Reference Library for Azure Platform Logs Falco Threat Detection Rules
Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment.
This topic provides all the fields and events that apply to Falco rules for Azure Platform Logs.
Fields
Field Class: JSON
| Name | Type | Description |
|---|---|---|
| json.value | CHARBUF | Extracts a value from the JSON-encoded event. Syntax is `json.value[<json pointer>]`, where `<json pointer>` is an RFC 6901 JSON Pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| json.obj | CHARBUF | The full JSON message as a text string. |
| json.rawtime | CHARBUF | The time of the event, identical to evt.rawtime. |
| jevt.value | CHARBUF | Alias for json.value, provided for backwards compatibility. |
| jevt.obj | CHARBUF | Alias for json.obj, provided for backwards compatibility. |
| jevt.rawtime | CHARBUF | Alias for json.rawtime, provided for backwards compatibility. |
Field Class: azure
| Name | Type | Description |
|---|---|---|
| azure.compute.containerregistry | CHARBUF | Azure Container Registry name |
| azure.compute.functions | CHARBUF | Azure Function name |
| azure.databases.sqlserver | CHARBUF | Azure SQL Server name |
| azure.networking.virtualnetwork | CHARBUF | Azure Virtual Network name |
| azure.location | CHARBUF | Azure location display name |
| azure.resourceGroup | CHARBUF | Azure resource group name |
| azure.resourceType | CHARBUF | Azure resource type |
| azure.resourceId | CHARBUF | Azure resource ID |
| azure.storage.blobservices.container | CHARBUF | Azure Blob Service container name |
| azure.storage.storageaccounts | CHARBUF | Azure Storage Account name |
| azure.subscriptionId | CHARBUF | Azure Subscription ID |
| azure.tenantId | CHARBUF | Azure Tenant ID |
| azure.user | CHARBUF | Azure user name |
| azure.requestBody | CHARBUF | Extracts a value from the JSON request body of the event. Syntax is `azure.requestBody[<json pointer>]`, where `<json pointer>` is an RFC 6901 JSON Pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| azure.responseBody | CHARBUF | Extracts a value from the JSON response body of the event. Syntax is `azure.responseBody[<json pointer>]`, where `<json pointer>` is an RFC 6901 JSON Pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| azure.statusMessage | CHARBUF | Extracts a value from the JSON status message of the event. Syntax is `azure.statusMessage[<json pointer>]`, where `<json pointer>` is an RFC 6901 JSON Pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| azure.time | CHARBUF | Timestamp of the event in ISO 8601 format |
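The pointer syntax shared by json.value and by azure.requestBody, azure.responseBody and azure.statusMessage is easiest to understand by resolving it by hand. The following Python is an added example and is not Sysdig or Falco code: it implements RFC 6901 JSON Pointer resolution (including the ~0/~1 escapes and array indices) and evaluates a Falco-style condition over a constructed Azure Activity Log event. The event layout, the upper-case operation name, the properties.requestbody and properties.responseBody keys holding JSON as strings, the rendering of a missing path as an empty string, and the helper names json_pointer, json_value, azure_body_value and public_blob_access_enabled are all assumptions made for illustration; verify them against a real event from your tenant before relying on exact-match comparisons in a rule.

```python
"""Resolving the json.value[...] / azure.requestBody[...] pointer syntax by hand.

Added example, not Sysdig or Falco code. Implements RFC 6901 JSON Pointer
resolution and runs a Falco-style condition over a constructed Azure Activity
Log event so the field semantics can be checked offline.
"""
import json
from typing import Any, Optional

# Constructed sample event (not captured from a real tenant). The layout,
# including requestbody being a JSON *string* inside properties and the
# upper-case operationName, is an assumption about the Activity Log schema.
SAMPLE_EVENT = {
    "time": "2024-05-01T10:15:30.000Z",
    "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-DEMO"
                  "/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/STDEMO001",
    "identity": {"claims": {"name": "alice@example.com"}},
    "properties": {
        "statusCode": "OK",
        "requestbody": json.dumps({
            "location": "westeurope",
            "properties": {"allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_2"},
        }),
        "responseBody": json.dumps({"properties": {"provisioningState": "Succeeded"}}),
    },
}


def json_pointer(doc: Any, pointer: str) -> Optional[Any]:
    """Resolve an RFC 6901 pointer; returns None when the path does not exist."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("a non-empty JSON pointer must start with '/'")
    node = doc
    for raw in pointer.split("/")[1:]:
        # RFC 6901 section 4: unescape ~1 before ~0, so "~01" becomes "~1", not "/".
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node


def as_charbuf(value: Optional[Any]) -> str:
    """Render a resolved value as text, the way a CHARBUF field is compared in a
    rule condition (assumption): scalars as text, JSON true/false as "true"/"false",
    containers re-serialised, and a missing path as the empty string."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)


def json_value(event: dict, pointer: str) -> str:
    """Counterpart of json.value[<pointer>]: the pointer is applied to the whole event."""
    return as_charbuf(json_pointer(event, pointer))


def azure_body_value(event: dict, body_key: str, pointer: str) -> str:
    """Counterpart of azure.requestBody[...] / azure.responseBody[...] (assumed layout):
    the body sits under properties as a JSON-encoded string, so it is parsed first and
    the pointer is applied to the parsed document. A missing or non-JSON body yields ""."""
    raw = json_pointer(event, f"/properties/{body_key}")
    if not isinstance(raw, str):
        return ""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return ""
    return as_charbuf(json_pointer(body, pointer))


def public_blob_access_enabled(event: dict) -> bool:
    """Falco-style condition written out in Python:
        json.value[/operationName] = "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
        and azure.requestBody[/properties/allowBlobPublicAccess] = "true"
    Field values compare as strings, so the JSON boolean is matched against "true"."""
    return (
        json_value(event, "/operationName") == "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE"
        and azure_body_value(event, "requestbody", "/properties/allowBlobPublicAccess") == "true"
    )


if __name__ == "__main__":
    print(json_value(SAMPLE_EVENT, "/identity/claims/name"))
    print(azure_body_value(SAMPLE_EVENT, "requestbody", "/properties/minimumTlsVersion"))
    print("match" if public_blob_access_enabled(SAMPLE_EVENT) else "no match")
```

Two points carry over to real rules: the pointer is applied to the parsed body, not to the outer event, so a path that exists in the request body must be addressed through azure.requestBody rather than json.value; and a pointer to a key that is absent (for example a statusMessage the operation never produced) resolves to nothing, so conditions that test for absence should compare against the empty string rather than assume the field is always set.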