by westurner
641 days ago
It looks like the falco rules mention proc.ppid.duration, but there's not yet a rule that matches on ppid:
rules/falco_rules.yaml
https://github.com/falcosecurity/rules/blob/main/rules/falco... :

> Tuning suggestions include looking at the duration of the parent process (proc.ppid.duration) to define your long-running app processes. Checking for newer fields such as proc.vpgid.name and proc.vpgid.exe instead of the direct parent process being a non-shell application could make the rule more robust.
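A rule in the direction that tuning note points, added here as an illustration rather than taken from falcosecurity/rules or from the comment above: it flags a shell spawned by a non-shell parent that has already been running for a long time (a daemon or app server rather than a short-lived wrapper), using proc.ppid.duration and the proc.vpgid.* fields the note mentions. It assumes the default falco_rules.yaml is loaded (for the spawned_process and shell_procs macros and the shell_binaries list), that proc.ppid.duration is expressed in nanoseconds, and the one-hour threshold is a constructed value to tune per environment.

```yaml
# Added example rule, not from the falcosecurity/rules repository.
# Assumes the default falco_rules.yaml is loaded so that the macros
# spawned_process and shell_procs and the list shell_binaries exist.
- rule: Shell Spawned by Long-Running Non-Shell Process
  desc: >
    A shell was started by a process that is not itself a shell and has been
    running for over an hour, i.e. a long-running application such as a web
    server or daemon rather than an interactive session or a short-lived
    wrapper script. Uses proc.ppid.duration (assumed to be nanoseconds since
    the parent started) and the process-group leader fields proc.vpgid.name /
    proc.vpgid.exe so that a shell nested inside an existing shell session
    is not reported just because its direct parent happens to be non-shell.
  condition: >
    spawned_process and shell_procs
    and proc.pname exists and not proc.pname in (shell_binaries)
    and not proc.vpgid.name in (shell_binaries)
    and proc.ppid.duration > 3600000000000
  output: >
    Shell spawned by long-running non-shell parent
    (user=%user.name shell=%proc.name cmdline=%proc.cmdline
    parent=%proc.pname parent_duration_ns=%proc.ppid.duration
    pgid_name=%proc.vpgid.name pgid_exe=%proc.vpgid.exe
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [host, container, process, shell, mitre_execution]
  # Threshold: 3600000000000 ns = 1 hour. Constructed value; raise or lower it
  # after measuring how long your legitimate app processes live.
```

Tune by first running with priority NOTICE and reviewing which parent/pgid names fire, then adding those to an exception list or adjusting the duration threshold.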