Created
March 6, 2018 18:26
-
-
Save mateobur/605928250d165df0fa37f3181378a6b6 to your computer and use it in GitHub Desktop.
Sysdig Secure Event JSON
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "timestamp": 1518849360000000, | |
| "timespan": 60000000, | |
| "alert": { | |
| "severity": 4, | |
| "editUrl": null, | |
| "scope": null, | |
| "name": "Policy 59: FILE POLICY: Read sensitive file untrusted", | |
| "description": "an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.", | |
| "id": null | |
| }, | |
| "event": { | |
| "id": null, | |
| "url": "https://secure.sysdig.com/#/events/f:1518849300,t:1518849360" | |
| }, | |
| "state": "ACTIVE", | |
| "resolved": false, | |
| "entities": [{ | |
| "entity": "", | |
| "metricValues": [{ | |
| "metric": "policyEvent", | |
| "aggregation": "count", | |
| "groupAggregation": "none", | |
| "value": 1 | |
| }], | |
| "additionalInfo": null, | |
| "policies": [{ | |
| "id": 59, | |
| "version": 9, | |
| "createdOn": 1496775488000, | |
| "modifiedOn": 1512474141000, | |
| "name": "FILE POLICY: Read sensitive file untrusted", | |
| "description": "an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.", | |
| "severity": 4, | |
| "enabled": true, | |
| "hostScope": true, | |
| "containerScope": true, | |
| "falcoConfiguration": { | |
| "onDefault": "DEFAULT_MATCH_EFFECT_NEXT", | |
| "fields": [], | |
| "ruleNameRegEx": "Read sensitive file untrusted" | |
| }, | |
| "notificationChannelIds": [ | |
| 14872 | |
| ], | |
| "actions": [{ | |
| "type": "POLICY_ACTION_CAPTURE", | |
| "beforeEventNs": 30000000000, | |
| "afterEventNs": 30000000000, | |
| "isLimitedToContainer": false | |
| }], | |
| "policyEventsCount": 295, | |
| "isBuiltin": false, | |
| "isManual": true | |
| }], | |
| "policyEvents": [{ | |
| "id": "513051281863028736", | |
| "version": 1, | |
| "containerId": "57c1820a87f1", | |
| "severity": 4, | |
| "metrics": [ | |
| "ip-10-0-8-165", | |
| "k8s_ftest_redis-3463099497-2xxw3_example-java-app_08285988-acff-11e7-b6b2-06fd27f1a4ca_0" | |
| ], | |
| "policyId": 59, | |
| "actionResults": [{ | |
| "type": "POLICY_ACTION_CAPTURE", | |
| "successful": true, | |
| "token": "e0abbbfb-ae65-4c5d-966a-78f88b0f67fb", | |
| "sysdigCaptureId": 432336 | |
| }], | |
| "output": "Sensitive file opened for reading by non-trusted program (user=root name=ftest command=ftest -i 25200 -a exfiltration file=/etc/shadow parent=docker-containe gparent=docker-containe ggparent=dockerd gggparent=systemd)", | |
| "ruleType": "RULE_TYPE_FALCO", | |
| "ruleSubtype": null, | |
| "matchedOnDefault": false, | |
| "fields": [{ | |
| "key": "falco.rule", | |
| "value": "Read sensitive file untrusted" | |
| }], | |
| "falsePositive": false, | |
| "timestamp": 1518849310380639, | |
| "hostMac": "06:90:90:7f:15:ea", | |
| "isAggregated": false | |
| }] | |
| }] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment