Melissa Kilby

In addition, I opened a proposal for a formal container engine testing framework https://github.com/falcosecurity/libs/issues/1298.

/remove-lifecycle stale

Based on improvements made in: - https://github.com/falcosecurity/libs/pull/1433 - https://github.com/falcosecurity/libs/pull/1575 We will be able to better track cases where the container info is missing (leveraging new metrics and output fields). More...

/assign

We just merged https://github.com/falcosecurity/libs/pull/1595 -> Starting with Falco 0.38.0, we will have faster storage of container information into the container cache when running Falco w/ `--disable-cri-async`. This improvement should significantly...

Longer term, we have identified more improvement opportunities; however they will take more time. See https://github.com/falcosecurity/libs/issues/1708 for tracking (milestone TBD).

Another note: We have also improved our documentation https://falco.org/docs/reference/rules/supported-fields/#field-class-container and state that under certain circumstances there may be a delay: "In instances of userspace container engine lookup delays, this field...

@Caroline132 just double checking is it always null for any rule that triggered in a container workload? Or just sometimes null? If it is always null something is wrong. if...

Thank you for reporting back. Likely it's not related to the specific rule. I just opened a new ticket to track re-auditing the container engine as it has been on...

@Caroline132 thank you for reporting back. We will start investigating what could be done. First we need to run more thorough debugging to understand what the circumstances are when this...