
select rules by tag

Open itaysk opened this issue 4 years ago • 7 comments

Signatures have a tags field. tracee-rules --rules should allow the user to select rules by tag in addition to individual rules. It should follow tracee-ebpf's flag conventions, e.g. -t event / event set.

itaysk avatar Feb 10 '21 16:02 itaysk

Using the new rules as events experience, we can have tags treated the same way as sets. @josedonizetti WDYT?

yanivagman avatar Jan 30 '23 07:01 yanivagman

@yanivagman 100%, when creating the events from signatures we can pass all tags as sets https://github.com/aquasecurity/tracee/blob/main/pkg/events/events.go#L84

We can add a specific filter for it, but below it would be 100% the set logic, only an alias for it

josedonizetti avatar Feb 06 '23 19:02 josedonizetti

Great! We should also think about how we can choose signatures according to their severity level.

yanivagman avatar Feb 06 '23 19:02 yanivagman

Would it make sense to make properties dynamic? So for every property one could filter with --trace property.severity=3? So any signature property can have its key used as a filter under property.*

josedonizetti avatar Feb 06 '23 20:02 josedonizetti

> Would it make sense to make properties dynamic? So for every property one could filter with --trace property.severity=3? So any signature property can have its key used as a filter under property.*

Yes, that can work. @idanr1986 @AsafEitani any comments from your side about that?

yanivagman avatar Feb 07 '23 07:02 yanivagman

Sounds good to me

AsafEitani avatar Feb 09 '23 19:02 AsafEitani

Feels like the only real use case of this is to filter by severity. I suggested promoting severity to event metadata so it can be filtered like other fields; if that makes sense to you (need to discuss over there), then maybe we don't need to generalize filtering by any property.

itaysk avatar Feb 09 '23 20:02 itaysk
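The selection semantics discussed in this thread (a tag treated like an event set, plus a generic property.* filter such as property.severity=3), as an added Go example that is not tracee's own code: the Signature type, the sampleSignatures data and the selector syntax are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Signature is an illustrative stand-in for signature metadata; not tracee's own type.
type Signature struct {
	ID         string
	Tags       []string
	Properties map[string]string
}
// Constructed sample data, not real tracee signatures.
var sampleSignatures = []Signature{
	{ID: "SIG-1", Tags: []string{"linux", "containers"}, Properties: map[string]string{"severity": "3"}},
	{ID: "SIG-2", Tags: []string{"linux"}, Properties: map[string]string{"severity": "2"}},
	{ID: "SIG-3", Tags: []string{"kernel"}, Properties: map[string]string{"severity": "3"}},
}

// matches reports whether one selector picks sig: "property.<key>=<value>" matches a property
// (e.g. property.severity=3); any other token matches the ID or, treating tags as sets, a tag.
func matches(sig Signature, selector string) bool {
	if strings.HasPrefix(selector, "property.") {
		kv := strings.SplitN(strings.TrimPrefix(selector, "property."), "=", 2)
		v, ok := sig.Properties[kv[0]] // a selector with no "=" never matches
		return len(kv) == 2 && ok && v == kv[1]
	}
	for _, name := range append([]string{sig.ID}, sig.Tags...) {
		if name == selector {
			return true
		}
	}
	return false
}
// Select returns the IDs picked by at least one selector (a union, as when several sets are listed).
func Select(sigs []Signature, selectors []string) []string {
	var ids []string
	for _, s := range sigs {
		for _, sel := range selectors {
			if matches(s, sel) {
				ids = append(ids, s.ID)
				break
			}
		}
	}
	return ids
}

func main() { fmt.Println(Select(sampleSignatures, []string{"containers", "property.severity=3"})) }
```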