Reference Library for Amazon GuardDuty Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic provides all the fields and events that apply to Falco rules for Amazon GuardDuty.

Fields

Field Class: JSON

| Name | Type | Description |
| --- | --- | --- |
| json.value | CHARBUF | Extracts a value from a JSON-encoded input. Syntax is json.value[<json pointer>], where <json pointer> is a JSON pointer (see https://datatracker.ietf.org/doc/html/rfc6901). |
| json.obj | CHARBUF | The full JSON message as a text string. |
| json.rawtime | CHARBUF | The time of the event, identical to evt.rawtime. |
| jevt.value | CHARBUF | Alias for json.value, provided for backwards compatibility. |
| jevt.obj | CHARBUF | Alias for json.obj, provided for backwards compatibility. |
| jevt.rawtime | CHARBUF | Alias for json.rawtime, provided for backwards compatibility. |

Field Class: GuardDuty

| Name | Type | Description |
| --- | --- | --- |
| guardduty.accountId | CHARBUF | GuardDuty account ID |
| guardduty.region | CHARBUF | GuardDuty region |
| guardduty.time | CHARBUF | GuardDuty last updated event time |
| guardduty.id | CHARBUF | GuardDuty ID |
| guardduty.arn | CHARBUF | GuardDuty ARN |
| guardduty.type | CHARBUF | GuardDuty type |
| guardduty.resourceType | CHARBUF | GuardDuty resource type |
| guardduty.actionType | CHARBUF | GuardDuty action type |
| guardduty.resourceRole | CHARBUF | GuardDuty resource role |
| guardduty.eventFirstSeen | CHARBUF | GuardDuty event first seen |
| guardduty.eventLastSeen | CHARBUF | GuardDuty event last seen |
| guardduty.threatFilesSha256 | LIST(CHARBUF) | GuardDuty threat files SHA-256 |
| guardduty.archived | CHARBUF | GuardDuty archived |
| guardduty.count | CHARBUF | GuardDuty count |
| guardduty.severity | CHARBUF | GuardDuty severity |
| guardduty.title | CHARBUF | GuardDuty title |
| guardduty.description | CHARBUF | GuardDuty description |
| guardduty.EC2.instanceId | CHARBUF | GuardDuty EC2 instance ID |
| guardduty.EC2.instanceType | CHARBUF | GuardDuty EC2 instance type |
| guardduty.IAM.principalId | CHARBUF | GuardDuty IAM principal ID |
| guardduty.IAM.userName | CHARBUF | GuardDuty IAM user name |
| guardduty.S3.bucketNames | LIST(CHARBUF) | GuardDuty S3 bucket names |
| guardduty.S3.permissions | LIST(CHARBUF) | GuardDuty S3 permissions |
| guardduty.EKS.clusterName | CHARBUF | GuardDuty EKS cluster name |
| guardduty.EKS.workloadName | CHARBUF | GuardDuty EKS workload name |
| guardduty.EKS.namespace | CHARBUF | GuardDuty EKS namespace |
| guardduty.EKS.containers | LIST(CHARBUF) | GuardDuty EKS containers |
| guardduty.EKS.userName | CHARBUF | GuardDuty EKS user name |
| guardduty.EKS.serviceAccount | CHARBUF | GuardDuty EKS service account |
| guardduty.ECS.clusterName | CHARBUF | GuardDuty ECS cluster name |
| guardduty.ECS.clusterStatus | CHARBUF | GuardDuty ECS cluster status |
| guardduty.ECS.task | CHARBUF | GuardDuty ECS task |
| guardduty.ECS.containers | LIST(CHARBUF) | GuardDuty ECS containers |
| guardduty.container.runtime | CHARBUF | GuardDuty container runtime |
| guardduty.container.name | CHARBUF | GuardDuty container name |
| guardduty.container.image | CHARBUF | GuardDuty container image |
| guardduty.container.privileged | CHARBUF | GuardDuty container privileged |
