Hi Guys!
I am trying to build this gadget to review Falco's alerts in Grafana.
I'm going to show you my log, so you have an idea, and then the query I'm using to try to achieve that Top 5.
Log row
{
  "hostname": "falco-jxzcl",
  "output": "13:56:06.134216517: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=runc command=sh -c clear; (bash || ash || sh) terminal=34818 exe_flags=EXE_WRITABLE container_id=0cea27665719 container_image=<NA> container_image_tag=<NA> container_name=<NA> k8s_ns=app-dominio k8s_pod_name=app-dominio-66d845bf8f-xkvjz)",
  "priority": "Notice",
  "rule": "Terminal shell in container",
  "source": "syscall",
  "tags": [
    "T1059",
    "container",
    "maturity_stable",
    "mitre_execution",
    "shell"
  ],
  "time": "2023-10-19T13:56:06.134216517Z",
  "output_fields": {
    "container.id": "0cea27665719",
    "container.image.repository": null,
    "container.image.tag": null,
    "container.name": null,
    "evt.arg.flags": "EXE_WRITABLE",
    "evt.time": 1697723766134216400,
    "evt.type": "execve",
    "k8s.ns.name": "app-dominio",
    "k8s.pod.name": "app-dominio-66d845bf8f-xkvjz",
    "proc.cmdline": "sh -c clear; (bash || ash || sh)",
    "proc.exepath": "/bin/busybox",
    "proc.name": "sh",
    "proc.pname": "runc",
    "proc.tty": 34818,
    "user.loginuid": -1,
    "user.name": "root",
    "user.uid": 0
  }
}
Query
topk(5, sum by (output_fields_k8s_pod_name) (count_over_time({namespace="falco"} | json | priority="$priority", output_fields_k8s_pod_name!="", output_fields_k8s_ns_name!="" [$__range])))
Any opinions? The idea is to draw, as I show in the image, a Top 5 of the pods with the most rule violations.
Variables
Like always, thanks!
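As an added example (not part of the original post, and not Falco's or Grafana's own code), here is an offline emulation of what the query above computes: the `| json` step flattening `output_fields.k8s.pod.name` into the label `output_fields_k8s_pod_name`, the `priority` / non-empty pod and namespace filters, the per-pod count, and the `topk(5)` cut. It runs over a few constructed Falco-style JSON lines (one pod name is taken from the post; the other pod and namespace names, the event counts and the malformed line are made up for the test). The flattening follows Loki's documented convention of joining nested keys with `_` and replacing invalid label characters such as `.` with `_`; treating `null` values as absent labels is an assumption made here so that such lines fail the `!=""` filter, which is the behaviour this query relies on.

```python
import json
from collections import Counter


def flatten_json_labels(obj, prefix=""):
    """Approximate Loki's `| json` parser: nested keys are joined with '_' and
    '.' in key names becomes '_', so output_fields.k8s.pod.name turns into the
    label output_fields_k8s_pod_name. Arrays are skipped and null values are
    dropped (assumption: a dropped label reads as "" in later filters)."""
    labels = {}
    for key, value in obj.items():
        name = (prefix + "_" if prefix else "") + key.replace(".", "_")
        if isinstance(value, dict):
            labels.update(flatten_json_labels(value, name))
        elif isinstance(value, list) or value is None:
            continue
        else:
            labels[name] = str(value)
    return labels


def top_pods_by_alerts(lines, priority, k=5):
    """Emulate, over an already range-selected set of log lines:
    topk(k, sum by (output_fields_k8s_pod_name) (count_over_time(
        {namespace="falco"} | json | priority="<priority>",
        output_fields_k8s_pod_name!="", output_fields_k8s_ns_name!="" [$__range])))
    Returns a list of (pod_name, count) tuples, highest count first."""
    counts = Counter()
    for line in lines:
        try:
            labels = flatten_json_labels(json.loads(line))
        except json.JSONDecodeError:
            continue  # Loki would attach a __error__ label; the line is not counted
        if labels.get("priority") != priority:
            continue
        pod = labels.get("output_fields_k8s_pod_name", "")
        ns = labels.get("output_fields_k8s_ns_name", "")
        if pod == "" or ns == "":
            continue  # host-level events without k8s metadata are excluded
        counts[pod] += 1
    return counts.most_common(k)


def _event(priority, ns, pod, rule="Terminal shell in container"):
    """Build a minimal Falco-style JSON line (constructed sample data)."""
    return json.dumps({
        "priority": priority,
        "rule": rule,
        "source": "syscall",
        "output_fields": {
            "k8s.ns.name": ns,
            "k8s.pod.name": pod,
            "container.name": None,
        },
    })


# Constructed sample: one pod name from the post, the rest made up.
SAMPLE_LOG_LINES = [
    _event("Notice", "app-dominio", "app-dominio-66d845bf8f-xkvjz"),
    _event("Notice", "app-dominio", "app-dominio-66d845bf8f-xkvjz"),
    _event("Notice", "app-dominio", "app-dominio-66d845bf8f-xkvjz"),
    _event("Notice", "app-dominio", "app-dominio-66d845bf8f-abcde"),
    _event("Notice", "app-dominio", "app-dominio-66d845bf8f-abcde"),
    _event("Warning", "app-dominio", "app-dominio-66d845bf8f-abcde"),
    _event("Notice", "kube-system", "coredns-5d78c9869d-q7r2p"),
    _event("Notice", None, None),  # host-level event, no pod: must be dropped
    "not json at all",             # malformed line: must be dropped
]


if __name__ == "__main__":
    for pod, count in top_pods_by_alerts(SAMPLE_LOG_LINES, "Notice"):
        print(f"{count:>3}  {pod}")
```

Feeding the panel's raw log lines for a given range through `top_pods_by_alerts` and comparing with what the Loki query returns is a quick way to tell whether a mismatch comes from the query text (quoting, label names) or from the data (events without `k8s.pod.name`, which this query silently drops).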