Linux Agent attributes and helpers

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Linux Agent attributes and helpers

This documentation describes Linux attributes and helpers of the Datadog’s Security Language (SECL).

Rules using Linux attributes and helpers must include an OS rule filter field as follows.

id: [...]
expression: [...]
filters:
  - os == "linux"

Triggers

Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

SECL EventTypeDefinitionAgent Version
acceptNetworkAn accept was executed7.60
bindNetworkA bind was executed7.37
bpfKernelA BPF command was executed7.33
capsetProcessA process changed its capacity set7.27
chdirFile[Experimental] A process changed the current directory7.52
chmodFileA file’s permissions were changed7.27
chownFileA file’s owner was changed7.27
connectNetworkA connect was executed7.60
dnsNetworkA DNS request was sent7.36
execProcessA process was executed (does not trigger on fork syscalls).7.27
exitProcessA process was terminated7.38
imdsNetworkAn IMDS event was captured7.55
linkFileCreate a new name/alias for a file7.27
load_moduleKernelA new kernel module was loaded7.35
mkdirFileA directory was created7.27
mmapKernelA mmap command was executed7.35
mountFile[Experimental] A filesystem was mounted7.42
mprotectKernelA mprotect command was executed7.35
network_flow_monitorNetworkA network monitor event was sent7.63
openFileA file was opened7.27
packetNetworkA raw network packet was captured7.60
ptraceKernelA ptrace command was executed7.35
removexattrFileRemove extended attributes7.27
renameFileA file/directory was renamed7.27
rmdirFileA directory was removed7.27
selinuxKernelAn SELinux operation was run7.30
setgidProcessA process changed its effective gid7.27
setuidProcessA process changed its effective uid7.27
setxattrFileSet exteneded attributes7.27
signalProcessA signal was sent7.35
spliceFileA splice command was executed7.36
unlinkFileA file was deleted7.27
unload_moduleKernelA kernel module was deleted7.35
utimesFileChange file access/modification times7.27

Variables

SECL variables are predefined variables that can be used as values or as part of values.

For example, rule using a process.pid variable looks like this:

open.file.path == "/proc/${process.pid}/maps"

List of the available variables:

SECL VariableDefinitionAgent Version
process.pidProcess PID7.33

CIDR and IP range

CIDR and IP matching is possible in SECL. One can use operators such as in, not in, or allin combined with CIDR or IP notations.

Such rules can be written as follows:

dns.question.name == "example.com" && network.destination.ip in [192.168.1.25, 10.0.0.0/24]

Helpers

Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.

Command line arguments

The args_flags and args_options are helpers to ease the writing of CSM Threats rules based on command line arguments.

args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.

Examples:

  • version is part of args_flags for the command cat --version
  • l and n both are in args_flags for the command netstat -ln

args_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.

Examples:

  • T=8 and width=8 both are in args_options for the command ls -T 8 --width=8
  • exec.args_options in [ r"s=.*\\" ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \

File rights

The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.

Event attributes

Common to all event types

PropertyDefinition
cgroup.file.inodeInode of the file
cgroup.file.mount_idMount ID of the file
cgroup.idID of the cgroup
cgroup.manager[Experimental] Lifecycle manager of the cgroup
cgroup.version[Experimental] Version of the cgroup API
container.created_atTimestamp of the creation of the container
container.idID of the container
container.runtimeRuntime managing the container
container.tagsTags of the container
event.asyncTrue if the syscall was asynchronous
event.hostnameHostname associated with the event
event.originOrigin of the event
event.osOperating system of the event
event.serviceService associated with the event
event.timestampTimestamp of the event
process.ancestors.argsArguments of the process (as a string, excluding argv0)
process.ancestors.args_flagsFlags in the process arguments
process.ancestors.args_optionsArgument of the process as options
process.ancestors.args_truncatedIndicator of arguments truncation
process.ancestors.argvArguments of the process (as an array, excluding argv0)
process.ancestors.argv0First argument of the process
process.ancestors.auidLogin UID of the process
process.ancestors.cap_effectiveEffective capability set of the process
process.ancestors.cap_permittedPermitted capability set of the process
process.ancestors.cgroup.file.inodeInode of the file
process.ancestors.cgroup.file.mount_idMount ID of the file
process.ancestors.cgroup.idID of the cgroup
process.ancestors.cgroup.manager[Experimental] Lifecycle manager of the cgroup
process.ancestors.cgroup.version[Experimental] Version of the cgroup API
process.ancestors.commComm attribute of the process
process.ancestors.container.idContainer ID
process.ancestors.created_atTimestamp of the creation of the process
process.ancestors.egidEffective GID of the process
process.ancestors.egroupEffective group of the process
process.ancestors.envpEnvironment variables of the process
process.ancestors.envsEnvironment variable names of the process
process.ancestors.envs_truncatedIndicator of environment variables truncation
process.ancestors.euidEffective UID of the process
process.ancestors.euserEffective user of the process
process.ancestors.file.change_timeChange time (ctime) of the file
process.ancestors.file.filesystemFile’s filesystem
process.ancestors.file.gidGID of the file’s owner
process.ancestors.file.groupGroup of the file’s owner
process.ancestors.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.ancestors.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.ancestors.file.inodeInode of the file
process.ancestors.file.modeMode of the file
process.ancestors.file.modification_timeModification time (mtime) of the file
process.ancestors.file.mount_idMount ID of the file
process.ancestors.file.nameFile’s basename
process.ancestors.file.name.lengthLength of the corresponding element
process.ancestors.file.package.name[Experimental] Name of the package that provided this file
process.ancestors.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.ancestors.file.package.version[Experimental] Full version of the package that provided this file
process.ancestors.file.pathFile’s path
process.ancestors.file.path.lengthLength of the corresponding element
process.ancestors.file.rightsRights of the file
process.ancestors.file.uidUID of the file’s owner
process.ancestors.file.userUser of the file’s owner
process.ancestors.fsgidFileSystem-gid of the process
process.ancestors.fsgroupFileSystem-group of the process
process.ancestors.fsuidFileSystem-uid of the process
process.ancestors.fsuserFileSystem-user of the process
process.ancestors.gidGID of the process
process.ancestors.groupGroup of the process
process.ancestors.interpreter.file.change_timeChange time (ctime) of the file
process.ancestors.interpreter.file.filesystemFile’s filesystem
process.ancestors.interpreter.file.gidGID of the file’s owner
process.ancestors.interpreter.file.groupGroup of the file’s owner
process.ancestors.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.ancestors.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.ancestors.interpreter.file.inodeInode of the file
process.ancestors.interpreter.file.modeMode of the file
process.ancestors.interpreter.file.modification_timeModification time (mtime) of the file
process.ancestors.interpreter.file.mount_idMount ID of the file
process.ancestors.interpreter.file.nameFile’s basename
process.ancestors.interpreter.file.name.lengthLength of the corresponding element
process.ancestors.interpreter.file.package.name[Experimental] Name of the package that provided this file
process.ancestors.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.ancestors.interpreter.file.package.version[Experimental] Full version of the package that provided this file
process.ancestors.interpreter.file.pathFile’s path
process.ancestors.interpreter.file.path.lengthLength of the corresponding element
process.ancestors.interpreter.file.rightsRights of the file
process.ancestors.interpreter.file.uidUID of the file’s owner
process.ancestors.interpreter.file.userUser of the file’s owner
process.ancestors.is_execIndicates whether the process entry is from a new binary execution
process.ancestors.is_kworkerIndicates whether the process is a kworker
process.ancestors.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.ancestors.lengthLength of the corresponding element
process.ancestors.pidProcess ID of the process (also called thread group ID)
process.ancestors.ppidParent process ID
process.ancestors.tidThread ID of the thread
process.ancestors.tty_nameName of the TTY associated with the process
process.ancestors.uidUID of the process
process.ancestors.userUser of the process
process.ancestors.user_session.k8s_groupsKubernetes groups of the user that executed the process
process.ancestors.user_session.k8s_uidKubernetes UID of the user that executed the process
process.ancestors.user_session.k8s_usernameKubernetes username of the user that executed the process
process.argsArguments of the process (as a string, excluding argv0)
process.args_flagsFlags in the process arguments
process.args_optionsArgument of the process as options
process.args_truncatedIndicator of arguments truncation
process.argvArguments of the process (as an array, excluding argv0)
process.argv0First argument of the process
process.auidLogin UID of the process
process.cap_effectiveEffective capability set of the process
process.cap_permittedPermitted capability set of the process
process.cgroup.file.inodeInode of the file
process.cgroup.file.mount_idMount ID of the file
process.cgroup.idID of the cgroup
process.cgroup.manager[Experimental] Lifecycle manager of the cgroup
process.cgroup.version[Experimental] Version of the cgroup API
process.commComm attribute of the process
process.container.idContainer ID
process.created_atTimestamp of the creation of the process
process.egidEffective GID of the process
process.egroupEffective group of the process
process.envpEnvironment variables of the process
process.envsEnvironment variable names of the process
process.envs_truncatedIndicator of environment variables truncation
process.euidEffective UID of the process
process.euserEffective user of the process
process.file.change_timeChange time (ctime) of the file
process.file.filesystemFile’s filesystem
process.file.gidGID of the file’s owner
process.file.groupGroup of the file’s owner
process.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.file.inodeInode of the file
process.file.modeMode of the file
process.file.modification_timeModification time (mtime) of the file
process.file.mount_idMount ID of the file
process.file.nameFile’s basename
process.file.name.lengthLength of the corresponding element
process.file.package.name[Experimental] Name of the package that provided this file
process.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.file.package.version[Experimental] Full version of the package that provided this file
process.file.pathFile’s path
process.file.path.lengthLength of the corresponding element
process.file.rightsRights of the file
process.file.uidUID of the file’s owner
process.file.userUser of the file’s owner
process.fsgidFileSystem-gid of the process
process.fsgroupFileSystem-group of the process
process.fsuidFileSystem-uid of the process
process.fsuserFileSystem-user of the process
process.gidGID of the process
process.groupGroup of the process
process.interpreter.file.change_timeChange time (ctime) of the file
process.interpreter.file.filesystemFile’s filesystem
process.interpreter.file.gidGID of the file’s owner
process.interpreter.file.groupGroup of the file’s owner
process.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.interpreter.file.inodeInode of the file
process.interpreter.file.modeMode of the file
process.interpreter.file.modification_timeModification time (mtime) of the file
process.interpreter.file.mount_idMount ID of the file
process.interpreter.file.nameFile’s basename
process.interpreter.file.name.lengthLength of the corresponding element
process.interpreter.file.package.name[Experimental] Name of the package that provided this file
process.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.interpreter.file.package.version[Experimental] Full version of the package that provided this file
process.interpreter.file.pathFile’s path
process.interpreter.file.path.lengthLength of the corresponding element
process.interpreter.file.rightsRights of the file
process.interpreter.file.uidUID of the file’s owner
process.interpreter.file.userUser of the file’s owner
process.is_execIndicates whether the process entry is from a new binary execution
process.is_kworkerIndicates whether the process is a kworker
process.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.parent.argsArguments of the process (as a string, excluding argv0)
process.parent.args_flagsFlags in the process arguments
process.parent.args_optionsArgument of the process as options
process.parent.args_truncatedIndicator of arguments truncation
process.parent.argvArguments of the process (as an array, excluding argv0)
process.parent.argv0First argument of the process
process.parent.auidLogin UID of the process
process.parent.cap_effectiveEffective capability set of the process
process.parent.cap_permittedPermitted capability set of the process
process.parent.cgroup.file.inodeInode of the file
process.parent.cgroup.file.mount_idMount ID of the file
process.parent.cgroup.idID of the cgroup
process.parent.cgroup.manager[Experimental] Lifecycle manager of the cgroup
process.parent.cgroup.version[Experimental] Version of the cgroup API
process.parent.commComm attribute of the process
process.parent.container.idContainer ID
process.parent.created_atTimestamp of the creation of the process
process.parent.egidEffective GID of the process
process.parent.egroupEffective group of the process
process.parent.envpEnvironment variables of the process
process.parent.envsEnvironment variable names of the process
process.parent.envs_truncatedIndicator of environment variables truncation
process.parent.euidEffective UID of the process
process.parent.euserEffective user of the process
process.parent.file.change_timeChange time (ctime) of the file
process.parent.file.filesystemFile’s filesystem
process.parent.file.gidGID of the file’s owner
process.parent.file.groupGroup of the file’s owner
process.parent.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.parent.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.parent.file.inodeInode of the file
process.parent.file.modeMode of the file
process.parent.file.modification_timeModification time (mtime) of the file
process.parent.file.mount_idMount ID of the file
process.parent.file.nameFile’s basename
process.parent.file.name.lengthLength of the corresponding element
process.parent.file.package.name[Experimental] Name of the package that provided this file
process.parent.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.parent.file.package.version[Experimental] Full version of the package that provided this file
process.parent.file.pathFile’s path
process.parent.file.path.lengthLength of the corresponding element
process.parent.file.rightsRights of the file
process.parent.file.uidUID of the file’s owner
process.parent.file.userUser of the file’s owner
process.parent.fsgidFileSystem-gid of the process
process.parent.fsgroupFileSystem-group of the process
process.parent.fsuidFileSystem-uid of the process
process.parent.fsuserFileSystem-user of the process
process.parent.gidGID of the process
process.parent.groupGroup of the process
process.parent.interpreter.file.change_timeChange time (ctime) of the file
process.parent.interpreter.file.filesystemFile’s filesystem
process.parent.interpreter.file.gidGID of the file’s owner
process.parent.interpreter.file.groupGroup of the file’s owner
process.parent.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
process.parent.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
process.parent.interpreter.file.inodeInode of the file
process.parent.interpreter.file.modeMode of the file
process.parent.interpreter.file.modification_timeModification time (mtime) of the file
process.parent.interpreter.file.mount_idMount ID of the file
process.parent.interpreter.file.nameFile’s basename
process.parent.interpreter.file.name.lengthLength of the corresponding element
process.parent.interpreter.file.package.name[Experimental] Name of the package that provided this file
process.parent.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
process.parent.interpreter.file.package.version[Experimental] Full version of the package that provided this file
process.parent.interpreter.file.pathFile’s path
process.parent.interpreter.file.path.lengthLength of the corresponding element
process.parent.interpreter.file.rightsRights of the file
process.parent.interpreter.file.uidUID of the file’s owner
process.parent.interpreter.file.userUser of the file’s owner
process.parent.is_execIndicates whether the process entry is from a new binary execution
process.parent.is_kworkerIndicates whether the process is a kworker
process.parent.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
process.parent.pidProcess ID of the process (also called thread group ID)
process.parent.ppidParent process ID
process.parent.tidThread ID of the thread
process.parent.tty_nameName of the TTY associated with the process
process.parent.uidUID of the process
process.parent.userUser of the process
process.parent.user_session.k8s_groupsKubernetes groups of the user that executed the process
process.parent.user_session.k8s_uidKubernetes UID of the user that executed the process
process.parent.user_session.k8s_usernameKubernetes username of the user that executed the process
process.pidProcess ID of the process (also called thread group ID)
process.ppidParent process ID
process.tidThread ID of the thread
process.tty_nameName of the TTY associated with the process
process.uidUID of the process
process.userUser of the process
process.user_session.k8s_groupsKubernetes groups of the user that executed the process
process.user_session.k8s_uidKubernetes UID of the user that executed the process
process.user_session.k8s_usernameKubernetes username of the user that executed the process

Event accept

An accept was executed

PropertyDefinition
accept.addr.familyAddress family
accept.addr.ipIP address
accept.addr.is_publicWhether the IP address belongs to a public network
accept.addr.portPort number
accept.retvalReturn value of the syscall

Event bind

A bind was executed

PropertyDefinition
bind.addr.familyAddress family
bind.addr.ipIP address
bind.addr.is_publicWhether the IP address belongs to a public network
bind.addr.portPort number
bind.protocolSocket Protocol
bind.retvalReturn value of the syscall

Event bpf

A BPF command was executed

PropertyDefinition
bpf.cmdBPF command name
bpf.map.nameName of the eBPF map (added in 7.35)
bpf.map.typeType of the eBPF map
bpf.prog.attach_typeAttach type of the eBPF program
bpf.prog.helperseBPF helpers used by the eBPF program (added in 7.35)
bpf.prog.nameName of the eBPF program (added in 7.35)
bpf.prog.tagHash (sha1) of the eBPF program (added in 7.35)
bpf.prog.typeType of the eBPF program
bpf.retvalReturn value of the syscall

Event capset

A process changed its capacity set

PropertyDefinition
capset.cap_effectiveEffective capability set of the process
capset.cap_permittedPermitted capability set of the process

Event chdir

This event type is experimental and may change in the future.

