Linux Agent attributes and helpers

Docs > Datadog Security > Workload Protection > Linux Agent attributes and helpers

Linux Agent attributes and helpers

This documentation describes Linux attributes and helpers of the Datadog’s Security Language (SECL).

Rules using Linux attributes and helpers must include an OS rule filter field as follows.

id:[...]expression:[...]filters:- os == "linux"

Triggers

Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

SECL Event	Type	Definition	Agent Version
`accept`	Network	An accept was executed	7.63
`bind`	Network	A bind was executed	7.37
`bpf`	Kernel	A BPF command was executed	7.33
`capabilities`	Process	[Experimental] A process used some capabilities	7.70
`capset`	Process	A process changed its capacity set	7.27
`cgroup_write`	Kernel	A process migrated another process to a cgroup	7.68
`chdir`	File	[Experimental] A process changed the current directory	7.52
`chmod`	File	A file’s permissions were changed	7.27
`chown`	File	A file’s owner was changed	7.27
`connect`	Network	A connect was executed	7.60
`dns`	Network	A DNS request was sent	7.36
`exec`	Process	A process was executed (does not trigger on fork syscalls).	7.27
`exit`	Process	A process was terminated	7.38
`imds`	Network	An IMDS event was captured	7.55
`link`	File	Create a new name/alias for a file	7.27
`load_module`	Kernel	A new kernel module was loaded	7.35
`mkdir`	File	A directory was created	7.27
`mmap`	Kernel	A mmap command was executed	7.35
`mount`	File	[Experimental] A filesystem was mounted	7.42
`mprotect`	Kernel	A mprotect command was executed	7.35
`network_flow_monitor`	Network	A network monitor event was sent	7.63
`open`	File	A file was opened	7.27
`packet`	Network	A raw network packet was captured	7.60
`prctl`	Process	A prctl command was executed	7.71
`ptrace`	Kernel	A ptrace command was executed	7.35
`removexattr`	File	Remove extended attributes	7.27
`rename`	File	A file/directory was renamed	7.27
`rmdir`	File	A directory was removed	7.27
`selinux`	Kernel	An SELinux operation was run	7.30
`setgid`	Process	A process changed its effective gid	7.27
`setrlimit`	Process	A setrlimit command was executed	7.68
`setsockopt`	Network	A setsockopt was executed	7.68
`setuid`	Process	A process changed its effective uid	7.27
`setxattr`	File	Set exteneded attributes	7.27
`signal`	Process	A signal was sent	7.35
`splice`	File	A splice command was executed	7.36
`sysctl`	Kernel	A sysctl parameter was read or modified	7.65
`unlink`	File	A file was deleted	7.27
`unload_module`	Kernel	A kernel module was deleted	7.35
`utimes`	File	Change file access/modification times	7.27

FIM triggers

In addition to regular triggers, fim.write.file.* fields allow to write rules that fire on all file events.

For example, the following rule:

(fim.write.file.path == "/tmp/test" || fim.write.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""

will expand into the following rules under the hood:

open: ((open.file.path == "/tmp/test" || open.file.name == "abc")
 && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0
 && process.file.name == "def"
 && container.id != "")
chmod: (chmod.file.path == "/tmp/test" || chmod.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""
chown: (chown.file.path == "/tmp/test" || chown.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""
link: (link.file.path == "/tmp/test" || link.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""
rename: (rename.file.path == "/tmp/test" || rename.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""
rename: (rename.file.destination.path == "/tmp/test" || rename.file.destination.name == "abc")
 && process.file.name == "def"
 && container.id != ""
unlink: (unlink.file.path == "/tmp/test" || unlink.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""
utimes: (utimes.file.path == "/tmp/test" || utimes.file.name == "abc")
 && process.file.name == "def"
 && container.id != ""

and match on all file-related events matching the path provided in the rule. Common fields are retained across all expanded rules.

Variables

SECL variables are predefined variables that can be used as values or as part of values.

For example, rule using a process.pid variable looks like this:

open.file.path == "/proc/${process.pid}/maps"

List of the available variables:

SECL Variable	Definition	Agent Version
`process.pid`	Process PID	7.33

CIDR and IP range

CIDR and IP matching is possible in SECL. One can use operators such as in, not in, or allin combined with CIDR or IP notations.

Such rules can be written as follows:

dns.question.name == "example.com" && network.destination.ip in [192.168.1.25, 10.0.0.0/24]

Helpers

Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.

Command line arguments

The args_flags and args_options are helpers to ease the writing of CSM Threats rules based on command line arguments.

args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.

Examples:

version is part of args_flags for the command cat --version
l and n both are in args_flags for the command netstat -ln

args_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.

Examples:

T=8 and width=8 both are in args_options for the command ls -T 8 --width=8
exec.args_options in [ r"s=.*\\" ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \

File rights

The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.

Event attributes

Common to all event types

Property	Definition
`event.async`	True if the syscall was asynchronous
`event.hostname`	Hostname associated with the event
`event.origin`	Origin of the event
`event.os`	Operating system of the event
`event.rule.tags`	Tags associated with the rule that’s used to evaluate the event
`event.service`	Service associated with the event
`event.signature`	Signature of the process pid and its cgroup with agent secret key
`event.source`	[Experimental] Source of the event. Can be either ‘runtime’ or ‘snapshot’.
`event.timestamp`	Timestamp of the event
`process.ancestors.args`	Arguments of the process (as a string, excluding argv0)
`process.ancestors.args_flags`	Flags in the process arguments
`process.ancestors.args_options`	Argument of the process as options
`process.ancestors.args_truncated`	Indicator of arguments truncation
`process.ancestors.argv`	Arguments of the process (as an array, excluding argv0)
`process.ancestors.argv0`	First argument of the process
`process.ancestors.auid`	Login UID of the process
`process.ancestors.cap_effective`	Effective capability set of the process
`process.ancestors.cap_permitted`	Permitted capability set of the process
`process.ancestors.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`process.ancestors.caps_used`	Bitmask of the capabilities that the process successfully used
`process.ancestors.cgroup.file.inode`	Inode of the file
`process.ancestors.cgroup.file.mount_id`	Mount ID of the file
`process.ancestors.cgroup.id`	ID of the cgroup
`process.ancestors.cgroup.version`	[Experimental] Version of the cgroup API
`process.ancestors.comm`	Comm attribute of the process
`process.ancestors.container.created_at`	Timestamp of the creation of the container
`process.ancestors.container.id`	ID of the container
`process.ancestors.container.tags`	Tags of the container
`process.ancestors.created_at`	Timestamp of the creation of the process
`process.ancestors.egid`	Effective GID of the process
`process.ancestors.egroup`	Effective group of the process
`process.ancestors.envp`	Environment variables of the process
`process.ancestors.envs`	Environment variable names of the process
`process.ancestors.envs_truncated`	Indicator of environment variables truncation
`process.ancestors.euid`	Effective UID of the process
`process.ancestors.euser`	Effective user of the process
`process.ancestors.file.change_time`	Change time (ctime) of the file
`process.ancestors.file.extension`	File’s extension
`process.ancestors.file.filesystem`	File’s filesystem
`process.ancestors.file.gid`	GID of the file’s owner
`process.ancestors.file.group`	Group of the file’s owner
`process.ancestors.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.ancestors.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.ancestors.file.inode`	Inode of the file
`process.ancestors.file.mode`	Mode of the file
`process.ancestors.file.modification_time`	Modification time (mtime) of the file
`process.ancestors.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.ancestors.file.mount_id`	Mount ID of the file
`process.ancestors.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.ancestors.file.name`	File’s basename
`process.ancestors.file.name.length`	Length of the corresponding element
`process.ancestors.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.ancestors.file.package.name`	[Experimental] Name of the package that provided this file
`process.ancestors.file.package.release`	[Experimental] Release of the package that provided this file
`process.ancestors.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.ancestors.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.ancestors.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.ancestors.file.package.version`	[Experimental] Full version of the package that provided this file
`process.ancestors.file.path`	File’s path
`process.ancestors.file.path.length`	Length of the corresponding element
`process.ancestors.file.rights`	Rights of the file
`process.ancestors.file.uid`	UID of the file’s owner
`process.ancestors.file.user`	User of the file’s owner
`process.ancestors.fsgid`	FileSystem-gid of the process
`process.ancestors.fsgroup`	FileSystem-group of the process
`process.ancestors.fsuid`	FileSystem-uid of the process
`process.ancestors.fsuser`	FileSystem-user of the process
`process.ancestors.gid`	GID of the process
`process.ancestors.group`	Group of the process
`process.ancestors.interpreter.file.change_time`	Change time (ctime) of the file
`process.ancestors.interpreter.file.extension`	File’s extension
`process.ancestors.interpreter.file.filesystem`	File’s filesystem
`process.ancestors.interpreter.file.gid`	GID of the file’s owner
`process.ancestors.interpreter.file.group`	Group of the file’s owner
`process.ancestors.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.ancestors.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.ancestors.interpreter.file.inode`	Inode of the file
`process.ancestors.interpreter.file.mode`	Mode of the file
`process.ancestors.interpreter.file.modification_time`	Modification time (mtime) of the file
`process.ancestors.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.ancestors.interpreter.file.mount_id`	Mount ID of the file
`process.ancestors.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.ancestors.interpreter.file.name`	File’s basename
`process.ancestors.interpreter.file.name.length`	Length of the corresponding element
`process.ancestors.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.ancestors.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`process.ancestors.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`process.ancestors.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.ancestors.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.ancestors.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.ancestors.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`process.ancestors.interpreter.file.path`	File’s path
`process.ancestors.interpreter.file.path.length`	Length of the corresponding element
`process.ancestors.interpreter.file.rights`	Rights of the file
`process.ancestors.interpreter.file.uid`	UID of the file’s owner
`process.ancestors.interpreter.file.user`	User of the file’s owner
`process.ancestors.is_exec`	Indicates whether the process entry is from a new binary execution
`process.ancestors.is_kworker`	Indicates whether the process is a kworker
`process.ancestors.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`process.ancestors.length`	Length of the corresponding element
`process.ancestors.mntns`	MNTNS ID of the process
`process.ancestors.netns`	NetNS ID of the process
`process.ancestors.pid`	Process ID of the process (also called thread group ID)
`process.ancestors.ppid`	Parent process ID
`process.ancestors.tid`	Thread ID of the thread
`process.ancestors.tty_name`	Name of the TTY associated with the process
`process.ancestors.uid`	UID of the process
`process.ancestors.user`	User of the process
`process.ancestors.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`process.ancestors.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`process.ancestors.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`process.ancestors.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`process.ancestors.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`process.ancestors.user_session.k8s_username`	Kubernetes username of the user that executed the process
`process.ancestors.user_session.session_type`	Type of the user session
`process.ancestors.user_session.ssh_auth_method`	SSH authentication method used by the user
`process.ancestors.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`process.ancestors.user_session.ssh_client_port`	SSH client port of the user that executed the process
`process.ancestors.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`process.ancestors.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`process.args`	Arguments of the process (as a string, excluding argv0)
`process.args_flags`	Flags in the process arguments
`process.args_options`	Argument of the process as options
`process.args_truncated`	Indicator of arguments truncation
`process.argv`	Arguments of the process (as an array, excluding argv0)
`process.argv0`	First argument of the process
`process.auid`	Login UID of the process
`process.cap_effective`	Effective capability set of the process
`process.cap_permitted`	Permitted capability set of the process
`process.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`process.caps_used`	Bitmask of the capabilities that the process successfully used
`process.cgroup.file.inode`	Inode of the file
`process.cgroup.file.mount_id`	Mount ID of the file
`process.cgroup.id`	ID of the cgroup
`process.cgroup.version`	[Experimental] Version of the cgroup API
`process.comm`	Comm attribute of the process
`process.container.created_at`	Timestamp of the creation of the container
`process.container.id`	ID of the container
`process.container.tags`	Tags of the container
`process.created_at`	Timestamp of the creation of the process
`process.egid`	Effective GID of the process
`process.egroup`	Effective group of the process
`process.envp`	Environment variables of the process
`process.envs`	Environment variable names of the process
`process.envs_truncated`	Indicator of environment variables truncation
`process.euid`	Effective UID of the process
`process.euser`	Effective user of the process
`process.file.change_time`	Change time (ctime) of the file
`process.file.extension`	File’s extension
`process.file.filesystem`	File’s filesystem
`process.file.gid`	GID of the file’s owner
`process.file.group`	Group of the file’s owner
`process.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.file.inode`	Inode of the file
`process.file.mode`	Mode of the file
`process.file.modification_time`	Modification time (mtime) of the file
`process.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.file.mount_id`	Mount ID of the file
`process.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.file.name`	File’s basename
`process.file.name.length`	Length of the corresponding element
`process.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.file.package.name`	[Experimental] Name of the package that provided this file
`process.file.package.release`	[Experimental] Release of the package that provided this file
`process.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.file.package.version`	[Experimental] Full version of the package that provided this file
`process.file.path`	File’s path
`process.file.path.length`	Length of the corresponding element
`process.file.rights`	Rights of the file
`process.file.uid`	UID of the file’s owner
`process.file.user`	User of the file’s owner
`process.fsgid`	FileSystem-gid of the process
`process.fsgroup`	FileSystem-group of the process
`process.fsuid`	FileSystem-uid of the process
`process.fsuser`	FileSystem-user of the process
`process.gid`	GID of the process
`process.group`	Group of the process
`process.interpreter.file.change_time`	Change time (ctime) of the file
`process.interpreter.file.extension`	File’s extension
`process.interpreter.file.filesystem`	File’s filesystem
`process.interpreter.file.gid`	GID of the file’s owner
`process.interpreter.file.group`	Group of the file’s owner
`process.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.interpreter.file.inode`	Inode of the file
`process.interpreter.file.mode`	Mode of the file
`process.interpreter.file.modification_time`	Modification time (mtime) of the file
`process.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.interpreter.file.mount_id`	Mount ID of the file
`process.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.interpreter.file.name`	File’s basename
`process.interpreter.file.name.length`	Length of the corresponding element
`process.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`process.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`process.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`process.interpreter.file.path`	File’s path
`process.interpreter.file.path.length`	Length of the corresponding element
`process.interpreter.file.rights`	Rights of the file
`process.interpreter.file.uid`	UID of the file’s owner
`process.interpreter.file.user`	User of the file’s owner
`process.is_exec`	Indicates whether the process entry is from a new binary execution
`process.is_kworker`	Indicates whether the process is a kworker
`process.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`process.mntns`	MNTNS ID of the process
`process.netns`	NetNS ID of the process
`process.parent.args`	Arguments of the process (as a string, excluding argv0)
`process.parent.args_flags`	Flags in the process arguments
`process.parent.args_options`	Argument of the process as options
`process.parent.args_truncated`	Indicator of arguments truncation
`process.parent.argv`	Arguments of the process (as an array, excluding argv0)
`process.parent.argv0`	First argument of the process
`process.parent.auid`	Login UID of the process
`process.parent.cap_effective`	Effective capability set of the process
`process.parent.cap_permitted`	Permitted capability set of the process
`process.parent.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`process.parent.caps_used`	Bitmask of the capabilities that the process successfully used
`process.parent.cgroup.file.inode`	Inode of the file
`process.parent.cgroup.file.mount_id`	Mount ID of the file
`process.parent.cgroup.id`	ID of the cgroup
`process.parent.cgroup.version`	[Experimental] Version of the cgroup API
`process.parent.comm`	Comm attribute of the process
`process.parent.container.created_at`	Timestamp of the creation of the container
`process.parent.container.id`	ID of the container
`process.parent.container.tags`	Tags of the container
`process.parent.created_at`	Timestamp of the creation of the process
`process.parent.egid`	Effective GID of the process
`process.parent.egroup`	Effective group of the process
`process.parent.envp`	Environment variables of the process
`process.parent.envs`	Environment variable names of the process
`process.parent.envs_truncated`	Indicator of environment variables truncation
`process.parent.euid`	Effective UID of the process
`process.parent.euser`	Effective user of the process
`process.parent.file.change_time`	Change time (ctime) of the file
`process.parent.file.extension`	File’s extension
`process.parent.file.filesystem`	File’s filesystem
`process.parent.file.gid`	GID of the file’s owner
`process.parent.file.group`	Group of the file’s owner
`process.parent.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.parent.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.parent.file.inode`	Inode of the file
`process.parent.file.mode`	Mode of the file
`process.parent.file.modification_time`	Modification time (mtime) of the file
`process.parent.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.parent.file.mount_id`	Mount ID of the file
`process.parent.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.parent.file.name`	File’s basename
`process.parent.file.name.length`	Length of the corresponding element
`process.parent.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.parent.file.package.name`	[Experimental] Name of the package that provided this file
`process.parent.file.package.release`	[Experimental] Release of the package that provided this file
`process.parent.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.parent.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.parent.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.parent.file.package.version`	[Experimental] Full version of the package that provided this file
`process.parent.file.path`	File’s path
`process.parent.file.path.length`	Length of the corresponding element
`process.parent.file.rights`	Rights of the file
`process.parent.file.uid`	UID of the file’s owner
`process.parent.file.user`	User of the file’s owner
`process.parent.fsgid`	FileSystem-gid of the process
`process.parent.fsgroup`	FileSystem-group of the process
`process.parent.fsuid`	FileSystem-uid of the process
`process.parent.fsuser`	FileSystem-user of the process
`process.parent.gid`	GID of the process
`process.parent.group`	Group of the process
`process.parent.interpreter.file.change_time`	Change time (ctime) of the file
`process.parent.interpreter.file.extension`	File’s extension
`process.parent.interpreter.file.filesystem`	File’s filesystem
`process.parent.interpreter.file.gid`	GID of the file’s owner
`process.parent.interpreter.file.group`	Group of the file’s owner
`process.parent.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`process.parent.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`process.parent.interpreter.file.inode`	Inode of the file
`process.parent.interpreter.file.mode`	Mode of the file
`process.parent.interpreter.file.modification_time`	Modification time (mtime) of the file
`process.parent.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`process.parent.interpreter.file.mount_id`	Mount ID of the file
`process.parent.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`process.parent.interpreter.file.name`	File’s basename
`process.parent.interpreter.file.name.length`	Length of the corresponding element
`process.parent.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`process.parent.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`process.parent.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`process.parent.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`process.parent.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`process.parent.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`process.parent.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`process.parent.interpreter.file.path`	File’s path
`process.parent.interpreter.file.path.length`	Length of the corresponding element
`process.parent.interpreter.file.rights`	Rights of the file
`process.parent.interpreter.file.uid`	UID of the file’s owner
`process.parent.interpreter.file.user`	User of the file’s owner
`process.parent.is_exec`	Indicates whether the process entry is from a new binary execution
`process.parent.is_kworker`	Indicates whether the process is a kworker
`process.parent.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`process.parent.mntns`	MNTNS ID of the process
`process.parent.netns`	NetNS ID of the process
`process.parent.pid`	Process ID of the process (also called thread group ID)
`process.parent.ppid`	Parent process ID
`process.parent.tid`	Thread ID of the thread
`process.parent.tty_name`	Name of the TTY associated with the process
`process.parent.uid`	UID of the process
`process.parent.user`	User of the process
`process.parent.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`process.parent.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`process.parent.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`process.parent.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`process.parent.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`process.parent.user_session.k8s_username`	Kubernetes username of the user that executed the process
`process.parent.user_session.session_type`	Type of the user session
`process.parent.user_session.ssh_auth_method`	SSH authentication method used by the user
`process.parent.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`process.parent.user_session.ssh_client_port`	SSH client port of the user that executed the process
`process.parent.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`process.parent.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`process.pid`	Process ID of the process (also called thread group ID)
`process.ppid`	Parent process ID
`process.tid`	Thread ID of the thread
`process.tty_name`	Name of the TTY associated with the process
`process.uid`	UID of the process
`process.user`	User of the process
`process.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`process.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`process.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`process.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`process.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`process.user_session.k8s_username`	Kubernetes username of the user that executed the process
`process.user_session.session_type`	Type of the user session
`process.user_session.ssh_auth_method`	SSH authentication method used by the user
`process.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`process.user_session.ssh_client_port`	SSH client port of the user that executed the process
`process.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`process.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host

Event `accept`

An accept was executed

Property	Definition
`accept.addr.family`	Address family
`accept.addr.hostname`	Address hostname (if available)
`accept.addr.hostname.length`	Length of the corresponding element
`accept.addr.hostname.root_domain`	Root domain of the corresponding element
`accept.addr.ip`	IP address
`accept.addr.is_public`	Whether the IP address belongs to a public network
`accept.addr.port`	Port number
`accept.retval`	Return value of the syscall

Event `bind`

A bind was executed

Property	Definition
`bind.addr.family`	Address family
`bind.addr.ip`	IP address
`bind.addr.is_public`	Whether the IP address belongs to a public network
`bind.addr.port`	Port number
`bind.protocol`	Socket Protocol
`bind.retval`	Return value of the syscall

Event `bpf`

A BPF command was executed

Property	Definition
`bpf.cmd`	BPF command name
`bpf.map.name`	Name of the eBPF map (added in 7.35)
`bpf.map.type`	Type of the eBPF map
`bpf.prog.attach_type`	Attach type of the eBPF program
`bpf.prog.helpers`	eBPF helpers used by the eBPF program (added in 7.35)
`bpf.prog.name`	Name of the eBPF program (added in 7.35)
`bpf.prog.tag`	Hash (sha1) of the eBPF program (added in 7.35)
`bpf.prog.type`	Type of the eBPF program
`bpf.retval`	Return value of the syscall

Event `capabilities`

This event type is experimental and may change in the future.

A process used some capabilities

Property	Definition
`capabilities.attempted`	Bitmask of the capabilities that the process attempted to use since it started running
`capabilities.used`	Bitmask of the capabilities that the process successfully used since it started running

Event `capset`

A process changed its capacity set

Property	Definition
`capset.cap_effective`	Effective capability set of the process
`capset.cap_permitted`	Permitted capability set of the process

Event `cgroup_write`

A process migrated another process to a cgroup

Property	Definition
`cgroup_write.file.change_time`	Change time (ctime) of the file
`cgroup_write.file.extension`	File’s extension
`cgroup_write.file.filesystem`	File’s filesystem
`cgroup_write.file.gid`	GID of the file’s owner
`cgroup_write.file.group`	Group of the file’s owner
`cgroup_write.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`cgroup_write.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`cgroup_write.file.inode`	Inode of the file
`cgroup_write.file.mode`	Mode of the file
`cgroup_write.file.modification_time`	Modification time (mtime) of the file
`cgroup_write.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`cgroup_write.file.mount_id`	Mount ID of the file
`cgroup_write.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`cgroup_write.file.name`	File’s basename
`cgroup_write.file.name.length`	Length of the corresponding element
`cgroup_write.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`cgroup_write.file.package.name`	[Experimental] Name of the package that provided this file
`cgroup_write.file.package.release`	[Experimental] Release of the package that provided this file
`cgroup_write.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`cgroup_write.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`cgroup_write.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`cgroup_write.file.package.version`	[Experimental] Full version of the package that provided this file
`cgroup_write.file.path`	File’s path
`cgroup_write.file.path.length`	Length of the corresponding element
`cgroup_write.file.rights`	Rights of the file
`cgroup_write.file.uid`	UID of the file’s owner
`cgroup_write.file.user`	User of the file’s owner
`cgroup_write.pid`	PID of the process added to the cgroup

Event `chdir`

This event type is experimental and may change in the future.

A process changed the current directory

Property	Definition
`chdir.file.change_time`	Change time (ctime) of the file
`chdir.file.extension`	File’s extension
`chdir.file.filesystem`	File’s filesystem
`chdir.file.gid`	GID of the file’s owner
`chdir.file.group`	Group of the file’s owner
`chdir.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`chdir.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`chdir.file.inode`	Inode of the file
`chdir.file.mode`	Mode of the file
`chdir.file.modification_time`	Modification time (mtime) of the file
`chdir.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`chdir.file.mount_id`	Mount ID of the file
`chdir.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`chdir.file.name`	File’s basename
`chdir.file.name.length`	Length of the corresponding element
`chdir.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`chdir.file.package.name`	[Experimental] Name of the package that provided this file
`chdir.file.package.release`	[Experimental] Release of the package that provided this file
`chdir.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`chdir.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`chdir.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`chdir.file.package.version`	[Experimental] Full version of the package that provided this file
`chdir.file.path`	File’s path
`chdir.file.path.length`	Length of the corresponding element
`chdir.file.rights`	Rights of the file
`chdir.file.uid`	UID of the file’s owner
`chdir.file.user`	User of the file’s owner
`chdir.retval`	Return value of the syscall
`chdir.syscall.path`	path argument of the syscall

Event `chmod`

A file’s permissions were changed

Property	Definition
`chmod.file.change_time`	Change time (ctime) of the file
`chmod.file.destination.mode`	New mode of the chmod-ed file
`chmod.file.destination.rights`	New rights of the chmod-ed file
`chmod.file.extension`	File’s extension
`chmod.file.filesystem`	File’s filesystem
`chmod.file.gid`	GID of the file’s owner
`chmod.file.group`	Group of the file’s owner
`chmod.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`chmod.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`chmod.file.inode`	Inode of the file
`chmod.file.mode`	Mode of the file
`chmod.file.modification_time`	Modification time (mtime) of the file
`chmod.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`chmod.file.mount_id`	Mount ID of the file
`chmod.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`chmod.file.name`	File’s basename
`chmod.file.name.length`	Length of the corresponding element
`chmod.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`chmod.file.package.name`	[Experimental] Name of the package that provided this file
`chmod.file.package.release`	[Experimental] Release of the package that provided this file
`chmod.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`chmod.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`chmod.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`chmod.file.package.version`	[Experimental] Full version of the package that provided this file
`chmod.file.path`	File’s path
`chmod.file.path.length`	Length of the corresponding element
`chmod.file.rights`	Rights of the file
`chmod.file.uid`	UID of the file’s owner
`chmod.file.user`	User of the file’s owner
`chmod.retval`	Return value of the syscall
`chmod.syscall.mode`	mode argument of the syscall
`chmod.syscall.path`	path argument of the syscall

Event `chown`

A file’s owner was changed

Property	Definition
`chown.file.change_time`	Change time (ctime) of the file
`chown.file.destination.gid`	New GID of the chown-ed file’s owner
`chown.file.destination.group`	New group of the chown-ed file’s owner
`chown.file.destination.uid`	New UID of the chown-ed file’s owner
`chown.file.destination.user`	New user of the chown-ed file’s owner
`chown.file.extension`	File’s extension
`chown.file.filesystem`	File’s filesystem
`chown.file.gid`	GID of the file’s owner
`chown.file.group`	Group of the file’s owner
`chown.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`chown.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`chown.file.inode`	Inode of the file
`chown.file.mode`	Mode of the file
`chown.file.modification_time`	Modification time (mtime) of the file
`chown.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`chown.file.mount_id`	Mount ID of the file
`chown.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`chown.file.name`	File’s basename
`chown.file.name.length`	Length of the corresponding element
`chown.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`chown.file.package.name`	[Experimental] Name of the package that provided this file
`chown.file.package.release`	[Experimental] Release of the package that provided this file
`chown.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`chown.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`chown.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`chown.file.package.version`	[Experimental] Full version of the package that provided this file
`chown.file.path`	File’s path
`chown.file.path.length`	Length of the corresponding element
`chown.file.rights`	Rights of the file
`chown.file.uid`	UID of the file’s owner
`chown.file.user`	User of the file’s owner
`chown.retval`	Return value of the syscall
`chown.syscall.gid`	GID argument of the syscall
`chown.syscall.path`	Path argument of the syscall
`chown.syscall.uid`	UID argument of the syscall

Event `connect`

A connect was executed

Property	Definition
`connect.addr.family`	Address family
`connect.addr.hostname`	Address hostname (if available)
`connect.addr.hostname.length`	Length of the corresponding element
`connect.addr.hostname.root_domain`	Root domain of the corresponding element
`connect.addr.ip`	IP address
`connect.addr.is_public`	Whether the IP address belongs to a public network
`connect.addr.port`	Port number
`connect.protocol`	Socket Protocol
`connect.retval`	Return value of the syscall

Event `dns`

A DNS request was sent

Property	Definition
`dns.id`	[Experimental] the DNS request ID
`dns.question.class`	the class looked up by the DNS question
`dns.question.count`	the total count of questions in the DNS request
`dns.question.length`	the total DNS request size in bytes
`dns.question.name`	the queried domain name
`dns.question.name.length`	Length of the corresponding element
`dns.question.name.root_domain`	Root domain of the corresponding element
`dns.question.type`	a two octet code which specifies the DNS question type
`dns.response.code`	Response code of the DNS response according to RFC 1035
`network.destination.ip`	IP address
`network.destination.is_public`	Whether the IP address belongs to a public network
`network.destination.port`	Port number
`network.device.ifname`	Interface ifname
`network.device.netns`	Interface NetNS ID
`network.l3_protocol`	L3 protocol of the network packet
`network.l4_protocol`	L4 protocol of the network packet
`network.network_direction`	Network direction of the network packet
`network.size`	Size in bytes of the network packet
`network.source.ip`	IP address
`network.source.is_public`	Whether the IP address belongs to a public network
`network.source.port`	Port number
`network.type`	Type of the network packet

Event `exec`

A process was executed (does not trigger on fork syscalls).

Property	Definition
`exec.args`	Arguments of the process (as a string, excluding argv0)
`exec.args_flags`	Flags in the process arguments
`exec.args_options`	Argument of the process as options
`exec.args_truncated`	Indicator of arguments truncation
`exec.argv`	Arguments of the process (as an array, excluding argv0)
`exec.argv0`	First argument of the process
`exec.auid`	Login UID of the process
`exec.cap_effective`	Effective capability set of the process
`exec.cap_permitted`	Permitted capability set of the process
`exec.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`exec.caps_used`	Bitmask of the capabilities that the process successfully used
`exec.cgroup.file.inode`	Inode of the file
`exec.cgroup.file.mount_id`	Mount ID of the file
`exec.cgroup.id`	ID of the cgroup
`exec.cgroup.version`	[Experimental] Version of the cgroup API
`exec.comm`	Comm attribute of the process
`exec.container.created_at`	Timestamp of the creation of the container
`exec.container.id`	ID of the container
`exec.container.tags`	Tags of the container
`exec.created_at`	Timestamp of the creation of the process
`exec.egid`	Effective GID of the process
`exec.egroup`	Effective group of the process
`exec.envp`	Environment variables of the process
`exec.envs`	Environment variable names of the process
`exec.envs_truncated`	Indicator of environment variables truncation
`exec.euid`	Effective UID of the process
`exec.euser`	Effective user of the process
`exec.file.change_time`	Change time (ctime) of the file
`exec.file.extension`	File’s extension
`exec.file.filesystem`	File’s filesystem
`exec.file.gid`	GID of the file’s owner
`exec.file.group`	Group of the file’s owner
`exec.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`exec.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`exec.file.inode`	Inode of the file
`exec.file.metadata.abi`	[Experimental] ABI of the file (only for executable files)
`exec.file.metadata.architecture`	[Experimental] Architecture of the file (only for executable files)
`exec.file.metadata.compression`	[Experimental] Compression type of the file (only for compressed files)
`exec.file.metadata.is_executable`	[Experimental] Tells if the file is executable or not
`exec.file.metadata.is_garble_obfuscated`	[Experimental] Tells if the binary has been obfuscated using garble
`exec.file.metadata.is_upx_packed`	[Experimental] Tells if the binary has been packed using UPX
`exec.file.metadata.size`	[Experimental] Size of the file
`exec.file.metadata.type`	[Experimental] Type of the file
`exec.file.mode`	Mode of the file
`exec.file.modification_time`	Modification time (mtime) of the file
`exec.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`exec.file.mount_id`	Mount ID of the file
`exec.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`exec.file.name`	File’s basename
`exec.file.name.length`	Length of the corresponding element
`exec.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`exec.file.package.name`	[Experimental] Name of the package that provided this file
`exec.file.package.release`	[Experimental] Release of the package that provided this file
`exec.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`exec.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`exec.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`exec.file.package.version`	[Experimental] Full version of the package that provided this file
`exec.file.path`	File’s path
`exec.file.path.length`	Length of the corresponding element
`exec.file.rights`	Rights of the file
`exec.file.uid`	UID of the file’s owner
`exec.file.user`	User of the file’s owner
`exec.fsgid`	FileSystem-gid of the process
`exec.fsgroup`	FileSystem-group of the process
`exec.fsuid`	FileSystem-uid of the process
`exec.fsuser`	FileSystem-user of the process
`exec.gid`	GID of the process
`exec.group`	Group of the process
`exec.interpreter.file.change_time`	Change time (ctime) of the file
`exec.interpreter.file.extension`	File’s extension
`exec.interpreter.file.filesystem`	File’s filesystem
`exec.interpreter.file.gid`	GID of the file’s owner
`exec.interpreter.file.group`	Group of the file’s owner
`exec.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`exec.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`exec.interpreter.file.inode`	Inode of the file
`exec.interpreter.file.mode`	Mode of the file
`exec.interpreter.file.modification_time`	Modification time (mtime) of the file
`exec.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`exec.interpreter.file.mount_id`	Mount ID of the file
`exec.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`exec.interpreter.file.name`	File’s basename
`exec.interpreter.file.name.length`	Length of the corresponding element
`exec.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`exec.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`exec.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`exec.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`exec.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`exec.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`exec.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`exec.interpreter.file.path`	File’s path
`exec.interpreter.file.path.length`	Length of the corresponding element
`exec.interpreter.file.rights`	Rights of the file
`exec.interpreter.file.uid`	UID of the file’s owner
`exec.interpreter.file.user`	User of the file’s owner
`exec.is_exec`	Indicates whether the process entry is from a new binary execution
`exec.is_kworker`	Indicates whether the process is a kworker
`exec.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`exec.mntns`	MNTNS ID of the process
`exec.netns`	NetNS ID of the process
`exec.pid`	Process ID of the process (also called thread group ID)
`exec.ppid`	Parent process ID
`exec.syscall.path`	path argument of the syscall
`exec.tid`	Thread ID of the thread
`exec.tty_name`	Name of the TTY associated with the process
`exec.uid`	UID of the process
`exec.user`	User of the process
`exec.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`exec.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`exec.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`exec.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`exec.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`exec.user_session.k8s_username`	Kubernetes username of the user that executed the process
`exec.user_session.session_type`	Type of the user session
`exec.user_session.ssh_auth_method`	SSH authentication method used by the user
`exec.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`exec.user_session.ssh_client_port`	SSH client port of the user that executed the process
`exec.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`exec.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host

Event `exit`

A process was terminated

Property	Definition
`exit.args`	Arguments of the process (as a string, excluding argv0)
`exit.args_flags`	Flags in the process arguments
`exit.args_options`	Argument of the process as options
`exit.args_truncated`	Indicator of arguments truncation
`exit.argv`	Arguments of the process (as an array, excluding argv0)
`exit.argv0`	First argument of the process
`exit.auid`	Login UID of the process
`exit.cap_effective`	Effective capability set of the process
`exit.cap_permitted`	Permitted capability set of the process
`exit.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`exit.caps_used`	Bitmask of the capabilities that the process successfully used
`exit.cause`	Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
`exit.cgroup.file.inode`	Inode of the file
`exit.cgroup.file.mount_id`	Mount ID of the file
`exit.cgroup.id`	ID of the cgroup
`exit.cgroup.version`	[Experimental] Version of the cgroup API
`exit.code`	Exit code of the process or number of the signal that caused the process to terminate
`exit.comm`	Comm attribute of the process
`exit.container.created_at`	Timestamp of the creation of the container
`exit.container.id`	ID of the container
`exit.container.tags`	Tags of the container
`exit.created_at`	Timestamp of the creation of the process
`exit.egid`	Effective GID of the process
`exit.egroup`	Effective group of the process
`exit.envp`	Environment variables of the process
`exit.envs`	Environment variable names of the process
`exit.envs_truncated`	Indicator of environment variables truncation
`exit.euid`	Effective UID of the process
`exit.euser`	Effective user of the process
`exit.file.change_time`	Change time (ctime) of the file
`exit.file.extension`	File’s extension
`exit.file.filesystem`	File’s filesystem
`exit.file.gid`	GID of the file’s owner
`exit.file.group`	Group of the file’s owner
`exit.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`exit.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`exit.file.inode`	Inode of the file
`exit.file.mode`	Mode of the file
`exit.file.modification_time`	Modification time (mtime) of the file
`exit.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`exit.file.mount_id`	Mount ID of the file
`exit.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`exit.file.name`	File’s basename
`exit.file.name.length`	Length of the corresponding element
`exit.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`exit.file.package.name`	[Experimental] Name of the package that provided this file
`exit.file.package.release`	[Experimental] Release of the package that provided this file
`exit.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`exit.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`exit.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`exit.file.package.version`	[Experimental] Full version of the package that provided this file
`exit.file.path`	File’s path
`exit.file.path.length`	Length of the corresponding element
`exit.file.rights`	Rights of the file
`exit.file.uid`	UID of the file’s owner
`exit.file.user`	User of the file’s owner
`exit.fsgid`	FileSystem-gid of the process
`exit.fsgroup`	FileSystem-group of the process
`exit.fsuid`	FileSystem-uid of the process
`exit.fsuser`	FileSystem-user of the process
`exit.gid`	GID of the process
`exit.group`	Group of the process
`exit.interpreter.file.change_time`	Change time (ctime) of the file
`exit.interpreter.file.extension`	File’s extension
`exit.interpreter.file.filesystem`	File’s filesystem
`exit.interpreter.file.gid`	GID of the file’s owner
`exit.interpreter.file.group`	Group of the file’s owner
`exit.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`exit.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`exit.interpreter.file.inode`	Inode of the file
`exit.interpreter.file.mode`	Mode of the file
`exit.interpreter.file.modification_time`	Modification time (mtime) of the file
`exit.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`exit.interpreter.file.mount_id`	Mount ID of the file
`exit.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`exit.interpreter.file.name`	File’s basename
`exit.interpreter.file.name.length`	Length of the corresponding element
`exit.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`exit.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`exit.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`exit.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`exit.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`exit.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`exit.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`exit.interpreter.file.path`	File’s path
`exit.interpreter.file.path.length`	Length of the corresponding element
`exit.interpreter.file.rights`	Rights of the file
`exit.interpreter.file.uid`	UID of the file’s owner
`exit.interpreter.file.user`	User of the file’s owner
`exit.is_exec`	Indicates whether the process entry is from a new binary execution
`exit.is_kworker`	Indicates whether the process is a kworker
`exit.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`exit.mntns`	MNTNS ID of the process
`exit.netns`	NetNS ID of the process
`exit.pid`	Process ID of the process (also called thread group ID)
`exit.ppid`	Parent process ID
`exit.tid`	Thread ID of the thread
`exit.tty_name`	Name of the TTY associated with the process
`exit.uid`	UID of the process
`exit.user`	User of the process
`exit.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`exit.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`exit.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`exit.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`exit.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`exit.user_session.k8s_username`	Kubernetes username of the user that executed the process
`exit.user_session.session_type`	Type of the user session
`exit.user_session.ssh_auth_method`	SSH authentication method used by the user
`exit.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`exit.user_session.ssh_client_port`	SSH client port of the user that executed the process
`exit.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`exit.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host

Event `imds`

An IMDS event was captured

Property	Definition
`imds.aws.is_imds_v2`	a boolean which specifies if the IMDS event follows IMDSv1 or IMDSv2 conventions
`imds.aws.security_credentials.type`	the security credentials type
`imds.cloud_provider`	the intended cloud provider of the IMDS event
`imds.host`	the host of the HTTP protocol
`imds.server`	the server header of a response
`imds.type`	the type of IMDS event
`imds.url`	the queried IMDS URL
`imds.user_agent`	the user agent of the HTTP client
`network.destination.ip`	IP address
`network.destination.is_public`	Whether the IP address belongs to a public network
`network.destination.port`	Port number
`network.device.ifname`	Interface ifname
`network.device.netns`	Interface NetNS ID
`network.l3_protocol`	L3 protocol of the network packet
`network.l4_protocol`	L4 protocol of the network packet
`network.network_direction`	Network direction of the network packet
`network.size`	Size in bytes of the network packet
`network.source.ip`	IP address
`network.source.is_public`	Whether the IP address belongs to a public network
`network.source.port`	Port number
`network.type`	Type of the network packet

Event `link`

Create a new name/alias for a file

Property	Definition
`link.file.change_time`	Change time (ctime) of the file
`link.file.destination.change_time`	Change time (ctime) of the file
`link.file.destination.extension`	File’s extension
`link.file.destination.filesystem`	File’s filesystem
`link.file.destination.gid`	GID of the file’s owner
`link.file.destination.group`	Group of the file’s owner
`link.file.destination.hashes`	[Experimental] List of cryptographic hashes computed for this file
`link.file.destination.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`link.file.destination.inode`	Inode of the file
`link.file.destination.mode`	Mode of the file
`link.file.destination.modification_time`	Modification time (mtime) of the file
`link.file.destination.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`link.file.destination.mount_id`	Mount ID of the file
`link.file.destination.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`link.file.destination.name`	File’s basename
`link.file.destination.name.length`	Length of the corresponding element
`link.file.destination.package.epoch`	[Experimental] Epoch of the package that provided this file
`link.file.destination.package.name`	[Experimental] Name of the package that provided this file
`link.file.destination.package.release`	[Experimental] Release of the package that provided this file
`link.file.destination.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`link.file.destination.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`link.file.destination.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`link.file.destination.package.version`	[Experimental] Full version of the package that provided this file
`link.file.destination.path`	File’s path
`link.file.destination.path.length`	Length of the corresponding element
`link.file.destination.rights`	Rights of the file
`link.file.destination.uid`	UID of the file’s owner
`link.file.destination.user`	User of the file’s owner
`link.file.extension`	File’s extension
`link.file.filesystem`	File’s filesystem
`link.file.gid`	GID of the file’s owner
`link.file.group`	Group of the file’s owner
`link.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`link.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`link.file.inode`	Inode of the file
`link.file.mode`	Mode of the file
`link.file.modification_time`	Modification time (mtime) of the file
`link.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`link.file.mount_id`	Mount ID of the file
`link.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`link.file.name`	File’s basename
`link.file.name.length`	Length of the corresponding element
`link.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`link.file.package.name`	[Experimental] Name of the package that provided this file
`link.file.package.release`	[Experimental] Release of the package that provided this file
`link.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`link.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`link.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`link.file.package.version`	[Experimental] Full version of the package that provided this file
`link.file.path`	File’s path
`link.file.path.length`	Length of the corresponding element
`link.file.rights`	Rights of the file
`link.file.uid`	UID of the file’s owner
`link.file.user`	User of the file’s owner
`link.retval`	Return value of the syscall
`link.syscall.destination.path`	Destination path argument of the syscall
`link.syscall.path`	Path argument of the syscall

Event `load_module`

A new kernel module was loaded

Property	Definition
`load_module.args`	Parameters (as a string) of the new kernel module
`load_module.args_truncated`	Indicates if the arguments were truncated or not
`load_module.argv`	Parameters (as an array) of the new kernel module
`load_module.file.change_time`	Change time (ctime) of the file
`load_module.file.extension`	File’s extension
`load_module.file.filesystem`	File’s filesystem
`load_module.file.gid`	GID of the file’s owner
`load_module.file.group`	Group of the file’s owner
`load_module.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`load_module.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`load_module.file.inode`	Inode of the file
`load_module.file.mode`	Mode of the file
`load_module.file.modification_time`	Modification time (mtime) of the file
`load_module.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`load_module.file.mount_id`	Mount ID of the file
`load_module.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`load_module.file.name`	File’s basename
`load_module.file.name.length`	Length of the corresponding element
`load_module.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`load_module.file.package.name`	[Experimental] Name of the package that provided this file
`load_module.file.package.release`	[Experimental] Release of the package that provided this file
`load_module.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`load_module.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`load_module.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`load_module.file.package.version`	[Experimental] Full version of the package that provided this file
`load_module.file.path`	File’s path
`load_module.file.path.length`	Length of the corresponding element
`load_module.file.rights`	Rights of the file
`load_module.file.uid`	UID of the file’s owner
`load_module.file.user`	User of the file’s owner
`load_module.loaded_from_memory`	Indicates if the kernel module was loaded from memory
`load_module.name`	Name of the new kernel module
`load_module.retval`	Return value of the syscall

Event `mkdir`

A directory was created

Property	Definition
`mkdir.file.change_time`	Change time (ctime) of the file
`mkdir.file.destination.mode`	Mode of the new directory
`mkdir.file.destination.rights`	Rights of the new directory
`mkdir.file.extension`	File’s extension
`mkdir.file.filesystem`	File’s filesystem
`mkdir.file.gid`	GID of the file’s owner
`mkdir.file.group`	Group of the file’s owner
`mkdir.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`mkdir.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`mkdir.file.inode`	Inode of the file
`mkdir.file.mode`	Mode of the file
`mkdir.file.modification_time`	Modification time (mtime) of the file
`mkdir.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`mkdir.file.mount_id`	Mount ID of the file
`mkdir.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`mkdir.file.name`	File’s basename
`mkdir.file.name.length`	Length of the corresponding element
`mkdir.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`mkdir.file.package.name`	[Experimental] Name of the package that provided this file
`mkdir.file.package.release`	[Experimental] Release of the package that provided this file
`mkdir.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`mkdir.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`mkdir.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`mkdir.file.package.version`	[Experimental] Full version of the package that provided this file
`mkdir.file.path`	File’s path
`mkdir.file.path.length`	Length of the corresponding element
`mkdir.file.rights`	Rights of the file
`mkdir.file.uid`	UID of the file’s owner
`mkdir.file.user`	User of the file’s owner
`mkdir.retval`	Return value of the syscall
`mkdir.syscall.mode`	Mode of the new directory
`mkdir.syscall.path`	Path argument of the syscall

Event `mmap`

A mmap command was executed

Property	Definition
`mmap.file.change_time`	Change time (ctime) of the file
`mmap.file.extension`	File’s extension
`mmap.file.filesystem`	File’s filesystem
`mmap.file.gid`	GID of the file’s owner
`mmap.file.group`	Group of the file’s owner
`mmap.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`mmap.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`mmap.file.inode`	Inode of the file
`mmap.file.mode`	Mode of the file
`mmap.file.modification_time`	Modification time (mtime) of the file
`mmap.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`mmap.file.mount_id`	Mount ID of the file
`mmap.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`mmap.file.name`	File’s basename
`mmap.file.name.length`	Length of the corresponding element
`mmap.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`mmap.file.package.name`	[Experimental] Name of the package that provided this file
`mmap.file.package.release`	[Experimental] Release of the package that provided this file
`mmap.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`mmap.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`mmap.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`mmap.file.package.version`	[Experimental] Full version of the package that provided this file
`mmap.file.path`	File’s path
`mmap.file.path.length`	Length of the corresponding element
`mmap.file.rights`	Rights of the file
`mmap.file.uid`	UID of the file’s owner
`mmap.file.user`	User of the file’s owner
`mmap.flags`	memory segment flags
`mmap.protection`	memory segment protection
`mmap.retval`	Return value of the syscall

Event `mount`

This event type is experimental and may change in the future.

A filesystem was mounted

Property	Definition
`mount.detached`	Mount is detached from the VFS
`mount.fs_type`	Type of the mounted file system
`mount.mountpoint.path`	Path of the mount point
`mount.retval`	Return value of the syscall
`mount.root.path`	Root path of the mount
`mount.source.path`	Source path of a bind mount
`mount.syscall.fs_type`	File system type argument of the syscall
`mount.syscall.mountpoint.path`	Mount point path argument of the syscall
`mount.syscall.source.path`	Source path argument of the syscall
`mount.visible`	Mount is not visible in the VFS

Event `mprotect`

A mprotect command was executed

Property	Definition
`mprotect.req_protection`	new memory segment protection
`mprotect.retval`	Return value of the syscall
`mprotect.vm_protection`	initial memory segment protection

Event `network_flow_monitor`

A network monitor event was sent

Property	Definition
`network_flow_monitor.device.ifname`	Interface ifname
`network_flow_monitor.device.netns`	Interface NetNS ID
`network_flow_monitor.flows.destination.ip`	IP address
`network_flow_monitor.flows.destination.is_public`	Whether the IP address belongs to a public network
`network_flow_monitor.flows.destination.port`	Port number
`network_flow_monitor.flows.egress.data_size`	Amount of data transmitted or received
`network_flow_monitor.flows.egress.packet_count`	Count of network packets transmitted or received
`network_flow_monitor.flows.ingress.data_size`	Amount of data transmitted or received
`network_flow_monitor.flows.ingress.packet_count`	Count of network packets transmitted or received
`network_flow_monitor.flows.l3_protocol`	L3 protocol of the network packet
`network_flow_monitor.flows.l4_protocol`	L4 protocol of the network packet
`network_flow_monitor.flows.length`	Length of the corresponding element
`network_flow_monitor.flows.source.ip`	IP address
`network_flow_monitor.flows.source.is_public`	Whether the IP address belongs to a public network
`network_flow_monitor.flows.source.port`	Port number

Event `open`

A file was opened

Property	Definition
`open.file.change_time`	Change time (ctime) of the file
`open.file.destination.mode`	Mode of the created file
`open.file.extension`	File’s extension
`open.file.filesystem`	File’s filesystem
`open.file.gid`	GID of the file’s owner
`open.file.group`	Group of the file’s owner
`open.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`open.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`open.file.inode`	Inode of the file
`open.file.mode`	Mode of the file
`open.file.modification_time`	Modification time (mtime) of the file
`open.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`open.file.mount_id`	Mount ID of the file
`open.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`open.file.name`	File’s basename
`open.file.name.length`	Length of the corresponding element
`open.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`open.file.package.name`	[Experimental] Name of the package that provided this file
`open.file.package.release`	[Experimental] Release of the package that provided this file
`open.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`open.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`open.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`open.file.package.version`	[Experimental] Full version of the package that provided this file
`open.file.path`	File’s path
`open.file.path.length`	Length of the corresponding element
`open.file.rights`	Rights of the file
`open.file.uid`	UID of the file’s owner
`open.file.user`	User of the file’s owner
`open.flags`	Flags used when opening the file
`open.retval`	Return value of the syscall
`open.syscall.flags`	Flags argument of the syscall
`open.syscall.mode`	Mode argument of the syscall
`open.syscall.path`	Path argument of the syscall

Event `packet`

A raw network packet was captured

Property	Definition
`network.destination.ip`	IP address
`network.destination.is_public`	Whether the IP address belongs to a public network
`network.destination.port`	Port number
`network.device.ifname`	Interface ifname
`network.device.netns`	Interface NetNS ID
`network.l3_protocol`	L3 protocol of the network packet
`network.l4_protocol`	L4 protocol of the network packet
`network.network_direction`	Network direction of the network packet
`network.size`	Size in bytes of the network packet
`network.source.ip`	IP address
`network.source.is_public`	Whether the IP address belongs to a public network
`network.source.port`	Port number
`network.type`	Type of the network packet
`packet.destination.ip`	IP address
`packet.destination.is_public`	Whether the IP address belongs to a public network
`packet.destination.port`	Port number
`packet.device.ifname`	Interface ifname
`packet.device.netns`	Interface NetNS ID
`packet.filter`	pcap filter expression
`packet.l3_protocol`	L3 protocol of the network packet
`packet.l4_protocol`	L4 protocol of the network packet
`packet.network_direction`	Network direction of the network packet
`packet.size`	Size in bytes of the network packet
`packet.source.ip`	IP address
`packet.source.is_public`	Whether the IP address belongs to a public network
`packet.source.port`	Port number
`packet.tls.version`	TLS version
`packet.type`	Type of the network packet

Event `prctl`

A prctl command was executed

Property	Definition
`prctl.is_name_truncated`	Indicates that the name field is truncated
`prctl.new_name`	New name of the process
`prctl.option`	prctl option
`prctl.retval`	Return value of the syscall

Event `ptrace`

A ptrace command was executed

Property	Definition
`ptrace.request`	ptrace request
`ptrace.retval`	Return value of the syscall
`ptrace.tracee.ancestors.args`	Arguments of the process (as a string, excluding argv0)
`ptrace.tracee.ancestors.args_flags`	Flags in the process arguments
`ptrace.tracee.ancestors.args_options`	Argument of the process as options
`ptrace.tracee.ancestors.args_truncated`	Indicator of arguments truncation
`ptrace.tracee.ancestors.argv`	Arguments of the process (as an array, excluding argv0)
`ptrace.tracee.ancestors.argv0`	First argument of the process
`ptrace.tracee.ancestors.auid`	Login UID of the process
`ptrace.tracee.ancestors.cap_effective`	Effective capability set of the process
`ptrace.tracee.ancestors.cap_permitted`	Permitted capability set of the process
`ptrace.tracee.ancestors.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`ptrace.tracee.ancestors.caps_used`	Bitmask of the capabilities that the process successfully used
`ptrace.tracee.ancestors.cgroup.file.inode`	Inode of the file
`ptrace.tracee.ancestors.cgroup.file.mount_id`	Mount ID of the file
`ptrace.tracee.ancestors.cgroup.id`	ID of the cgroup
`ptrace.tracee.ancestors.cgroup.version`	[Experimental] Version of the cgroup API
`ptrace.tracee.ancestors.comm`	Comm attribute of the process
`ptrace.tracee.ancestors.container.created_at`	Timestamp of the creation of the container
`ptrace.tracee.ancestors.container.id`	ID of the container
`ptrace.tracee.ancestors.container.tags`	Tags of the container
`ptrace.tracee.ancestors.created_at`	Timestamp of the creation of the process
`ptrace.tracee.ancestors.egid`	Effective GID of the process
`ptrace.tracee.ancestors.egroup`	Effective group of the process
`ptrace.tracee.ancestors.envp`	Environment variables of the process
`ptrace.tracee.ancestors.envs`	Environment variable names of the process
`ptrace.tracee.ancestors.envs_truncated`	Indicator of environment variables truncation
`ptrace.tracee.ancestors.euid`	Effective UID of the process
`ptrace.tracee.ancestors.euser`	Effective user of the process
`ptrace.tracee.ancestors.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.ancestors.file.extension`	File’s extension
`ptrace.tracee.ancestors.file.filesystem`	File’s filesystem
`ptrace.tracee.ancestors.file.gid`	GID of the file’s owner
`ptrace.tracee.ancestors.file.group`	Group of the file’s owner
`ptrace.tracee.ancestors.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.ancestors.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.ancestors.file.inode`	Inode of the file
`ptrace.tracee.ancestors.file.mode`	Mode of the file
`ptrace.tracee.ancestors.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.ancestors.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.ancestors.file.mount_id`	Mount ID of the file
`ptrace.tracee.ancestors.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.ancestors.file.name`	File’s basename
`ptrace.tracee.ancestors.file.name.length`	Length of the corresponding element
`ptrace.tracee.ancestors.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.ancestors.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.ancestors.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.ancestors.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.ancestors.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.ancestors.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.ancestors.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.ancestors.file.path`	File’s path
`ptrace.tracee.ancestors.file.path.length`	Length of the corresponding element
`ptrace.tracee.ancestors.file.rights`	Rights of the file
`ptrace.tracee.ancestors.file.uid`	UID of the file’s owner
`ptrace.tracee.ancestors.file.user`	User of the file’s owner
`ptrace.tracee.ancestors.fsgid`	FileSystem-gid of the process
`ptrace.tracee.ancestors.fsgroup`	FileSystem-group of the process
`ptrace.tracee.ancestors.fsuid`	FileSystem-uid of the process
`ptrace.tracee.ancestors.fsuser`	FileSystem-user of the process
`ptrace.tracee.ancestors.gid`	GID of the process
`ptrace.tracee.ancestors.group`	Group of the process
`ptrace.tracee.ancestors.interpreter.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.ancestors.interpreter.file.extension`	File’s extension
`ptrace.tracee.ancestors.interpreter.file.filesystem`	File’s filesystem
`ptrace.tracee.ancestors.interpreter.file.gid`	GID of the file’s owner
`ptrace.tracee.ancestors.interpreter.file.group`	Group of the file’s owner
`ptrace.tracee.ancestors.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.ancestors.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.ancestors.interpreter.file.inode`	Inode of the file
`ptrace.tracee.ancestors.interpreter.file.mode`	Mode of the file
`ptrace.tracee.ancestors.interpreter.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.ancestors.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.ancestors.interpreter.file.mount_id`	Mount ID of the file
`ptrace.tracee.ancestors.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.ancestors.interpreter.file.name`	File’s basename
`ptrace.tracee.ancestors.interpreter.file.name.length`	Length of the corresponding element
`ptrace.tracee.ancestors.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.ancestors.interpreter.file.path`	File’s path
`ptrace.tracee.ancestors.interpreter.file.path.length`	Length of the corresponding element
`ptrace.tracee.ancestors.interpreter.file.rights`	Rights of the file
`ptrace.tracee.ancestors.interpreter.file.uid`	UID of the file’s owner
`ptrace.tracee.ancestors.interpreter.file.user`	User of the file’s owner
`ptrace.tracee.ancestors.is_exec`	Indicates whether the process entry is from a new binary execution
`ptrace.tracee.ancestors.is_kworker`	Indicates whether the process is a kworker
`ptrace.tracee.ancestors.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`ptrace.tracee.ancestors.length`	Length of the corresponding element
`ptrace.tracee.ancestors.mntns`	MNTNS ID of the process
`ptrace.tracee.ancestors.netns`	NetNS ID of the process
`ptrace.tracee.ancestors.pid`	Process ID of the process (also called thread group ID)
`ptrace.tracee.ancestors.ppid`	Parent process ID
`ptrace.tracee.ancestors.tid`	Thread ID of the thread
`ptrace.tracee.ancestors.tty_name`	Name of the TTY associated with the process
`ptrace.tracee.ancestors.uid`	UID of the process
`ptrace.tracee.ancestors.user`	User of the process
`ptrace.tracee.ancestors.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`ptrace.tracee.ancestors.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`ptrace.tracee.ancestors.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`ptrace.tracee.ancestors.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`ptrace.tracee.ancestors.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`ptrace.tracee.ancestors.user_session.k8s_username`	Kubernetes username of the user that executed the process
`ptrace.tracee.ancestors.user_session.session_type`	Type of the user session
`ptrace.tracee.ancestors.user_session.ssh_auth_method`	SSH authentication method used by the user
`ptrace.tracee.ancestors.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`ptrace.tracee.ancestors.user_session.ssh_client_port`	SSH client port of the user that executed the process
`ptrace.tracee.ancestors.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`ptrace.tracee.ancestors.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`ptrace.tracee.args`	Arguments of the process (as a string, excluding argv0)
`ptrace.tracee.args_flags`	Flags in the process arguments
`ptrace.tracee.args_options`	Argument of the process as options
`ptrace.tracee.args_truncated`	Indicator of arguments truncation
`ptrace.tracee.argv`	Arguments of the process (as an array, excluding argv0)
`ptrace.tracee.argv0`	First argument of the process
`ptrace.tracee.auid`	Login UID of the process
`ptrace.tracee.cap_effective`	Effective capability set of the process
`ptrace.tracee.cap_permitted`	Permitted capability set of the process
`ptrace.tracee.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`ptrace.tracee.caps_used`	Bitmask of the capabilities that the process successfully used
`ptrace.tracee.cgroup.file.inode`	Inode of the file
`ptrace.tracee.cgroup.file.mount_id`	Mount ID of the file
`ptrace.tracee.cgroup.id`	ID of the cgroup
`ptrace.tracee.cgroup.version`	[Experimental] Version of the cgroup API
`ptrace.tracee.comm`	Comm attribute of the process
`ptrace.tracee.container.created_at`	Timestamp of the creation of the container
`ptrace.tracee.container.id`	ID of the container
`ptrace.tracee.container.tags`	Tags of the container
`ptrace.tracee.created_at`	Timestamp of the creation of the process
`ptrace.tracee.egid`	Effective GID of the process
`ptrace.tracee.egroup`	Effective group of the process
`ptrace.tracee.envp`	Environment variables of the process
`ptrace.tracee.envs`	Environment variable names of the process
`ptrace.tracee.envs_truncated`	Indicator of environment variables truncation
`ptrace.tracee.euid`	Effective UID of the process
`ptrace.tracee.euser`	Effective user of the process
`ptrace.tracee.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.file.extension`	File’s extension
`ptrace.tracee.file.filesystem`	File’s filesystem
`ptrace.tracee.file.gid`	GID of the file’s owner
`ptrace.tracee.file.group`	Group of the file’s owner
`ptrace.tracee.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.file.inode`	Inode of the file
`ptrace.tracee.file.mode`	Mode of the file
`ptrace.tracee.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.file.mount_id`	Mount ID of the file
`ptrace.tracee.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.file.name`	File’s basename
`ptrace.tracee.file.name.length`	Length of the corresponding element
`ptrace.tracee.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.file.path`	File’s path
`ptrace.tracee.file.path.length`	Length of the corresponding element
`ptrace.tracee.file.rights`	Rights of the file
`ptrace.tracee.file.uid`	UID of the file’s owner
`ptrace.tracee.file.user`	User of the file’s owner
`ptrace.tracee.fsgid`	FileSystem-gid of the process
`ptrace.tracee.fsgroup`	FileSystem-group of the process
`ptrace.tracee.fsuid`	FileSystem-uid of the process
`ptrace.tracee.fsuser`	FileSystem-user of the process
`ptrace.tracee.gid`	GID of the process
`ptrace.tracee.group`	Group of the process
`ptrace.tracee.interpreter.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.interpreter.file.extension`	File’s extension
`ptrace.tracee.interpreter.file.filesystem`	File’s filesystem
`ptrace.tracee.interpreter.file.gid`	GID of the file’s owner
`ptrace.tracee.interpreter.file.group`	Group of the file’s owner
`ptrace.tracee.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.interpreter.file.inode`	Inode of the file
`ptrace.tracee.interpreter.file.mode`	Mode of the file
`ptrace.tracee.interpreter.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.interpreter.file.mount_id`	Mount ID of the file
`ptrace.tracee.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.interpreter.file.name`	File’s basename
`ptrace.tracee.interpreter.file.name.length`	Length of the corresponding element
`ptrace.tracee.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.interpreter.file.path`	File’s path
`ptrace.tracee.interpreter.file.path.length`	Length of the corresponding element
`ptrace.tracee.interpreter.file.rights`	Rights of the file
`ptrace.tracee.interpreter.file.uid`	UID of the file’s owner
`ptrace.tracee.interpreter.file.user`	User of the file’s owner
`ptrace.tracee.is_exec`	Indicates whether the process entry is from a new binary execution
`ptrace.tracee.is_kworker`	Indicates whether the process is a kworker
`ptrace.tracee.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`ptrace.tracee.mntns`	MNTNS ID of the process
`ptrace.tracee.netns`	NetNS ID of the process
`ptrace.tracee.parent.args`	Arguments of the process (as a string, excluding argv0)
`ptrace.tracee.parent.args_flags`	Flags in the process arguments
`ptrace.tracee.parent.args_options`	Argument of the process as options
`ptrace.tracee.parent.args_truncated`	Indicator of arguments truncation
`ptrace.tracee.parent.argv`	Arguments of the process (as an array, excluding argv0)
`ptrace.tracee.parent.argv0`	First argument of the process
`ptrace.tracee.parent.auid`	Login UID of the process
`ptrace.tracee.parent.cap_effective`	Effective capability set of the process
`ptrace.tracee.parent.cap_permitted`	Permitted capability set of the process
`ptrace.tracee.parent.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`ptrace.tracee.parent.caps_used`	Bitmask of the capabilities that the process successfully used
`ptrace.tracee.parent.cgroup.file.inode`	Inode of the file
`ptrace.tracee.parent.cgroup.file.mount_id`	Mount ID of the file
`ptrace.tracee.parent.cgroup.id`	ID of the cgroup
`ptrace.tracee.parent.cgroup.version`	[Experimental] Version of the cgroup API
`ptrace.tracee.parent.comm`	Comm attribute of the process
`ptrace.tracee.parent.container.created_at`	Timestamp of the creation of the container
`ptrace.tracee.parent.container.id`	ID of the container
`ptrace.tracee.parent.container.tags`	Tags of the container
`ptrace.tracee.parent.created_at`	Timestamp of the creation of the process
`ptrace.tracee.parent.egid`	Effective GID of the process
`ptrace.tracee.parent.egroup`	Effective group of the process
`ptrace.tracee.parent.envp`	Environment variables of the process
`ptrace.tracee.parent.envs`	Environment variable names of the process
`ptrace.tracee.parent.envs_truncated`	Indicator of environment variables truncation
`ptrace.tracee.parent.euid`	Effective UID of the process
`ptrace.tracee.parent.euser`	Effective user of the process
`ptrace.tracee.parent.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.parent.file.extension`	File’s extension
`ptrace.tracee.parent.file.filesystem`	File’s filesystem
`ptrace.tracee.parent.file.gid`	GID of the file’s owner
`ptrace.tracee.parent.file.group`	Group of the file’s owner
`ptrace.tracee.parent.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.parent.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.parent.file.inode`	Inode of the file
`ptrace.tracee.parent.file.mode`	Mode of the file
`ptrace.tracee.parent.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.parent.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.parent.file.mount_id`	Mount ID of the file
`ptrace.tracee.parent.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.parent.file.name`	File’s basename
`ptrace.tracee.parent.file.name.length`	Length of the corresponding element
`ptrace.tracee.parent.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.parent.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.parent.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.parent.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.parent.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.parent.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.parent.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.parent.file.path`	File’s path
`ptrace.tracee.parent.file.path.length`	Length of the corresponding element
`ptrace.tracee.parent.file.rights`	Rights of the file
`ptrace.tracee.parent.file.uid`	UID of the file’s owner
`ptrace.tracee.parent.file.user`	User of the file’s owner
`ptrace.tracee.parent.fsgid`	FileSystem-gid of the process
`ptrace.tracee.parent.fsgroup`	FileSystem-group of the process
`ptrace.tracee.parent.fsuid`	FileSystem-uid of the process
`ptrace.tracee.parent.fsuser`	FileSystem-user of the process
`ptrace.tracee.parent.gid`	GID of the process
`ptrace.tracee.parent.group`	Group of the process
`ptrace.tracee.parent.interpreter.file.change_time`	Change time (ctime) of the file
`ptrace.tracee.parent.interpreter.file.extension`	File’s extension
`ptrace.tracee.parent.interpreter.file.filesystem`	File’s filesystem
`ptrace.tracee.parent.interpreter.file.gid`	GID of the file’s owner
`ptrace.tracee.parent.interpreter.file.group`	Group of the file’s owner
`ptrace.tracee.parent.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`ptrace.tracee.parent.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`ptrace.tracee.parent.interpreter.file.inode`	Inode of the file
`ptrace.tracee.parent.interpreter.file.mode`	Mode of the file
`ptrace.tracee.parent.interpreter.file.modification_time`	Modification time (mtime) of the file
`ptrace.tracee.parent.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`ptrace.tracee.parent.interpreter.file.mount_id`	Mount ID of the file
`ptrace.tracee.parent.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`ptrace.tracee.parent.interpreter.file.name`	File’s basename
`ptrace.tracee.parent.interpreter.file.name.length`	Length of the corresponding element
`ptrace.tracee.parent.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`ptrace.tracee.parent.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`ptrace.tracee.parent.interpreter.file.path`	File’s path
`ptrace.tracee.parent.interpreter.file.path.length`	Length of the corresponding element
`ptrace.tracee.parent.interpreter.file.rights`	Rights of the file
`ptrace.tracee.parent.interpreter.file.uid`	UID of the file’s owner
`ptrace.tracee.parent.interpreter.file.user`	User of the file’s owner
`ptrace.tracee.parent.is_exec`	Indicates whether the process entry is from a new binary execution
`ptrace.tracee.parent.is_kworker`	Indicates whether the process is a kworker
`ptrace.tracee.parent.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`ptrace.tracee.parent.mntns`	MNTNS ID of the process
`ptrace.tracee.parent.netns`	NetNS ID of the process
`ptrace.tracee.parent.pid`	Process ID of the process (also called thread group ID)
`ptrace.tracee.parent.ppid`	Parent process ID
`ptrace.tracee.parent.tid`	Thread ID of the thread
`ptrace.tracee.parent.tty_name`	Name of the TTY associated with the process
`ptrace.tracee.parent.uid`	UID of the process
`ptrace.tracee.parent.user`	User of the process
`ptrace.tracee.parent.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`ptrace.tracee.parent.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`ptrace.tracee.parent.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`ptrace.tracee.parent.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`ptrace.tracee.parent.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`ptrace.tracee.parent.user_session.k8s_username`	Kubernetes username of the user that executed the process
`ptrace.tracee.parent.user_session.session_type`	Type of the user session
`ptrace.tracee.parent.user_session.ssh_auth_method`	SSH authentication method used by the user
`ptrace.tracee.parent.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`ptrace.tracee.parent.user_session.ssh_client_port`	SSH client port of the user that executed the process
`ptrace.tracee.parent.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`ptrace.tracee.parent.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`ptrace.tracee.pid`	Process ID of the process (also called thread group ID)
`ptrace.tracee.ppid`	Parent process ID
`ptrace.tracee.tid`	Thread ID of the thread
`ptrace.tracee.tty_name`	Name of the TTY associated with the process
`ptrace.tracee.uid`	UID of the process
`ptrace.tracee.user`	User of the process
`ptrace.tracee.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`ptrace.tracee.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`ptrace.tracee.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`ptrace.tracee.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`ptrace.tracee.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`ptrace.tracee.user_session.k8s_username`	Kubernetes username of the user that executed the process
`ptrace.tracee.user_session.session_type`	Type of the user session
`ptrace.tracee.user_session.ssh_auth_method`	SSH authentication method used by the user
`ptrace.tracee.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`ptrace.tracee.user_session.ssh_client_port`	SSH client port of the user that executed the process
`ptrace.tracee.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`ptrace.tracee.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host

Event `removexattr`

Remove extended attributes

Property	Definition
`removexattr.file.change_time`	Change time (ctime) of the file
`removexattr.file.destination.name`	Name of the extended attribute
`removexattr.file.destination.namespace`	Namespace of the extended attribute
`removexattr.file.extension`	File’s extension
`removexattr.file.filesystem`	File’s filesystem
`removexattr.file.gid`	GID of the file’s owner
`removexattr.file.group`	Group of the file’s owner
`removexattr.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`removexattr.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`removexattr.file.inode`	Inode of the file
`removexattr.file.mode`	Mode of the file
`removexattr.file.modification_time`	Modification time (mtime) of the file
`removexattr.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`removexattr.file.mount_id`	Mount ID of the file
`removexattr.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`removexattr.file.name`	File’s basename
`removexattr.file.name.length`	Length of the corresponding element
`removexattr.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`removexattr.file.package.name`	[Experimental] Name of the package that provided this file
`removexattr.file.package.release`	[Experimental] Release of the package that provided this file
`removexattr.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`removexattr.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`removexattr.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`removexattr.file.package.version`	[Experimental] Full version of the package that provided this file
`removexattr.file.path`	File’s path
`removexattr.file.path.length`	Length of the corresponding element
`removexattr.file.rights`	Rights of the file
`removexattr.file.uid`	UID of the file’s owner
`removexattr.file.user`	User of the file’s owner
`removexattr.retval`	Return value of the syscall

Event `rename`

A file/directory was renamed

Property	Definition
`rename.file.change_time`	Change time (ctime) of the file
`rename.file.destination.change_time`	Change time (ctime) of the file
`rename.file.destination.extension`	File’s extension
`rename.file.destination.filesystem`	File’s filesystem
`rename.file.destination.gid`	GID of the file’s owner
`rename.file.destination.group`	Group of the file’s owner
`rename.file.destination.hashes`	[Experimental] List of cryptographic hashes computed for this file
`rename.file.destination.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`rename.file.destination.inode`	Inode of the file
`rename.file.destination.mode`	Mode of the file
`rename.file.destination.modification_time`	Modification time (mtime) of the file
`rename.file.destination.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`rename.file.destination.mount_id`	Mount ID of the file
`rename.file.destination.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`rename.file.destination.name`	File’s basename
`rename.file.destination.name.length`	Length of the corresponding element
`rename.file.destination.package.epoch`	[Experimental] Epoch of the package that provided this file
`rename.file.destination.package.name`	[Experimental] Name of the package that provided this file
`rename.file.destination.package.release`	[Experimental] Release of the package that provided this file
`rename.file.destination.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`rename.file.destination.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`rename.file.destination.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`rename.file.destination.package.version`	[Experimental] Full version of the package that provided this file
`rename.file.destination.path`	File’s path
`rename.file.destination.path.length`	Length of the corresponding element
`rename.file.destination.rights`	Rights of the file
`rename.file.destination.uid`	UID of the file’s owner
`rename.file.destination.user`	User of the file’s owner
`rename.file.extension`	File’s extension
`rename.file.filesystem`	File’s filesystem
`rename.file.gid`	GID of the file’s owner
`rename.file.group`	Group of the file’s owner
`rename.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`rename.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`rename.file.inode`	Inode of the file
`rename.file.mode`	Mode of the file
`rename.file.modification_time`	Modification time (mtime) of the file
`rename.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`rename.file.mount_id`	Mount ID of the file
`rename.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`rename.file.name`	File’s basename
`rename.file.name.length`	Length of the corresponding element
`rename.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`rename.file.package.name`	[Experimental] Name of the package that provided this file
`rename.file.package.release`	[Experimental] Release of the package that provided this file
`rename.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`rename.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`rename.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`rename.file.package.version`	[Experimental] Full version of the package that provided this file
`rename.file.path`	File’s path
`rename.file.path.length`	Length of the corresponding element
`rename.file.rights`	Rights of the file
`rename.file.uid`	UID of the file’s owner
`rename.file.user`	User of the file’s owner
`rename.retval`	Return value of the syscall
`rename.syscall.destination.path`	Destination path argument of the syscall
`rename.syscall.path`	Path argument of the syscall

Event `rmdir`

A directory was removed

Property	Definition
`rmdir.file.change_time`	Change time (ctime) of the file
`rmdir.file.extension`	File’s extension
`rmdir.file.filesystem`	File’s filesystem
`rmdir.file.gid`	GID of the file’s owner
`rmdir.file.group`	Group of the file’s owner
`rmdir.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`rmdir.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`rmdir.file.inode`	Inode of the file
`rmdir.file.mode`	Mode of the file
`rmdir.file.modification_time`	Modification time (mtime) of the file
`rmdir.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`rmdir.file.mount_id`	Mount ID of the file
`rmdir.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`rmdir.file.name`	File’s basename
`rmdir.file.name.length`	Length of the corresponding element
`rmdir.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`rmdir.file.package.name`	[Experimental] Name of the package that provided this file
`rmdir.file.package.release`	[Experimental] Release of the package that provided this file
`rmdir.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`rmdir.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`rmdir.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`rmdir.file.package.version`	[Experimental] Full version of the package that provided this file
`rmdir.file.path`	File’s path
`rmdir.file.path.length`	Length of the corresponding element
`rmdir.file.rights`	Rights of the file
`rmdir.file.uid`	UID of the file’s owner
`rmdir.file.user`	User of the file’s owner
`rmdir.retval`	Return value of the syscall
`rmdir.syscall.path`	Path argument of the syscall

Event `selinux`

An SELinux operation was run

Property	Definition
`selinux.bool.name`	SELinux boolean name
`selinux.bool.state`	SELinux boolean new value
`selinux.bool_commit.state`	Indicator of a SELinux boolean commit operation
`selinux.enforce.status`	SELinux enforcement status (one of “enforcing”, “permissive”, “disabled”)

Event `setgid`

A process changed its effective gid

Property	Definition
`setgid.egid`	New effective GID of the process
`setgid.egroup`	New effective group of the process
`setgid.fsgid`	New FileSystem GID of the process
`setgid.fsgroup`	New FileSystem group of the process
`setgid.gid`	New GID of the process
`setgid.group`	New group of the process

Event `setrlimit`

A setrlimit command was executed

Property	Definition
`setrlimit.resource`	Resource type being limited
`setrlimit.retval`	Return value of the syscall
`setrlimit.rlim_cur`	Current (soft) limit value
`setrlimit.rlim_max`	Maximum (hard) limit value
`setrlimit.target.ancestors.args`	Arguments of the process (as a string, excluding argv0)
`setrlimit.target.ancestors.args_flags`	Flags in the process arguments
`setrlimit.target.ancestors.args_options`	Argument of the process as options
`setrlimit.target.ancestors.args_truncated`	Indicator of arguments truncation
`setrlimit.target.ancestors.argv`	Arguments of the process (as an array, excluding argv0)
`setrlimit.target.ancestors.argv0`	First argument of the process
`setrlimit.target.ancestors.auid`	Login UID of the process
`setrlimit.target.ancestors.cap_effective`	Effective capability set of the process
`setrlimit.target.ancestors.cap_permitted`	Permitted capability set of the process
`setrlimit.target.ancestors.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`setrlimit.target.ancestors.caps_used`	Bitmask of the capabilities that the process successfully used
`setrlimit.target.ancestors.cgroup.file.inode`	Inode of the file
`setrlimit.target.ancestors.cgroup.file.mount_id`	Mount ID of the file
`setrlimit.target.ancestors.cgroup.id`	ID of the cgroup
`setrlimit.target.ancestors.cgroup.version`	[Experimental] Version of the cgroup API
`setrlimit.target.ancestors.comm`	Comm attribute of the process
`setrlimit.target.ancestors.container.created_at`	Timestamp of the creation of the container
`setrlimit.target.ancestors.container.id`	ID of the container
`setrlimit.target.ancestors.container.tags`	Tags of the container
`setrlimit.target.ancestors.created_at`	Timestamp of the creation of the process
`setrlimit.target.ancestors.egid`	Effective GID of the process
`setrlimit.target.ancestors.egroup`	Effective group of the process
`setrlimit.target.ancestors.envp`	Environment variables of the process
`setrlimit.target.ancestors.envs`	Environment variable names of the process
`setrlimit.target.ancestors.envs_truncated`	Indicator of environment variables truncation
`setrlimit.target.ancestors.euid`	Effective UID of the process
`setrlimit.target.ancestors.euser`	Effective user of the process
`setrlimit.target.ancestors.file.change_time`	Change time (ctime) of the file
`setrlimit.target.ancestors.file.extension`	File’s extension
`setrlimit.target.ancestors.file.filesystem`	File’s filesystem
`setrlimit.target.ancestors.file.gid`	GID of the file’s owner
`setrlimit.target.ancestors.file.group`	Group of the file’s owner
`setrlimit.target.ancestors.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.ancestors.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.ancestors.file.inode`	Inode of the file
`setrlimit.target.ancestors.file.mode`	Mode of the file
`setrlimit.target.ancestors.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.ancestors.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.ancestors.file.mount_id`	Mount ID of the file
`setrlimit.target.ancestors.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.ancestors.file.name`	File’s basename
`setrlimit.target.ancestors.file.name.length`	Length of the corresponding element
`setrlimit.target.ancestors.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.ancestors.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.ancestors.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.ancestors.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.ancestors.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.ancestors.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.ancestors.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.ancestors.file.path`	File’s path
`setrlimit.target.ancestors.file.path.length`	Length of the corresponding element
`setrlimit.target.ancestors.file.rights`	Rights of the file
`setrlimit.target.ancestors.file.uid`	UID of the file’s owner
`setrlimit.target.ancestors.file.user`	User of the file’s owner
`setrlimit.target.ancestors.fsgid`	FileSystem-gid of the process
`setrlimit.target.ancestors.fsgroup`	FileSystem-group of the process
`setrlimit.target.ancestors.fsuid`	FileSystem-uid of the process
`setrlimit.target.ancestors.fsuser`	FileSystem-user of the process
`setrlimit.target.ancestors.gid`	GID of the process
`setrlimit.target.ancestors.group`	Group of the process
`setrlimit.target.ancestors.interpreter.file.change_time`	Change time (ctime) of the file
`setrlimit.target.ancestors.interpreter.file.extension`	File’s extension
`setrlimit.target.ancestors.interpreter.file.filesystem`	File’s filesystem
`setrlimit.target.ancestors.interpreter.file.gid`	GID of the file’s owner
`setrlimit.target.ancestors.interpreter.file.group`	Group of the file’s owner
`setrlimit.target.ancestors.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.ancestors.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.ancestors.interpreter.file.inode`	Inode of the file
`setrlimit.target.ancestors.interpreter.file.mode`	Mode of the file
`setrlimit.target.ancestors.interpreter.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.ancestors.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.ancestors.interpreter.file.mount_id`	Mount ID of the file
`setrlimit.target.ancestors.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.ancestors.interpreter.file.name`	File’s basename
`setrlimit.target.ancestors.interpreter.file.name.length`	Length of the corresponding element
`setrlimit.target.ancestors.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.ancestors.interpreter.file.path`	File’s path
`setrlimit.target.ancestors.interpreter.file.path.length`	Length of the corresponding element
`setrlimit.target.ancestors.interpreter.file.rights`	Rights of the file
`setrlimit.target.ancestors.interpreter.file.uid`	UID of the file’s owner
`setrlimit.target.ancestors.interpreter.file.user`	User of the file’s owner
`setrlimit.target.ancestors.is_exec`	Indicates whether the process entry is from a new binary execution
`setrlimit.target.ancestors.is_kworker`	Indicates whether the process is a kworker
`setrlimit.target.ancestors.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`setrlimit.target.ancestors.length`	Length of the corresponding element
`setrlimit.target.ancestors.mntns`	MNTNS ID of the process
`setrlimit.target.ancestors.netns`	NetNS ID of the process
`setrlimit.target.ancestors.pid`	Process ID of the process (also called thread group ID)
`setrlimit.target.ancestors.ppid`	Parent process ID
`setrlimit.target.ancestors.tid`	Thread ID of the thread
`setrlimit.target.ancestors.tty_name`	Name of the TTY associated with the process
`setrlimit.target.ancestors.uid`	UID of the process
`setrlimit.target.ancestors.user`	User of the process
`setrlimit.target.ancestors.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`setrlimit.target.ancestors.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`setrlimit.target.ancestors.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`setrlimit.target.ancestors.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`setrlimit.target.ancestors.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`setrlimit.target.ancestors.user_session.k8s_username`	Kubernetes username of the user that executed the process
`setrlimit.target.ancestors.user_session.session_type`	Type of the user session
`setrlimit.target.ancestors.user_session.ssh_auth_method`	SSH authentication method used by the user
`setrlimit.target.ancestors.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`setrlimit.target.ancestors.user_session.ssh_client_port`	SSH client port of the user that executed the process
`setrlimit.target.ancestors.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`setrlimit.target.ancestors.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`setrlimit.target.args`	Arguments of the process (as a string, excluding argv0)
`setrlimit.target.args_flags`	Flags in the process arguments
`setrlimit.target.args_options`	Argument of the process as options
`setrlimit.target.args_truncated`	Indicator of arguments truncation
`setrlimit.target.argv`	Arguments of the process (as an array, excluding argv0)
`setrlimit.target.argv0`	First argument of the process
`setrlimit.target.auid`	Login UID of the process
`setrlimit.target.cap_effective`	Effective capability set of the process
`setrlimit.target.cap_permitted`	Permitted capability set of the process
`setrlimit.target.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`setrlimit.target.caps_used`	Bitmask of the capabilities that the process successfully used
`setrlimit.target.cgroup.file.inode`	Inode of the file
`setrlimit.target.cgroup.file.mount_id`	Mount ID of the file
`setrlimit.target.cgroup.id`	ID of the cgroup
`setrlimit.target.cgroup.version`	[Experimental] Version of the cgroup API
`setrlimit.target.comm`	Comm attribute of the process
`setrlimit.target.container.created_at`	Timestamp of the creation of the container
`setrlimit.target.container.id`	ID of the container
`setrlimit.target.container.tags`	Tags of the container
`setrlimit.target.created_at`	Timestamp of the creation of the process
`setrlimit.target.egid`	Effective GID of the process
`setrlimit.target.egroup`	Effective group of the process
`setrlimit.target.envp`	Environment variables of the process
`setrlimit.target.envs`	Environment variable names of the process
`setrlimit.target.envs_truncated`	Indicator of environment variables truncation
`setrlimit.target.euid`	Effective UID of the process
`setrlimit.target.euser`	Effective user of the process
`setrlimit.target.file.change_time`	Change time (ctime) of the file
`setrlimit.target.file.extension`	File’s extension
`setrlimit.target.file.filesystem`	File’s filesystem
`setrlimit.target.file.gid`	GID of the file’s owner
`setrlimit.target.file.group`	Group of the file’s owner
`setrlimit.target.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.file.inode`	Inode of the file
`setrlimit.target.file.mode`	Mode of the file
`setrlimit.target.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.file.mount_id`	Mount ID of the file
`setrlimit.target.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.file.name`	File’s basename
`setrlimit.target.file.name.length`	Length of the corresponding element
`setrlimit.target.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.file.path`	File’s path
`setrlimit.target.file.path.length`	Length of the corresponding element
`setrlimit.target.file.rights`	Rights of the file
`setrlimit.target.file.uid`	UID of the file’s owner
`setrlimit.target.file.user`	User of the file’s owner
`setrlimit.target.fsgid`	FileSystem-gid of the process
`setrlimit.target.fsgroup`	FileSystem-group of the process
`setrlimit.target.fsuid`	FileSystem-uid of the process
`setrlimit.target.fsuser`	FileSystem-user of the process
`setrlimit.target.gid`	GID of the process
`setrlimit.target.group`	Group of the process
`setrlimit.target.interpreter.file.change_time`	Change time (ctime) of the file
`setrlimit.target.interpreter.file.extension`	File’s extension
`setrlimit.target.interpreter.file.filesystem`	File’s filesystem
`setrlimit.target.interpreter.file.gid`	GID of the file’s owner
`setrlimit.target.interpreter.file.group`	Group of the file’s owner
`setrlimit.target.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.interpreter.file.inode`	Inode of the file
`setrlimit.target.interpreter.file.mode`	Mode of the file
`setrlimit.target.interpreter.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.interpreter.file.mount_id`	Mount ID of the file
`setrlimit.target.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.interpreter.file.name`	File’s basename
`setrlimit.target.interpreter.file.name.length`	Length of the corresponding element
`setrlimit.target.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.interpreter.file.path`	File’s path
`setrlimit.target.interpreter.file.path.length`	Length of the corresponding element
`setrlimit.target.interpreter.file.rights`	Rights of the file
`setrlimit.target.interpreter.file.uid`	UID of the file’s owner
`setrlimit.target.interpreter.file.user`	User of the file’s owner
`setrlimit.target.is_exec`	Indicates whether the process entry is from a new binary execution
`setrlimit.target.is_kworker`	Indicates whether the process is a kworker
`setrlimit.target.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`setrlimit.target.mntns`	MNTNS ID of the process
`setrlimit.target.netns`	NetNS ID of the process
`setrlimit.target.parent.args`	Arguments of the process (as a string, excluding argv0)
`setrlimit.target.parent.args_flags`	Flags in the process arguments
`setrlimit.target.parent.args_options`	Argument of the process as options
`setrlimit.target.parent.args_truncated`	Indicator of arguments truncation
`setrlimit.target.parent.argv`	Arguments of the process (as an array, excluding argv0)
`setrlimit.target.parent.argv0`	First argument of the process
`setrlimit.target.parent.auid`	Login UID of the process
`setrlimit.target.parent.cap_effective`	Effective capability set of the process
`setrlimit.target.parent.cap_permitted`	Permitted capability set of the process
`setrlimit.target.parent.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`setrlimit.target.parent.caps_used`	Bitmask of the capabilities that the process successfully used
`setrlimit.target.parent.cgroup.file.inode`	Inode of the file
`setrlimit.target.parent.cgroup.file.mount_id`	Mount ID of the file
`setrlimit.target.parent.cgroup.id`	ID of the cgroup
`setrlimit.target.parent.cgroup.version`	[Experimental] Version of the cgroup API
`setrlimit.target.parent.comm`	Comm attribute of the process
`setrlimit.target.parent.container.created_at`	Timestamp of the creation of the container
`setrlimit.target.parent.container.id`	ID of the container
`setrlimit.target.parent.container.tags`	Tags of the container
`setrlimit.target.parent.created_at`	Timestamp of the creation of the process
`setrlimit.target.parent.egid`	Effective GID of the process
`setrlimit.target.parent.egroup`	Effective group of the process
`setrlimit.target.parent.envp`	Environment variables of the process
`setrlimit.target.parent.envs`	Environment variable names of the process
`setrlimit.target.parent.envs_truncated`	Indicator of environment variables truncation
`setrlimit.target.parent.euid`	Effective UID of the process
`setrlimit.target.parent.euser`	Effective user of the process
`setrlimit.target.parent.file.change_time`	Change time (ctime) of the file
`setrlimit.target.parent.file.extension`	File’s extension
`setrlimit.target.parent.file.filesystem`	File’s filesystem
`setrlimit.target.parent.file.gid`	GID of the file’s owner
`setrlimit.target.parent.file.group`	Group of the file’s owner
`setrlimit.target.parent.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.parent.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.parent.file.inode`	Inode of the file
`setrlimit.target.parent.file.mode`	Mode of the file
`setrlimit.target.parent.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.parent.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.parent.file.mount_id`	Mount ID of the file
`setrlimit.target.parent.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.parent.file.name`	File’s basename
`setrlimit.target.parent.file.name.length`	Length of the corresponding element
`setrlimit.target.parent.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.parent.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.parent.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.parent.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.parent.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.parent.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.parent.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.parent.file.path`	File’s path
`setrlimit.target.parent.file.path.length`	Length of the corresponding element
`setrlimit.target.parent.file.rights`	Rights of the file
`setrlimit.target.parent.file.uid`	UID of the file’s owner
`setrlimit.target.parent.file.user`	User of the file’s owner
`setrlimit.target.parent.fsgid`	FileSystem-gid of the process
`setrlimit.target.parent.fsgroup`	FileSystem-group of the process
`setrlimit.target.parent.fsuid`	FileSystem-uid of the process
`setrlimit.target.parent.fsuser`	FileSystem-user of the process
`setrlimit.target.parent.gid`	GID of the process
`setrlimit.target.parent.group`	Group of the process
`setrlimit.target.parent.interpreter.file.change_time`	Change time (ctime) of the file
`setrlimit.target.parent.interpreter.file.extension`	File’s extension
`setrlimit.target.parent.interpreter.file.filesystem`	File’s filesystem
`setrlimit.target.parent.interpreter.file.gid`	GID of the file’s owner
`setrlimit.target.parent.interpreter.file.group`	Group of the file’s owner
`setrlimit.target.parent.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setrlimit.target.parent.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setrlimit.target.parent.interpreter.file.inode`	Inode of the file
`setrlimit.target.parent.interpreter.file.mode`	Mode of the file
`setrlimit.target.parent.interpreter.file.modification_time`	Modification time (mtime) of the file
`setrlimit.target.parent.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setrlimit.target.parent.interpreter.file.mount_id`	Mount ID of the file
`setrlimit.target.parent.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setrlimit.target.parent.interpreter.file.name`	File’s basename
`setrlimit.target.parent.interpreter.file.name.length`	Length of the corresponding element
`setrlimit.target.parent.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setrlimit.target.parent.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`setrlimit.target.parent.interpreter.file.path`	File’s path
`setrlimit.target.parent.interpreter.file.path.length`	Length of the corresponding element
`setrlimit.target.parent.interpreter.file.rights`	Rights of the file
`setrlimit.target.parent.interpreter.file.uid`	UID of the file’s owner
`setrlimit.target.parent.interpreter.file.user`	User of the file’s owner
`setrlimit.target.parent.is_exec`	Indicates whether the process entry is from a new binary execution
`setrlimit.target.parent.is_kworker`	Indicates whether the process is a kworker
`setrlimit.target.parent.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`setrlimit.target.parent.mntns`	MNTNS ID of the process
`setrlimit.target.parent.netns`	NetNS ID of the process
`setrlimit.target.parent.pid`	Process ID of the process (also called thread group ID)
`setrlimit.target.parent.ppid`	Parent process ID
`setrlimit.target.parent.tid`	Thread ID of the thread
`setrlimit.target.parent.tty_name`	Name of the TTY associated with the process
`setrlimit.target.parent.uid`	UID of the process
`setrlimit.target.parent.user`	User of the process
`setrlimit.target.parent.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`setrlimit.target.parent.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`setrlimit.target.parent.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`setrlimit.target.parent.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`setrlimit.target.parent.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`setrlimit.target.parent.user_session.k8s_username`	Kubernetes username of the user that executed the process
`setrlimit.target.parent.user_session.session_type`	Type of the user session
`setrlimit.target.parent.user_session.ssh_auth_method`	SSH authentication method used by the user
`setrlimit.target.parent.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`setrlimit.target.parent.user_session.ssh_client_port`	SSH client port of the user that executed the process
`setrlimit.target.parent.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`setrlimit.target.parent.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`setrlimit.target.pid`	Process ID of the process (also called thread group ID)
`setrlimit.target.ppid`	Parent process ID
`setrlimit.target.tid`	Thread ID of the thread
`setrlimit.target.tty_name`	Name of the TTY associated with the process
`setrlimit.target.uid`	UID of the process
`setrlimit.target.user`	User of the process
`setrlimit.target.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`setrlimit.target.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`setrlimit.target.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`setrlimit.target.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`setrlimit.target.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`setrlimit.target.user_session.k8s_username`	Kubernetes username of the user that executed the process
`setrlimit.target.user_session.session_type`	Type of the user session
`setrlimit.target.user_session.ssh_auth_method`	SSH authentication method used by the user
`setrlimit.target.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`setrlimit.target.user_session.ssh_client_port`	SSH client port of the user that executed the process
`setrlimit.target.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`setrlimit.target.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host

