
@Issif
Created May 2, 2024 15:56
{
"hostname": "falco-6vmwl",
"output": "15:26:08.771336620: Notice Ingress remote file copy tool launched in container (user=sonarqube user_loginuid=-1 command=wget --no-proxy --quiet -O /dev/null --timeout=1 --header=X-Sonar-Passcode: define_it http://10.X.Y.Z:9000/api/system/liveness pid=73098 parent_process=sh container_id=e5824e25f127 container_name=sonarqube image=docker.io/library/sonarqube:10.1.0-community exe_flags=0) k8s.ns=sonarqube k8s.pod=sonarqube-sonarqube-0 container=e5824e25f127",
"priority": "Notice",
"rule": "Launch Ingress Remote File Copy Tools in Container",
"source": "syscall",
"tags": [
"TA0011",
"container",
"mitre_command_and_control",
"network",
"process"
],
"time": "2024-04-30T15:26:08.771336620Z",
"output_fields": {
"container.id": "e5824e25f127",
"container.image.repository": "docker.io/library/sonarqube",
"container.image.tag": "10.1.0-community",
"container.name": "sonarqube",
"evt.arg.flags": "0",
"evt.time": 1714490768771336620,
"k8s.ns.name": "sonarqube",
"k8s.pod.name": "sonarqube-sonarqube-0",
"proc.cmdline": "wget --no-proxy --quiet -O /dev/null --timeout=1 --header=X-Sonar-Passcode: define_it http://10.X.Y.Z:9000/api/system/liveness",
"proc.pid": 73098,
"proc.pname": "sh",
"user.loginuid": -1,
"user.name": "sonarqube"
}
}