kubernetes_falco.yml

name: Kubernetes Falco
id: 23c0eeed-840a-4711-a41b-6819c1ffbba5
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Kubernetes Falco
source: kubernetes
sourcetype: kube:container:falco
supported_TA: []
fields:
- _time
- command
- container_id
- container_image
- container_image_tag
- container_name
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- evt_type
- exe_flags
- host
- index
- k8s_ns
- k8s_pod_name
- linecount
- parent
- proc_exepath
- process
- punct
- source
- sourcetype
- splunk_server
- terminal
- timeendpos
- timestartpos
- user
- user_loginuid
- user_uid
example_log: '12:18:18.691725165: Notice A shell was spawned in a container with an
  attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash
  proc_exepath=/usr/lib/splunk-otel-collector/agent-bundle/bin/bash parent=runc command=bash
  -il terminal=34816 exe_flags=EXE_WRITABLE container_id=7a2566e8e462 container_image=quay.io/signalfx/splunk-otel-collector
  container_image_tag=0.88.0 container_name=otel-collector k8s_ns=default k8s_pod_name=my-splunk-otel-collector-agent-9sdhr)'