falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Standardisation capability of Falco rule output #3157

Open samsson opened 3 months ago

samsson commented 3 months ago

Motivation

When writing Falco rules, the output needs to be formatted separately for each rule. This must be copied from other rules or written from scratch, which can easily introduce inconsistencies and overhead. A way to create template(s) for the output format would streamline work and ensure consistency.

Feature

A macro-based or other template facilitates creating a Falco rule output format that can be used in one or more Falco rules.
The macro would contain the same information as the output contains today, while the rule output could contain the macro. Example:

macro: user_info_format
(username=%user.name loginuid=%user.loginuid)

- rule:....
  output: >
    detection rule triggered: user_info_format

Alternatives

Something other than a macro

Additional context

The thought was briefly mentioned here: https://github.com/falcosecurity/falco/issues/577#issuecomment-481077570 by: @mfdii
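Falco has no output template feature today, so the kind of reuse asked for above can only be obtained by expanding templates before the rules file reaches Falco. The script below is an added example of such a preprocessing step; it is not part of Falco and not code from the issue author. It assumes a hypothetical `output_template` item with a `name`/`format` pair (that key does not exist in Falco's rules schema) and a `{{name}}` reference syntax inside `output`, expands every reference (including templates that refer to other templates, with cycle detection), and emits ordinary Falco rule items that need nothing new from the engine. The rules and templates are constructed sample data.

```python
"""Expand named output templates into plain Falco rule items.

Added example, not a Falco feature. `output_template` items and the
`{{name}}` reference syntax are assumptions of this preprocessor; the
expanded output is standard Falco rule YAML.
"""
import re
from typing import Dict, List

# A reference looks like {{ template_name }} inside a rule's output string.
TEMPLATE_REF = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
MAX_DEPTH = 10  # bound on nested template expansion; exceeding it means a cycle

# Constructed sample: two shared format fragments and two rules using them.
SAMPLE_ITEMS: List[Dict[str, str]] = [
    {"output_template": "user_info_format",
     "format": "user=%user.name loginuid=%user.loginuid uid=%user.uid"},
    {"output_template": "proc_info_format",
     "format": "proc=%proc.name cmdline=%proc.cmdline container=%container.id"},
    # A template may itself reference other templates.
    {"output_template": "actor_format",
     "format": "{{user_info_format}} {{proc_info_format}}"},
    {"rule": "Read sensitive file untrusted",
     "desc": "An attempt to read a sensitive file by a non-trusted program",
     "condition": "open_read and sensitive_files and not trusted_readers",
     "output": "Sensitive file opened for reading ({{actor_format}} file=%fd.name)",
     "priority": "WARNING"},
    {"rule": "Outbound connection from shell",
     "desc": "A shell process opened a network connection",
     "condition": "outbound and proc.name in (bash, sh, zsh)",
     "output": "Shell opened a connection ({{actor_format}} dest=%fd.name)",
     "priority": "NOTICE"},
]


class TemplateError(ValueError):
    """Unknown, duplicate or cyclic template reference."""


def collect_templates(items: List[Dict[str, str]]) -> Dict[str, str]:
    """Gather output_template definitions, rejecting duplicate names."""
    templates: Dict[str, str] = {}
    for item in items:
        if "output_template" in item:
            name = item["output_template"]
            if name in templates:
                raise TemplateError(f"duplicate output template: {name}")
            templates[name] = item["format"]
    return templates


def expand_output(output: str, templates: Dict[str, str]) -> str:
    """Replace every {{name}} in output until none remain (bounded depth)."""
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in templates:
            raise TemplateError(f"unknown output template: {name}")
        return templates[name]

    for _ in range(MAX_DEPTH):
        if not TEMPLATE_REF.search(output):
            return output
        output = TEMPLATE_REF.sub(substitute, output)
    raise TemplateError("template expansion did not terminate (cycle?)")


def expand_items(items: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only rule items, with their output fields fully expanded."""
    templates = collect_templates(items)
    expanded: List[Dict[str, str]] = []
    for item in items:
        if "output_template" in item:
            continue  # definitions are consumed here, Falco never sees them
        if "rule" in item and "output" in item:
            item = dict(item, output=expand_output(item["output"], templates))
        expanded.append(item)
    return expanded


def to_yaml(items: List[Dict[str, str]]) -> str:
    """Emit items as Falco-style YAML; output uses the folded '>' style."""
    lines: List[str] = []
    for item in items:
        prefix = "- "
        for key, value in item.items():
            if key == "output":
                lines.append(f"{prefix}{key}: >")
                lines.append(f"    {value}")
            else:
                lines.append(f"{prefix}{key}: {value}")
            prefix = "  "
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(expand_items(SAMPLE_ITEMS)), end="")
```

Running the file prints two plain Falco rules whose output strings carry the shared user and process fields verbatim; editing one template definition changes every rule that references it, which is the consistency the request is after. Loading and writing a real rules file would be a `yaml.safe_load` / `yaml.safe_dump` round trip around `expand_items`, left out here to keep the example dependency-free.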

Andreagit97 commented 3 months ago

Thank you for reporting this! This seems like a useful feature, we will consider it!

WoutResseler commented 2 months ago

Plus one, would be very nice!