Reference Library for Falco Threat Detection Rules

Sysdig Secure lets you create and customize Threat Detection Rules to secure your environment. Each rule attaches to raw events in your environment; from those events you extract data using fields, which you then use to define the rule's condition and output. This topic covers the raw events and fields supported by Sysdig Secure, including the fields referenced in a rule's output key, whose values are also displayed in the associated entries in the Event feed.

Fields

In a Threat Detection rule, a field is a specific attribute extracted from a raw event. Use fields in a rule's condition to specify which raw events should trigger a security event or action, and in its output to specify what the resulting event reports. Fields are what let Sysdig Secure identify and respond to suspicious or unauthorized activity in your environment. This topic describes all the fields you can include in a Threat Detection rule. The fields below are generic to Falco and therefore available on every raw event; refer to the source-specific pages linked below for the fields available on non-syscall sources.

Field Class: evt

These fields can be used for all event types.

Event Sources: syscall

Name               Type       Description
evt.num            UINT64     The event number.
evt.time           CHARBUF    The event timestamp as a time string that includes the nanosecond part.
evt.time.s         CHARBUF    The event timestamp as a time string with no nanoseconds.
evt.time.iso8601   CHARBUF    The event timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC).
evt.datetime       CHARBUF    The event timestamp as a time string that includes the date.
evt.datetime.s     CHARBUF    The event timestamp as a datetime string with no nanoseconds.
evt.rawtime        ABSTIME    The absolute event timestamp, i.e. nanoseconds since the epoch.
evt.rawtime.s      ABSTIME    The integer part of the absolute event timestamp, i.e. seconds since the epoch.
evt.rawtime.ns     ABSTIME    The fractional (nanosecond) part of the absolute event timestamp.
evt.reltime        RELTIME    The number of nanoseconds from the beginning of the capture.
evt.reltime.s      RELTIME    The number of seconds from the beginning of the capture.
evt.reltime.ns     RELTIME    The fractional part (in nanoseconds) of the time from the beginning of the capture.
evt.pluginname     CHARBUF    For an event coming from a plugin-defined event source, the name of the plugin that generated it. The plugin must be currently loaded.
evt.plugininfo     CHARBUF    For an event coming from a plugin-defined event source, a summary of the event as formatted by the plugin. The plugin must be currently loaded.
evt.source         CHARBUF    The name of the source that produced the event.
evt.is_async       BOOL       true for asynchronous events, false otherwise.
evt.asynctype      CHARBUF    If the event is asynchronous, the type of the event (for example, container).
evt.hostname       CHARBUF    The hostname of the underlying host. It can be overridden by setting an environment variable for the agent (FALCO_HOSTNAME for the Falco agent). This matters in Kubernetes DaemonSet deployments, where the hostname seen inside the agent pod can be the pod name rather than the node name; to report the node instead, set the variable from Kubernetes' spec.nodeName. Note that spec.nodeName generally includes the cluster name.
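The following DaemonSet container fragment is an added example, not from the Sysdig or Falco documentation. It shows the override described for evt.hostname: the node name is exposed to the agent through the Kubernetes downward API so that evt.hostname reports the node rather than the pod's own hostname. The container name and image are placeholders.

```yaml
# Added example (not part of the original page). Fragment of a DaemonSet pod
# spec: the agent reads FALCO_HOSTNAME and uses it as evt.hostname, so each
# event is attributed to the node, not to the agent pod's generated name.
containers:
  - name: falco                              # placeholder container name
    image: <your-falco-or-sysdig-agent-image> # placeholder, set to your agent image
    env:
      - name: FALCO_HOSTNAME
        valueFrom:
          fieldRef:
            fieldPath: spec.nodeName        # downward API: the node this pod runs on
```

After rolling this out, check a fresh event in the Event feed: its hostname should now match `kubectl get nodes` output for the node that produced it, including any cluster prefix the provider embeds in the node name.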
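The rule below is an added example, not taken from the Sysdig or Falco rule sets; it shows evt.* fields from the table above used in both a condition and an output. The rule name and tags are made up. evt.type, evt.dir, proc.name, proc.cmdline and container.id are Falco fields from classes not listed on this page; they are assumed to be available, as they are for any syscall event.

```yaml
# Added example (not part of the original page): an interactive shell exec'd
# inside a container, with the output stamped with evt.* fields so the Event
# feed entry can be correlated with other tooling.
- rule: Example Shell In Container With Event Metadata
  desc: >
    Detect a shell being exec'd in a container and record the event number,
    UTC timestamp, event source and host that produced it.
  condition: >
    evt.type in (execve, execveat) and evt.dir = < and
    proc.name in (bash, sh, zsh) and
    container.id != host
  output: >
    Shell exec'd in container
    (event=%evt.num time=%evt.time.iso8601 rel_s=%evt.reltime.s
    source=%evt.source host=%evt.hostname
    proc=%proc.name cmdline=%proc.cmdline container=%container.id)
  priority: NOTICE
  tags: [example, evt_fields]
```

A few points the table does not spell out: output fields are referenced with a leading `%`; `evt.time.iso8601` is the field to use when the output is forwarded to a SIEM, because it is UTC and carries the offset, whereas `evt.time` and `evt.datetime` are rendered in the agent's local time; and `evt.reltime.s` is measured from the start of the capture, so it is useful for ordering events within one agent's stream but is not comparable across hosts.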

Events

These are the raw events from which Falco parses and extracts the fields. In a Linux workload, they correspond to syscalls. Refer to the individual sources to learn which raw events each one provides: