From ee2ab16b02c746d1c269af8895b513a5f98a9640 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 9 Oct 2017 16:34:26 -0700
Subject: [PATCH] Updated Falco Alerts (markdown)

---
 Falco-Alerts.md | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/Falco-Alerts.md b/Falco-Alerts.md
index 5e1ffda..d122bcc 100644
--- a/Falco-Alerts.md
+++ b/Falco-Alerts.md
@@ -67,21 +67,29 @@ For all output channels, you can switch to JSON output either in the configurati
 * `rule`: the rule that resulted in the alert.
 * `priority`: the priority of the rule that generated the alert.
 * `output`: the formatted output string for the alert.
+* `output_fields`: for each templated value in the output expression, the value of that field from the event that triggered the alert.
 
 Here's an example:
 
 ```
-{"output":"16:47:44.080226697: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)","priority":"Warning","rule":"read_sensitive_file_untrusted","time":"2016-06-06T23:47:44.080226697Z"}
+{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","priority":"Error","rule":"Write below binary dir","time":"2017-10-09T23:31:56.746609046Z", "output_fields": {"evt.t\
+ime":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}
 ```
 
 Here's the same output, pretty-printed:
 
 ```
 {
- "output": "16:47:44.080226697: Warning Sensitive file opened for reading by non-trusted program (user=root command=cat /etc/shadow file=/etc/shadow)",
- "priority": "Warning",
- "rule": "read_sensitive_file_untrusted",
- "time": "2016-06-06T23:47:44.080226697Z"
+ "output" : "16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)"
+ "priority" : "Error",
+ "rule" : "Write below binary dir",
+ "time" : "2017-10-09T23:31:56.746609046Z",
+ "output_fields" : {
+ "user.name" : "root",
+ "evt.time" : 1507591916746609046,
+ "fd.name" : "/bin/hack",
+ "proc.cmdline" : "touch /bin/hack"
+ }
 }
 ```