Skip to content

Using Metaevent Filters

Investigations collects all of the metaevents for any tables you've turned on and writes them to a blob storage location of your choice. This can generate a lot of data, particularly for certain workloads, such as a microservice that outputs data to Kafka or a static webserver serving files from a single directory. In these instances, it may be helpful to remove any connection events that are writing data out on port 9092 or file events from the directory on the webserver.

This is where filters come in. Filters let you specify a set of rules that determine whether or not to generate a metaevent. Doing this reduces duplicate events, allowing faster query times, less bandwidth usage, and better sensor performance.

Syntax

Metaevent filters are specified on a per-table basis and use the same rule syntax as custom detections. The first step in writing a filter is determining whether it should default match or default ignore. You must specify a default action before adding custom rules.

  • default match means that the sensor will match all incoming metaevents by default, and your rules would then ignore metaevents that shouldn't be saved. An example of this would be a Kafka worker node matching all connection metaevents and ignoring those making a connection to port 9092.
  • default ignore means that the sensor will ignore all metaevents by default. Your rules would then match specific cases that need to be output. An example would be ignoring all file events but matching on file creation and modification for file integrity monitoring.

The next step to creating a filter is determining which fields to filter on. Each metaevent type has a set of valid fields that you can filter, ranging from container id to file path to connection port. You can find a full reference at the end of this document. These event types can then be compared to relevant values and either matched or ignored when they meet the condition. For example, to filter all traffic to port 9092, the rule would look like this: ignore outboundPort == 9092

Once you have your rules, you can construct them into a filter. A filter is a set of rules organized into a list. If a filter has multiple rules, all rules are evaluated in the order shown. The filter for the prior Kafka example would look like this:

filter: 
  - ignore outboundPort == 9092
  - default match

That filter when applied in a config file would look like this:

investigations:
  metaevent_dispatcher_enabled: true
  enable_incremental_flush: false
  reporting_interval: 5s
  sinks:
    - name: <a_folder_name>
      backend: aws
      automated: true
      type: parquet
  flight_recorder:
    enabled: true
    tables:
      ... all other tables ...
      - name: "connection_events"
        rows: 1000
        enabled: true
        filter:
          - ignore outboundPort == 9092
          - default match

Another example that uses multiple rules is file integrity monitoring for a static web server. In this case, only file creation and modifications are saved as we would expect to see file reads:

filter: 
  - match operation == "create"
  - match operation == "modify"
  - default ignore

When applied in a config file, that filter would look like the following example:

investigations: 
  reporting_interval: 5s 
  sinks: 
    - name: <a_folder_name>
      backend: file
      automated: true
      type: json
  flight_recorder:
    enabled: true 
    tables:
      ... all other tables ... 
      - name: "file_events"
        rows: 1000 
        enabled: true 
        filter: 
          - match eventType == "FILE_OPERATION_CREATE"
          - match eventType == "FILE_OPERATION_MODIFY"
          - default ignore

Success and Errors:

Once a filter has been added to a sensor config and the sensor has been restarted, there should be a log entry like the following example:

2021-04-30T13:00:00.337Z INFO Program filtering active

That line means that the filters were syntactically correct and are applied. If something is wrong with the filter, such as a type or an incorrect field name, there will be a log entry like the following example:

2021-04-30T12:55:43.382Z WARN Investigations event filters could not be applied: "evntType" is not a valid field for this strategy. Valid fields are [ancestorProgramName commandLine containerId
containerIsPrivileged containerLifetime containerName currentWorkingDirectory fileContainerId fileHash filePath gid group hasIncidentID hasNetworkServiceAncestor imageId imageName lineage loginGid loginG
roup loginUid loginUser namespace operation parentProgramArguments parentProgramName podName programArguments programDepth programHash programLifetime programName sourceFilePath uid userName] (in policy "
file_operation_metaevent_filter", rule "match evntType == \"FILE_OPERATION_CREATE\""). unexpected $end in rule: match eventType == "FILE_OPERATION_CREATE" Invalid expression in rule: match eventType == "
FILE_OPERATION_CREATE"

In this case, an "e" was missed in eventType.

Reference

All of the fields that be used by filters:

Field Event type Description
containerId all The Container Id that the process is running in
containerName all The container name
containerLifetime all Length of time that the container has been running when the event occurred.
containerIsPrivileged all The container is running with cap_sys_admin privileges
imageId all Image id of the container in which the event occurred
imageName all Image name of the container in which the event occurred
namespace all Name of the kubernetes namespace in which the program's container resides
podName all Name of the kubernetes pod in which the program's container resides
programName all Name of the program which generated the event
parentProgramName all Name of the parent of the program which generated the event
programArguments all Arguments passed to the program which generated the event
parentProgramArguments all Arguments passed to the parent of the program which generated the event
programLifetime all Lifetime of the program as duration.
programDepth all Exec depth of process
ancestorProgramName all Any matching ancestor of the program which generated the event
lineage all Program lineage (currently based on program path without arguments) for the event
programHash all SHA256 hash of the program in which the event occurred
hasNetworkServiceAncestor all The program is descended from a network service
currentWorkingDirectory all Current working directory of the program which generated the event
hasIncidentID all The program or one of its ancestors has produced an alert
commandLine all Command line input as observed by a shell program
userName all Username of the program which generated the event
group all Group name of the program which generated the event
uid all UID of the program which generated the event
gid all GID of the program which generated the event
loginUser all Username of the login which generated the event
loginGroup all Group name of the login which generated the event
loginUid all UID of the login which generated the event
loginGid all GID of the login which generated the event
eventType all The type of action that generated the event. Reference below.
filePath file_events File path for a file event. For file events that reference both a source and a target, refers to the target path.
operation file_events Operation type for a file event. Possible values are: open, create, link, modify, append, rename, delete, setattr, or getattr.
sourceFilePath file_events Source path for a file event
fileContainerId file_events Id of the container in which the file resides
fileHash file_events SHA256 hash of the file path on which the event occurred
remoteHost connections Host IP address for a connection event
outboundPort connections Outbound port for a connection event
interfaceIP connections IP address of network service event
inboundPort connections Inbound port for a connection event
creatorProgramName process_events Name of the program which last modified the new file
creatorParentProgramName process_events Name of the parent of the program which last modified the new file
creatorAncestorProgramName process_events Any matching ancestor of the program which modified the file
creatorLineage process_events Lineage of the program which modified the file
creatorProgramArguments process_events Arguments passed to the program which modified the new file
creatorParentProgramArguments process_events Arguments passed to the parent of the program which modified the new file
creatorUserName process_events Username of the program which modified the new file
creatorGroup process_events Group name of the program which modified the new file
creatorUid process_events UID of the program which modified the new file
creatorGid process_events GID of the program which modified the new file
creatorLoginUser process_events Username of the login which modified the new file
creatorLoginGroup process_events Group name of the login which modified the new file
creatorLoginUid process_events UID of the login which modified the new file
creatorLoginGid process_events GID of the login which modified the new file
targetUid process_events The program is attempting to change its UID to the targetUid
targetEuid process_events The program is attempting to change its EUID to the targetEuid
targetSuid process_events The program is attempting to change its SUID to the targetSuid
targetFsuid process_events The program is attempting to change its FSUID to the targetFsuid
targetGid process_events The program is attempting to change its GID to the targetGid
targetEgid process_events The program is attempting to change its EGID to the targetEgid
targetSgid process_events The program is attempting to change its SGID to the targetSgid
targetFsgid process_events The program is attempting to change its FSGID to the targetFsgid

eventType Possible Values:

  • CONTAINER_EVENT_START
  • CONTAINER_EVENT_TYPE_CREATED
  • CONTAINER_EVENT_TYPE_RUNNING
  • CONTAINER_EVENT_TYPE_EXITED
  • CONTAINER_EVENT_TYPE_DESTROYED
  • CONTAINER_EVENT_TYPE_UPDATED
  • CONTAINER_EVENT_END
  • PROCESS_EVENT_START
  • PROCESS_EVENT_TYPE_FORK
  • PROCESS_EVENT_TYPE_EXEC
  • PROCESS_EVENT_TYPE_EXIT
  • PROCESS_EVENT_TYPE_UPDATE
  • PROCESS_EVENT_TYPE_UPDATE_CONTAINER
  • PROCESS_EVENT_TYPE_UPDATE_CREDENTIALS
  • PROCESS_EVENT_END
  • FILE_EVENT_START
  • FILE_EVENT_TYPE_OPEN_READ_ONLY
  • FILE_EVENT_TYPE_CREATE
  • FILE_EVENT_TYPE_DELETE
  • FILE_EVENT_TYPE_HARD_LINK
  • FILE_EVENT_TYPE_SYM_LINK
  • FILE_EVENT_TYPE_MODIFY
  • FILE_EVENT_TYPE_RENAME
  • FILE_EVENT_TYPE_OPEN_FOR_WRITE
  • FILE_EVENT_TYPE_CLOSE_FOR_WRITE
  • FILE_EVENT_TYPE_ATTRIBUTE_CHANGE
  • FILE_EVENT_TYPE_GET_ATTRIBUTES
  • FILE_EVENT_END
  • NETWORK_EVENT_START
  • SYSCALL_EVENT_ACCEPT
  • SYSCALL_ACCEPT_ENTER_EVENT
  • SYSCALL_ACCEPT_EXIT_EVENT
  • SYSCALL_EVENT_BIND
  • SYSCALL_BIND_ENTER_EVENT
  • SYSCALL_BIND_EXIT_EVENT
  • SYSCALL_EVENT_CONNECT
  • SYSCALL_CONNECT_ENTER_EVENT
  • SYSCALL_CONNECT_EXIT_EVENT
  • SYSCALL_EVENT_LISTEN
  • SYSCALL_LISTEN_ENTER_EVENT
  • SYSCALL_LISTEN_EXIT_EVENT
  • SYSCALL_EVENT_RECVFROM
  • SYSCALL_RECVFROM_ENTER_EVENT
  • SYSCALL_RECVFROM_EXIT_EVENT
  • SYSCALL_EVENT_SENDTO
  • SYSCALL_SENDTO_ENTER_EVENT
  • SYSCALL_SENDTO_EXIT_EVENT
  • NETWORK_EVENT_CONNECT
  • NETWORK_EVENT_END
  • NETWORKBOUND_IO_EVENT
  • INTERACTIVE_SHELL_EVENT
  • NETWORK_SERVICE_CREATED_EVENT
  • FILE_EVENT_TYPE_WRITE_BATCH_RAW
  • FILE_EVENT_TYPE_WRITE_BATCH
  • SHELL_COMMAND_EVENT
  • NEW_FILE_EXEC_EVENT
  • SET_CAPABILITIES_EVENT
  • COMMAND_LINE_ACTIVITY_EVENT