{ "version": 5, "dashboardId": "7272369497879618455", "title": "Kubernetes / Security", "description": "Helps improve security visibility with real time alerts", "role": "", "owner": "", "created": "2024-12-10T22:13:14.878Z", "tabs": [ { "tabId": "77936", "name": "Description", "panels": [ { "id": "Panel_ID1149210", "type": "markdown", "title": "Overview Of Fields", "description": "", "config": { "show_legends": true, "legends_position": null, "decimals": 2, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "", "queries": [ { "query": "", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "", "stream_type": "logs", "x": [], "y": [], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 0, "w": 48, "h": 24, "i": 1 }, "htmlContent": "", "markdownContent": "Structured breakdown of the attributes in Falco transformed logs:\n\n### Metadata and Timestamps:\n- **`_timestamp`**: Epoch timestamp representing the event occurrence.\n- **`body_output_fields_evt_time`**: Timestamp of the event in nanoseconds.\n- **`body_time`**: ISO 8601 formatted event time.\n- **`time`**: Log recording 
time in ISO 8601 format.\n\n### Event Details:\n- **`body_hostname`**: Hostname of the system where the event occurred.\n- **`body_output`**: Detailed output message of the event.\n- **`body_priority`**: Priority level of the event.\n- **`body_rule`**: Rule triggered for the event.\n- **`body_source`**: Source of the event.\n- **`body_tags`**: Tags associated with the event.\n\n### Networking:\n- **`body_output_fields_fd_name`**: Connection details.\n- **`body_output_fields_fd_l4proto`**: Layer 4 protocol used.\n- **`body_output_fields_fd_lport`**: Local port.\n- **`body_output_fields_fd_rport`**: Remote port.\n- **`body_output_fields_fd_type`**: File descriptor type.\n\n### User Information:\n- **`body_output_fields_user_name`**: User initiating the process.\n- **`body_output_fields_user_uid`**: User ID.\n- **`body_output_fields_user_loginuid`**: Login UID.\n\n### Process Details:\n- **`body_output_fields_proc_cmdline`**: Command-line used for the process.\n- **`body_output_fields_proc_exepath`**: Path to the executable.\n- **`body_output_fields_proc_name`**: Process name.\n- **`body_output_fields_proc_pname`**: Parent process name.\n- **`body_output_fields_proc_tty`**: Terminal associated.\n\n### Container Details:\n- **`body_output_fields_container_id`**: Container ID.\n- **`body_output_fields_container_image_repository`**: Image repository.\n- **`body_output_fields_container_image_tag`**: Image tag.\n- **`body_output_fields_container_name`**: Container name.\n\n### Kubernetes Details:\n- **`body_output_fields_k8s_ns_name`**: Kubernetes namespace name.\n- **`body_output_fields_k8s_pod_name`**: Kubernetes pod name.\n\n### Additional Kubernetes Metadata:\n- **`k8s_app_instance`**: Application instance name.\n- **`k8s_container_name`**: Container name.\n- **`k8s_container_restart_count`**: Container restart count.\n- **`k8s_namespace_name`**: Namespace name.\n- **`k8s_node_name`**: Node name.\n- **`k8s_pod_name`**: Pod name.\n- **`k8s_pod_start_time`**: Pod start 
time.\n- **`k8s_pod_uid`**: Pod UID.\n\n### Logging:\n- **`log_iostream`**: Log stream (`stdout`).\n- **`logtag`**: Log tag.\n\n### Service and Severity:\n- **`service_name`**: Service name (`falco`).\n- **`severity`**: Severity level (`0`).\n\n### Other:\n- **`dropped_attributes_count`**: Number of attributes dropped (`0`).\n- **`falco_num_evts`**: This represents the current number of events processed or observed by Falco at the moment of the log generation. It indicates the cumulative count of events since the Falco process started.\n- **`falco_num_evts_prev`**: This represents the previous event count processed or observed by Falco at the time of the last log entry or check. It is used to measure the difference between the current (falco_num_evts) and previous (falco_num_evts_prev) counts to determine how many events were observed in a specific time interval." } ] }, { "tabId": "8921", "name": "Falco Rules", "panels": [ { "id": "Panel_ID9699410", "type": "metric", "title": "Contact K8S API Server From Container", "description": "Detect attempts to communicate with the K8S API Server from a container by non-profiled users. Kubernetes APIs play a pivotal role in configuring the cluster management lifecycle. Detecting potential unauthorized access to the API server is of utmost importance. Audit your complete infrastructure and pinpoint any potential machines from which the API server might be accessible based on your network layout. 
If Falco can't operate on all these machines, consider analyzing the Kubernetes audit logs (typically drained from control nodes, and Falco offers a k8saudit plugin) as an additional data source for detections within the control plane.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(body_output) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Unexpected connection to K8s API Server from container%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Body Output", "alias": "y_axis_1", "column": "body_output", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Unexpected connection to K8s API Server from container", "logicalOperator": "AND", "filterType": 
"condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 0, "w": 24, "h": 9, "i": 1 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6653810", "type": "metric", "title": "Netcat Remote Code Execution in Container", "description": "Netcat Program runs inside container that allows remote code execution and may be utilized as a part of a variety of reverse shell payload https://github.com/swisskyrepo/PayloadsAllTheThings/. These programs are of higher relevance as they are commonly installed on UNIX-like operating systems. Can fire in combination with the \"Redirect STDOUT/STDIN to Network Connection in Container\" rule as it utilizes a different evt.type.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Netcat runs inside container that allows remote code execution%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": 
"y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Netcat runs inside container that allows remote code execution", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 0, "w": 24, "h": 9, "i": 2 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID2000610", "type": "metric", "title": "Directory traversal monitored file read", "description": "Web applications can be vulnerable to directory traversal attacks that allow accessing files outside of the web app's root directory (e.g. Arbitrary File Read bugs). System directories like /etc are typically accessed via absolute paths. Access patterns outside of this (here path traversal) can be regarded as suspicious. 
This rule includes failed file open attempts.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Read monitored file via directory traversal%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Read monitored file via directory traversal", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 9, "w": 24, "h": 9, "i": 3 }, "htmlContent": 
"", "markdownContent": "" }, { "id": "Panel_ID2808910", "type": "metric", "title": "Read sensitive file trusted after startup", "description": "An attempt to read any sensitive file (e.g. files containing user/password/authentication information) by a trusted program after startup. Trusted programs might read these files at startup to load initial state, but not afterwards. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Sensitive file opened for reading by trusted program after startup%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", 
"column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Sensitive file opened for reading by trusted program after startup", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 9, "w": 24, "h": 9, "i": 4 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6594510", "type": "metric", "title": "Read sensitive file untrusted", "description": "An attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs. Can be customized as needed. In modern containerized cloud infrastructures, accessing traditional Linux sensitive files might be less relevant, yet it remains valuable for baseline detections. 
While we provide additional rules for SSH or cloud vendor-specific credentials, you can significantly enhance your security program by crafting custom rules for critical application credentials unique to your environment.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Sensitive file opened for reading by non-trusted program%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Sensitive file opened for reading by non-trusted program", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, 
"config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 18, "w": 24, "h": 9, "i": 5 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6743710", "type": "metric", "title": "Run shell untrusted", "description": "An attempt to spawn a shell below a non-shell application. The non-shell applications that are monitored are defined in the protected_shell_spawner macro, with protected_shell_spawning_binaries being the list you can easily customize. For Java parent processes, please note that Java often has a custom process name. Therefore, rely more on proc.exe to define Java applications. This rule can be noisier, as you can see in the exhaustive existing tuning. However, given it is very behavior-driven and broad, it is universally relevant to catch \ngeneral Remote Code Execution (RCE). Allocate time to tune this rule for your use cases and reduce noise. Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. 
Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Shell spawned by untrusted binary%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Shell spawned by untrusted binary", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, 
"max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 18, "w": 24, "h": 9, "i": 6 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID370110", "type": "metric", "title": "System user interactive", "description": "System (e.g. non-login) users spawning new processes. Can add custom service users (e.g. apache or mysqld). 'Interactive' is defined as new processes as descendants of an ssh session or login process. Consider further tuning by only looking at processes in a terminal / tty (proc.tty != 0). A newer field proc.is_vpgid_leader could be of help to distinguish if the process was \"directly\" executed, for instance, in a tty, or executed as a descendant process in the same process group, which, for example, is the case when subprocesses are spawned from a script. Consider this rule as a great template rule to monitor interactive accesses to your systems more broadly. However, such a custom rule would be unique to your environment. The rule \"Terminal shell in container\" that fires when using \"kubectl exec\" is more Kubernetes relevant, whereas this one could be more interesting for the underlying host.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": 
"SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%System user ran an interactive command%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "System user ran an interactive command", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 27, "w": 24, "h": 9, "i": 7 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID3520310", "type": "metric", "title": "Terminal shell in container", "description": "A shell was used as the entrypoint/exec point into a container with an attached terminal. Parent process may have legitimately already exited and be null (read container_entrypoint macro). Common when using \"kubectl exec\" in Kubernetes. Correlate with k8saudit exec logs if possible to find user or serviceaccount token used (fuzzy correlation by namespace and pod name). 
Rather than considering it a standalone rule, it may be best used as generic auditing rule while examining other triggered rules in this container/tty.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%A shell was spawned in a container with an attached terminal%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "A shell was spawned in a container with an attached terminal", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", 
"weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 27, "w": 24, "h": 9, "i": 8 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5936010", "type": "metric", "title": "Search Private Keys or Passwords", "description": "Detect attempts to search for private keys or passwords using the grep or find command. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Grep private keys or passwords activities found%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", 
"logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Grep private keys or passwords activities found", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 36, "w": 24, "h": 9, "i": 9 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6912310", "type": "metric", "title": "Clear Log Activities", "description": "Detect clearing of critical access log files, typically done to erase evidence that could be attributed to an adversary's actions. To effectively customize and operationalize this detection, check for potentially missing log file destinations relevant to your environment, and adjust the profiled containers you wish not to be alerted on.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE 
body_output LIKE '%Log files were tampered%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Log files were tampered", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 36, "w": 24, "h": 9, "i": 10 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID7339310", "type": "metric", "title": "Remove Bulk Data from Disk", "description": "Detect a process running to clear bulk data from disk with the intention to destroy data, possibly interrupting availability to systems. 
Profile your environment and use user_known_remove_data_activities to tune this rule.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Bulk data has been removed from disk%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Bulk data has been removed from disk", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 45, "w": 24, "h": 
9, "i": 11 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID9455810", "type": "metric", "title": "Create Symlink Over Sensitive Files", "description": "Detect symlinks created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to further and equivalent guidance within the rule \"Read sensitive file untrusted\".", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Symlinks created over sensitive files%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Symlinks created over sensitive files", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": 
[ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 45, "w": 24, "h": 9, "i": 12 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5477010", "type": "metric", "title": "Create Hardlink Over Sensitive Files", "description": "Detect hardlinks created over a curated list of sensitive files or subdirectories under /etc/ or root directories. Can be customized as needed. Refer to further and equivalent guidance within the rule \"Read sensitive file untrusted\".", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Hardlinks created over sensitive files%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], 
"z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Hardlinks created over sensitive files", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 54, "w": 24, "h": 9, "i": 13 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID9234210", "type": "metric", "title": "Packet socket created in container", "description": "Detect new packet socket at the device driver (OSI Layer 2) level in a container. Packet socket could be used for ARP Spoofing and privilege escalation (CVE-2020-14386) by an attacker. Noise can be reduced by using the user_known_packet_socket_binaries template list.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE 
body_output LIKE '%Packet socket was created in a container%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Packet socket was created in a container", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 54, "w": 24, "h": 9, "i": 14 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID3373010", "type": "metric", "title": "Redirect STDOUT/STDIN to Network Connection in Container", "description": "Detect redirection of stdout/stdin to a network connection within a container, achieved by utilizing a variant of the dup syscall (potential reverse shell or remote code execution \nhttps://github.com/swisskyrepo/PayloadsAllTheThings/). This detection is behavior-based and may generate noise in the system, and can be adjusted using the user_known_stand_streams_redirect_activities template macro. 
Tuning can be performed similarly to existing detections based on process lineage or container images, and/or it can be limited to interactive tty (tty != 0).", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Redirect stdout/stdin to network connection%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Redirect stdout/stdin to network connection", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, 
"min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 63, "w": 24, "h": 9, "i": 15 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6590910", "type": "metric", "title": "Linux Kernel Module Injection Detected", "description": "Inject Linux Kernel Modules from containers using insmod or modprobe with init_module and finit_module syscalls, given the precondition of sys_module effective capabilities. Profile the environment and consider\nallowed_container_images_loading_kernel_module to reduce noise and account for legitimate cases.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Linux Kernel Module injection from container%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], 
"column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Linux Kernel Module injection from container", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 63, "w": 24, "h": 9, "i": 16 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6195710", "type": "metric", "title": "Debugfs Launched in Privileged Container", "description": "Detect file system debugger debugfs launched inside a privileged container which might lead to container escape. This rule has a more narrow scope.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Debugfs launched started in a privileged container%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": 
"y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Debugfs launched started in a privileged container", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 72, "w": 24, "h": 9, "i": 17 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID354010", "type": "metric", "title": "Detect release_agent File Container Escapes", "description": "Detect an attempt to exploit a container escape using release_agent file. 
By running a container with certain capabilities, a privileged user can modify the release_agent file and escape from the container.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%Detect an attempt to exploit a container escape using release_agent file%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Detect an attempt to exploit a container escape using release_agent file", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", 
"weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 72, "w": 24, "h": 9, "i": 18 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5472710", "type": "metric", "title": "PTRACE attached to process", "description": "Detect an attempt to inject potentially malicious code into a process using PTRACE in order to evade process-based defenses or elevate privileges. Common anti-patterns are debuggers. Additionally, profiling your environment via the known_ptrace_procs template macro can reduce noise. A successful ptrace syscall generates multiple logs at once.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Detected ptrace PTRACE_ATTACH attempt%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": 
[ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Detected ptrace PTRACE_ATTACH attempt", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 81, "w": 24, "h": 9, "i": 19 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID7359510", "type": "metric", "title": "PTRACE anti-debug attempt", "description": "Detect usage of the PTRACE system call with the PTRACE_TRACEME argument, indicating a program actively attempting to avoid debuggers attaching to the process. This behavior is typically indicative of malware activity. Read more about PTRACE in the \"PTRACE attached to process\" rule.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Detected potential PTRACE_TRACEME anti-debug attempt%' AND k8s_namespace_name IN 
('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Detected potential PTRACE_TRACEME anti-debug attempt", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 81, "w": 24, "h": 9, "i": 20 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID3740310", "type": "metric", "title": "Find AWS Credentials", "description": "Detect attempts to search for private keys or passwords using the grep or find command, particularly targeting standard AWS credential locations. This is often seen with unsophisticated attackers, as there are many ways to access files using bash built-ins that could go unnoticed. Regardless, this serves as a solid baseline detection that can be tailored to cover these gaps while maintaining an acceptable noise level. 
This rule complements the rule \"Search Private Keys or Passwords\".", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body LIKE '%Detected AWS credentials search activity%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body", "operator": "Contains", "value": "Detected AWS credentials search activity", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 90, "w": 24, "h": 9, "i": 21 }, 
"htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5861110", "type": "metric", "title": "Execution from /dev/shm", "description": "This rule detects file execution in the /dev/shm directory, a tactic often used by threat actors to store their readable, writable, and occasionally executable files. /dev/shm acts as a link to the host or other containers, creating vulnerabilities for their compromise as well. Notably, /dev/shm remains unchanged even after a container restart. Consider this rule alongside the newer \"Drop and execute new binary in container\" rule.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') AND body_output LIKE '%File execution detected from /dev/shm%'", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], 
"column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" }, { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "File execution detected from /dev/shm", "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 90, "w": 24, "h": 9, "i": 22 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID2422510", "type": "metric", "title": "Drop and execute new binary in container", "description": "Detect if an executable not belonging to the base image of a container is being executed. The drop and execute pattern can be observed very often after an attacker gained an initial foothold. is_exe_upper_layer filter field only applies for container runtimes that use overlayfs as union mount filesystem. Adopters can utilize the provided template list known_drop_and_execute_containers containing allowed container images known to execute binaries not included in their base image. Alternatively, you could exclude non-production namespaces in Kubernetes settings by adjusting the rule further. This helps reduce noise by applying application \nand environment-specific knowledge to this rule. 
