Custom rules used for Trend Vision One Container Security are different from custom rules used by Falco. The existing fields do not need to change, but new fields must be added to make the rules compatible with Trend Vision One.

Trend Vision One custom rule field descriptions

For Trend Vision One custom rules, some new fields must be included for the rules file to be valid:
Field name: id
Description: The rule ID must start with "CR-" and should be unique across custom rules. The rule ID must also be 20 characters or fewer, including the mandatory "CR-" prefix.
Example:
id: CR-00000001

Field name: custom_fields
Description: This field must be a YAML object. Container Security events are produced using Falco output_fields, which lets you set additional outputs. Custom fields can be any string keys and string values, and the values may include Falco output fields. Any Falco output field included in custom_fields must also be present in the output field.
Examples:
custom_fields:
    myField: "Sensitive file read access"

custom_fields:
    myField: "Sensitive file read access"
    cmdline: "%proc.cmdline"
    custom3: "a string"
    customField: "%user.name"
    custom5: "%proc.pid"

Field name: action
Description: The mitigation action taken when this rule is detected. Allowed values: log, isolate, and terminate.
Example:
action: log

Modify Falco rules

The following is an example of a Falco rule that monitors access to sensitive files:
- rule: Monitor Sensitive File Access
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "Sensitive file read access (user=%user.name command=%proc.cmdline
    file=%fd.name)"
  priority: info
To make this rule compatible with Trend Vision One, modify the rule to be similar to the following:
- rule: Monitor Sensitive File Access
  id: CR-00000001
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "Sensitive file read access (user=%user.name command=%proc.cmdline
    file=%fd.name)"
  custom_fields:
    myField: "Sensitive file read access"
  priority: info
  action: log
In Trend Vision One, the output field is not used directly. Instead, the fields referenced in output are extracted to build an event in the Trend Vision One format. This means the previous rule is functionally identical to the following rule, because the fields referenced within the "output" field are the same:
- rule: Monitor Sensitive File Access
  id: CR-00000001
  desc: Detect any read access to sensitive files
  condition: >
    (syscall.type = openat and fd.name startswith "/etc/" and
    evt.arg.flags contains "O_RDONLY")
  output: "%user.name %proc.cmdline %fd.name"
  custom_fields:
    myField: "Sensitive file read access"
  priority: info
  action: log
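As an added example that is not part of this page or of Trend Micro's tooling, the following Python checks a parsed rules list against the Trend Vision One requirements described above: the "CR-" prefix and 20-character limit on id, id uniqueness across rules, custom_fields as an object of string keys and string values whose %field references also appear in output, and the allowed action values. It assumes the rules file has already been loaded with a YAML parser such as yaml.safe_load; the sample rules are constructed inline.

```python
import re
# Falco output-field references such as %user.name or %proc.aname[2].
FIELD_REF = re.compile(r"%([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*(?:\[[^\]]*\])?)")
ALLOWED_ACTIONS = {"log", "isolate", "terminate"}


def validate_rule(rule):
    """Return the Trend Vision One problems found in one parsed rule."""
    problems = []
    rule_id = rule.get("id")
    if not isinstance(rule_id, str) or not rule_id.startswith("CR-"):
        problems.append("id must be a string starting with 'CR-'")
    elif len(rule_id) > 20:
        problems.append("id must be 20 characters or fewer")
    custom = rule.get("custom_fields")
    if not isinstance(custom, dict):
        problems.append("custom_fields must be a YAML object")
    else:
        out_refs = set(FIELD_REF.findall(str(rule.get("output", ""))))
        for key, value in custom.items():
            if not isinstance(key, str) or not isinstance(value, str):
                problems.append(f"custom_fields.{key}: key and value must be strings")
                continue
            for ref in sorted(set(FIELD_REF.findall(value)) - out_refs):
                problems.append(f"custom_fields.{key} uses %{ref} missing from output")
    if rule.get("action") not in ALLOWED_ACTIONS:
        problems.append("action must be one of log, isolate, terminate")
    return problems


def validate_rules(rules):
    """Validate a whole rules list and enforce unique ids across rules."""
    report, seen = {}, {}
    for rule in rules:
        name, rid = rule.get("rule", "<unnamed>"), rule.get("id")
        errs = validate_rule(rule)
        if rid in seen:
            errs.append(f"id {rid} already used by rule '{seen[rid]}'")
        elif isinstance(rid, str):
            seen[rid] = name
        if errs:
            report[name] = errs
    return report


# Constructed sample: the converted rule above as a YAML parser returns it, plus a rule with mistakes.
SAMPLE_RULES = [
    {"rule": "Monitor Sensitive File Access", "id": "CR-00000001",
     "output": "Sensitive file read access (user=%user.name command=%proc.cmdline file=%fd.name)",
     "custom_fields": {"myField": "Sensitive file read access", "cmdline": "%proc.cmdline"},
     "priority": "info", "action": "log"},
    {"rule": "Bad Rule", "id": "CR-00000001", "output": "%user.name",
     "custom_fields": {"pid": "%proc.pid"}, "action": "block"},
]
```

Running validate_rules(SAMPLE_RULES) reports nothing for the first rule and three problems for "Bad Rule": the unreferenced %proc.pid, the invalid action, and the duplicate id.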

Supported Falco output fields

Not all Falco output fields are supported by Trend Vision One. The following table lists the supported Falco fields and the name of each field in Trend Vision One.
Note
To use fields not supported by Container Security, use custom_fields, as described in Trend Vision One custom rule field descriptions.
Supported Falco field          Name in Trend Vision One
k8s.ns.name                    k8sNamespace
k8s.pod.name                   k8sPodName
k8s.pod.id                     k8sPodId
container.name                 containerName
container.id                   containerId
container.image.repository     containerImgRepo
container.image.tag            containerImgTag
container.image.digest         containerImageDigest
proc.name                      processName
proc.pid                       processPid
proc.exeline                   processCmd
proc.pname                     parentName
proc.ppid                      parentPid
proc.pcmdline                  parentCmd
fd.filename                    objectFileName
fd.directory                   objectFileDir
fd.sip                         dst
fd.sport                       dpt
fd.cip                         src
fd.cport                       spt
fd.proto                       app
fd.l4proto                     proto
fd.name                        fileDesc

Optional rule fields

The following rule fields are optional for Container Security custom rules and can be written according to normal Falco rule guidelines.
Use the tags field to add generic tags to a rule:
tags:
  - container
  - filesystem
Note
The tags field appears as customTags in Trend Vision One.
Use the exceptions field to filter events. Trend Micro services might trigger some events, which are typically minimal and can be safely ignored. Add the following exception to your rule definition to filter these out within the specified Kubernetes namespace:
exceptions:
  - name: trend_namespace
    fields: [k8s.ns.name]
    comps: [=]
    values:
      - [trendmicro-system]