Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Standardisation capability of Falco rule output #3157

Open
samsson opened this issue Apr 8, 2024 · 5 comments
Open

Standardisation capability of Falco rule output #3157

samsson opened this issue Apr 8, 2024 · 5 comments
Labels
kind/feature lifecycle/stale
Milestone
TBD

Comments

@samsson
Copy link

samsson commented Apr 8, 2024

Motivation

When writing Falco rules, the output needs to be formatted separately for each rule. This must be copied from other rules of written from scratch that can easily introduce inconsistencies and overhead.
A way to create template(s) for output format would streamline work and ensure consistency.

Feature

A macro based or other template facilitates creating a Falco rule output format that can be used in one or more Falco rules.
The macro would contain the same information as the output contains today while the rule output could contain the macro.
Example:

macro: user_info_format
(username=%user.name loginuid=%user.loginuid)

- rule:....
  output: >
    detection rule triggered: user_info_format

Alternatives
Something else than macro

Additional context

The thought was briefly mentioned here: #577 (comment)
by: @mfdii
@Andreagit97 Andreagit97 added this to the TBD milestone Apr 9, 2024
@Andreagit97
Copy link
Member

Thank you for reporting this! This seems a useful feature, we will consider it!

@WoutResseler
Copy link

Plus one, would be very nice!

@poiana
Copy link
Contributor

poiana commented Jul 22, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@nicolasbrieussel
Copy link

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Oct 24, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature lifecycle/stale
Projects
None yet
Milestone
TBD
Development

No branches or pull requests
5 participants
@samsson @WoutResseler @poiana @Andreagit97 @nicolasbrieussel