A process changed the current directory

PropertyDefinition
chdir.file.change_timeChange time (ctime) of the file
chdir.file.filesystemFile’s filesystem
chdir.file.gidGID of the file’s owner
chdir.file.groupGroup of the file’s owner
chdir.file.hashes[Experimental] List of cryptographic hashes computed for this file
chdir.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
chdir.file.inodeInode of the file
chdir.file.modeMode of the file
chdir.file.modification_timeModification time (mtime) of the file
chdir.file.mount_idMount ID of the file
chdir.file.nameFile’s basename
chdir.file.name.lengthLength of the corresponding element
chdir.file.package.name[Experimental] Name of the package that provided this file
chdir.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
chdir.file.package.version[Experimental] Full version of the package that provided this file
chdir.file.pathFile’s path
chdir.file.path.lengthLength of the corresponding element
chdir.file.rightsRights of the file
chdir.file.uidUID of the file’s owner
chdir.file.userUser of the file’s owner
chdir.retvalReturn value of the syscall
chdir.syscall.pathpath argument of the syscall

Event chmod

A file’s permissions were changed

PropertyDefinition
chmod.file.change_timeChange time (ctime) of the file
chmod.file.destination.modeNew mode of the chmod-ed file
chmod.file.destination.rightsNew rights of the chmod-ed file
chmod.file.filesystemFile’s filesystem
chmod.file.gidGID of the file’s owner
chmod.file.groupGroup of the file’s owner
chmod.file.hashes[Experimental] List of cryptographic hashes computed for this file
chmod.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
chmod.file.inodeInode of the file
chmod.file.modeMode of the file
chmod.file.modification_timeModification time (mtime) of the file
chmod.file.mount_idMount ID of the file
chmod.file.nameFile’s basename
chmod.file.name.lengthLength of the corresponding element
chmod.file.package.name[Experimental] Name of the package that provided this file
chmod.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
chmod.file.package.version[Experimental] Full version of the package that provided this file
chmod.file.pathFile’s path
chmod.file.path.lengthLength of the corresponding element
chmod.file.rightsRights of the file
chmod.file.uidUID of the file’s owner
chmod.file.userUser of the file’s owner
chmod.retvalReturn value of the syscall
chmod.syscall.modemode argument of the syscall
chmod.syscall.pathpath argument of the syscall

Event chown

A file’s owner was changed

PropertyDefinition
chown.file.change_timeChange time (ctime) of the file
chown.file.destination.gidNew GID of the chown-ed file’s owner
chown.file.destination.groupNew group of the chown-ed file’s owner
chown.file.destination.uidNew UID of the chown-ed file’s owner
chown.file.destination.userNew user of the chown-ed file’s owner
chown.file.filesystemFile’s filesystem
chown.file.gidGID of the file’s owner
chown.file.groupGroup of the file’s owner
chown.file.hashes[Experimental] List of cryptographic hashes computed for this file
chown.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
chown.file.inodeInode of the file
chown.file.modeMode of the file
chown.file.modification_timeModification time (mtime) of the file
chown.file.mount_idMount ID of the file
chown.file.nameFile’s basename
chown.file.name.lengthLength of the corresponding element
chown.file.package.name[Experimental] Name of the package that provided this file
chown.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
chown.file.package.version[Experimental] Full version of the package that provided this file
chown.file.pathFile’s path
chown.file.path.lengthLength of the corresponding element
chown.file.rightsRights of the file
chown.file.uidUID of the file’s owner
chown.file.userUser of the file’s owner
chown.retvalReturn value of the syscall
chown.syscall.gidGID argument of the syscall
chown.syscall.pathPath argument of the syscall
chown.syscall.uidUID argument of the syscall

Event connect

A connect was executed

PropertyDefinition
connect.addr.familyAddress family
connect.addr.ipIP address
connect.addr.is_publicWhether the IP address belongs to a public network
connect.addr.portPort number
connect.protocolSocket Protocol
connect.retvalReturn value of the syscall

Event dns

A DNS request was sent

PropertyDefinition
dns.id[Experimental] the DNS request ID
dns.question.classthe class looked up by the DNS question
dns.question.countthe total count of questions in the DNS request
dns.question.lengththe total DNS request size in bytes
dns.question.namethe queried domain name
dns.question.name.lengthLength of the corresponding element
dns.question.typea two octet code which specifies the DNS question type
network.destination.ipIP address
network.destination.is_publicWhether the IP address belongs to a public network
network.destination.portPort number
network.device.ifnameInterface ifname
network.l3_protocolL3 protocol of the network packet
network.l4_protocolL4 protocol of the network packet
network.network_directionNetwork direction of the network packet
network.sizeSize in bytes of the network packet
network.source.ipIP address
network.source.is_publicWhether the IP address belongs to a public network
network.source.portPort number

Event exec

A process was executed (does not trigger on fork syscalls).

PropertyDefinition
exec.argsArguments of the process (as a string, excluding argv0)
exec.args_flagsFlags in the process arguments
exec.args_optionsArgument of the process as options
exec.args_truncatedIndicator of arguments truncation
exec.argvArguments of the process (as an array, excluding argv0)
exec.argv0First argument of the process
exec.auidLogin UID of the process
exec.cap_effectiveEffective capability set of the process
exec.cap_permittedPermitted capability set of the process
exec.cgroup.file.inodeInode of the file
exec.cgroup.file.mount_idMount ID of the file
exec.cgroup.idID of the cgroup
exec.cgroup.manager[Experimental] Lifecycle manager of the cgroup
exec.cgroup.version[Experimental] Version of the cgroup API
exec.commComm attribute of the process
exec.container.idContainer ID
exec.created_atTimestamp of the creation of the process
exec.egidEffective GID of the process
exec.egroupEffective group of the process
exec.envpEnvironment variables of the process
exec.envsEnvironment variable names of the process
exec.envs_truncatedIndicator of environment variables truncation
exec.euidEffective UID of the process
exec.euserEffective user of the process
exec.file.change_timeChange time (ctime) of the file
exec.file.filesystemFile’s filesystem
exec.file.gidGID of the file’s owner
exec.file.groupGroup of the file’s owner
exec.file.hashes[Experimental] List of cryptographic hashes computed for this file
exec.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
exec.file.inodeInode of the file
exec.file.modeMode of the file
exec.file.modification_timeModification time (mtime) of the file
exec.file.mount_idMount ID of the file
exec.file.nameFile’s basename
exec.file.name.lengthLength of the corresponding element
exec.file.package.name[Experimental] Name of the package that provided this file
exec.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
exec.file.package.version[Experimental] Full version of the package that provided this file
exec.file.pathFile’s path
exec.file.path.lengthLength of the corresponding element
exec.file.rightsRights of the file
exec.file.uidUID of the file’s owner
exec.file.userUser of the file’s owner
exec.fsgidFileSystem-gid of the process
exec.fsgroupFileSystem-group of the process
exec.fsuidFileSystem-uid of the process
exec.fsuserFileSystem-user of the process
exec.gidGID of the process
exec.groupGroup of the process
exec.interpreter.file.change_timeChange time (ctime) of the file
exec.interpreter.file.filesystemFile’s filesystem
exec.interpreter.file.gidGID of the file’s owner
exec.interpreter.file.groupGroup of the file’s owner
exec.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
exec.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
exec.interpreter.file.inodeInode of the file
exec.interpreter.file.modeMode of the file
exec.interpreter.file.modification_timeModification time (mtime) of the file
exec.interpreter.file.mount_idMount ID of the file
exec.interpreter.file.nameFile’s basename
exec.interpreter.file.name.lengthLength of the corresponding element
exec.interpreter.file.package.name[Experimental] Name of the package that provided this file
exec.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
exec.interpreter.file.package.version[Experimental] Full version of the package that provided this file
exec.interpreter.file.pathFile’s path
exec.interpreter.file.path.lengthLength of the corresponding element
exec.interpreter.file.rightsRights of the file
exec.interpreter.file.uidUID of the file’s owner
exec.interpreter.file.userUser of the file’s owner
exec.is_execIndicates whether the process entry is from a new binary execution
exec.is_kworkerIndicates whether the process is a kworker
exec.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
exec.pidProcess ID of the process (also called thread group ID)
exec.ppidParent process ID
exec.syscall.pathpath argument of the syscall
exec.tidThread ID of the thread
exec.tty_nameName of the TTY associated with the process
exec.uidUID of the process
exec.userUser of the process
exec.user_session.k8s_groupsKubernetes groups of the user that executed the process
exec.user_session.k8s_uidKubernetes UID of the user that executed the process
exec.user_session.k8s_usernameKubernetes username of the user that executed the process

Event exit

A process was terminated

PropertyDefinition
exit.argsArguments of the process (as a string, excluding argv0)
exit.args_flagsFlags in the process arguments
exit.args_optionsArgument of the process as options
exit.args_truncatedIndicator of arguments truncation
exit.argvArguments of the process (as an array, excluding argv0)
exit.argv0First argument of the process
exit.auidLogin UID of the process
exit.cap_effectiveEffective capability set of the process
exit.cap_permittedPermitted capability set of the process
exit.causeCause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
exit.cgroup.file.inodeInode of the file
exit.cgroup.file.mount_idMount ID of the file
exit.cgroup.idID of the cgroup
exit.cgroup.manager[Experimental] Lifecycle manager of the cgroup
exit.cgroup.version[Experimental] Version of the cgroup API
exit.codeExit code of the process or number of the signal that caused the process to terminate
exit.commComm attribute of the process
exit.container.idContainer ID
exit.created_atTimestamp of the creation of the process
exit.egidEffective GID of the process
exit.egroupEffective group of the process
exit.envpEnvironment variables of the process
exit.envsEnvironment variable names of the process
exit.envs_truncatedIndicator of environment variables truncation
exit.euidEffective UID of the process
exit.euserEffective user of the process
exit.file.change_timeChange time (ctime) of the file
exit.file.filesystemFile’s filesystem
exit.file.gidGID of the file’s owner
exit.file.groupGroup of the file’s owner
exit.file.hashes[Experimental] List of cryptographic hashes computed for this file
exit.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
exit.file.inodeInode of the file
exit.file.modeMode of the file
exit.file.modification_timeModification time (mtime) of the file
exit.file.mount_idMount ID of the file
exit.file.nameFile’s basename
exit.file.name.lengthLength of the corresponding element
exit.file.package.name[Experimental] Name of the package that provided this file
exit.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
exit.file.package.version[Experimental] Full version of the package that provided this file
exit.file.pathFile’s path
exit.file.path.lengthLength of the corresponding element
exit.file.rightsRights of the file
exit.file.uidUID of the file’s owner
exit.file.userUser of the file’s owner
exit.fsgidFileSystem-gid of the process
exit.fsgroupFileSystem-group of the process
exit.fsuidFileSystem-uid of the process
exit.fsuserFileSystem-user of the process
exit.gidGID of the process
exit.groupGroup of the process
exit.interpreter.file.change_timeChange time (ctime) of the file
exit.interpreter.file.filesystemFile’s filesystem
exit.interpreter.file.gidGID of the file’s owner
exit.interpreter.file.groupGroup of the file’s owner
exit.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
exit.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
exit.interpreter.file.inodeInode of the file
exit.interpreter.file.modeMode of the file
exit.interpreter.file.modification_timeModification time (mtime) of the file
exit.interpreter.file.mount_idMount ID of the file
exit.interpreter.file.nameFile’s basename
exit.interpreter.file.name.lengthLength of the corresponding element
exit.interpreter.file.package.name[Experimental] Name of the package that provided this file
exit.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
exit.interpreter.file.package.version[Experimental] Full version of the package that provided this file
exit.interpreter.file.pathFile’s path
exit.interpreter.file.path.lengthLength of the corresponding element
exit.interpreter.file.rightsRights of the file
exit.interpreter.file.uidUID of the file’s owner
exit.interpreter.file.userUser of the file’s owner
exit.is_execIndicates whether the process entry is from a new binary execution
exit.is_kworkerIndicates whether the process is a kworker
exit.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
exit.pidProcess ID of the process (also called thread group ID)
exit.ppidParent process ID
exit.tidThread ID of the thread
exit.tty_nameName of the TTY associated with the process
exit.uidUID of the process
exit.userUser of the process
exit.user_session.k8s_groupsKubernetes groups of the user that executed the process
exit.user_session.k8s_uidKubernetes UID of the user that executed the process
exit.user_session.k8s_usernameKubernetes username of the user that executed the process

Event imds

An IMDS event was captured

PropertyDefinition
imds.aws.is_imds_v2a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions
imds.aws.security_credentials.typethe security credentials type
imds.cloud_providerthe intended cloud provider of the IMDS event
imds.hostthe host of the HTTP protocol
imds.serverthe server header of a response
imds.typethe type of IMDS event
imds.urlthe queried IMDS URL
imds.user_agentthe user agent of the HTTP client
network.destination.ipIP address
network.destination.is_publicWhether the IP address belongs to a public network
network.destination.portPort number
network.device.ifnameInterface ifname
network.l3_protocolL3 protocol of the network packet
network.l4_protocolL4 protocol of the network packet
network.network_directionNetwork direction of the network packet
network.sizeSize in bytes of the network packet
network.source.ipIP address
network.source.is_publicWhether the IP address belongs to a public network
network.source.portPort number

Create a new name/alias for a file

PropertyDefinition
link.file.change_timeChange time (ctime) of the file
link.file.destination.change_timeChange time (ctime) of the file
link.file.destination.filesystemFile’s filesystem
link.file.destination.gidGID of the file’s owner
link.file.destination.groupGroup of the file’s owner
link.file.destination.hashes[Experimental] List of cryptographic hashes computed for this file
link.file.destination.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
link.file.destination.inodeInode of the file
link.file.destination.modeMode of the file
link.file.destination.modification_timeModification time (mtime) of the file
link.file.destination.mount_idMount ID of the file
link.file.destination.nameFile’s basename
link.file.destination.name.lengthLength of the corresponding element
link.file.destination.package.name[Experimental] Name of the package that provided this file
link.file.destination.package.source_version[Experimental] Full version of the source package of the package that provided this file
link.file.destination.package.version[Experimental] Full version of the package that provided this file
link.file.destination.pathFile’s path
link.file.destination.path.lengthLength of the corresponding element
link.file.destination.rightsRights of the file
link.file.destination.uidUID of the file’s owner
link.file.destination.userUser of the file’s owner
link.file.filesystemFile’s filesystem
link.file.gidGID of the file’s owner
link.file.groupGroup of the file’s owner
link.file.hashes[Experimental] List of cryptographic hashes computed for this file
link.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
link.file.inodeInode of the file
link.file.modeMode of the file
link.file.modification_timeModification time (mtime) of the file
link.file.mount_idMount ID of the file
link.file.nameFile’s basename
link.file.name.lengthLength of the corresponding element
link.file.package.name[Experimental] Name of the package that provided this file
link.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
link.file.package.version[Experimental] Full version of the package that provided this file
link.file.pathFile’s path
link.file.path.lengthLength of the corresponding element
link.file.rightsRights of the file
link.file.uidUID of the file’s owner
link.file.userUser of the file’s owner
link.retvalReturn value of the syscall
link.syscall.destination.pathDestination path argument of the syscall
link.syscall.pathPath argument of the syscall

Event load_module

A new kernel module was loaded

PropertyDefinition
load_module.argsParameters (as a string) of the new kernel module
load_module.args_truncatedIndicates if the arguments were truncated or not
load_module.argvParameters (as an array) of the new kernel module
load_module.file.change_timeChange time (ctime) of the file
load_module.file.filesystemFile’s filesystem
load_module.file.gidGID of the file’s owner
load_module.file.groupGroup of the file’s owner
load_module.file.hashes[Experimental] List of cryptographic hashes computed for this file
load_module.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
load_module.file.inodeInode of the file
load_module.file.modeMode of the file
load_module.file.modification_timeModification time (mtime) of the file
load_module.file.mount_idMount ID of the file
load_module.file.nameFile’s basename
load_module.file.name.lengthLength of the corresponding element
load_module.file.package.name[Experimental] Name of the package that provided this file
load_module.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
load_module.file.package.version[Experimental] Full version of the package that provided this file
load_module.file.pathFile’s path
load_module.file.path.lengthLength of the corresponding element
load_module.file.rightsRights of the file
load_module.file.uidUID of the file’s owner
load_module.file.userUser of the file’s owner
load_module.loaded_from_memoryIndicates if the kernel module was loaded from memory
load_module.nameName of the new kernel module
load_module.retvalReturn value of the syscall

Event mkdir

A directory was created

PropertyDefinition
mkdir.file.change_timeChange time (ctime) of the file
mkdir.file.destination.modeMode of the new directory
mkdir.file.destination.rightsRights of the new directory
mkdir.file.filesystemFile’s filesystem
mkdir.file.gidGID of the file’s owner
mkdir.file.groupGroup of the file’s owner
mkdir.file.hashes[Experimental] List of cryptographic hashes computed for this file
mkdir.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
mkdir.file.inodeInode of the file
mkdir.file.modeMode of the file
mkdir.file.modification_timeModification time (mtime) of the file
mkdir.file.mount_idMount ID of the file
mkdir.file.nameFile’s basename
mkdir.file.name.lengthLength of the corresponding element
mkdir.file.package.name[Experimental] Name of the package that provided this file
mkdir.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
mkdir.file.package.version[Experimental] Full version of the package that provided this file
mkdir.file.pathFile’s path
mkdir.file.path.lengthLength of the corresponding element
mkdir.file.rightsRights of the file
mkdir.file.uidUID of the file’s owner
mkdir.file.userUser of the file’s owner
mkdir.retvalReturn value of the syscall
mkdir.syscall.modeMode of the new directory
mkdir.syscall.pathPath argument of the syscall

Event mmap

A mmap command was executed

PropertyDefinition
mmap.file.change_timeChange time (ctime) of the file
mmap.file.filesystemFile’s filesystem
mmap.file.gidGID of the file’s owner
mmap.file.groupGroup of the file’s owner
mmap.file.hashes[Experimental] List of cryptographic hashes computed for this file
mmap.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
mmap.file.inodeInode of the file
mmap.file.modeMode of the file
mmap.file.modification_timeModification time (mtime) of the file
mmap.file.mount_idMount ID of the file
mmap.file.nameFile’s basename
mmap.file.name.lengthLength of the corresponding element
mmap.file.package.name[Experimental] Name of the package that provided this file
mmap.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
mmap.file.package.version[Experimental] Full version of the package that provided this file
mmap.file.pathFile’s path
mmap.file.path.lengthLength of the corresponding element
mmap.file.rightsRights of the file
mmap.file.uidUID of the file’s owner
mmap.file.userUser of the file’s owner
mmap.flagsmemory segment flags
mmap.protectionmemory segment protection
mmap.retvalReturn value of the syscall

Event mount

This event type is experimental and may change in the future.

