# This file is automatically generated, DO NOT MODIFY.
"TRUE","Cmd // Interactive Command Executions","evt.type == \x22execve\x22 and evt.dir == \x22<\x22 and (proc.pname == \x22bash\x22 or proc.pname == \x22zsh\x22 or proc.pname == \x22tcsh\x22 or proc.pname == \x22ksh\x22 or proc.pname == \x22fish\x22)","List the interactive command executions (execve system call) whose parent process is a shell (bash, zsh, tcsh, ksh, fish)"
"TRUE","Cmd // All Command Executions","evt.type == \x22execve\x22","List all command executions (execve system call)"
"TRUE","File // All File Activity","evt.category == \x22file\x22","Display activity on files"
"TRUE","File // Opens","evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22","Display file open events (open, openat...)"
"TRUE","File // Reads/Writes","evt.category==\x22file\x22 && evt.is_io == True",""
"TRUE","File // Writes","evt.category==\x22file\x22 && evt.is_io == True  && evt.is_io_write == True",""
"FALSE","File // Opens W","(evt.type == \x22open\x22 || evt.type == \x22openat\x22 || evt.type == \x22openat2\x22) && (evt.is_open_write == True)","Display file open events (open, openat...) where the file has been open with \x22write\x22 flags"
"TRUE","File // File Deletions","evt.type == \x22unlink\x22 || evt.type == \x22unlinkat\x22 || evt.type == \x22rmdir\x22",""
"TRUE","File // Symlink Creation","(evt.type == \x22symlink\x22 || evt.type == \x22symlinkat\x22) && evt.dir == \x22<\x22",""
"TRUE","Network // All Network Activity","evt.category==\x22net\x22","Display activity on the network"
"TRUE","Network // Reads/Writes","evt.category==\x22net\x22 && evt.is_io == True",""
"TRUE","Network // Outbound Connection Requests","evt.type == \x22connect\x22","Show the client-side network connection attempts"
"TRUE","Network // Inbound Connection Requests","evt.type == \x22accept\x22","Show the server-side acceptance of incoming connections (accept system call; note that accept4 is not matched by this filter)"
"TRUE","Network // Port Opens","evt.type == \x22bind\x22","Show the server-side binding of local addresses/ports (bind system call)"
"FALSE","I/O","evt.is_io == True","Show all IO system calls (read/write/sendto...)"
"FALSE","I/O W","(evt.is_io == True) && (evt.is_io_write == True)","Show all of the I/O system calls that write content on file descriptors (write, sendto...)"
"TRUE","Misc // Falco Events","sysdig.event_name == \x22notification\x22","This finds the Falco notifications that have been embedded into captures. It allows you to quickly jump to the place where something happened"
"TRUE","Misc // Process/Thread Creation","evt.type == \x22clone\x22 || evt.type == \x22clone3\x22 || evt.type == \x22fork\x22 || evt.type == \x22vfork\x22","Selects the process/thread creation system calls (clone, clone3, fork, vfork)"
"TRUE","Misc // Failed System Calls","(evt.failed == True) && !(evt.res == \x22EAGAIN\x22) && !(evt.res == \x22EALREADY\x22)","Selects the system calls that failed, excluding the transient EAGAIN and EALREADY results"
"TRUE","Misc // Writes to Log Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name contains \x22/var/log\x22 || fd.name contains \x22.log\x22 || fd.name contains \x22_log\x22)","Selects completed write I/O to file descriptors whose name contains /var/log, .log or _log (a substring match, so unrelated paths containing these strings are also shown)"
"TRUE","Misc // Writes to System Files","evt.is_io_write == True && evt.dir == \x22<\x22 && (fd.name matches \x22^/bin/\x22 || fd.name matches \x22^/sbin/\x22 || fd.name matches \x22^/boot/\x22 || fd.name matches \x22^/etc/\x22 || fd.name matches \x22^/lib/\x22 || fd.name matches \x22^/usr/bin/\x22 || fd.name matches \x22^/usr/sbin/\x22 || fd.name matches \x22^/usr/share/\x22 || fd.name matches \x22^/usr/lib\x22)","Selects completed write I/O to file descriptors under system directories (/bin, /sbin, /boot, /etc, /lib, /usr/bin, /usr/sbin, /usr/share, /usr/lib)"
"TRUE","Misc // Kernel Modules Loading","evt.type==init_module || evt.type==finit_module","Selects the kernel module loading system calls (init_module, finit_module)"
