Undefined Support New Policy Criteria and Fields for Alerting on Host Path Activity
| Section | Attribute | Description | Allowed Values | Regex, NOT, AND, OR | Phase |
| Process Activity | Sensitive Host Path Operation | Monitor sensitive host paths for activity indicating modification attempt. | File Path String (e.g. /etc/sshd/ssh_config) | X (not supported) | Runtime |
Policy Criteria for Sensitive File Activity (docs) **
Scoping
Only events triggered within a Kubernetes context are affected by inclusion scopes; events outside of a Kubernetes context will always be reported.
Violation Fields
These fields (green/yellow) are an extension of files found in the ProcessIndicator API for Runtime process alerts. See also documentation for responding to violations.
| Field Name | Type | Description | [^Crownstrike analysis - spec suggestion for FIO - Lakhdar HAMMACHE (contractor) - Confluence - ~62738d517dd556006afdd578-Crownstrike analysis - spec suggestion for FIO-180625-080853 (1).pdf] |
| cluster_id | string | ID of the cluster. | |
| node_name | string | Hostname | ComputerName |
| time | google.protobuf.Timestamp | The time of occurrence. | timestamp |
| file_event_type | string | Type of file event (FILE_INTEGRITY) | |
| file_path | string | The file path. | ObjectName |
| file_operation | string | The operation detected (WRITE, CREATE,UNLINK,RENAME,SETATTR). | ObjectAccessOperationType |
| is_external_mount | boolean | True if the file is from a namespace that differs from the process root mount namespace. | IsFromDifferentMountNamespace |
| namespace | string | K8s namespace (if any) | |
| deployment_id | string | K8s deployment_id (if any) | |
| pod_id | string | K8s deployment_id (if any) | |
| container_name | string | Name of the process container (if any) | |
| image_id | string | Image used by process container (if any) | |
| container_id | string | ID of the process container (if any) | |
| process_name | string | The name of the process. | ImageFileName |
| args | string | The arguments passed to the process. | CommandLine |
| exec_file_path | string | The file path of the process executable. | |
| pid | uint32 | The host process ID. | RawProcessId |
| uid | uint32 | The real user ID. | RUID |
| gid | uint32 | The real group ID. | |
| username | string | The username | |
| parent_uid[] | uint32 | The user ID of the ith parent process | |
| parent_exec_file_path[] | string | The executable file path of the ith parent process. | ParentImageFileName / GrandparentImageFileName |
Details to be available in the alert description.