A filesystem was mounted

PropertyDefinition
mount.fs_typeType of the mounted file system
mount.mountpoint.pathPath of the mount point
mount.retvalReturn value of the syscall
mount.root.pathRoot path of the mount
mount.source.pathSource path of a bind mount
mount.syscall.fs_typeFile system type argument of the syscall
mount.syscall.mountpoint.pathMount point path argument of the syscall
mount.syscall.source.pathSource path argument of the syscall

Event mprotect

A mprotect command was executed

PropertyDefinition
mprotect.req_protectionnew memory segment protection
mprotect.retvalReturn value of the syscall
mprotect.vm_protectioninitial memory segment protection

Event network_flow_monitor

A network monitor event was sent

PropertyDefinition
network_flow_monitor.device.ifnameInterface ifname
network_flow_monitor.flows.destination.ipIP address
network_flow_monitor.flows.destination.is_publicWhether the IP address belongs to a public network
network_flow_monitor.flows.destination.portPort number
network_flow_monitor.flows.egress.data_sizeAmount of data transmitted or received
network_flow_monitor.flows.egress.packet_countCount of network packets transmitted or received
network_flow_monitor.flows.ingress.data_sizeAmount of data transmitted or received
network_flow_monitor.flows.ingress.packet_countCount of network packets transmitted or received
network_flow_monitor.flows.l3_protocolL3 protocol of the network packet
network_flow_monitor.flows.l4_protocolL4 protocol of the network packet
network_flow_monitor.flows.lengthLength of the corresponding element
network_flow_monitor.flows.source.ipIP address
network_flow_monitor.flows.source.is_publicWhether the IP address belongs to a public network
network_flow_monitor.flows.source.portPort number

Event open

A file was opened

PropertyDefinition
open.file.change_timeChange time (ctime) of the file
open.file.destination.modeMode of the created file
open.file.filesystemFile’s filesystem
open.file.gidGID of the file’s owner
open.file.groupGroup of the file’s owner
open.file.hashes[Experimental] List of cryptographic hashes computed for this file
open.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
open.file.inodeInode of the file
open.file.modeMode of the file
open.file.modification_timeModification time (mtime) of the file
open.file.mount_idMount ID of the file
open.file.nameFile’s basename
open.file.name.lengthLength of the corresponding element
open.file.package.name[Experimental] Name of the package that provided this file
open.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
open.file.package.version[Experimental] Full version of the package that provided this file
open.file.pathFile’s path
open.file.path.lengthLength of the corresponding element
open.file.rightsRights of the file
open.file.uidUID of the file’s owner
open.file.userUser of the file’s owner
open.flagsFlags used when opening the file
open.retvalReturn value of the syscall
open.syscall.flagsFlags argument of the syscall
open.syscall.modeMode argument of the syscall
open.syscall.pathPath argument of the syscall

Event packet

A raw network packet was captured

PropertyDefinition
packet.destination.ipIP address
packet.destination.is_publicWhether the IP address belongs to a public network
packet.destination.portPort number
packet.device.ifnameInterface ifname
packet.filterpcap filter expression
packet.l3_protocolL3 protocol of the network packet
packet.l4_protocolL4 protocol of the network packet
packet.network_directionNetwork direction of the network packet
packet.sizeSize in bytes of the network packet
packet.source.ipIP address
packet.source.is_publicWhether the IP address belongs to a public network
packet.source.portPort number
packet.tls.versionTLS version

Event ptrace

A ptrace command was executed

PropertyDefinition
ptrace.requestptrace request
ptrace.retvalReturn value of the syscall
ptrace.tracee.ancestors.argsArguments of the process (as a string, excluding argv0)
ptrace.tracee.ancestors.args_flagsFlags in the process arguments
ptrace.tracee.ancestors.args_optionsArgument of the process as options
ptrace.tracee.ancestors.args_truncatedIndicator of arguments truncation
ptrace.tracee.ancestors.argvArguments of the process (as an array, excluding argv0)
ptrace.tracee.ancestors.argv0First argument of the process
ptrace.tracee.ancestors.auidLogin UID of the process
ptrace.tracee.ancestors.cap_effectiveEffective capability set of the process
ptrace.tracee.ancestors.cap_permittedPermitted capability set of the process
ptrace.tracee.ancestors.cgroup.file.inodeInode of the file
ptrace.tracee.ancestors.cgroup.file.mount_idMount ID of the file
ptrace.tracee.ancestors.cgroup.idID of the cgroup
ptrace.tracee.ancestors.cgroup.manager[Experimental] Lifecycle manager of the cgroup
ptrace.tracee.ancestors.cgroup.version[Experimental] Version of the cgroup API
ptrace.tracee.ancestors.commComm attribute of the process
ptrace.tracee.ancestors.container.idContainer ID
ptrace.tracee.ancestors.created_atTimestamp of the creation of the process
ptrace.tracee.ancestors.egidEffective GID of the process
ptrace.tracee.ancestors.egroupEffective group of the process
ptrace.tracee.ancestors.envpEnvironment variables of the process
ptrace.tracee.ancestors.envsEnvironment variable names of the process
ptrace.tracee.ancestors.envs_truncatedIndicator of environment variables truncation
ptrace.tracee.ancestors.euidEffective UID of the process
ptrace.tracee.ancestors.euserEffective user of the process
ptrace.tracee.ancestors.file.change_timeChange time (ctime) of the file
ptrace.tracee.ancestors.file.filesystemFile’s filesystem
ptrace.tracee.ancestors.file.gidGID of the file’s owner
ptrace.tracee.ancestors.file.groupGroup of the file’s owner
ptrace.tracee.ancestors.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.ancestors.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.ancestors.file.inodeInode of the file
ptrace.tracee.ancestors.file.modeMode of the file
ptrace.tracee.ancestors.file.modification_timeModification time (mtime) of the file
ptrace.tracee.ancestors.file.mount_idMount ID of the file
ptrace.tracee.ancestors.file.nameFile’s basename
ptrace.tracee.ancestors.file.name.lengthLength of the corresponding element
ptrace.tracee.ancestors.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.ancestors.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.ancestors.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.ancestors.file.pathFile’s path
ptrace.tracee.ancestors.file.path.lengthLength of the corresponding element
ptrace.tracee.ancestors.file.rightsRights of the file
ptrace.tracee.ancestors.file.uidUID of the file’s owner
ptrace.tracee.ancestors.file.userUser of the file’s owner
ptrace.tracee.ancestors.fsgidFileSystem-gid of the process
ptrace.tracee.ancestors.fsgroupFileSystem-group of the process
ptrace.tracee.ancestors.fsuidFileSystem-uid of the process
ptrace.tracee.ancestors.fsuserFileSystem-user of the process
ptrace.tracee.ancestors.gidGID of the process
ptrace.tracee.ancestors.groupGroup of the process
ptrace.tracee.ancestors.interpreter.file.change_timeChange time (ctime) of the file
ptrace.tracee.ancestors.interpreter.file.filesystemFile’s filesystem
ptrace.tracee.ancestors.interpreter.file.gidGID of the file’s owner
ptrace.tracee.ancestors.interpreter.file.groupGroup of the file’s owner
ptrace.tracee.ancestors.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.ancestors.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.ancestors.interpreter.file.inodeInode of the file
ptrace.tracee.ancestors.interpreter.file.modeMode of the file
ptrace.tracee.ancestors.interpreter.file.modification_timeModification time (mtime) of the file
ptrace.tracee.ancestors.interpreter.file.mount_idMount ID of the file
ptrace.tracee.ancestors.interpreter.file.nameFile’s basename
ptrace.tracee.ancestors.interpreter.file.name.lengthLength of the corresponding element
ptrace.tracee.ancestors.interpreter.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.ancestors.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.ancestors.interpreter.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.ancestors.interpreter.file.pathFile’s path
ptrace.tracee.ancestors.interpreter.file.path.lengthLength of the corresponding element
ptrace.tracee.ancestors.interpreter.file.rightsRights of the file
ptrace.tracee.ancestors.interpreter.file.uidUID of the file’s owner
ptrace.tracee.ancestors.interpreter.file.userUser of the file’s owner
ptrace.tracee.ancestors.is_execIndicates whether the process entry is from a new binary execution
ptrace.tracee.ancestors.is_kworkerIndicates whether the process is a kworker
ptrace.tracee.ancestors.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.ancestors.lengthLength of the corresponding element
ptrace.tracee.ancestors.pidProcess ID of the process (also called thread group ID)
ptrace.tracee.ancestors.ppidParent process ID
ptrace.tracee.ancestors.tidThread ID of the thread
ptrace.tracee.ancestors.tty_nameName of the TTY associated with the process
ptrace.tracee.ancestors.uidUID of the process
ptrace.tracee.ancestors.userUser of the process
ptrace.tracee.ancestors.user_session.k8s_groupsKubernetes groups of the user that executed the process
ptrace.tracee.ancestors.user_session.k8s_uidKubernetes UID of the user that executed the process
ptrace.tracee.ancestors.user_session.k8s_usernameKubernetes username of the user that executed the process
ptrace.tracee.argsArguments of the process (as a string, excluding argv0)
ptrace.tracee.args_flagsFlags in the process arguments
ptrace.tracee.args_optionsArgument of the process as options
ptrace.tracee.args_truncatedIndicator of arguments truncation
ptrace.tracee.argvArguments of the process (as an array, excluding argv0)
ptrace.tracee.argv0First argument of the process
ptrace.tracee.auidLogin UID of the process
ptrace.tracee.cap_effectiveEffective capability set of the process
ptrace.tracee.cap_permittedPermitted capability set of the process
ptrace.tracee.cgroup.file.inodeInode of the file
ptrace.tracee.cgroup.file.mount_idMount ID of the file
ptrace.tracee.cgroup.idID of the cgroup
ptrace.tracee.cgroup.manager[Experimental] Lifecycle manager of the cgroup
ptrace.tracee.cgroup.version[Experimental] Version of the cgroup API
ptrace.tracee.commComm attribute of the process
ptrace.tracee.container.idContainer ID
ptrace.tracee.created_atTimestamp of the creation of the process
ptrace.tracee.egidEffective GID of the process
ptrace.tracee.egroupEffective group of the process
ptrace.tracee.envpEnvironment variables of the process
ptrace.tracee.envsEnvironment variable names of the process
ptrace.tracee.envs_truncatedIndicator of environment variables truncation
ptrace.tracee.euidEffective UID of the process
ptrace.tracee.euserEffective user of the process
ptrace.tracee.file.change_timeChange time (ctime) of the file
ptrace.tracee.file.filesystemFile’s filesystem
ptrace.tracee.file.gidGID of the file’s owner
ptrace.tracee.file.groupGroup of the file’s owner
ptrace.tracee.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.file.inodeInode of the file
ptrace.tracee.file.modeMode of the file
ptrace.tracee.file.modification_timeModification time (mtime) of the file
ptrace.tracee.file.mount_idMount ID of the file
ptrace.tracee.file.nameFile’s basename
ptrace.tracee.file.name.lengthLength of the corresponding element
ptrace.tracee.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.file.pathFile’s path
ptrace.tracee.file.path.lengthLength of the corresponding element
ptrace.tracee.file.rightsRights of the file
ptrace.tracee.file.uidUID of the file’s owner
ptrace.tracee.file.userUser of the file’s owner
ptrace.tracee.fsgidFileSystem-gid of the process
ptrace.tracee.fsgroupFileSystem-group of the process
ptrace.tracee.fsuidFileSystem-uid of the process
ptrace.tracee.fsuserFileSystem-user of the process
ptrace.tracee.gidGID of the process
ptrace.tracee.groupGroup of the process
ptrace.tracee.interpreter.file.change_timeChange time (ctime) of the file
ptrace.tracee.interpreter.file.filesystemFile’s filesystem
ptrace.tracee.interpreter.file.gidGID of the file’s owner
ptrace.tracee.interpreter.file.groupGroup of the file’s owner
ptrace.tracee.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.interpreter.file.inodeInode of the file
ptrace.tracee.interpreter.file.modeMode of the file
ptrace.tracee.interpreter.file.modification_timeModification time (mtime) of the file
ptrace.tracee.interpreter.file.mount_idMount ID of the file
ptrace.tracee.interpreter.file.nameFile’s basename
ptrace.tracee.interpreter.file.name.lengthLength of the corresponding element
ptrace.tracee.interpreter.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.interpreter.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.interpreter.file.pathFile’s path
ptrace.tracee.interpreter.file.path.lengthLength of the corresponding element
ptrace.tracee.interpreter.file.rightsRights of the file
ptrace.tracee.interpreter.file.uidUID of the file’s owner
ptrace.tracee.interpreter.file.userUser of the file’s owner
ptrace.tracee.is_execIndicates whether the process entry is from a new binary execution
ptrace.tracee.is_kworkerIndicates whether the process is a kworker
ptrace.tracee.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.parent.argsArguments of the process (as a string, excluding argv0)
ptrace.tracee.parent.args_flagsFlags in the process arguments
ptrace.tracee.parent.args_optionsArgument of the process as options
ptrace.tracee.parent.args_truncatedIndicator of arguments truncation
ptrace.tracee.parent.argvArguments of the process (as an array, excluding argv0)
ptrace.tracee.parent.argv0First argument of the process
ptrace.tracee.parent.auidLogin UID of the process
ptrace.tracee.parent.cap_effectiveEffective capability set of the process
ptrace.tracee.parent.cap_permittedPermitted capability set of the process
ptrace.tracee.parent.cgroup.file.inodeInode of the file
ptrace.tracee.parent.cgroup.file.mount_idMount ID of the file
ptrace.tracee.parent.cgroup.idID of the cgroup
ptrace.tracee.parent.cgroup.manager[Experimental] Lifecycle manager of the cgroup
ptrace.tracee.parent.cgroup.version[Experimental] Version of the cgroup API
ptrace.tracee.parent.commComm attribute of the process
ptrace.tracee.parent.container.idContainer ID
ptrace.tracee.parent.created_atTimestamp of the creation of the process
ptrace.tracee.parent.egidEffective GID of the process
ptrace.tracee.parent.egroupEffective group of the process
ptrace.tracee.parent.envpEnvironment variables of the process
ptrace.tracee.parent.envsEnvironment variable names of the process
ptrace.tracee.parent.envs_truncatedIndicator of environment variables truncation
ptrace.tracee.parent.euidEffective UID of the process
ptrace.tracee.parent.euserEffective user of the process
ptrace.tracee.parent.file.change_timeChange time (ctime) of the file
ptrace.tracee.parent.file.filesystemFile’s filesystem
ptrace.tracee.parent.file.gidGID of the file’s owner
ptrace.tracee.parent.file.groupGroup of the file’s owner
ptrace.tracee.parent.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.parent.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.parent.file.inodeInode of the file
ptrace.tracee.parent.file.modeMode of the file
ptrace.tracee.parent.file.modification_timeModification time (mtime) of the file
ptrace.tracee.parent.file.mount_idMount ID of the file
ptrace.tracee.parent.file.nameFile’s basename
ptrace.tracee.parent.file.name.lengthLength of the corresponding element
ptrace.tracee.parent.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.parent.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.parent.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.parent.file.pathFile’s path
ptrace.tracee.parent.file.path.lengthLength of the corresponding element
ptrace.tracee.parent.file.rightsRights of the file
ptrace.tracee.parent.file.uidUID of the file’s owner
ptrace.tracee.parent.file.userUser of the file’s owner
ptrace.tracee.parent.fsgidFileSystem-gid of the process
ptrace.tracee.parent.fsgroupFileSystem-group of the process
ptrace.tracee.parent.fsuidFileSystem-uid of the process
ptrace.tracee.parent.fsuserFileSystem-user of the process
ptrace.tracee.parent.gidGID of the process
ptrace.tracee.parent.groupGroup of the process
ptrace.tracee.parent.interpreter.file.change_timeChange time (ctime) of the file
ptrace.tracee.parent.interpreter.file.filesystemFile’s filesystem
ptrace.tracee.parent.interpreter.file.gidGID of the file’s owner
ptrace.tracee.parent.interpreter.file.groupGroup of the file’s owner
ptrace.tracee.parent.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
ptrace.tracee.parent.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
ptrace.tracee.parent.interpreter.file.inodeInode of the file
ptrace.tracee.parent.interpreter.file.modeMode of the file
ptrace.tracee.parent.interpreter.file.modification_timeModification time (mtime) of the file
ptrace.tracee.parent.interpreter.file.mount_idMount ID of the file
ptrace.tracee.parent.interpreter.file.nameFile’s basename
ptrace.tracee.parent.interpreter.file.name.lengthLength of the corresponding element
ptrace.tracee.parent.interpreter.file.package.name[Experimental] Name of the package that provided this file
ptrace.tracee.parent.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
ptrace.tracee.parent.interpreter.file.package.version[Experimental] Full version of the package that provided this file
ptrace.tracee.parent.interpreter.file.pathFile’s path
ptrace.tracee.parent.interpreter.file.path.lengthLength of the corresponding element
ptrace.tracee.parent.interpreter.file.rightsRights of the file
ptrace.tracee.parent.interpreter.file.uidUID of the file’s owner
ptrace.tracee.parent.interpreter.file.userUser of the file’s owner
ptrace.tracee.parent.is_execIndicates whether the process entry is from a new binary execution
ptrace.tracee.parent.is_kworkerIndicates whether the process is a kworker
ptrace.tracee.parent.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
ptrace.tracee.parent.pidProcess ID of the process (also called thread group ID)
ptrace.tracee.parent.ppidParent process ID
ptrace.tracee.parent.tidThread ID of the thread
ptrace.tracee.parent.tty_nameName of the TTY associated with the process
ptrace.tracee.parent.uidUID of the process
ptrace.tracee.parent.userUser of the process
ptrace.tracee.parent.user_session.k8s_groupsKubernetes groups of the user that executed the process
ptrace.tracee.parent.user_session.k8s_uidKubernetes UID of the user that executed the process
ptrace.tracee.parent.user_session.k8s_usernameKubernetes username of the user that executed the process
ptrace.tracee.pidProcess ID of the process (also called thread group ID)
ptrace.tracee.ppidParent process ID
ptrace.tracee.tidThread ID of the thread
ptrace.tracee.tty_nameName of the TTY associated with the process
ptrace.tracee.uidUID of the process
ptrace.tracee.userUser of the process
ptrace.tracee.user_session.k8s_groupsKubernetes groups of the user that executed the process
ptrace.tracee.user_session.k8s_uidKubernetes UID of the user that executed the process
ptrace.tracee.user_session.k8s_usernameKubernetes username of the user that executed the process

