From 713e6f8427bd5ea28842813a9ed0f09fbb15b273 Mon Sep 17 00:00:00 2001
From: surabhipatel_crest
Date: Tue, 10 Dec 2024 16:08:03 +0530
Subject: [PATCH] Updated dashboard

---
 falco/assets/dashboards/falco_alerts.json | 17 ++++++++++-------
 falco/assets/logs/falco.yaml | 9 +++++++--
 falco/assets/logs/falco_tests.yaml | 3 ++-
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/falco/assets/dashboards/falco_alerts.json b/falco/assets/dashboards/falco_alerts.json
index 4b797799217b8..00a5c6ea9ef3d 100644
--- a/falco/assets/dashboards/falco_alerts.json
+++ b/falco/assets/dashboards/falco_alerts.json
@@ -2391,9 +2391,10 @@
 {
 "id": 4652245226647702,
 "definition": {
- "title": "Top Event Types",
+ "title": "Top Event Names",
 "title_size": "16",
 "title_align": "left",
+ "time": {},
 "type": "toplist",
 "requests": [
 {
@@ -2409,18 +2410,18 @@
 ],
 "group_by": [
 {
- "facet": "@output_fields.evt.type",
+ "facet": "@evt.name",
 "limit": 10,
 "sort": {
 "aggregation": "count",
 "order": "desc",
 "metric": "count"
- }
+ },
+ "should_exclude_missing": true
 }
 ],
 "compute": {
- "aggregation": "count",
- "metric": "count"
+ "aggregation": "count"
 },
 "storage": "hot"
 }
@@ -2671,6 +2672,7 @@
 "title": "Event System Call Details",
 "title_size": "16",
 "title_align": "left",
+ "time": {},
 "requests": [
 {
 "response_format": "event_list",
@@ -2694,7 +2696,7 @@
 "width": "auto"
 },
 {
- "field": "output_fields.evt.type",
+ "field": "evt.name",
 "width": "auto"
 },
 {
@@ -2883,6 +2885,7 @@
 "title": "Alert Log Details",
 "title_size": "16",
 "title_align": "left",
+ "time": {},
 "requests": [
 {
 "response_format": "event_list",
@@ -2958,7 +2961,7 @@
 "width": "auto"
 },
 {
- "field": "output_fields.evt.type",
+ "field": "evt.name",
 "width": "auto"
 },
 {
diff --git a/falco/assets/logs/falco.yaml b/falco/assets/logs/falco.yaml
index 6e4959059bb56..9488d4ac17d48 100644
--- a/falco/assets/logs/falco.yaml
+++ b/falco/assets/logs/falco.yaml
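Review bot: `"should_exclude_missing": true` on the new `@evt.name` group-by in the Top Event Names toplist (hunk `@@ -2409,18 +2410,18 @@`) silently drops every log that has no `evt.name`, and the two event-list columns switched to `evt.name` at `@@ -2694` and `@@ -2958` have the same blind spot. Because the remapper in falco.yaml writes `evt.name` with `preserveSource: false`, and the pipeline presumably applies only at ingestion, events indexed before this change still carry only `output_fields.evt.type` and will vanish from these widgets rather than show up as a missing bucket. For a detection dashboard a silent gap is worse than an "N/A" row, so I would keep the previous behaviour (`"should_exclude_missing": false`, or omit the key) until the retention window has rolled over, or at least state the transition caveat in the PR description. The widget definitions these hunks belong to begin and end outside the hunks.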
@@ -7,6 +7,11 @@ facets:
 name: User Name
 path: usr.name
 source: log
+ - groups:
+ - Event
+ name: Event Name
+ path: evt.name
+ source: log
 pipeline:
 type: pipeline
 name: Falco
@@ -45,12 +50,12 @@ pipeline:
 preserveSource: false
 overrideOnConflict: false
 - type: attribute-remapper
- name: Map `output_fields.evt.type` to `output_fields.evt.name`
+ name: Map `output_fields.evt.type` to `evt.name`
 enabled: true
 sources:
 - output_fields.evt.type
 sourceType: attribute
- target: output_fields.evt.name
+ target: evt.name
 targetType: attribute
 preserveSource: false
 overrideOnConflict: false
diff --git a/falco/assets/logs/falco_tests.yaml b/falco/assets/logs/falco_tests.yaml
index 3a7d38054439f..c425506ae75f4 100644
--- a/falco/assets/logs/falco_tests.yaml
+++ b/falco/assets/logs/falco_tests.yaml
@@ -52,6 +52,8 @@ tests:
 }
 result:
 custom:
+ evt:
+ name: "openat"
 hostname: "k8s-node1"
 output: "09:48:02.285310579: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=containerd-shim ggparent=systemd gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=cat proc_exepath=/usr/bin/cat parent=runc command=cat /etc/shadow terminal=0 container_id=c1f3a8646e7f container_image=docker.io/library/nginx container_image_tag=latest container_name=nginx k8s_ns=default k8s_pod_name=nginx-7854ff8877-vrlrs)"
 output_fields:
@@ -63,7 +65,6 @@ tests:
 name: "nginx"
 evt:
 time: 1730281682285310500
- name: "openat"
 fd:
 name: "/etc/shadow"
 k8s:
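Review bot: The new `target: evt.name` in the attribute-remapper hunk (`@@ -45,12 +50,12 @@`) is a cross-file contract — the `Event Name` facet added at `@@ -7,6 +7,11 @@`, the `@evt.name` group-by and `evt.name` columns in falco_alerts.json, and the `custom.evt.name` expectation in falco_tests.yaml all key on it — but nothing in the YAML says so. I would put a comment above the remapper, e.g. `# Falco's syscall event type (output_fields.evt.type) is surfaced as evt.name; the Event Name facet, the falco_alerts dashboard and falco_tests.yaml depend on this target — change them together`. Separately, with `overrideOnConflict: false` an incoming log that already carries a top-level `evt.name` keeps that value and the Falco syscall type is discarded; I cannot tell from here whether Falco's JSON output can contain that key, so it is worth confirming before relying on the facet for detection triage. The processors list the remapper item belongs to starts outside the hunk.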