@gjyoung1974
Created May 20, 2020 02:11
Prometheus alert rules for sysdig falco events
## Prometheus server ConfigMap entries
##
serverFiles:
  ## Alerts configuration
  ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
  ##
  ## Note: falco_events is normally a monotonically increasing counter with one series per
  ## Falco rule (e.g. as exported by falco-exporter). A bare selector such as
  ## falco_events{rule="..."} matches whenever that series exists, regardless of its value,
  ## and a counter never goes away, so once a rule has fired once the alert below stays
  ## firing until the exporter restarts. To page only on new events, alert on
  ## increase(falco_events{rule="..."}[5m]) > 0 instead and drop the for: 1m.
  alerting_rules.yml:
    groups:
      - name: security
        rules:
          # - alert: PrometheusJobUp
          #   expr: 'up{job="prometheus"}'
          #   for: 1m
          #   labels:
          #     severity: page
          #   annotations:
          #     summary: 'Prometheus is up'
          #     reference: 'https://test.example.com'
          #     dashboard: 'https://some-dashboard.com'
          #     description: 'Prometheus is up'
          - alert: SecuritySetuidSetgidbit
            expr: 'falco_events{rule="Set Setuid or Setgid bit"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Set Setuid or Setgid bit'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'A setuid or setgid bit was set on a file'
          - alert: SecurityChangethreadnamespace
            expr: 'falco_events{rule="Change thread namespace"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Change thread namespace'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'A thread changed its namespace via setns (commonly done when a container is created)'
          - alert: DisallowedSSHConnection
            expr: 'falco_events{rule="Disallowed SSH Connection"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect any new ssh connection to a host other than those in an allowed group of hosts'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect any new ssh connection to a host other than those in an allowed group of hosts'
          - alert: UnexpectedOutboundConnectionDestination
            expr: 'falco_events{rule="Unexpected outbound connection destination"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Unexpected outbound connection destination'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Unexpected outbound connection destination'
          - alert: UnexpectedInboundConnectionSource
            expr: 'falco_events{rule="Unexpected inbound connection source"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Unexpected inbound connection source'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Unexpected inbound connection source'
          - alert: ModifyShellConfigurationFile
            expr: 'falco_events{rule="Modify Shell Configuration File"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempt to modify shell configuration files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempt to modify shell configuration files'
          - alert: ReadShellConfigurationFile
            expr: 'falco_events{rule="Read Shell Configuration File"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to read shell configuration files by non-shell programs'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to read shell configuration files by non-shell programs'
          - alert: ScheduleCronJobs
            expr: 'falco_events{rule="Schedule Cron Jobs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect cron jobs being scheduled'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect cron jobs being scheduled'
          - alert: UpdatePackageRepository
            expr: 'falco_events{rule="Update Package Repository"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect package repositories being updated'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect package repositories being updated'
          - alert: WriteBelowBinaryDir
            expr: 'falco_events{rule="Write below binary dir"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect an attempt to write to any file below a set of binary directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect an attempt to write to any file below a set of binary directories'
          - alert: WriteBelowMonitoredDir
            expr: 'falco_events{rule="Write below monitored dir"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect an attempt to write to any file below a set of monitored directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect an attempt to write to any file below a set of monitored directories'
          - alert: ReadSSHInformation
            expr: 'falco_events{rule="Read ssh information"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any attempt to read files below ssh directories by non-ssh programs'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any attempt to read files below ssh directories by non-ssh programs'
          - alert: WriteBelowEtc
            expr: 'falco_events{rule="Write below etc"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to write to any file below /etc'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to write to any file below /etc'
          - alert: WriteBelowRoot
            expr: 'falco_events{rule="Write below root"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to write to any file directly below / or /root'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to write to any file directly below / or /root'
          - alert: ReadSensitiveFileTrustedAfterStartup
            expr: 'falco_events{rule="Read sensitive file trusted after startup"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to read a sensitive file by a trusted program after startup'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to read a sensitive file by a trusted program after startup'
          - alert: ReadSensitiveFileUntrusted
            expr: 'falco_events{rule="Read sensitive file untrusted"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to read a sensitive file (e.g. one containing user, password or authentication information) by an untrusted program'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to read a sensitive file (e.g. one containing user, password or authentication information) by an untrusted program'
          - alert: WriteBelowRPMDatabase
            expr: 'falco_events{rule="Write below rpm database"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to write to the rpm database by any non-rpm related program'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to write to the rpm database by any non-rpm related program'
          - alert: DBProgramSpawnedProcess
            expr: 'falco_events{rule="DB program spawned process"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'DB program spawned process'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'DB program spawned process'
          - alert: ModifyBinaryDirs
            expr: 'falco_events{rule="Modify binary dirs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to modify any file below a set of binary directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to modify any file below a set of binary directories'
          - alert: MkdirBinaryDirs
            expr: 'falco_events{rule="Mkdir binary dirs"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to create a directory below a set of binary directories'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to create a directory below a set of binary directories'
          - alert: LaunchPrivilegedContainer
            expr: 'falco_events{rule="Launch Privileged Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect the initial process started in a privileged container. Exceptions are made for known trusted images.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect the initial process started in a privileged container. Exceptions are made for known trusted images.'
          - alert: LaunchSensitiveMountContainer
            expr: 'falco_events{rule="Launch Sensitive Mount Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Launch Sensitive Mount Container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Launch Sensitive Mount Container'
          - alert: LaunchDisallowedContainer
            expr: 'falco_events{rule="Launch Disallowed Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Launch Disallowed Container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Launch Disallowed Container'
          - alert: SystemUserInteractive
            expr: 'falco_events{rule="System user interactive"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to run interactive commands by a system (i.e. non-login) user'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to run interactive commands by a system (i.e. non-login) user'
          - alert: TerminalShellInContainer
            expr: 'falco_events{rule="Terminal shell in container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'A shell was used as the entrypoint/exec point into a container with an attached terminal.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'A shell was used as the entrypoint/exec point into a container with an attached terminal.'
          - alert: SystemProcsNetworkActivity
            expr: 'falco_events{rule="System procs network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any network activity performed by system binaries that are not expected to send or receive any network traffic'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any network activity performed by system binaries that are not expected to send or receive any network traffic'
          - alert: ProgramRunWithDisallowedHttpProxyEnv
            expr: 'falco_events{rule="Program run with disallowed http proxy env"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'An attempt to run a program with a disallowed HTTP_PROXY environment variable'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'An attempt to run a program with a disallowed HTTP_PROXY environment variable'
          - alert: InterpretedProcsInboundNetworkActivity
            expr: 'falco_events{rule="Interpreted procs inbound network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any inbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
          - alert: InterpretedProcsOutboundNetworkActivity
            expr: 'falco_events{rule="Interpreted procs outbound network activity"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Any outbound network activity performed by any interpreted program (perl, python, ruby, etc.)'
          - alert: UnexpectedUDPTraffic
            expr: 'falco_events{rule="Unexpected UDP Traffic"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'UDP traffic not on port 53 (DNS) or other commonly used ports'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'UDP traffic not on port 53 (DNS) or other commonly used ports'
          - alert: NonSudoSetuid
            expr: 'falco_events{rule="Non sudo setuid"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Non sudo setuid'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Non sudo setuid'
          - alert: UserMgmtBinaries
            expr: 'falco_events{rule="User mgmt binaries"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'A program that can manage users, passwords or permissions was executed (see https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'A program that can manage users, passwords or permissions was executed (see https://bugs.launchpad.net/ubuntu/+source/rkhunter/+bug/86153)'
          - alert: CreateFilesBelowDev
            expr: 'falco_events{rule="Create files below dev"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Creating any files below /dev other than by known programs that manage devices. Some rootkits hide files in /dev.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Creating any files below /dev other than by known programs that manage devices. Some rootkits hide files in /dev.'
          - alert: ContactEC2InstanceMetadataServiceFromContainer
            expr: 'falco_events{rule="Contact EC2 Instance Metadata Service From Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the EC2 Instance Metadata Service from a container.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the EC2 Instance Metadata Service from a container.'
          - alert: ContactCloudMetadataServiceFromContainer
            expr: 'falco_events{rule="Contact cloud metadata service from container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the Cloud Instance Metadata Service from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the Cloud Instance Metadata Service from a container'
          - alert: ContactK8SAPIServerFromContainer
            expr: 'falco_events{rule="Contact K8S API Server From Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to contact the K8S API Server from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to contact the K8S API Server from a container'
          - alert: UnexpectedK8sNodePortConnection
            expr: 'falco_events{rule="Unexpected K8s NodePort Connection"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect attempts to use K8s NodePorts from a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect attempts to use K8s NodePorts from a container'
          - alert: LaunchPackageManagementProcessInContainer
            expr: 'falco_events{rule="Launch Package Management Process in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Package management process ran inside container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Package management process ran inside container'
          - alert: NetcatRemoteCodeExecutionInContainer
            expr: 'falco_events{rule="Netcat Remote Code Execution in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Netcat program ran inside a container in a mode that allows remote code execution'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Netcat program ran inside a container in a mode that allows remote code execution'
          - alert: LaunchSuspiciousNetworkToolInContainer
            expr: 'falco_events{rule="Launch Suspicious Network Tool in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect network tools launched inside container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect network tools launched inside container'
          - alert: LaunchSuspiciousNetworkToolOnHost
            expr: 'falco_events{rule="Launch Suspicious Network Tool on Host"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect network tools launched on the host'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect network tools launched on the host'
          - alert: SearchPrivateKeysOrPasswords
            expr: 'falco_events{rule="Search Private Keys or Passwords"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Search Private Keys or Passwords'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Search Private Keys or Passwords'
          - alert: ClearLogActivities
            expr: 'falco_events{rule="Clear Log Activities"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect clearing of critical log files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect clearing of critical log files'
          - alert: RemoveBulkDataFromDisk
            expr: 'falco_events{rule="Remove Bulk Data from Disk"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect process running to clear bulk data from disk'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect process running to clear bulk data from disk'
          - alert: DeleteOrRenameShellHistory
            expr: 'falco_events{rule="Delete or rename shell history"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect shell history deletion'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect shell history deletion'
          - alert: DeleteBashHistory
            expr: 'falco_events{rule="Delete Bash History"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect bash history deletion'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect bash history deletion'
          - alert: CreateHiddenFilesOrDirectories
            expr: 'falco_events{rule="Create Hidden Files or Directories"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect hidden files or directories created'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect hidden files or directories created'
          - alert: LaunchRemoteFileCopyToolsInContainer
            expr: 'falco_events{rule="Launch Remote File Copy Tools in Container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect remote file copy tools launched in container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect remote file copy tools launched in container'
          - alert: CreateSymlinkOverSensitiveFiles
            expr: 'falco_events{rule="Create Symlink Over Sensitive Files"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect symlink created over sensitive files'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect symlink created over sensitive files'
          - alert: DetectOutboundConnectionsToCommonMinerPoolPorts
            expr: 'falco_events{rule="Detect outbound connections to common miner pool ports"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Miners typically connect to miner pools on common ports.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Miners typically connect to miner pools on common ports.'
          - alert: DetectCryptoMinersUsingTheStratumProtocol
            expr: 'falco_events{rule="Detect crypto miners using the Stratum protocol"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Miners typically specify the mining pool to connect to with a URI that begins with "stratum+tcp"'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Miners typically specify the mining pool to connect to with a URI that begins with "stratum+tcp"'
          - alert: TheDockerClientIsExecutedInAContainer
            expr: 'falco_events{rule="The docker client is executed in a container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect the docker client executed inside a container'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect the docker client executed inside a container'
          - alert: PacketSocketCreatedInContainer
            expr: 'falco_events{rule="Packet socket created in container"}'
            for: 1m
            labels:
              severity: page
            annotations:
              summary: 'Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.'
              reference: 'https://test.example.com'
              dashboard: 'https://some-dashboard.com'
              description: 'Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used to do ARP Spoofing by attacker.'
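The rule group above is written out by hand, one ten-line block per Falco rule, which is how the gist ended up with several rules listed twice and a couple of misspelled rule names. The following script is an added example (not part of the original gist) that generates the same kind of group from a list of Falco rule names instead: it derives the alert name from the rule name, collapses duplicates, escapes the rule name for the PromQL label matcher, and emits the expression as `increase(falco_events{rule="..."}[5m]) > 0` so the alert resolves once no new events arrive. It assumes, as with falco-exporter, that `falco_events` is a counter labelled by `rule`; the `severity: page` label and the `security` group name are carried over from the gist, and the sample rule list and descriptions are constructed for the example.

```python
"""Generate a Prometheus alerting rule group for Falco events.

Added example; not the gist's own code. Assumes falco_events is a counter
series labelled by Falco `rule` (as exported by falco-exporter).
"""
import re

# Constructed sample input: a handful of the Falco rules used in the gist,
# deliberately including one duplicate to show it is collapsed.
SAMPLE_RULES = [
    ("Set Setuid or Setgid bit", "A setuid or setgid bit was set on a file"),
    ("Disallowed SSH Connection", "New ssh connection to a host outside the allowed set"),
    ("Disallowed SSH Connection", "New ssh connection to a host outside the allowed set"),
    ("Launch Privileged Container", "Initial process started in a privileged container"),
    ("Clear Log Activities", "Critical log files were cleared"),
]


def alert_name(falco_rule: str) -> str:
    """Turn a Falco rule name into a CamelCase Prometheus alert name ([A-Za-z0-9_] only)."""
    words = re.findall(r"[A-Za-z0-9]+", falco_rule)
    return "".join(w[:1].upper() + w[1:] for w in words)


def promql_label_value(value: str) -> str:
    """Escape a string for use inside a double-quoted PromQL label matcher."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def alert_expr(falco_rule: str, window: str = "5m") -> str:
    """Fire only while the per-rule counter has grown within `window`.

    A bare selector falco_events{rule="X"} stays non-empty forever after the
    first event, so that alert would never resolve; increase() drops to 0 (and
    the > 0 filter empties the result) once the window holds no new events.
    """
    return f'increase(falco_events{{rule="{promql_label_value(falco_rule)}"}}[{window}]) > 0'


def build_rule_group(rules, group_name="security", severity="page", window="5m"):
    """Return a Prometheus rule-file document with one alert per distinct Falco rule."""
    seen = set()
    alerts = []
    for falco_rule, description in rules:
        if falco_rule in seen:  # hand-written lists tend to repeat entries
            continue
        seen.add(falco_rule)
        alerts.append({
            "alert": alert_name(falco_rule),
            "expr": alert_expr(falco_rule, window),
            # no `for:`; increase() over the window already debounces, and a
            # `for` would only delay the page for a security event
            "labels": {"severity": severity},
            "annotations": {"summary": falco_rule, "description": description},
        })
    return {"groups": [{"name": group_name, "rules": alerts}]}


def duplicate_alert_names(doc) -> list:
    """Names that appear more than once across all groups (a CI check for rule files)."""
    names = [r["alert"] for g in doc["groups"] for r in g["rules"]]
    return sorted({n for n in names if names.count(n) > 1})


def to_yaml(doc) -> str:
    """Render the document as a Prometheus rule file without depending on PyYAML."""
    def q(s: str) -> str:  # YAML single-quoted scalar: only ' needs escaping (doubled)
        return "'" + s.replace("'", "''") + "'"

    out = ["groups:"]
    for g in doc["groups"]:
        out.append(f"  - name: {g['name']}")
        out.append("    rules:")
        for r in g["rules"]:
            out.append(f"      - alert: {r['alert']}")
            out.append(f"        expr: {q(r['expr'])}")
            out.append("        labels:")
            out.extend(f"          {k}: {q(v)}" for k, v in r["labels"].items())
            out.append("        annotations:")
            out.extend(f"          {k}: {q(v)}" for k, v in r["annotations"].items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_yaml(build_rule_group(SAMPLE_RULES)), end="")
```

Pipe the output into `promtool check rules /dev/stdin` before loading it; `promtool` also accepts a `--lint=duplicate-rules` style of check in recent releases, but the `duplicate_alert_names` helper catches the same problem earlier, in a unit test. Because `increase()` keeps the input series' labels, each firing alert still carries Falco's `rule` (and, with falco-exporter, `hostname` and `priority`) labels without them being set explicitly.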