Event removexattr

Remove extended attributes

PropertyDefinition
removexattr.file.change_timeChange time (ctime) of the file
removexattr.file.destination.nameName of the extended attribute
removexattr.file.destination.namespaceNamespace of the extended attribute
removexattr.file.filesystemFile’s filesystem
removexattr.file.gidGID of the file’s owner
removexattr.file.groupGroup of the file’s owner
removexattr.file.hashes[Experimental] List of cryptographic hashes computed for this file
removexattr.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
removexattr.file.inodeInode of the file
removexattr.file.modeMode of the file
removexattr.file.modification_timeModification time (mtime) of the file
removexattr.file.mount_idMount ID of the file
removexattr.file.nameFile’s basename
removexattr.file.name.lengthLength of the corresponding element
removexattr.file.package.name[Experimental] Name of the package that provided this file
removexattr.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
removexattr.file.package.version[Experimental] Full version of the package that provided this file
removexattr.file.pathFile’s path
removexattr.file.path.lengthLength of the corresponding element
removexattr.file.rightsRights of the file
removexattr.file.uidUID of the file’s owner
removexattr.file.userUser of the file’s owner
removexattr.retvalReturn value of the syscall

Event rename

A file/directory was renamed

PropertyDefinition
rename.file.change_timeChange time (ctime) of the file
rename.file.destination.change_timeChange time (ctime) of the file
rename.file.destination.filesystemFile’s filesystem
rename.file.destination.gidGID of the file’s owner
rename.file.destination.groupGroup of the file’s owner
rename.file.destination.hashes[Experimental] List of cryptographic hashes computed for this file
rename.file.destination.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
rename.file.destination.inodeInode of the file
rename.file.destination.modeMode of the file
rename.file.destination.modification_timeModification time (mtime) of the file
rename.file.destination.mount_idMount ID of the file
rename.file.destination.nameFile’s basename
rename.file.destination.name.lengthLength of the corresponding element
rename.file.destination.package.name[Experimental] Name of the package that provided this file
rename.file.destination.package.source_version[Experimental] Full version of the source package of the package that provided this file
rename.file.destination.package.version[Experimental] Full version of the package that provided this file
rename.file.destination.pathFile’s path
rename.file.destination.path.lengthLength of the corresponding element
rename.file.destination.rightsRights of the file
rename.file.destination.uidUID of the file’s owner
rename.file.destination.userUser of the file’s owner
rename.file.filesystemFile’s filesystem
rename.file.gidGID of the file’s owner
rename.file.groupGroup of the file’s owner
rename.file.hashes[Experimental] List of cryptographic hashes computed for this file
rename.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
rename.file.inodeInode of the file
rename.file.modeMode of the file
rename.file.modification_timeModification time (mtime) of the file
rename.file.mount_idMount ID of the file
rename.file.nameFile’s basename
rename.file.name.lengthLength of the corresponding element
rename.file.package.name[Experimental] Name of the package that provided this file
rename.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
rename.file.package.version[Experimental] Full version of the package that provided this file
rename.file.pathFile’s path
rename.file.path.lengthLength of the corresponding element
rename.file.rightsRights of the file
rename.file.uidUID of the file’s owner
rename.file.userUser of the file’s owner
rename.retvalReturn value of the syscall
rename.syscall.destination.pathDestination path argument of the syscall
rename.syscall.pathPath argument of the syscall

Event rmdir

A directory was removed

PropertyDefinition
rmdir.file.change_timeChange time (ctime) of the file
rmdir.file.filesystemFile’s filesystem
rmdir.file.gidGID of the file’s owner
rmdir.file.groupGroup of the file’s owner
rmdir.file.hashes[Experimental] List of cryptographic hashes computed for this file
rmdir.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
rmdir.file.inodeInode of the file
rmdir.file.modeMode of the file
rmdir.file.modification_timeModification time (mtime) of the file
rmdir.file.mount_idMount ID of the file
rmdir.file.nameFile’s basename
rmdir.file.name.lengthLength of the corresponding element
rmdir.file.package.name[Experimental] Name of the package that provided this file
rmdir.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
rmdir.file.package.version[Experimental] Full version of the package that provided this file
rmdir.file.pathFile’s path
rmdir.file.path.lengthLength of the corresponding element
rmdir.file.rightsRights of the file
rmdir.file.uidUID of the file’s owner
rmdir.file.userUser of the file’s owner
rmdir.retvalReturn value of the syscall
rmdir.syscall.pathPath argument of the syscall

Event selinux

An SELinux operation was run

PropertyDefinition
selinux.bool.nameSELinux boolean name
selinux.bool.stateSELinux boolean new value
selinux.bool_commit.stateIndicator of a SELinux boolean commit operation
selinux.enforce.statusSELinux enforcement status (one of “enforcing”, “permissive”, “disabled”)

Event setgid

A process changed its effective gid

PropertyDefinition
setgid.egidNew effective GID of the process
setgid.egroupNew effective group of the process
setgid.fsgidNew FileSystem GID of the process
setgid.fsgroupNew FileSystem group of the process
setgid.gidNew GID of the process
setgid.groupNew group of the process

Event setuid

A process changed its effective uid

PropertyDefinition
setuid.euidNew effective UID of the process
setuid.euserNew effective user of the process
setuid.fsuidNew FileSystem UID of the process
setuid.fsuserNew FileSystem user of the process
setuid.uidNew UID of the process
setuid.userNew user of the process

Event setxattr

Set exteneded attributes

PropertyDefinition
setxattr.file.change_timeChange time (ctime) of the file
setxattr.file.destination.nameName of the extended attribute
setxattr.file.destination.namespaceNamespace of the extended attribute
setxattr.file.filesystemFile’s filesystem
setxattr.file.gidGID of the file’s owner
setxattr.file.groupGroup of the file’s owner
setxattr.file.hashes[Experimental] List of cryptographic hashes computed for this file
setxattr.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
setxattr.file.inodeInode of the file
setxattr.file.modeMode of the file
setxattr.file.modification_timeModification time (mtime) of the file
setxattr.file.mount_idMount ID of the file
setxattr.file.nameFile’s basename
setxattr.file.name.lengthLength of the corresponding element
setxattr.file.package.name[Experimental] Name of the package that provided this file
setxattr.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
setxattr.file.package.version[Experimental] Full version of the package that provided this file
setxattr.file.pathFile’s path
setxattr.file.path.lengthLength of the corresponding element
setxattr.file.rightsRights of the file
setxattr.file.uidUID of the file’s owner
setxattr.file.userUser of the file’s owner
setxattr.retvalReturn value of the syscall