Common anti-patterns include administrators or SREs performing \nad-hoc debugging.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Executing binary not part of base image%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Executing binary not part of base image", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 99, "w": 24, 
"h": 9, "i": 23 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID478910", "type": "metric", "title": "Disallowed SSH Connection Non Standard Port", "description": "Detect any new outbound SSH connection from the host or container using a non-standard port. This rule holds the potential to detect a family of reverse shells that cause the victim machine to connect back out over SSH, with STDIN piped from the SSH connection to a shell's STDIN, and STDOUT of the shell piped back over SSH. Such an attack can be launched against any app that is vulnerable to command injection. The upstream rule only covers a limited selection of non-standard ports. We suggest adding more ports, potentially incorporating ranges based on your environment's knowledge and custom SSH port configurations. This rule can complement the \"Redirect STDOUT/STDIN to Network Connection in Container\" or \"Disallowed SSH Connection\" rule.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Disallowed SSH Connection Non Standard Port%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { 
"stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Disallowed SSH Connection Non Standard Port", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 99, "w": 24, "h": 9, "i": 24 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID2329410", "type": "metric", "title": "Fileless execution via memfd_create", "description": "Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes by adding items to the list known_memfd_execution_processes.", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(_timestamp) as \"y_axis_1\" FROM \"default\" WHERE body_output LIKE '%Fileless execution via memfd_create%' AND k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Timestamp", "alias": "y_axis_1", "column": "_timestamp", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "condition", "values": [], "column": "body_output", "operator": "Contains", "value": "Fileless execution via memfd_create", "logicalOperator": "AND", "filterType": "condition" }, { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, 
"time_shift": [] } } ], "layout": { "x": 0, "y": 108, "w": 24, "h": 9, "i": 25 }, "htmlContent": "", "markdownContent": "" } ] }, { "tabId": "73490", "name": "Statistics", "panels": [ { "id": "Panel_ID2391410", "type": "table", "title": "Swept Containers", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_container_name as \"x_axis_1\", count(body_output_fields_container_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY y_axis_1 DESC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Container Name", "alias": "x_axis_1", "column": "body_output_fields_container_name", "color": null, "isDerived": false } ], "y": [ { "label": "count", "alias": "y_axis_1", "column": "body_output_fields_container_name", "color": "#5960b2", "aggregationFunction": "count", "sortBy": "DESC", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, 
"logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 0, "w": 12, "h": 8, "i": 1 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID1206010", "type": "table", "title": "Event Types", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_evt_type as \"x_axis_1\", count(body_output_fields_evt_type) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY y_axis_1 DESC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Evt Type", "alias": "x_axis_1", "column": "body_output_fields_evt_type", "color": null, "isDerived": false } ], "y": [ { "label": "Count of Evt Type", "alias": "y_axis_1", "column": "body_output_fields_evt_type", "color": "#5960b2", "aggregationFunction": "count", "sortBy": "DESC", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", 
"values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 12, "y": 0, "w": 12, "h": 8, "i": 2 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID987310", "type": "table", "title": "Protocol", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_fd_l4proto as \"x_axis_1\", count(body_output_fields_fd_l4proto) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY y_axis_1 DESC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Fd L4proto", "alias": "x_axis_1", "column": "body_output_fields_fd_l4proto", "color": null, "isDerived": false } ], "y": [ { "label": "Count of Fd L4proto", "alias": "y_axis_1", "column": "body_output_fields_fd_l4proto", "color": "#5960b2", "aggregationFunction": "count", "sortBy": "DESC", "isDerived": false } ], "z": [], "breakdown": [], 
"filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 0, "w": 12, "h": 8, "i": 3 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID1707210", "type": "table", "title": "FD", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_fd_name as \"x_axis_1\", body_output_fields_fd_l4proto as \"x_axis_2\", body_output_fields_fd_rport as \"x_axis_3\", body_output_fields_fd_type as \"x_axis_4\", count(body_output_fields_fd_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1, x_axis_2, x_axis_3, x_axis_4", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Body Output Fields Fd Name", "alias": "x_axis_1", "column": "body_output_fields_fd_name", "color": null, 
