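# A very simple config for introductory purpose. Not for the real-world!
#
# Each rule below pins the event direction (`evt.dir = <`, the syscall exit)
# so it fires once per syscall rather than on both the enter and exit event,
# and carries the `rule`/`desc`/`priority` keys the Falco rule loader expects
# alongside `condition`/`output`.

# Binary directories
# Exact-match list: only files directly under these paths, not subdirectories.
- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

# Core binaries
- macro: core_binaries
  condition: proc.name in (ls, mkdir, cat, less, ps)

# Network traffic to/from standard utility
# fd.typechar 4 / 6 is an IPv4 / IPv6 socket. This still matches every
# completed syscall on such a socket, so expect volume; narrow the event
# types before using it outside a demo.
- rule: Network Activity By Core Binary
  desc: A core system utility completed a syscall on an IPv4/IPv6 socket
  condition: evt.dir = < and (fd.typechar = 4 or fd.typechar = 6) and core_binaries
  output: "%evt.time: %proc.name network with %fd.l4proto"
  priority: NOTICE

# System binary is modified
# In-place writes only (the write family of syscalls); a file that is replaced
# via rename or re-created is not matched by this rule.
- rule: System Binary Modified
  desc: A file in a system binary directory was written to in place
  condition: evt.dir = < and evt.type in (write, pwrite, writev, pwritev) and bin_dir
  output: "%evt.time: System binary modified (file '%fd.filename' written by process %proc.name)"
  priority: ERROR

# Shell running in container
# container.id is the literal string "host" for processes outside any
# container. Matching on execve exit fires once per shell spawn instead of
# once per syscall the shell makes. Only bash is listed here.
- rule: Shell Running In Container
  desc: A bash process was started inside a container
  condition: evt.type = execve and evt.dir = < and container.id != host and proc.name = bash
  output: "%evt.time: Shell running in container (%proc.name, %container.id)"
  priority: WARNING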