Event signal

A signal was sent

PropertyDefinition
signal.pidTarget PID
signal.retvalReturn value of the syscall
signal.target.ancestors.argsArguments of the process (as a string, excluding argv0)
signal.target.ancestors.args_flagsFlags in the process arguments
signal.target.ancestors.args_optionsArgument of the process as options
signal.target.ancestors.args_truncatedIndicator of arguments truncation
signal.target.ancestors.argvArguments of the process (as an array, excluding argv0)
signal.target.ancestors.argv0First argument of the process
signal.target.ancestors.auidLogin UID of the process
signal.target.ancestors.cap_effectiveEffective capability set of the process
signal.target.ancestors.cap_permittedPermitted capability set of the process
signal.target.ancestors.cgroup.file.inodeInode of the file
signal.target.ancestors.cgroup.file.mount_idMount ID of the file
signal.target.ancestors.cgroup.idID of the cgroup
signal.target.ancestors.cgroup.manager[Experimental] Lifecycle manager of the cgroup
signal.target.ancestors.cgroup.version[Experimental] Version of the cgroup API
signal.target.ancestors.commComm attribute of the process
signal.target.ancestors.container.idContainer ID
signal.target.ancestors.created_atTimestamp of the creation of the process
signal.target.ancestors.egidEffective GID of the process
signal.target.ancestors.egroupEffective group of the process
signal.target.ancestors.envpEnvironment variables of the process
signal.target.ancestors.envsEnvironment variable names of the process
signal.target.ancestors.envs_truncatedIndicator of environment variables truncation
signal.target.ancestors.euidEffective UID of the process
signal.target.ancestors.euserEffective user of the process
signal.target.ancestors.file.change_timeChange time (ctime) of the file
signal.target.ancestors.file.filesystemFile’s filesystem
signal.target.ancestors.file.gidGID of the file’s owner
signal.target.ancestors.file.groupGroup of the file’s owner
signal.target.ancestors.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.ancestors.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.ancestors.file.inodeInode of the file
signal.target.ancestors.file.modeMode of the file
signal.target.ancestors.file.modification_timeModification time (mtime) of the file
signal.target.ancestors.file.mount_idMount ID of the file
signal.target.ancestors.file.nameFile’s basename
signal.target.ancestors.file.name.lengthLength of the corresponding element
signal.target.ancestors.file.package.name[Experimental] Name of the package that provided this file
signal.target.ancestors.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.ancestors.file.package.version[Experimental] Full version of the package that provided this file
signal.target.ancestors.file.pathFile’s path
signal.target.ancestors.file.path.lengthLength of the corresponding element
signal.target.ancestors.file.rightsRights of the file
signal.target.ancestors.file.uidUID of the file’s owner
signal.target.ancestors.file.userUser of the file’s owner
signal.target.ancestors.fsgidFileSystem-gid of the process
signal.target.ancestors.fsgroupFileSystem-group of the process
signal.target.ancestors.fsuidFileSystem-uid of the process
signal.target.ancestors.fsuserFileSystem-user of the process
signal.target.ancestors.gidGID of the process
signal.target.ancestors.groupGroup of the process
signal.target.ancestors.interpreter.file.change_timeChange time (ctime) of the file
signal.target.ancestors.interpreter.file.filesystemFile’s filesystem
signal.target.ancestors.interpreter.file.gidGID of the file’s owner
signal.target.ancestors.interpreter.file.groupGroup of the file’s owner
signal.target.ancestors.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.ancestors.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.ancestors.interpreter.file.inodeInode of the file
signal.target.ancestors.interpreter.file.modeMode of the file
signal.target.ancestors.interpreter.file.modification_timeModification time (mtime) of the file
signal.target.ancestors.interpreter.file.mount_idMount ID of the file
signal.target.ancestors.interpreter.file.nameFile’s basename
signal.target.ancestors.interpreter.file.name.lengthLength of the corresponding element
signal.target.ancestors.interpreter.file.package.name[Experimental] Name of the package that provided this file
signal.target.ancestors.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.ancestors.interpreter.file.package.version[Experimental] Full version of the package that provided this file
signal.target.ancestors.interpreter.file.pathFile’s path
signal.target.ancestors.interpreter.file.path.lengthLength of the corresponding element
signal.target.ancestors.interpreter.file.rightsRights of the file
signal.target.ancestors.interpreter.file.uidUID of the file’s owner
signal.target.ancestors.interpreter.file.userUser of the file’s owner
signal.target.ancestors.is_execIndicates whether the process entry is from a new binary execution
signal.target.ancestors.is_kworkerIndicates whether the process is a kworker
signal.target.ancestors.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.ancestors.lengthLength of the corresponding element
signal.target.ancestors.pidProcess ID of the process (also called thread group ID)
signal.target.ancestors.ppidParent process ID
signal.target.ancestors.tidThread ID of the thread
signal.target.ancestors.tty_nameName of the TTY associated with the process
signal.target.ancestors.uidUID of the process
signal.target.ancestors.userUser of the process
signal.target.ancestors.user_session.k8s_groupsKubernetes groups of the user that executed the process
signal.target.ancestors.user_session.k8s_uidKubernetes UID of the user that executed the process
signal.target.ancestors.user_session.k8s_usernameKubernetes username of the user that executed the process
signal.target.argsArguments of the process (as a string, excluding argv0)
signal.target.args_flagsFlags in the process arguments
signal.target.args_optionsArgument of the process as options
signal.target.args_truncatedIndicator of arguments truncation
signal.target.argvArguments of the process (as an array, excluding argv0)
signal.target.argv0First argument of the process
signal.target.auidLogin UID of the process
signal.target.cap_effectiveEffective capability set of the process
signal.target.cap_permittedPermitted capability set of the process
signal.target.cgroup.file.inodeInode of the file
signal.target.cgroup.file.mount_idMount ID of the file
signal.target.cgroup.idID of the cgroup
signal.target.cgroup.manager[Experimental] Lifecycle manager of the cgroup
signal.target.cgroup.version[Experimental] Version of the cgroup API
signal.target.commComm attribute of the process
signal.target.container.idContainer ID
signal.target.created_atTimestamp of the creation of the process
signal.target.egidEffective GID of the process
signal.target.egroupEffective group of the process
signal.target.envpEnvironment variables of the process
signal.target.envsEnvironment variable names of the process
signal.target.envs_truncatedIndicator of environment variables truncation
signal.target.euidEffective UID of the process
signal.target.euserEffective user of the process
signal.target.file.change_timeChange time (ctime) of the file
signal.target.file.filesystemFile’s filesystem
signal.target.file.gidGID of the file’s owner
signal.target.file.groupGroup of the file’s owner
signal.target.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.file.inodeInode of the file
signal.target.file.modeMode of the file
signal.target.file.modification_timeModification time (mtime) of the file
signal.target.file.mount_idMount ID of the file
signal.target.file.nameFile’s basename
signal.target.file.name.lengthLength of the corresponding element
signal.target.file.package.name[Experimental] Name of the package that provided this file
signal.target.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.file.package.version[Experimental] Full version of the package that provided this file
signal.target.file.pathFile’s path
signal.target.file.path.lengthLength of the corresponding element
signal.target.file.rightsRights of the file
signal.target.file.uidUID of the file’s owner
signal.target.file.userUser of the file’s owner
signal.target.fsgidFileSystem-gid of the process
signal.target.fsgroupFileSystem-group of the process
signal.target.fsuidFileSystem-uid of the process
signal.target.fsuserFileSystem-user of the process
signal.target.gidGID of the process
signal.target.groupGroup of the process
signal.target.interpreter.file.change_timeChange time (ctime) of the file
signal.target.interpreter.file.filesystemFile’s filesystem
signal.target.interpreter.file.gidGID of the file’s owner
signal.target.interpreter.file.groupGroup of the file’s owner
signal.target.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.interpreter.file.inodeInode of the file
signal.target.interpreter.file.modeMode of the file
signal.target.interpreter.file.modification_timeModification time (mtime) of the file
signal.target.interpreter.file.mount_idMount ID of the file
signal.target.interpreter.file.nameFile’s basename
signal.target.interpreter.file.name.lengthLength of the corresponding element
signal.target.interpreter.file.package.name[Experimental] Name of the package that provided this file
signal.target.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.interpreter.file.package.version[Experimental] Full version of the package that provided this file
signal.target.interpreter.file.pathFile’s path
signal.target.interpreter.file.path.lengthLength of the corresponding element
signal.target.interpreter.file.rightsRights of the file
signal.target.interpreter.file.uidUID of the file’s owner
signal.target.interpreter.file.userUser of the file’s owner
signal.target.is_execIndicates whether the process entry is from a new binary execution
signal.target.is_kworkerIndicates whether the process is a kworker
signal.target.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.parent.argsArguments of the process (as a string, excluding argv0)
signal.target.parent.args_flagsFlags in the process arguments
signal.target.parent.args_optionsArgument of the process as options
signal.target.parent.args_truncatedIndicator of arguments truncation
signal.target.parent.argvArguments of the process (as an array, excluding argv0)
signal.target.parent.argv0First argument of the process
signal.target.parent.auidLogin UID of the process
signal.target.parent.cap_effectiveEffective capability set of the process
signal.target.parent.cap_permittedPermitted capability set of the process
signal.target.parent.cgroup.file.inodeInode of the file
signal.target.parent.cgroup.file.mount_idMount ID of the file
signal.target.parent.cgroup.idID of the cgroup
signal.target.parent.cgroup.manager[Experimental] Lifecycle manager of the cgroup
signal.target.parent.cgroup.version[Experimental] Version of the cgroup API
signal.target.parent.commComm attribute of the process
signal.target.parent.container.idContainer ID
signal.target.parent.created_atTimestamp of the creation of the process
signal.target.parent.egidEffective GID of the process
signal.target.parent.egroupEffective group of the process
signal.target.parent.envpEnvironment variables of the process
signal.target.parent.envsEnvironment variable names of the process
signal.target.parent.envs_truncatedIndicator of environment variables truncation
signal.target.parent.euidEffective UID of the process
signal.target.parent.euserEffective user of the process
signal.target.parent.file.change_timeChange time (ctime) of the file
signal.target.parent.file.filesystemFile’s filesystem
signal.target.parent.file.gidGID of the file’s owner
signal.target.parent.file.groupGroup of the file’s owner
signal.target.parent.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.parent.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.parent.file.inodeInode of the file
signal.target.parent.file.modeMode of the file
signal.target.parent.file.modification_timeModification time (mtime) of the file
signal.target.parent.file.mount_idMount ID of the file
signal.target.parent.file.nameFile’s basename
signal.target.parent.file.name.lengthLength of the corresponding element
signal.target.parent.file.package.name[Experimental] Name of the package that provided this file
signal.target.parent.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.parent.file.package.version[Experimental] Full version of the package that provided this file
signal.target.parent.file.pathFile’s path
signal.target.parent.file.path.lengthLength of the corresponding element
signal.target.parent.file.rightsRights of the file
signal.target.parent.file.uidUID of the file’s owner
signal.target.parent.file.userUser of the file’s owner
signal.target.parent.fsgidFileSystem-gid of the process
signal.target.parent.fsgroupFileSystem-group of the process
signal.target.parent.fsuidFileSystem-uid of the process
signal.target.parent.fsuserFileSystem-user of the process
signal.target.parent.gidGID of the process
signal.target.parent.groupGroup of the process
signal.target.parent.interpreter.file.change_timeChange time (ctime) of the file
signal.target.parent.interpreter.file.filesystemFile’s filesystem
signal.target.parent.interpreter.file.gidGID of the file’s owner
signal.target.parent.interpreter.file.groupGroup of the file’s owner
signal.target.parent.interpreter.file.hashes[Experimental] List of cryptographic hashes computed for this file
signal.target.parent.interpreter.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
signal.target.parent.interpreter.file.inodeInode of the file
signal.target.parent.interpreter.file.modeMode of the file
signal.target.parent.interpreter.file.modification_timeModification time (mtime) of the file
signal.target.parent.interpreter.file.mount_idMount ID of the file
signal.target.parent.interpreter.file.nameFile’s basename
signal.target.parent.interpreter.file.name.lengthLength of the corresponding element
signal.target.parent.interpreter.file.package.name[Experimental] Name of the package that provided this file
signal.target.parent.interpreter.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
signal.target.parent.interpreter.file.package.version[Experimental] Full version of the package that provided this file
signal.target.parent.interpreter.file.pathFile’s path
signal.target.parent.interpreter.file.path.lengthLength of the corresponding element
signal.target.parent.interpreter.file.rightsRights of the file
signal.target.parent.interpreter.file.uidUID of the file’s owner
signal.target.parent.interpreter.file.userUser of the file’s owner
signal.target.parent.is_execIndicates whether the process entry is from a new binary execution
signal.target.parent.is_kworkerIndicates whether the process is a kworker
signal.target.parent.is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
signal.target.parent.pidProcess ID of the process (also called thread group ID)
signal.target.parent.ppidParent process ID
signal.target.parent.tidThread ID of the thread
signal.target.parent.tty_nameName of the TTY associated with the process
signal.target.parent.uidUID of the process
signal.target.parent.userUser of the process
signal.target.parent.user_session.k8s_groupsKubernetes groups of the user that executed the process
signal.target.parent.user_session.k8s_uidKubernetes UID of the user that executed the process
signal.target.parent.user_session.k8s_usernameKubernetes username of the user that executed the process
signal.target.pidProcess ID of the process (also called thread group ID)
signal.target.ppidParent process ID
signal.target.tidThread ID of the thread
signal.target.tty_nameName of the TTY associated with the process
signal.target.uidUID of the process
signal.target.userUser of the process
signal.target.user_session.k8s_groupsKubernetes groups of the user that executed the process
signal.target.user_session.k8s_uidKubernetes UID of the user that executed the process
signal.target.user_session.k8s_usernameKubernetes username of the user that executed the process
signal.typeSignal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)

Event splice

A splice command was executed

PropertyDefinition
splice.file.change_timeChange time (ctime) of the file
splice.file.filesystemFile’s filesystem
splice.file.gidGID of the file’s owner
splice.file.groupGroup of the file’s owner
splice.file.hashes[Experimental] List of cryptographic hashes computed for this file
splice.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
splice.file.inodeInode of the file
splice.file.modeMode of the file
splice.file.modification_timeModification time (mtime) of the file
splice.file.mount_idMount ID of the file
splice.file.nameFile’s basename
splice.file.name.lengthLength of the corresponding element
splice.file.package.name[Experimental] Name of the package that provided this file
splice.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
splice.file.package.version[Experimental] Full version of the package that provided this file
splice.file.pathFile’s path
splice.file.path.lengthLength of the corresponding element
splice.file.rightsRights of the file
splice.file.uidUID of the file’s owner
splice.file.userUser of the file’s owner
splice.pipe_entry_flagEntry flag of the “fd_out” pipe passed to the splice syscall
splice.pipe_exit_flagExit flag of the “fd_out” pipe passed to the splice syscall
splice.retvalReturn value of the syscall

A file was deleted

PropertyDefinition
unlink.file.change_timeChange time (ctime) of the file
unlink.file.filesystemFile’s filesystem
unlink.file.gidGID of the file’s owner
unlink.file.groupGroup of the file’s owner
unlink.file.hashes[Experimental] List of cryptographic hashes computed for this file
unlink.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
unlink.file.inodeInode of the file
unlink.file.modeMode of the file
unlink.file.modification_timeModification time (mtime) of the file
unlink.file.mount_idMount ID of the file
unlink.file.nameFile’s basename
unlink.file.name.lengthLength of the corresponding element
unlink.file.package.name[Experimental] Name of the package that provided this file
unlink.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
unlink.file.package.version[Experimental] Full version of the package that provided this file
unlink.file.pathFile’s path
unlink.file.path.lengthLength of the corresponding element
unlink.file.rightsRights of the file
unlink.file.uidUID of the file’s owner
unlink.file.userUser of the file’s owner
unlink.flagsFlags of the unlink syscall
unlink.retvalReturn value of the syscall
unlink.syscall.dirfdDirectory file descriptor argument of the syscall
unlink.syscall.flagsFlags argument of the syscall
unlink.syscall.pathPath argument of the syscall

Event unload_module

A kernel module was deleted

PropertyDefinition
unload_module.nameName of the kernel module that was deleted
unload_module.retvalReturn value of the syscall

Event utimes

Change file access/modification times

PropertyDefinition
utimes.file.change_timeChange time (ctime) of the file
utimes.file.filesystemFile’s filesystem
utimes.file.gidGID of the file’s owner
utimes.file.groupGroup of the file’s owner
utimes.file.hashes[Experimental] List of cryptographic hashes computed for this file
utimes.file.in_upper_layerIndicator of the file layer, for example, in an OverlayFS
utimes.file.inodeInode of the file
utimes.file.modeMode of the file
utimes.file.modification_timeModification time (mtime) of the file
utimes.file.mount_idMount ID of the file
utimes.file.nameFile’s basename
utimes.file.name.lengthLength of the corresponding element
utimes.file.package.name[Experimental] Name of the package that provided this file
utimes.file.package.source_version[Experimental] Full version of the source package of the package that provided this file
utimes.file.package.version[Experimental] Full version of the package that provided this file
utimes.file.pathFile’s path
utimes.file.path.lengthLength of the corresponding element
utimes.file.rightsRights of the file
utimes.file.uidUID of the file’s owner
utimes.file.userUser of the file’s owner
utimes.retvalReturn value of the syscall
utimes.syscall.pathPath argument of the syscall

Attributes documentation

*.args

Type: string

Definition: Arguments of the process (as a string, excluding argv0)

*.args has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"

Matches any process with these exact arguments.

Example:

exec.args =~ "* -F * http*"

Matches any process that has the “-F” argument anywhere before an argument starting with “http”.

*.args_flags

Type: string

Definition: Flags in the process arguments

*.args_flags has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args_flags in ["s"] && exec.args_flags in ["V"]

Matches any process with both “-s” and “-V” flags in its arguments. Also matches “-sV”.

*.args_options

Type: string

Definition: Argument of the process as options

*.args_options has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args_options in ["p=0-1024"]

Matches any process that has either “-p 0-1024” or “–p=0-1024” in its arguments.

*.args_truncated

Type: bool

Definition: Indicator of arguments truncation

*.args_truncated has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.argv

Type: string

Definition: Arguments of the process (as an array, excluding argv0)

*.argv has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.argv in ["127.0.0.1"]

Matches any process that has this IP address as one of its arguments.

*.argv0

Type: string

Definition: First argument of the process

*.argv0 has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.auid

Type: int

Definition: Login UID of the process

*.auid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.cap_effective

Type: int

Definition: Effective capability set of the process

*.cap_effective has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Constants: Kernel Capability constants

*.cap_permitted

Type: int

Definition: Permitted capability set of the process

*.cap_permitted has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Constants: Kernel Capability constants

*.change_time

Type: int

Definition: Change time (ctime) of the file

*.change_time has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.comm

Type: string

Definition: Comm attribute of the process

*.comm has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.container.id

Type: string

Definition: Container ID

*.container.id has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.created_at

Type: int

Definition: Timestamp of the creation of the process

*.created_at has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.data_size

Type: int

Definition: Amount of data transmitted or received

*.data_size has 2 possible prefixes: network_flow_monitor.flows.egress network_flow_monitor.flows.ingress

*.egid

Type: int

Definition: Effective GID of the process

*.egid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.egroup

Type: string

Definition: Effective group of the process

*.egroup has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.envp

Type: string

Definition: Environment variables of the process

*.envp has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.envs

Type: string

Definition: Environment variable names of the process

*.envs has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.envs_truncated

Type: bool

Definition: Indicator of environment variables truncation

*.envs_truncated has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.euid

Type: int

Definition: Effective UID of the process

*.euid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.euser

Type: string

Definition: Effective user of the process

*.euser has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.file.destination.name

Type: string

Definition: Name of the extended attribute

*.file.destination.name has 2 possible prefixes: removexattr setxattr

*.file.destination.namespace

Type: string

Definition: Namespace of the extended attribute

*.file.destination.namespace has 2 possible prefixes: removexattr setxattr

*.filesystem

Type: string

Definition: File’s filesystem

*.filesystem has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.fsgid

Type: int

Definition: FileSystem-gid of the process

*.fsgid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.fsgroup

Type: string

Definition: FileSystem-group of the process

*.fsgroup has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.fsuid

Type: int

Definition: FileSystem-uid of the process

*.fsuid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.fsuser

Type: string

Definition: FileSystem-user of the process

*.fsuser has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.gid

Type: int

Definition: GID of the process

*.gid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.gid

Type: int

Definition: GID of the file’s owner

*.gid has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.group

Type: string

Definition: Group of the process

*.group has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.group

Type: string

Definition: Group of the file’s owner

*.group has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.hashes

Type: string

Definition: [Experimental] List of cryptographic hashes computed for this file

*.hashes has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.id

Type: string

Definition: ID of the cgroup

*.id has 12 possible prefixes: cgroup exec.cgroup exit.cgroup process.ancestors.cgroup process.cgroup process.parent.cgroup ptrace.tracee.ancestors.cgroup ptrace.tracee.cgroup ptrace.tracee.parent.cgroup signal.target.ancestors.cgroup signal.target.cgroup signal.target.parent.cgroup

*.ifname

Type: string

Definition: Interface ifname

*.ifname has 3 possible prefixes: network.device network_flow_monitor.device packet.device

*.in_upper_layer

Type: bool

Definition: Indicator of the file layer, for example, in an OverlayFS

*.in_upper_layer has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.inode

Type: int

Definition: Inode of the file

*.inode has 51 possible prefixes: cgroup.file chdir.file chmod.file chown.file exec.cgroup.file exec.file exec.interpreter.file exit.cgroup.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.cgroup.file process.ancestors.file process.ancestors.interpreter.file process.cgroup.file process.file process.interpreter.file process.parent.cgroup.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.cgroup.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.cgroup.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.cgroup.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.cgroup.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.cgroup.file signal.target.file signal.target.interpreter.file signal.target.parent.cgroup.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.ip

Type: IP/CIDR

Definition: IP address

*.ip has 9 possible prefixes: accept.addr bind.addr connect.addr network.destination network.source network_flow_monitor.flows.destination network_flow_monitor.flows.source packet.destination packet.source

*.is_exec

Type: bool

Definition: Indicates whether the process entry is from a new binary execution

*.is_exec has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.is_kworker

Type: bool

Definition: Indicates whether the process is a kworker

*.is_kworker has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.is_public

Type: bool

Definition: Whether the IP address belongs to a public network

*.is_public has 9 possible prefixes: accept.addr bind.addr connect.addr network.destination network.source network_flow_monitor.flows.destination network_flow_monitor.flows.source packet.destination packet.source

*.is_thread

Type: bool

Definition: Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)