"isDerived": false }, { "label": "Body Output Fields Fd L4proto", "alias": "x_axis_2", "column": "body_output_fields_fd_l4proto", "color": null, "isDerived": false }, { "label": "Body Output Fields Fd Rport", "alias": "x_axis_3", "column": "body_output_fields_fd_rport", "color": null, "isDerived": false }, { "label": "Body Output Fields Fd Type", "alias": "x_axis_4", "column": "body_output_fields_fd_type", "color": null, "isDerived": false } ], "y": [ { "label": "count", "alias": "y_axis_1", "column": "body_output_fields_fd_name", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 36, "y": 0, "w": 12, "h": 8, "i": 4 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID1232810", "type": "table", "title": "Namespaces Swept", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ 
"#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_k8s_ns_name as \"x_axis_1\", count(body_output_fields_k8s_ns_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Body Output Fields K8s Ns Name", "alias": "x_axis_1", "column": "body_output_fields_k8s_ns_name", "color": null, "isDerived": false } ], "y": [ { "label": "Body Output Fields K8s Ns Name", "alias": "y_axis_1", "column": "body_output_fields_k8s_ns_name", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 8, "w": 12, "h": 8, "i": 5 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID9907910", "type": "table", "title": "Pods Swept", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, 
"table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_k8s_pod_name as \"x_axis_1\", count(body_output_fields_k8s_pod_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Body Output Fields K8s Pod Name", "alias": "x_axis_1", "column": "body_output_fields_k8s_pod_name", "color": null, "isDerived": false } ], "y": [ { "label": "Body Output Fields K8s Pod Name", "alias": "y_axis_1", "column": "body_output_fields_k8s_pod_name", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 12, "y": 8, "w": 12, "h": 8, "i": 6 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID8633210", "type": "table", "title": "Commands Monitored", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], 
"connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_proc_cmdline as \"x_axis_1\", count(body_output_fields_proc_cmdline) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Body Output Fields Proc Cmdline", "alias": "x_axis_1", "column": "body_output_fields_proc_cmdline", "color": null, "isDerived": false } ], "y": [ { "label": "Body Output Fields Proc Cmdline", "alias": "y_axis_1", "column": "body_output_fields_proc_cmdline", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 8, "w": 12, "h": 8, "i": 7 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5379110", "type": "table", "title": "Process Monitored", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", 
"size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_proc_name as \"x_axis_1\", body_output_fields_proc_pname as \"x_axis_2\", body_output_fields_proc_tty as \"x_axis_3\", count(body_output_fields_proc_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1, x_axis_2, x_axis_3", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Body Output Fields Proc Name", "alias": "x_axis_1", "column": "body_output_fields_proc_name", "color": null, "isDerived": false }, { "label": "Body Output Fields Proc Pname", "alias": "x_axis_2", "column": "body_output_fields_proc_pname", "color": null, "isDerived": false }, { "label": "Body Output Fields Proc Tty", "alias": "x_axis_3", "column": "body_output_fields_proc_tty", "color": null, "isDerived": false } ], "y": [ { "label": "Body Output Fields Proc Name", "alias": "y_axis_1", "column": "body_output_fields_proc_name", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 36, "y": 8, "w": 12, "h": 8, "i": 8 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5466810", "type": "table", "title": 
"Events by User", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_user_loginuid as \"x_axis_1\", body_output_fields_user_name as \"x_axis_2\", count(body_output_fields_proc_name) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1, x_axis_2", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "User Loginuid", "alias": "x_axis_1", "column": "body_output_fields_user_loginuid", "color": null, "isDerived": false }, { "label": "User Name", "alias": "x_axis_2", "column": "body_output_fields_user_name", "color": null, "isDerived": false } ], "y": [ { "label": "Events by Users", "alias": "y_axis_1", "column": "body_output_fields_proc_name", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", 
"layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 16, "w": 12, "h": 8, "i": 9 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID1382010", "type": "table", "title": "Host-level Events", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_evt_hostname as \"x_axis_1\", body_output_fields_evt_source as \"x_axis_2\", count(body_output_fields_evt_hostname) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1, x_axis_2", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Evt Hostname", "alias": "x_axis_1", "column": "body_output_fields_evt_hostname", "color": null, "isDerived": false }, { "label": "Evt Source", "alias": "x_axis_2", "column": "body_output_fields_evt_source", "color": null, "isDerived": false } ], "y": [ { "label": "Count by Evt Hostname", "alias": "y_axis_1", "column": "body_output_fields_evt_hostname", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { 
"filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 12, "y": 16, "w": 12, "h": 8, "i": 10 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5021610", "type": "table", "title": "SCAP over Hosts", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "mappings": [], "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT body_output_fields_evt_hostname as \"x_axis_1\", body_output_fields_scap_engine_name as \"x_axis_2\", count(body_output_fields_evt_hostname) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1, x_axis_2 ORDER BY y_axis_1 DESC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Evt Hostname", "alias": "x_axis_1", "column": "body_output_fields_evt_hostname", "color": null, "isDerived": false }, { "label": "Scap Engine Name", "alias": "x_axis_2", "column": 
"body_output_fields_scap_engine_name", "color": null, "isDerived": false } ], "y": [ { "label": "Count by Evt Hostname", "alias": "y_axis_1", "column": "body_output_fields_evt_hostname", "color": "#5960b2", "aggregationFunction": "count", "sortBy": "DESC", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 16, "w": 12, "h": 8, "i": 11 }, "htmlContent": "", "markdownContent": "" } ] }, { "tabId": "61176", "name": "Analysis", "panels": [ { "id": "Panel_ID8623810", "type": "area", "title": "Retrieved Events", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_n_retrieved_evts) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", 
"vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Retrieved Evts", "alias": "y_axis_2", "column": "body_output_fields_falco_n_retrieved_evts", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 0, "w": 24, "h": 9, "i": 3 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID7023210", "type": "area", "title": "Retrieved Events Drops", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", 
count(body_output_fields_falco_n_retrieve_evts_drops) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Retrieve Evts Drops", "alias": "y_axis_1", "column": "body_output_fields_falco_n_retrieve_evts_drops", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 0, "w": 24, "h": 9, "i": 4 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID9682610", "type": "area", "title": "Stored Events", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ 
"#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_n_stored_evts) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Body Output Fields Falco N Stored Evts", "alias": "y_axis_2", "column": "body_output_fields_falco_n_stored_evts", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 9, "w": 24, "h": 9, "i": 5 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID8760310", "type": "gauge", "title": "Number of Events", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", 
"wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT count(body_output_fields_falco_num_evts) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco')", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [], "y": [ { "label": "Body Output Fields Falco Num Evts", "alias": "y_axis_2", "column": "body_output_fields_falco_num_evts", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 9, "w": 24, "h": 9, "i": 6 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID1354110", "type": "area", "title": "Falco Rules Contact K8s Api Server From Container", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, 
"color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_contact_k8s_api_server_from_container) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Contact K8s Api Server From Container", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_contact_k8s_api_server_from_container", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 18, "w": 24, "h": 9, "i": 7 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID3570510", "type": "area", "title": "Falco Rules Matches Total", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, 
"size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_matches_total) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Matches Total", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_matches_total", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 18, "w": 24, "h": 9, "i": 8 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID2327610", "type": "area", "title": "Falco Sha256 Rules File Falco Rules Yaml", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": 
{ "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_sha256_rules_file_falco_rules_yaml) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Sha256 Rules File Falco Rules Yaml", "alias": "y_axis_2", "column": "body_output_fields_falco_sha256_rules_file_falco_rules_yaml", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 28, "w": 24, "h": 9, "i": 9 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID2329510", "type": "area", "title": "Falco Rules Create Hardlink Over Sensitive Files", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, 
