Critical Executing Binary Log Messages
Vendor Documentation
https://falco.org/docs/outputs/formatting/
https://www.elastic.co/guide/en/integrations/current/falco.html#falco-logs-reference
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Critical Executing Binary Log Messages | Base Rule | General Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | <subject> | Text/String | N/A |
proc_exe | N/A | N/A | First command line argument, collected from args. |
proc_sname | <sname> | Text/String | Preserved Falco field |
gparent | N/A | N/A | N/A |
proc_exe_ino_ctime | N/A | N/A | Last status change of executable file as epoch timestamp. |
proc_exe_ino_mtime | N/A | N/A | Last modification time of executable file as epoch timestamp. |
proc_exe_ino_ctime_duration_proc_start | N/A | N/A | Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image. |
proc_cwd | N/A | N/A | Preserved Falco field |
container_start_ts | N/A | N/A | N/A |
evt_type | <command> | Text/String | Preserved Falco field |
user | <login> | Text/String | N/A |
user_uid | N/A | N/A | Preserved Falco field |
user_loginuid | N/A | N/A | Audit user ID. If an invalid UID is encountered, returns -1. |
process | <process> | Text/String | N/A |
proc_exepath | <parentprocesspath> | Text/String | Preserved Falco field |
parent | N/A | N/A | N/A |
command | N/A | N/A | N/A |
terminal | N/A | N/A | N/A |
exe_flags | N/A | N/A | N/A |
container_id | <serialnumber> | Text/String/Number | The truncated container ID (first 12 characters) extracted from the Linux cgroups by Falco within the kernel |
container_image | N/A | N/A | N/A |
container_image_tag | N/A | N/A | Preserved Falco field |
container_name | <object> | Text/String | The container name |
k8s_ns | N/A | N/A | Preserved Falco field |
k8s_pod_name | N/A | N/A | Preserved Falco field |
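The following is an added example and not part of this page, LogRhythm's parser or Falco's code. It shows how the mapping table above can be applied to one Falco alert: the alert's `output` string is parsed into its `key=value` labels and the keys the table maps are renamed to their LogRhythm schema tags. It assumes that the Device Keys in the table are exactly the `key=value` labels Falco writes into the alert's output string (Falco's JSON output mode, `json_output: true`), and that the sample alert, its rule name and its field values are constructed for illustration, not captured from a live system.

```python
"""Added example (not Falco or LogRhythm code): parse a Falco JSON alert and
map the key=value labels in its output string onto the LogRhythm schema
tags from the table above.

Assumptions (also stated in the lead-in):
  * the Device Keys in the table are the key=value labels Falco writes in
    the alert's "output" string;
  * SAMPLE_ALERT below is constructed for this example, not a real event.
"""
import json
import re

# Device key -> LogRhythm schema tag, copied from the mapping table above.
# Keys the table leaves as N/A are kept under their device key name.
LOGRHYTHM_MAP = {
    "proc_sname": "sname",
    "evt_type": "command",
    "user": "login",
    "process": "process",
    "proc_exepath": "parentprocesspath",
    "container_id": "serialnumber",
    "container_name": "object",
}

# Constructed sample alert in Falco's JSON output format.
SAMPLE_ALERT = json.dumps({
    "time": "2024-03-10T09:12:44.123456789Z",
    "priority": "Critical",
    "rule": "Critical Executing Binary",
    "output": (
        "09:12:44.123456789: Critical Executing binary not part of base image "
        "(proc_exe=/tmp/.cache/x proc_sname=bash gparent=containerd-shim "
        "proc_exe_ino_ctime=1710061963 proc_exe_ino_mtime=1710061963 "
        "proc_exe_ino_ctime_duration_proc_start=1200000000 proc_cwd=/tmp/ "
        "container_start_ts=1710060000 evt_type=execve user=root user_uid=0 "
        "user_loginuid=-1 process=x proc_exepath=/tmp/.cache/x parent=bash "
        "command=/tmp/.cache/x -c 10 terminal=34816 exe_flags=0 "
        "container_id=3ad7b26ded6d container_image=docker.io/library/alpine "
        "container_image_tag=3.19 container_name=web k8s_ns=default "
        "k8s_pod_name=web-7d9f)"
    ),
})

# A new pair starts at whitespace followed by an identifier and '='. Splitting
# on that boundary keeps values containing spaces (e.g. command=...) intact,
# unless an argument itself looks like word=value: Falco does not quote values.
_PAIR_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_]*=)")


def parse_output_pairs(output: str) -> dict:
    """Return the key=value labels of a Falco output string as a dict."""
    start, end = output.find("("), output.rfind(")")
    body = output[start + 1:end] if 0 <= start < end else output
    pairs = {}
    for token in _PAIR_BOUNDARY.split(body.strip()):
        key, sep, value = token.partition("=")
        if sep:
            pairs[key] = value
    return pairs


def map_to_logrhythm(alert_json: str) -> dict:
    """Parse one Falco JSON alert and rename mapped keys to LogRhythm tags."""
    alert = json.loads(alert_json)
    fields = parse_output_pairs(alert["output"])
    mapped = {}
    for key, value in fields.items():
        tag = LOGRHYTHM_MAP.get(key)
        mapped[f"<{tag}>" if tag else key] = value
    return mapped


def ctime_to_exec_seconds(mapped: dict) -> float:
    """proc_exe_ino_ctime_duration_proc_start is in nanoseconds (see table)."""
    return int(mapped["proc_exe_ino_ctime_duration_proc_start"]) / 1e9


if __name__ == "__main__":
    result = map_to_logrhythm(SAMPLE_ALERT)
    for key, value in result.items():
        print(f"{key} = {value}")
    print(f"binary changed {ctime_to_exec_seconds(result):.1f}s before exec")
```

Note that `evt_type` lands in `<command>` while the Falco `command=` label (the process command line) stays under its device key, exactly as the table specifies; anyone building searches on the LogRhythm side should keep that distinction in mind.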