Event `setsockopt`

A setsockopt was executed

Property	Definition
`setsockopt.filter_hash`	Hash of the currently attached filter using sha256. Only available if the optname is `SO_ATTACH_FILTER`
`setsockopt.filter_instructions`	Instructions of the currently attached filter. Only available if the optname is `SO_ATTACH_FILTER`
`setsockopt.filter_len`	Length of the currently attached filter. Only available if the optname is `SO_ATTACH_FILTER`
`setsockopt.is_filter_truncated`	Indicates that the currently attached filter is truncated. Only available if the optname is `SO_ATTACH_FILTER`
`setsockopt.level`	Socket level
`setsockopt.optname`	Socket option name
`setsockopt.retval`	Return value of the syscall
`setsockopt.socket_family`	Socket family
`setsockopt.socket_protocol`	Socket protocol
`setsockopt.socket_type`	Socket type
`setsockopt.used_immediates`	List of immediate values used in the currently attached filter. Only available if the optname is `SO_ATTACH_FILTER`

Event `setuid`

A process changed its effective uid

Property	Definition
`setuid.euid`	New effective UID of the process
`setuid.euser`	New effective user of the process
`setuid.fsuid`	New FileSystem UID of the process
`setuid.fsuser`	New FileSystem user of the process
`setuid.uid`	New UID of the process
`setuid.user`	New user of the process

Event `setxattr`

Set exteneded attributes

Property	Definition
`setxattr.file.change_time`	Change time (ctime) of the file
`setxattr.file.destination.name`	Name of the extended attribute
`setxattr.file.destination.namespace`	Namespace of the extended attribute
`setxattr.file.extension`	File’s extension
`setxattr.file.filesystem`	File’s filesystem
`setxattr.file.gid`	GID of the file’s owner
`setxattr.file.group`	Group of the file’s owner
`setxattr.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`setxattr.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`setxattr.file.inode`	Inode of the file
`setxattr.file.mode`	Mode of the file
`setxattr.file.modification_time`	Modification time (mtime) of the file
`setxattr.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`setxattr.file.mount_id`	Mount ID of the file
`setxattr.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`setxattr.file.name`	File’s basename
`setxattr.file.name.length`	Length of the corresponding element
`setxattr.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`setxattr.file.package.name`	[Experimental] Name of the package that provided this file
`setxattr.file.package.release`	[Experimental] Release of the package that provided this file
`setxattr.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`setxattr.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`setxattr.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`setxattr.file.package.version`	[Experimental] Full version of the package that provided this file
`setxattr.file.path`	File’s path
`setxattr.file.path.length`	Length of the corresponding element
`setxattr.file.rights`	Rights of the file
`setxattr.file.uid`	UID of the file’s owner
`setxattr.file.user`	User of the file’s owner
`setxattr.retval`	Return value of the syscall

Event `signal`

A signal was sent

Property	Definition
`signal.pid`	Target PID
`signal.retval`	Return value of the syscall
`signal.target.ancestors.args`	Arguments of the process (as a string, excluding argv0)
`signal.target.ancestors.args_flags`	Flags in the process arguments
`signal.target.ancestors.args_options`	Argument of the process as options
`signal.target.ancestors.args_truncated`	Indicator of arguments truncation
`signal.target.ancestors.argv`	Arguments of the process (as an array, excluding argv0)
`signal.target.ancestors.argv0`	First argument of the process
`signal.target.ancestors.auid`	Login UID of the process
`signal.target.ancestors.cap_effective`	Effective capability set of the process
`signal.target.ancestors.cap_permitted`	Permitted capability set of the process
`signal.target.ancestors.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`signal.target.ancestors.caps_used`	Bitmask of the capabilities that the process successfully used
`signal.target.ancestors.cgroup.file.inode`	Inode of the file
`signal.target.ancestors.cgroup.file.mount_id`	Mount ID of the file
`signal.target.ancestors.cgroup.id`	ID of the cgroup
`signal.target.ancestors.cgroup.version`	[Experimental] Version of the cgroup API
`signal.target.ancestors.comm`	Comm attribute of the process
`signal.target.ancestors.container.created_at`	Timestamp of the creation of the container
`signal.target.ancestors.container.id`	ID of the container
`signal.target.ancestors.container.tags`	Tags of the container
`signal.target.ancestors.created_at`	Timestamp of the creation of the process
`signal.target.ancestors.egid`	Effective GID of the process
`signal.target.ancestors.egroup`	Effective group of the process
`signal.target.ancestors.envp`	Environment variables of the process
`signal.target.ancestors.envs`	Environment variable names of the process
`signal.target.ancestors.envs_truncated`	Indicator of environment variables truncation
`signal.target.ancestors.euid`	Effective UID of the process
`signal.target.ancestors.euser`	Effective user of the process
`signal.target.ancestors.file.change_time`	Change time (ctime) of the file
`signal.target.ancestors.file.extension`	File’s extension
`signal.target.ancestors.file.filesystem`	File’s filesystem
`signal.target.ancestors.file.gid`	GID of the file’s owner
`signal.target.ancestors.file.group`	Group of the file’s owner
`signal.target.ancestors.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.ancestors.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.ancestors.file.inode`	Inode of the file
`signal.target.ancestors.file.mode`	Mode of the file
`signal.target.ancestors.file.modification_time`	Modification time (mtime) of the file
`signal.target.ancestors.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.ancestors.file.mount_id`	Mount ID of the file
`signal.target.ancestors.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.ancestors.file.name`	File’s basename
`signal.target.ancestors.file.name.length`	Length of the corresponding element
`signal.target.ancestors.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.ancestors.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.ancestors.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.ancestors.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.ancestors.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.ancestors.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.ancestors.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.ancestors.file.path`	File’s path
`signal.target.ancestors.file.path.length`	Length of the corresponding element
`signal.target.ancestors.file.rights`	Rights of the file
`signal.target.ancestors.file.uid`	UID of the file’s owner
`signal.target.ancestors.file.user`	User of the file’s owner
`signal.target.ancestors.fsgid`	FileSystem-gid of the process
`signal.target.ancestors.fsgroup`	FileSystem-group of the process
`signal.target.ancestors.fsuid`	FileSystem-uid of the process
`signal.target.ancestors.fsuser`	FileSystem-user of the process
`signal.target.ancestors.gid`	GID of the process
`signal.target.ancestors.group`	Group of the process
`signal.target.ancestors.interpreter.file.change_time`	Change time (ctime) of the file
`signal.target.ancestors.interpreter.file.extension`	File’s extension
`signal.target.ancestors.interpreter.file.filesystem`	File’s filesystem
`signal.target.ancestors.interpreter.file.gid`	GID of the file’s owner
`signal.target.ancestors.interpreter.file.group`	Group of the file’s owner
`signal.target.ancestors.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.ancestors.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.ancestors.interpreter.file.inode`	Inode of the file
`signal.target.ancestors.interpreter.file.mode`	Mode of the file
`signal.target.ancestors.interpreter.file.modification_time`	Modification time (mtime) of the file
`signal.target.ancestors.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.ancestors.interpreter.file.mount_id`	Mount ID of the file
`signal.target.ancestors.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.ancestors.interpreter.file.name`	File’s basename
`signal.target.ancestors.interpreter.file.name.length`	Length of the corresponding element
`signal.target.ancestors.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.ancestors.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.ancestors.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.ancestors.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.ancestors.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.ancestors.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.ancestors.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.ancestors.interpreter.file.path`	File’s path
`signal.target.ancestors.interpreter.file.path.length`	Length of the corresponding element
`signal.target.ancestors.interpreter.file.rights`	Rights of the file
`signal.target.ancestors.interpreter.file.uid`	UID of the file’s owner
`signal.target.ancestors.interpreter.file.user`	User of the file’s owner
`signal.target.ancestors.is_exec`	Indicates whether the process entry is from a new binary execution
`signal.target.ancestors.is_kworker`	Indicates whether the process is a kworker
`signal.target.ancestors.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`signal.target.ancestors.length`	Length of the corresponding element
`signal.target.ancestors.mntns`	MNTNS ID of the process
`signal.target.ancestors.netns`	NetNS ID of the process
`signal.target.ancestors.pid`	Process ID of the process (also called thread group ID)
`signal.target.ancestors.ppid`	Parent process ID
`signal.target.ancestors.tid`	Thread ID of the thread
`signal.target.ancestors.tty_name`	Name of the TTY associated with the process
`signal.target.ancestors.uid`	UID of the process
`signal.target.ancestors.user`	User of the process
`signal.target.ancestors.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`signal.target.ancestors.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`signal.target.ancestors.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`signal.target.ancestors.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`signal.target.ancestors.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`signal.target.ancestors.user_session.k8s_username`	Kubernetes username of the user that executed the process
`signal.target.ancestors.user_session.session_type`	Type of the user session
`signal.target.ancestors.user_session.ssh_auth_method`	SSH authentication method used by the user
`signal.target.ancestors.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`signal.target.ancestors.user_session.ssh_client_port`	SSH client port of the user that executed the process
`signal.target.ancestors.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`signal.target.ancestors.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`signal.target.args`	Arguments of the process (as a string, excluding argv0)
`signal.target.args_flags`	Flags in the process arguments
`signal.target.args_options`	Argument of the process as options
`signal.target.args_truncated`	Indicator of arguments truncation
`signal.target.argv`	Arguments of the process (as an array, excluding argv0)
`signal.target.argv0`	First argument of the process
`signal.target.auid`	Login UID of the process
`signal.target.cap_effective`	Effective capability set of the process
`signal.target.cap_permitted`	Permitted capability set of the process
`signal.target.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`signal.target.caps_used`	Bitmask of the capabilities that the process successfully used
`signal.target.cgroup.file.inode`	Inode of the file
`signal.target.cgroup.file.mount_id`	Mount ID of the file
`signal.target.cgroup.id`	ID of the cgroup
`signal.target.cgroup.version`	[Experimental] Version of the cgroup API
`signal.target.comm`	Comm attribute of the process
`signal.target.container.created_at`	Timestamp of the creation of the container
`signal.target.container.id`	ID of the container
`signal.target.container.tags`	Tags of the container
`signal.target.created_at`	Timestamp of the creation of the process
`signal.target.egid`	Effective GID of the process
`signal.target.egroup`	Effective group of the process
`signal.target.envp`	Environment variables of the process
`signal.target.envs`	Environment variable names of the process
`signal.target.envs_truncated`	Indicator of environment variables truncation
`signal.target.euid`	Effective UID of the process
`signal.target.euser`	Effective user of the process
`signal.target.file.change_time`	Change time (ctime) of the file
`signal.target.file.extension`	File’s extension
`signal.target.file.filesystem`	File’s filesystem
`signal.target.file.gid`	GID of the file’s owner
`signal.target.file.group`	Group of the file’s owner
`signal.target.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.file.inode`	Inode of the file
`signal.target.file.mode`	Mode of the file
`signal.target.file.modification_time`	Modification time (mtime) of the file
`signal.target.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.file.mount_id`	Mount ID of the file
`signal.target.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.file.name`	File’s basename
`signal.target.file.name.length`	Length of the corresponding element
`signal.target.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.file.path`	File’s path
`signal.target.file.path.length`	Length of the corresponding element
`signal.target.file.rights`	Rights of the file
`signal.target.file.uid`	UID of the file’s owner
`signal.target.file.user`	User of the file’s owner
`signal.target.fsgid`	FileSystem-gid of the process
`signal.target.fsgroup`	FileSystem-group of the process
`signal.target.fsuid`	FileSystem-uid of the process
`signal.target.fsuser`	FileSystem-user of the process
`signal.target.gid`	GID of the process
`signal.target.group`	Group of the process
`signal.target.interpreter.file.change_time`	Change time (ctime) of the file
`signal.target.interpreter.file.extension`	File’s extension
`signal.target.interpreter.file.filesystem`	File’s filesystem
`signal.target.interpreter.file.gid`	GID of the file’s owner
`signal.target.interpreter.file.group`	Group of the file’s owner
`signal.target.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.interpreter.file.inode`	Inode of the file
`signal.target.interpreter.file.mode`	Mode of the file
`signal.target.interpreter.file.modification_time`	Modification time (mtime) of the file
`signal.target.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.interpreter.file.mount_id`	Mount ID of the file
`signal.target.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.interpreter.file.name`	File’s basename
`signal.target.interpreter.file.name.length`	Length of the corresponding element
`signal.target.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.interpreter.file.path`	File’s path
`signal.target.interpreter.file.path.length`	Length of the corresponding element
`signal.target.interpreter.file.rights`	Rights of the file
`signal.target.interpreter.file.uid`	UID of the file’s owner
`signal.target.interpreter.file.user`	User of the file’s owner
`signal.target.is_exec`	Indicates whether the process entry is from a new binary execution
`signal.target.is_kworker`	Indicates whether the process is a kworker
`signal.target.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`signal.target.mntns`	MNTNS ID of the process
`signal.target.netns`	NetNS ID of the process
`signal.target.parent.args`	Arguments of the process (as a string, excluding argv0)
`signal.target.parent.args_flags`	Flags in the process arguments
`signal.target.parent.args_options`	Argument of the process as options
`signal.target.parent.args_truncated`	Indicator of arguments truncation
`signal.target.parent.argv`	Arguments of the process (as an array, excluding argv0)
`signal.target.parent.argv0`	First argument of the process
`signal.target.parent.auid`	Login UID of the process
`signal.target.parent.cap_effective`	Effective capability set of the process
`signal.target.parent.cap_permitted`	Permitted capability set of the process
`signal.target.parent.caps_attempted`	Bitmask of the capabilities that the process attempted to use
`signal.target.parent.caps_used`	Bitmask of the capabilities that the process successfully used
`signal.target.parent.cgroup.file.inode`	Inode of the file
`signal.target.parent.cgroup.file.mount_id`	Mount ID of the file
`signal.target.parent.cgroup.id`	ID of the cgroup
`signal.target.parent.cgroup.version`	[Experimental] Version of the cgroup API
`signal.target.parent.comm`	Comm attribute of the process
`signal.target.parent.container.created_at`	Timestamp of the creation of the container
`signal.target.parent.container.id`	ID of the container
`signal.target.parent.container.tags`	Tags of the container
`signal.target.parent.created_at`	Timestamp of the creation of the process
`signal.target.parent.egid`	Effective GID of the process
`signal.target.parent.egroup`	Effective group of the process
`signal.target.parent.envp`	Environment variables of the process
`signal.target.parent.envs`	Environment variable names of the process
`signal.target.parent.envs_truncated`	Indicator of environment variables truncation
`signal.target.parent.euid`	Effective UID of the process
`signal.target.parent.euser`	Effective user of the process
`signal.target.parent.file.change_time`	Change time (ctime) of the file
`signal.target.parent.file.extension`	File’s extension
`signal.target.parent.file.filesystem`	File’s filesystem
`signal.target.parent.file.gid`	GID of the file’s owner
`signal.target.parent.file.group`	Group of the file’s owner
`signal.target.parent.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.parent.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.parent.file.inode`	Inode of the file
`signal.target.parent.file.mode`	Mode of the file
`signal.target.parent.file.modification_time`	Modification time (mtime) of the file
`signal.target.parent.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.parent.file.mount_id`	Mount ID of the file
`signal.target.parent.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.parent.file.name`	File’s basename
`signal.target.parent.file.name.length`	Length of the corresponding element
`signal.target.parent.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.parent.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.parent.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.parent.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.parent.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.parent.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.parent.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.parent.file.path`	File’s path
`signal.target.parent.file.path.length`	Length of the corresponding element
`signal.target.parent.file.rights`	Rights of the file
`signal.target.parent.file.uid`	UID of the file’s owner
`signal.target.parent.file.user`	User of the file’s owner
`signal.target.parent.fsgid`	FileSystem-gid of the process
`signal.target.parent.fsgroup`	FileSystem-group of the process
`signal.target.parent.fsuid`	FileSystem-uid of the process
`signal.target.parent.fsuser`	FileSystem-user of the process
`signal.target.parent.gid`	GID of the process
`signal.target.parent.group`	Group of the process
`signal.target.parent.interpreter.file.change_time`	Change time (ctime) of the file
`signal.target.parent.interpreter.file.extension`	File’s extension
`signal.target.parent.interpreter.file.filesystem`	File’s filesystem
`signal.target.parent.interpreter.file.gid`	GID of the file’s owner
`signal.target.parent.interpreter.file.group`	Group of the file’s owner
`signal.target.parent.interpreter.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`signal.target.parent.interpreter.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`signal.target.parent.interpreter.file.inode`	Inode of the file
`signal.target.parent.interpreter.file.mode`	Mode of the file
`signal.target.parent.interpreter.file.modification_time`	Modification time (mtime) of the file
`signal.target.parent.interpreter.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`signal.target.parent.interpreter.file.mount_id`	Mount ID of the file
`signal.target.parent.interpreter.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`signal.target.parent.interpreter.file.name`	File’s basename
`signal.target.parent.interpreter.file.name.length`	Length of the corresponding element
`signal.target.parent.interpreter.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`signal.target.parent.interpreter.file.package.name`	[Experimental] Name of the package that provided this file
`signal.target.parent.interpreter.file.package.release`	[Experimental] Release of the package that provided this file
`signal.target.parent.interpreter.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`signal.target.parent.interpreter.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`signal.target.parent.interpreter.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`signal.target.parent.interpreter.file.package.version`	[Experimental] Full version of the package that provided this file
`signal.target.parent.interpreter.file.path`	File’s path
`signal.target.parent.interpreter.file.path.length`	Length of the corresponding element
`signal.target.parent.interpreter.file.rights`	Rights of the file
`signal.target.parent.interpreter.file.uid`	UID of the file’s owner
`signal.target.parent.interpreter.file.user`	User of the file’s owner
`signal.target.parent.is_exec`	Indicates whether the process entry is from a new binary execution
`signal.target.parent.is_kworker`	Indicates whether the process is a kworker
`signal.target.parent.is_thread`	Indicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
`signal.target.parent.mntns`	MNTNS ID of the process
`signal.target.parent.netns`	NetNS ID of the process
`signal.target.parent.pid`	Process ID of the process (also called thread group ID)
`signal.target.parent.ppid`	Parent process ID
`signal.target.parent.tid`	Thread ID of the thread
`signal.target.parent.tty_name`	Name of the TTY associated with the process
`signal.target.parent.uid`	UID of the process
`signal.target.parent.user`	User of the process
`signal.target.parent.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`signal.target.parent.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`signal.target.parent.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`signal.target.parent.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`signal.target.parent.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`signal.target.parent.user_session.k8s_username`	Kubernetes username of the user that executed the process
`signal.target.parent.user_session.session_type`	Type of the user session
`signal.target.parent.user_session.ssh_auth_method`	SSH authentication method used by the user
`signal.target.parent.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`signal.target.parent.user_session.ssh_client_port`	SSH client port of the user that executed the process
`signal.target.parent.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`signal.target.parent.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`signal.target.pid`	Process ID of the process (also called thread group ID)
`signal.target.ppid`	Parent process ID
`signal.target.tid`	Thread ID of the thread
`signal.target.tty_name`	Name of the TTY associated with the process
`signal.target.uid`	UID of the process
`signal.target.user`	User of the process
`signal.target.user_session.id`	Unique identifier of the user session, alias for either ssh_session_id or k8s_session_id, depending on the session type
`signal.target.user_session.identity`	User identity of the user session, alias for either ssh_client_ip and ssh_client_port or k8s_username, depending on the session type
`signal.target.user_session.k8s_groups`	Kubernetes groups of the user that executed the process
`signal.target.user_session.k8s_session_id`	Unique identifier of the kubernetes session
`signal.target.user_session.k8s_uid`	Kubernetes UID of the user that executed the process
`signal.target.user_session.k8s_username`	Kubernetes username of the user that executed the process
`signal.target.user_session.session_type`	Type of the user session
`signal.target.user_session.ssh_auth_method`	SSH authentication method used by the user
`signal.target.user_session.ssh_client_ip`	SSH client IP of the user that executed the process
`signal.target.user_session.ssh_client_port`	SSH client port of the user that executed the process
`signal.target.user_session.ssh_public_key`	SSH public key used for authentication (if applicable)
`signal.target.user_session.ssh_session_id`	Unique identifier of the SSH user session on the host
`signal.type`	Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)

Event `splice`

A splice command was executed

Property	Definition
`splice.file.change_time`	Change time (ctime) of the file
`splice.file.extension`	File’s extension
`splice.file.filesystem`	File’s filesystem
`splice.file.gid`	GID of the file’s owner
`splice.file.group`	Group of the file’s owner
`splice.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`splice.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`splice.file.inode`	Inode of the file
`splice.file.mode`	Mode of the file
`splice.file.modification_time`	Modification time (mtime) of the file
`splice.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`splice.file.mount_id`	Mount ID of the file
`splice.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`splice.file.name`	File’s basename
`splice.file.name.length`	Length of the corresponding element
`splice.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`splice.file.package.name`	[Experimental] Name of the package that provided this file
`splice.file.package.release`	[Experimental] Release of the package that provided this file
`splice.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`splice.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`splice.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`splice.file.package.version`	[Experimental] Full version of the package that provided this file
`splice.file.path`	File’s path
`splice.file.path.length`	Length of the corresponding element
`splice.file.rights`	Rights of the file
`splice.file.uid`	UID of the file’s owner
`splice.file.user`	User of the file’s owner
`splice.pipe_entry_flag`	Entry flag of the “fd_out” pipe passed to the splice syscall
`splice.pipe_exit_flag`	Exit flag of the “fd_out” pipe passed to the splice syscall
`splice.retval`	Return value of the syscall

Event `sysctl`

A sysctl parameter was read or modified

Property	Definition
`sysctl.action`	Action performed on the system control parameter
`sysctl.file_position`	Position in the sysctl control parameter file at which the action occurred
`sysctl.name`	Name of the system control parameter
`sysctl.name_truncated`	Indicates that the name field is truncated
`sysctl.old_value`	Old value of the system control parameter
`sysctl.old_value_truncated`	Indicates that the old value field is truncated
`sysctl.value`	New and/or current value for the system control parameter depending on the action type
`sysctl.value_truncated`	Indicates that the value field is truncated

Event `unlink`

A file was deleted

Property	Definition
`unlink.file.change_time`	Change time (ctime) of the file
`unlink.file.extension`	File’s extension
`unlink.file.filesystem`	File’s filesystem
`unlink.file.gid`	GID of the file’s owner
`unlink.file.group`	Group of the file’s owner
`unlink.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`unlink.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`unlink.file.inode`	Inode of the file
`unlink.file.mode`	Mode of the file
`unlink.file.modification_time`	Modification time (mtime) of the file
`unlink.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`unlink.file.mount_id`	Mount ID of the file
`unlink.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`unlink.file.name`	File’s basename
`unlink.file.name.length`	Length of the corresponding element
`unlink.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`unlink.file.package.name`	[Experimental] Name of the package that provided this file
`unlink.file.package.release`	[Experimental] Release of the package that provided this file
`unlink.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`unlink.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`unlink.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`unlink.file.package.version`	[Experimental] Full version of the package that provided this file
`unlink.file.path`	File’s path
`unlink.file.path.length`	Length of the corresponding element
`unlink.file.rights`	Rights of the file
`unlink.file.uid`	UID of the file’s owner
`unlink.file.user`	User of the file’s owner
`unlink.flags`	Flags of the unlink syscall
`unlink.retval`	Return value of the syscall
`unlink.syscall.dirfd`	Directory file descriptor argument of the syscall
`unlink.syscall.flags`	Flags argument of the syscall
`unlink.syscall.path`	Path argument of the syscall

Event `unload_module`

A kernel module was deleted

Property	Definition
`unload_module.name`	Name of the kernel module that was deleted
`unload_module.retval`	Return value of the syscall

Event `utimes`

Change file access/modification times

Property	Definition
`utimes.file.change_time`	Change time (ctime) of the file
`utimes.file.extension`	File’s extension
`utimes.file.filesystem`	File’s filesystem
`utimes.file.gid`	GID of the file’s owner
`utimes.file.group`	Group of the file’s owner
`utimes.file.hashes`	[Experimental] List of cryptographic hashes computed for this file
`utimes.file.in_upper_layer`	Indicator of the file layer, for example, in an OverlayFS
`utimes.file.inode`	Inode of the file
`utimes.file.mode`	Mode of the file
`utimes.file.modification_time`	Modification time (mtime) of the file
`utimes.file.mount_detached`	Indicates whether the file’s mount is detached from the VFS
`utimes.file.mount_id`	Mount ID of the file
`utimes.file.mount_visible`	Indicates whether the file’s mount is visible in the VFS
`utimes.file.name`	File’s basename
`utimes.file.name.length`	Length of the corresponding element
`utimes.file.package.epoch`	[Experimental] Epoch of the package that provided this file
`utimes.file.package.name`	[Experimental] Name of the package that provided this file
`utimes.file.package.release`	[Experimental] Release of the package that provided this file
`utimes.file.package.source_epoch`	[Experimental] Epoch of the source package of the package that provided this file
`utimes.file.package.source_release`	[Experimental] Release of the source package of the package that provided this file
`utimes.file.package.source_version`	[Experimental] Full version of the source package of the package that provided this file
`utimes.file.package.version`	[Experimental] Full version of the package that provided this file
`utimes.file.path`	File’s path
`utimes.file.path.length`	Length of the corresponding element
`utimes.file.rights`	Rights of the file
`utimes.file.uid`	UID of the file’s owner
`utimes.file.user`	User of the file’s owner
`utimes.retval`	Return value of the syscall
`utimes.syscall.path`	Path argument of the syscall

Attributes documentation

`*.args`

Type: string

Definition: Arguments of the process (as a string, excluding argv0)

*.args has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"

Matches any process with these exact arguments.

Example:

exec.args =~ "* -F * http*"

Matches any process that has the “-F” argument anywhere before an argument starting with “http”.

`*.args_flags`

Type: string

Definition: Flags in the process arguments

*.args_flags has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args_flags in ["s"] && exec.args_flags in ["V"]

Matches any process with both “-s” and “-V” flags in its arguments. Also matches “-sV”.

`*.args_options`

Type: string

Definition: Argument of the process as options

*.args_options has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.args_options in ["p=0-1024"]

Matches any process that has either “-p 0-1024” or “–p=0-1024” in its arguments.

`*.args_truncated`

Type: bool

Definition: Indicator of arguments truncation

*.args_truncated has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.argv`

Type: string

Definition: Arguments of the process (as an array, excluding argv0)

*.argv has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

Example:

exec.argv in ["127.0.0.1"]

Matches any process that has this IP address as one of its arguments.

`*.argv0`

Type: string

Definition: First argument of the process

*.argv0 has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.l3_protocol`

Type: int

Definition: L3 protocol of the network packet

*.l3_protocol has 2 possible prefixes: network packet

Constants: L3 protocols

`*.l4_protocol`

Type: int

Definition: L4 protocol of the network packet

*.l4_protocol has 2 possible prefixes: network packet

Constants: L4 protocols

`*.length`

Type: int

Definition: Length of the corresponding element

*.length has 100 possible prefixes: accept.addr.hostname cgroup_write.file.name cgroup_write.file.path chdir.file.name chdir.file.path chmod.file.name chmod.file.path chown.file.name chown.file.path connect.addr.hostname dns.question.name exec.file.name exec.file.path exec.interpreter.file.name exec.interpreter.file.path exit.file.name exit.file.path exit.interpreter.file.name exit.interpreter.file.path link.file.destination.name link.file.destination.path link.file.name link.file.path load_module.file.name load_module.file.path mkdir.file.name mkdir.file.path mmap.file.name mmap.file.path network_flow_monitor.flows open.file.name open.file.path process.ancestors process.ancestors.file.name process.ancestors.file.path process.ancestors.interpreter.file.name process.ancestors.interpreter.file.path process.file.name process.file.path process.interpreter.file.name process.interpreter.file.path process.parent.file.name process.parent.file.path process.parent.interpreter.file.name process.parent.interpreter.file.path ptrace.tracee.ancestors ptrace.tracee.ancestors.file.name ptrace.tracee.ancestors.file.path ptrace.tracee.ancestors.interpreter.file.name ptrace.tracee.ancestors.interpreter.file.path ptrace.tracee.file.name ptrace.tracee.file.path ptrace.tracee.interpreter.file.name ptrace.tracee.interpreter.file.path ptrace.tracee.parent.file.name ptrace.tracee.parent.file.path ptrace.tracee.parent.interpreter.file.name ptrace.tracee.parent.interpreter.file.path removexattr.file.name removexattr.file.path rename.file.destination.name rename.file.destination.path rename.file.name rename.file.path rmdir.file.name rmdir.file.path setrlimit.target.ancestors setrlimit.target.ancestors.file.name setrlimit.target.ancestors.file.path setrlimit.target.ancestors.interpreter.file.name setrlimit.target.ancestors.interpreter.file.path setrlimit.target.file.name setrlimit.target.file.path setrlimit.target.interpreter.file.name setrlimit.target.interpreter.file.path setrlimit.target.parent.file.name setrlimit.target.parent.file.path setrlimit.target.parent.interpreter.file.name setrlimit.target.parent.interpreter.file.path setxattr.file.name setxattr.file.path signal.target.ancestors signal.target.ancestors.file.name signal.target.ancestors.file.path signal.target.ancestors.interpreter.file.name signal.target.ancestors.interpreter.file.path signal.target.file.name signal.target.file.path signal.target.interpreter.file.name signal.target.interpreter.file.path signal.target.parent.file.name signal.target.parent.file.path signal.target.parent.interpreter.file.name signal.target.parent.interpreter.file.path splice.file.name splice.file.path unlink.file.name unlink.file.path utimes.file.name utimes.file.path

`*.mntns`

Type: int

Definition: MNTNS ID of the process

*.mntns has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.mode`

Type: int

Definition: Mode of the file

*.mode has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Constants: Inode mode constants

`*.modification_time`

Type: int

Definition: Modification time (mtime) of the file

*.modification_time has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.mount_detached`

Type: bool

Definition: Indicates whether the file’s mount is detached from the VFS

*.mount_detached has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.mount_id`

Type: int

Definition: Mount ID of the file

*.mount_id has 60 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.cgroup.file exec.file exec.interpreter.file exit.cgroup.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.cgroup.file process.ancestors.file process.ancestors.interpreter.file process.cgroup.file process.file process.interpreter.file process.parent.cgroup.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.cgroup.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.cgroup.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.cgroup.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.cgroup.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.cgroup.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.cgroup.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.cgroup.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.cgroup.file signal.target.file signal.target.interpreter.file signal.target.parent.cgroup.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.mount_visible`

Type: bool

Definition: Indicates whether the file’s mount is visible in the VFS

*.mount_visible has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.name`

Type: string

Definition: File’s basename

*.name has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

Example:

exec.file.name == "apt"

Matches the execution of any file named apt.

`*.netns`

Type: int

Definition: Interface NetNS ID

*.netns has 3 possible prefixes: network.device network_flow_monitor.device packet.device

`*.netns`

Type: int

Definition: NetNS ID of the process

*.netns has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.network_direction`

Type: int

exec.file.path == "/usr/bin/apt"

Matches the execution of the file located at /usr/bin/apt

Example:

open.file.path == "/etc/passwd"

Matches any process opening the /etc/passwd file.

`*.pid`

Type: int

Definition: Process ID of the process (also called thread group ID)

*.pid has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.port`

Type: int

Definition: Port number

*.port has 9 possible prefixes: accept.addr bind.addr connect.addr network.destination network.source network_flow_monitor.flows.destination network_flow_monitor.flows.source packet.destination packet.source

Type: string

Definition: Root domain of the corresponding element

*.root_domain has 3 possible prefixes: accept.addr.hostname connect.addr.hostname dns.question.name

`*.session_type`

Type: int

Definition: Type of the user session

*.session_type has 14 possible prefixes: exec.user_session exit.user_session process.ancestors.user_session process.parent.user_session process.user_session ptrace.tracee.ancestors.user_session ptrace.tracee.parent.user_session ptrace.tracee.user_session setrlimit.target.ancestors.user_session setrlimit.target.parent.user_session setrlimit.target.user_session signal.target.ancestors.user_session signal.target.parent.user_session signal.target.user_session

`*.size`

Type: int

Definition: Size in bytes of the network packet

*.size has 2 possible prefixes: network packet

`*.ssh_auth_method`

Constants: Network Protocol Types

`*.uid`

Type: int

Definition: UID of the process

*.uid has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

`*.uid`

Type: int

Definition: UID of the file’s owner

*.uid has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.user`

Type: string

Definition: User of the process

*.user has 14 possible prefixes: exec exit process process.ancestors process.parent ptrace.tracee ptrace.tracee.ancestors ptrace.tracee.parent setrlimit.target setrlimit.target.ancestors setrlimit.target.parent signal.target signal.target.ancestors signal.target.parent

Example:

process.user == "root"

Constrain an event to be triggered by a process running as the root user.

`*.user`

Type: string

Definition: User of the file’s owner

*.user has 46 possible prefixes: cgroup_write.file chdir.file chmod.file chown.file exec.file exec.interpreter.file exit.file exit.interpreter.file link.file link.file.destination load_module.file mkdir.file mmap.file open.file process.ancestors.file process.ancestors.interpreter.file process.file process.interpreter.file process.parent.file process.parent.interpreter.file ptrace.tracee.ancestors.file ptrace.tracee.ancestors.interpreter.file ptrace.tracee.file ptrace.tracee.interpreter.file ptrace.tracee.parent.file ptrace.tracee.parent.interpreter.file removexattr.file rename.file rename.file.destination rmdir.file setrlimit.target.ancestors.file setrlimit.target.ancestors.interpreter.file setrlimit.target.file setrlimit.target.interpreter.file setrlimit.target.parent.file setrlimit.target.parent.interpreter.file setxattr.file signal.target.ancestors.file signal.target.ancestors.interpreter.file signal.target.file signal.target.interpreter.file signal.target.parent.file signal.target.parent.interpreter.file splice.file unlink.file utimes.file

`*.version`

Type: int

`bpf.map.name`

Type: string

Definition: Name of the eBPF map (added in 7.35)

`bpf.map.type`

Type: int

Definition: Type of the eBPF map

Constants: BPF map types

`bpf.prog.attach_type`

Type: int

Definition: Attach type of the eBPF program

Constants: BPF attach types

`bpf.prog.helpers`

Type: int

Definition: eBPF helpers used by the eBPF program (added in 7.35)

Constants: BPF helper functions

`bpf.prog.name`

Type: string

Definition: Name of the eBPF program (added in 7.35)

Type: int

Definition: PID of the process added to the cgroup

`chdir.syscall.path`

Type: string

Definition: path argument of the syscall

`chmod.file.destination.mode`

Type: int

Definition: New mode of the chmod-ed file

Constants: File mode constants

`chmod.file.destination.rights`

Constants: DNS qclasses

`dns.question.count`

Type: int

Definition: the total count of questions in the DNS request

`dns.question.length`

Type: int

Definition: the total DNS request size in bytes

`dns.question.name`

Type: string

Definition: the queried domain name

`dns.question.type`

Type: int

Definition: a two octet code which specifies the DNS question type

Constants: DNS qtypes

`dns.response.code`

Type: int

Type: bool

Definition: [Experimental] Tells if the file is executable or not

`exec.file.metadata.is_garble_obfuscated`

Type: bool

Definition: [Experimental] Tells if the binary has been obfuscated using garble

`exec.file.metadata.is_upx_packed`

Type: bool

Definition: [Experimental] Tells if the binary has been packed using UPX

`exec.file.metadata.size`

Type: int

Definition: [Experimental] Size of the file

`exec.file.metadata.type`

Constants: File mode constants

`mkdir.file.destination.rights`

Type: int

Definition: Rights of the new directory

Constants: File mode constants

`mkdir.syscall.mode`

Type: int

Definition: Mode of the new directory

`mkdir.syscall.path`

Type: string

Definition: Path argument of the syscall

`mmap.flags`

Type: int

Definition: memory segment flags

Constants: MMap flags

`mmap.protection`

Type: int

`signal.type`

Type: int

Definition: Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)

Constants: Signal constants

`splice.pipe_entry_flag`

Type: int

Definition: Entry flag of the “fd_out” pipe passed to the splice syscall

Constants: Pipe buffer flags

`splice.pipe_exit_flag`

Type: int

Definition: Exit flag of the “fd_out” pipe passed to the splice syscall

Constants: Pipe buffer flags

`sysctl.action`

Constants are used to improve the readability of your rules. Some constants are common to all architectures, others are specific to some architectures.

`ABI`

ABI used for binary compilation.

Name	Architectures
`BIT32`	all
`BIT64`	all
`UNKNOWN_ABI`	all

`Architecture`

Architecture of the binary.

Name	Architectures
`X86`	all
`X86_64`	all
`ARM`	all
`ARM64`	all
`UNKNOWN_ARCHITECTURE`	all

`BPF attach types`

BPF attach types are the supported eBPF program attach types.

Name	Architectures
`BPF_CGROUP_INET_INGRESS`	all
`BPF_CGROUP_INET_EGRESS`	all
`BPF_CGROUP_INET_SOCK_CREATE`	all
`BPF_CGROUP_SOCK_OPS`	all
`BPF_SK_SKB_STREAM_PARSER`	all
`BPF_SK_SKB_STREAM_VERDICT`	all
`BPF_CGROUP_DEVICE`	all
`BPF_SK_MSG_VERDICT`	all
`BPF_CGROUP_INET4_BIND`	all
`BPF_CGROUP_INET6_BIND`	all
`BPF_CGROUP_INET4_CONNECT`	all
`BPF_CGROUP_INET6_CONNECT`	all
`BPF_CGROUP_INET4_POST_BIND`	all
`BPF_CGROUP_INET6_POST_BIND`	all
`BPF_CGROUP_UDP4_SENDMSG`	all
`BPF_CGROUP_UDP6_SENDMSG`	all
`BPF_LIRC_MODE2`	all
`BPF_FLOW_DISSECTOR`	all
`BPF_CGROUP_SYSCTL`	all
`BPF_CGROUP_UDP4_RECVMSG`	all
`BPF_CGROUP_UDP6_RECVMSG`	all
`BPF_CGROUP_GETSOCKOPT`	all
`BPF_CGROUP_SETSOCKOPT`	all
`BPF_TRACE_RAW_TP`	all
`BPF_TRACE_FENTRY`	all
`BPF_TRACE_FEXIT`	all
`BPF_MODIFY_RETURN`	all
`BPF_LSM_MAC`	all
`BPF_TRACE_ITER`	all
`BPF_CGROUP_INET4_GETPEERNAME`	all
`BPF_CGROUP_INET6_GETPEERNAME`	all
`BPF_CGROUP_INET4_GETSOCKNAME`	all
`BPF_CGROUP_INET6_GETSOCKNAME`	all
`BPF_XDP_DEVMAP`	all
`BPF_CGROUP_INET_SOCK_RELEASE`	all
`BPF_XDP_CPUMAP`	all
`BPF_SK_LOOKUP`	all
`BPF_XDP`	all
`BPF_SK_SKB_VERDICT`	all

`BPF commands`

BPF commands are used to specify a command to a bpf syscall.

Name	Architectures
`BPF_MAP_CREATE`	all
`BPF_MAP_LOOKUP_ELEM`	all
`BPF_MAP_UPDATE_ELEM`	all
`BPF_MAP_DELETE_ELEM`	all
`BPF_MAP_GET_NEXT_KEY`	all
`BPF_PROG_LOAD`	all
`BPF_OBJ_PIN`	all
`BPF_OBJ_GET`	all
`BPF_PROG_ATTACH`	all
`BPF_PROG_DETACH`	all
`BPF_PROG_TEST_RUN`	all
`BPF_PROG_RUN`	all
`BPF_PROG_GET_NEXT_ID`	all
`BPF_MAP_GET_NEXT_ID`	all
`BPF_PROG_GET_FD_BY_ID`	all
`BPF_MAP_GET_FD_BY_ID`	all
`BPF_OBJ_GET_INFO_BY_FD`	all
`BPF_PROG_QUERY`	all
`BPF_RAW_TRACEPOINT_OPEN`	all
`BPF_BTF_LOAD`	all
`BPF_BTF_GET_FD_BY_ID`	all
`BPF_TASK_FD_QUERY`	all
`BPF_MAP_LOOKUP_AND_DELETE_ELEM`	all
`BPF_MAP_FREEZE`	all
`BPF_BTF_GET_NEXT_ID`	all
`BPF_MAP_LOOKUP_BATCH`	all
`BPF_MAP_LOOKUP_AND_DELETE_BATCH`	all
`BPF_MAP_UPDATE_BATCH`	all
`BPF_MAP_DELETE_BATCH`	all
`BPF_LINK_CREATE`	all
`BPF_LINK_UPDATE`	all
`BPF_LINK_GET_FD_BY_ID`	all
`BPF_LINK_GET_NEXT_ID`	all
`BPF_ENABLE_STATS`	all
`BPF_ITER_CREATE`	all
`BPF_LINK_DETACH`	all
`BPF_PROG_BIND_MAP`	all

`BPF helper functions`

BPF helper functions are the supported BPF helper functions.

Name	Architectures
`BPF_UNSPEC`	all
`BPF_MAP_LOOKUP_ELEM`	all
`BPF_MAP_UPDATE_ELEM`	all
`BPF_MAP_DELETE_ELEM`	all
`BPF_PROBE_READ`	all
`BPF_KTIME_GET_NS`	all
`BPF_TRACE_PRINTK`	all
`BPF_GET_PRANDOM_U32`	all
`BPF_GET_SMP_PROCESSOR_ID`	all
`BPF_SKB_STORE_BYTES`	all
`BPF_L3_CSUM_REPLACE`	all
`BPF_L4_CSUM_REPLACE`	all
`BPF_TAIL_CALL`	all
`BPF_CLONE_REDIRECT`	all
`BPF_GET_CURRENT_PID_TGID`	all
`BPF_GET_CURRENT_UID_GID`	all
`BPF_GET_CURRENT_COMM`	all
`BPF_GET_CGROUP_CLASSID`	all
`BPF_SKB_VLAN_PUSH`	all
`BPF_SKB_VLAN_POP`	all
`BPF_SKB_GET_TUNNEL_KEY`	all
`BPF_SKB_SET_TUNNEL_KEY`	all
`BPF_PERF_EVENT_READ`	all
`BPF_REDIRECT`	all
`BPF_GET_ROUTE_REALM`	all
`BPF_PERF_EVENT_OUTPUT`	all
`BPF_SKB_LOAD_BYTES`	all
`BPF_GET_STACKID`	all
`BPF_CSUM_DIFF`	all
`BPF_SKB_GET_TUNNEL_OPT`	all
`BPF_SKB_SET_TUNNEL_OPT`	all
`BPF_SKB_CHANGE_PROTO`	all
`BPF_SKB_CHANGE_TYPE`	all
`BPF_SKB_UNDER_CGROUP`	all
`BPF_GET_HASH_RECALC`	all
`BPF_GET_CURRENT_TASK`	all
`BPF_PROBE_WRITE_USER`	all
`BPF_CURRENT_TASK_UNDER_CGROUP`	all
`BPF_SKB_CHANGE_TAIL`	all
`BPF_SKB_PULL_DATA`	all
`BPF_CSUM_UPDATE`	all
`BPF_SET_HASH_INVALID`	all
`BPF_GET_NUMA_NODE_ID`	all
`BPF_SKB_CHANGE_HEAD`	all
`BPF_XDP_ADJUST_HEAD`	all
`BPF_PROBE_READ_STR`	all
`BPF_GET_SOCKET_COOKIE`	all
`BPF_GET_SOCKET_UID`	all
`BPF_SET_HASH`	all
`BPF_SETSOCKOPT`	all
`BPF_SKB_ADJUST_ROOM`	all
`BPF_REDIRECT_MAP`	all
`BPF_SK_REDIRECT_MAP`	all
`BPF_SOCK_MAP_UPDATE`	all
`BPF_XDP_ADJUST_META`	all
`BPF_PERF_EVENT_READ_VALUE`	all
`BPF_PERF_PROG_READ_VALUE`	all
`BPF_GETSOCKOPT`	all
`BPF_OVERRIDE_RETURN`	all
`BPF_SOCK_OPS_CB_FLAGS_SET`	all
`BPF_MSG_REDIRECT_MAP`	all
`BPF_MSG_APPLY_BYTES`	all
`BPF_MSG_CORK_BYTES`	all
`BPF_MSG_PULL_DATA`	all
`BPF_BIND`	all
`BPF_XDP_ADJUST_TAIL`	all
`BPF_SKB_GET_XFRM_STATE`	all
`BPF_GET_STACK`	all
`BPF_SKB_LOAD_BYTES_RELATIVE`	all
`BPF_FIB_LOOKUP`	all
`BPF_SOCK_HASH_UPDATE`	all
`BPF_MSG_REDIRECT_HASH`	all
`BPF_SK_REDIRECT_HASH`	all
`BPF_LWT_PUSH_ENCAP`	all
`BPF_LWT_SEG6_STORE_BYTES`	all
`BPF_LWT_SEG6_ADJUST_SRH`	all
`BPF_LWT_SEG6_ACTION`	all
`BPF_RC_REPEAT`	all
`BPF_RC_KEYDOWN`	all
`BPF_SKB_CGROUP_ID`	all
`BPF_GET_CURRENT_CGROUP_ID`	all
`BPF_GET_LOCAL_STORAGE`	all
`BPF_SK_SELECT_REUSEPORT`	all
`BPF_SKB_ANCESTOR_CGROUP_ID`	all
`BPF_SK_LOOKUP_TCP`	all
`BPF_SK_LOOKUP_UDP`	all
`BPF_SK_RELEASE`	all
`BPF_MAP_PUSH_ELEM`	all
`BPF_MAP_POP_ELEM`	all
`BPF_MAP_PEEK_ELEM`	all
`BPF_MSG_PUSH_DATA`	all
`BPF_MSG_POP_DATA`	all
`BPF_RC_POINTER_REL`	all
`BPF_SPIN_LOCK`	all
`BPF_SPIN_UNLOCK`	all
`BPF_SK_FULLSOCK`	all
`BPF_TCP_SOCK`	all
`BPF_SKB_ECN_SET_CE`	all
`BPF_GET_LISTENER_SOCK`	all
`BPF_SKC_LOOKUP_TCP`	all
`BPF_TCP_CHECK_SYNCOOKIE`	all
`BPF_SYSCTL_GET_NAME`	all
`BPF_SYSCTL_GET_CURRENT_VALUE`	all
`BPF_SYSCTL_GET_NEW_VALUE`	all
`BPF_SYSCTL_SET_NEW_VALUE`	all
`BPF_STRTOL`	all
`BPF_STRTOUL`	all
`BPF_SK_STORAGE_GET`	all
`BPF_SK_STORAGE_DELETE`	all
`BPF_SEND_SIGNAL`	all
`BPF_TCP_GEN_SYNCOOKIE`	all
`BPF_SKB_OUTPUT`	all
`BPF_PROBE_READ_USER`	all
`BPF_PROBE_READ_KERNEL`	all
`BPF_PROBE_READ_USER_STR`	all
`BPF_PROBE_READ_KERNEL_STR`	all
`BPF_TCP_SEND_ACK`	all
`BPF_SEND_SIGNAL_THREAD`	all
`BPF_JIFFIES64`	all
`BPF_READ_BRANCH_RECORDS`	all
`BPF_GET_NS_CURRENT_PID_TGID`	all
`BPF_XDP_OUTPUT`	all
`BPF_GET_NETNS_COOKIE`	all
`BPF_GET_CURRENT_ANCESTOR_CGROUP_ID`	all
`BPF_SK_ASSIGN`	all
`BPF_KTIME_GET_BOOT_NS`	all
`BPF_SEQ_PRINTF`	all
`BPF_SEQ_WRITE`	all
`BPF_SK_CGROUP_ID`	all
`BPF_SK_ANCESTOR_CGROUP_ID`	all
`BPF_RINGBUF_OUTPUT`	all
`BPF_RINGBUF_RESERVE`	all
`BPF_RINGBUF_SUBMIT`	all
`BPF_RINGBUF_DISCARD`	all
`BPF_RINGBUF_QUERY`	all
`BPF_CSUM_LEVEL`	all
`BPF_SKC_TO_TCP6_SOCK`	all
`BPF_SKC_TO_TCP_SOCK`	all
`BPF_SKC_TO_TCP_TIMEWAIT_SOCK`	all
`BPF_SKC_TO_TCP_REQUEST_SOCK`	all
`BPF_SKC_TO_UDP6_SOCK`	all
`BPF_GET_TASK_STACK`	all
`BPF_LOAD_HDR_OPT`	all
`BPF_STORE_HDR_OPT`	all
`BPF_RESERVE_HDR_OPT`	all
`BPF_INODE_STORAGE_GET`	all
`BPF_INODE_STORAGE_DELETE`	all
`BPF_D_PATH`	all
`BPF_COPY_FROM_USER`	all
`BPF_SNPRINTF_BTF`	all
`BPF_SEQ_PRINTF_BTF`	all
`BPF_SKB_CGROUP_CLASSID`	all
`BPF_REDIRECT_NEIGH`	all
`BPF_PER_CPU_PTR`	all
`BPF_THIS_CPU_PTR`	all
`BPF_REDIRECT_PEER`	all
`BPF_TASK_STORAGE_GET`	all
`BPF_TASK_STORAGE_DELETE`	all
`BPF_GET_CURRENT_TASK_BTF`	all
`BPF_BPRM_OPTS_SET`	all
`BPF_KTIME_GET_COARSE_NS`	all
`BPF_IMA_INODE_HASH`	all
`BPF_SOCK_FROM_FILE`	all
`BPF_CHECK_MTU`	all
`BPF_FOR_EACH_MAP_ELEM`	all
`BPF_SNPRINTF`	all

`BPF map types`

BPF map types are the supported eBPF map types.

