
Updated dashboard
surabhipatel-crest committed Dec 10, 2024
1 parent f0b3a1d commit 713e6f8
Showing 3 changed files with 19 additions and 10 deletions.
17 changes: 10 additions & 7 deletions falco/assets/dashboards/falco_alerts.json
Expand Up @@ -2391,9 +2391,10 @@
{
"id": 4652245226647702,
"definition": {
"title": "Top Event Types",
"title": "Top Event Names",
"title_size": "16",
"title_align": "left",
"time": {},
"type": "toplist",
"requests": [
{
Expand All @@ -2409,18 +2410,18 @@
],
"group_by": [
{
"facet": "@output_fields.evt.type",
"facet": "@evt.name",
"limit": 10,
"sort": {
"aggregation": "count",
"order": "desc",
"metric": "count"
}
},
"should_exclude_missing": true
}
],
"compute": {
"aggregation": "count",
"metric": "count"
"aggregation": "count"
},
"storage": "hot"
}
Expand Down Expand Up @@ -2671,6 +2672,7 @@
"title": "Event System Call Details",
"title_size": "16",
"title_align": "left",
"time": {},
"requests": [
{
"response_format": "event_list",
Expand All @@ -2694,7 +2696,7 @@
"width": "auto"
},
{
"field": "output_fields.evt.type",
"field": "evt.name",
"width": "auto"
},
{
Expand Down Expand Up @@ -2883,6 +2885,7 @@
"title": "Alert Log Details",
"title_size": "16",
"title_align": "left",
"time": {},
"requests": [
{
"response_format": "event_list",
Expand Down Expand Up @@ -2958,7 +2961,7 @@
"width": "auto"
},
{
"field": "output_fields.evt.type",
"field": "evt.name",
"width": "auto"
},
{
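Review bot: The "Top Event Names" toplist now groups on `@evt.name` with `"should_exclude_missing": true`, so any Falco log without a top-level `evt.name` is hidden from the widget instead of surfacing as a missing bucket; logs indexed before the pipeline remapper was repointed (which carry `output_fields.evt.type`, or `output_fields.evt.name` from the earlier target) will also drop out of the `evt.name` column in the two event-list widgets until they age out. If that is the intended cut-over, a short changelog or README line stating that existing data is not backfilled would save users a confusing empty widget; otherwise the event lists could keep a fallback column on `output_fields.evt.type`. The `compute` block also loses `"metric": "count"` next to `"aggregation": "count"`; presumably fine for a count aggregation, but worth confirming against the dashboard schema before importing. Each widget definition starts and ends outside the shown hunks.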
9 changes: 7 additions & 2 deletions falco/assets/logs/falco.yaml
Expand Up @@ -7,6 +7,11 @@ facets:
name: User Name
path: usr.name
source: log
- groups:
- Event
name: Event Name
path: evt.name
source: log
pipeline:
type: pipeline
name: Falco
Expand Down Expand Up @@ -45,12 +50,12 @@ pipeline:
preserveSource: false
overrideOnConflict: false
- type: attribute-remapper
name: Map `output_fields.evt.type` to `output_fields.evt.name`
name: Map `output_fields.evt.type` to `evt.name`
enabled: true
sources:
- output_fields.evt.type
sourceType: attribute
target: output_fields.evt.name
target: evt.name
targetType: attribute
preserveSource: false
overrideOnConflict: false
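Review bot: The repointed remapper keeps `preserveSource: false`, so `output_fields.evt.type` — the Falco syscall name, which existing monitors and saved searches on this integration are likely keyed on — is removed from every processed log, and any query on `@output_fields.evt.type` or on the previous target `@output_fields.evt.name` silently returns nothing after upgrade. Consider `preserveSource: true` for a transition period, or document the rename in the changelog and audit the integration's monitors and saved views for the old paths. With `overrideOnConflict: false` a log that already carries a top-level `evt.name` keeps its own value over the remapped one; that is probably desired for a Datadog standard attribute but should be stated in the processor name or a comment, e.g. `# existing evt.name wins; output_fields.evt.type is dropped`. The new facet is placed under group `Event`; the other facets' `groups` entries are outside this hunk, so confirm the group name matches them.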
3 changes: 2 additions & 1 deletion falco/assets/logs/falco_tests.yaml
Expand Up @@ -52,6 +52,8 @@ tests:
}
result:
custom:
evt:
name: "openat"
hostname: "k8s-node1"
output: "09:48:02.285310579: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=systemd gggparent=<NA> evt_type=openat user=root user_uid=0 user_loginuid=-1 process=cat proc_exepath=/usr/bin/cat parent=runc command=cat /etc/shadow terminal=0 container_id=c1f3a8646e7f container_image=docker.io/library/nginx container_image_tag=latest container_name=nginx k8s_ns=default k8s_pod_name=nginx-7854ff8877-vrlrs)"
output_fields:
Expand All @@ -63,7 +65,6 @@ tests:
name: "nginx"
evt:
time: 1730281682285310500
name: "openat"
fd:
name: "/etc/shadow"
k8s:
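Review bot: The updated fixture only pins the happy path of the repointed remapper: assuming the input log above this hunk carries `output_fields.evt.type` and no top-level `evt.name`, the expected `custom.evt.name: "openat"` follows directly, and the old `output_fields.evt.name` is correctly gone from the result. Since the remapper in falco.yaml is declared with `overrideOnConflict: false`, a second test entry whose input already has an `evt.name` would pin which value wins, which is the case most likely to surprise a user whose logs are enriched upstream. The enclosing test entry starts before this hunk.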
