fredleger/falco-snip.yaml

## falco-snip.yaml
customRules:
  my-rules.yaml: |-
    -  macro: greetings
       condition: >
         proc.name = cowsay
    - rule: Try to say use cowsay in Container
      desc: Detect use of greetings command in container
      condition: >
        spawned_process and
        container and
        greetings
      output: >
        Cowsay command launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
        container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
      priority: NOTICE
      tags: [dummy, process, demo]
	customRules:
	my-rules.yaml: \|-
	- macro: greetings
	condition: >
	proc.name = cowsay
	- rule: Try to say use cowsay in Container
	desc: Detect use of greetings command in container
	condition: >
	spawned_process and
	container and
	greetings
	output: >
	Cowsay command launched in container (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent_process=%proc.pname
	container_id=%container.id container_name=%container.name image=%container.image.repository:%container.image.tag)
	priority: NOTICE
	tags: [dummy, process, demo]