Name	Architectures
`BPF_MAP_TYPE_UNSPEC`	all
`BPF_MAP_TYPE_HASH`	all
`BPF_MAP_TYPE_ARRAY`	all
`BPF_MAP_TYPE_PROG_ARRAY`	all
`BPF_MAP_TYPE_PERF_EVENT_ARRAY`	all
`BPF_MAP_TYPE_PERCPU_HASH`	all
`BPF_MAP_TYPE_PERCPU_ARRAY`	all
`BPF_MAP_TYPE_STACK_TRACE`	all
`BPF_MAP_TYPE_CGROUP_ARRAY`	all
`BPF_MAP_TYPE_LRU_HASH`	all
`BPF_MAP_TYPE_LRU_PERCPU_HASH`	all
`BPF_MAP_TYPE_LPM_TRIE`	all
`BPF_MAP_TYPE_ARRAY_OF_MAPS`	all
`BPF_MAP_TYPE_HASH_OF_MAPS`	all
`BPF_MAP_TYPE_DEVMAP`	all
`BPF_MAP_TYPE_SOCKMAP`	all
`BPF_MAP_TYPE_CPUMAP`	all
`BPF_MAP_TYPE_XSKMAP`	all
`BPF_MAP_TYPE_SOCKHASH`	all
`BPF_MAP_TYPE_CGROUP_STORAGE`	all
`BPF_MAP_TYPE_REUSEPORT_SOCKARRAY`	all
`BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE`	all
`BPF_MAP_TYPE_QUEUE`	all
`BPF_MAP_TYPE_STACK`	all
`BPF_MAP_TYPE_SK_STORAGE`	all
`BPF_MAP_TYPE_DEVMAP_HASH`	all
`BPF_MAP_TYPE_STRUCT_OPS`	all
`BPF_MAP_TYPE_RINGBUF`	all
`BPF_MAP_TYPE_INODE_STORAGE`	all
`BPF_MAP_TYPE_TASK_STORAGE`	all

`BPF program types`

BPF program types are the supported eBPF program types.

Name	Architectures
`BPF_PROG_TYPE_UNSPEC`	all
`BPF_PROG_TYPE_SOCKET_FILTER`	all
`BPF_PROG_TYPE_KPROBE`	all
`BPF_PROG_TYPE_SCHED_CLS`	all
`BPF_PROG_TYPE_SCHED_ACT`	all
`BPF_PROG_TYPE_TRACEPOINT`	all
`BPF_PROG_TYPE_XDP`	all
`BPF_PROG_TYPE_PERF_EVENT`	all
`BPF_PROG_TYPE_CGROUP_SKB`	all
`BPF_PROG_TYPE_CGROUP_SOCK`	all
`BPF_PROG_TYPE_LWT_IN`	all
`BPF_PROG_TYPE_LWT_OUT`	all
`BPF_PROG_TYPE_LWT_XMIT`	all
`BPF_PROG_TYPE_SOCK_OPS`	all
`BPF_PROG_TYPE_SK_SKB`	all
`BPF_PROG_TYPE_CGROUP_DEVICE`	all
`BPF_PROG_TYPE_SK_MSG`	all
`BPF_PROG_TYPE_RAW_TRACEPOINT`	all
`BPF_PROG_TYPE_CGROUP_SOCK_ADDR`	all
`BPF_PROG_TYPE_LWT_SEG6LOCAL`	all
`BPF_PROG_TYPE_LIRC_MODE2`	all
`BPF_PROG_TYPE_SK_REUSEPORT`	all
`BPF_PROG_TYPE_FLOW_DISSECTOR`	all
`BPF_PROG_TYPE_CGROUP_SYSCTL`	all
`BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE`	all
`BPF_PROG_TYPE_CGROUP_SOCKOPT`	all
`BPF_PROG_TYPE_TRACING`	all
`BPF_PROG_TYPE_STRUCT_OPS`	all
`BPF_PROG_TYPE_EXT`	all
`BPF_PROG_TYPE_LSM`	all
`BPF_PROG_TYPE_SK_LOOKUP`	all

`Boolean constants`

Boolean constants are the supported boolean constants.

Name	Architectures
`true`	all
`false`	all

`CompressionType`

Compression algorithm.

Name	Architectures
`NONE`	all
`GZIP`	all
`ZIP`	all
`ZSTD`	all
`7Z`	all
`BZIP2`	all
`XZ`	all

`DNS Responses`

DNS Responses are the supported response codes

Name	Architectures
`NOERROR`	all
`FORMERR`	all
`SERVFAIL`	all
`NXDOMAIN`	all
`NOTIMP`	all
`REFUSED`	all
`YXDOMAIN`	all
`YXRRSET`	all
`NXRRSET`	all
`NOTAUTH`	all
`NOTZONE`	all
`BADVERS`	all
`BADSIG`	all
`BADKEY`	all
`BADTIME`	all
`BADMODE`	all
`BADNAME`	all
`BADALG`	all

`DNS qclasses`

DNS qclasses are the supported DNS query classes.

Name	Architectures
`CLASS_INET`	all
`CLASS_CSNET`	all
`CLASS_CHAOS`	all
`CLASS_HESIOD`	all
`CLASS_NONE`	all
`CLASS_ANY`	all

`DNS qtypes`

DNS qtypes are the supported DNS query types.

Name	Architectures
`None`	all
`A`	all
`NS`	all
`MD`	all
`MF`	all
`CNAME`	all
`SOA`	all
`MB`	all
`MG`	all
`MR`	all
`NULL`	all
`PTR`	all
`HINFO`	all
`MINFO`	all
`MX`	all
`TXT`	all
`RP`	all
`AFSDB`	all
`X25`	all
`ISDN`	all
`RT`	all
`NSAPPTR`	all
`SIG`	all
`KEY`	all
`PX`	all
`GPOS`	all
`AAAA`	all
`LOC`	all
`NXT`	all
`EID`	all
`NIMLOC`	all
`SRV`	all
`ATMA`	all
`NAPTR`	all
`KX`	all
`CERT`	all
`DNAME`	all
`OPT`	all
`APL`	all
`DS`	all
`SSHFP`	all
`RRSIG`	all
`NSEC`	all
`DNSKEY`	all
`DHCID`	all
`NSEC3`	all
`NSEC3PARAM`	all
`TLSA`	all
`SMIMEA`	all
`HIP`	all
`NINFO`	all
`RKEY`	all
`TALINK`	all
`CDS`	all
`CDNSKEY`	all
`OPENPGPKEY`	all
`CSYNC`	all
`ZONEMD`	all
`SVCB`	all
`HTTPS`	all
`SPF`	all
`UINFO`	all
`UID`	all
`GID`	all
`UNSPEC`	all
`NID`	all
`L32`	all
`L64`	all
`LP`	all
`EUI48`	all
`EUI64`	all
`URI`	all
`CAA`	all
`AVC`	all
`TKEY`	all
`TSIG`	all
`IXFR`	all
`AXFR`	all
`MAILB`	all
`MAILA`	all
`ANY`	all
`TA`	all
`DLV`	all
`Reserved`	all

`Error constants`

Error constants are the supported error constants.

Name	Architectures
`E2BIG`	all
`EACCES`	all
`EADDRINUSE`	all
`EADDRNOTAVAIL`	all
`EADV`	all
`EAFNOSUPPORT`	all
`EAGAIN`	all
`EALREADY`	all
`EBADE`	all
`EBADF`	all
`EBADFD`	all
`EBADMSG`	all
`EBADR`	all
`EBADRQC`	all
`EBADSLT`	all
`EBFONT`	all
`EBUSY`	all
`ECANCELED`	all
`ECHILD`	all
`ECHRNG`	all
`ECOMM`	all
`ECONNABORTED`	all
`ECONNREFUSED`	all
`ECONNRESET`	all
`EDEADLK`	all
`EDEADLOCK`	all
`EDESTADDRREQ`	all
`EDOM`	all
`EDOTDOT`	all
`EDQUOT`	all
`EEXIST`	all
`EFAULT`	all
`EFBIG`	all
`EHOSTDOWN`	all
`EHOSTUNREACH`	all
`EIDRM`	all
`EILSEQ`	all
`EINPROGRESS`	all
`EINTR`	all
`EINVAL`	all
`EIO`	all
`EISCONN`	all
`EISDIR`	all
`EISNAM`	all
`EKEYEXPIRED`	all
`EKEYREJECTED`	all
`EKEYREVOKED`	all
`EL2HLT`	all
`EL2NSYNC`	all
`EL3HLT`	all
`EL3RST`	all
`ELIBACC`	all
`ELIBBAD`	all
`ELIBEXEC`	all
`ELIBMAX`	all
`ELIBSCN`	all
`ELNRNG`	all
`ELOOP`	all
`EMEDIUMTYPE`	all
`EMFILE`	all
`EMLINK`	all
`EMSGSIZE`	all
`EMULTIHOP`	all
`ENAMETOOLONG`	all
`ENAVAIL`	all
`ENETDOWN`	all
`ENETRESET`	all
`ENETUNREACH`	all
`ENFILE`	all
`ENOANO`	all
`ENOBUFS`	all
`ENOCSI`	all
`ENODATA`	all
`ENODEV`	all
`ENOENT`	all
`ENOEXEC`	all
`ENOKEY`	all
`ENOLCK`	all
`ENOLINK`	all
`ENOMEDIUM`	all
`ENOMEM`	all
`ENOMSG`	all
`ENONET`	all
`ENOPKG`	all
`ENOPROTOOPT`	all
`ENOSPC`	all
`ENOSR`	all
`ENOSTR`	all
`ENOSYS`	all
`ENOTBLK`	all
`ENOTCONN`	all
`ENOTDIR`	all
`ENOTEMPTY`	all
`ENOTNAM`	all
`ENOTRECOVERABLE`	all
`ENOTSOCK`	all
`ENOTSUP`	all
`ENOTTY`	all
`ENOTUNIQ`	all
`ENXIO`	all
`EOPNOTSUPP`	all
`EOVERFLOW`	all
`EOWNERDEAD`	all
`EPERM`	all
`EPFNOSUPPORT`	all
`EPIPE`	all
`EPROTO`	all
`EPROTONOSUPPORT`	all
`EPROTOTYPE`	all
`ERANGE`	all
`EREMCHG`	all
`EREMOTE`	all
`EREMOTEIO`	all
`ERESTART`	all
`ERFKILL`	all
`EROFS`	all
`ESHUTDOWN`	all
`ESOCKTNOSUPPORT`	all
`ESPIPE`	all
`ESRCH`	all
`ESRMNT`	all
`ESTALE`	all
`ESTRPIPE`	all
`ETIME`	all
`ETIMEDOUT`	all
`ETOOMANYREFS`	all
`ETXTBSY`	all
`EUCLEAN`	all
`EUNATCH`	all
`EUSERS`	all
`EWOULDBLOCK`	all
`EXDEV`	all
`EXFULL`	all

`File mode constants`

File mode constants are the supported file permissions as well as constants for the set-user-ID, set-group-ID, and sticky bits.

Name	Architectures
`S_ISUID`	all
`S_ISGID`	all
`S_ISVTX`	all
`S_IRWXU`	all
`S_IRUSR`	all
`S_IWUSR`	all
`S_IXUSR`	all
`S_IRWXG`	all
`S_IRGRP`	all
`S_IWGRP`	all
`S_IXGRP`	all
`S_IRWXO`	all
`S_IROTH`	all
`S_IWOTH`	all
`S_IXOTH`	all

`FileType`

File types.

Name	Architectures
`EMPTY`	all
`SHELL_SCRIPT`	all
`TEXT`	all
`COMPRESSED`	all
`ENCRYPTED`	all
`BINARY`	all
`LINUX_EXECUTABLE`	all
`WINDOWS_EXECUTABLE`	all
`MACOS_EXECUTABLE`	all
`FILE_LESS`	all

`Inode mode constants`

Inode mode constants are the supported file type constants as well as the file mode constants.

Name	Architectures
`S_IFMT`	all
`S_IFSOCK`	all
`S_IFLNK`	all
`S_IFREG`	all
`S_IFBLK`	all
`S_IFDIR`	all
`S_IFCHR`	all
`S_IFIFO`	all
`S_ISUID`	all
`S_ISGID`	all
`S_ISVTX`	all
`S_IRWXU`	all
`S_IRUSR`	all
`S_IWUSR`	all
`S_IXUSR`	all
`S_IRWXG`	all
`S_IRGRP`	all
`S_IWGRP`	all
`S_IXGRP`	all
`S_IRWXO`	all
`S_IROTH`	all
`S_IWOTH`	all
`S_IXOTH`	all

`Kernel Capability constants`

Kernel Capability constants are the supported Linux Kernel Capability.

Name	Architectures
`CAP_AUDIT_CONTROL`	all
`CAP_AUDIT_READ`	all
`CAP_AUDIT_WRITE`	all
`CAP_BLOCK_SUSPEND`	all
`CAP_BPF`	all
`CAP_CHECKPOINT_RESTORE`	all
`CAP_CHOWN`	all
`CAP_DAC_OVERRIDE`	all
`CAP_DAC_READ_SEARCH`	all
`CAP_FOWNER`	all
`CAP_FSETID`	all
`CAP_IPC_LOCK`	all
`CAP_IPC_OWNER`	all
`CAP_KILL`	all
`CAP_LEASE`	all
`CAP_LINUX_IMMUTABLE`	all
`CAP_MAC_ADMIN`	all
`CAP_MAC_OVERRIDE`	all
`CAP_MKNOD`	all
`CAP_NET_ADMIN`	all
`CAP_NET_BIND_SERVICE`	all
`CAP_NET_BROADCAST`	all
`CAP_NET_RAW`	all
`CAP_PERFMON`	all
`CAP_SETFCAP`	all
`CAP_SETGID`	all
`CAP_SETPCAP`	all
`CAP_SETUID`	all
`CAP_SYSLOG`	all
`CAP_SYS_ADMIN`	all
`CAP_SYS_BOOT`	all
`CAP_SYS_CHROOT`	all
`CAP_SYS_MODULE`	all
`CAP_SYS_NICE`	all
`CAP_SYS_PACCT`	all
`CAP_SYS_PTRACE`	all
`CAP_SYS_RAWIO`	all
`CAP_SYS_RESOURCE`	all
`CAP_SYS_TIME`	all
`CAP_SYS_TTY_CONFIG`	all
`CAP_WAKE_ALARM`	all

`L3 protocols`

L3 protocols are the supported Layer 3 protocols.

Name	Architectures
`ETH_P_LOOP`	all
`ETH_P_PUP`	all
`ETH_P_PUPAT`	all
`ETH_P_TSN`	all
`ETH_P_IP`	all
`ETH_P_X25`	all
`ETH_P_ARP`	all
`ETH_P_BPQ`	all
`ETH_P_IEEEPUP`	all
`ETH_P_IEEEPUPAT`	all
`ETH_P_BATMAN`	all
`ETH_P_DEC`	all
`ETH_P_DNADL`	all
`ETH_P_DNARC`	all
`ETH_P_DNART`	all
`ETH_P_LAT`	all
`ETH_P_DIAG`	all
`ETH_P_CUST`	all
`ETH_P_SCA`	all
`ETH_P_TEB`	all
`ETH_P_RARP`	all
`ETH_P_ATALK`	all
`ETH_P_AARP`	all
`ETH_P_8021_Q`	all
`ETH_P_ERSPAN`	all
`ETH_P_IPX`	all
`ETH_P_IPV6`	all
`ETH_P_PAUSE`	all
`ETH_P_SLOW`	all
`ETH_P_WCCP`	all
`ETH_P_MPLSUC`	all
`ETH_P_MPLSMC`	all
`ETH_P_ATMMPOA`	all
`ETH_P_PPPDISC`	all
`ETH_P_PPPSES`	all
`ETH_P__LINK_CTL`	all
`ETH_P_ATMFATE`	all
`ETH_P_PAE`	all
`ETH_P_AOE`	all
`ETH_P_8021_AD`	all
`ETH_P_802_EX1`	all
`ETH_P_TIPC`	all
`ETH_P_MACSEC`	all
`ETH_P_8021_AH`	all
`ETH_P_MVRP`	all
`ETH_P_1588`	all
`ETH_P_NCSI`	all
`ETH_P_PRP`	all
`ETH_P_FCOE`	all
`ETH_P_IBOE`	all
`ETH_P_TDLS`	all
`ETH_P_FIP`	all
`ETH_P_80221`	all
`ETH_P_HSR`	all
`ETH_P_NSH`	all
`ETH_P_LOOPBACK`	all
`ETH_P_QINQ1`	all
`ETH_P_QINQ2`	all
`ETH_P_QINQ3`	all
`ETH_P_EDSA`	all
`ETH_P_IFE`	all
`ETH_P_AFIUCV`	all
`ETH_P_8023_MIN`	all
`ETH_P_IPV6_HOP_BY_HOP`	all
`ETH_P_8023`	all
`ETH_P_AX25`	all
`ETH_P_ALL`	all
`ETH_P_8022`	all
`ETH_P_SNAP`	all
`ETH_P_DDCMP`	all
`ETH_P_WANPPP`	all
`ETH_P_PPPMP`	all
`ETH_P_LOCALTALK`	all
`ETH_P_CAN`	all
`ETH_P_CANFD`	all
`ETH_P_PPPTALK`	all
`ETH_P_TR8022`	all
`ETH_P_MOBITEX`	all
`ETH_P_CONTROL`	all
`ETH_P_IRDA`	all
`ETH_P_ECONET`	all
`ETH_P_HDLC`	all
`ETH_P_ARCNET`	all
`ETH_P_DSA`	all
`ETH_P_TRAILER`	all
`ETH_P_PHONET`	all
`ETH_P_IEEE802154`	all
`ETH_P_CAIF`	all
`ETH_P_XDSA`	all
`ETH_P_MAP`	all

`L4 protocols`

L4 protocols are the supported Layer 4 protocols.

Name	Architectures
`IP_PROTO_IP`	all
`IP_PROTO_ICMP`	all
`IP_PROTO_IGMP`	all
`IP_PROTO_IPIP`	all
`IP_PROTO_TCP`	all
`IP_PROTO_EGP`	all
`IP_PROTO_IGP`	all
`IP_PROTO_PUP`	all
`IP_PROTO_UDP`	all
`IP_PROTO_IDP`	all
`IP_PROTO_TP`	all
`IP_PROTO_DCCP`	all
`IP_PROTO_IPV6`	all
`IP_PROTO_RSVP`	all
`IP_PROTO_GRE`	all
`IP_PROTO_ESP`	all
`IP_PROTO_AH`	all
`IP_PROTO_ICMPV6`	all
`IP_PROTO_MTP`	all
`IP_PROTO_BEETPH`	all
`IP_PROTO_ENCAP`	all
`IP_PROTO_PIM`	all
`IP_PROTO_COMP`	all
`IP_PROTO_SCTP`	all
`IP_PROTO_UDPLITE`	all
`IP_PROTO_MPLS`	all
`IP_PROTO_RAW`	all

`LinkageType`

Linkage types.

Name	Architectures
`NONE`	all
`STATIC`	all
`DYNAMIC`	all

`MMap flags`

MMap flags are the supported flags for the mmap syscall.

Name	Architectures
`MAP_SHARED`	all
`MAP_PRIVATE`	all
`MAP_SHARED_VALIDATE`	all
`MAP_ANON`	all
`MAP_ANONYMOUS`	all
`MAP_DENYWRITE`	all
`MAP_EXECUTABLE`	all
`MAP_FIXED`	all
`MAP_FIXED_NOREPLACE`	all
`MAP_GROWSDOWN`	all
`MAP_HUGETLB`	all
`MAP_LOCKED`	all
`MAP_NONBLOCK`	all
`MAP_NORESERVE`	all
`MAP_POPULATE`	all
`MAP_STACK`	all
`MAP_SYNC`	all
`MAP_UNINITIALIZED`	all
`MAP_HUGE_16KB`	all
`MAP_HUGE_64KB`	all
`MAP_HUGE_512KB`	all
`MAP_HUGE_1MB`	all
`MAP_HUGE_2MB`	all
`MAP_HUGE_8MB`	all
`MAP_HUGE_16MB`	all
`MAP_HUGE_32MB`	all
`MAP_HUGE_256MB`	all
`MAP_HUGE_512MB`	all
`MAP_HUGE_1GB`	all
`MAP_HUGE_2GB`	all
`MAP_HUGE_16GB`	all
`MAP_32BIT`	amd64

`Network Address Family constants`

Network Address Family constants are the supported network address families.

