search

falcosecurity / falcosidekick

Connect Falco to your ecosystem
Apache License 2.0
546 stars 177 forks source link

Opsgenie output - Remove timestamp from the output field #711

Closed spyer closed 3 months ago

spyer commented 10 months ago

Describe the bug Opsgenie output duplicates time in the output field and it's messes up with alert grouping in opsgenie, resulting in hundreds of alerts for each log entry.

related rule (standard one):

- rule: Fileless execution via memfd_create
  desc: >
    Detect if a binary is executed from memory using the memfd_create technique. This is a well-known defense evasion
    technique for executing malware on a victim machine without storing the payload on disk and to avoid leaving traces
    about what has been executed. Adopters can whitelist processes that may use fileless execution for benign purposes
    by adding items to the list known_memfd_execution_processes.
  condition: >
    spawned_process
    and proc.is_exe_from_memfd=true
    and not known_memfd_execution_processes
  output: Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: CRITICAL
  tags: [maturity_stable, host, container, process, mitre_defense_evasion, T1620]

Discussion on this issue can also be found here: https://lists.cncf.io/g/cncf-falco-dev/topic/falco_falcosidekick_and/84086875

How to reproduce it

Run falco + falco sidekick with opsgenie output

Expected behaviour Remove evt.time (which I thnik added by falco itself), since it's not in the rule template.
Or add capability to edit output field.

Screenshots falco

Environment

Issif commented 10 months ago

This is a good point and an easy fix. I'll work on that asap.

Thanks

poiana commented 7 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Issif commented 7 months ago

/remove-lifecycle stale

Issif commented 5 months ago

FYI, I created an issue to do the change at the Falco level, this is why PR is still WIP https://github.com/falcosecurity/falco/issues/2985

Issif commented 3 months ago

Will be fixed in the upcoming 2.29

spyer commented 3 months ago

Thank you!