Reference Library for Falco Threat Detection Rules
Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment.
Each of your rules attaches to raw events in your environment. From those events, you can extract data using fields to define outputs and conditions.
This topic covers the raw events and fields supported by Sysdig Secure, including those defined in the output key of a rule, which are also displayed in the associated events in the Event feed.
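The following rule, added here as an example and not one shipped by Sysdig Secure or Falco, shows how the two places described above fit together: the `condition` key uses fields to select which raw events fire the rule, and the `output` key uses `%field` placeholders so the same field values appear in the event that lands in the Event feed. The rule name, description and tags are assumptions chosen for illustration; the fields (`evt.type`, `evt.is_open_write`, `fd.name`, `container.id`, `user.name`, `proc.cmdline`, `proc.pname`, `container.name`, `container.image.repository`) are standard Falco syscall-source fields.

```yaml
# Added example rule (not a Sysdig or Falco shipped rule). Name, desc and tags
# are assumptions; the fields are standard Falco syscall-source fields.
- rule: Write below etc (example)
  desc: >
    A file under /etc was opened for writing from inside a container. The
    condition uses event, file-descriptor and container fields to select the
    raw events of interest; the output uses %field placeholders so the same
    values are shown in the Event feed entry.
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true
    and fd.name startswith /etc/
    and container.id != host
  output: >
    File below /etc opened for writing (user=%user.name
    command=%proc.cmdline parent=%proc.pname file=%fd.name
    container_id=%container.id container_name=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container, example]
```

Every field referenced in `output` is evaluated against the same raw event that matched `condition`, so the Event feed entry carries exactly the context (user, command, parent process, file, container) a responder needs without a second lookup. Narrowing `condition` with additional fields (for example excluding a known package-manager `proc.name`) is how you tune the rule's noise before it reaches the feed.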
Fields
In a Threat Detection rule, a field is a specific attribute of an event, extracted from the raw event. Use fields to define a rule's condition and output: the condition selects which raw events fire the rule, and the output selects which field values appear in the resulting event or action. Fields help Sysdig Secure identify and respond to suspicious or unauthorized activity in your environment. This topic describes all the fields you can use in a Threat Detection rule. Refer to the source-specific pages linked below for fields available on non-syscall sources: