Reference Library for Windows workloads Falco Threat Detection Rules
Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment.
This topic provides all the fields and events that apply to Falco rules for Windows workloads.
Fields
Field Class: windows
| Name | Type | Description | Versions |
|---|---|---|---|
| fd.num | UINT64 | The unique number identifying the handle object | all |
| fd.type | CHARBUF | Handle type. Can be file, directory, module, key, event, mutex, semaphore, driver, process, thread, section, etc. | all |
| fd.typechar | CHARBUF | Handle type represented as a single character. Can be ‘f’ for file, 4 for IPv4 socket, 6 for IPv6 socket, ‘e’ for event object, ‘s’ for section, etc. | all |
| fd.name | CHARBUF | Full handle name. If the handle is a file, this field contains the full path. If the handle is a registry key, this field is the union of the root and the subkey. The reasoning is similar for other handle types. | all |
| fd.directory | CHARBUF | If the handle is a file, represents the directory that contains it | all |
| fd.filename | CHARBUF | If the handle is a file, contains the filename without the path | all |
| fd.cip | IPADDR | Client IP address | all |
| fd.sip | IPADDR | Server IP address | all |
| fd.lip | IPADDR | Local IP address | all |
| fd.rip | IPADDR | Remote IP address | all |
| fd.cport | UINT64 | Client port | all |
| fd.sport | UINT64 | Server port | all |
| fd.lport | UINT64 | Local port | all |
| fd.rport | UINT64 | Remote port | all |
| fd.l4proto | CHARBUF | IP protocol. Can be ‘tcp’ or ‘udp’ | all |
| fd.sockfamily | CHARBUF | The socket family for network events | all |
| fd.is_server | BOOL | Returns true if the process owning the handle is the server endpoint in the connection | all |
| fd.uid | CHARBUF | Unique identifier for the handle | all |
| fd.containername | CHARBUF | Chaining of the container identifier and the handle name. Useful when trying to identify which container a handle belongs to | all |
| fd.containerdirectory | CHARBUF | Chaining of the container identifier and the directory name. Useful when trying to identify which container a directory belongs to | all |
| fd.cproto | CHARBUF | Client protocol | all |
| fd.sproto | CHARBUF | Server protocol | all |
| fd.lproto | CHARBUF | Local protocol | all |
| fd.rproto | CHARBUF | Remote protocol | all |
| fd.cnet | IPNET | Matches the client IP network | all |
| fd.snet | IPNET | Matches the server IP network | all |
| fd.lnet | IPNET | Matches the local IP network | all |
| fd.rnet | IPNET | Matches the remote IP network | all |
| fd.connected | BOOL | Returns true if the socket is connected | all |
| fd.cip.name | CHARBUF | Domain name associated with the client IP address | all |
| fd.sip.name | CHARBUF | Domain name associated with the server IP address | all |
| fd.lip.name | CHARBUF | Domain name associated with the local IP address | all |
| fd.rip.name | CHARBUF | Domain name associated with the remote IP address | all |
| fd.dev | CHARBUF | Device volume name for file handles | all |
| fd.ino | CHARBUF | File identifier of the referenced file | all |
| proc.pid | UINT64 | Identifier of the process generating the event | all |
| proc.exe | CHARBUF | Full executable path of the process generating the event | all |
| proc.name | CHARBUF | Name of the executable generating the event | all |
| proc.args | CHARBUF | Arguments passed on the command line when starting the process generating the event | all |
| proc.env | CHARBUF | Environment variables of the process generating the event | all |
| proc.cmdline | CHARBUF | Full process command line, i.e. proc.name + proc.args | all |
| proc.exeline | CHARBUF | Full process command line, i.e. proc.exe + proc.args | all |
| proc.cwd | CHARBUF | The current working directory of the process generating the event | all |
| proc.nthreads | UINT64 | Number of threads that the process generating the event currently has, including the main process thread | all |
| proc.nchilds | UINT64 | Number of threads that the process generating the event currently has, excluding the main process thread | all |
| proc.ppid | UINT64 | Pid of the parent of the process generating the event | all |
| proc.pname | CHARBUF | Name, excluding the path, of the parent of the process generating the event | all |
| proc.pcmdline | CHARBUF | Full command line (proc.name + proc.args) of the parent of the process generating the event | all |
| proc.apid | UINT64 | Pid of one of the process ancestors. E.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process | all |
| proc.aname | CHARBUF | Name of one of the process ancestors. E.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process | all |
| proc.duration | UINT64 | Number of nanoseconds since the process generating the event started | all |
| proc.fdopencount | UINT64 | Number of open handles for the process | all |
| thread.tid | UINT64 | Identifier of the thread generating the event | all |
| thread.ismain | BOOL | Returns true if the thread generating the event is the main one in the process | all |
| proc.sid | UINT64 | Session id of the process generating the event | all |
| proc.sname | CHARBUF | Name of the process owning the job object generating the event | all |
| proc.tty | BOOL | Returns true if the process generating the event has a terminal attached | all |
| proc.exepath | CHARBUF | Full executable path of the process generating the event | all |
| proc.is_container_healthcheck | BOOL | Returns true if this process is running as part of the container’s health check | all |
| proc.is_container_liveness_probe | BOOL | Returns true if this process is running as part of the container’s liveness probe | all |
| proc.is_container_readiness_probe | BOOL | Returns true if this process is running as part of the container’s readiness probe | all |
| proc.is_exe_writable | BOOL | Returns true if the process’ executable file is writable by the same user that spawned the process | all |
| proc.privileges_permitted | CHARBUF | Granted process token privileges | all |
| proc.privileges_inherited | CHARBUF | Inherited process token privileges | all |
| evt.type | CHARBUF | The name of the event (e.g. WriteFile) | all |
| evt.type.is | BOOL | Allows one to specify an event type, and returns true for events that are of that type. For example, evt.type.is[ReadFile] returns true for read file events and false for any other event | all |
| syscall.type | CHARBUF | The name of the system call. For example, if a CreateHandle event is captured with the mutex handle type, this field returns the NtCreateMutex syscall name | all |
| evt.category | CHARBUF | The event category. Example values are ‘file’ for file operations like CreateFile/CloseFile, ‘net’ for network operations like Accept/Send, ‘registry’ for things like RegCreateKey, and so on | all |
| evt.cpu | UINT64 | Number of the CPU where the event happened | all |
| evt.args | CHARBUF | All the event arguments aggregated into a single string | all |
| evt.arg | CHARBUF | String representation of the event argument specified by name | all |
| evt.rawarg | CHARBUF | Raw representation of the event argument specified by name | all |
| evt.info | CHARBUF | For most events, this field returns the same value as evt.args | all |
| evt.buffer | CHARBUF | The binary data buffer for events that have one. For example, RegSetValue may write binary content into a registry value | all |
| evt.buflen | UINT64 | The length of the binary data buffer for events that have one | all |
| evt.res | CHARBUF | Event return value as a string. If the event failed, the result is an error code string (e.g. ‘The system cannot find the file specified.’). Otherwise, the result is the string ‘Success’ | all |
| evt.rawres | UINT64 | Event return value as a number (e.g. -2). Useful for range comparisons | all |
| evt.failed | BOOL | Returns true for events that returned an error status | all |
| evt.is_io | BOOL | Returns true for events that produce read or write I/O, like WriteFile or Recv | all |
| evt.is_io_read | BOOL | Returns true for events that produce read I/O, like ReadFile or Recv | all |
| evt.io_io_write | BOOL | Returns true for events that produce write I/O, like WriteFile or Recv | all |
| evt.io_dir | CHARBUF | Returns ‘r’ for events that produce read I/O like ReadFile, or ‘w’ for events that trigger write I/O like WriteFile | all |
| evt.is_wait | BOOL | Returns true for events that make the thread wait | all |
| evt.count | UINT64 | This filter field always returns 1 and can be used to count events | all |
| evt.count.error | UINT64 | This filter field returns 1 for events that returned with an error | all |
| evt.count.error.file | UINT64 | This filter field returns 1 for events that returned with an error and are related to file I/O | all |
| evt.count.error.net | UINT64 | This filter field returns 1 for events that returned with an error and are related to network I/O | all |
| evt.count.error.memory | UINT64 | This filter field returns 1 for events that returned with an error and are related to memory allocation | all |
| evt.count.error.other | UINT64 | This filter field returns 1 for events that returned with an error and are related to none of the previous categories | all |
| evt.around | UINT64 | Accepts the event if it falls within the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 returns the events whose timestamp lies within one second before and one second after the given timestamp, for a total window of two seconds of capture | all |
| evt.abspath | UINT64 | Absolute path calculated from the directory file handle | all |
| evt.is_open_read | BOOL | Returns true for events where the file was opened for reading | all |
| evt.is_open_write | BOOL | Returns true for events where the file was opened for writing | all |
| evt.is_open_exec | BOOL | Returns true for events where the executable file is created | all |
| user.uid | CHARBUF | User SID (Security Identifier) (e.g. S-1-5-18) | all |
| user.name | CHARBUF | User name | all |
| user.domain | CHARBUF | User domain (e.g. NT AUTHORITY) | all |
| user.homedir | CHARBUF | Home directory of the user | all |
| user.shell | CHARBUF | User’s shell | all |
| user.loginuid | UINT64 | User’s logon session identifier | all |
| user.loginname | CHARBUF | User’s logon name | all |
| user.logintype | CHARBUF | Type of the logon session (e.g. INTERACTIVE) | all |
| group.uid | CHARBUF | Group SID (Security Identifier) (e.g. S-1-5-32-544) | all |
| group.name | CHARBUF | Group name (e.g. Administrators) | all |
| container.id | CHARBUF | Unique container short identifier (e.g. 3ad7b26ded6d) | all |
| container.full_id | CHARBUF | Unique container full identifier (e.g. 3ad7b26ded6d8e7b23da7d48fe889434573036c27ae5a74837233de441c3601e) | all |
| container.name | CHARBUF | Container name | all |
| container.type | CHARBUF | Container engine type (e.g. docker) | all |
| container.image | CHARBUF | Container image name (e.g. falcosecurity/falco:latest) | all |
| container.image.id | CHARBUF | Container image identifier (e.g. 6f7e2741b66b) | all |
| container.image.repository | CHARBUF | Container image repository (e.g. falcosecurity/falco) | all |
| container.image.tag | CHARBUF | Container image tag (e.g. stable, latest) | all |
| container.image.digest | CHARBUF | Container image registry digest (e.g. sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27) | all |
| container.mounts | CHARBUF | A space-separated list of mount information | all |
| container.mount | CHARBUF | Information about a single mount, specified by number or by mount source (e.g. container.mount[C:\WINDOWS]) | all |
| container.mount.source | CHARBUF | The mount source specified by mount destination (e.g. container.mount.source[C:\WINDOWS\System32]) | all |
| container.mount.dest | CHARBUF | The mount dest specified by mount source (e.g. container.mount.source[C:\WINDOWS\System32]) | all |
| container.mount.mode | CHARBUF | The mount mode specified by mount source (e.g. container.mount.mode[C:\WINDOWS]) | all |
| container.mount.rdwr | CHARBUF | The mount rdwr value specified by mount source (e.g. container.mount.rdwr[C:\WINDOWS]) | all |
| container.mount.propagation | CHARBUF | The mount propagation value specified by mount source (e.g. container.mount.propagation[C:\WINDOWS]) | all |
| container.healthcheck | CHARBUF | Container’s health check. Will be the null value (‘N/A’) if no healthcheck is configured, ‘NONE’ if configured but explicitly not created, and the healthcheck command line otherwise | all |
| container.liveness_probe | CHARBUF | Container’s liveness probe. Will be the null value (‘N/A’) if no liveness probe is configured, and the liveness probe command line otherwise | all |
| container.readiness_probe | CHARBUF | Container’s readiness probe. Will be the null value (‘N/A’) if no readiness probe is configured, and the readiness probe command line otherwise | all |
| container.start_ts | UINT64 | Container start as epoch timestamp in nanoseconds | all |
| container.duration | UINT64 | Number of nanoseconds since container.start_ts | all |
| container.ip | IPADDR | The container’s / pod’s primary IP address | all |
| container.cni.json | CHARBUF | The container’s / pod’s CNI result field from the respective pod status info | all |
| k8s.ns.name | CHARBUF | Kubernetes namespace name | all |
| k8s.pod.name | CHARBUF | Kubernetes pod name | all |
| k8s.pod.uid | CHARBUF | Kubernetes pod identifier | all |
| k8s.pod.sandbox_id | CHARBUF | The truncated Kubernetes pod sandbox identifier | all |
| k8s.pod.full_sandbox_id | CHARBUF | The full Kubernetes pod sandbox identifier | all |
| k8s.pod.label | CHARBUF | Kubernetes pod label (e.g. k8s.pod.label[foo]) | all |
| k8s.pod.labels | CHARBUF | Kubernetes pod comma-separated key/value labels (e.g. foo1:bar1,foo2:bar2) | all |
| k8s.pod.ip | IPADDR | The Kubernetes pod IP, same as container.ip, as each container in a pod shares the network stack of the sandbox pod | all |
| k8s.pod.cni.json | CHARBUF | Pod CNI result in JSON format | all |