Clémence Saussez

Results 4 comments of Clémence Saussez

```
Mar 3 08:48:37 redacted-hostname falco: {"output":"08:48:37.630357321: Notice New SSH Connection (command= connection=x.x.x.x:50046->x.x.x.x:22 user= user_loginuid=-1 uid=4294967295 thread=7286)","priority":"Notice","rule":"New SSH Connection","source":"syscall","tags":["mitre_remote_service","network"],"time":"2022-03-03T08:48:37.630357321Z", "output_fields": {"evt.time":1646297317630357321,"fd.name":"x.x.x.x:50046->x.x.x.x:22","proc.cmdline":"","thread.tid":7286,"user.loginuid":-1,"user.name":null,"user.uid":4294967295}}
Mar 3 08:48:37 redacted-hostname falco[15001]: % Total % Received...
```

Hi @andreabonanno, we use OSlogin on GCP VMs, it adds PAM configurations, maybe it's a lead? https://cloud.google.com/compute/docs/oslogin

I'll follow up after the 0.32 patch @jasondellaluce

Having the same issue, it trips on `:` `scp file 10.0.0.10:` `cat something | cut -d ' ' -f3 | sed "s/^/- ip : /g"` `curl -H "Host: something" https://10.0.0.10`...