*.is_thread has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.k8s_groups

Type: string

Definition: Kubernetes groups of the user that executed the process

*.k8s_groups has 11 possible prefixes: exec.user_session exit.user_session process.ancestors.user_session process.parent.user_session process.user_session ptrace.tracee.ancestors.user_session ptrace.tracee.parent.user_session ptrace.tracee.user_session signal.target.ancestors.user_session signal.target.parent.user_session signal.target.user_session

*.k8s_uid

Type: string

Definition: Kubernetes UID of the user that executed the process

*.k8s_uid has 11 possible prefixes: exec.user_session exit.user_session process.ancestors.user_session process.parent.user_session process.user_session ptrace.tracee.ancestors.user_session ptrace.tracee.parent.user_session ptrace.tracee.user_session signal.target.ancestors.user_session signal.target.parent.user_session signal.target.user_session

*.k8s_username

Type: string

Definition: Kubernetes username of the user that executed the process

*.k8s_username has 11 possible prefixes: exec.user_session exit.user_session process.ancestors.user_session process.parent.user_session process.user_session ptrace.tracee.ancestors.user_session ptrace.tracee.parent.user_session ptrace.tracee.user_session signal.target.ancestors.user_session signal.target.parent.user_session signal.target.user_session

*.l3_protocol

Type: int

Definition: L3 protocol of the network packet

*.l3_protocol has 2 possible prefixes: network packet

Constants: L3 protocols

*.l4_protocol

Type: int

Definition: L4 protocol of the network packet

*.l4_protocol has 2 possible prefixes: network packet

Constants: L4 protocols

*.length

Type: int

Definition: Length of the corresponding element

*.length has 83 possible prefixes: chdir.file.name chdir.file.path chmod.file.name chmod.file.path chown.file.name chown.file.path dns.question.name exec.file.name exec.file.path exec.interpreter.file.name exec.interpreter.file.path exit.file.name exit.file.path exit.interpreter.file.name exit.interpreter.file.path link.file.destination.name link.file.destination.path link.file.name link.file.path load_module.file.name load_module.file.path mkdir.file.name mkdir.file.path mmap.file.name mmap.file.path network_flow_monitor.flows open.file.name open.file.path process.ancestors process.ancestors.file.name process.ancestors.file.path process.ancestors.interpreter.file.name process.ancestors.interpreter.file.path process.file.name process.file.path process.interpreter.file.name process.interpreter.file.path process.parent.file.name process.parent.file.path process.parent.interpreter.file.name process.parent.interpreter.file.path ptrace.tracee.ancestors ptrace.tracee.ancestors.file.name ptrace.tracee.ancestors.file.path ptrace.tracee.ancestors.interpreter.file.name ptrace.tracee.ancestors.interpreter.file.path ptrace.tracee.file.name ptrace.tracee.file.path ptrace.tracee.interpreter.file.name ptrace.tracee.interpreter.file.path ptrace.tracee.parent.file.name ptrace.tracee.parent.file.path ptrace.tracee.parent.interpreter.file.name ptrace.tracee.parent.interpreter.file.path removexattr.file.name removexattr.file.path rename.file.destination.name rename.file.destination.path rename.file.name rename.file.path rmdir.file.name rmdir.file.path setxattr.file.name setxattr.file.path signal.target.ancestors signal.target.ancestors.file.name signal.target.ancestors.file.path signal.target.ancestors.interpreter.file.name signal.target.ancestors.interpreter.file.path signal.target.file.name signal.target.file.path signal.target.interpreter.file.name signal.target.interpreter.file.path signal.target.parent.file.name signal.target.parent.file.path signal.target.parent.interpreter.file.name signal.target.parent.interpreter.file.path splice.file.name splice.file.path unlink.file.name unlink.file.path utimes.file.name utimes.file.path

*.manager

Type: string

Definition: [Experimental] Lifecycle manager of the cgroup

*.manager has 12 possible prefixes: cgroup exec.cgroup exit.cgroup process.ancestors.cgroup process.cgroup process.parent.cgroup ptrace.tracee.ancestors.cgroup ptrace.tracee.cgroup ptrace.tracee.parent.cgroup signal.target.ancestors.cgroup signal.target.cgroup signal.target.parent.cgroup

*.mode

Type: int

Definition: Mode of the file

*.mode has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Constants: Inode mode constants

*.modification_time

Type: int

Definition: Modification time (mtime) of the file

*.modification_time has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.mount_id

Type: int

Definition: Mount ID of the file

*.mount_id has 51 possible prefixes: cgroup.file chdir.file chmod.file chown.file exec.cgroup.file exec.file exec.interpreter.file exit.cgroup.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.cgroup.file process.ancestors.file process.ancestors.interpreter.file process.cgroup.file process.file process.interpreter.file process.parent.cgroup.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.cgroup.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.cgroup.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.cgroup.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.cgroup.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.cgroup.file signal.target.file signal.target.interpreter.file signal.target.parent.cgroup.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.name

Type: string

Definition: File’s basename

*.name has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Example:

exec.file.name == "apt"

Matches the execution of any file named apt.

*.network_direction

Type: int

Definition: Network direction of the network packet

*.network_direction has 2 possible prefixes: network packet

Constants: Network directions

*.package.name

Type: string

Definition: [Experimental] Name of the package that provided this file

*.package.name has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.package.source_version

Type: string

Definition: [Experimental] Full version of the source package of the package that provided this file

*.package.source_version has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.package.version

Type: string

Definition: [Experimental] Full version of the package that provided this file

*.package.version has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.packet_count

Type: int

Definition: Count of network packets transmitted or received

*.packet_count has 2 possible prefixes: network_flow_monitor.flows.egress network_flow_monitor.flows.ingress

*.path

Type: string

Definition: File’s path

*.path has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Example:

exec.file.path == "/usr/bin/apt"

Matches the execution of the file located at /usr/bin/apt

Example:

open.file.path == "/etc/passwd"

Matches any process opening the /etc/passwd file.

*.pid

Type: int

Definition: Process ID of the process (also called thread group ID)

*.pid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.port

Type: int

Definition: Port number

*.port has 9 possible prefixes: accept.addr bind.addr connect.addr network.destination network.source network_flow_monitor.flows.destination network_flow_monitor.flows.source packet.destination packet.source

*.ppid

Type: int

Definition: Parent process ID

*.ppid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.retval

Type: int

Definition: Return value of the syscall

*.retval has 24 possible prefixes: accept bind bpf chdir chmod chown connect link load_module mkdir mmap mount mprotect open ptrace removexattr rename rmdir setxattr signal splice unlink unload_module utimes

Constants: Error constants

*.rights

Type: int

Definition: Rights of the file

*.rights has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Constants: File mode constants

*.size

Type: int

Definition: Size in bytes of the network packet

*.size has 2 possible prefixes: network packet

*.tid

Type: int

Definition: Thread ID of the thread

*.tid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.tty_name

Type: string

Definition: Name of the TTY associated with the process

*.tty_name has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.uid

Type: int

Definition: UID of the process

*.uid has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

*.uid

Type: int

Definition: UID of the file’s owner

*.uid has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.user

Type: string

Definition: User of the process

*.user has 11 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent signal.target signal.target.ancestors signal.target.parent

Example:

process.user == "root"

Constrain an event to be triggered by a process running as the root user.

*.user

Type: string

Definition: User of the file’s owner

*.user has 39 possible prefixes: chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

*.version

Type: int

Definition: [Experimental] Version of the cgroup API

*.version has 12 possible prefixes: cgroup exec.cgroup exit.cgroup process.ancestors.cgroup process.cgroup process.parent.cgroup ptrace.tracee.ancestors.cgroup ptrace.tracee.cgroup ptrace.tracee.parent.cgroup signal.target.ancestors.cgroup signal.target.cgroup signal.target.parent.cgroup

accept.addr.family

Type: int

Definition: Address family

bind.addr.family

Type: int

Definition: Address family

bind.protocol

Type: int

Definition: Socket Protocol

bpf.cmd

Type: int

Definition: BPF command name

Constants: BPF commands

bpf.map.name

Type: string

Definition: Name of the eBPF map (added in 7.35)

bpf.map.type

Type: int

Definition: Type of the eBPF map

Constants: BPF map types

bpf.prog.attach_type

Type: int

Definition: Attach type of the eBPF program

Constants: BPF attach types

bpf.prog.helpers

Type: int

Definition: eBPF helpers used by the eBPF program (added in 7.35)

Constants: BPF helper functions

bpf.prog.name

Type: string

Definition: Name of the eBPF program (added in 7.35)

bpf.prog.tag

Type: string

Definition: Hash (sha1) of the eBPF program (added in 7.35)

bpf.prog.type

Type: int

Definition: Type of the eBPF program

Constants: BPF program types

capset.cap_effective

Type: int

Definition: Effective capability set of the process

Constants: Kernel Capability constants

capset.cap_permitted

Type: int

Definition: Permitted capability set of the process

Constants: Kernel Capability constants

chdir.syscall.path

Type: string

Definition: path argument of the syscall

chmod.file.destination.mode

Type: int

Definition: New mode of the chmod-ed file

Constants: File mode constants

chmod.file.destination.rights

Type: int

Definition: New rights of the chmod-ed file

Constants: File mode constants

chmod.syscall.mode

Type: int

Definition: mode argument of the syscall

chmod.syscall.path

Type: string

Definition: path argument of the syscall

chown.file.destination.gid

Type: int

Definition: New GID of the chown-ed file’s owner

chown.file.destination.group

Type: string

Definition: New group of the chown-ed file’s owner

chown.file.destination.uid

Type: int

Definition: New UID of the chown-ed file’s owner

chown.file.destination.user

Type: string

Definition: New user of the chown-ed file’s owner

chown.syscall.gid

Type: int

Definition: GID argument of the syscall

chown.syscall.path

Type: string

Definition: Path argument of the syscall

chown.syscall.uid

Type: int

Definition: UID argument of the syscall

connect.addr.family

Type: int

Definition: Address family

connect.protocol

Type: int

Definition: Socket Protocol

container.created_at

Type: int

Definition: Timestamp of the creation of the container

container.id

Type: string

Definition: ID of the container

container.runtime

Type: string

Definition: Runtime managing the container

container.tags

Type: string

Definition: Tags of the container

dns.id

Type: int

Definition: [Experimental] the DNS request ID

dns.question.class

Type: int

Definition: the class looked up by the DNS question

Constants: DNS qclasses

dns.question.count

Type: int

Definition: the total count of questions in the DNS request

dns.question.length

Type: int

Definition: the total DNS request size in bytes

dns.question.name

Type: string

Definition: the queried domain name

dns.question.type

Type: int

Definition: a two octet code which specifies the DNS question type

Constants: DNS qtypes

event.async

Type: bool

Definition: True if the syscall was asynchronous

event.hostname

Type: string

Definition: Hostname associated with the event

event.origin

Type: string

Definition: Origin of the event

event.os

Type: string

Definition: Operating system of the event

event.service

Type: string

Definition: Service associated with the event

event.timestamp

Type: int

Definition: Timestamp of the event

exec.syscall.path

Type: string

Definition: path argument of the syscall

exit.cause

Type: int

Definition: Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)

exit.code

Type: int

Definition: Exit code of the process or number of the signal that caused the process to terminate

imds.aws.is_imds_v2

Type: bool

Definition: a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions

imds.aws.security_credentials.type

Type: string

Definition: the security credentials type

imds.cloud_provider

Type: string

Definition: the intended cloud provider of the IMDS event

imds.host

Type: string

Definition: the host of the HTTP protocol

imds.server

Type: string

Definition: the server header of a response

imds.type

Type: string

Definition: the type of IMDS event

imds.url

Type: string

Definition: the queried IMDS URL

imds.user_agent

Type: string

Definition: the user agent of the HTTP client

Type: string

Definition: Destination path argument of the syscall

Type: string

Definition: Path argument of the syscall

load_module.args

Type: string

Definition: Parameters (as a string) of the new kernel module

load_module.args_truncated

Type: bool

Definition: Indicates if the arguments were truncated or not

load_module.argv

Type: string

Definition: Parameters (as an array) of the new kernel module

load_module.loaded_from_memory

Type: bool

Definition: Indicates if the kernel module was loaded from memory

load_module.name

Type: string

Definition: Name of the new kernel module

mkdir.file.destination.mode

Type: int

Definition: Mode of the new directory

Constants: File mode constants

mkdir.file.destination.rights

Type: int

Definition: Rights of the new directory

Constants: File mode constants

mkdir.syscall.mode

Type: int

Definition: Mode of the new directory

mkdir.syscall.path

Type: string

Definition: Path argument of the syscall

mmap.flags

Type: int

Definition: memory segment flags

Constants: MMap flags

mmap.protection

Type: int

Definition: memory segment protection

Constants: Protection constants

mount.fs_type

Type: string

Definition: Type of the mounted file system

mount.mountpoint.path

Type: string

Definition: Path of the mount point

mount.root.path

Type: string

Definition: Root path of the mount

mount.source.path

Type: string

Definition: Source path of a bind mount

mount.syscall.fs_type

Type: string

Definition: File system type argument of the syscall

mount.syscall.mountpoint.path

Type: string

Definition: Mount point path argument of the syscall

mount.syscall.source.path

Type: string

Definition: Source path argument of the syscall

mprotect.req_protection

Type: int

Definition: new memory segment protection

Constants: Virtual Memory flags

mprotect.vm_protection

Type: int

Definition: initial memory segment protection

Constants: Virtual Memory flags

network_flow_monitor.flows.l3_protocol

Type: int

Definition: L3 protocol of the network packet

Constants: L3 protocols

network_flow_monitor.flows.l4_protocol

Type: int

Definition: L4 protocol of the network packet

Constants: L4 protocols

open.file.destination.mode

Type: int

Definition: Mode of the created file

Constants: File mode constants

open.flags

Type: int

Definition: Flags used when opening the file

Constants: Open flags

open.syscall.flags

Type: int

Definition: Flags argument of the syscall

open.syscall.mode

Type: int

Definition: Mode argument of the syscall

open.syscall.path

Type: string

Definition: Path argument of the syscall

packet.filter

Type: string

Definition: pcap filter expression

packet.tls.version

Type: int

Definition: TLS version

ptrace.request

Type: int

Definition: ptrace request

Constants: Ptrace constants

rename.syscall.destination.path

Type: string

Definition: Destination path argument of the syscall

rename.syscall.path

Type: string

Definition: Path argument of the syscall

rmdir.syscall.path

Type: string

Definition: Path argument of the syscall

selinux.bool.name

Type: string

Definition: SELinux boolean name

selinux.bool.state

Type: string

Definition: SELinux boolean new value

selinux.bool_commit.state

Type: bool

Definition: Indicator of a SELinux boolean commit operation

selinux.enforce.status

Type: string

Definition: SELinux enforcement status (one of “enforcing”, “permissive”, “disabled”)

setgid.egid

Type: int

Definition: New effective GID of the process

setgid.egroup

Type: string

Definition: New effective group of the process

setgid.fsgid

Type: int

Definition: New FileSystem GID of the process

setgid.fsgroup

Type: string

Definition: New FileSystem group of the process

setgid.gid

Type: int

Definition: New GID of the process

setgid.group

Type: string

Definition: New group of the process

setuid.euid

Type: int

Definition: New effective UID of the process

setuid.euser

Type: string

Definition: New effective user of the process

setuid.fsuid

Type: int

Definition: New FileSystem UID of the process

setuid.fsuser

Type: string

Definition: New FileSystem user of the process

setuid.uid

Type: int

Definition: New UID of the process

setuid.user

Type: string

Definition: New user of the process

signal.pid

Type: int

Definition: Target PID

signal.type

Type: int

Definition: Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)

Constants: Signal constants

splice.pipe_entry_flag

Type: int

Definition: Entry flag of the “fd_out” pipe passed to the splice syscall

Constants: Pipe buffer flags

splice.pipe_exit_flag

Type: int

Definition: Exit flag of the “fd_out” pipe passed to the splice syscall

Constants: Pipe buffer flags

Type: int

Definition: Flags of the unlink syscall

Constants: Unlink flags

Type: int

Definition: Directory file descriptor argument of the syscall

Type: int

Definition: Flags argument of the syscall

Type: string

Definition: Path argument of the syscall

unload_module.name

Type: string

Definition: Name of the kernel module that was deleted

utimes.syscall.path

Type: string

Definition: Path argument of the syscall

Constants

Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.

BPF attach types

BPF attach types are the supported eBPF program attach types.

