is_sid_leader":true,"proc.is_vpgid_leader":false,"proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:38.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file 
untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:38.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.pexepath":"/bin/event-generator","proc.exepath":"/bin/event-generator","proc.args":"run --loop -v","proc.name":"event-generator","proc.pname":"containerd-shim","proc.duration":"662789","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} \ No newline at end of file diff --git a/packages/falco/_dev/deploy/docker/sample_syslog/sample.log b/packages/falco/_dev/deploy/docker/sample_syslog/sample.log new file mode 100644 index 00000000000..e061db46d8f --- /dev/null +++ b/packages/falco/_dev/deploy/docker/sample_syslog/sample.log 
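Review bot: The fixture ends with `\ No newline at end of file`, so the final event — the only one carrying `evt.time`, `proc.duration` and `proc.args` with `-v` — has no line terminator; line-oriented readers commonly hold an unterminated last line until more data arrives, so that event may never reach the pipeline in the logfile system test, and a trailing newline should be added. Separately, `"k8s.pod.ip":"175.16.199.0/24"` is a CIDR rather than an address; if the pipeline maps it to an `ip`-typed field the document will be rejected at index time, and since the pipeline is not in this diff it is worth confirming this is a deliberate error-path case rather than a typo. Several events also share `evt.time.iso8601` 1715606609089890892 while their `time` values differ by seconds, which matters if `@timestamp` is derived from the former; a short comment in the expected-output file naming which field drives `@timestamp` would make the fixture easier to review.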
@@ -0,0 +1,17 @@ +<5>2024-08-07T13:49:16Z a72f9a747cf8 Falco[1]: {"uuid":"23716645-4d9d-4254-9429-2a287a9af199","output":"2024-08-07T13:49:16.479964318+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3282684109/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\u003cNA\u003e aname[7]=\u003cNA\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","time":"2024-08-07T13:49:16.479964318Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1723038556479964318,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"containerd-shim","proc.aname[5]":"init","proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"bash -c ls \u003e /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator3282684109/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:49:51Z a72f9a747cf8 Falco[1]: {"uuid":"f910e4b2-a48a-4fd6-a0e9-8a92011b0967","output":"2024-08-07T13:49:51.594375833+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim 
ggparent=containerd-shim gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after startup","time":"2024-08-07T13:49:51.594375833Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038591594375833,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"containerd-shim","proc.aname[4]":"init","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run --loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<6>2024-08-07T13:49:51Z a72f9a747cf8 Falco[1]: {"uuid":"a9f98848-b6de-4762-9208-3aa6ea75836b","output":"2024-08-07T13:49:51.703321833+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Informational","rule":"System user 
interactive","time":"2024-08-07T13:49:51.703321833Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1723038591703321833,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:49:52Z a72f9a747cf8 Falco[1]: {"uuid":"08afe288-a2e9-42f6-be0c-58d3491371e9","output":"2024-08-07T13:49:52.577159500+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=init gggparent=\u003cNA\u003e evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-08-07T13:49:52.5771595Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038592577159500,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"init","proc.aname[4]":null,"proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<5>2024-08-07T13:49:54Z a72f9a747cf8 Falco[1]: {"uuid":"a55cfede-8bc6-4d31-8ddd-8c6357d08bf1","output":"2024-08-07T13:49:54.671805751+0000: 
Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator1582963572/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\u003cNA\u003e aname[7]=\u003cNA\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","time":"2024-08-07T13:49:54.671805751Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1723038594671805751,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"containerd-shim","proc.aname[5]":"init","proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"bash -c ls \u003e /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator1582963572/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:49:33Z a72f9a747cf8 Falco[1]: {"uuid":"6226017d-46ce-4cb1-b9df-de9bd0b3d6f5","output":"2024-08-07T13:49:32.984941866+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=containerd-shim gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator 
command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after startup","time":"2024-08-07T13:49:32.984941866Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038572984941866,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"containerd-shim","proc.aname[4]":"init","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run --loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<6>2024-08-07T13:49:33Z a72f9a747cf8 Falco[1]: {"uuid":"8587b0c0-ed2d-4ab9-910b-317ed6d24fd8","output":"2024-08-07T13:49:33.096302617+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Informational","rule":"System user 
interactive","time":"2024-08-07T13:49:33.096302617Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1723038573096302617,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:49:33Z a72f9a747cf8 Falco[1]: {"uuid":"9ba61ad6-88f5-4569-8e72-5e6898ca4a4e","output":"2024-08-07T13:49:33.661685533+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=init gggparent=\u003cNA\u003e evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-08-07T13:49:33.661685533Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038573661685533,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"init","proc.aname[4]":null,"proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<5>2024-08-07T13:49:35Z a72f9a747cf8 Falco[1]: 
{"uuid":"30a75e4c-4782-4861-ac37-ee7474d72d37","output":"2024-08-07T13:49:35.686482576+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator959862485/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\u003cNA\u003e aname[7]=\u003cNA\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","time":"2024-08-07T13:49:35.686482576Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1723038575686482576,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"containerd-shim","proc.aname[5]":"init","proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"bash -c ls \u003e /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator959862485/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:52:15Z a72f9a747cf8 Falco[1]: {"uuid":"be9e0511-8645-48c8-b503-d1b71a85908d","output":"2024-08-07T13:52:15.888895608+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=containerd-shim gggparent=init evt_type=openat user=root user_uid=0 
user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after startup","time":"2024-08-07T13:52:15.888895608Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038735888895608,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"containerd-shim","proc.aname[4]":"init","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run --loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<6>2024-08-07T13:52:16Z a72f9a747cf8 Falco[1]: {"uuid":"02ce1f94-18f1-46b1-9286-d94e811b3cbf","output":"2024-08-07T13:52:15.999926775+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Informational","rule":"System user 
interactive","time":"2024-08-07T13:52:15.999926775Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1723038735999926775,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:52:16Z a72f9a747cf8 Falco[1]: {"uuid":"96f7b259-4529-4963-b139-17ca91a8e4fa","output":"2024-08-07T13:52:16.883443608+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=init gggparent=\u003cNA\u003e evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-08-07T13:52:16.883443608Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038736883443608,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"init","proc.aname[4]":null,"proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:52:18Z a72f9a747cf8 Falco[1]: 
{"uuid":"5912fd92-a26d-440d-afd1-f161398f747e","output":"2024-08-07T13:52:18.406629567+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=init gggparent=\u003cNA\u003e evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","time":"2024-08-07T13:52:18.406629567Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038738406629567,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"init","proc.aname[4]":null,"proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<5>2024-08-07T13:52:21Z a72f9a747cf8 Falco[1]: {"uuid":"5939ab78-2496-4dac-bcef-80960766e095","output":"2024-08-07T13:52:21.559676652+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator923269073/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\u003cNA\u003e aname[7]=\u003cNA\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e 
container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","time":"2024-08-07T13:52:21.559676652Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1723038741559676652,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"containerd-shim","proc.aname[5]":"init","proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"bash -c ls \u003e /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator923269073/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"hostname":"e822ea6618ae"} +<4>2024-08-07T13:52:27Z a72f9a747cf8 Falco[1]: {"uuid":"27e026ab-aff1-4270-ae0c-469ed95cd021","output":"2024-08-07T13:52:27.869416238+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=containerd-shim gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after 
startup","time":"2024-08-07T13:52:27.869416238Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.time.iso8601":1723038747869416238,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"containerd-shim","proc.aname[3]":"containerd-shim","proc.aname[4]":"init","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run --loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"hostname":"e822ea6618ae"} +<6>2024-08-07T13:52:27Z a72f9a747cf8 Falco[1]: {"uuid":"5501216c-4dc5-466d-9c85-f35d8eca46e7","output":"2024-08-07T13:52:27.977094822+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","time":"2024-08-07T13:52:27.977094822Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1723038747977094822,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"hostname":"e822ea6618ae"} +<5>2024-08-07T13:52:30Z a72f9a747cf8 Falco[1]: {"uuid":"39f1509a-a072-4f23-829c-c3a7e38def51","output":"2024-08-07T13:52:30.385538781+0000: Notice Shell spawned by 
untrusted binary (parent_exe=/tmp/falco-event-generator545907734/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\u003cNA\u003e aname[7]=\u003cNA\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","time":"2024-08-07T13:52:30.385538781Z","output_fields":{"container.id":"2ae6a7f15b6e","container.name":"elastic-package-service-10413-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1723038750385538781,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"containerd-shim","proc.aname[5]":"init","proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"bash -c ls \u003e /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator545907734/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"hostname":"e822ea6618ae"}
\ No newline at end of file
diff --git a/packages/falco/changelog.yml b/packages/falco/changelog.yml
new file mode 100644
index 00000000000..5c6fb40174a
--- /dev/null
+++ b/packages/falco/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial release of the Falco package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9619
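Review bot: Every line in this fixture carries two different host identities — the syslog header host `a72f9a747cf8` and the payload's `"hostname":"e822ea6618ae"` — so the expected output for this sample should pin which one ends up in `host.name`; the payload value is the host Falco itself reported, while the header host is only the relay or container that emitted the syslog line, and confusing the two would misattribute every alert in a multi-host deployment. The header timestamps are whole-second and not always consistent with the payload (`<4>2024-08-07T13:49:33Z` wraps an event whose `time` is `2024-08-07T13:49:32.984941866Z`), so `@timestamp` should be taken from the JSON `time` field rather than the syslog header to keep sub-second ordering intact. The pipeline is not part of this diff, so I cannot confirm which source it currently uses for either field. The sample also only exercises the Notice, Warning and Informational priorities, all with `"source":"syscall"`; one line each at Emergency, Alert, Critical, Error and Debug, plus a non-syscall source, would cover the rest of the severity mapping that these three rules leave untested.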
diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log
new file mode 100644
index 00000000000..3e7770407ef
--- /dev/null
+++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log
@@ -0,0 +1,17 @@ +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:19.341081180Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108059341081180,"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2024-05-07T18:54:20.008519431Z", "output_fields": 
{"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108060008519431,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:26.271403849+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:26.271403849Z", "output_fields": {"container.id":"9656db3bb358","container.full_id":"9656db3bb3588e7b23da7d48fe889434573036c27ae5a74837233de441c3601e","container.name":"elastic-package-service-falco-event-generator-1","container.image": "falcosecurity/event-generator:0.10.0","container.image.tag":"0.10.0","container.image.digest":["sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27"],"container.image.id":"16e0fa09a4f1018f22be6cce3ec21848dccaa566b063bda4c814c37dc36adfea","container.image.repository":"falcosecurity/event-generator","evt.time.iso8601":1715108066271403849,"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run 
--loop","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:27.767673017+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3982217557/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2024-05-07T18:54:27.767673017Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108067767673017,"evt.type":"execve","proc.cmdline":"bash -c ls > /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator3982217557/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":[],"time":"2024-05-07T18:54:20.008519431Z", "output_fields": 
{"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108060008519431,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:26.104747558+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2024-05-13T13:23:26.104747558Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.arg.flags":"0","evt.time.iso8601":1715606606104747558,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:27.021777225+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator2286495765/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Notice","rule":"Run shell 
untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2024-05-13T13:23:27.021777225Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.arg.flags":"EXE_WRITABLE","evt.time.iso8601":1715606607021777225,"evt.type":"execve","proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"runc","proc.aname[5]":"init","proc.aname[6]":"init","proc.aname[7]":null,"proc.cmdline":"bash -c ls > /dev/null","proc.exepath":"/bin/bash","proc.name":"bash","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator2286495765/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:28.170686725+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:28.170686725Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606608170686725,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run 
--loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file 
untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "SUCCESS","fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:29.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:31.089890892+0000: Warning Sensitive file opened for reading by non-trusted program 
(file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:31.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.num":4525,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","k8s.ns.name":"kubernetes-ns","k8s.pod.ip":"175.16.199.0/24","k8s.pod.name":"kubernetes-pod-1","k8s.pod.uid":"aadadjh763wiuh","k8s.pod.labels":["key1:value1","key2:value2","key3:value3"],"proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:33.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:33.089890892Z", "output_fields": 
{"container.id":"84c0b936c919","container.mounts":"/proc/sys/fs/binfmt_misc:/tmp/binary:bind:ro:private /var/log:/mnt/log:bind:rw:shared","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:34.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:34.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","container.type":"docker","container.privileged":true,"container.ip":"81.2.69.144","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","fd.cip.name":"example.com","fd.sip.name":"otherexample.com","fd.rip.name":"fourthexample.com","fd.lip.name":"thirdexample.com","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run 
--loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:36.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:36.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","fd.directory":"var/log/example","fd.filename":"example.tar.gz","fd.cip":"216.160.83.56","fd.sip":"89.160.20.112","fd.lip":"89.160.20.128","fd.rip":"67.43.156.0","fd.cport":5400,"fd.sport":5700,"fd.lport":5689,"fd.rport":6789,"fd.ino":"567874","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:37.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 
container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:37.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","group.gid":"123355","group.name":"test-1","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdnargs": 1,"proc.env":"TEST_VALUE1=testvalue1 TEST_VALUE2=testvalue2","proc.cwd":"/bin/event-generator","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.args":"run --loop","proc.name":"event-generator","proc.pid":133567,"proc.ppid":133568,"proc.vpgid":4555852,"proc.vpgid.name":"generic-process","proc.vpgid.exepath":"/bin/event-generator","proc.ppid.duration":2345,"proc.ppid.ts":"23455","proc.pid.ts":"23451","proc.vpid":133569,"proc.pvpid":133570,"proc.sid":133571,"proc.sid.exepath":"/bin/event-generator","proc.sname":"containerd-shim","proc.is_sid_leader":true,"proc.is_vpgid_leader":false,"proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} +{"hostname":"a2000de987ff","output":"2024-05-13T13:23:38.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file 
untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-13T13:23:38.089890892Z", "output_fields": {"container.id":"84c0b936c919","container.name":"elastic-package-service-falco-event-generator-1","evt.time":1715606609089890892,"evt.type":"openat","evt.res": "ENOENT","evt.failed":true,"fd.name":"/etc/shadow","proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run --loop","proc.pexepath":"/bin/event-generator","proc.exepath":"/bin/event-generator","proc.args":"run --loop -v","proc.name":"event-generator","proc.pname":"containerd-shim","proc.duration":"662789","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}} \ No newline at end of file diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-config.yml b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-config.yml new file mode 100644 index 00000000000..416c9e9e0bf --- /dev/null +++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ^\d{4}-[01]\d-[0-3]\dT[0-2]\d:[0-5]\d:[0-5]\d\.\d+([+-][0-2]\d:[0-5]\d|Z)$ +fields: + log.file.path: /var/foo/events.log + tags: ["preserve_original_event", "preserve_falco_fields"] diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json new file mode 100644 index 00000000000..8c1c42ff858 --- /dev/null +++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json 
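Review bot: The pipeline test runs only with both `preserve_original_event` and `preserve_falco_fields` set, so the default ingest path — where `event.original` and the `falco.*` subtree are supposed to be removed — is never exercised, and a regression in those remove steps would pass unnoticed. A second config over the same log, e.g. `test-falco-default.log-config.yml` with `tags: []`, would cover the path most deployments actually use. The expected output visible further down also carries a literal `"falco.container.mounts": null` on every event, which suggests some processor emits that key even when the source has no `container.mounts`; a guard such as `if: ctx.falco?.output_fields?.container?.mounts != null` or a `remove` with `ignore_missing: true` would keep the null out of indexed documents, though the pipeline definition itself is outside this view.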
@@ -0,0 +1,1985 @@ +{ + "expected": [ + { + "@timestamp": "2024-05-07T18:54:19.341Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109951218Z", + "kind": "alert", + "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-07T18:54:19.341081180Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108059341081180,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 
container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715108059341 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-07T18:54:19.341081180Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-07T18:54:20.008Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109971884Z", + "kind": "alert", + "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox 
parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[\"NIST_800-53_AC-2\",\"T1059\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"users\"],\"time\":\"2024-05-07T18:54:20.008519431Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108060008519431,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 1, + "event.type": [ + "start" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715108060008 + }, + "type": "execve" + }, + "proc": { + "cmdline": "login", + "exepath": "/bin/busybox", + "name": "login", + "pname": "event-generator", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "daemon", + "uid": "2" + } + }, + "priority": "Informational", + "rule": "System user interactive", + "source": "syscall", + "tags": [ + "NIST_800-53_AC-2", + "T1059", + "container", + "host", + "maturity_stable", + "mitre_execution", + "users" + ], + "time": "2024-05-07T18:54:20.008519431Z" + }, + 
"falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "login", + "executable": "/bin/busybox", + "name": "login", + "parent": { + "name": "event-generator" + }, + "user": { + "id": "2", + "name": "daemon" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "System user interactive" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1059" + ] + }, + { + "@timestamp": "2024-05-07T18:54:26.271Z", + "container": { + "id": "9656db3bb358", + "image": { + "hash": { + "all": [ + "sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27" + ] + }, + "name": "falcosecurity/event-generator:0.10.0" + }, + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109973551Z", + "kind": "alert", + "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:26.271403849+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file trusted after startup\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-07T18:54:26.271403849Z\", \"output_fields\": 
{\"container.id\":\"9656db3bb358\",\"container.full_id\":\"9656db3bb3588e7b23da7d48fe889434573036c27ae5a74837233de441c3601e\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"container.image\": \"falcosecurity/event-generator:0.10.0\",\"container.image.tag\":\"0.10.0\",\"container.image.digest\":[\"sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27\"],\"container.image.id\":\"16e0fa09a4f1018f22be6cce3ec21848dccaa566b063bda4c814c37dc36adfea\",\"container.image.repository\":\"falcosecurity/event-generator\",\"evt.time.iso8601\":1715108066271403849,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.cmdline\":\"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"httpd\",\"proc.pcmdline\":\"event-generator run --loop\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:26.271403849+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "full_id": "9656db3bb3588e7b23da7d48fe889434573036c27ae5a74837233de441c3601e", + "id": "9656db3bb358", + "image": { + "digest": [ + "sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27" + ], + "id": 
"16e0fa09a4f1018f22be6cce3ec21848dccaa566b063bda4c814c37dc36adfea", + "name": "falcosecurity/event-generator:0.10.0", + "repository": "falcosecurity/event-generator", + "tag": "0.10.0" + }, + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715108066271 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s", + "exepath": "/bin/event-generator", + "name": "httpd", + "pcmdline": "event-generator run --loop", + "pname": "event-generator", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file trusted after startup", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-07T18:54:26.271403849Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s", + "executable": "/bin/event-generator", + "name": "httpd", + "parent": { + "command_line": "event-generator run --loop", + "name": "event-generator" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "Read sensitive file trusted after startup" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-07T18:54:27.767Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109974759Z", + "kind": "alert", + "original": 
"{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:27.767673017+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3982217557/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell untrusted\",\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"time\":\"2024-05-07T18:54:27.767673017Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108067767673017,\"evt.type\":\"execve\",\"proc.cmdline\":\"bash -c ls > /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator3982217557/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 2, + "event.type": [ + "start" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:27.767673017+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3982217557/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash 
proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715108067767 + }, + "type": "execve" + }, + "proc": { + "cmdline": "bash -c ls > /dev/null", + "exepath": "/bin/bash", + "name": "bash", + "pcmdline": "httpd --loglevel info run ^helper.RunShell$", + "pexe": "/tmp/falco-event-generator3982217557/httpd", + "pexepath": "/bin/event-generator", + "pname": "httpd", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Notice", + "rule": "Run shell untrusted", + "source": "syscall", + "tags": [ + "T1059.004", + "container", + "host", + "maturity_stable", + "mitre_execution", + "process", + "shell" + ], + "time": "2024-05-07T18:54:27.767673017Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "bash -c ls > /dev/null", + "executable": "/bin/bash", + "name": "bash", + "parent": { + "command_line": "httpd --loglevel info run ^helper.RunShell$", + "executable": "/bin/event-generator", + "name": "httpd" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "Run shell untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1059" + ], + "threat.technique.subtechnique.id": [ + "T1059.004" + ] + }, + { + "@timestamp": "2024-05-07T18:54:20.008Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": 
"2024-08-14T12:27:08.109975926Z", + "kind": "alert", + "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[],\"time\":\"2024-05-07T18:54:20.008519431Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108060008519431,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 1, + "event.type": [ + "start" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715108060008 + }, + "type": "execve" + }, + "proc": { + "cmdline": "login", + "exepath": "/bin/busybox", + "name": "login", + "pname": "event-generator", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "daemon", + "uid": "2" + } + }, + "priority": "Informational", + "rule": "System user interactive", + "source": 
"syscall", + "tags": [], + "time": "2024-05-07T18:54:20.008519431Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "login", + "executable": "/bin/busybox", + "name": "login", + "parent": { + "name": "event-generator" + }, + "user": { + "id": "2", + "name": "daemon" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "System user interactive" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ] + }, + { + "@timestamp": "2024-05-13T13:23:26.104Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109977051Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:26.104747558+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[\"NIST_800-53_AC-2\",\"T1059\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"users\"],\"time\":\"2024-05-13T13:23:26.104747558Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.arg.flags\":\"0\",\"evt.time.iso8601\":1715606606104747558,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", + "provider": "syscall" + }, + 
"event.category": [ + "process" + ], + "event.severity": 1, + "event.type": [ + "start" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:26.104747558+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "arg": {}, + "time": { + "iso8601": 1715606606104 + }, + "type": "execve" + }, + "proc": { + "cmdline": "login", + "exepath": "/bin/busybox", + "name": "login", + "pname": "event-generator", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "daemon", + "uid": "2" + } + }, + "priority": "Informational", + "rule": "System user interactive", + "source": "syscall", + "tags": [ + "NIST_800-53_AC-2", + "T1059", + "container", + "host", + "maturity_stable", + "mitre_execution", + "users" + ], + "time": "2024-05-13T13:23:26.104747558Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "login", + "executable": "/bin/busybox", + "name": "login", + "parent": { + "name": "event-generator" + }, + "user": { + "id": "2", + "name": "daemon" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "System user interactive" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1059" + ] + }, + { + "@timestamp": "2024-05-13T13:23:27.021Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": 
"2024-08-14T12:27:08.109981759Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:27.021777225+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator2286495765/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell untrusted\",\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"time\":\"2024-05-13T13:23:27.021777225Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.arg.flags\":\"EXE_WRITABLE\",\"evt.time.iso8601\":1715606607021777225,\"evt.type\":\"execve\",\"proc.aname[2]\":\"event-generator\",\"proc.aname[3]\":\"containerd-shim\",\"proc.aname[4]\":\"runc\",\"proc.aname[5]\":\"init\",\"proc.aname[6]\":\"init\",\"proc.aname[7]\":null,\"proc.cmdline\":\"bash -c ls > /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator2286495765/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 2, + "event.type": [ + "start" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:27.021777225+0000: Notice Shell spawned by untrusted binary 
(parent_exe=/tmp/falco-event-generator2286495765/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "arg": {}, + "time": { + "iso8601": 1715606607021 + }, + "type": "execve" + }, + "proc": { + "cmdline": "bash -c ls > /dev/null", + "exepath": "/bin/bash", + "name": "bash", + "pcmdline": "httpd --loglevel info run ^helper.RunShell$", + "pexe": "/tmp/falco-event-generator2286495765/httpd", + "pexepath": "/bin/event-generator", + "pname": "httpd", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Notice", + "rule": "Run shell untrusted", + "source": "syscall", + "tags": [ + "T1059.004", + "container", + "host", + "maturity_stable", + "mitre_execution", + "process", + "shell" + ], + "time": "2024-05-13T13:23:27.021777225Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "bash -c ls > /dev/null", + "executable": "/bin/bash", + "name": "bash", + "parent": { + "command_line": "httpd --loglevel info run ^helper.RunShell$", + "executable": "/bin/event-generator", + "name": "httpd" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Run shell untrusted" + }, + "tags": [ + "preserve_original_event", + 
"preserve_falco_fields" + ], + "threat.technique.id": [ + "T1059" + ], + "threat.technique.subtechnique.id": [ + "T1059.004" + ] + }, + { + "@timestamp": "2024-05-13T13:23:28.170Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109984176Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:28.170686725+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:28.170686725Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606608170686725,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:28.170686725+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat 
user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715606608170 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:28.170686725Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109985468Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: 
Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + 
"fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:29.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109986593Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file 
untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"SUCCESS\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "success", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "res": "SUCCESS", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + 
"T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:29.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109990426Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": 
\"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:29.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" 
+ }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109991801Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:31.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:31.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.num\":4525,\"evt.type\":\"openat\",\"evt.res\": 
\"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"k8s.ns.name\":\"kubernetes-ns\",\"k8s.pod.ip\":\"175.16.199.0/24\",\"k8s.pod.name\":\"kubernetes-pod-1\",\"k8s.pod.uid\":\"aadadjh763wiuh\",\"k8s.pod.labels\":[\"key1:value1\",\"key2:value2\",\"key3:value3\"],\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall", + "sequence": 4525 + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:31.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "failed": true, + "num": 4525, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "k8s": { + "ns": { + "name": "kubernetes-ns" + }, + "pod": { + "ip": "175.16.199.0/24", + "labels": [ + "key1:value1", + "key2:value2", + "key3:value3" + ], + "name": "kubernetes-pod-1", + "uid": "aadadjh763wiuh" + } + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } 
+ }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:31.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "orchestrator": { + "namespace": "kubernetes-ns", + "resource": { + "id": "aadadjh763wiuh", + "label": [ + "key1:value1", + "key2:value2", + "key3:value3" + ], + "name": "kubernetes-pod-1" + } + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109992968Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:33.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file 
untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:33.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.mounts\":\"/proc/sys/fs/binfmt_misc:/tmp/binary:bind:ro:private /var/log:/mnt/log:bind:rw:shared\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:33.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "mounts": "/proc/sys/fs/binfmt_misc:/tmp/binary:bind:ro:private /var/log:/mnt/log:bind:rw:shared", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + 
"name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:33.089890892Z" + }, + "falco.container.mounts": [ + { + "dest": "/tmp/binary", + "mode": "bind", + "propagation": "private", + "rdrw": "ro", + "source": "/proc/sys/fs/binfmt_misc" + }, + { + "dest": "/mnt/log", + "mode": "bind", + "propagation": "shared", + "rdrw": "rw", + "source": "/var/log" + } + ], + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "client": { + "domain": "example.com" + }, + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1", + "runtime": "docker", + "security_context": { + "privileged": true + } + }, + "destination": { + "domain": "fourthexample.com" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109994093Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:34.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 
user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:34.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"container.type\":\"docker\",\"container.privileged\":true,\"container.ip\":\"81.2.69.144\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"fd.cip.name\":\"example.com\",\"fd.sip.name\":\"otherexample.com\",\"fd.rip.name\":\"fourthexample.com\",\"fd.lip.name\":\"thirdexample.com\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:34.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + 
"ip": "81.2.69.144", + "name": "elastic-package-service-falco-event-generator-1", + "privileged": true, + "type": "docker" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "cip": { + "name": "example.com" + }, + "lip": { + "name": "thirdexample.com" + }, + "name": "/etc/shadow", + "rip": { + "name": "fourthexample.com" + }, + "sip": { + "name": "otherexample.com" + } + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:34.089890892Z" + }, + "falco.container.mounts": null, + "host": { + "ip": [ + "81.2.69.144" + ] + }, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "server": { + "domain": "otherexample.com" + }, + "source": { + "domain": "thirdexample.com" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "client": { + "address": "216.160.83.56", + "ip": "216.160.83.56", + "port": 5400 + }, + "container": { + "id": "84c0b936c919", + "name": 
"elastic-package-service-falco-event-generator-1" + }, + "destination": { + "address": "67.43.156.0", + "ip": "67.43.156.0", + "port": 6789 + }, + "event": { + "ingested": "2024-08-14T12:27:08.109995176Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:36.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:36.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"fd.directory\":\"var/log/example\",\"fd.filename\":\"example.tar.gz\",\"fd.cip\":\"216.160.83.56\",\"fd.sip\":\"89.160.20.112\",\"fd.lip\":\"89.160.20.128\",\"fd.rip\":\"67.43.156.0\",\"fd.cport\":5400,\"fd.sport\":5700,\"fd.lport\":5689,\"fd.rport\":6789,\"fd.ino\":\"567874\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": 
"a2000de987ff", + "output": "2024-05-13T13:23:36.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "client": { + "ip": "216.160.83.56" + }, + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "destination": { + "ip": "67.43.156.0" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "cport": 5400, + "directory": "var/log/example", + "filename": "example.tar.gz", + "ino": "567874", + "lport": 5689, + "name": "/etc/shadow", + "rport": 6789, + "sport": 5700 + }, + "proc": { + "cmdline": "event-generator run --loop", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "server": { + "ip": "89.160.20.112" + }, + "source": { + "ip": "89.160.20.128" + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:36.089890892Z" + }, + "falco.container.mounts": null, + "file": { + "directory": "var/log/example", + "inode": "567874", + "name": "example.tar.gz" + }, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": 
"event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "server": { + "address": "89.160.20.112", + "ip": "89.160.20.112", + "port": 5700 + }, + "source": { + "address": "89.160.20.128", + "ip": "89.160.20.128", + "port": 5689 + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109996259Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:37.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:37.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"group.gid\":\"123355\",\"group.name\":\"test-1\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdnargs\": 1,\"proc.env\":\"TEST_VALUE1=testvalue1 
TEST_VALUE2=testvalue2\",\"proc.cwd\":\"/bin/event-generator\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.args\":\"run --loop\",\"proc.name\":\"event-generator\",\"proc.pid\":133567,\"proc.ppid\":133568,\"proc.vpgid\":4555852,\"proc.vpgid.name\":\"generic-process\",\"proc.vpgid.exepath\":\"/bin/event-generator\",\"proc.ppid.duration\":2345,\"proc.ppid.ts\":\"23455\",\"proc.pid.ts\":\"23451\",\"proc.vpid\":133569,\"proc.pvpid\":133570,\"proc.sid\":133571,\"proc.sid.exepath\":\"/bin/event-generator\",\"proc.sname\":\"containerd-shim\",\"proc.is_sid_leader\":true,\"proc.is_vpgid_leader\":false,\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:37.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": { + "iso8601": 1715606609089 + }, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "group": { + "gid": "123355", + "name": "test-1" + }, + "proc": { + "args": "run --loop", + "cmdline": "event-generator run --loop", + "cmdnargs": 1, + "cwd": "/bin/event-generator", + "env": "TEST_VALUE1=testvalue1 TEST_VALUE2=testvalue2", + "exepath": "/bin/event-generator", + "is_sid_leader": true, + 
"is_vpgid_leader": false, + "name": "event-generator", + "pid": { + "ts": "23451" + }, + "pname": "containerd-shim", + "ppid": { + "duration": 2345, + "ts": "23455" + }, + "pvpid": 133570, + "sid": { + "exepath": "/bin/event-generator" + }, + "sname": "containerd-shim", + "tty": 0, + "vpgid": { + "exepath": "/bin/event-generator", + "name": "generic-process" + }, + "vpid": 133569 + }, + "process": { + "group_leader": { + "vpid": 4555852 + }, + "parent": { + "pid": 133568 + }, + "pid": 133567, + "session_leader": { + "pid": 133571 + } + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:37.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "args": [ + "/bin/event-generator", + "run", + "--loop" + ], + "args_count": 1, + "command_line": "event-generator run --loop", + "env_vars": [ + "TEST_VALUE1=testvalue1", + "TEST_VALUE2=testvalue2" + ], + "executable": "/bin/event-generator", + "group": { + "id": "123355", + "name": "test-1" + }, + "group_leader": { + "executable": "/bin/event-generator", + "name": "generic-process", + "same_as_process": false, + "vpid": 4555852 + }, + "name": "event-generator", + "parent": { + "name": "containerd-shim", + "pid": 133568, + "start": "23455", + "uptime": 2345, + "vpid": 133570 + }, + "pid": 133567, + "session_leader": { + "executable": "/bin/event-generator", + "name": "containerd-shim", + "pid": 133571, + "same_as_process": true + }, + "start": "23451", + "user": { + "id": "0", + "name": "root" + }, + "vpid": 133569, + "working_directory": "/bin/event-generator" + }, + "related": { + 
"hosts": [ + "a2000de987ff" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-13T13:23:29.089Z", + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.109997426Z", + "kind": "alert", + "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:38.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:38.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.exepath\":\"/bin/event-generator\",\"proc.args\":\"run --loop -v\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.duration\":\"662789\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", + "outcome": "failure", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + 
"access" + ], + "falco": { + "hostname": "a2000de987ff", + "output": "2024-05-13T13:23:38.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "84c0b936c919", + "name": "elastic-package-service-falco-event-generator-1" + }, + "evt": { + "failed": true, + "res": "ENOENT", + "time": 1715606609089890892, + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "args": "run --loop -v", + "cmdline": "event-generator run --loop", + "duration": "662789", + "exepath": "/bin/event-generator", + "name": "event-generator", + "pexepath": "/bin/event-generator", + "pname": "containerd-shim", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Warning", + "rule": "Read sensitive file untrusted", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-13T13:23:38.089890892Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "a2000de987ff", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "args": [ + "/bin/event-generator", + "run", + "--loop", + "-v" + ], + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "executable": "/bin/event-generator", + "name": "containerd-shim" + }, + "uptime": 662789, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "a2000de987ff" + ] + }, + "rule": { + 
"name": "Read sensitive file untrusted"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_falco_fields"
+ ],
+ "threat.technique.id": [
+ "T1555"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log
new file mode 100644
index 00000000000..c24d4f34b3f
--- /dev/null
+++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log
@@ -0,0 +1,3 @@
+{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:19.341081180Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108059341081180,"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}}
+{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2024-05-07T18:54:20.008519431Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108060008519431,"evt.type":"execve","proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2}}
+{"hostname":"97ade2b595f0","output":"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2024-05-07T18:54:19.341081180Z", "output_fields": {"container.id":"9656db3bb358","container.name":"elastic-package-service-falco-event-generator-1","evt.time.iso8601":1715108059341081180,"evt.type":"openat","fd.name":"/etc/shadow","fd.type":"file","proc.cmdline":"event-generator run --loop","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0}}
\ No newline at end of file
diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-config.yml b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-config.yml
new file mode 100644
index 00000000000..db8b6e14944
--- /dev/null
+++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ^\d{4}-[01]\d-[0-3]\dT[0-2]\d:[0-5]\d:[0-5]\d\.\d+([+-][0-2]\d:[0-5]\d|Z)$
+fields:
+ log.file.path: /var/foo/events.log
+ tags: []
diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json new file mode 100644 index 00000000000..6d541accde4 --- /dev/null +++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json 
@@ -0,0 +1,262 @@ +{ + "expected": [ + { + "@timestamp": "2024-05-07T18:54:19.341Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.687659426Z", + "kind": "alert", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": {}, + "evt": { + "type": "openat" + }, + "fd": { + "name": "/etc/shadow" + }, + "proc": { + "tty": 0 + }, + "user": { + "loginuid": -1 + } + }, + "priority": "Warning", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-07T18:54:19.341081180Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [], + "threat.technique.id": [ + "T1555" + ] + }, + { + "@timestamp": "2024-05-07T18:54:20.008Z", + "container": { + "id": "9656db3bb358", + "name": 
"elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.687672051Z", + "kind": "alert", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 1, + "event.type": [ + "start" + ], + "falco": { + "hostname": "97ade2b595f0", + "output": "2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": {}, + "evt": { + "type": "execve" + }, + "proc": { + "tty": 0 + }, + "user": { + "loginuid": -1 + } + }, + "priority": "Informational", + "source": "syscall", + "tags": [ + "NIST_800-53_AC-2", + "T1059", + "container", + "host", + "maturity_stable", + "mitre_execution", + "users" + ], + "time": "2024-05-07T18:54:20.008519431Z" + }, + "falco.container.mounts": null, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "login", + "executable": "/bin/busybox", + "name": "login", + "parent": { + "name": "event-generator" + }, + "user": { + "id": "2", + "name": "daemon" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "System user interactive" + }, + "tags": [], + "threat.technique.id": [ + "T1059" + ] + }, + { + "@timestamp": "2024-05-07T18:54:19.341Z", + "container": { + "id": "9656db3bb358", + "name": "elastic-package-service-falco-event-generator-1" + }, + "event": { + "ingested": "2024-08-14T12:27:08.687673843Z", + "kind": "alert", + "provider": "syscall" + }, + "event.category": [ + "process" + ], + "event.severity": 3, + "event.type": [ + "access" + ], + "falco": { + "hostname": "97ade2b595f0", + 
"output": "2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)", + "output_fields": { + "container": {}, + "evt": { + "type": "openat" + }, + "fd": { + "name": "/etc/shadow", + "type": "file" + }, + "proc": { + "tty": 0 + }, + "user": { + "loginuid": -1 + } + }, + "priority": "Warning", + "source": "syscall", + "tags": [ + "T1555", + "container", + "filesystem", + "host", + "maturity_stable", + "mitre_credential_access" + ], + "time": "2024-05-07T18:54:19.341081180Z" + }, + "falco.container.mounts": null, + "file": { + "path": "/etc/shadow", + "type": "file" + }, + "log": { + "file": { + "path": "/var/foo/events.log" + } + }, + "observer": { + "hostname": "97ade2b595f0", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "event-generator run --loop", + "executable": "/bin/event-generator", + "name": "event-generator", + "parent": { + "name": "containerd-shim" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "97ade2b595f0" + ] + }, + "rule": { + "name": "Read sensitive file untrusted" + }, + "tags": [], + "threat.technique.id": [ + "T1555" + ] + } + ] +} \ No newline at end of file diff --git a/packages/falco/data_stream/alerts/_dev/test/system/test-default-config.yml b/packages/falco/data_stream/alerts/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..4f1443f54d8 --- /dev/null +++ b/packages/falco/data_stream/alerts/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,13 @@
+service: falco-tcp
+service_notify_signal: SIGHUP
+vars: ~
+input: tcp
+data_stream:
+ vars:
+ listen_address: 0.0.0.0
+ listen_port: 9030
+ preserve_falco_fields: true
+ preserve_original_event: true
+wait_for_data_timeout: 180s
+# assert:
+# hit_count: 8
diff --git a/packages/falco/data_stream/alerts/_dev/test/system/test-logfile-config.yml b/packages/falco/data_stream/alerts/_dev/test/system/test-logfile-config.yml
new file mode 100644
index 00000000000..f6e83765fd3
--- /dev/null
+++ b/packages/falco/data_stream/alerts/_dev/test/system/test-logfile-config.yml
@@ -0,0 +1,10 @@
+service: falco-logfile
+input: logfile
+vars: ~
+data_stream:
+ vars:
+ paths:
+ - "{{SERVICE_LOGS_DIR}}/*.log"
+ preserve_falco_fields: true
+ preserve_original_event: true
+wait_for_data_timeout: 180s
diff --git a/packages/falco/data_stream/alerts/agent/stream/logfile.yml.hbs b/packages/falco/data_stream/alerts/agent/stream/logfile.yml.hbs
new file mode 100644
index 00000000000..a1920e5b26b
--- /dev/null
+++ b/packages/falco/data_stream/alerts/agent/stream/logfile.yml.hbs
@@ -0,0 +1,17 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_falco_fields}}
+ - preserve_falco_fields
+{{/if}}
+exclude_files: [".gz$"]
+processors:
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/falco/data_stream/alerts/agent/stream/tcp.yml.hbs b/packages/falco/data_stream/alerts/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..06e5d98ed7d
--- /dev/null
+++ b/packages/falco/data_stream/alerts/agent/stream/tcp.yml.hbs
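Review bot: The `# assert:` / `# hit_count: 8` lines at the end of test-default-config.yml are left commented out with no reason given, so the TCP system test only waits for the first document and never checks that all events from the generator were ingested. If the count is unstable because the generator loops, a one-line comment saying so (`# hit_count disabled: event-generator runs with --loop, so the count is not fixed`) would stop the next reader from re-enabling it blindly; otherwise the assertion should be switched on. The logfile variant in test-logfile-config.yml has no assertion at all, so the two test configs should agree either way.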
@@ -0,0 +1,21 @@
+host: {{listen_address}}:{{listen_port}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_falco_fields}}
+ - preserve_falco_fields
+{{/if}}
+processors:
+ - add_locale: ~
+{{#if preserve_original_event}}
+ - copy_fields:
+ fields:
+ - from: message
+ to: event.original
+{{/if}}
+ - syslog:
+ field: message
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..412107ad375
--- /dev/null
+++ b/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
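Review bot: The `copy_fields` step that fills `event.original` is placed before the `syslog` processor, so on the TCP path `event.original` holds the syslog-framed line, while on the logfile path the pipeline's own `set event.original copy_from: message` stores the bare JSON; the pipeline's `set` is skipped here because it is guarded by `ctx.event?.original == null`. If that asymmetry is intended (ECS wants the line as received), a comment above the block such as `# copied before the syslog processor strips the framing, so event.original keeps the raw line` would document it; if not, moving `copy_fields` after `syslog` makes both inputs agree. Separately, the template renders no `ssl` settings for the listener, so alerts carrying process command lines, environment and file paths travel in cleartext unless the manifest exposes an SSL variable that is not rendered here; either render it or state the cleartext behaviour in the input's description.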
@@ -0,0 +1,707 @@
+---
+description: Pipeline for mapping falco fields to ECS / falco-namespaced fields
+processors:
+- set:
+ field: event.kind
+ value: 'alert'
+- set:
+ field: event.original
+ copy_from: message
+ ignore_empty_value: true
+ if: ctx.event?.original == null && ctx['tags'] != null && ctx['tags'].contains('preserve_original_event')
+- json:
+ field: message
+ target_field: falco
+ if: ctx?.message != null
+- script:
+ tag: move_falco_fields
+ lang: painless
+ if: ctx?.output_fields != null
+ params:
+ fields:
+ - uuid
+ - output
+ - priority
+ - rule
+ - time
+ - output_fields
+ - source
+ - tags
+ - hostname
+ source: >-
+ def m = new HashMap();
+ for (def v : params.fields) {
+ if (ctx.containsKey(v)) {
+ m[v] = ctx[v];
+ ctx.remove(v);
+ }
+ }
+ ctx['falco'] = m
+- dot_expander:
+ field: 'container.image'
+ path: falco.output_fields
+- dot_expander:
+ field: 'fd.cip'
+ path: falco.output_fields
+- dot_expander:
+ field: 'fd.sip'
+ path: falco.output_fields
+- dot_expander:
+ field: 'fd.lip'
+ path: falco.output_fields
+- dot_expander:
+ field: 'fd.rip'
+ path: falco.output_fields
+- dot_expander:
+ field: 'proc.ppid'
+ path: falco.output_fields
+- dot_expander:
+ field: 'proc.pid'
+ path: falco.output_fields
+- dot_expander:
+ field: 'proc.sid'
+ path: falco.output_fields
+- dot_expander:
+ field: 'proc.vpgid'
+ path: falco.output_fields
+- rename:
+ field: falco.output_fields.container.image
+ target_field: falco.output_fields.container.image.name
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.fd.cip
+ target_field: falco.output_fields.client.ip
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.fd.sip
+ target_field: falco.output_fields.server.ip
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.fd.lip
+ target_field: falco.output_fields.source.ip
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.fd.rip
+ target_field: falco.output_fields.destination.ip
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.proc.ppid
+ target_field: falco.output_fields.process.parent.pid
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.proc.pid
+ target_field: falco.output_fields.process.pid
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.proc.sid
+ target_field: falco.output_fields.process.session_leader.pid
+ ignore_missing: true
+- rename:
+ field: falco.output_fields.proc.vpgid
+ target_field: falco.output_fields.process.group_leader.vpid
+ ignore_missing: true
+- dot_expander:
+ field: '*'
+ path: falco.output_fields
+# Overarching event fields
+- script:
+ lang: painless
+ tag: 'painless_map_event_category'
+ source: |
+ def allowedValues = [
+ 'api',
+ 'authentication',
+ 'configuration',
+ 'database',
+ 'driver',
+ 'email',
+ 'file',
+ 'host',
+ 'iam',
+ 'intrusion_detection',
+ 'library',
+ 'malware',
+ 'network',
+ 'package',
+ 'process',
+ 'registry',
+ 'session',
+ 'threat',
+ 'vulnerability',
+ 'web'
+ ];
+
+ if (ctx?.falco?.output_fields?.evt != null && ctx?.falco?.output_fields?.evt?.category != null) {
+ def inputCategory = ctx?.falco?.output_fields?.evt?.category;
+ def lowercaseCategory = inputCategory.toLowerCase();
+ if (allowedValues.contains(lowercaseCategory)) {
+ ctx['event.category'] = [inputCategory];
+ } else if (inputCategory == 'time' || inputCategory == 'scheduler') {
+ ctx['event.category'] = ['configuration'];
+ } else if (inputCategory == 'system' || inputCategory == 'memory' || inputCategory == 'sleep' || inputCategory == 'wait' || inputCategory == 'internal') {
+ ctx['event.category'] = ['host'];
+ } else if (inputCategory == 'ipc' || inputCategory == 'net' || inputCategory == 'signal') {
+ ctx['event.category'] = ['network'];
+ } else if (inputCategory == 'processing' || inputCategory == 'process' || inputCategory == 'io_read' || inputCategory == 'io_write' || inputCategory == 'io_other') {
+ ctx['event.category'] = ['process'];
+ } else if (inputCategory == 'user') {
+ ctx['event.category'] = ['session'];
+ } else {
+ ctx['event.category'] = ['process'];
+ }
+ } else {
+ ctx['event.category'] = ['process'];
+ }
+
+
+- script:
+ lang: painless
+ tag: 'painless_map_event_type'
+ source: |
+ def allowedValues = [
+ 'access',
+ 'admin',
+ 'allowed',
+ 'change',
+ 'connection',
+ 'creation',
+ 'deletion',
+ 'denied',
+ 'end',
+ 'error',
+ 'group',
+ 'indicator',
+ 'info',
+ 'installation',
+ 'protocol',
+ 'start',
+ 'user'
+ ];
+ if (ctx?.falco?.output_fields?.evt != null && ctx?.falco?.output_fields?.evt?.type != null) {
+ def inputType = ctx?.falco?.output_fields?.evt?.type;
+ def lowercaseType = inputType.toLowerCase();
+ if (allowedValues.contains(lowercaseType)) {
+ ctx['event.type'] = [inputType];
+ } else if (inputType == 'faccessat' || inputType == 'faccessat2' || inputType == 'fsopen' || inputType == 'name_to_handle_at' || inputType == 'nfsservctl' || inputType == 'open' || inputType == 'open_by_handle_at' || inputType == 'open_tree' || inputType == 'openat' || inputType == 'openat2' || inputType == 'pciconfig_read' || inputType == 'pidfd_open' || inputType == 'read' || inputType == 'readahead' || inputType == 'readdir' || inputType == 'readlink' || inputType == 'readlinkat' || inputType == 'readv' || inputType == 's390_pci_mmio_read' || inputType == 'uselib' || inputType == 'vm86old' || inputType == 'vm86') {
+ ctx['event.type'] = ['access'];
+ } else if (inputType == 'bdflush' || inputType == 'membarrier' || inputType == 'ptrace' || inputType == 'reboot' || inputType == 'restart_syscall') {
+ ctx['event.type'] = ['admin'];
+ } else if (inputType == 'fallocate' || inputType == 'finit_module') {
+ ctx['event.type'] = ['allowed'];
+ } else if (inputType == 'llseek' || inputType == 'sysctl' || inputType == 'acct' || inputType == 'adjtimex' || inputType == 'alarm' || inputType == 'arch_prctl' || inputType == 'bind' || inputType == 'bpf' || inputType == 'brk' || inputType == 'capset' || inputType == 'chdir' || inputType == 'chmod' || inputType == 'chown' || inputType == 'chown32' || inputType == 'chroot' || inputType == 'clock_adjtime' || inputType == 'clock_nanosleep' || inputType == 'clock_settime' || inputType == 'close' || inputType == 'close_range' || inputType == 'epoll_ctl' || inputType == 'fchdir' || inputType == 'fchmod' || inputType == 'fchmodat' || inputType == 'fchown' || inputType == 'fchown32' || inputType == 'fchownat' || inputType == 'fcntl' || inputType == 'fcntl64' || inputType == 'flock' || inputType == 'free_hugepages' || inputType == 'fsetxattr' || inputType == 'fsconfig' || inputType == 'ftruncate' || inputType == 'ftruncate64' || inputType == 'futimesat' || inputType == 'io_setup' || inputType == 'io_uring_setup' || inputType == 'ioctl' || inputType == 'ioperm' || inputType == 'iopl' || inputType == 'ioprio_set' || inputType == 'keyctl' || inputType == 'landlock_restrict_self' || inputType == 'lchown' || inputType == 'lchown32' || inputType == 'madvise' || inputType == 'mbind' || inputType == 'memory_ordering' || inputType == 'migrate_pages' || inputType == 'mlock' || inputType == 'mlock2' || inputType == 'mlockall' || inputType == 'mmap' || inputType == 'mmap2' || inputType == 'modify_ldt' || inputType == 'move_mount' || inputType == 'move_pages' || inputType == 'mprotect' || inputType == 'mq_getsetattr' || inputType == 'mremap' || inputType == 'msgctl' || inputType == 'munlock' || inputType == 'munlockall' || inputType == 'munmap' || inputType == 'nanosleep' || inputType == 'nice' || inputType == 'old_adjtimex' || inputType == 'pause' || inputType == 'pciconfig_write' || inputType == 'personality' || inputType == 'perfctr' || inputType == 'perfmonctl' || inputType == 'pivot_root' || inputType == 'pkey_alloc' || inputType == 'pkey_free' || inputType == 'pkey_mprotect' || inputType == 'prctl' || inputType == 'prlimit64' || inputType == 'process_madvise' || inputType == 'process_vm_writev' || inputType == 'pwrite64' || inputType == 'pwritev' || inputType == 'pwritev2' || inputType == 'quotactl' || inputType == 'quotactl_fd' || inputType == 'rename' || inputType == 'renameat' || inputType == 'renameat2' || inputType == 'rseq' || inputType == 'rt_sigaction' || inputType == 'rt_sigpending' || inputType == 'rt_sigprocmask' || inputType == 'rt_sigqueueinfo' || inputType == 'rt_sigreturn' || inputType == 'rtas' || inputType == 's390_pci_mmio_write' || inputType == 's390_guarded_storage' || inputType == 'sched_setaffinity' || inputType == 'sched_setattr' || inputType == 'sched_setparam' || inputType == 'sched_setscheduler' || inputType == 'seccomp' || inputType == 'semctl' || inputType == 'semop' || inputType == 'semtimedop' || inputType == 'set_mempolicy' || inputType == 'set_robust_list' || inputType == 'set_thread_area' || inputType == 'set_tid_address' || inputType == 'set_tls' || inputType == 'set_domainname' || inputType == 'set_fsgid' || inputType == 'setfsgid32' || inputType == 'setfsuid' || inputType == 'setfsuid32' || inputType == 'setgid' || inputType == 'setgid32' || inputType == 'sethae' || inputType == 'sethostimer' || inputType == 'setitimer' || inputType == 'setns' || inputType == 'setpgid' || inputType == 'setpgrp' || inputType == 'setpriority' || inputType == 'setregid' || inputType == 'setregid32' || inputType == 'setresgid' || inputType == 'setresgid32' || inputType == 'setresuid' || inputType == 'setresuid32' || inputType == 'setreuid' || inputType == 'setreuid32' || inputType == 'setrlimit' || inputType == 'setsid' || inputType == 'setsockopt' || inputType == 'settimeofday' || inputType == 'setuid' || inputType == 'setuid32' || inputType == 'setup' || inputType == 'setxattr' || inputType == 'shmat' || inputType == 'shmctl' || inputType == 'shmdt' || inputType == 'sigaction' || inputType == 'sigaltstack' || inputType == 'subpage_prot' || inputType == 'swapcontext' || inputType == 'switch_endian' || inputType == 'sys_debug_setcontext' || inputType == 'timer_settime' || inputType == 'timerfd_settime' || inputType == 'truncate' || inputType == 'truncate64' || inputType == 'umask' || inputType == 'utime' || inputType == 'utimesat' || inputType == 'utimes' || inputType == 'write' || inputType == 'writev' || inputType == 'xtensa') {
+ ctx['event.type'] = ['change'];
+ } else if (inputType == 'accept' || inputType == 'accept4' || inputType == 'connect' || inputType == 'mq_timedreceive' || inputType == 'mq_timedsend' || inputType == 'msgrcv' || inputType == 'msgsnd' || inputType == 'pidfd_send_signal' || inputType == 'recv' || inputType == 'recvfrom' || inputType == 'recvmsg' || inputType == 'recvmmsg' || inputType == 'rt_sigqueueinfo' || inputType == 'rt_tgsigqueueinfo' || inputType == 'send' || inputType == 'sendfile' || inputType == 'sendfile64' || inputType == 'sendmmsg' || inputType == 'sendmsg' || inputType == 'sendto' || inputType == 'signal' || inputType == 'signalfd' || inputType == 'signalfd4' || inputType == 'socket' || inputType == 'socketcall' || inputType == 'socketpair' || inputType == 'syscall') {
+ ctx['event.type'] = ['connection'];
+ } else if (inputType == 'add_key' || inputType == 'clone' || inputType == 'clone2' || inputType == 'clone3' || inputType == 'copy_file_range' || inputType == 'creat' || inputType == 'create_module' || inputType == 'dup' || inputType == 'dup2' || inputType == 'dup3' || inputType == 'epoll_create' || inputType == 'epoll_create1' || inputType == 'eventfd' || inputType == 'eventfd2' || inputType == 'fdatasync' || inputType == 'fork' || inputType == 'fsmount' || inputType == 'fsync' || inputType == 'init_module' || inputType == 'inotify_add_watch' || inputType == 'inotify_init' || inputType == 'inotify_init1' || inputType == 'kexec_file_load' || inputType == 'kexec_load' || inputType == 'landlock_add_rule' || inputType == 'landlock_create_ruleset' || inputType == 'link' || inputType == 'linkat' || inputType == 'memfd_create' || inputType == 'memfd_secret' || inputType == 'mkdir' || inputType == 'mkdirat' || inputType == 'mknod' || inputType == 'mknodat' || inputType == 'mount' || inputType == 'mq_notify' || inputType == 'mq_open' || inputType == 'msync' || inputType == 'pidfd_getfd' || inputType == 'pipe' || inputType == 'pipe2' || inputType == 'remap_file_pages' || inputType == 'splice' || inputType == 'spu_create' || inputType == 'symlink' || inputType == 'symlinkat' || inputType == 'sync' || inputType == 'sync_file_range' || inputType == 'sync_file_range2' || inputType == 'syncfs' || inputType == 'tee' || inputType == 'timer_create' || inputType == 'timerfd_create' || inputType == 'vfork' || inputType == 'vmsplice') {
+ ctx['event.type'] = ['creation'];
+ } else if (inputType == 'cacheflush' || inputType == 'delete_module' || inputType == 'fremovexattr' || inputType == 'inotify_rm_watch' || inputType == 'io_destroy' || inputType == 'lremovexattr' || inputType == 'mq_unlink' || inputType == 'oldumount' || inputType == 'removexattr' || inputType == 'riscv_flush_icache' || inputType == 'rmdir' || inputType == 'spill' || inputType == 'timer_delete' || inputType == 'umount' || inputType == 'unlink' || inputType == 'unlinkat' || inputType == 'unshare') {
+ ctx['event.type'] = ['deletion'];
+ } else if (inputType == 'exit' || inputType == 'exit_group' || inputType == 'io_cancel' || inputType == 'kill' || inputType == 'shutdown' || inputType == 'swapoff' || inputType == 'tgkill' || inputType == 'tkill' || inputType == 'vhangup') {
+ ctx['event.type'] = ['end'];
+ } else if (inputType == 'fanotify_init' || inputType == 'fanotify_mark' || inputType == 'setgroups' || inputType == 'setgroups32') {
+ ctx['event.type'] = ['group'];
+ } else if (inputType == 'alloc_hugepages' || inputType == 'capget' || inputType == 'clock_getres' || inputType == 'clock_gettime' || inputType == 'epoll_pwait' || inputType == 'epoll_pwait2' || inputType == 'epoll_wait' || inputType == 'fadvise64' || inputType == 'fadvise64_64' || inputType == 'fgetxattr' || inputType == 'flistxattr' || inputType == 'fspick' || inputType == 'fstat' || inputType == 'fstat64' || inputType == 'fstatat64' || inputType == 'fstatfs' || inputType == 'fstatfs64' || inputType == 'futex' || inputType == 'get_kernel_syms' || inputType == 'get_mempolicy' || inputType == 'get_robust_list' || inputType == 'get_thread_area' || inputType == 'get_tls' || inputType == 'getcpu' || inputType == 'getcwd' || inputType == 'getdents' || inputType == 'getdents64' || inputType == 'getdomainname' || inputType == 'getdtablesize' || inputType == 'getegid' || inputType == 'getegid32' || inputType == 'geteuid' || inputType == 'geteuid32' || inputType == 'getgid' || inputType == 'getgid32' || inputType == 'getgroups' || inputType == 'getgroups32' || inputType == 'gethostname' || inputType == 'getitimer' || inputType == 'getpeername' || inputType == 'getpagesize' || inputType == 'getpgid' || inputType == 'getpgrp' || inputType == 'getpid' || inputType == 'getppid' || inputType == 'getpriority' || inputType == 'getrandom' || inputType == 'getresgid' || inputType == 'getresgid32' || inputType == 'getresuid' || inputType == 'getresuid32' || inputType == 'getrlimit' || inputType == 'getrusage' || inputType == 'getsid' || inputType == 'getsockname' || inputType == 'getsockopt' || inputType == 'gettid' || inputType == 'gettimeofday' || inputType == 'getuid' || inputType == 'getuid32' || inputType == 'getunwind' || inputType == 'getxattr' || inputType == 'getxgid' || inputType == 'getxpid' || inputType == 'getxuid' || inputType == 'io_getevents' || inputType == 'io_pgetevents' || inputType == 'io_submit' || inputType == 'io_uring_register' || inputType == 'ioprio_get' || inputType == 'kcmp' || inputType == 'kern_features' || inputType == 'lgetxattr' || inputType == 'listen' || inputType == 'listxattr' || inputType == 'llistxattr' || inputType == 'lookup_dcookie' || inputType == 'lstat' || inputType == 'lstat64' || inputType == 'mincore' || inputType == 'msgget' || inputType == 'newfstatat' || inputType == 'old_getrlimit' || inputType == 'old_fstat' || inputType == 'oldlstat' || inputType == 'oldolduname' || inputType == 'oldstat' || inputType == 'olduname' || inputType == 'or1k_atomic' || inputType == 'pciconfig_iobase' || inputType == 'poll' || inputType == 'ppoll' || inputType == 'pread64' || inputType == 'preadv' || inputType == 'preadv2' || inputType == 'process_vm_readv' || inputType == 'pselect6' || inputType == 'query_module' || inputType == 'request_key' || inputType == 'rt_sigsuspend' || inputType == 'rt_sigtimedwait' || inputType == 's390_runtime_instr' || inputType == 's390_sthyi' || inputType == 'sched_get_affinity' || inputType == 'sched_get_priority_max' || inputType == 'sched_get_priority_min' || inputType == 'sched_getaffinity' || inputType == 'sched_getattr' || inputType == 'sched_getparam' || inputType == 'sched_getscheduler' || inputType == 'sched_rr_get_interval' || inputType == 'sched_yield' || inputType == 'select' || inputType == 'semget' || inputType == 'sgetmask' || inputType == 'shmget' || inputType == 'sigpending' || inputType == 'sigprocmask' || inputType == 'sigreturn' || inputType == 'sigsuspend' || inputType == 'ssetmask' || inputType == 'stat' || inputType == 'stat64' || inputType == 'statfs' || inputType == 'statfs64' || inputType == 'statx' || inputType == 'stime' || inputType == 'sysfs' || inputType == 'sysinfo' || inputType == 'syslog' || inputType == 'sysmips' || inputType == 'time' || inputType == 'timer_getoverrun' || inputType == 'timer_gettime' || inputType == 'timerfd_gettime' || inputType == 'times' || inputType == 'ugetrlimit' || inputType == 'uname' || inputType == 'ustat' || inputType == 'wait' || inputType == 'wait4' || inputType == 'waitid' || inputType == 'waitpid') {
+ ctx['event.type'] = ['info'];
+ } else if (inputType == 'utrap_install') {
+ ctx['event.type'] = ['installation'];
+ } else if (inputType == 'ipc') {
+ ctx['event.type'] = ['protocol'];
+ } else if (inputType == 'execve' || inputType == 'execveat' || inputType == 'execv' || inputType == 'io_uring_enter' || inputType == 'perf_event_open' || inputType == 'spu_run' || inputType == 'swapon') {
+ ctx['event.type'] = ['start'];
+ } else if (inputType == 'userfaultfd' || inputType == 'usr26' || inputType == 'usr32') {
+ ctx['event.type'] = ['user'];
+ } else {
+ ctx['event.type'] = ['info'];
+ }
+ } else {
+ ctx['event.type'] = ['info'];
+ }
+- set:
+ field: event.outcome
+ value: success
+ if: ctx?.falco?.output_fields?.evt?.res != null && ctx?.falco?.output_fields?.evt?.res == 'SUCCESS'
+ tag: set_event_outcome_success
+- set:
+ field: event.outcome
+ value: failure
+ if: ctx?.falco?.output_fields?.evt?.res != null && ctx?.falco?.output_fields?.evt?.res != 'SUCCESS' && ctx?.falco?.output_fields?.evt?.failed != null && ctx?.falco?.output_fields?.evt?.failed == true
+ tag: set_event_outcome_failure
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ ignore_empty_value: true
+ ignore_failure: true
+- script:
+ lang: painless
+ tag: 'painless_set_threat_technique_id'
+ if: ctx?.falco?.tags != null
+ source: |
+ def mitreRegex = /T\d{4}/;
+ for (int i = 0; i < ctx?.falco?.tags.length; i++) {
+ def tag = ctx?.falco?.tags[i];
+ def matcher = mitreRegex.matcher(tag);
+ if (matcher.find()) {
+ ctx['threat.technique.id'] = [matcher.group()];
+ break;
+ }
+ }
+- script:
+ lang: painless
+ tag: 'painless_set_threat_subtechnique_id'
+ if: ctx?.falco?.tags != null
+ source: |
+ def mitreRegex = /T\d{4}.\d{3}/;
+ for (int i = 0; i < ctx?.falco?.tags.length; i++) {
+ def tag = ctx?.falco?.tags[i];
+ def matcher = mitreRegex.matcher(tag);
+ if (matcher.find()) {
+ ctx['threat.technique.subtechnique.id'] = [matcher.group()];
+ break;
+ }
+ }
+- script:
+ lang: painless
+ tag: 'painless_set_event_severity'
+ if: ctx?.falco?.priority != null
+ source: |
+ def priority = ctx?.falco?.priority.toLowerCase();
+ if (priority == "emergency") {
+ ctx['event.severity'] = 7;
+ } else if (priority == "alert") {
+ ctx['event.severity'] = 6;
+ } else if (priority == "critical") {
+ ctx['event.severity'] = 5;
+ } else if (priority == "error") {
+ ctx['event.severity'] = 4;
+ } else if (priority == "warning") {
+ ctx['event.severity'] = 3;
+ } else if (priority == "notice") {
+ ctx['event.severity'] = 2;
+ } else if (priority == "informational") {
+ ctx['event.severity'] = 1;
+ } else if (priority == "debug") {
+ ctx['event.severity'] = 0;
+ }
+- set:
+ field: rule.name
+ copy_from: falco.rule
+ ignore_empty_value: true
+- set:
+ field: event.sequence
+ copy_from: falco.output_fields.evt.num
+ ignore_empty_value: true
+- script:
+ lang: painless
+ tag: 'Script for generating @timestamp'
+ source: |
+ if (ctx.falco?.output_fields?.evt?.time != null) {
+ def timeField = ctx.falco.output_fields.evt.time;
+ def inputFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+
+ if (timeField instanceof Map) {
+ if (timeField.iso8601 != null) {
+ if (timeField.iso8601 instanceof String) {
+ def formatted = inputFormat.parse(timeField.iso8601);
+ ctx['@timestamp'] = formatted;
+ ctx.falco.output_fields.evt.time.iso8601 = formatted;
+ } else if (timeField.iso8601 instanceof Long) {
+ long milliseconds = timeField.iso8601 / 1000000;
+ ctx['@timestamp'] = new Date(milliseconds);
+ ctx.falco.output_fields.evt.time.iso8601 = milliseconds;
+ }
+ } else if (timeField.rawtime != null) {
+ if (timeField.rawtime instanceof String) {
+ def formatted = inputFormat.parse(timeField.rawtime);
+ ctx['@timestamp'] = formatted;
+ } else if (timeField.rawtime instanceof Long) {
+ long milliseconds = timeField.rawtime / 1000000;
+ ctx['@timestamp'] = new Date(milliseconds);
+ }
+ } else {
+ if (timeField instanceof String) {
+ def formatted = inputFormat.parse(timeField);
+ ctx['@timestamp'] = formatted;
+ } else if (timeField instanceof Long) {
+ long milliseconds = timeField / 1000000;
+ ctx['@timestamp'] = new Date(milliseconds);
+ }
+ }
+ } else {
+ if (timeField instanceof String) {
+ def formatted = inputFormat.parse(timeField);
+ ctx['@timestamp'] = formatted;
+ } else if (timeField instanceof Long) {
+ long milliseconds = timeField / 1000000;
+ ctx['@timestamp'] = new Date(milliseconds);
+ }
+ }
+ }
+- set:
+ field: event.provider
+ copy_from: falco.source
+ ignore_empty_value: true
+# Process and observer fields
+- set:
+ field: observer.hostname
+ copy_from: falco.hostname
+ ignore_empty_value: true
+- append:
+ field: related.hosts
+ value: '{{falco.hostname}}'
+ if: ctx.falco?.hostname != null
+ allow_duplicates: false
+- set:
+ field: process.executable
+ copy_from: falco.output_fields.proc.exepath
+ ignore_empty_value: true
+
+- set:
+ field: file.path
+ value: '{{falco.output_fields.fd.name}}'
+ if: ctx.falco.output_fields.fd?.type != null && (ctx.falco.output_fields.fd.type == 'file' || ctx.falco.output_fields.fd.type == 'directory')
+ tag: 'painless_set_file_path'
+- set:
+ field: file.type
+ value: '{{falco.output_fields.fd.type}}'
+ if: ctx.falco.output_fields.fd?.type != null && (ctx.falco.output_fields.fd.type == 'file' || ctx.falco.output_fields.fd.type == 'directory')
+ tag: 'painless_set_file_path'
+
+- set:
+ field: process.parent.executable
+ copy_from: falco.output_fields.proc.pexepath
+ ignore_empty_value: true
+- set:
+ field: process.name
+ copy_from: falco.output_fields.proc.name
+ ignore_empty_value: true
+- set:
+ field: process.parent.name
+ copy_from: falco.output_fields.proc.pname
+ ignore_empty_value: true
+- script:
+ lang: painless
+ tag: 'Script for generating process.args'
+ source: |
+ if (ctx.falco.output_fields?.proc?.exepath != null && ctx.falco.output_fields?.proc?.args != null) {
+ def path = ctx.falco.output_fields.proc.exepath;
+ def args = ctx.falco.output_fields.proc.args;
+ def argItems = args.splitOnToken(' ');
+ def finalList = [];
+ finalList.add(path);
+ for (int i = 0; i < argItems.length; i++) {
+ finalList.add(argItems[i]);
+ }
+ ctx['process']['args'] = finalList;
+ }
+- set:
+ field: process.command_line
+ copy_from: falco.output_fields.proc.cmdline
+ ignore_empty_value: true
+- set:
+ field: process.parent.command_line
+ copy_from: falco.output_fields.proc.pcmdline
+ ignore_empty_value: true
+- set:
+ field: process.args_count
+ copy_from: falco.output_fields.proc.cmdnargs
+ ignore_empty_value: true
+- split:
+ field: falco.output_fields.proc.env
+ separator: "\\s+"
+ target_field: process.env_vars
+ ignore_missing: true
+- set:
+ field: process.working_directory
+ copy_from: falco.output_fields.proc.cwd
+ ignore_empty_value: true
+- set:
+ field: process.pid
+ copy_from: falco.output_fields.process.pid
+ ignore_empty_value: true
+- set:
+ field: process.parent.pid
+ copy_from: falco.output_fields.process.parent.pid
+ ignore_empty_value: true
+- set:
+ field: process.vpid
+ copy_from: falco.output_fields.proc.vpid
+ ignore_empty_value: true
+- set:
+ field: process.parent.vpid
+ copy_from: falco.output_fields.proc.pvpid
+ ignore_empty_value: true
+- set:
+ field: process.session_leader.pid
+ copy_from: falco.output_fields.process.session_leader.pid
+ ignore_empty_value: true
+- set:
+ field: process.session_leader.name
+ copy_from: falco.output_fields.proc.sname
+ ignore_empty_value: true
+- set:
+ field: process.session_leader.executable
+ copy_from: falco.output_fields.proc.sid.exepath
+ ignore_empty_value: true
+- set:
+ field: process.group_leader.vpid
+ copy_from: falco.output_fields.process.group_leader.vpid
+ ignore_empty_value: true
+- set:
+ field: process.group_leader.name
+ copy_from: falco.output_fields.proc.vpgid.name
+ ignore_empty_value: true
+- set:
+ field: process.group_leader.executable
+ copy_from: falco.output_fields.proc.vpgid.exepath
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.proc.duration
+ target_field: process.uptime
+ type: long
+ ignore_missing: true
+- set:
+ field: process.parent.uptime
+ copy_from: falco.output_fields.proc.ppid.duration
+ ignore_empty_value: true
+- set:
+ field: process.start
+ copy_from: falco.output_fields.proc.pid.ts
+ ignore_empty_value: true
+- set:
+ field: process.parent.start
+ copy_from: falco.output_fields.proc.ppid.ts
+ ignore_empty_value: true
+- set:
+ field: process.session_leader.same_as_process
+ copy_from: falco.output_fields.proc.is_sid_leader
+ ignore_empty_value: true
+- set:
+ field: process.group_leader.same_as_process
+ copy_from: falco.output_fields.proc.is_vpgid_leader
+ ignore_empty_value: true
+- set:
+ field: process.thread.capabilities.permitted
+ copy_from: falco.output_fields.thread.cap_permitted
+ ignore_empty_value: true
+- set:
+ field: process.thread.capabilities.effective
+ copy_from: falco.output_fields.thread.cap_effective
+ ignore_empty_value: true
+- set:
+ field: process.thread.id
+ copy_from: falco.output_fields.thread.tid
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.user.uid
+ type: string
+ ignore_missing: true
+- set:
+ field: process.user.id
+ copy_from: falco.output_fields.user.uid
+ ignore_empty_value: true
+- set:
+ field: process.user.name
+ copy_from: falco.output_fields.user.name
+ ignore_empty_value: true
+- set:
+ field: process.group.id
+ copy_from: falco.output_fields.group.gid
+ ignore_empty_value: true
+- set:
+ field: process.group.name
+ copy_from: falco.output_fields.group.name
+ ignore_empty_value: true
+# Container fields
+- set:
+ field: container.id
+ copy_from: falco.output_fields.container.id
+ ignore_empty_value: true
+- set:
+ field: container.name
+ copy_from: falco.output_fields.container.name
+ ignore_empty_value: true
+- set:
+ field: container.image.name
+ copy_from: falco.output_fields.container.image.name
+ ignore_empty_value: true
+- set:
+ field: container.runtime
+ copy_from: falco.output_fields.container.type
+ ignore_empty_value: true
+- set:
+ field: container.security_context.privileged
+ copy_from: falco.output_fields.container.privileged
+ ignore_empty_value: true
+- set:
+ field: container.image.hash.all
+ copy_from: falco.output_fields.container.image.digest
+ ignore_empty_value: true
+- set:
+ field: host.ip
+ value: ['{{falco.output_fields.container.ip}}']
+ if: ctx?.falco?.output_fields?.container?.ip != null
+ ignore_empty_value: true
+# File-specifc fields
+- set:
+ field: file.directory
+ copy_from: falco.output_fields.fd.directory
+ ignore_empty_value: true
+- set:
+ field: file.name
+ copy_from: falco.output_fields.fd.filename
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.client.ip
+ target_field: client.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: client.address
+ copy_from: client.ip
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.server.ip
+ target_field: server.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: server.address
+ copy_from: server.ip
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.source.ip
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: source.address
+ copy_from: source.ip
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.destination.ip
+ target_field: destination.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: destination.address
+ copy_from: destination.ip
+ ignore_empty_value: true
+- set:
+ field: client.port
+ copy_from: falco.output_fields.fd.cport
+ ignore_empty_value: true
+- set:
+ field: server.port
+ copy_from: falco.output_fields.fd.sport
+ ignore_empty_value: true
+- set:
+ field: source.port
+ copy_from: falco.output_fields.fd.lport
+ ignore_empty_value: true
+- set:
+ field: destination.port
+ copy_from: falco.output_fields.fd.rport
+ ignore_empty_value: true
+- set:
+ field: client.domain
+ copy_from: falco.output_fields.fd.cip.name
+ ignore_empty_value: true
+- set:
+ field: server.domain
+ copy_from: falco.output_fields.fd.sip.name
+ ignore_empty_value: true
+- set:
+ field: source.domain
+ copy_from: falco.output_fields.fd.lip.name
+ ignore_empty_value: true
+- set:
+ field: destination.domain
+ copy_from: falco.output_fields.fd.rip.name
+ ignore_empty_value: true
+- set:
+ field: file.inode
+ copy_from: falco.output_fields.fd.ino
+ ignore_empty_value: true
+- set:
+ field: orchestrator.namespace
+ copy_from: falco.output_fields.k8s.ns.name
+ ignore_empty_value: true
+- set:
+ field: orchestrator.resource.name
+ copy_from: falco.output_fields.k8s.pod.name
+ ignore_empty_value: true
+- set:
+ field: orchestrator.resource.id
+ copy_from: falco.output_fields.k8s.pod.uid
+ ignore_empty_value: true
+- set:
+ field: orchestrator.resource.label
+ copy_from: falco.output_fields.k8s.pod.labels
+ ignore_empty_value: true
+- convert:
+ field: falco.output_fields.k8s.pod.ip
+ target_field: orchestrator.resource.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: orchestrator.resource.type
+ value: 'pod'
+ if: ctx.containsKey('falco.output_fields.k8s.pod.name')
+- set:
+ field: orchestrator.type
+ value: 'kubernetes'
+ if: ctx.containsKey('falco.output_fields.k8s.pod.name')
+- set:
+ field: observer.type
+ value: sensor
+- set:
+ field: observer.vendor
+ value: sysdig
+- set:
+ field: observer.product
+ value: falco
+- script:
+ lang: painless
+ tag: 'container.mounts'
+ source: |
+ if (ctx.falco.output_fields?.container?.mounts != null) {
+ def mountsString = ctx.falco.output_fields.container.mounts;
+ def mountItems = mountsString.splitOnToken(' ');
+ def mountsList = [];
+ for (int i = 0; i < mountItems.length; i++) {
+ def mountItem = mountItems[i];
+ def parts = mountItem.splitOnToken(':');
+ def mountRecord = [:];
+ mountRecord.source = parts.length > 0 ? parts[0] : null;
+ mountRecord.dest = parts.length > 1 ? parts[1] : null;
+ mountRecord.mode = parts.length > 2 ? parts[2] : null;
+ mountRecord.rdrw = parts.length > 3 ? parts[3] : null;
+ mountRecord.propagation = parts.length > 4 ? parts[4] : null;
+ mountsList.add(mountRecord);
+ }
+ ctx['falco.container.mounts'] = mountsList;
+ } else {
+ ctx['falco.container.mounts'] = null;
+ }
+
+# some of the fields removed here are undocumented fields sent by falco
+- remove:
+ field: ['message','falco.output_fields.evt.arg.flags','falco.output_fields.proc.aname[2]','falco.output_fields.proc.aname[3]','falco.output_fields.proc.aname[4]','falco.output_fields.proc.aname[5]','falco.output_fields.proc.aname[6]','falco.output_fields.proc.aname[7]']
+ ignore_missing: true
+- remove:
+ field: ['falco.rule','falco.output_fields.evt.num','falco.output_fields.evt.time','falco.output_fields.proc.exepath','falco.output_fields.proc.pexepath','falco.output_fields.proc.name','falco.output_fields.proc.pname','falco.output_fields.proc.cmdline','falco.output_fields.proc.pcmdline','falco.output_fields.proc.cmdnargs','falco.output_fields.proc.env','falco.output_fields.proc.cwd','falco.output_fields.proc.vpid','falco.output_fields.proc.pvpid','falco.output_fields.proc.sname','falco.output_fields.proc.sid.exepath','falco.output_fields.proc.vpgid','falco.output_fields.proc.vpgid.name','falco.output_fields.proc.vpgid.exepath','falco.output_fields.proc.duration','falco.output_fields.proc.ppid.duration','falco.output_fields.proc.pid.ts','falco.output_fields.proc.ppid.ts','falco.output_fields.proc.is_sid_leader','falco.output_fields.proc.is_vpgid_leader','falco.output_fields.thread.cap_permitted','falco.output_fields.thread.cap_effective','falco.output_fields.thread.tid','falco.output_fields.user.uid','falco.output_fields.user.name','falco.output_fields.group.gid','falco.output_fields.group.name','falco.output_fields.container.id','falco.output_fields.container.name','falco.output_fields.container.type','falco.output_fields.container.privileged','falco.output_fields.container.image.digest','falco.output_fields.container.ip','falco.output_fields.fd.directory','falco.output_fields.fd.filename','falco.output_fields.fd.cport','falco.output_fields.fd.sport','falco.output_fields.fd.lport','falco.output_fields.fd.rport','falco.output_fields.fd.cip.name','falco.output_fields.fd.sip.name','falco.output_fields.fd.lip','falco.output_fields.fd.lip.name','falco.output_fields.fd.rip.name','falco.output_fields.fd.ino','falco.output_fields.k8s.ns.name','falco.output_fields.k8s.pod.name','falco.output_fields.k8s.pod.uid','falco.output_fields.k8s.pod.labels','falco.output_fields.k8s.pod.ip']
+ if: ctx['tags'] == null || !(ctx['tags'].contains('preserve_falco_fields'))
+ ignore_missing: true
+
+on_failure:
+- append:
+ field: error.message
+ value: 'Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"'
+- set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/falco/data_stream/alerts/fields/agent.yml b/packages/falco/data_stream/alerts/fields/agent.yml
new file mode 100644
index 00000000000..01225e597fc
--- /dev/null
+++ b/packages/falco/data_stream/alerts/fields/agent.yml
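Review bot: The `set` processors for `orchestrator.resource.type` and `orchestrator.type` near the end of the hunk are guarded by `if: ctx.containsKey('falco.output_fields.k8s.pod.name')`, which tests for a single root key literally named with that dotted string; the `json` and `dot_expander` steps earlier build a nested object, so as far as I can tell the condition is false for every document and neither field is ever set. Use the null-safe form the rest of the pipeline already uses, `if: ctx.falco?.output_fields?.k8s?.pod?.name != null`. In `painless_set_threat_subtechnique_id` the `.` in `/T\d{4}.\d{3}/` is unescaped and matches any character; `/T\d{4}\.\d{3}/` pins the sub-technique separator. Separately, `host.ip` is filled from `{{falco.output_fields.container.ip}}` with no `convert`/`ignore_failure` guard, unlike the client/server/source/destination IPs, so a malformed value rejects the whole document at index time rather than being skipped. The `split` into `process.env_vars` indexes the raw process environment, which commonly carries credentials, so the data stream docs should say so or the mapping should be opt-in.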
@@ -0,0 +1,42 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
+- name: log.source.address
+ type: keyword
+ description: Log source when collecting via TCP input
diff --git a/packages/falco/data_stream/alerts/fields/base-fields.yml b/packages/falco/data_stream/alerts/fields/base-fields.yml
new file mode 100644
index 00000000000..6b16a9f7eae
--- /dev/null
+++ b/packages/falco/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,22 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: 'logs'
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+ value: 'falco.alerts'
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Preserved Falco field
+- name: event.dataset
+ type: constant_keyword
+ description: Data stream / event dataset.
+ value: 'falco.alerts'
+- name: event.module
+ type: constant_keyword
+ description: The module the event belongs to.
+ value: falco
+- name: '@timestamp'
+ type: date
+ description: Event timestamp with nanos.
diff --git a/packages/falco/data_stream/alerts/fields/fields.yml b/packages/falco/data_stream/alerts/fields/fields.yml
new file mode 100644
index 00000000000..fb7e9e9df56
--- /dev/null
+++ b/packages/falco/data_stream/alerts/fields/fields.yml
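Review bot: The `data_stream.namespace` entry is described as `Preserved Falco field`, which looks like a copy/paste from fields.yml; the namespace comes from the Fleet policy, not from Falco, and every other entry in this file describes the field it maps. Suggest `description: Data stream namespace.` so the generated Logs reference table in the README (which currently repeats "Preserved Falco field" for this row) does not misstate where the value originates.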
@@ -0,0 +1,666 @@ +- name: process.group.id + type: text + description: Preserved Falco field +- name: process.group.name + type: text + description: Preserved Falco field +- name: falco + type: group + description: Namespace for Falco-specific fields without a direct ECS equivalent. + fields: + - name: rule + type: keyword + description: Name of the Falco rule that triggered the alert + - name: priority + type: keyword + description: Falco alert priority + - name: hostname + type: keyword + description: Required field for integration + - name: source + type: keyword + description: Preserved Falco field + - name: tags + type: keyword + description: Preserved Falco field + - name: time + type: date + description: Preserved Falco field + - name: uuid + type: keyword + description: Preserved Falco field + - name: container.mounts + type: nested + description: List of mount information. + fields: + - name: source + type: keyword + - name: dest + type: keyword + - name: mode + type: keyword + - name: rdrw + type: keyword + - name: propagation + type: keyword + - name: output + type: text + index: false + - name: output_fields + type: group + dynamic: false + description: Preserved Falco fields + fields: + - name: evt.pluginname + type: keyword + description: Name of the plugin that generated the event (if applicable). + - name: evt.plugininfo + type: text + description: Summary of the event if it came from a plugin-defined event source. + - name: evt.is_async + type: boolean + description: Denotes whether the event is async or not. + - name: evt.asynctype + type: keyword + description: The type of event, if asyncronous. + - name: evt.latency + type: long + description: Delta between an exit event and corresponding enter event. + unit: nanos + - name: evt.time.iso8601 + type: date + description: Time event occurred + - name: evt.deltatime + type: long + description: Delta between current event and previous. 
+ unit: nanos + - name: evt.dir + type: keyword + description: Either an enter event (>) or an exit event (<). + - name: evt.cpu + type: integer + description: Number of the CPU where the event occurred. + - name: evt.args + type: text + description: Aggregated string of all event arguments. + - name: evt.arg.flags + type: text + description: Preserved Falco field + - name: evt.info + type: text + description: Contains either the event arguments, or the data decoded from them. + - name: evt.buffer + type: binary + description: Binary buffer for events which have one. + - name: evt.buflen + type: unsigned_long + description: Length of the binary buffer, if applicable. + - name: evt.res + type: text + description: Return value of the event. + - name: evt.rawres + type: long + description: Return value of the event, as a number. + - name: evt.failed + type: boolean + description: Denotes if the event returned an error status. + - name: evt.is_io + type: boolean + description: Denotes events that read or write to FDs. + - name: evt.is_io_read + type: boolean + description: Denotes events that read from FDs. + - name: evt.is_io_write + type: boolean + description: Denotes events that write to FDs. + - name: evt.io_dir + type: keyword + description: Type based on whether the event reads from or writes to FDs. + - name: evt.is_wait + type: boolean + description: Denotes events that force the thread to wait. + - name: evt.wait_latency + type: long + description: Time spent waiting for events to return, in cases where the thread is forced to wait. 
+ unit: nanos + - name: evt.is_syslog + type: boolean + description: Denotes events that are written to /dev/log + - name: evt.count.error + type: integer + description: Returns 1 for events that returned with an error + - name: evt.count.error_file + type: integer + description: Returns 1 for events that returned with an error and are related to file I/O + - name: evt.count.error_net + type: integer + description: Returns 1 for events that returned with an error and are related to network I/O + - name: evt.count.error_memory + type: integer + description: Returns 1 for events that returned with an error and are related to memory allocation. + - name: evt.count.error_other + type: integer + description: Returns 1 for events that returned with an error and are related to none of the previous categories. + - name: evt.count.exit + type: integer + description: Returns 1 for exit events. + - name: evt.abspath + type: text + description: Calculated absolute path. + - name: evt.abspath_src + type: text + description: Source of the absolute path. + - name: evt.abspath_dst + type: text + description: Destination of the absolute path. + - name: evt.is_open_read + type: boolean + description: Denotes whether or not the path was opened for reading for open/openat/openat2/open_by_handle_at events. + - name: evt.is_open_write + type: boolean + description: Denotes whether or not the path was opened for writing for open/openat/openat2/open_by_handle_at events. + - name: evt.is_open_exec + type: boolean + description: Denotes whether or not a file was created with execute permissions for open/openat/openat2/open_by_handle_at or create events. + - name: evt.is_open_create + type: boolean + description: Denotes whether or not a file was created for open/openat/openat2/open_by_handle_at events. + - name: proc.exe + type: text + description: First command line argument, collected from args. 
+ - name: proc.pexe + type: text + description: First command line argument of the parent process. + - name: proc.cmdlenargs + type: long + description: Total length of command line args, excluding whitespace. + - name: proc.exeline + type: text + description: Full command line, with exe as first argument. + - name: proc.loginshellid + type: long + description: PID of the oldest shell among the ancestors of the current process, if applicable. + - name: proc.tty + type: long + description: Controlling terminal of the process. + - name: proc.sid.exe + type: text + description: First command line argument of the current process's session leader. + - name: proc.vpgid.exe + type: text + description: First command line argument of the current process's group leader. + - name: proc.is_exe_writable + type: boolean + description: Denotes if this process' executable file is writable by the same user that spawned the process. + - name: proc.is_exe_upper_layer + type: boolean + description: Denotes if this process' executable file is in upper layer in overlayfs. + - name: proc.is_exe_from_memfd + type: boolean + description: Denotes if this process' executable file is in upper layer in overlayfs. + - name: proc.exe_ino + type: long + description: The inode number of the executable file on disk. + - name: proc.exe_ino_ctime + type: date_nanos + description: Last status change of executable file as epoch timestamp. + - name: proc.exe_ino_mtime + type: date_nanos + description: Last modification time of executable file as epoch timestamp. + - name: proc.exe_ino_ctime_duration_proc_start + type: long + description: Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image. + - name: proc.exe_ino_ctime_duration_pidns_start + type: long + description: Number of nanoseconds between PID namespace start ts and ctime exe file if PID namespace start predates ctime. 
+ - name: proc.pidns_init_start_ts + type: date_nanos + description: Start of PID namespace as epoch timestamp. + - name: proc.thread.cap_inheritable + type: keyword + description: Set of inheritable capabilities set. + - name: proc.is_container_healthcheck + type: boolean + description: Denotes if this process is running as a part of the container's health check. + - name: proc.is_container_liveness_probe + type: boolean + description: Denotes if this process is running as a part of the container's liveness probe. + - name: proc.is_container_readiness_probe + type: boolean + description: Denotes if this process is running as a part of the container's readiness probe. + - name: proc.fdopencount + type: unsigned_long + description: Number of open FDs for the process. + - name: proc.fdopenlimit + type: long + description: Maximum number of FDs the process can open. + - name: proc.fdusage + type: double + description: Ratio between open FDs and maximum available FDs for the process. + - name: proc.vmsize + type: unsigned_long + description: Total virtual memory for the process. + unit: byte + - name: proc.vmrss + type: unsigned_long + description: Resident non-swapped memory for the process. + unit: byte + - name: proc.vmswap + type: unsigned_long + description: Swapped memory for the process. + - name: proc.ppid.duration + type: long + description: Preserved Falco field + - name: process.parent.pid + type: long + description: Preserved Falco field + - name: process.pid + type: long + description: Preserved Falco field + - name: process.session_leader.pid + type: long + description: Preserved Falco field + - name: process.group_leader.vpid + type: long + description: Preserved Falco field + - name: thread.pfmajor + type: unsigned_long + description: Number of major page faults since thread start. + - name: thread.pfminor + type: unsigned_long + description: Number of minor page faults since thread start. 
+ - name: thread.ismain + type: boolean + description: Denotes if the threat generating the event is the main one in the process. + - name: thread.vtid + type: long + description: The ID of the thread generating the event as seen from its current PID namespace. + - name: thread.exectime + type: long + description: CPU time spent by last scheduled thread. + unit: nanos + - name: thread.totalexectime + type: long + description: Total CPU time for the current thread since the beginning of the capture. + unit: nanos + - name: thread.cgroups + type: flattened + description: Aggregated string of cgroups the thread belongs to. + - name: proc.nthreads + type: unsigned_long + description: Number of alive threads in the process generating the event currently has, including the leader thread. + - name: proc.nchilds + type: unsigned_long + description: Number of alive (not leader) threads in the process generating the event currently has, excluding the leader thread. + - name: thread.cpu + type: double + description: CPU consumed by the thread in the last second. + - name: thread.cpu_user + type: double + description: The user CPU consumed by the thread in the last second. + - name: thread.cpu_system + type: double + description: The system CPU consumed by the thread in the last second. + - name: thread.vmsize + type: unsigned_long + description: Total virtual memory for the process' main thread. Non-main threads will appear as zero. + - name: thread.vmrss + type: unsigned_long + description: Resident non-swapped memory for the process' main thread. Non-main threads will appear as zero. + - name: user.homedir + type: text + description: Home directory of the user. + - name: user.shell + type: keyword + description: User's shell. + - name: user.loginuid + type: long + description: Audit user ID. If an invalid UID is encountered, returns -1. + - name: user.loginname + type: keyword + description: Audit user name. 
+ - name: container.id + type: keyword + description: The truncated container ID (first 12 characters) extracted from the Linux cgroups by Falco within the kernel + - name: container.name + type: keyword + description: The container name + - name: container.healthcheck + type: text + description: The container's health check. Will be N/A if no health check configured. + - name: container.liveness_probe + type: text + description: The container's liveness probe. Will be N/A if no liveness probe configured. + - name: container.mounts + type: text + description: The raw text value for container mounts information + - name: container.readiness_probe + type: text + description: The container's readiness probe. Will be N/A if no readiness probe configured. + - name: container.start_ts + type: date_nanos + description: Container start as epoch timestamp. + - name: container.duration + type: long + description: Number of nanoseconds since container.start_ts. + unit: nanos + - name: container.cni_json + type: object + description: Container's CNI result field from the respective container status info. + object_type: keyword + - name: fd.num + type: long + description: Unique number identifying the file descriptor. + - name: fd.type + type: keyword + description: Type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' 'signalfd' or 'memfd'. + - name: fd.typechar + type: keyword + description: Type of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'b' for bpf, 'u' for userfaultd, 'r' for io_uring, 'm' for memfd ,'o' for unknown. + - name: fd.name + type: text + description: FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. 
+ - name: fd.I4proto + type: keyword + description: The IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'. + - name: fd.sockfamily + type: keyword + description: The socket family for socket events. Can be 'ip' or 'unix'. + - name: fd.is_server + type: boolean + description: Denotes if process owning the FD is the server endpoint in the connection. + - name: fd.uid + type: keyword + description: Unique identifier for the FD, created from the FD number and thread ID. + - name: fd.containername + type: keyword + description: Concatenation of the container ID and the FD name. + - name: fd.containerdirectory + type: keyword + description: Concatenation of the container ID and the directory name. + - name: fd.cproto + type: keyword + description: For TCP/UDP FDs, the client protocol. + - name: fd.sproto + type: keyword + description: For TCP/UDP FDs, the server protocol. + - name: fd.lproto + type: keyword + description: For TCP/UDP FDs, the local protocol. + - name: fd.rproto + type: keyword + description: For TCP/UDP FDs, the remote protocol. + - name: fd.connected + type: boolean + description: Denotes if the socket is connected for TCP/UDP FDs. + - name: fd.name_changed + type: boolean + description: Denotes if the name of an FD changes due to an event. + - name: fd.dev + type: integer + description: Device number containing the referenced file. + - name: fd.dev_major + type: integer + description: Major device number containing the referenced file. + - name: fd.dev_minor + type: integer + description: Minor device number containing the referenced file. + - name: fs.path.name + type: keyword + description: For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. 
+ - name: fs.path.source + type: keyword + description: For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. + - name: fs.path.target + type: keyword + description: For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. + - name: fdlist.names + type: keyword + description: For poll events, FD names in the fds argument. + - name: fdlist.cips + type: ip + description: For poll events, client IP addresses in the fds argument. + - name: fdlist.sips + type: ip + description: For poll events, server IP addresses in the fds argument. + - name: fdlist.cports + type: ip + description: For poll events / TCP/UDP FDs, client TCP/UDP ports in the fds argument. + - name: fdlist.sports + type: ip + description: For poll events, server TCP/UDP ports in the fds argument. + - name: client.ip + type: ip + description: Falco copy of the ECS field of the same name + - name: server.ip + type: ip + description: Falco copy of the ECS field of the same name + - name: source.ip + type: ip + description: Falco copy of the ECS field of the same name + - name: destination.ip + type: ip + description: Falco copy of the ECS field of the same name + - name: k8s.pod.sandbox_id + type: keyword + description: Truncated Kubernetes pod sandbox ID (first 12 characters). + - name: k8s.pod.full_sandbox_id + type: keyword + description: Full, non-truncated Kubernetes pod sandbox ID. + - name: k8s.pod.cni_json + type: object + description: Kubernetes CNI result field from the respective pod status info. 
+ object_type: keyword + - name: output + type: text + description: Preserved Falco field + - name: priority + type: keyword + description: Preserved Falco field + - name: rule + type: text + description: Preserved Falco field + - name: evt.num + type: integer + description: Preserved Falco field + - name: evt.time + type: date + description: Preserved Falco field + - name: evt.source + type: text + description: Preserved Falco field + - name: evt.hostname + type: text + description: Preserved Falco field + - name: proc.exepath + type: text + description: Preserved Falco field + - name: proc.pexepath + type: text + description: Preserved Falco field + - name: proc.name + type: text + description: Preserved Falco field + - name: proc.pname + type: text + description: Preserved Falco field + - name: proc.cmdline + type: text + description: Preserved Falco field + - name: proc.pcmdline + type: text + description: Preserved Falco field + - name: proc.cmdnargs + type: integer + description: Preserved Falco field + - name: proc.args + type: text + description: Preserved Falco field + - name: proc.env + type: text + description: Preserved Falco field + - name: proc.cwd + type: text + description: Preserved Falco field + - name: proc.ppid + type: integer + description: Preserved Falco field + - name: proc.vpid + type: integer + description: Preserved Falco field + - name: proc.pvpid + type: integer + description: Preserved Falco field + - name: proc.sid + type: integer + description: Preserved Falco field + - name: proc.sname + type: text + description: Preserved Falco field + - name: proc.sid.exepath + type: text + description: Preserved Falco field + - name: proc.vpgid + type: integer + description: Preserved Falco field + - name: proc.vpgid.name + type: text + description: Preserved Falco field + - name: proc.vpgid.exepath + type: text + description: Preserved Falco field + - name: proc.duration + type: text + description: Preserved Falco field + - name: 
proct.ppid.duration + type: text + description: Preserved Falco field + - name: proc.pid.ts + type: text + description: Preserved Falco field + - name: proc.ppid.ts + type: text + description: Preserved Falco field + - name: proc.is_sid_leader + type: boolean + description: Preserved Falco field + - name: proc.is_vpgid_leader + type: boolean + description: Preserved Falco field + - name: thread.cap_permitted + type: text + description: Preserved Falco field + - name: thread.cap_effective + type: text + description: Preserved Falco field + - name: thread.tid + type: integer + description: Preserved Falco field + - name: user.uid + type: integer + description: Preserved Falco field + - name: user.name + type: text + description: Preserved Falco field + - name: group.gid + type: integer + description: Preserved Falco field + - name: group.name + type: text + description: Preserved Falco field + - name: container.image.digest + type: text + description: Preserved Falco field + - name: container.image.tag + type: text + description: Preserved Falco field + - name: container.full_id + type: text + description: Preserved Falco field + - name: container.image.full_id + type: keyword + description: Full container image ID, enriched as part of the container engine enrichment. + - name: container.image.id + type: keyword + description: Container image ID. + - name: container.image.repository + type: keyword + description: The container image repository. 
+ - name: container.type + type: text + description: Preserved Falco field + - name: container.privileged + type: boolean + description: Preserved Falco field + - name: container.ip + type: text + description: Preserved Falco field + - name: container.image.name + type: text + description: Falco copy of the ECS field of the same name + - name: fd.directory + type: text + description: Preserved Falco field + - name: fd.filename + type: text + description: Preserved Falco field + - name: fd.cport + type: long + description: Preserved Falco field + - name: fd.sport + type: long + description: Preserved Falco field + - name: fd.lport + type: long + description: Preserved Falco field + - name: fd.rport + type: long + description: Preserved Falco field + - name: fd.cip.name + type: text + description: Preserved Falco field + - name: fd.sip.name + type: text + description: Preserved Falco field + - name: fd.lip.name + type: text + description: Preserved Falco field + - name: fd.rip.name + type: text + description: Preserved Falco field + - name: fd.ino + type: text + description: Preserved Falco field + - name: syslog.facility.str + type: text + description: Preserved Falco field + - name: syslog.facility + type: text + description: Preserved Falco field + - name: syslog.severity.str + type: text + description: Preserved Falco field + - name: syslog.severity + type: text + description: Preserved Falco field + - name: k8s.ns.name + type: text + description: Preserved Falco field + - name: k8s.pod.name + type: text + description: Preserved Falco field + - name: k8s.pod.uid + type: text + description: Preserved Falco field + - name: k8s.pod.labels + type: text + description: Preserved Falco field + - name: k8s.pod.ip + type: text + description: Preserved Falco field + - name: evt.category + type: text + description: Preserved Falco field + - name: evt.type + type: text + description: Preserved Falco field 
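Review bot: `fdlist.cports` and `fdlist.sports` are declared `type: ip` even though their own descriptions say they carry TCP/UDP ports, so the first poll-event alert that includes a port list will be rejected with a mapper parsing exception and that alert never reaches the index; map them like the other port fields in this file (`fd.cport` and friends use `long`), e.g. `- name: fdlist.cports` / `type: long`, or `keyword` if Falco emits the list as one delimited string — worth confirming against a real poll event. Two entries look like copy/paste slips: `proct.ppid.duration` is a typo for `proc.ppid.duration`, which this file already declares as `long`, so the duplicate should simply be dropped; and `proc.is_exe_from_memfd` repeats the overlayfs description, whereas the memfd case is the fileless-execution indicator analysts filter on and should read `Denotes if this process' executable file is backed by a memfd (anonymous in-memory file).` If `fd.I4proto` really has a capital I rather than the lowercase l of Falco's `fd.l4proto`, the incoming value will never match this mapping and, because `output_fields` is declared `dynamic: false`, will be stored unindexed. Minor: `thread.ismain` says "threat" where "thread" is meant.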
diff --git a/packages/falco/data_stream/alerts/manifest.yml b/packages/falco/data_stream/alerts/manifest.yml
new file mode 100644
index 00000000000..09b2d4ecb3d
--- /dev/null
+++ b/packages/falco/data_stream/alerts/manifest.yml
@@ -0,0 +1,80 @@
+title: "Falco Alerts"
+type: logs
+streams:
+ - input: tcp
+ enabled: false
+ template_path: tcp.yml.hbs
+ title: Syslog TCP input
+ description: Collect Falco alerts using syslog input over TCP
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: |
+ Bind address for the syslog listener. Use 0.0.0.0 to listen on all interfaces.
+ required: true
+ show_user: true
+ default: 0.0.0.0
+ - name: listen_port
+ type: text
+ title: Listen port
+ description: |
+ Bind port for the syslog listener.
+ required: true
+ show_user: true
+ default: 9030
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_falco_fields
+ required: true
+ show_user: true
+ title: Preserve Falco fields
+ description: Preserve Falco fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ # TODO we need to consider if this will work with a logfile set up for rotation
+ - input: logfile
+ template_path: logfile.yml.hbs
+ title: Logfile Input
+ description: Collect Falco Alerts using logfile input
+ enabled: false
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - /var/log/falco.log
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: preserve_falco_fields
+ required: true
+ show_user: true
+ title: Preserve Falco fields
+ description: Preserve Falco fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/falco/data_stream/alerts/sample_event.json b/packages/falco/data_stream/alerts/sample_event.json
new file mode 100644
index 00000000000..d6c18be971c
--- /dev/null
+++ b/packages/falco/data_stream/alerts/sample_event.json
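Review bot: The TCP syslog stream binds `0.0.0.0:9030` by default and this manifest exposes no TLS, client-certificate or source allow-list option, so any host that can reach the port can inject arbitrary syslog lines that the pipeline will store as Falco alerts, or simply flood the data stream. At minimum the `listen_address` description should warn operators: `Bind address for the syslog listener. Use 0.0.0.0 to listen on all interfaces. The listener accepts unauthenticated plaintext connections, so restrict network access to this port to the Falco Sidekick hosts.` If `tcp.yml.hbs` (not in this hunk) supports the TCP input's `ssl` settings, exposing them as a var here would let operators require TLS from Sidekick rather than relying on network placement alone. The `# TODO we need to consider if this will work with a logfile set up for rotation` comment ships in the package manifest as written; either resolve it before release or track it in an issue and note the rotation caveat in the logfile stream's description.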
@@ -0,0 +1,172 @@ +{ + "@timestamp": "2024-08-07T13:49:16.479Z", + "agent": { + "ephemeral_id": "e24920c4-6d15-4f8f-b432-f643a642b923", + "id": "3cce77a3-202d-48b6-955c-bde66f5021b2", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.1" + }, + "container": { + "id": "2ae6a7f15b6e", + "name": "elastic-package-service-10413-falco-event-generator-1" + }, + "data_stream": { + "dataset": "falco.alerts", + "namespace": "94205", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "3cce77a3-202d-48b6-955c-bde66f5021b2", + "snapshot": false, + "version": "8.14.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "falco.alerts", + "ingested": "2024-08-14T12:08:25Z", + "kind": "alert", + "original": "<5>2024-08-07T13:49:16Z a72f9a747cf8 Falco[1]: {\"uuid\":\"23716645-4d9d-4254-9429-2a287a9af199\",\"output\":\"2024-08-07T13:49:16.479964318+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3282684109/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\\u003cNA\\u003e aname[7]=\\u003cNA\\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \\u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell 
untrusted\",\"time\":\"2024-08-07T13:49:16.479964318Z\",\"output_fields\":{\"container.id\":\"2ae6a7f15b6e\",\"container.name\":\"elastic-package-service-10413-falco-event-generator-1\",\"evt.arg.flags\":\"EXE_WRITABLE\",\"evt.time.iso8601\":1723038556479964318,\"evt.type\":\"execve\",\"proc.aname[2]\":\"event-generator\",\"proc.aname[3]\":\"containerd-shim\",\"proc.aname[4]\":\"containerd-shim\",\"proc.aname[5]\":\"init\",\"proc.aname[6]\":null,\"proc.aname[7]\":null,\"proc.cmdline\":\"bash -c ls \\u003e /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator3282684109/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0},\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"hostname\":\"e822ea6618ae\"}", + "provider": "syscall", + "timezone": "+00:00" + }, + "event.category": [ + "process" + ], + "event.severity": 2, + "event.type": [ + "start" + ], + "falco": { + "hostname": "e822ea6618ae", + "output": "2024-08-07T13:49:16.479964318+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3282684109/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]= aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)", + "output_fields": { + "container": { + "id": "2ae6a7f15b6e", + "name": "elastic-package-service-10413-falco-event-generator-1" + }, + "evt": { + "arg": {}, + "time": { + "iso8601": 
1723038556479 + }, + "type": "execve" + }, + "proc": { + "cmdline": "bash -c ls > /dev/null", + "exepath": "/bin/bash", + "name": "bash", + "pcmdline": "httpd --loglevel info run ^helper.RunShell$", + "pexe": "/tmp/falco-event-generator3282684109/httpd", + "pexepath": "/bin/event-generator", + "pname": "httpd", + "tty": 0 + }, + "user": { + "loginuid": -1, + "name": "root", + "uid": "0" + } + }, + "priority": "Notice", + "rule": "Run shell untrusted", + "source": "syscall", + "tags": [ + "T1059.004", + "container", + "host", + "maturity_stable", + "mitre_execution", + "process", + "shell" + ], + "time": "2024-08-07T13:49:16.479964318Z", + "uuid": "23716645-4d9d-4254-9429-2a287a9af199" + }, + "falco.container.mounts": null, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "bec788532d91483489ff64145e57effe", + "ip": [ + "192.168.160.9" + ], + "mac": [ + "02-42-C0-A8-A0-09" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "6.6.12-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.6 LTS (Focal Fossa)" + } + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "192.168.160.5:34984" + }, + "syslog": { + "appname": "Falco", + "facility": { + "code": 0, + "name": "kernel" + }, + "hostname": "a72f9a747cf8", + "priority": 5, + "procid": "1", + "severity": { + "code": 5, + "name": "Notice" + } + } + }, + "observer": { + "hostname": "e822ea6618ae", + "product": "falco", + "type": "sensor", + "vendor": "sysdig" + }, + "process": { + "command_line": "bash -c ls > /dev/null", + "executable": "/bin/bash", + "name": "bash", + "parent": { + "command_line": "httpd --loglevel info run ^helper.RunShell$", + "executable": "/bin/event-generator", + "name": "httpd" + }, + "user": { + "id": "0", + "name": "root" + } + }, + "related": { + "hosts": [ + "e822ea6618ae" + ] + }, + "rule": { + "name": "Run shell 
untrusted" + }, + "tags": [ + "preserve_original_event", + "preserve_falco_fields" + ], + "threat.technique.id": [ + "T1059" + ], + "threat.technique.subtechnique.id": [ + "T1059.004" + ] +} \ No newline at end of file diff --git a/packages/falco/docs/README.md b/packages/falco/docs/README.md new file mode 100644 index 00000000000..8e8e1f5a901 --- /dev/null +++ b/packages/falco/docs/README.md 
@@ -0,0 +1,454 @@
+# Falco Integration
+This integration allows for the shipping of [Falco](https://falco.org/) alerts to Elastic for observability and organizational awareness. Alerts can then be analyzed by using either the dashboard included with the integration or via the creation of a custom dashboard within Kibana.
+
+## Data Streams
+The Falco integration collects one type of data stream: logs.
+
+**Logs** The Logs data stream collected by the Falco integration is comprised of Falco Alerts. See more details about Falco Alerts in [Falco's Outputs Documentation](https://falco.org/docs/outputs/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference)
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+Falco must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive fields output by Falco's rules. If a rule does not include a desired field the rule must be edited in Falco to add the field.
+
+This integration is compatible with Falco version 0.37 and above, and should not be expected to perform successfully in lower versions.
+
+## Setup
+
+For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
+
+In order to capture alerts from Falco you **must** configure Falco to output Alerts as JSON to one of the supported channels: [Logfile](#logfile-input) or [TCP Syslog](#tcp-syslog-input).
+
+**Required:** To configure Falco to output JSON, set the config properties `json_output=true` and `json_include_output_property=true` in Falco's config. See the examples in Falco's [Output Channels documentation](https://falco.org/docs/outputs/channels/#http-output).
+
+### Logfile Input
+
+The logfile input reads data from one or more Falco log files using the Elastic Agent. Use this input when the Elastic Agent will be deployed to the same machine as Falco or when Falco's log files are available via a mounted filesystem.
+
+To use this input Falco must be configured to output alerts to a log file. See Falco's [File Output](https://falco.org/docs/outputs/channels/#file-output) documentation for details.
+
+### TCP Syslog Input
+
+The TCP Syslog input allows the Elastic Agent to receive Falco Alerts via remote syslog. Use this input when you want to send data via [Falco Sidekick](https://github.com/falcosecurity/falcosidekick).
+
+To use this input you will need to deploy the Elastic Agent *first* and then configure and deploy Falco Sidekick to send Alerts to the Agent via Syslog. See [Syslog Output](https://github.com/falcosecurity/falcosidekick/blob/master/docs/outputs/syslog.md) and [Connecting Falco to Sidekick](https://github.com/falcosecurity/falcosidekick?tab=readme-ov-file#connect-falco) for more details.
+
+## Logs Reference
+
+### alerts
+
+Falco alerts can contain a multitude of various fields pertaining to the type of activity on the host machine.
+
+**Exported fields**
+
+| Field | Description | Type | Unit |
+|---|---|---|---|
+| @timestamp | Event timestamp with nanos. | date | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Preserved Falco field | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| event.dataset | Data stream / event dataset. | constant_keyword | |
+| event.module | The module the event belongs to. | constant_keyword | |
+| falco.container.mounts.dest | | keyword | |
+| falco.container.mounts.mode | | keyword | |
+| falco.container.mounts.propagation | | keyword | |
+| falco.container.mounts.rdrw | | keyword | |
+| falco.container.mounts.source | | keyword | |
+| falco.hostname | Required field for integration | keyword | |
+| falco.output | | text | |
+| falco.output_fields.client.ip | Falco copy of the ECS field of the same name | ip | |
+| falco.output_fields.container.cni_json | Container's CNI result field from the respective container status info. | object | |
+| falco.output_fields.container.duration | Number of nanoseconds since container.start_ts. | long | nanos |
+| falco.output_fields.container.full_id | Preserved Falco field | text | |
+| falco.output_fields.container.healthcheck | The container's health check. Will be N/A if no health check configured. | text | |
+| falco.output_fields.container.id | The truncated container ID (first 12 characters) extracted from the Linux cgroups by Falco within the kernel | keyword | |
+| falco.output_fields.container.image.digest | Preserved Falco field | text | |
+| falco.output_fields.container.image.full_id | Full container image ID, enriched as part of the container engine enrichment. | keyword | |
+| falco.output_fields.container.image.id | Container image ID. | keyword | |
+| falco.output_fields.container.image.name | Falco copy of the ECS field of the same name | text | |
+| falco.output_fields.container.image.repository | The container image repository. | keyword | |
+| falco.output_fields.container.image.tag | Preserved Falco field | text | |
+| falco.output_fields.container.ip | Preserved Falco field | text | |
+| falco.output_fields.container.liveness_probe | The container's liveness probe. Will be N/A if no liveness probe configured. | text | |
+| falco.output_fields.container.mounts | The raw text value for container mounts information | text | |
+| falco.output_fields.container.name | The container name | keyword | |
+| falco.output_fields.container.privileged | Preserved Falco field | boolean | |
+| falco.output_fields.container.readiness_probe | The container's readiness probe. Will be N/A if no readiness probe configured. | text | |
+| falco.output_fields.container.start_ts | Container start as epoch timestamp. | date_nanos | |
+| falco.output_fields.container.type | Preserved Falco field | text | |
+| falco.output_fields.destination.ip | Falco copy of the ECS field of the same name | ip | |
+| falco.output_fields.evt.abspath | Calculated absolute path. | text | |
+| falco.output_fields.evt.abspath_dst | Destination of the absolute path. | text | |
+| falco.output_fields.evt.abspath_src | Source of the absolute path. | text | |
+| falco.output_fields.evt.arg.flags | Preserved Falco field | text | |
+| falco.output_fields.evt.args | Aggregated string of all event arguments. | text | |
+| falco.output_fields.evt.asynctype | The type of event, if asyncronous. | keyword | |
+| falco.output_fields.evt.buffer | Binary buffer for events which have one. | binary | |
+| falco.output_fields.evt.buflen | Length of the binary buffer, if applicable. | unsigned_long | |
+| falco.output_fields.evt.category | Preserved Falco field | text | |
+| falco.output_fields.evt.count.error | Returns 1 for events that returned with an error | integer | |
+| falco.output_fields.evt.count.error_file | Returns 1 for events that returned with an error and are related to file I/O | integer | |
+| falco.output_fields.evt.count.error_memory | Returns 1 for events that returned with an error and are related to memory allocation. | integer | |
+| falco.output_fields.evt.count.error_net | Returns 1 for events that returned with an error and are related to network I/O | integer | |
+| falco.output_fields.evt.count.error_other | Returns 1 for events that returned with an error and are related to none of the previous categories. | integer | |
+| falco.output_fields.evt.count.exit | Returns 1 for exit events. | integer | |
+| falco.output_fields.evt.cpu | Number of the CPU where the event occurred. | integer | |
+| falco.output_fields.evt.deltatime | Delta between current event and previous. | long | nanos |
+| falco.output_fields.evt.dir | Either an enter event (\>) or an exit event (\<). | keyword | |
+| falco.output_fields.evt.failed | Denotes if the event returned an error status. | boolean | |
+| falco.output_fields.evt.hostname | Preserved Falco field | text | |
+| falco.output_fields.evt.info | Contains either the event arguments, or the data decoded from them. | text | |
+| falco.output_fields.evt.io_dir | Type based on whether the event reads from or writes to FDs. | keyword | |
+| falco.output_fields.evt.is_async | Denotes whether the event is async or not. | boolean | |
+| falco.output_fields.evt.is_io | Denotes events that read or write to FDs. | boolean | |
+| falco.output_fields.evt.is_io_read | Denotes events that read from FDs. | boolean | |
+| falco.output_fields.evt.is_io_write | Denotes events that write to FDs. | boolean | |
+| falco.output_fields.evt.is_open_create | Denotes whether or not a file was created for open/openat/openat2/open_by_handle_at events. | boolean | |
+| falco.output_fields.evt.is_open_exec | Denotes whether or not a file was created with execute permissions for open/openat/openat2/open_by_handle_at or create events. | boolean | |
+| falco.output_fields.evt.is_open_read | Denotes whether or not the path was opened for reading for open/openat/openat2/open_by_handle_at events. | boolean | |
+| falco.output_fields.evt.is_open_write | Denotes whether or not the path was opened for writing for open/openat/openat2/open_by_handle_at events. | boolean | |
+| falco.output_fields.evt.is_syslog | Denotes events that are written to /dev/log | boolean | |
+| falco.output_fields.evt.is_wait | Denotes events that force the thread to wait. | boolean | |
+| falco.output_fields.evt.latency | Delta between an exit event and corresponding enter event. | long | nanos |
+| falco.output_fields.evt.num | Preserved Falco field | integer | |
+| falco.output_fields.evt.plugininfo | Summary of the event if it came from a plugin-defined event source. | text | |
+| falco.output_fields.evt.pluginname | Name of the plugin that generated the event (if applicable). | keyword | |
+| falco.output_fields.evt.rawres | Return value of the event, as a number. | long | |
+| falco.output_fields.evt.res | Return value of the event. | text | |
+| falco.output_fields.evt.source | Preserved Falco field | text | |
+| falco.output_fields.evt.time | Preserved Falco field | date | |
+| falco.output_fields.evt.time.iso8601 | Time event occurred | date | |
+| falco.output_fields.evt.type | Preserved Falco field | text | |
+| falco.output_fields.evt.wait_latency | Time spent waiting for events to return, in cases where the thread is forced to wait. | long | nanos |
+| falco.output_fields.fd.I4proto | The IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'. | keyword | |
+| falco.output_fields.fd.cip.name | Preserved Falco field | text | |
+| falco.output_fields.fd.connected | Denotes if the socket is connected for TCP/UDP FDs. | boolean | |
+| falco.output_fields.fd.containerdirectory | Concatenation of the container ID and the directory name. | keyword | |
+| falco.output_fields.fd.containername | Concatenation of the container ID and the FD name. | keyword | |
+| falco.output_fields.fd.cport | Preserved Falco field | long | |
+| falco.output_fields.fd.cproto | For TCP/UDP FDs, the client protocol. | keyword | |
+| falco.output_fields.fd.dev | Device number containing the referenced file. | integer | |
+| falco.output_fields.fd.dev_major | Major device number containing the referenced file. | integer | |
+| falco.output_fields.fd.dev_minor | Minor device number containing the referenced file. | integer | |
+| falco.output_fields.fd.directory | Preserved Falco field | text | |
+| falco.output_fields.fd.filename | Preserved Falco field | text | |
+| falco.output_fields.fd.ino | Preserved Falco field | text | |
+| falco.output_fields.fd.is_server | Denotes if process owning the FD is the server endpoint in the connection. | boolean | |
+| falco.output_fields.fd.lip.name | Preserved Falco field | text | |
+| falco.output_fields.fd.lport | Preserved Falco field | long | |
+| falco.output_fields.fd.lproto | For TCP/UDP FDs, the local protocol. | keyword | |
+| falco.output_fields.fd.name | FD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple. | text | |
+| falco.output_fields.fd.name_changed | Denotes if the name of an FD changes due to an event. | boolean | |
+| falco.output_fields.fd.num | Unique number identifying the file descriptor. | long | |
+| falco.output_fields.fd.rip.name | Preserved Falco field | text | |
+| falco.output_fields.fd.rport | Preserved Falco field | long | |
+| falco.output_fields.fd.rproto | For TCP/UDP FDs, the remote protocol. | keyword | |
+| falco.output_fields.fd.sip.name | Preserved Falco field | text | |
+| falco.output_fields.fd.sockfamily | The socket family for socket events. Can be 'ip' or 'unix'. | keyword | |
+| falco.output_fields.fd.sport | Preserved Falco field | long | |
+| falco.output_fields.fd.sproto | For TCP/UDP FDs, the server protocol. | keyword | |
+| falco.output_fields.fd.type | Type of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' 'signalfd' or 'memfd'. | keyword | |
+| falco.output_fields.fd.typechar | Type of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'b' for bpf, 'u' for userfaultd, 'r' for io_uring, 'm' for memfd ,'o' for unknown. | keyword | |
+| falco.output_fields.fd.uid | Unique identifier for the FD, created from the FD number and thread ID. | keyword | |
+| falco.output_fields.fdlist.cips | For poll events, client IP addresses in the fds argument. | ip | |
+| falco.output_fields.fdlist.cports | For poll events / TCP/UDP FDs, client TCP/UDP ports in the fds argument. | ip | |
+| falco.output_fields.fdlist.names | For poll events, FD names in the fds argument. | keyword | |
+| falco.output_fields.fdlist.sips | For poll events, server IP addresses in the fds argument. | ip | |
+| falco.output_fields.fdlist.sports | For poll events, server TCP/UDP ports in the fds argument. | ip | |
+| falco.output_fields.fs.path.name | For any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | keyword | |
+| falco.output_fields.fs.path.source | For any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | keyword | |
+| falco.output_fields.fs.path.target | For any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed. | keyword | |
+| falco.output_fields.group.gid | Preserved Falco field | integer | |
+| falco.output_fields.group.name | Preserved Falco field | text | |
+| falco.output_fields.k8s.ns.name | Preserved Falco field | text | |
+| falco.output_fields.k8s.pod.cni_json | Kubernetes CNI result field from the respective pod status info. | object | |
+| falco.output_fields.k8s.pod.full_sandbox_id | Full, non-truncated Kubernetes pod sandbox ID. | keyword | |
+| falco.output_fields.k8s.pod.ip | Preserved Falco field | text | |
+| falco.output_fields.k8s.pod.labels | Preserved Falco field | text | |
+| falco.output_fields.k8s.pod.name | Preserved Falco field | text | |
+| falco.output_fields.k8s.pod.sandbox_id | Truncated Kubernetes pod sandbox ID (first 12 characters). | keyword | |
+| falco.output_fields.k8s.pod.uid | Preserved Falco field | text | |
+| falco.output_fields.output | Preserved Falco field | text | |
+| falco.output_fields.priority | Preserved Falco field | keyword | |
+| falco.output_fields.proc.args | Preserved Falco field | text | |
+| falco.output_fields.proc.cmdlenargs | Total length of command line args, excluding whitespace. | long | |
+| falco.output_fields.proc.cmdline | Preserved Falco field | text | |
+| falco.output_fields.proc.cmdnargs | Preserved Falco field | integer | |
+| falco.output_fields.proc.cwd | Preserved Falco field | text | |
+| falco.output_fields.proc.duration | Preserved Falco field | text | |
+| falco.output_fields.proc.env | Preserved Falco field | text | |
+| falco.output_fields.proc.exe | First command line argument, collected from args. | text | |
+| falco.output_fields.proc.exe_ino | The inode number of the executable file on disk. | long | |
+| falco.output_fields.proc.exe_ino_ctime | Last status change of executable file as epoch timestamp. | date_nanos | |
+| falco.output_fields.proc.exe_ino_ctime_duration_pidns_start | Number of nanoseconds between PID namespace start ts and ctime exe file if PID namespace start predates ctime. | long | |
+| falco.output_fields.proc.exe_ino_ctime_duration_proc_start | Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image. | long | |
+| falco.output_fields.proc.exe_ino_mtime | Last modification time of executable file as epoch timestamp. | date_nanos | |
+| falco.output_fields.proc.exeline | Full command line, with exe as first argument. | text | |
+| falco.output_fields.proc.exepath | Preserved Falco field | text | |
+| falco.output_fields.proc.fdopencount | Number of open FDs for the process. | unsigned_long | |
+| falco.output_fields.proc.fdopenlimit | Maximum number of FDs the process can open. | long | |
+| falco.output_fields.proc.fdusage | Ratio between open FDs and maximum available FDs for the process. | double | |
+| falco.output_fields.proc.is_container_healthcheck | Denotes if this process is running as a part of the container's health check. | boolean | |
+| falco.output_fields.proc.is_container_liveness_probe | Denotes if this process is running as a part of the container's liveness probe. | boolean | |
+| falco.output_fields.proc.is_container_readiness_probe | Denotes if this process is running as a part of the container's readiness probe. | boolean | |
+| falco.output_fields.proc.is_exe_from_memfd | Denotes if this process' executable file is in upper layer in overlayfs. | boolean | |
+| falco.output_fields.proc.is_exe_upper_layer | Denotes if this process' executable file is in upper layer in overlayfs. | boolean | |
+| falco.output_fields.proc.is_exe_writable | Denotes if this process' executable file is writable by the same user that spawned the process. | boolean | |
+| falco.output_fields.proc.is_sid_leader | Preserved Falco field | boolean | |
+| falco.output_fields.proc.is_vpgid_leader | Preserved Falco field | boolean | |
+| falco.output_fields.proc.loginshellid | PID of the oldest shell among the ancestors of the current process, if applicable. | long | |
+| falco.output_fields.proc.name | Preserved Falco field | text | |
+| falco.output_fields.proc.nchilds | Number of alive (not leader) threads in the process generating the event currently has, excluding the leader thread. | unsigned_long | |
+| falco.output_fields.proc.nthreads | Number of alive threads in the process generating the event currently has, including the leader thread. | unsigned_long | |
+| falco.output_fields.proc.pcmdline | Preserved Falco field | text | |
+| falco.output_fields.proc.pexe | First command line argument of the parent process. | text | |
+| falco.output_fields.proc.pexepath | Preserved Falco field | text | |
+| falco.output_fields.proc.pid.ts | Preserved Falco field | text | |
+| falco.output_fields.proc.pidns_init_start_ts | Start of PID namespace as epoch timestamp. | date_nanos | |
+| falco.output_fields.proc.pname | Preserved Falco field | text | |
+| falco.output_fields.proc.ppid | Preserved Falco field | integer | |
+| falco.output_fields.proc.ppid.duration | Preserved Falco field | long | |
+| falco.output_fields.proc.ppid.ts | Preserved Falco field | text | |
+| falco.output_fields.proc.pvpid | Preserved Falco field | integer | |
+| falco.output_fields.proc.sid | Preserved Falco field | integer | |
+| falco.output_fields.proc.sid.exe | First command line argument of the current process's session leader. | text | |
+| falco.output_fields.proc.sid.exepath | Preserved Falco field | text | |
+| falco.output_fields.proc.sname | Preserved Falco field | text | |
+| falco.output_fields.proc.thread.cap_inheritable | Set of inheritable capabilities set. | keyword | |
+| falco.output_fields.proc.tty | Controlling terminal of the process. | long | |
+| falco.output_fields.proc.vmrss | Resident non-swapped memory for the process. | unsigned_long | byte |
+| falco.output_fields.proc.vmsize | Total virtual memory for the process. | unsigned_long | byte |
+| falco.output_fields.proc.vmswap | Swapped memory for the process. | unsigned_long | |
+| falco.output_fields.proc.vpgid | Preserved Falco field | integer | |
+| falco.output_fields.proc.vpgid.exe | First command line argument of the current process's group leader. | text | |
+| falco.output_fields.proc.vpgid.exepath | Preserved Falco field | text | |
+| falco.output_fields.proc.vpgid.name | Preserved Falco field | text | |
+| falco.output_fields.proc.vpid | Preserved Falco field | integer | |
+| falco.output_fields.process.group_leader.vpid | Preserved Falco field | long | |
+| falco.output_fields.process.parent.pid | Preserved Falco field | long | |
+| falco.output_fields.process.pid | Preserved Falco field | long | |
+| falco.output_fields.process.session_leader.pid | Preserved Falco field | long | |
+| falco.output_fields.proct.ppid.duration | Preserved Falco field | text | |
+| falco.output_fields.rule | Preserved Falco field | text | |
+| falco.output_fields.server.ip | Falco copy of the ECS field of the same name | ip | |
+| falco.output_fields.source.ip | Falco copy of the ECS field of the same name | ip | |
+| falco.output_fields.syslog.facility | Preserved Falco field | text | |
+| falco.output_fields.syslog.facility.str | Preserved Falco field | text | |
+| falco.output_fields.syslog.severity | Preserved Falco field | text | |
+| falco.output_fields.syslog.severity.str | Preserved Falco field | text | |
+| falco.output_fields.thread.cap_effective | Preserved Falco field | text | |
+| falco.output_fields.thread.cap_permitted | Preserved Falco field | text | |
+| falco.output_fields.thread.cgroups | Aggregated string of cgroups the thread belongs to. | flattened | |
+| falco.output_fields.thread.cpu | CPU consumed by the thread in the last second. | double | |
+| falco.output_fields.thread.cpu_system | The system CPU consumed by the thread in the last second. | double | |
+| falco.output_fields.thread.cpu_user | The user CPU consumed by the thread in the last second. | double | |
+| falco.output_fields.thread.exectime | CPU time spent by last scheduled thread. | long | nanos |
+| falco.output_fields.thread.ismain | Denotes if the threat generating the event is the main one in the process. | boolean | |
+| falco.output_fields.thread.pfmajor | Number of major page faults since thread start. | unsigned_long | |
+| falco.output_fields.thread.pfminor | Number of minor page faults since thread start. | unsigned_long | |
+| falco.output_fields.thread.tid | Preserved Falco field | integer | |
+| falco.output_fields.thread.totalexectime | Total CPU time for the current thread since the beginning of the capture. | long | nanos |
+| falco.output_fields.thread.vmrss | Resident non-swapped memory for the process' main thread. Non-main threads will appear as zero. | unsigned_long | |
+| falco.output_fields.thread.vmsize | Total virtual memory for the process' main thread. Non-main threads will appear as zero. | unsigned_long | |
+| falco.output_fields.thread.vtid | The ID of the thread generating the event as seen from its current PID namespace. | long | |
+| falco.output_fields.user.homedir | Home directory of the user. | text | |
+| falco.output_fields.user.loginname | Audit user name. | keyword | |
+| falco.output_fields.user.loginuid | Audit user ID. If an invalid UID is encountered, returns -1. | long | |
+| falco.output_fields.user.name | Preserved Falco field | text | |
+| falco.output_fields.user.shell | User's shell. | keyword | |
+| falco.output_fields.user.uid | Preserved Falco field | integer | |
+| falco.priority | Falco alert priority | keyword | |
+| falco.rule | Name of the Falco rule that triggered the alert | keyword | |
+| falco.source | Preserved Falco field | keyword | |
+| falco.tags | Preserved Falco field | keyword | |
+| falco.time | Preserved Falco field | date | |
+| falco.uuid | Preserved Falco field | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| input.type | Input type | keyword | |
+| log.offset | Log offset | long | |
+| log.source.address | Log source when collecting via TCP input | keyword | |
+| process.group.id | Preserved Falco field | text | |
+| process.group.name | Preserved Falco field | text | |
+
+
+An example event for `alerts` looks as following:
+
+```json
+{
+ "@timestamp": "2024-08-07T13:49:16.479Z",
+ "agent": {
+ "ephemeral_id": "e24920c4-6d15-4f8f-b432-f643a642b923",
+ "id": "3cce77a3-202d-48b6-955c-bde66f5021b2",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "container": {
+ "id": "2ae6a7f15b6e",
+ "name": "elastic-package-service-10413-falco-event-generator-1"
+ },
+ "data_stream": {
+ "dataset": "falco.alerts",
+ "namespace": "94205",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "elastic_agent": {
+ "id": "3cce77a3-202d-48b6-955c-bde66f5021b2",
+ "snapshot": false,
+ "version": "8.14.1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "falco.alerts",
+ "ingested": "2024-08-14T12:08:25Z",
+ "kind": "alert",
+ "original": "<5>2024-08-07T13:49:16Z a72f9a747cf8 Falco[1]: {\"uuid\":\"23716645-4d9d-4254-9429-2a287a9af199\",\"output\":\"2024-08-07T13:49:16.479964318+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3282684109/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]=\\u003cNA\\u003e aname[7]=\\u003cNA\\u003e evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls \\u003e /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell untrusted\",\"time\":\"2024-08-07T13:49:16.479964318Z\",\"output_fields\":{\"container.id\":\"2ae6a7f15b6e\",\"container.name\":\"elastic-package-service-10413-falco-event-generator-1\",\"evt.arg.flags\":\"EXE_WRITABLE\",\"evt.time.iso8601\":1723038556479964318,\"evt.type\":\"execve\",\"proc.aname[2]\":\"event-generator\",\"proc.aname[3]\":\"containerd-shim\",\"proc.aname[4]\":\"containerd-shim\",\"proc.aname[5]\":\"init\",\"proc.aname[6]\":null,\"proc.aname[7]\":null,\"proc.cmdline\":\"bash -c ls \\u003e /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator3282684109/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0},\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"hostname\":\"e822ea6618ae\"}",
+ "provider": "syscall",
+ "timezone": "+00:00"
+ },
+ "event.category": [
+ "process"
+ ],
+ "event.severity": 2,
+ "event.type": [
+ "start"
+ ],
+ "falco": {
+ "hostname": "e822ea6618ae",
+ "output": "2024-08-07T13:49:16.479964318+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3282684109/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=containerd-shim aname[5]=init aname[6]= aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=2ae6a7f15b6e container_name=elastic-package-service-10413-falco-event-generator-1)",
+ "output_fields": {
+ "container": {
+ "id": "2ae6a7f15b6e",
+ "name": "elastic-package-service-10413-falco-event-generator-1"
+ },
+ "evt": {
+ "arg": {},
+ "time": {
+ "iso8601": 1723038556479
+ },
+ "type": "execve"
+ },
+ "proc": {
+ "cmdline": "bash -c ls > /dev/null",
+ "exepath": "/bin/bash",
+ "name": "bash",
+ "pcmdline": "httpd --loglevel info run ^helper.RunShell$",
+ "pexe": "/tmp/falco-event-generator3282684109/httpd",
+ "pexepath": "/bin/event-generator",
+ "pname": "httpd",
+ "tty": 0
+ },
+ "user": {
+ "loginuid": -1,
+ "name": "root",
+ "uid": "0"
+ }
+ },
+ "priority": "Notice",
+ "rule": "Run shell untrusted",
+ "source": "syscall",
+ "tags": [
+ "T1059.004",
+ "container",
+ "host",
+ "maturity_stable",
+ "mitre_execution",
+ "process",
+ "shell"
+ ],
+ "time": "2024-08-07T13:49:16.479964318Z",
+ "uuid": "23716645-4d9d-4254-9429-2a287a9af199"
+ },
+ "falco.container.mounts": null,
+ "host": {
+ "architecture": "aarch64",
+ "containerized": false,
+ "hostname": "docker-fleet-agent",
+ "id": "bec788532d91483489ff64145e57effe",
+ "ip": [
+ "192.168.160.9"
+ ],
+ "mac": [
+ "02-42-C0-A8-A0-09"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "focal",
+ "family": "debian",
+ "kernel": "6.6.12-linuxkit",
+ "name": "Ubuntu",
+ "platform": "ubuntu",
+ "type": "linux",
+ "version": "20.04.6 LTS (Focal Fossa)"
+ }
+ },
+ "input": {
+ "type": "tcp"
+ },
+ "log": {
+ "source": {
+ "address": "192.168.160.5:34984"
+ },
+ "syslog": {
+ "appname": "Falco",
+ "facility": {
+ "code": 0,
+ "name": "kernel"
+ },
+ "hostname": "a72f9a747cf8",
+ "priority": 5,
+ "procid": "1",
+ "severity": {
+ "code": 5,
+ "name": "Notice"
+ }
+ }
+ },
+ "observer": {
+ "hostname": "e822ea6618ae",
+ "product": "falco",
+ "type": "sensor",
+ "vendor": "sysdig"
+ },
+ "process": {
+ "command_line": "bash -c ls > /dev/null",
+ "executable": "/bin/bash",
+ "name": "bash",
+ "parent": {
+ "command_line": "httpd --loglevel info run ^helper.RunShell$",
+ "executable": "/bin/event-generator",
+ "name": "httpd"
+ },
+ "user": {
+ "id": "0",
+ "name": "root"
+ }
+ },
+ "related": {
+ "hosts": [
+ "e822ea6618ae"
+ ]
+ },
+ "rule": {
+ "name": "Run shell untrusted"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_falco_fields"
+ ],
+ "threat.technique.id": [
+ "T1059"
+ ],
+ "threat.technique.subtechnique.id": [
+ "T1059.004"
+ ]
+}
+```
diff --git a/packages/falco/img/falco-application-dashboard-screenshot.png b/packages/falco/img/falco-application-dashboard-screenshot.png
new file mode 100644
index 00000000000..fd3883fd688
Binary files /dev/null and b/packages/falco/img/falco-application-dashboard-screenshot.png differ
diff --git a/packages/falco/img/falco-stacked-color.svg b/packages/falco/img/falco-stacked-color.svg
new file mode 100644
index 00000000000..918ef9989a1
--- /dev/null
+++ b/packages/falco/img/falco-stacked-color.svg
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/packages/falco/kibana/dashboard/falco-872f3c48-4d4c-4bf3-a13c-1250743bf925.json b/packages/falco/kibana/dashboard/falco-872f3c48-4d4c-4bf3-a13c-1250743bf925.json
new file mode 100644
index 00000000000..71468fb9e6a
--- /dev/null
+++ b/packages/falco/kibana/dashboard/falco-872f3c48-4d4c-4bf3-a13c-1250743bf925.json
@@ -0,0 +1,857 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "falco.alerts" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "falco.alerts" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Overview\nThis dashboard provides information about the Security Alerts collected by the Falco Integration.\n\nAlerts are broken down by category, source, and type of alert. 
Further investigation into the details of the individual alerts can be done via the Alert Stream display.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 15, + "i": "870875bc-884a-406f-b6dd-ca138e99da77", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "870875bc-884a-406f-b6dd-ca138e99da77", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-bbf1e7a8-220a-4a72-8dff-78ef0a8d76bb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "bbf1e7a8-220a-4a72-8dff-78ef0a8d76bb": { + "columnOrder": [ + "90da6505-2367-4d02-9d85-4da350e8e307", + "01243ee2-1881-4d87-98fa-bf23cbec4b05" + ], + "columns": { + "01243ee2-1881-4d87-98fa-bf23cbec4b05": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "90da6505-2367-4d02-9d85-4da350e8e307": { + "customLabel": false, + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "01243ee2-1881-4d87-98fa-bf23cbec4b05" + ], + "layerId": "bbf1e7a8-220a-4a72-8dff-78ef0a8d76bb", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "90da6505-2367-4d02-9d85-4da350e8e307" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "showCurrentTimeMarker": false, + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "2078f109-fccb-4018-9b2b-7fa09d8b191b", + "w": 18, + "x": 12, + "y": 0 + }, + "panelIndex": "2078f109-fccb-4018-9b2b-7fa09d8b191b", + "title": "Alerts Over Time [Logs Falco]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4e4bbe76-095b-4148-ba0f-c4c625d30465", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "4e4bbe76-095b-4148-ba0f-c4c625d30465": { + "columnOrder": [ + "5d123347-d60c-4a2b-8002-6ea4ae924f3d", + "3611606c-ab44-4c6e-8019-08de30e25835", + "95aa1257-f7d8-41c1-8dba-4fb75f70750f" + ], + "columns": { + "3611606c-ab44-4c6e-8019-08de30e25835": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "5d123347-d60c-4a2b-8002-6ea4ae924f3d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": 
{ + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "fallback": false, + "type": "alphabetical" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "95aa1257-f7d8-41c1-8dba-4fb75f70750f": { + "customLabel": true, + "dataType": "date", + "filter": { + "language": "kuery", + "query": "\"@timestamp\": * AND data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Most recent alert", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "5d123347-d60c-4a2b-8002-6ea4ae924f3d", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "3611606c-ab44-4c6e-8019-08de30e25835", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "95aa1257-f7d8-41c1-8dba-4fb75f70750f", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "4e4bbe76-095b-4148-ba0f-c4c625d30465", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4c13b099-95cf-40ff-9a94-c762e939862a", + "w": 18, + "x": 30, + "y": 0 + }, + "panelIndex": "4c13b099-95cf-40ff-9a94-c762e939862a", + "title": "Alerts by Host - Top 10 [Logs Falco]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-layer-ec8cc475-7057-4045-832a-6b54d1d6071a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ec8cc475-7057-4045-832a-6b54d1d6071a": { + "columnOrder": [ + "35ff8775-b18b-41fa-a428-c60022381960", + "4256234f-298f-42e3-9ae1-27e3447766ec", + "d95f2f80-b600-46ce-8aed-32691d06d4d9" + ], + "columns": { + "35ff8775-b18b-41fa-a428-c60022381960": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pod Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4256234f-298f-42e3-9ae1-27e3447766ec", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "orchestrator.resource.name" + }, + "4256234f-298f-42e3-9ae1-27e3447766ec": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d95f2f80-b600-46ce-8aed-32691d06d4d9": { + "customLabel": true, + "dataType": "date", + "filter": { + "language": "kuery", + "query": "\"@timestamp\": * AND data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Most Recent Alert", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + 
"layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "35ff8775-b18b-41fa-a428-c60022381960", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "4256234f-298f-42e3-9ae1-27e3447766ec", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "d95f2f80-b600-46ce-8aed-32691d06d4d9", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "ec8cc475-7057-4045-832a-6b54d1d6071a", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "9bcb127d-f1a7-4d3d-9a67-aa5e64e27c72", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "9bcb127d-f1a7-4d3d-9a67-aa5e64e27c72", + "title": "Alerts by Pod - Top 10 [Logs Falco]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3262928f-5119-4364-a33d-048d27242eeb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "3262928f-5119-4364-a33d-048d27242eeb": { + "columnOrder": [ + "ce1b6a9d-3334-493a-a415-7ff3d36a7fe3", + "98fd896d-54ea-4371-966e-ed1106be2213" + ], + "columns": { + "98fd896d-54ea-4371-966e-ed1106be2213": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"falco.alerts\" " + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ce1b6a9d-3334-493a-a415-7ff3d36a7fe3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Priority", + "operationType": "terms", + 
"params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "98fd896d-54ea-4371-966e-ed1106be2213", + "type": "column" + }, + "orderDirection": "asc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 8 + }, + "scale": "ordinal", + "sourceField": "falco.priority" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "3262928f-5119-4364-a33d-048d27242eeb", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "98fd896d-54ea-4371-966e-ed1106be2213" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "ce1b6a9d-3334-493a-a415-7ff3d36a7fe3" + ] + } + ], + "palette": { + "name": "default", + "type": "palette" + }, + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "3e25fb05-fb7a-46c8-a37e-5e0059d7c579", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "3e25fb05-fb7a-46c8-a37e-5e0059d7c579", + "title": "Alerts by Priority - Top 10 [Logs Falco]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a138435d-cbd0-4df4-bbfe-a090a3de9712", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a138435d-cbd0-4df4-bbfe-a090a3de9712": { + "columnOrder": [ + "307f4068-04d1-4c02-b2de-a3df4bda390a", + 
"5040a1cb-ef05-45b1-a9d5-48daee48a2ae" + ], + "columns": { + "307f4068-04d1-4c02-b2de-a3df4bda390a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "5040a1cb-ef05-45b1-a9d5-48daee48a2ae": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "307f4068-04d1-4c02-b2de-a3df4bda390a", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "5040a1cb-ef05-45b1-a9d5-48daee48a2ae", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "a138435d-cbd0-4df4-bbfe-a090a3de9712", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "f87c7e28-2bd7-4672-b85c-a87aa09097c6", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "f87c7e28-2bd7-4672-b85c-a87aa09097c6", + "title": 
"Rules Triggered - Top 10 [Logs Falco]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "event.original", + "process.name", + "event.severity", + "rule.name" + ], + "grid": { + "columns": { + "event.original": { + "width": 695 + } + } + }, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"falco.alerts\"" + } + } + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "rowsPerPage": 25, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "usesAdHocDataView": false + }, + "description": "", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "783e0fa2-9820-4c87-8a69-c3b744b67dd6", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "783e0fa2-9820-4c87-8a69-c3b744b67dd6", + "title": "Alert Stream [Logs Falco]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Falco] Alerts Overview", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-07-18T16:22:11.284Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "falco-872f3c48-4d4c-4bf3-a13c-1250743bf925", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2078f109-fccb-4018-9b2b-7fa09d8b191b:indexpattern-datasource-layer-bbf1e7a8-220a-4a72-8dff-78ef0a8d76bb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4c13b099-95cf-40ff-9a94-c762e939862a:indexpattern-datasource-layer-4e4bbe76-095b-4148-ba0f-c4c625d30465", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"9bcb127d-f1a7-4d3d-9a67-aa5e64e27c72:indexpattern-datasource-layer-ec8cc475-7057-4045-832a-6b54d1d6071a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3e25fb05-fb7a-46c8-a37e-5e0059d7c579:indexpattern-datasource-layer-3262928f-5119-4364-a33d-048d27242eeb", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f87c7e28-2bd7-4672-b85c-a87aa09097c6:indexpattern-datasource-layer-a138435d-cbd0-4df4-bbfe-a090a3de9712", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "783e0fa2-9820-4c87-8a69-c3b744b67dd6:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/falco/kibana/search/falco-f0d52d00-50cb-4b23-8755-c6966a30462b.json b/packages/falco/kibana/search/falco-f0d52d00-50cb-4b23-8755-c6966a30462b.json new file mode 100644 index 00000000000..2bb93c10150 --- /dev/null +++ b/packages/falco/kibana/search/falco-f0d52d00-50cb-4b23-8755-c6966a30462b.json 
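Review bot: The "Alerts by Host - Top 10" table sorts its terms bucket alphabetically (`"orderBy": { "fallback": false, "type": "alphabetical" }` with `"orderDirection": "asc"`), so once more than ten hosts report it shows the first ten by name plus an Other bucket rather than the noisiest hosts the title promises; ordering by the count column as the Pod and Rule panels do would match the title: `"orderBy": { "columnId": "3611606c-ab44-4c6e-8019-08de30e25835", "type": "column" }` and `"orderDirection": "desc"`. The "Alerts by Priority - Top 10" pie has the mirror problem, `"size": 8` sorted `"asc"` by count, so either its title or its sort should change. The exported object also keeps `"created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"` (which looks like a Kibana user-profile id from the exporting cluster) and `"created_at"`, and is `"managed": false` while the saved search in the next hunk is `"managed": true`; dropping the export-only fields and choosing one `managed` value would make the two assets consistent. The line chart's internal `"title": "Empty XY chart"` is a leftover default, harmless but worth clearing.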
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "columns": [
+ "event.original",
+ "process.name",
+ "event.severity",
+ "rule.name"
+ ],
+ "description": "An updating stream of raw events from Falco",
+ "grid": {
+ "columns": {
+ "event.original": {
+ "width": 695
+ }
+ }
+ },
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"falco.alerts\""
+ }
+ }
+ },
+ "rowsPerPage": 25,
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "Raw Alert Stream [Logs Falco]",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-07-16T17:23:55.934Z",
+ "id": "falco-f0d52d00-50cb-4b23-8755-c6966a30462b",
+ "managed": true,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "8.0.0"
+}
\ No newline at end of file
diff --git a/packages/falco/manifest.yml b/packages/falco/manifest.yml
new file mode 100644
index 00000000000..d57598231f0
--- /dev/null
+++ b/packages/falco/manifest.yml
@@ -0,0 +1,40 @@
+format_version: 3.1.2
+name: falco
+title: Falco
+version: 0.1.0
+description: Collect events and alerts from Falco using Elastic Agent
+type: integration
+categories:
+ - containers
+ - kubernetes
+ - monitoring
+ - security
+conditions:
+ kibana:
+ version: "^8.13.3"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/falco-application-dashboard-screenshot.png
+ title: Screenshot of main Falco dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/falco-stacked-color.svg
+ title: Falco logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: falco
+ title: Falco Alerts
+ description: Collect Alerts from Falco using Elastic Agent
+ inputs:
+ - type: tcp
+ title: Collect Falco Alerts via TCP
+ description: Collect Falco Alerts via TCP input
+ - type: logfile
+ title: Collect Falco Alerts via log file
+ description: Collect Falco Alerts via log file input
+owner:
+ github: elastic/security-service-integrations
+ type: elastic
diff --git a/packages/falco/validation.yml b/packages/falco/validation.yml
new file mode 100644
index 00000000000..1189aa63c89
--- /dev/null
+++ b/packages/falco/validation.yml
@@ -0,0 +1,3 @@
+errors:
+ exclude_checks:
+ - SVR00004 # References in dashboards.
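Review bot: The `tcp` input's `description: Collect Falco Alerts via TCP input` says nothing about how the listener is expected to be exposed, while the sample event earlier in this PR shows alerts arriving as syslog from a remote address with full process command lines, container ids and host identifiers in the payload. If the data stream's tcp input exposes the Beats `ssl` settings (the input config is not in this chunk), the description should say so, e.g. `description: Collect Falco Alerts via TCP input; enable TLS in the input settings when alerts cross an untrusted network`, and if it does not, the README should state that the listener is plaintext. The screenshot `size: 600x600` cannot be checked here because the PNG is binary. Minor style: `Collect Alerts from Falco` capitalises Alerts while the package `description` writes `events and alerts`.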
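Review bot: The exclusion comment `# References in dashboards.` names the check but not why this package needs it, so a later maintainer cannot tell when the exclusion can be dropped. The dashboard and the saved search added in this PR both list the `logs-*` index pattern in their `references` arrays, which appears to be what the check flags; a comment such as `- SVR00004 # kibana/dashboard and kibana/search reference the logs-* index pattern in their references arrays.` records that. Whether the assets are meant to move to ad hoc data views (the search carries `usesAdHocDataView: false`) is not stated on this page, so the comment should not promise a migration.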