"top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_create_hardlink_over_sensitive_files) as \"y_axis_1\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Create Hardlink Over Sensitive Files", "alias": "y_axis_1", "column": "body_output_fields_falco_rules_create_hardlink_over_sensitive_files", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 28, "w": 24, "h": 9, "i": 10 }, "htmlContent": "", "markdownContent": "" }, { "id": 
"Panel_ID6200210", "type": "area", "title": "Falco Rules Read Sensitive File Untrusted", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_read_sensitive_file_untrusted) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Read Sensitive File Untrusted", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_read_sensitive_file_untrusted", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", 
"layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 38, "w": 24, "h": 9, "i": 11 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID9859110", "type": "area", "title": "Falco Rules Search Private Keys Or Passwords", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_search_private_keys_or_passwords) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Search Private Keys Or Passwords", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_search_private_keys_or_passwords", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", 
"conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 38, "w": 24, "h": 9, "i": 12 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID4651510", "type": "area", "title": "Falco Rules Create Symlink Over Sensitive Files", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_create_symlink_over_sensitive_files) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Create Symlink Over Sensitive Files", "alias": "y_axis_2", "column": 
"body_output_fields_falco_rules_create_symlink_over_sensitive_files", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 48, "w": 24, "h": 9, "i": 13 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6754910", "type": "area", "title": "Falco Rules Find Aws Credentials", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_find_aws_credentials) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": 
"_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Find Aws Credentials", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_find_aws_credentials", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 48, "w": 24, "h": 9, "i": 14 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID6358810", "type": "area", "title": "Falco Rules Remove Bulk Data From Disk", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_remove_bulk_data_from_disk) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY 
x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Remove Bulk Data From Disk", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_remove_bulk_data_from_disk", "color": "#c23531", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 0, "y": 58, "w": 24, "h": 9, "i": 15 }, "htmlContent": "", "markdownContent": "" }, { "id": "Panel_ID5383710", "type": "area", "title": "Falco Rules Terminal Shell In Container", "description": "", "config": { "show_legends": true, "legends_position": null, "unit": "numbers", "decimals": 0, "line_thickness": 1.5, "top_results_others": false, "axis_border_show": false, "label_option": { "rotate": 0 }, "show_symbol": false, "line_interpolation": "smooth", "legend_width": { "unit": "px" }, "base_map": { "type": "osm" }, "map_type": { "type": "world" }, "map_view": { "zoom": 1, "lat": 0, "lng": 0 }, "map_symbol_style": { "size": "by Value", "size_by_value": { "min": 1, "max": 100 }, "size_fixed": 2 }, "drilldown": [], "mark_line": [], "override_config": [], "connect_nulls": false, "no_value_replacement": "", "wrap_table_cells": false, "table_transpose": false, "table_dynamic_columns": false, "color": { "mode": "palette-classic-by-series", "fixedColor": [ "#53ca53" ], "seriesBy": "last" } }, "queryType": "sql", "queries": [ { "query": "SELECT 
histogram(_timestamp) as \"x_axis_1\", count(body_output_fields_falco_rules_terminal_shell_in_container) as \"y_axis_2\" FROM \"default\" WHERE k8s_namespace_name IN ('falco') GROUP BY x_axis_1 ORDER BY x_axis_1 ASC", "vrlFunctionQuery": "", "customQuery": false, "fields": { "stream": "default", "stream_type": "logs", "x": [ { "label": "Timestamp", "alias": "x_axis_1", "column": "_timestamp", "color": null, "aggregationFunction": "histogram", "sortBy": "ASC", "isDerived": false } ], "y": [ { "label": "Falco Rules Terminal Shell In Container", "alias": "y_axis_2", "column": "body_output_fields_falco_rules_terminal_shell_in_container", "color": "#5960b2", "aggregationFunction": "count", "isDerived": false } ], "z": [], "breakdown": [], "filter": { "filterType": "group", "logicalOperator": "AND", "conditions": [ { "type": "list", "values": [ "falco" ], "column": "k8s_namespace_name", "operator": null, "value": null, "logicalOperator": "AND", "filterType": "condition" } ] } }, "config": { "promql_legend": "", "layer_type": "scatter", "weight_fixed": 1, "limit": 0, "min": 0, "max": 100, "time_shift": [] } } ], "layout": { "x": 24, "y": 58, "w": 24, "h": 9, "i": 16 }, "htmlContent": "", "markdownContent": "" } ] } ], "variables": { "list": [], "showDynamicFilters": true }, "defaultDatetimeDuration": { "type": "relative", "relativeTimePeriod": "15m" } }