Reference: Alert template schema
This section describes the alert schema used in alert templates.
The types in the Type column are either native Go types or custom types defined by Sophos. In this document, native Go types have lowercase names and custom types have capitalized names; every custom type defined below has its own section.
The Usage Example column shows a template fragment that you can copy and paste into a template for a particular use case. For nested fields, the example includes the parent field names needed to reach the field (for example {{.ProcessInfo.Program}}). For slices, the data is accessed with a range action or the index function (for example {{range .Lineage}} {{.Program.Path}} {{end}}). The usage examples shown here are not the only way to use alert fields in an alert template.
Note that the alert schema differs between the JSON format and the alert template format, so consult this document rather than a JSON alert when writing a template. For details, see Alert configuration templates.
Alert
Alert is the top-level alert type of Sophos Linux Sensor.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| GroupID | string | The Unix group ID. | {{.GroupID}} |
| Timestamp | int64 | The Unix timestamp of when the Alert was generated. | {{.Timestamp}} |
| Description | string | The description of the Alert from Policy. | {{.Description}} |
| Comments | string | The comments on the Alert from Policy. | {{.Comments}} |
| UUID | string | The Universally Unique ID for this Alert. | {{.UUID}} |
| AlertLabels | map[string]string | The Alert labels from Policy. | {{.AlertLabels}} |
| Priority | Priority | The Alert's priority. | {{.Priority}} |
| Confidence | Confidence | The confidence that the Alert is not a false positive. | {{.Confidence}} |
| Location | AlertLocation | The location of where the Alert was generated. | {{.Location}} |
| ProcessInfo | ProcessInfo | The information about the process that generated the Alert (if available). | {{.ProcessInfo}} |
| Lineage | []ProcessInfo | The information about both the process and program's lineage (if enabled). | {{.Lineage}} |
| StrategyName | string | The name and release version of the Policy. | {{.StrategyName}} |
| PolicyType | Policy | The Policy's type (for example Program). | {{.PolicyType}} |
| Scope | Scope | The scope of the Alert's process. | {{.Scope}} |
| Notifications | []AlertNotification | The notifications associated with the Alert and its response actions. | {{.Notifications}} |
| MatchedObjects | []AlertFilterMatch | The objects that were matched that caused the Alert. | {{.MatchedObjects}} |
| MatchedRule | string | The policy rule that was matched that caused the Alert. | {{.MatchedRule}} |
| Metadata | map[string]string | The system metadata from the Alert process' host. | {{.Metadata}} |
| Categories | string | The MITRE categories this Alert belongs to. | {{.Categories}} |
AlertLocation
AlertLocation is accessed through the Alert's Location field.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| NodeName | string | The host name of the underlying node. | {{.Location.NodeName}} |
| PodName | string | The Kubernetes pod name. | {{.Location.PodName}} |
| K8sNamespace | string | The Kubernetes namespace of the pod. | {{.Location.K8sNamespace}} |
| ContainerID | string | The unique identifier of the running container instance. | {{.Location.ContainerID}} |
| ContainerName | string | The name assigned to the container. | {{.Location.ContainerName}} |
| ImageID | string | The unique ID of the image the container was built from. | {{.Location.ImageID}} |
| ImageName | string | The name of the image the container was built from. | {{.Location.ImageName}} |
| SensorID | string | The unique identifier of the sensor that this container is running on. | {{.Location.SensorID}} |
AlertNotification
AlertNotification is accessed through the Alert's Notifications field, which is a slice.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| Timestamp | int64 | The timestamp of the notification. | {{range .Notifications}} {{.Timestamp}} {{end}} |
| Name | string | The name of the notification. | {{range .Notifications}} {{.Name}} {{end}} |
| ActorUUID | string | The UUID of the notification's actor. | {{range .Notifications}} {{.ActorUUID}} {{end}} |
| Message | string | The message associated with the notification. | {{range .Notifications}} {{.Message}} {{end}} |
| MessageFields | AlertMessageFields | The message fields associated with the notification. | {{range .Notifications}} {{.MessageFields}} {{end}} |
AlertMessageFields
AlertMessageFields is accessed through the MessageFields field of each of the Alert's Notifications.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| ActionType | string | The type of response action taken, for example "kill" or "stop". | {{range .Notifications}} {{.MessageFields.ActionType}} {{end}} |
| ActionTargetType | string | The type of target the response action was taken against, for example "process" or "container". | {{range .Notifications}} {{.MessageFields.ActionTargetType}} {{end}} |
| ActionResult | string | The outcome of the action, for example "successful" or "unsuccessful". | {{range .Notifications}} {{.MessageFields.ActionResult}} {{end}} |
| ActionResultDetails | string | Additional messages about the action's outcome. | {{range .Notifications}} {{.MessageFields.ActionResultDetails}} {{end}} |
| ConnectionDirection | string | The inbound/outbound nature of a network event. | {{range .Notifications}} {{.MessageFields.ConnectionDirection}} {{end}} |
| DisabledMechanism | string | The disabled security mechanism referenced in an alert. | {{range .Notifications}} {{.MessageFields.DisabledMechanism}} {{end}} |
| FilePath | string | The file path in a relevant event. | {{range .Notifications}} {{.MessageFields.FilePath}} {{end}} |
| FileSHA256Hash | string | The calculated content hash of the file at FilePath. | {{range .Notifications}} {{.MessageFields.FileSHA256Hash}} {{end}} |
| SourceFilePath | string | The source file path that was linked or moved into FilePath in a relevant event. | {{range .Notifications}} {{.MessageFields.SourceFilePath}} {{end}} |
| InstanceCount | int32 | The number of times the relevant event occurred. | {{range .Notifications}} {{.MessageFields.InstanceCount}} {{end}} |
| KernelFunction | string | The kernel function in a kernel payload event. | {{range .Notifications}} {{.MessageFields.KernelFunction}} {{end}} |
| LocalPort | uint16 | The local port in a network event. | {{range .Notifications}} {{.MessageFields.LocalPort}} {{end}} |
| ModifiedCredentialFields | string | The list of cred struct members that changed. | {{range .Notifications}} {{.MessageFields.ModifiedCredentialFields}} {{end}} |
| ModuleName | string | The kernel module loaded. | {{range .Notifications}} {{.MessageFields.ModuleName}} {{end}} |
| NewPermissionsMask | string | The octal version of new file permissions. | {{range .Notifications}} {{.MessageFields.NewPermissionsMask}} {{end}} |
| NewPermissionsStrings | string | The string list of new file permissions. | {{range .Notifications}} {{.MessageFields.NewPermissionsStrings}} {{end}} |
| NewUid | int32 | The newly assigned uid. | {{range .Notifications}} {{.MessageFields.NewUid}} {{end}} |
| NewEuid | int32 | The newly assigned euid. | {{range .Notifications}} {{.MessageFields.NewEuid}} {{end}} |
| NewSuid | int32 | The newly assigned suid. | {{range .Notifications}} {{.MessageFields.NewSuid}} {{end}} |
| NewFsuid | int32 | The newly assigned fsuid. | {{range .Notifications}} {{.MessageFields.NewFsuid}} {{end}} |
| NewGid | int32 | The newly assigned gid. | {{range .Notifications}} {{.MessageFields.NewGid}} {{end}} |
| NewEgid | int32 | The newly assigned egid. | {{range .Notifications}} {{.MessageFields.NewEgid}} {{end}} |
| NewSgid | int32 | The newly assigned sgid. | {{range .Notifications}} {{.MessageFields.NewSgid}} {{end}} |
| NewFsgid | int32 | The newly assigned fsgid. | {{range .Notifications}} {{.MessageFields.NewFsgid}} {{end}} |
| PtraceAction | string | The ptrace method used against a process. | {{range .Notifications}} {{.MessageFields.PtraceAction}} {{end}} |
| RemoteHost | string | The remote host in a network event. | {{range .Notifications}} {{.MessageFields.RemoteHost}} {{end}} |
| RemotePort | uint16 | The remote port in a network event. | {{range .Notifications}} {{.MessageFields.RemotePort}} {{end}} |
| SystemCall | string | The syscall name referenced in an alert. | {{range .Notifications}} {{.MessageFields.SystemCall}} {{end}} |
| DurationUnits | string | The time unit in which relevant events occurred. | {{range .Notifications}} {{.MessageFields.DurationUnits}} {{end}} |
| DurationValue | float64 | The number of time units in which relevant events occurred. | {{range .Notifications}} {{.MessageFields.DurationValue}} {{end}} |
| ModifiedElements | []ModifiedElement | The list of elements that changed, each with its old and new value. | {{range .Notifications}} {{.MessageFields.ModifiedElements}} {{end}} |
| Operations | string | The list of operations that were performed during the event. | {{range .Notifications}} {{.MessageFields.Operations}} {{end}} |
ModifiedElement
ModifiedElement is accessed through MessageFields.ModifiedElements of each of the Alert's Notifications; both Notifications and ModifiedElements are slices, so two nested range actions are needed.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| ElementName | string | The element's name. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.ElementName}} {{end}} {{end}} |
| ExpectedValue | string | The "normal" value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.ExpectedValue}} {{end}} {{end}} |
| PreviousValue | string | The element's old value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.PreviousValue}} {{end}} {{end}} |
| NewValue | string | The element's new value. | {{range .Notifications}} {{range .MessageFields.ModifiedElements}} {{.NewValue}} {{end}} {{end}} |
AlertFilterMatch
AlertFilterMatch is accessed through the Alert's MatchedObjects field, which is a slice.
| Field | Type | Description | Usage Example |
|---|---|---|---|
| MatchedField | string | The field name. | {{range .MatchedObjects}} {{.MatchedField}} {{end}} |
| MatchedValue | string | The field value. | {{range .MatchedObjects}} {{.MatchedValue}} {{end}} |
| MatchOperator | string | The operator used in the comparison. | {{range .MatchedObjects}} {{.MatchOperator}} {{end}} |
| MatchedPattern | string | The pattern that the field was matched against. | {{range .MatchedObjects}} {{.MatchedPattern}} {{end}} |
| MatchedDescription | string | The user-supplied description of the pattern. | {{range .MatchedObjects}} {{.MatchedDescription}} {{end}} |
ProcessInfo
ProcessInfo is accessed through the Alert's ProcessInfo field and through the Alert's Lineage field, which is a slice.
The usage examples below show the simpler path through the Alert's ProcessInfo field.
To access it through the Alert's Lineage field, use the following:
{{range .Lineage}} {{.$FIELD}} {{end}}
Replace $FIELD with any field name (for example Uuid).
| Field | Type | Description | Usage Example |
|---|---|---|---|
| Uuid | string | The UUID of this process. | {{.ProcessInfo.Uuid}} |
| TimestampHostMono | uint64 | The host monotonic timestamp of the fork, or of when the process was first seen. | {{.ProcessInfo.TimestampHostMono}} |
| ThreadGroup | *ThreadGroupInfo | The process this thread belongs to. | {{.ProcessInfo.ThreadGroup}} |
| Tgid | uint32 | The process's ID in userland (same as .ThreadGroup.Tgid). | {{.ProcessInfo.Tgid}} |
| Tid | uint32 | The process's ID in the kernel. | {{.ProcessInfo.Tid}} |
| Program | *ProgramInfo | The current program. | {{.ProcessInfo.Program}} |
| CurrentWorkingDirectory | string | The current working directory of this process. | {{.ProcessInfo.CurrentWorkingDirectory}} |
| Privileges | []int | The process's privileges. | {{.ProcessInfo.Privileges}} |
| Username | string | The username for user ID of the task/thread. | {{.ProcessInfo.Username}} |
| Group | string | The group name for group ID of the task/thread. | {{.ProcessInfo.Group}} |
| EffectiveUsername | string | The effective username for user ID of the task/thread. | {{.ProcessInfo.EffectiveUsername}} |
| EffectiveGroup | string | The effective group for group ID of the task/thread. | {{.ProcessInfo.EffectiveGroup}} |
| SavedUsername | string | The saved username for saved user ID of the task/thread. | {{.ProcessInfo.SavedUsername}} |
| SavedGroupname | string | The saved group name for saved group ID of the task/thread. | {{.ProcessInfo.SavedGroupname}} |
| FileSystemUsername | string | The filesystem username for the FsUID of the task/thread. | {{.ProcessInfo.FileSystemUsername}} |
| FileSystemGroup | string | The filesystem group for the FsGID of the task/thread. | {{.ProcessInfo.FileSystemGroup}} |
| ExitTimestampHostMono | uint64 | The time the process exited. | {{.ProcessInfo.ExitTimestampHostMono}} |
ThreadGroupInfo
ThreadGroupInfo is accessed through the ThreadGroup field of a ProcessInfo, that is, through the Alert's ProcessInfo field or through each entry of the Alert's Lineage slice.
The usage examples below show the simpler path through the Alert's ProcessInfo field.
To access it through the Alert's Lineage field, use the following:
{{range .Lineage}} {{.ThreadGroup.$FIELD}} {{end}}
Replace $FIELD with any field name (for example Parent).
| Field | Type | Description | Usage Example |
|---|---|---|---|
| Uuid | string | The thread UUID of the thread group leader. | {{.ProcessInfo.ThreadGroup.Uuid}} |
| TimestampHostMono | uint64 | The host monotonic timestamp of the fork, or of when the process was first seen. | {{.ProcessInfo.ThreadGroup.TimestampHostMono}} |
| Parent | *ThreadGroupInfo | The current parent, not necessarily the creator. | {{.ProcessInfo.ThreadGroup.Parent}} |
| PreviousState | *ThreadGroupInfo | The previous state of this process, if any (for example before an execve(2)). | {{.ProcessInfo.ThreadGroup.PreviousState}} |
| Tgid | uint32 | The process's ID in userland. | {{.ProcessInfo.ThreadGroup.Tgid}} |
| Leader | *ProcessInfo | The leading thread. | {{.ProcessInfo.ThreadGroup.Leader}} |
| Program | *ProgramInfo | The current program. | {{.ProcessInfo.ThreadGroup.Program}} |
ProgramInfo
ProgramInfo is accessed through the Program field of a ProcessInfo, that is, through the Alert's ProcessInfo field or through each entry of the Alert's Lineage slice.
The usage examples below show the simpler path through the Alert's ProcessInfo field.
To access it through the Alert's Lineage field, use the following:
{{range .Lineage}} {{.Program.$FIELD}} {{end}}
Replace $FIELD with any field name (for example Path).
| Field | Type | Description | Usage Example |
|---|---|---|---|
| Path | string | The path to the program's executable. | {{.ProcessInfo.Program.Path}} |
| CmdLine | string | The command line. | {{.ProcessInfo.Program.CmdLine}} |
| Arguments | []string | The program's arguments. | {{.ProcessInfo.Program.Arguments}} |
| TimestampHostMono | uint64 | The timestamp of the exec, or of the first seen program event. | {{.ProcessInfo.Program.TimestampHostMono}} |
| Complete | bool | Indicates whether the program's exec event was observed or not (it is not observed if, for example, the program already existed before program tracking began). | {{.ProcessInfo.Program.Complete}} |
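The following Go program is an added example for this reference, not code from the page or from the sensor itself. It reconstructs a subset of the types above as plain Go structs (an assumption; the sensor's real Go package is not shown here) and renders a constructed alert with text/template, exercising the access patterns the introduction describes: nested fields, range and index over Lineage, the nested range over Notifications and ModifiedElements, and how the Priority enum from the Enum types section renders and compares. Every name, UUID and sample value in it is made up for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Structs reconstructed from this page's schema tables (a subset of the fields):
// an assumption for this example, not the sensor's own Go package.
type Priority int

// String renders the enum by name, so {{.Priority}} prints "High" rather than 4.
func (p Priority) String() string {
	names := []string{"Unknown", "Info", "Low", "Medium", "High"}
	if p >= 0 && int(p) < len(names) {
		return names[p]
	}
	return fmt.Sprintf("Priority(%d)", int(p))
}
type ProgramInfo struct{ Path string }
type ProcessInfo struct {
	Uuid, CurrentWorkingDirectory, Username string
	Tgid                                    uint32
	Program                                 *ProgramInfo // nil when no program was observed
}
type AlertLocation struct{ NodeName, ContainerName, ImageName string }
type ModifiedElement struct{ ElementName, PreviousValue, NewValue string }
type AlertFilterMatch struct{ MatchedField, MatchOperator, MatchedPattern string }
type AlertMessageFields struct {
	ActionType, ActionResult string
	ModifiedElements         []ModifiedElement
}
type AlertNotification struct {
	Name          string
	MessageFields AlertMessageFields
}
type Alert struct {
	UUID, Description, MatchedRule string
	Priority                       Priority
	Location                       AlertLocation
	ProcessInfo                    ProcessInfo
	Lineage                        []ProcessInfo
	MatchedObjects                 []AlertFilterMatch
	Notifications                  []AlertNotification
}
// AlertTemplate uses the access patterns from the tables: nested fields, range
// over slices, a guarded index into Lineage (index on an empty slice is an
// execution error), a nested range, and a numeric comparison on the enum.
const AlertTemplate = `[{{.Priority}}] {{.Description}} ({{.UUID}}) rule={{.MatchedRule}}
host={{.Location.NodeName}} container={{.Location.ContainerName}} image={{.Location.ImageName}}
process={{.ProcessInfo.Program.Path}} pid={{.ProcessInfo.Tgid}} user={{.ProcessInfo.Username}} cwd={{.ProcessInfo.CurrentWorkingDirectory}}
lineage:{{range .Lineage}} {{.Program.Path}}[{{.Tgid}}]{{end}}
{{if .Lineage}}root ancestor={{(index .Lineage 0).Program.Path}}
{{end}}matched:{{range .MatchedObjects}} {{.MatchedField}} {{.MatchOperator}} {{.MatchedPattern}}{{end}}
{{range .Notifications}}response {{.Name}}: {{.MessageFields.ActionType}} {{.MessageFields.ActionResult}}{{range .MessageFields.ModifiedElements}}
  {{.ElementName}}: {{.PreviousValue}} -> {{.NewValue}}{{end}}
{{end}}escalate={{if ge .Priority 3}}yes{{else}}no{{end}}`
// RenderAlert parses and executes a template against one alert. Field names are
// resolved only at execution time (a misspelled field is an Execute error, not a
// Parse error), so rendering a sample alert is how a template gets validated.
func RenderAlert(text string, a Alert) (string, error) {
	tmpl, err := template.New("alert").Parse(text)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, a); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// SampleAlert is constructed data for this example, not real sensor output.
func SampleAlert() Alert {
	shim := &ProgramInfo{Path: "/usr/bin/containerd-shim-runc-v2"}
	proc := ProcessInfo{Uuid: "7f3a9c2e-1b4d-4e8f-9a6b-2c5d8e1f0a3b", Tgid: 4242,
		Program: &ProgramInfo{Path: "/usr/local/bin/helper"}, CurrentWorkingDirectory: "/app", Username: "www-data"}
	return Alert{
		UUID: "3d7c1f5e-0c2b-4b43-9a1a-6d6c4b9f2e10", MatchedRule: "setuid-root-in-container",
		Description: "Process in container changed its effective UID to root", Priority: 4,
		Location:    AlertLocation{NodeName: "worker-01", ContainerName: "web", ImageName: "example/web:1.4"},
		ProcessInfo: proc,
		Lineage:     []ProcessInfo{{Tgid: 1201, Program: shim}, {Tgid: 4100, Program: &ProgramInfo{Path: "/bin/sh"}}, proc},
		MatchedObjects: []AlertFilterMatch{{MatchedField: "NewEuid", MatchOperator: "==", MatchedPattern: "0"}},
		Notifications: []AlertNotification{{Name: "kill-process", MessageFields: AlertMessageFields{
			ActionType: "kill", ActionResult: "successful",
			ModifiedElements: []ModifiedElement{{ElementName: "euid", PreviousValue: "33", NewValue: "0"}}}}},
	}
}
func main() {
	if out, err := RenderAlert(AlertTemplate, SampleAlert()); err != nil {
		fmt.Println("template error:", err)
	} else {
		fmt.Println(out)
	}
}
```

Two points the tables do not spell out follow from running this. A misspelled field name passes Parse and fails only at Execute, so a template should always be rendered against a sample alert before it is deployed. Pointer fields such as ProcessInfo.Program and ProcessInfo.ThreadGroup are an execution error when nil, so if a process may have no observed program, guard the access with {{with .ProcessInfo.Program}}{{.Path}}{{end}}, in the same way the index into Lineage is guarded with {{if .Lineage}} above.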
Enum types
Priority
| String | Integer |
|---|---|
| Unknown | 0 |
| Info | 1 |
| Low | 2 |
| Medium | 3 |
| High | 4 |
Confidence
| String | Integer |
|---|---|
| Zero | 0 |
| Low | 1 |
| MediumLow | 2 |
| MediumHigh | 4 |
| High | 5 |
| Max | 6 |
PolicyType
| String | Integer |
|---|---|
| AppArmor | 0 |
| BPFExec | 1 |
| Chmod | 2 |
| Connect | 3 |
| ContainerEscape | 4 |
| CloudMetadata | 5 |
| File | 6 |
| FileMonitor | 7 |
| FileAccess | 8 |
| Filter | 9 |
| InteractiveShell | 10 |
| KernelPayload | 11 |
| LoadKernelModule | 12 |
| MemoryProtection | 13 |
| NewFileExec | 14 |
| UnauthorizedKernelCredentialChange | 15 |
| Program | 16 |
| Ptrace | 17 |
| RemoteInteractiveShell | 18 |
| Segfault | 19 |
| SELinux | 20 |
| Sendto | 21 |
| SetPrivilege | 22 |
| Setrlimit | 23 |
| SmepSmap | 24 |
| SpectreMeltdown | 25 |
| StackPivotDetection | 26 |
| NetworkService | 27 |
| YaraScan | 28 |
| UserFaultFD | 29 |
| ShellCommand | 30 |
| Heartbeat | 31 |
| CoverageDrop | 32 |
| Kprobe | 33 |
| TagEvent | 34 |
| Uprobe | 35 |
Scope
| String | Integer |
|---|---|
| Other | 0 |
| Process | 1 |
| RootProcess | 2 |
| Container | 3 |
| Node | 4 |
| Subnet | 5 |
| Socket | 6 |
GroupingScope
| String | Integer |
|---|---|
| None | 0 |
| Process | 1 |
| ParentProcess | 2 |
| Container | 3 |
| Host | 4 |