diff --git a/Falco-Alerts.md b/Falco-Alerts.md index 04422a9..d114d83 100644 --- a/Falco-Alerts.md +++ b/Falco-Alerts.md @@ -27,7 +27,7 @@ When run in the background via the `-d/--daemon` command line option, standard o When configured to send alerts to a file, a message is written to the file for each alert. The format is very similar to the Standard Output format: -``` +```yaml file_output: enabled: true keep_alive: false @@ -55,7 +55,7 @@ Syslog messages are sent with a facility of LOG_USER. The rule's priority is use When configured to send alerts to a program, for each alert the program is started and written to its standard input. For example, given a `falco.yaml` configuration of: -``` +```yaml program_output: enabled: true keep_alive: false @@ -70,7 +70,7 @@ If `keep_alive` is set to true, before the first alert falco will spawn the prog If you'd like to send falco notifications to a slack channel, here's the required configuration to massage the JSON output to a form required for the slack webhook endpoint: -``` +```yaml # Whether to output events in json or text json_output: true … @@ -83,7 +83,7 @@ program_output: If you'd like to send a stream of alerts over a network connection, here's an example: -``` +```yaml # Whether to output events in json or text json_output: true … 
@@ -107,14 +107,14 @@ For all output channels, you can switch to JSON output either in the configurati Here's an example: -``` +```javascript {"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","priority":"Error","rule":"Write below binary dir","time":"2017-10-09T23:31:56.746609046Z", "output_fields": {"evt.t\ ime":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}} ``` Here's the same output, pretty-printed: -``` +```javascript { "output" : "16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)" "priority" : "Error",
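Review bot: In the hunk at `@@ -107,14 +107,14 @@`, the sample alert is JSON, so `json` is the accurate fence tag rather than `javascript`; the block contains no JavaScript syntax, only a single JSON object. The same block also carries a backslash in the middle of the `evt.time` key (`"evt.t\ ime"`), which is not how Falco emits the field and is not a valid JSON string escape; since the fence is now tagged for highlighting, consider writing the key as `"evt.time"` on one line so the example parses as the JSON it claims to be.

Review bot: In the pretty-printed hunk (the second `-```/+```javascript` change on this line), the value of `"output"` is not followed by a comma before `"priority" : "Error",`, so the object is not valid JSON and a highlighter or linter driven by the new fence tag will flag it. Suggest adding the missing comma and, as in the previous hunk, tagging the fence `json` to match the content.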