Name	Architectures
`AF_UNSPEC`	all
`AF_LOCAL`	all
`AF_UNIX`	all
`AF_FILE`	all
`AF_INET`	all
`AF_AX25`	all
`AF_IPX`	all
`AF_APPLETALK`	all
`AF_NETROM`	all
`AF_BRIDGE`	all
`AF_ATMPVC`	all
`AF_X25`	all
`AF_INET6`	all
`AF_ROSE`	all
`AF_DECnet`	all
`AF_NETBEUI`	all
`AF_SECURITY`	all
`AF_KEY`	all
`AF_NETLINK`	all
`AF_ROUTE`	all
`AF_PACKET`	all
`AF_ASH`	all
`AF_ECONET`	all
`AF_ATMSVC`	all
`AF_RDS`	all
`AF_SNA`	all
`AF_IRDA`	all
`AF_PPPOX`	all
`AF_WANPIPE`	all
`AF_LLC`	all
`AF_IB`	all
`AF_MPLS`	all
`AF_CAN`	all
`AF_TIPC`	all
`AF_BLUETOOTH`	all
`AF_IUCV`	all
`AF_RXRPC`	all
`AF_ISDN`	all
`AF_PHONET`	all
`AF_IEEE802154`	all
`AF_CAIF`	all
`AF_ALG`	all
`AF_NFC`	all
`AF_VSOCK`	all
`AF_KCM`	all
`AF_QIPCRTR`	all
`AF_SMC`	all
`AF_XDP`	all
`AF_MAX`	all

`Network Protocol Types`

Types of specific network protocols.

Name	Architectures
`ICMP_ECHO_REQUEST`	all
`ICMP_ECHO_REPLY`	all
`ICMP_ROUTER_SOLICITATION`	all
`ICMP_ROUTER_ADVERTISEMENT`	all
`ICMP_NEIGHBOR_SOLICITATION`	all
`ICMP_NEIGHBOR_ADVERTISEMENT`	all
`ICMP_V6_ECHO_REQUEST`	all
`ICMP_V6_ECHO_REPLY`	all
`ICMP_V6_ROUTER_SOLICITATION`	all
`ICMP_V6_ROUTER_ADVERTISEMENT`	all
`ICMP_V6_NEIGHBOR_SOLICITATION`	all
`ICMP_V6_NEIGHBOR_ADVERTISEMENT`	all

`Network directions`

Network directions are the supported directions of network packets.

Name	Architectures
`INGRESS`	all
`EGRESS`	all

`Open flags`

Open flags are the supported flags for the open syscall.

Name	Architectures
`O_RDONLY`	all
`O_WRONLY`	all
`O_RDWR`	all
`O_APPEND`	all
`O_CREAT`	all
`O_EXCL`	all
`O_SYNC`	all
`O_TRUNC`	all
`O_ACCMODE`	all
`O_ASYNC`	all
`O_CLOEXEC`	all
`O_DIRECT`	all
`O_DIRECTORY`	all
`O_DSYNC`	all
`O_FSYNC`	all
`O_NDELAY`	all
`O_NOATIME`	all
`O_NOCTTY`	all
`O_NOFOLLOW`	all
`O_NONBLOCK`	all
`O_RSYNC`	all

`Pipe buffer flags`

Pipe buffer flags are the supported flags for a pipe buffer.

Name	Architectures
`PIPE_BUF_FLAG_LRU`	all
`PIPE_BUF_FLAG_ATOMIC`	all
`PIPE_BUF_FLAG_GIFT`	all
`PIPE_BUF_FLAG_PACKET`	all
`PIPE_BUF_FLAG_CAN_MERGE`	all
`PIPE_BUF_FLAG_WHOLE`	all
`PIPE_BUF_FLAG_LOSS`	all

`PrCtl Options`

PrCtl Options are the supported options for the prctl event

Name	Architectures
`PR_CAP_AMBIENT`	all
`PR_CAPBSET_READ`	all
`PR_CAPBSET_DROP`	all
`PR_SET_CHILD_SUBREAPER`	all
`PR_GET_CHILD_SUBREAPER`	all
`PR_SET_DUMPABLE`	all
`PR_GET_DUMPABLE`	all
`PR_SET_ENDIAN`	all
`PR_GET_ENDIAN`	all
`PR_SET_FP_MODE`	all
`PR_GET_FP_MODE`	all
`PR_SET_FPEMU`	all
`PR_GET_FPEMU`	all
`PR_SET_FPEXC`	all
`PR_GET_FPEXC`	all
`PR_SET_IO_FLUSHER`	all
`PR_GET_IO_FLUSHER`	all
`PR_SET_KEEPCAPS`	all
`PR_GET_KEEPCAPS`	all
`PR_MCE_KILL`	all
`PR_MCE_KILL_GET`	all
`PR_SET_MM`	all
`PR_SET_VMA`	all
`PR_MPX_ENABLE_MANAGEMENT`	all
`PR_MPX_DISABLE_MANAGEMENT`	all
`PR_SET_NAME`	all
`PR_GET_NAME`	all
`PR_SET_NO_NEW_PRIVS`	all
`PR_GET_NO_NEW_PRIVS`	all
`PR_PAC_RESET_KEYS`	all
`PR_SET_PDEATHSIG`	all
`PR_GET_PDEATHSIG`	all
`PR_SET_PTRACER`	all
`PR_SET_SECCOMP`	all
`PR_GET_SECCOMP`	all
`PR_SET_SECUREBITS`	all
`PR_GET_SECUREBITS`	all
`PR_GET_SPECULATION_CTRL`	all
`PR_SET_SPECULATION_CTRL`	all
`PR_SVE_SET_VL`	all
`PR_SVE_GET_VL`	all
`PR_SET_SYSCALL_USER_DISPATCH`	all
`PR_SET_TAGGED_ADDR_CTRL`	all
`PR_GET_TAGGED_ADDR_CTRL`	all
`PR_TASK_PERF_EVENTS_DISABLE`	all
`PR_TASK_PERF_EVENTS_ENABLE`	all
`PR_SET_THP_DISABLE`	all
`PR_GET_THP_DISABLE`	all
`PR_GET_TID_ADDRESS`	all
`PR_SET_TIMERSLACK`	all
`PR_GET_TIMERSLACK`	all
`PR_SET_TIMING`	all
`PR_GET_TIMING`	all
`PR_SET_TSC`	all
`PR_GET_TSC`	all
`PR_SET_UNALIGN`	all
`PR_GET_UNALIGN`	all
`PR_GET_AUXV`	all
`PR_SET_MDWE`	all
`PR_GET_MDWE`	all
`PR_RISCV_SET_ICACHE_FLUSH_CTX`	all

`Protection constants`

Protection constants are the supported protections for the mmap syscall.

Name	Architectures
`PROT_NONE`	all
`PROT_READ`	all
`PROT_WRITE`	all
`PROT_EXEC`	all
`PROT_GROWSDOWN`	all
`PROT_GROWSUP`	all

`Ptrace constants`

Ptrace constants are the supported ptrace commands for the ptrace syscall.

Name	Architectures
`PTRACE_TRACEME`	all
`PTRACE_PEEKTEXT`	all
`PTRACE_PEEKDATA`	all
`PTRACE_PEEKUSR`	all
`PTRACE_POKETEXT`	all
`PTRACE_POKEDATA`	all
`PTRACE_POKEUSR`	all
`PTRACE_CONT`	all
`PTRACE_KILL`	all
`PTRACE_SINGLESTEP`	all
`PTRACE_ATTACH`	all
`PTRACE_DETACH`	all
`PTRACE_SYSCALL`	all
`PTRACE_SETOPTIONS`	all
`PTRACE_GETEVENTMSG`	all
`PTRACE_GETSIGINFO`	all
`PTRACE_SETSIGINFO`	all
`PTRACE_GETREGSET`	all
`PTRACE_SETREGSET`	all
`PTRACE_SEIZE`	all
`PTRACE_INTERRUPT`	all
`PTRACE_LISTEN`	all
`PTRACE_PEEKSIGINFO`	all
`PTRACE_GETSIGMASK`	all
`PTRACE_SETSIGMASK`	all
`PTRACE_SECCOMP_GET_FILTER`	all
`PTRACE_SECCOMP_GET_METADATA`	all
`PTRACE_GET_SYSCALL_INFO`	all
`PTRACE_GETFPREGS`	amd64, arm
`PTRACE_SETFPREGS`	amd64, arm
`PTRACE_GETFPXREGS`	amd64
`PTRACE_SETFPXREGS`	amd64
`PTRACE_OLDSETOPTIONS`	amd64, arm
`PTRACE_GET_THREAD_AREA`	amd64, arm
`PTRACE_SET_THREAD_AREA`	amd64
`PTRACE_ARCH_PRCTL`	amd64
`PTRACE_SYSEMU`	amd64, arm64
`PTRACE_SYSEMU_SINGLESTEP`	amd64, arm64
`PTRACE_SINGLEBLOCK`	amd64
`PTRACE_GETCRUNCHREGS`	arm
`PTRACE_GETFDPIC`	arm
`PTRACE_GETFDPIC_EXEC`	arm
`PTRACE_GETFDPIC_INTERP`	arm
`PTRACE_GETHBPREGS`	arm
`PTRACE_GETVFPREGS`	arm
`PTRACE_GETWMMXREGS`	arm
`PTRACE_SETCRUNCHREGS`	arm
`PTRACE_SETHBPREGS`	arm
`PTRACE_SETVFPREGS`	arm
`PTRACE_SETWMMXREGS`	arm
`PTRACE_SET_SYSCALL`	arm
`PTRACE_PEEKMTETAGS`	arm64
`PTRACE_POKEMTETAGS`	arm64

`Resource limit types`

Resource limit types are the supported resource types for setrlimit syscall.

Name	Architectures
`RLIMIT_CPU`	all
`RLIMIT_FSIZE`	all
`RLIMIT_DATA`	all
`RLIMIT_STACK`	all
`RLIMIT_CORE`	all
`RLIMIT_RSS`	all
`RLIMIT_NPROC`	all
`RLIMIT_NOFILE`	all
`RLIMIT_MEMLOCK`	all
`RLIMIT_AS`	all
`RLIMIT_LOCKS`	all
`RLIMIT_SIGPENDING`	all
`RLIMIT_MSGQUEUE`	all
`RLIMIT_NICE`	all
`RLIMIT_RTPRIO`	all
`RLIMIT_RTTIME`	all

`SSHAuthMethod`

SSH authentication methods.

Name	Architectures
`password`	all
`public_key`	all
`unknown`	all

`SetSockopt Levels`

SetSockopt Levels are the supported levels for the setsockopt event.

Name	Architectures
`IPPROTO_IP`	all
`SOL_SOCKET`	all
`IPPROTO_TCP`	all
`IPPROTO_UDP`	all
`IPPROTO_IPV6`	all
`IPPROTO_ICMPV6`	all

`SetSockopt Options`

SetSockopt Options are the supported options for the setsockopt event when the level is IPPROTO_IP.

Name	Architectures
`IP_TOS`	all
`IP_TTL`	all
`IP_HDRINCL`	all
`IP_OPTIONS`	all
`IP_ROUTER_ALERT`	all
`IP_RECVOPTS`	all
`IP_RETOPTS`	all
`IP_PKTINFO`	all
`IP_PKTOPTIONS`	all
`IP_MTU_DISCOVER`	all
`IP_RECVERR`	all
`IP_RECVTTL`	all
`IP_RECVTOS`	all
`IP_MTU`	all
`IP_FREEBIND`	all
`IP_IPSEC_POLICY`	all
`IP_XFRM_POLICY`	all
`IP_PASSSEC`	all
`IP_TRANSPARENT`	all
`IP_ORIGDSTADDR`	all
`IP_MINTTL`	all
`IP_NODEFRAG`	all
`IP_CHECKSUM`	all
`IP_BIND_ADDRESS_NO_PORT`	all
`IP_RECVFRAGSIZE`	all
`IP_RECVERR_RFC4884`	all
`IP_MULTICAST_IF`	all
`IP_MULTICAST_TTL`	all
`IP_MULTICAST_LOOP`	all
`IP_ADD_MEMBERSHIP`	all
`IP_DROP_MEMBERSHIP`	all
`IP_UNBLOCK_SOURCE`	all
`IP_BLOCK_SOURCE`	all
`IP_ADD_SOURCE_MEMBERSHIP`	all
`IP_DROP_SOURCE_MEMBERSHIP`	all
`IP_MSFILTER`	all
`MCAST_JOIN_GROUP`	all
`MCAST_BLOCK_SOURCE`	all
`MCAST_UNBLOCK_SOURCE`	all
`MCAST_LEAVE_GROUP`	all
`MCAST_JOIN_SOURCE_GROUP`	all
`MCAST_LEAVE_SOURCE_GROUP`	all
`MCAST_MSFILTER`	all
`IP_MULTICAST_ALL`	all
`IP_UNICAST_IF`	all
`SO_DEBUG`	all
`SO_REUSEADDR`	all
`SO_TYPE`	all
`SO_ERROR`	all
`SO_DONTROUTE`	all
`SO_BROADCAST`	all
`SO_SNDBUF`	all
`SO_RCVBUF`	all
`SO_KEEPALIVE`	all
`SO_OOBINLINE`	all
`SO_NO_CHECK`	all
`SO_PRIORITY`	all
`SO_LINGER`	all
`SO_BSDCOMPAT`	all
`SO_REUSEPORT`	all
`SO_PASSCRED`	all
`SO_PEERCRED`	all
`SO_RCVLOWAT`	all
`SO_SNDLOWAT`	all
`SO_RCVTIMEO_OLD`	all
`SO_SNDTIMEO_OLD`	all
`SO_SECURITY_AUTHENTICATION`	all
`SO_SECURITY_ENCRYPTION_TRANSPORT`	all
`SO_SECURITY_ENCRYPTION_NETWORK`	all
`SO_BINDTODEVICE`	all
`SO_ATTACH_FILTER`	all
`SO_DETACH_FILTER`	all
`SO_PEERNAME`	all
`SO_TIMESTAMP_OLD`	all
`SO_ACCEPTCONN`	all
`SO_PEERSEC`	all
`SO_SNDBUFFORCE`	all
`SO_RCVBUFFORCE`	all
`SO_PASSSEC`	all
`SO_TIMESTAMPNS_OLD`	all
`SO_MARK`	all
`SO_TIMESTAMPING_OLD`	all
`SO_PROTOCOL`	all
`SO_DOMAIN`	all
`SO_RXQ_OVFL`	all
`SO_WIFI_STATUS`	all
`SO_PEEK_OFF`	all
`SO_NOFCS`	all
`SO_LOCK_FILTER`	all
`SO_SELECT_ERR_QUEUE`	all
`SO_BUSY_POLL`	all
`SO_MAX_PACING_RATE`	all
`SO_BPF_EXTENSIONS`	all
`SO_INCOMING_CPU`	all
`SO_ATTACH_BPF`	all
`SO_ATTACH_REUSEPORT_CBPF`	all
`SO_ATTACH_REUSEPORT_EBPF`	all
`SO_CNX_ADVICE`	all
`SCM_TIMESTAMPING_OPT_STATS`	all
`SO_MEMINFO`	all
`SO_INCOMING_NAPI_ID`	all
`SO_COOKIE`	all
`SCM_TIMESTAMPING_PKTINFO`	all
`SO_PEERGROUPS`	all
`SO_ZEROCOPY`	all
`SO_TXTIME`	all
`SO_BINDTOIFINDEX`	all
`SO_TIMESTAMP_NEW`	all
`SO_TIMESTAMPNS_NEW`	all
`SO_TIMESTAMPING_NEW`	all
`SO_RCVTIMEO_NEW`	all
`SO_SNDTIMEO_NEW`	all
`SO_DETACH_REUSEPORT_BPF`	all
`SO_PREFER_BUSY_POLL`	all
`SO_BUSY_POLL_BUDGET`	all
`SO_NETNS_COOKIE`	all
`SO_BUF_LOCK`	all
`SO_RESERVE_MEM`	all
`SO_TXREHASH`	all
`SO_RCVMARK`	all
`SO_PASSPIDFD`	all
`SO_PEERPIDFD`	all
`SO_DEVMEM_LINEAR`	all
`SO_DEVMEM_DMABUF`	all
`SO_DEVMEM_DONTNEED`	all
`SCM_TS_OPT_ID`	all
`SO_RCVPRIORITY`	all
`TCP_NODELAY`	all
`TCP_MAXSEG`	all
`TCP_CORK`	all
`TCP_KEEPIDLE`	all
`TCP_KEEPINTVL`	all
`TCP_KEEPCNT`	all
`TCP_SYNCNT`	all
`TCP_LINGER2`	all
`TCP_DEFER_ACCEPT`	all
`TCP_WINDOW_CLAMP`	all
`TCP_INFO`	all
`TCP_QUICKACK`	all
`TCP_CONGESTION`	all
`TCP_MD5SIG`	all
`TCP_THIN_LINEAR_TIMEOUTS`	all
`TCP_THIN_DUPACK`	all
`TCP_USER_TIMEOUT`	all
`TCP_REPAIR`	all
`TCP_REPAIR_QUEUE`	all
`TCP_QUEUE_SEQ`	all
`TCP_REPAIR_OPTIONS`	all
`TCP_FASTOPEN`	all
`TCP_TIMESTAMP`	all
`TCP_NOTSENT_LOWAT`	all
`TCP_CC_INFO`	all
`TCP_SAVE_SYN`	all
`TCP_SAVED_SYN`	all
`TCP_REPAIR_WINDOW`	all
`TCP_FASTOPEN_CONNECT`	all
`TCP_ULP`	all
`TCP_MD5SIG_EXT`	all
`TCP_FASTOPEN_KEY`	all
`TCP_FASTOPEN_NO_COOKIE`	all
`TCP_ZEROCOPY_RECEIVE`	all
`TCP_INQ`	all
`TCP_TX_DELAY`	all
`IPV6_ADDRFORM`	all
`IPV6_2292PKTINFO`	all
`IPV6_2292HOPOPTS`	all
`IPV6_2292DSTOPTS`	all
`IPV6_2292RTHDR`	all
`IPV6_2292PKTOPTIONS`	all
`IPV6_2292HOPLIMIT`	all
`IPV6_FLOWINFO`	all
`IPV6_UNICAST_HOPS`	all
`IPV6_MULTICAST_IF`	all
`IPV6_MULTICAST_HOPS`	all
`IPV6_MULTICAST_LOOP`	all
`IPV6_ADD_MEMBERSHIP`	all
`IPV6_DROP_MEMBERSHIP`	all
`IPV6_ROUTER_ALERT`	all
`IPV6_MTU_DISCOVER`	all
`IPV6_MTU`	all
`IPV6_RECVERR`	all
`IPV6_V6ONLY`	all
`IPV6_JOIN_ANYCAST`	all
`IPV6_LEAVE_ANYCAST`	all
`IPV6_MULTICAST_ALL`	all
`IPV6_ROUTER_ALERT_ISOLATE`	all
`IPV6_RECVERR_RFC4884`	all
`IPV6_FLOWLABEL_MGR`	all
`IPV6_FLOWINFO_SEND`	all
`IPV6_IPSEC_POLICY`	all
`IPV6_XFRM_POLICY`	all
`IPV6_HDRINCL`	all
`IPV6_RECVPKTINFO`	all
`IPV6_PKTINFO`	all
`IPV6_RECVHOPLIMIT`	all
`IPV6_HOPLIMIT`	all
`IPV6_RECVHOPOPTS`	all
`IPV6_HOPOPTS`	all
`IPV6_RTHDRDSTOPTS`	all
`IPV6_RECVRTHDR`	all
`IPV6_RTHDR`	all
`IPV6_RECVDSTOPTS`	all
`IPV6_DSTOPTS`	all
`IPV6_RECVPATHMTU`	all
`IPV6_PATHMTU`	all
`IPV6_DONTFRAG`	all
`IPV6_RECVTCLASS`	all
`IPV6_TCLASS`	all
`IPV6_AUTOFLOWLABEL`	all
`IPV6_ADDR_PREFERENCES`	all
`IPV6_MINHOPCOUNT`	all
`IPV6_ORIGDSTADDR`	all
`IPV6_TRANSPARENT`	all
`IPV6_UNICAST_IF`	all
`IPV6_RECVFRAGSIZE`	all
`IPV6_FREEBIND`	all

`Signal constants`

Signal constants are the supported signals for the kill syscall.

Name	Architectures
`SIGHUP`	all
`SIGINT`	all
`SIGQUIT`	all
`SIGILL`	all
`SIGTRAP`	all
`SIGABRT`	all
`SIGIOT`	all
`SIGBUS`	all
`SIGFPE`	all
`SIGKILL`	all
`SIGUSR1`	all
`SIGSEGV`	all
`SIGUSR2`	all
`SIGPIPE`	all
`SIGALRM`	all
`SIGTERM`	all
`SIGSTKFLT`	all
`SIGCHLD`	all
`SIGCONT`	all
`SIGSTOP`	all
`SIGTSTP`	all
`SIGTTIN`	all
`SIGTTOU`	all
`SIGURG`	all
`SIGXCPU`	all
`SIGXFSZ`	all
`SIGVTALRM`	all
`SIGPROF`	all
`SIGWINCH`	all
`SIGIO`	all
`SIGPOLL`	all
`SIGPWR`	all
`SIGSYS`	all

`Socket types`

Socket types are the supported socket types.

Name	Architectures
`SOCK_STREAM`	all
`SOCK_DGRAM`	all
`SOCK_RAW`	all
`SOCK_RDM`	all
`SOCK_SEQPACKET`	all
`SOCK_DCCP`	all
`SOCK_PACKET`	all

`SysCtl Actions`

SysCtl Actions are the supported actions for the sysctl event.

Name	Architectures
`SYSCTL_READ`	all
`SYSCTL_WRITE`	all

`Unlink flags`

Unlink flags are the supported flags for the unlink syscall.

Name	Architectures
`AT_REMOVEDIR`	all

`UserSessionTypes`

UserSessionTypes are the supported user session types.

Name	Architectures
`unknown`	all
`k8s`	all
`ssh`	all

`Virtual Memory flags`

Virtual Memory flags define the protection of a virtual memory segment.

Name	Architectures
`VM_NONE`	all
`VM_READ`	all
`VM_WRITE`	all
`VM_EXEC`	all
`VM_SHARED`	all
`VM_MAYREAD`	all
`VM_MAYWRITE`	all
`VM_MAYEXEC`	all
`VM_MAYSHARE`	all
`VM_GROWSDOWN`	all
`VM_UFFD_MISSING`	all
`VM_PFNMAP`	all
`VM_UFFD_WP`	all
`VM_LOCKED`	all
`VM_IO`	all
`VM_SEQ_READ`	all
`VM_RAND_READ`	all
`VM_DONTCOPY`	all
`VM_DONTEXPAND`	all
`VM_LOCKONFAULT`	all
`VM_ACCOUNT`	all
`VM_NORESERVE`	all
`VM_HUGETLB`	all
`VM_SYNC`	all
`VM_ARCH_1`	all
`VM_WIPEONFORK`	all
`VM_DONTDUMP`	all
`VM_SOFTDIRTY`	all
`VM_MIXEDMAP`	all
`VM_HUGEPAGE`	all
`VM_NOHUGEPAGE`	all
`VM_MERGEABLE`	all

Additional helpful documentation, links, and articles:

Get started with Datadog Workload ProtectionDOCUMENTATION

URL: https://docs.datadoghq.com/security/workload_protection/linux_expressions/