Vendor Documentation
Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|---|---|---|---|
|
Critical Executing Binary Log Messages |
Base Rule |
General Information |
Information |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
Schema Description |
|
N/A |
<subject> |
Text/String |
N/A |
|
proc_exe |
N/A |
N/A |
First command line argument, collected from args. |
|
proc_sname |
<sname> |
Text/String |
Preserved Falco field |
|
gparent |
N/A |
N/A |
N/A |
|
proc_exe_ino_ctime |
N/A |
N/A |
Last status change of executable file as epoch timestamp. |
|
proc_exe_ino_mtime |
N/A |
N/A |
Last modification time of executable file as epoch timestamp. |
|
proc_exe_ino_ctime_duration_proc_start |
N/A |
N/A |
Number of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image. |
|
proc_cwd |
N/A |
N/A |
Preserved Falco field |
|
container_start_ts |
N/A |
N/A |
N/A |
|
evt_type |
<command> |
Text/String |
Preserved Falco field |
|
user |
<login> |
Text/String |
N/A |
|
user_uid |
N/A |
N/A |
Preserved Falco field |
|
user_loginuid |
N/A |
N/A |
Audit user ID. If an invalid UID is encountered, returns -1. |
|
process |
<process> |
Text/String |
N/A |
|
proc_exepath |
<parentprocesspath> |
Text/String |
Preserved Falco field |
|
parent |
N/A |
N/A |
N/A |
|
command |
N/A |
N/A |
N/A |
|
terminal |
N/A |
N/A |
N/A |
|
exe_flags |
N/A |
N/A |
N/A |
|
container_id |
<serialnumber> |
Text/String/Number |
The truncated container ID (first 12 characters) extracted from the Linux cgroups by Falco within the kernel |
|
container_image |
N/A |
N/A |
N/A |
|
container_image_tag |
N/A |
N/A |
Preserved Falco field |
|
container_name |
<object> |
Text/String |
The container name |
|
k8s_ns |
N/A |
N/A |
Preserved Falco field |
|
k8s_pod_name |
N/A |
N/A |
Preserved Falco field |