Prometheus alert rules for sysdig falco events
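## Prometheus server ConfigMap entries
##
## Values-file fragment for the Prometheus server Helm chart: everything under
## `serverFiles` is rendered into the server ConfigMap, and the
## `alerting_rules.yml` entry becomes the alerting-rules file Prometheus loads.
serverFiles:
  ## Alerts configuration
  ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
  alerting_rules.yml:
    groups:
      ## One alert per Falco rule, selected on the `rule` label of the
      ## `falco_events` metric. Every alert uses `severity: page`; the
      ## `reference` and `dashboard` annotations are placeholders that must be
      ## replaced per environment. Alert names are unique within the group so
      ## that no Falco rule produces two identical alerts.
      ##
      ## NOTE(review): if `falco_events` is a monotonic counter (the usual
      ## shape of an exporter event metric), a bare selector stays non-empty
      ## forever after the first matching event, so these alerts would never
      ## resolve; an expression such as
      ## `increase(falco_events{rule="..."}[5m]) > 0` fires only on new
      ## events. Confirm the metric type against the exporter before changing
      ## the expressions.
      - name: security
        rules:
          # - alert: PrometheusJobUp
          #   expr: 'up{job="prometheus"}'
          #   for: 1m
          #   labels:
          #     severity: page
          #   annotations:
          #     summary: 'Prometheus is up'
          #     reference: 'https://test.example.com'
          #     dashboard: 'https://some-dashboard.com'
          #     description: 'Prometheus is up'
          - alert: SecuritySetuidSetgidbit
            expr: 'falco_events{rule="Set Setuid or Setgid bit"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Set Setuid or Setgid bit'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'something has set the SetUID or SetGID bit'
          # The "Contact K8S API Server From Container" rule is alerted on by
          # ContactK8SAPIServerFromContainer below; the earlier duplicate entry
          # was dropped so the event does not page twice.
          - alert: SecurityChangethreadnamespace
            expr: 'falco_events{rule="Change thread namespace"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Change thread namespace'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Something has changed the thread namespace.'
          - alert: DisallowedSSHConnection
            expr: 'falco_events{rule="Disallowed SSH Connection"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect any new ssh connection to a host other than those in an allowed group of hosts'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect any new ssh connection to a host other than those in an allowed group of hosts'
          - alert: UnexpectedOutboundConnectionDestination
            expr: 'falco_events{rule="Unexpected outbound connection destination"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Unexpected outbound connection destination'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Unexpected outbound connection destination'
          - alert: UnexpectedInboundConnectionSource
            expr: 'falco_events{rule="Unexpected inbound connection source"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Unexpected inbound connection source'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Unexpected inbound connection source'
          - alert: ModifyShellConfigurationFile
            expr: 'falco_events{rule="Modify Shell Configuration File"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempt to modify shell configuration files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempt to modify shell configuration files'
          - alert: ReadShellConfigurationFile
            expr: 'falco_events{rule="Read Shell Configuration File"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to read shell configuration files by non-shell programs'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to read shell configuration files by non-shell programs'
          - alert: ScheduleCronJobs
            expr: 'falco_events{rule="Schedule Cron Jobs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect cron jobs scheduled'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect cron jobs scheduled'
          - alert: UpdatePackageRepository
            expr: 'falco_events{rule="Update Package Repository"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect package repositories get updated'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect package repositories get updated'
          - alert: WriteBelowBinaryDir
            expr: 'falco_events{rule="Write below binary dir"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect an attempt to write to any file below a set of binary directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect an attempt to write to any file below a set of binary directories'
          - alert: WriteBelowMonitoredDir
            expr: 'falco_events{rule="Write below monitored dir"}'
            for: 1m
            labels:
              severity: page
            annotations:
              # Text matches the "monitored dir" rule (was copied from the
              # binary-dir alert above).
              summary: 'Detect an attempt to write to any file below a set of monitored directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect an attempt to write to any file below a set of monitored directories'
          - alert: ReadSSHinformation
            expr: 'falco_events{rule="Read ssh information"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any attempt to read files below ssh directories by non-ssh programs'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any attempt to read files below ssh directories by non-ssh programs'
          - alert: WriteBelowEtc
            expr: 'falco_events{rule="Write below etc"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to write to any file below /etc'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to write to any file below /etc'
          - alert: WriteBelowRoot
            expr: 'falco_events{rule="Write below root"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to write to any file directly below / or /root'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to write to any file directly below / or /root'
          - alert: ReadSensitiveFileTrustedAfterStartup
            expr: 'falco_events{rule="Read sensitive file trusted after startup"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to read a sensitive file by a trusted program after startup'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to read a sensitive file by a trusted program after startup'
          - alert: ReadSensitiveFileUntrusted
            expr: 'falco_events{rule="Read sensitive file untrusted"}'
            for: 1m
            labels:
              severity: page
            annotations:
              # Text matches the "Read sensitive file untrusted" rule (was
              # copied from the rpm-database alert below).
              summary: 'an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by an untrusted program'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to read any sensitive file (e.g. files containing user/password/authentication information) by an untrusted program'
          - alert: WriteBelowRPMDatabase
            expr: 'falco_events{rule="Write below rpm database"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to write to the rpm database by any non-rpm related program'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to write to the rpm database by any non-rpm related program'
          - alert: DBProgramSpawnedProcess
            expr: 'falco_events{rule="DB program spawned process"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'DB program spawned process'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'DB program spawned process'
          - alert: ModifyBinaryDirs
            expr: 'falco_events{rule="Modify binary dirs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to modify any file below a set of binary directories.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to modify any file below a set of binary directories.'
          - alert: MkdirBinaryDirs
            expr: 'falco_events{rule="Mkdir binary dirs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to create a directory below a set of binary directories.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to create a directory below a set of binary directories.'
          - alert: LaunchPrivilegedContainer
            expr: 'falco_events{rule="Launch Privileged Containers"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect the initial process started in a privileged container. Exceptions are made for known trusted images.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect the initial process started in a privileged container. Exceptions are made for known trusted images.'
          - alert: LaunchSensitiveMountContainer
            expr: 'falco_events{rule="Launch Sensitive Mount Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Launch Sensitive Mount Container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Launch Sensitive Mount Container'
          - alert: LaunchDisallowedContainer
            expr: 'falco_events{rule="Launch Disallowed Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Launch Disallowed Container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Launch Disallowed Container'
          - alert: SystemUserInteractive
            expr: 'falco_events{rule="System user interactive"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'an attempt to run interactive commands by a system (i.e. non-login) user'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'an attempt to run interactive commands by a system (i.e. non-login) user'
          - alert: TerminalShellINContainer
            expr: 'falco_events{rule="Terminal shell in container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'A shell was used as the entrypoint/exec point into a container with an attached terminal.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'A shell was used as the entrypoint/exec point into a container with an attached terminal.'
          - alert: SystemProcsNetworkActivity
            expr: 'falco_events{rule="System procs network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'any network activity performed by system binaries that are not expected to send or receive any network traffic'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'any network activity performed by system binaries that are not expected to send or receive any network traffic'
          - alert: ProgramRunWithDisallowedHttpProxyEnv
            expr: 'falco_events{rule="Program run with disallowed http proxy env"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to run a program with a disallowed HTTP_PROXY environment variable'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to run a program with a disallowed HTTP_PROXY environment variable'
          - alert: InterpretedProcsInboundNetworkActivity
            expr: 'falco_events{rule="Interpreted procs inbound network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
          - alert: InterpretedProcsOutboundNetworkActivity
            expr: 'falco_events{rule="Interpreted procs outbound network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
          - alert: UnexpectedUDPTraffic
            expr: 'falco_events{rule="Unexpected UDP Traffic"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'UDP traffic not on port 53 (DNS) or other commonly used ports'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'UDP traffic not on port 53 (DNS) or other commonly used ports'
          - alert: NonSudoSetuid
            expr: 'falco_events{rule="Non sudo setuid"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Non sudo setuid'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Non sudo setuid'
          - alert: UserMgmtBinaries
            expr: 'falco_events{rule="User mgmt binaries"}'
            for: 1m
            labels:
              severity: page
            annotations:
              # The original summary was only the tail of a URL with a stray
              # closing parenthesis; this states what the rule reports.
              summary: 'Activity by programs that can manage users, passwords, or permissions (sudo and su are excluded)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Activity by programs that can manage users, passwords, or permissions (sudo and su are excluded)'
          - alert: CreateFilesBelowDev
            expr: 'falco_events{rule="Create files below dev"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'creating any files below /dev other than known programs that manage devices. Some rootkits hide files in /dev.'
          - alert: ContactEC2InstanceMetadataServiceFromContainer
            expr: 'falco_events{rule="Contact EC2 Instance Metadata Service From Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the EC2 Instance Metadata Service from a container.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the EC2 Instance Metadata Service from a container.'
          - alert: ContactCloudMetadataServiceFromContainer
            expr: 'falco_events{rule="Contact cloud metadata service from container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the Cloud Instance Metadata Service from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the Cloud Instance Metadata Service from a container'
          - alert: ContactK8SAPIServerFromContainer
            expr: 'falco_events{rule="Contact K8S API Server From Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the K8S API Server from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the K8S API Server from a container'
          - alert: UnexpectedK8sNodePortConnection
            expr: 'falco_events{rule="Unexpected K8s NodePort Connection"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to use K8s NodePorts from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to use K8s NodePorts from a container'
          - alert: LaunchPackageManagementProcessInContainer
            expr: 'falco_events{rule="Launch Package Management Process in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Package management process ran inside container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Package management process ran inside container'
          - alert: NetcatRemoteCodeExecutionInContainer
            expr: 'falco_events{rule="Netcat Remote Code Execution in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Netcat Program runs inside container that allows remote code execution'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Netcat Program runs inside container that allows remote code execution'
          - alert: LaunchSuspiciousNetworkToolInContainer
            expr: 'falco_events{rule="Launch Suspicious Network Tool in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect network tools launched inside container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect network tools launched inside container'
          - alert: LaunchSuspiciousNetworkToolOnHost
            expr: 'falco_events{rule="Launch Suspicious Network Tool on Host"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect network tools launched on the host'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect network tools launched on the host'
          - alert: SearchPrivateKeysOrPasswords
            expr: 'falco_events{rule="Search Private Keys or Passwords"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Search Private Keys or Passwords'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Search Private Keys or Passwords'
          - alert: ClearLogActivities
            # The label value must match the Falco rule name exactly; the
            # previous "Activitiess" spelling never matched, so log clearing
            # was silently unalerted.
            expr: 'falco_events{rule="Clear Log Activities"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect clearing of critical log files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect clearing of critical log files'
          - alert: RemoveBulkDataFromDisk
            expr: 'falco_events{rule="Remove Bulk Data from Disk"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect process running to clear bulk data from disk'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect process running to clear bulk data from disk'
          - alert: DeleteOrRenameShellHistory
            expr: 'falco_events{rule="Delete or rename shell history"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect shell history deletion'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect shell history deletion'
          - alert: DeleteBashHistory
            expr: 'falco_events{rule="Delete Bash History"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect bash history deletion'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect bash history deletion'
          - alert: CreateHiddenFilesOrDirectories
            expr: 'falco_events{rule="Create Hidden Files or Directories"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect hidden files or directories created'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect hidden files or directories created'
          - alert: LaunchRemoteFileCopyToolsInContainers
            expr: 'falco_events{rule="Launch Remote File Copy Tools in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect remote file copy tools launched in container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect remote file copy tools launched in container'
          - alert: CreateSymlinkOverSensitiveFiles
            expr: 'falco_events{rule="Create Symlink Over Sensitive Files"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect symlink created over sensitive files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect symlink created over sensitive files'
          - alert: DetectOutboundConnectionsToCommonMinerPoolPorts
            expr: 'falco_events{rule="Detect outbound connections to common miner pool ports"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Miners typically connect to miner pools on common ports.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Miners typically connect to miner pools on common ports.'
          - alert: DetectCryptoMinersUsingTheStratumProtocol
            expr: 'falco_events{rule="Detect crypto miners using the Stratum protocol"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Miners typically specify the mining pool to connect to with a URI that begins with "stratum+tcp"'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Miners typically specify the mining pool to connect to with a URI that begins with "stratum+tcp"'
          - alert: TheDockerClientIsExecutedInAContainer
            expr: 'falco_events{rule="The docker client is executed in a container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              # Text matches the docker-client rule (was copied from the
              # k8s-client rule).
              summary: 'Detect a docker client tool executed inside a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect a docker client tool executed inside a container'
          - alert: PacketSocketCreatedInContainer
            expr: 'falco_events{rule="Packet socket created in container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.'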