NameArchitectures
BPF_CGROUP_INET_INGRESSall
BPF_CGROUP_INET_EGRESSall
BPF_CGROUP_INET_SOCK_CREATEall
BPF_CGROUP_SOCK_OPSall
BPF_SK_SKB_STREAM_PARSERall
BPF_SK_SKB_STREAM_VERDICTall
BPF_CGROUP_DEVICEall
BPF_SK_MSG_VERDICTall
BPF_CGROUP_INET4_BINDall
BPF_CGROUP_INET6_BINDall
BPF_CGROUP_INET4_CONNECTall
BPF_CGROUP_INET6_CONNECTall
BPF_CGROUP_INET4_POST_BINDall
BPF_CGROUP_INET6_POST_BINDall
BPF_CGROUP_UDP4_SENDMSGall
BPF_CGROUP_UDP6_SENDMSGall
BPF_LIRC_MODE2all
BPF_FLOW_DISSECTORall
BPF_CGROUP_SYSCTLall
BPF_CGROUP_UDP4_RECVMSGall
BPF_CGROUP_UDP6_RECVMSGall
BPF_CGROUP_GETSOCKOPTall
BPF_CGROUP_SETSOCKOPTall
BPF_TRACE_RAW_TPall
BPF_TRACE_FENTRYall
BPF_TRACE_FEXITall
BPF_MODIFY_RETURNall
BPF_LSM_MACall
BPF_TRACE_ITERall
BPF_CGROUP_INET4_GETPEERNAMEall
BPF_CGROUP_INET6_GETPEERNAMEall
BPF_CGROUP_INET4_GETSOCKNAMEall
BPF_CGROUP_INET6_GETSOCKNAMEall
BPF_XDP_DEVMAPall
BPF_CGROUP_INET_SOCK_RELEASEall
BPF_XDP_CPUMAPall
BPF_SK_LOOKUPall
BPF_XDPall
BPF_SK_SKB_VERDICTall

BPF commands

BPF commands are used to specify a command to a bpf syscall.

NameArchitectures
BPF_MAP_CREATEall
BPF_MAP_LOOKUP_ELEMall
BPF_MAP_UPDATE_ELEMall
BPF_MAP_DELETE_ELEMall
BPF_MAP_GET_NEXT_KEYall
BPF_PROG_LOADall
BPF_OBJ_PINall
BPF_OBJ_GETall
BPF_PROG_ATTACHall
BPF_PROG_DETACHall
BPF_PROG_TEST_RUNall
BPF_PROG_RUNall
BPF_PROG_GET_NEXT_IDall
BPF_MAP_GET_NEXT_IDall
BPF_PROG_GET_FD_BY_IDall
BPF_MAP_GET_FD_BY_IDall
BPF_OBJ_GET_INFO_BY_FDall
BPF_PROG_QUERYall
BPF_RAW_TRACEPOINT_OPENall
BPF_BTF_LOADall
BPF_BTF_GET_FD_BY_IDall
BPF_TASK_FD_QUERYall
BPF_MAP_LOOKUP_AND_DELETE_ELEMall
BPF_MAP_FREEZEall
BPF_BTF_GET_NEXT_IDall
BPF_MAP_LOOKUP_BATCHall
BPF_MAP_LOOKUP_AND_DELETE_BATCHall
BPF_MAP_UPDATE_BATCHall
BPF_MAP_DELETE_BATCHall
BPF_LINK_CREATEall
BPF_LINK_UPDATEall
BPF_LINK_GET_FD_BY_IDall
BPF_LINK_GET_NEXT_IDall
BPF_ENABLE_STATSall
BPF_ITER_CREATEall
BPF_LINK_DETACHall
BPF_PROG_BIND_MAPall

BPF helper functions

BPF helper functions are the supported BPF helper functions.

NameArchitectures
BPF_UNSPECall
BPF_MAP_LOOKUP_ELEMall
BPF_MAP_UPDATE_ELEMall
BPF_MAP_DELETE_ELEMall
BPF_PROBE_READall
BPF_KTIME_GET_NSall
BPF_TRACE_PRINTKall
BPF_GET_PRANDOM_U32all
BPF_GET_SMP_PROCESSOR_IDall
BPF_SKB_STORE_BYTESall
BPF_L3_CSUM_REPLACEall
BPF_L4_CSUM_REPLACEall
BPF_TAIL_CALLall
BPF_CLONE_REDIRECTall
BPF_GET_CURRENT_PID_TGIDall
BPF_GET_CURRENT_UID_GIDall
BPF_GET_CURRENT_COMMall
BPF_GET_CGROUP_CLASSIDall
BPF_SKB_VLAN_PUSHall
BPF_SKB_VLAN_POPall
BPF_SKB_GET_TUNNEL_KEYall
BPF_SKB_SET_TUNNEL_KEYall
BPF_PERF_EVENT_READall
BPF_REDIRECTall
BPF_GET_ROUTE_REALMall
BPF_PERF_EVENT_OUTPUTall
BPF_SKB_LOAD_BYTESall
BPF_GET_STACKIDall
BPF_CSUM_DIFFall
BPF_SKB_GET_TUNNEL_OPTall
BPF_SKB_SET_TUNNEL_OPTall
BPF_SKB_CHANGE_PROTOall
BPF_SKB_CHANGE_TYPEall
BPF_SKB_UNDER_CGROUPall
BPF_GET_HASH_RECALCall
BPF_GET_CURRENT_TASKall
BPF_PROBE_WRITE_USERall
BPF_CURRENT_TASK_UNDER_CGROUPall
BPF_SKB_CHANGE_TAILall
BPF_SKB_PULL_DATAall
BPF_CSUM_UPDATEall
BPF_SET_HASH_INVALIDall
BPF_GET_NUMA_NODE_IDall
BPF_SKB_CHANGE_HEADall
BPF_XDP_ADJUST_HEADall
BPF_PROBE_READ_STRall
BPF_GET_SOCKET_COOKIEall
BPF_GET_SOCKET_UIDall
BPF_SET_HASHall
BPF_SETSOCKOPTall
BPF_SKB_ADJUST_ROOMall
BPF_REDIRECT_MAPall
BPF_SK_REDIRECT_MAPall
BPF_SOCK_MAP_UPDATEall
BPF_XDP_ADJUST_METAall
BPF_PERF_EVENT_READ_VALUEall
BPF_PERF_PROG_READ_VALUEall
BPF_GETSOCKOPTall
BPF_OVERRIDE_RETURNall
BPF_SOCK_OPS_CB_FLAGS_SETall
BPF_MSG_REDIRECT_MAPall
BPF_MSG_APPLY_BYTESall
BPF_MSG_CORK_BYTESall
BPF_MSG_PULL_DATAall
BPF_BINDall
BPF_XDP_ADJUST_TAILall
BPF_SKB_GET_XFRM_STATEall
BPF_GET_STACKall
BPF_SKB_LOAD_BYTES_RELATIVEall
BPF_FIB_LOOKUPall
BPF_SOCK_HASH_UPDATEall
BPF_MSG_REDIRECT_HASHall
BPF_SK_REDIRECT_HASHall
BPF_LWT_PUSH_ENCAPall
BPF_LWT_SEG6_STORE_BYTESall
BPF_LWT_SEG6_ADJUST_SRHall
BPF_LWT_SEG6_ACTIONall
BPF_RC_REPEATall
BPF_RC_KEYDOWNall
BPF_SKB_CGROUP_IDall
BPF_GET_CURRENT_CGROUP_IDall
BPF_GET_LOCAL_STORAGEall
BPF_SK_SELECT_REUSEPORTall
BPF_SKB_ANCESTOR_CGROUP_IDall
BPF_SK_LOOKUP_TCPall
BPF_SK_LOOKUP_UDPall
BPF_SK_RELEASEall
BPF_MAP_PUSH_ELEMall
BPF_MAP_POP_ELEMall
BPF_MAP_PEEK_ELEMall
BPF_MSG_PUSH_DATAall
BPF_MSG_POP_DATAall
BPF_RC_POINTER_RELall
BPF_SPIN_LOCKall
BPF_SPIN_UNLOCKall
BPF_SK_FULLSOCKall
BPF_TCP_SOCKall
BPF_SKB_ECN_SET_CEall
BPF_GET_LISTENER_SOCKall
BPF_SKC_LOOKUP_TCPall
BPF_TCP_CHECK_SYNCOOKIEall
BPF_SYSCTL_GET_NAMEall
BPF_SYSCTL_GET_CURRENT_VALUEall
BPF_SYSCTL_GET_NEW_VALUEall
BPF_SYSCTL_SET_NEW_VALUEall
BPF_STRTOLall
BPF_STRTOULall
BPF_SK_STORAGE_GETall
BPF_SK_STORAGE_DELETEall
BPF_SEND_SIGNALall
BPF_TCP_GEN_SYNCOOKIEall
BPF_SKB_OUTPUTall
BPF_PROBE_READ_USERall
BPF_PROBE_READ_KERNELall
BPF_PROBE_READ_USER_STRall
BPF_PROBE_READ_KERNEL_STRall
BPF_TCP_SEND_ACKall
BPF_SEND_SIGNAL_THREADall
BPF_JIFFIES64all
BPF_READ_BRANCH_RECORDSall
BPF_GET_NS_CURRENT_PID_TGIDall
BPF_XDP_OUTPUTall
BPF_GET_NETNS_COOKIEall
BPF_GET_CURRENT_ANCESTOR_CGROUP_IDall
BPF_SK_ASSIGNall
BPF_KTIME_GET_BOOT_NSall
BPF_SEQ_PRINTFall
BPF_SEQ_WRITEall
BPF_SK_CGROUP_IDall
BPF_SK_ANCESTOR_CGROUP_IDall
BPF_RINGBUF_OUTPUTall
BPF_RINGBUF_RESERVEall
BPF_RINGBUF_SUBMITall
BPF_RINGBUF_DISCARDall
BPF_RINGBUF_QUERYall
BPF_CSUM_LEVELall
BPF_SKC_TO_TCP6_SOCKall
BPF_SKC_TO_TCP_SOCKall
BPF_SKC_TO_TCP_TIMEWAIT_SOCKall
BPF_SKC_TO_TCP_REQUEST_SOCKall
BPF_SKC_TO_UDP6_SOCKall
BPF_GET_TASK_STACKall
BPF_LOAD_HDR_OPTall
BPF_STORE_HDR_OPTall
BPF_RESERVE_HDR_OPTall
BPF_INODE_STORAGE_GETall
BPF_INODE_STORAGE_DELETEall
BPF_D_PATHall
BPF_COPY_FROM_USERall
BPF_SNPRINTF_BTFall
BPF_SEQ_PRINTF_BTFall
BPF_SKB_CGROUP_CLASSIDall
BPF_REDIRECT_NEIGHall
BPF_PER_CPU_PTRall
BPF_THIS_CPU_PTRall
BPF_REDIRECT_PEERall
BPF_TASK_STORAGE_GETall
BPF_TASK_STORAGE_DELETEall
BPF_GET_CURRENT_TASK_BTFall
BPF_BPRM_OPTS_SETall
BPF_KTIME_GET_COARSE_NSall
BPF_IMA_INODE_HASHall
BPF_SOCK_FROM_FILEall
BPF_CHECK_MTUall
BPF_FOR_EACH_MAP_ELEMall
BPF_SNPRINTFall

BPF map types

BPF map types are the supported eBPF map types.

NameArchitectures
BPF_MAP_TYPE_UNSPECall
BPF_MAP_TYPE_HASHall
BPF_MAP_TYPE_ARRAYall
BPF_MAP_TYPE_PROG_ARRAYall
BPF_MAP_TYPE_PERF_EVENT_ARRAYall
BPF_MAP_TYPE_PERCPU_HASHall
BPF_MAP_TYPE_PERCPU_ARRAYall
BPF_MAP_TYPE_STACK_TRACEall
BPF_MAP_TYPE_CGROUP_ARRAYall
BPF_MAP_TYPE_LRU_HASHall
BPF_MAP_TYPE_LRU_PERCPU_HASHall
BPF_MAP_TYPE_LPM_TRIEall
BPF_MAP_TYPE_ARRAY_OF_MAPSall
BPF_MAP_TYPE_HASH_OF_MAPSall
BPF_MAP_TYPE_DEVMAPall
BPF_MAP_TYPE_SOCKMAPall
BPF_MAP_TYPE_CPUMAPall
BPF_MAP_TYPE_XSKMAPall
BPF_MAP_TYPE_SOCKHASHall
BPF_MAP_TYPE_CGROUP_STORAGEall
BPF_MAP_TYPE_REUSEPORT_SOCKARRAYall
BPF_MAP_TYPE_PERCPU_CGROUP_STORAGEall
BPF_MAP_TYPE_QUEUEall
BPF_MAP_TYPE_STACKall
BPF_MAP_TYPE_SK_STORAGEall
BPF_MAP_TYPE_DEVMAP_HASHall
BPF_MAP_TYPE_STRUCT_OPSall
BPF_MAP_TYPE_RINGBUFall
BPF_MAP_TYPE_INODE_STORAGEall
BPF_MAP_TYPE_TASK_STORAGEall

BPF program types

BPF program types are the supported eBPF program types.

NameArchitectures
BPF_PROG_TYPE_UNSPECall
BPF_PROG_TYPE_SOCKET_FILTERall
BPF_PROG_TYPE_KPROBEall
BPF_PROG_TYPE_SCHED_CLSall
BPF_PROG_TYPE_SCHED_ACTall
BPF_PROG_TYPE_TRACEPOINTall
BPF_PROG_TYPE_XDPall
BPF_PROG_TYPE_PERF_EVENTall
BPF_PROG_TYPE_CGROUP_SKBall
BPF_PROG_TYPE_CGROUP_SOCKall
BPF_PROG_TYPE_LWT_INall
BPF_PROG_TYPE_LWT_OUTall
BPF_PROG_TYPE_LWT_XMITall
BPF_PROG_TYPE_SOCK_OPSall
BPF_PROG_TYPE_SK_SKBall
BPF_PROG_TYPE_CGROUP_DEVICEall
BPF_PROG_TYPE_SK_MSGall
BPF_PROG_TYPE_RAW_TRACEPOINTall
BPF_PROG_TYPE_CGROUP_SOCK_ADDRall
BPF_PROG_TYPE_LWT_SEG6LOCALall
BPF_PROG_TYPE_LIRC_MODE2all
BPF_PROG_TYPE_SK_REUSEPORTall
BPF_PROG_TYPE_FLOW_DISSECTORall
BPF_PROG_TYPE_CGROUP_SYSCTLall
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLEall
BPF_PROG_TYPE_CGROUP_SOCKOPTall
BPF_PROG_TYPE_TRACINGall
BPF_PROG_TYPE_STRUCT_OPSall
BPF_PROG_TYPE_EXTall
BPF_PROG_TYPE_LSMall
BPF_PROG_TYPE_SK_LOOKUPall

Boolean constants

Boolean constants are the supported boolean constants.

NameArchitectures
trueall
falseall

DNS qclasses

DNS qclasses are the supported DNS query classes.

NameArchitectures
CLASS_INETall
CLASS_CSNETall
CLASS_CHAOSall
CLASS_HESIODall
CLASS_NONEall
CLASS_ANYall

DNS qtypes

DNS qtypes are the supported DNS query types.

NameArchitectures
Noneall
Aall
NSall
MDall
MFall
CNAMEall
SOAall
MBall
MGall
MRall
NULLall
PTRall
HINFOall
MINFOall
MXall
TXTall
RPall
AFSDBall
X25all
ISDNall
RTall
NSAPPTRall
SIGall
KEYall
PXall
GPOSall
AAAAall
LOCall
NXTall
EIDall
NIMLOCall
SRVall
ATMAall
NAPTRall
KXall
CERTall
DNAMEall
OPTall
APLall
DSall
SSHFPall
RRSIGall
NSECall
DNSKEYall
DHCIDall
NSEC3all
NSEC3PARAMall
TLSAall
SMIMEAall
HIPall
NINFOall
RKEYall
TALINKall
CDSall
CDNSKEYall
OPENPGPKEYall
CSYNCall
ZONEMDall
SVCBall
HTTPSall
SPFall
UINFOall
UIDall
GIDall
UNSPECall
NIDall
L32all
L64all
LPall
EUI48all
EUI64all
URIall
CAAall
AVCall
TKEYall
TSIGall
IXFRall
AXFRall
MAILBall
MAILAall
ANYall
TAall
DLVall
Reservedall

Error constants

Error constants are the supported error constants.