| guardduty.RDS.dbInstanceId | CHARBUF | GuardDuty RDS DB instance ID |
| guardduty.RDS.userName | CHARBUF | GuardDuty RDS user name |
| guardduty.RDS.database | CHARBUF | GuardDuty RDS database |
| guardduty.RDS.application | CHARBUF | GuardDuty RDS application |
| guardduty.lambda.functionName | CHARBUF | GuardDuty Lambda function name |
| guardduty.lambda.role | CHARBUF | GuardDuty Lambda role |
| guardduty.runtime.exepath | CHARBUF | GuardDuty runtime executable path |
| guardduty.runtime.procname | CHARBUF | GuardDuty runtime process name |
| guardduty.runtime.euid | CHARBUF | GuardDuty runtime effective user ID |
| guardduty.runtime.pid | CHARBUF | GuardDuty runtime process ID |
| guardduty.runtime.user | CHARBUF | GuardDuty runtime user |
| guardduty.runtime.cmdline | CHARBUF | GuardDuty runtime command line |
| guardduty.runtime.scriptPath | CHARBUF | GuardDuty runtime script path |
| guardduty.runtime.threatFilePath | CHARBUF | GuardDuty runtime threat file path |
| guardduty.runtime.toolName | CHARBUF | GuardDuty runtime tool name |
| guardduty.runtime.toolCategory | CHARBUF | GuardDuty runtime tool category |
| guardduty.EBS.scannedVolumes | LIST(CHARBUF) | GuardDuty EBS scanned volumes |
| guardduty.EBS.skippedVolumes | LIST(CHARBUF) | GuardDuty EBS skipped volumes |
| guardduty.EBS.scanId | CHARBUF | GuardDuty EBS scan ID |
| guardduty.EBS.scanType | CHARBUF | GuardDuty EBS scan type |
| guardduty.EBS.scanSeverity | CHARBUF | GuardDuty EBS scan severity |
| guardduty.EBS.highestThreatName | CHARBUF | GuardDuty EBS highest threat name |
| guardduty.EBS.threats | LIST(CHARBUF) | GuardDuty EBS threats |
| guardduty.EBS.maliciousFilesCount | CHARBUF | GuardDuty EBS malicious files count |
| guardduty.awsApiAction.api | CHARBUF | GuardDuty AWS API action API |
| guardduty.awsApiAction.ip | CHARBUF | GuardDuty AWS API action IP |
| guardduty.awsApiAction.srcInstance | CHARBUF | GuardDuty AWS API action source instance |
| guardduty.dnsAction.protocol | CHARBUF | GuardDuty DNS action protocol |
| guardduty.dnsAction.blocked | CHARBUF | GuardDuty DNS action blocked |
| guardduty.dnsAction.domain | CHARBUF | GuardDuty DNS action domain |
| guardduty.k8sApiAction.uri | CHARBUF | GuardDuty Kubernetes API action URI |
| guardduty.k8sApiAction.resourceName | CHARBUF | GuardDuty Kubernetes API action resource name |
| guardduty.k8sApiAction.namespace | CHARBUF | GuardDuty Kubernetes API action namespace |
| guardduty.k8sApiAction.ip | CHARBUF | GuardDuty Kubernetes API action IP |
| guardduty.networkAction.ip | CHARBUF | GuardDuty network action IP |
| guardduty.networkAction.port | CHARBUF | GuardDuty network action port |
| guardduty.networkAction.protocol | CHARBUF | GuardDuty network action protocol |
| guardduty.networkAction.direction | CHARBUF | GuardDuty network action direction |
| guardduty.networkAction.blocked | CHARBUF | GuardDuty network action blocked |
| guardduty.portProbeAction.ports | LIST(CHARBUF) | GuardDuty port probe action ports |
| guardduty.portProbeAction.srcIPs | LIST(CHARBUF) | GuardDuty port probe action source IPs |
| guardduty.portProbeAction.blocked | CHARBUF | GuardDuty port probe action blocked |
| guardduty.rdsLoginAction.apps | LIST(CHARBUF) | GuardDuty RDS login action applications |
| guardduty.rdsLoginAction.ip | CHARBUF | GuardDuty RDS login action IP |