CKS - Regarding the solution for the Falco rules

Hello Team,

I have a doubt about the Falco problem.
In the Falco lab, the last question is to modify the rule output as specified in the question. The same kind of question comes up in Mock 2 as well. However, the rule modification is different in the two solutions. Can you please check and tell me which solution should be adopted?

I modified the rule in Mock 2 as per the lab. I tested the rule and it worked as well, but after submitting the exam (Mock 2) it shows my answer is wrong.

Hello @sachinsagy
The rule below is working fine.

- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    %evt.time.s,%user.uid,%container.id,%container.image.repository
  priority: ALERT
  tags: [container, shell, mitre_execution]

I used the rule output like this:
  output: >
    (%evt.time.s %user.uid %container.id %container.image.repository)
  priority: ALERT

I checked the logs and the result is as expected; the rule is working fine. Looks good. Now I want to know which rule should be used in the exam: the one I used here, or the one pasted in the chat above?

Hello @sachinsagy,

We don't know what the question in the exam looks like, and discussing the exam question is again against the NDA.
Basically, you need to read the question, follow the instructions and verify it. A tip is to copy the existing rule and modify it rather than create a new one from scratch, so that you can avoid syntax issues.

Thanks,
Trung.
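The advice above is to modify the existing rule and then verify it. The mistake in the thread (output field list not matching what the question asked for) is easy to catch mechanically. The script below is an added example, not part of this thread and not Falco's own tooling: it extracts the %field tokens from the folded `output:` scalar of a rule file using only the standard library (no PyYAML assumed) and compares them, in order, with the list of fields the question requires. The sample rule text is the one posted above; the required-field list is a constructed assumption.

```python
import re

# Constructed sample: the rule posted in the thread, with the modified output line.
RULE_YAML = """\
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    %evt.time.s,%user.uid,%container.id,%container.image.repository
  priority: ALERT
  tags: [container, shell, mitre_execution]
"""

# Falco output fields are written as %<field.name>; the token ends at the
# first character that is not part of a dotted identifier (comma, space, paren).
FIELD_RE = re.compile(r"%([A-Za-z_][\w.]*)")


def folded_scalar(rule_text, key):
    """Return the value of `key:` inside the rule text.

    Handles both an inline value (`key: value`) and a block scalar
    (`key: >` or `key: |`) whose continuation lines are indented more
    than the key itself; continuation lines are joined with single spaces.
    Returns None if the key is absent.
    """
    lines = rule_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)" + re.escape(key) + r":\s*(.*)$", line)
        if not m:
            continue
        indent = len(m.group(1))
        rest = m.group(2).strip()
        if rest not in (">", "|"):
            return rest
        parts = []
        for nxt in lines[i + 1:]:
            if nxt.strip() == "":
                continue
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break  # back at the key's own indentation: block scalar ended
            parts.append(nxt.strip())
        return " ".join(parts)
    return None


def output_fields(rule_text):
    """List the %fields referenced by the rule's output line, in order."""
    out = folded_scalar(rule_text, "output")
    return FIELD_RE.findall(out) if out else []


def check_output(rule_text, required):
    """Compare the rule's output fields with the required list.

    `ok` is True only when the fields match exactly and in the same order,
    which is what a grader comparing against an expected output line checks.
    """
    got = output_fields(rule_text)
    required = list(required)
    return {
        "ok": got == required,
        "found": got,
        "missing": [f for f in required if f not in got],
        "extra": [f for f in got if f not in required],
    }


if __name__ == "__main__":
    # Assumed requirement, as a question might phrase it: time, uid, container id, image repo.
    wanted = ["evt.time.s", "user.uid", "container.id", "container.image.repository"]
    print(check_output(RULE_YAML, wanted))
```

Run the check on the rules file you edited before declaring the task done; it only inspects the output line, so still load the file with Falco itself (`falco -V <rules_file>` validates a rules file) to catch YAML or condition syntax errors that the copy-and-modify approach is meant to avoid.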