NameArchitectures
E2BIGall
EACCESall
EADDRINUSEall
EADDRNOTAVAILall
EADVall
EAFNOSUPPORTall
EAGAINall
EALREADYall
EBADEall
EBADFall
EBADFDall
EBADMSGall
EBADRall
EBADRQCall
EBADSLTall
EBFONTall
EBUSYall
ECANCELEDall
ECHILDall
ECHRNGall
ECOMMall
ECONNABORTEDall
ECONNREFUSEDall
ECONNRESETall
EDEADLKall
EDEADLOCKall
EDESTADDRREQall
EDOMall
EDOTDOTall
EDQUOTall
EEXISTall
EFAULTall
EFBIGall
EHOSTDOWNall
EHOSTUNREACHall
EIDRMall
EILSEQall
EINPROGRESSall
EINTRall
EINVALall
EIOall
EISCONNall
EISDIRall
EISNAMall
EKEYEXPIREDall
EKEYREJECTEDall
EKEYREVOKEDall
EL2HLTall
EL2NSYNCall
EL3HLTall
EL3RSTall
ELIBACCall
ELIBBADall
ELIBEXECall
ELIBMAXall
ELIBSCNall
ELNRNGall
ELOOPall
EMEDIUMTYPEall
EMFILEall
EMLINKall
EMSGSIZEall
EMULTIHOPall
ENAMETOOLONGall
ENAVAILall
ENETDOWNall
ENETRESETall
ENETUNREACHall
ENFILEall
ENOANOall
ENOBUFSall
ENOCSIall
ENODATAall
ENODEVall
ENOENTall
ENOEXECall
ENOKEYall
ENOLCKall
ENOLINKall
ENOMEDIUMall
ENOMEMall
ENOMSGall
ENONETall
ENOPKGall
ENOPROTOOPTall
ENOSPCall
ENOSRall
ENOSTRall
ENOSYSall
ENOTBLKall
ENOTCONNall
ENOTDIRall
ENOTEMPTYall
ENOTNAMall
ENOTRECOVERABLEall
ENOTSOCKall
ENOTSUPall
ENOTTYall
ENOTUNIQall
ENXIOall
EOPNOTSUPPall
EOVERFLOWall
EOWNERDEADall
EPERMall
EPFNOSUPPORTall
EPIPEall
EPROTOall
EPROTONOSUPPORTall
EPROTOTYPEall
ERANGEall
EREMCHGall
EREMOTEall
EREMOTEIOall
ERESTARTall
ERFKILLall
EROFSall
ESHUTDOWNall
ESOCKTNOSUPPORTall
ESPIPEall
ESRCHall
ESRMNTall
ESTALEall
ESTRPIPEall
ETIMEall
ETIMEDOUTall
ETOOMANYREFSall
ETXTBSYall
EUCLEANall
EUNATCHall
EUSERSall
EWOULDBLOCKall
EXDEVall
EXFULLall

File mode constants

File mode constants are the supported file permissions as well as constants for the set-user-ID, set-group-ID, and sticky bits.

NameArchitectures
S_ISUIDall
S_ISGIDall
S_ISVTXall
S_IRWXUall
S_IRUSRall
S_IWUSRall
S_IXUSRall
S_IRWXGall
S_IRGRPall
S_IWGRPall
S_IXGRPall
S_IRWXOall
S_IROTHall
S_IWOTHall
S_IXOTHall

Inode mode constants

Inode mode constants are the supported file type constants as well as the file mode constants.

NameArchitectures
S_IFMTall
S_IFSOCKall
S_IFLNKall
S_IFREGall
S_IFBLKall
S_IFDIRall
S_IFCHRall
S_IFIFOall
S_ISUIDall
S_ISGIDall
S_ISVTXall
S_IRWXUall
S_IRUSRall
S_IWUSRall
S_IXUSRall
S_IRWXGall
S_IRGRPall
S_IWGRPall
S_IXGRPall
S_IRWXOall
S_IROTHall
S_IWOTHall
S_IXOTHall

Kernel Capability constants

Kernel Capability constants are the supported Linux Kernel Capability.

NameArchitectures
CAP_AUDIT_CONTROLall
CAP_AUDIT_READall
CAP_AUDIT_WRITEall
CAP_BLOCK_SUSPENDall
CAP_BPFall
CAP_CHECKPOINT_RESTOREall
CAP_CHOWNall
CAP_DAC_OVERRIDEall
CAP_DAC_READ_SEARCHall
CAP_FOWNERall
CAP_FSETIDall
CAP_IPC_LOCKall
CAP_IPC_OWNERall
CAP_KILLall
CAP_LEASEall
CAP_LINUX_IMMUTABLEall
CAP_MAC_ADMINall
CAP_MAC_OVERRIDEall
CAP_MKNODall
CAP_NET_ADMINall
CAP_NET_BIND_SERVICEall
CAP_NET_BROADCASTall
CAP_NET_RAWall
CAP_PERFMONall
CAP_SETFCAPall
CAP_SETGIDall
CAP_SETPCAPall
CAP_SETUIDall
CAP_SYSLOGall
CAP_SYS_ADMINall
CAP_SYS_BOOTall
CAP_SYS_CHROOTall
CAP_SYS_MODULEall
CAP_SYS_NICEall
CAP_SYS_PACCTall
CAP_SYS_PTRACEall
CAP_SYS_RAWIOall
CAP_SYS_RESOURCEall
CAP_SYS_TIMEall
CAP_SYS_TTY_CONFIGall
CAP_WAKE_ALARMall

L3 protocols

L3 protocols are the supported Layer 3 protocols.

NameArchitectures
ETH_P_LOOPall
ETH_P_PUPall
ETH_P_PUPATall
ETH_P_TSNall
ETH_P_IPall
ETH_P_X25all
ETH_P_ARPall
ETH_P_BPQall
ETH_P_IEEEPUPall
ETH_P_IEEEPUPATall
ETH_P_BATMANall
ETH_P_DECall
ETH_P_DNADLall
ETH_P_DNARCall
ETH_P_DNARTall
ETH_P_LATall
ETH_P_DIAGall
ETH_P_CUSTall
ETH_P_SCAall
ETH_P_TEBall
ETH_P_RARPall
ETH_P_ATALKall
ETH_P_AARPall
ETH_P_8021_Qall
ETH_P_ERSPANall
ETH_P_IPXall
ETH_P_IPV6all
ETH_P_PAUSEall
ETH_P_SLOWall
ETH_P_WCCPall
ETH_P_MPLSUCall
ETH_P_MPLSMCall
ETH_P_ATMMPOAall
ETH_P_PPPDISCall
ETH_P_PPPSESall
ETH_P__LINK_CTLall
ETH_P_ATMFATEall
ETH_P_PAEall
ETH_P_AOEall
ETH_P_8021_ADall
ETH_P_802_EX1all
ETH_P_TIPCall
ETH_P_MACSECall
ETH_P_8021_AHall
ETH_P_MVRPall
ETH_P_1588all
ETH_P_NCSIall
ETH_P_PRPall
ETH_P_FCOEall
ETH_P_IBOEall
ETH_P_TDLSall
ETH_P_FIPall
ETH_P_80221all
ETH_P_HSRall
ETH_P_NSHall
ETH_P_LOOPBACKall
ETH_P_QINQ1all
ETH_P_QINQ2all
ETH_P_QINQ3all
ETH_P_EDSAall
ETH_P_IFEall
ETH_P_AFIUCVall
ETH_P_8023_MINall
ETH_P_IPV6_HOP_BY_HOPall
ETH_P_8023all
ETH_P_AX25all
ETH_P_ALLall
ETH_P_8022all
ETH_P_SNAPall
ETH_P_DDCMPall
ETH_P_WANPPPall
ETH_P_PPPMPall
ETH_P_LOCALTALKall
ETH_P_CANall
ETH_P_CANFDall
ETH_P_PPPTALKall
ETH_P_TR8022all
ETH_P_MOBITEXall
ETH_P_CONTROLall
ETH_P_IRDAall
ETH_P_ECONETall
ETH_P_HDLCall
ETH_P_ARCNETall
ETH_P_DSAall
ETH_P_TRAILERall
ETH_P_PHONETall
ETH_P_IEEE802154all
ETH_P_CAIFall
ETH_P_XDSAall
ETH_P_MAPall

L4 protocols

L4 protocols are the supported Layer 4 protocols.

NameArchitectures
IP_PROTO_IPall
IP_PROTO_ICMPall
IP_PROTO_IGMPall
IP_PROTO_IPIPall
IP_PROTO_TCPall
IP_PROTO_EGPall
IP_PROTO_IGPall
IP_PROTO_PUPall
IP_PROTO_UDPall
IP_PROTO_IDPall
IP_PROTO_TPall
IP_PROTO_DCCPall
IP_PROTO_IPV6all
IP_PROTO_RSVPall
IP_PROTO_GREall
IP_PROTO_ESPall
IP_PROTO_AHall
IP_PROTO_ICMPV6all
IP_PROTO_MTPall
IP_PROTO_BEETPHall
IP_PROTO_ENCAPall
IP_PROTO_PIMall
IP_PROTO_COMPall
IP_PROTO_SCTPall
IP_PROTO_UDPLITEall
IP_PROTO_MPLSall
IP_PROTO_RAWall

MMap flags

MMap flags are the supported flags for the mmap syscall.

NameArchitectures
MAP_SHAREDall
MAP_PRIVATEall
MAP_SHARED_VALIDATEall
MAP_ANONall
MAP_ANONYMOUSall
MAP_DENYWRITEall
MAP_EXECUTABLEall
MAP_FIXEDall
MAP_FIXED_NOREPLACEall
MAP_GROWSDOWNall
MAP_HUGETLBall
MAP_LOCKEDall
MAP_NONBLOCKall
MAP_NORESERVEall
MAP_POPULATEall
MAP_STACKall
MAP_SYNCall
MAP_UNINITIALIZEDall
MAP_HUGE_16KBall
MAP_HUGE_64KBall
MAP_HUGE_512KBall
MAP_HUGE_1MBall
MAP_HUGE_2MBall
MAP_HUGE_8MBall
MAP_HUGE_16MBall
MAP_HUGE_32MBall
MAP_HUGE_256MBall
MAP_HUGE_512MBall
MAP_HUGE_1GBall
MAP_HUGE_2GBall
MAP_HUGE_16GBall
MAP_32BITamd64

Network Address Family constants

Network Address Family constants are the supported network address families.

NameArchitectures
AF_UNSPECall
AF_LOCALall
AF_UNIXall
AF_FILEall
AF_INETall
AF_AX25all
AF_IPXall
AF_APPLETALKall
AF_NETROMall
AF_BRIDGEall
AF_ATMPVCall
AF_X25all
AF_INET6all
AF_ROSEall
AF_DECnetall
AF_NETBEUIall
AF_SECURITYall
AF_KEYall
AF_NETLINKall
AF_ROUTEall
AF_PACKETall
AF_ASHall
AF_ECONETall
AF_ATMSVCall
AF_RDSall
AF_SNAall
AF_IRDAall
AF_PPPOXall
AF_WANPIPEall
AF_LLCall
AF_IBall
AF_MPLSall
AF_CANall
AF_TIPCall
AF_BLUETOOTHall
AF_IUCVall
AF_RXRPCall
AF_ISDNall
AF_PHONETall
AF_IEEE802154all
AF_CAIFall
AF_ALGall
AF_NFCall
AF_VSOCKall
AF_KCMall
AF_QIPCRTRall
AF_SMCall
AF_XDPall
AF_MAXall

Network directions

Network directions are the supported directions of network packets.

NameArchitectures
INGRESSall
EGRESSall

Open flags

Open flags are the supported flags for the open syscall.

NameArchitectures
O_RDONLYall
O_WRONLYall
O_RDWRall
O_APPENDall
O_CREATall
O_EXCLall
O_SYNCall
O_TRUNCall
O_ACCMODEall
O_ASYNCall
O_CLOEXECall
O_DIRECTall
O_DIRECTORYall
O_DSYNCall
O_FSYNCall
O_NDELAYall
O_NOATIMEall
O_NOCTTYall
O_NOFOLLOWall
O_NONBLOCKall
O_RSYNCall

Pipe buffer flags

Pipe buffer flags are the supported flags for a pipe buffer.

NameArchitectures
PIPE_BUF_FLAG_LRUall
PIPE_BUF_FLAG_ATOMICall
PIPE_BUF_FLAG_GIFTall
PIPE_BUF_FLAG_PACKETall
PIPE_BUF_FLAG_CAN_MERGEall
PIPE_BUF_FLAG_WHOLEall
PIPE_BUF_FLAG_LOSSall

Protection constants

Protection constants are the supported protections for the mmap syscall.

NameArchitectures
PROT_NONEall
PROT_READall
PROT_WRITEall
PROT_EXECall
PROT_GROWSDOWNall
PROT_GROWSUPall

Ptrace constants

Ptrace constants are the supported ptrace commands for the ptrace syscall.

NameArchitectures
PTRACE_TRACEMEall
PTRACE_PEEKTEXTall
PTRACE_PEEKDATAall
PTRACE_PEEKUSRall
PTRACE_POKETEXTall
PTRACE_POKEDATAall
PTRACE_POKEUSRall
PTRACE_CONTall
PTRACE_KILLall
PTRACE_SINGLESTEPall
PTRACE_ATTACHall
PTRACE_DETACHall
PTRACE_SYSCALLall
PTRACE_SETOPTIONSall
PTRACE_GETEVENTMSGall
PTRACE_GETSIGINFOall
PTRACE_SETSIGINFOall
PTRACE_GETREGSETall
PTRACE_SETREGSETall
PTRACE_SEIZEall
PTRACE_INTERRUPTall
PTRACE_LISTENall
PTRACE_PEEKSIGINFOall
PTRACE_GETSIGMASKall
PTRACE_SETSIGMASKall
PTRACE_SECCOMP_GET_FILTERall
PTRACE_SECCOMP_GET_METADATAall
PTRACE_GET_SYSCALL_INFOall
PTRACE_GETFPREGSamd64, arm
PTRACE_SETFPREGSamd64, arm
PTRACE_GETFPXREGSamd64
PTRACE_SETFPXREGSamd64
PTRACE_OLDSETOPTIONSamd64, arm
PTRACE_GET_THREAD_AREAamd64, arm
PTRACE_SET_THREAD_AREAamd64
PTRACE_ARCH_PRCTLamd64
PTRACE_SYSEMUamd64, arm64
PTRACE_SYSEMU_SINGLESTEPamd64, arm64
PTRACE_SINGLEBLOCKamd64
PTRACE_GETCRUNCHREGSarm
PTRACE_GETFDPICarm
PTRACE_GETFDPIC_EXECarm
PTRACE_GETFDPIC_INTERParm
PTRACE_GETHBPREGSarm
PTRACE_GETVFPREGSarm
PTRACE_GETWMMXREGSarm
PTRACE_SETCRUNCHREGSarm
PTRACE_SETHBPREGSarm
PTRACE_SETVFPREGSarm
PTRACE_SETWMMXREGSarm
PTRACE_SET_SYSCALLarm
PTRACE_PEEKMTETAGSarm64
PTRACE_POKEMTETAGSarm64

Signal constants

Signal constants are the supported signals for the kill syscall.

NameArchitectures
SIGHUPall
SIGINTall
SIGQUITall
SIGILLall
SIGTRAPall
SIGABRTall
SIGIOTall
SIGBUSall
SIGFPEall
SIGKILLall
SIGUSR1all
SIGSEGVall
SIGUSR2all
SIGPIPEall
SIGALRMall
SIGTERMall
SIGSTKFLTall
SIGCHLDall
SIGCONTall
SIGSTOPall
SIGTSTPall
SIGTTINall
SIGTTOUall
SIGURGall
SIGXCPUall
SIGXFSZall
SIGVTALRMall
SIGPROFall
SIGWINCHall
SIGIOall
SIGPOLLall
SIGPWRall
SIGSYSall

Unlink flags are the supported flags for the unlink syscall.

NameArchitectures
AT_REMOVEDIRall

Virtual Memory flags

Virtual Memory flags define the protection of a virtual memory segment.

NameArchitectures
VM_NONEall
VM_READall
VM_WRITEall
VM_EXECall
VM_SHAREDall
VM_MAYREADall
VM_MAYWRITEall
VM_MAYEXECall
VM_MAYSHAREall
VM_GROWSDOWNall
VM_UFFD_MISSINGall
VM_PFNMAPall
VM_UFFD_WPall
VM_LOCKEDall
VM_IOall
VM_SEQ_READall
VM_RAND_READall
VM_DONTCOPYall
VM_DONTEXPANDall
VM_LOCKONFAULTall
VM_ACCOUNTall
VM_NORESERVEall
VM_HUGETLBall
VM_SYNCall
VM_ARCH_1all
VM_WIPEONFORKall
VM_DONTDUMPall
VM_SOFTDIRTYall
VM_MIXEDMAPall
VM_HUGEPAGEall
VM_NOHUGEPAGEall
VM_MERGEABLEall

お役に立つドキュメント、リンクや記事:

Get started with Datadog CSM ThreatsDOCUMENTATION more more
PREVIEWING: vishalshah/update-sql-reference