[Feature request] Able to extract all available fields into output_fields

[AmberSecurity]

Motivation

We use falcosidekick to deliver the alerts to our analysis platform(like SIEM), so we often need all of the available fields to support the analyzing.

But the output_fields in the JSON data is depended on the output specified in the rule. So we must enumerate these fileds in the observing rule for fetching them. This is inconvenient when analysis paltform like SIEM wants all of the available event fields.

Feature

Maybe we can increase a new field in falco rule to specify the fileds to be put into output_fileds.

current:

- rule: Event
  desc: Event
  condition: evt.num >= 0 and evt.type = execve
  output: >
    [eventname=%evt.type] dir=%evt.dir proc=%proc.name
  priority: NOTICE

better:

- rule: Event
  desc: Event
  condition: evt.num >= 0 and evt.type = execve
  output: >
    [eventname=%evt.type] dir=%evt.dir proc=%proc.name
  evidence_fields: proc.name, evt.type
  priority: NOTICE

The new evidence_fields can be like:

• evidence_fields: proc.name, evt.type
• evidence_fields: proc.*, evt.type
• evidence_fields: *

* as wildcard character. dence_fields: * can fetch all of the available event fields.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale