Custom rules used for TrendAI Vision One™ Container Security are different from custom rules used by Falco. The existing fields do not need to change, but new fields must be added to make the rules compatible with TrendAI Vision One™.
- TrendAI Vision One™ custom rule field descriptions
- Modify Falco rules
- Supported Falco output fields
- Optional rule fields
TrendAI Vision One™ custom rule field descriptions
For TrendAI Vision One™ custom rules, some new fields must be included for the rules file to be valid:

| Field name | Field description | Example |
|---|---|---|
| `id` | The rule ID must start with "CR-" and should be unique across custom rules. The rule ID must also be 20 characters or fewer, including the mandatory "CR-" prefix. | `id: CR-00000001` |
| `userDefinedFields` | This field must be a YAML object. Container Security events are produced using Falco `output_fields`, allowing you to set additional outputs. Custom fields can be any string keys and string values, where the values might include Falco output fields. Any Falco output fields included in `userDefinedFields` must also be present in the `output` field. | See the two examples below this table. |
| `action` | The mitigation action taken when this rule is detected. Allowed values: `log`, `isolate`, and `terminate`. | `action: log` |

A minimal `userDefinedFields` example:

```yaml
userDefinedFields:
  myField: "Sensitive file read access"
```

An example that also surfaces Falco output fields as custom fields:

```yaml
userDefinedFields:
  myField: "Sensitive file read access"
  cmdline: "%proc.cmdline"
  custom3: "a string"
  customField: "%user.name"
  custom5: "%proc.pid"
```
Modify Falco rules
The following is an example of a Falco rule that monitors access to sensitive files:

```yaml
- rule: Monitor Sensitive File Access
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "Sensitive file read access (user=%user.name command=%proc.cmdline
    file=%fd.name)"
  priority: info
```
To make this rule compatible with TrendAI Vision One™, modify the rule to be similar to the following:

```yaml
- rule: Monitor Sensitive File Access
  id: CR-00000001
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "Sensitive file read access (user=%user.name command=%proc.cmdline
    file=%fd.name)"
  userDefinedFields:
    myField: "Sensitive file read access"
  priority: info
  action: log
```
In TrendAI Vision One™, the `output` field is not used directly. Instead, the Falco fields referenced in `output` are extracted to build an event in the TrendAI Vision One™ event format. This means that the previous rule is functionally identical to the following rule, because the fields referenced within `output` are the same (the value is quoted because a plain YAML scalar cannot begin with `%`):

```yaml
- rule: Monitor Sensitive File Access
  id: CR-00000001
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "%user.name %proc.cmdline %fd.name"
  userDefinedFields:
    myField: "Sensitive file read access"
  priority: info
  action: log
```
Supported Falco output fields
Not all Falco output fields are supported by TrendAI Vision One™. The following table lists the supported Falco fields and the name of each field in TrendAI Vision One™.

Note: To use fields not supported by Container Security, use `userDefinedFields`, as described in TrendAI Vision One™ custom rule field descriptions.

| Supported Falco fields | Name in TrendAI Vision One™ |
|---|---|
| `k8s.ns.name` | `k8sNamespace` |
| `k8s.pod.name` | `k8sPodName` |
| `k8s.pod.id` | `k8sPodId` |
| `container.name` | `containerName` |
| `container.id` | `containerId` |
| `container.image.repository` | `containerImgRepo` |
| `container.image.tag` | `containerImgTag` |
| `container.image.digest` | `containerImageDigest` |
| `proc.name` | `processName` |
| `proc.pid` | `processPid` |
| `proc.exeline` | `processCmd` |
| `proc.pname` | `parentName` |
| `proc.ppid` | `parentPid` |
| `proc.pcmdline` | `parentCmd` |
| `fd.filename` | `objectFileName` |
| `fd.directory` | `objectFileDir` |
| `fd.sip` | `dst` |
| `fd.sport` | `dpt` |
| `fd.cip` | `src` |
| `fd.cport` | `spt` |
| `fd.proto` | `app` |
| `fd.l4proto` | `proto` |
| `fd.name` | `fileDesc` |
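The constraints above (the `CR-` ID prefix and length limit, the allowed `action` values, the rule that every `%field` used in `userDefinedFields` must also appear in `output`, and the supported-field table) can be checked before a rules file is deployed. The following validator is an added example and not part of Container Security or Falco; it assumes the rule has already been parsed into a dict (for example with `yaml.safe_load`), and the sample rule at the bottom is constructed from the converted rule on this page.

```python
import re

# Allowed actions and the supported Falco fields, as listed on this page.
ALLOWED_ACTIONS = {"log", "isolate", "terminate"}
SUPPORTED_FALCO_FIELDS = {
    "k8s.ns.name", "k8s.pod.name", "k8s.pod.id", "container.name", "container.id",
    "container.image.repository", "container.image.tag", "container.image.digest",
    "proc.name", "proc.pid", "proc.exeline", "proc.pname", "proc.ppid", "proc.pcmdline",
    "fd.filename", "fd.directory", "fd.sip", "fd.sport", "fd.cip", "fd.cport",
    "fd.proto", "fd.l4proto", "fd.name",
}
# Matches a Falco reference such as %proc.cmdline or %fd.name (a trailing "." is not part of it).
FIELD_REF = re.compile(r"%([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)")


def referenced_fields(text):
    """Return the set of Falco field names referenced as %field in a string."""
    return set(FIELD_REF.findall(text))


def validate_rule(rule):
    """Check one parsed rule (a dict from yaml.safe_load) against the Vision One
    constraints on this page. Returns (errors, warnings); errors make the file invalid."""
    errors, warnings = [], []
    rule_id = rule.get("id")
    if not isinstance(rule_id, str) or not rule_id.startswith("CR-") or len(rule_id) > 20:
        errors.append("id must start with 'CR-' and be 20 characters or fewer")
    if rule.get("action") not in ALLOWED_ACTIONS:
        errors.append("action must be one of: log, isolate, terminate")
    output_refs = referenced_fields(str(rule.get("output", "")))
    udf = rule.get("userDefinedFields")
    if not isinstance(udf, dict):
        errors.append("userDefinedFields must be a YAML object (mapping)")
    else:
        for key, value in udf.items():
            if not isinstance(key, str) or not isinstance(value, str):
                errors.append(f"userDefinedFields entry {key!r} must map a string to a string")
            else:  # every %field used in a custom value must also appear in output
                for field in sorted(referenced_fields(value) - output_refs):
                    errors.append(f"userDefinedFields.{key} uses %{field}, which is not in output")
    # Fields outside the supported table have no Vision One name; they only reach
    # the event when surfaced through userDefinedFields, so flag them as warnings.
    for field in sorted(output_refs - SUPPORTED_FALCO_FIELDS):
        warnings.append(f"output uses %{field}, which has no Vision One field name")
    return errors, warnings


# Constructed sample: the converted rule from this page plus a cmdline custom field.
SAMPLE_RULE = {
    "rule": "Monitor Sensitive File Access", "id": "CR-00000001", "action": "log",
    "output": "Sensitive file read access (user=%user.name command=%proc.cmdline file=%fd.name)",
    "userDefinedFields": {"myField": "Sensitive file read access", "cmdline": "%proc.cmdline"},
}
```

Running `validate_rule(SAMPLE_RULE)` returns no errors but warns that `%user.name` and `%proc.cmdline` have no Vision One field name, which is why the `cmdline` custom field is needed to carry the command line into the event.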
Optional rule fields
The following rule fields are optional for Container Security custom rules and can be written according to normal Falco rule guidelines.

Use the `tags` field to add generic tags to a rule:

```yaml
tags:
  - container
  - filesystem
```

Note: The `tags` field appears as `customTags` in TrendAI Vision One™.

Use the `exceptions` field to filter events. TrendAI™ services might trigger some events, which are typically minimal and can be safely ignored. Add the following exception to your rule definition to filter these out within the specified Kubernetes namespace:

```yaml
exceptions:
  - name: trend_namespace
    fields: [k8s.ns.name]
    comps: [=]
    values:
      - [trendmicro-system]
```
