Agent Expressions

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Agent expression syntax

Cloud Workload Security (CWS) first evaluates activity within the Datadog Agent against Agent expressions to decide what activity to collect. This portion of a CWS rule is called the Agent expression. Agent expressions use Datadog’s Security Language (SECL). The standard format of a SECL expression is as follows:

<event-type>.<event-attribute> <operator> <value> <event-attribute> ...

Using this format, an example rule looks like this:

open.file.path == "/etc/shadow" && file.path not in ["/usr/sbin/vipw"]


Triggers are events that correspond to types of activity seen by the system. The currently supported set of triggers is:

SECL EventTypeDefinitionAgent Version
bindNetwork[Experimental] A bind was executed7.37
bpfKernelA BPF command was executed7.33
capsetProcessA process changed its capacity set7.27
chmodFileA file’s permissions were changed7.27
chownFileA file’s owner was changed7.27
dnsNetworkA DNS request was sent7.36
execProcessA process was executed or forked7.27
linkFileCreate a new name/alias for a file7.27
load_moduleKernelA new kernel module was loaded7.35
mkdirFileA directory was created7.27
mmapKernelA mmap command was executed7.35
mprotectKernelA mprotect command was executed7.35
openFileA file was opened7.27
ptraceKernelA ptrace command was executed7.35
removexattrFileRemove extended attributes7.27
renameFileA file/directory was renamed7.27
rmdirFileA directory was removed7.27
selinuxKernelAn SELinux operation was run7.30
setgidProcessA process changed its effective gid7.27
setuidProcessA process changed its effective uid7.27
setxattrFileSet exteneded attributes7.27
signalProcessA signal was sent7.35
spliceFileA splice command was executed7.36
unlinkFileA file was deleted7.27
unload_moduleKernelA kernel module was deleted7.35
utimesFileChange file access/modification times7.27


SECL operators are used to combine event attributes together into a full expression. The following operators are available:

SECL OperatorTypesDefinitionAgent Version
!=FileNot equal7.27
>=FileGreater or equal7.27
<=FileLesser or equal7.27
^FileBinary not7.27
in [elem1, ...]FileElement is contained in list7.27
not in [elem1, ...]FileElement is not contained in list7.27
=~FileString matching7.27
!~FileString not matching7.27
&FileBinary and7.27
|FileBinary or7.27
&&FileLogical and7.27
||FileLogical or7.27
in CIDRNetworkElement is in the IP range7.37
not in CIDRNetworkElement is not in the IP range7.37
allin CIDRNetworkAll the elements are in the IP range7.37
in [CIDR1, ...]NetworkElement is in the IP ranges7.37
not in [CIDR1, ...]NetworkElement is not in the IP ranges7.37
allin [CIDR1, ...]NetworkAll the elements are in the IP ranges7.37

Patterns and regular expressions

Patterns or regular expressions can be used in SECL expressions. They can be used with the in, not in, =~, and !~ operators.

FormatExampleSupported FieldsAgent Version
r"regexp"r"rc[0-9]+"All except .path7.27

Patterns on .path fields will be used as Glob. * will match files and folders at the same level. **, introduced in 7.34, can be used at the end of a path in order to match all the files and subfolders.


You can use SECL to write rules based on durations, which trigger on events that occur during a specific time period. For example, trigger on an event where a secret file is accessed more than a certain length of time after a process is created. Such a rule could be written as follows:

open.file.path == "/etc/secret" && == "java" && process.created_at > 5s

Durations are numbers with a unit suffix. The supported suffixes are “s”, “m”, “h”.


SECL variables are predefined variables that can be used as values or as part of values.

For example, rule using a variable looks like this:

open.file.path == "/proc/${}/maps"

List of the available variables:

SECL VariableDefinitionAgent Version
process.pidProcess PID7.33

CIDR and IP range

CIDR and IP matching is possible in SECL. One can use operators such as in, not in, or allin combined with CIDR or IP notations.

Such rules can be written as follows: == "" && network.destination.ip in ["", ""]


Helpers exist in SECL that enable users to write advanced rules without needing to rely on generic techniques such as regex.

Command line arguments

The args_flags and args_options are helpers to ease the writing of CWS rules based on command line arguments.

args_flags is used to catch arguments that start with either one or two hyphen characters but do not accept any associated value.


  • version is part of args_flags for the command cat --version
  • l and n both are in args_flags for the command netstat -ln

args_options is used to catch arguments that start with either one or two hyphen characters and accepts a value either specified as the same argument but separated by the ‘=’ character or specified as the next argument.


  • T=8 and width=8 both are in args_options for the command ls -T 8 --width=8
  • exec.args_options ~= [ “s=.*\’” ] can be used to detect sudoedit was launched with -s argument and a command that ends with a \

File rights

The file.rights attribute can now be used in addition to file.mode. file.mode can hold values set by the kernel, while the file.rights only holds the values set by the user. These rights may be more familiar because they are in the chmod commands.

Event types

Common to all event types

container.idstringID of the container
container.tagsstringTags of the container
network.destination.ipIP/CIDRIP address
network.destination.portintPort number
network.device.ifindexintinterface ifindex
network.device.ifnamestringinterface ifname
network.l3_protocolintl3 protocol of the network packet
network.l4_protocolintl4 protocol of the network packet
network.sizeintsize in bytes of the network packet
network.source.ipIP/CIDRIP address
network.source.portintPort number
process.ancestors.argsstringArguments of the process (as a string)
process.ancestors.args_flagsstringArguments of the process (as an array)
process.ancestors.args_optionsstringArguments of the process (as an array)
process.ancestors.args_truncatedboolIndicator of arguments truncation
process.ancestors.argvstringArguments of the process (as an array)
process.ancestors.argv0stringFirst argument of the process
process.ancestors.cap_effectiveintEffective capability set of the process
process.ancestors.cap_permittedintPermitted capability set of the process
process.ancestors.commstringComm attribute of the process
process.ancestors.container.idstringContainer ID
process.ancestors.cookieintCookie of the process
process.ancestors.created_atintTimestamp of the creation of the process
process.ancestors.egidintEffective GID of the process
process.ancestors.egroupstringEffective group of the process
process.ancestors.envpstringEnvironment variables of the process
process.ancestors.envsstringEnvironment variable names of the process
process.ancestors.envs_truncatedboolIndicator of environment variables truncation
process.ancestors.euidintEffective UID of the process
process.ancestors.euserstringEffective user of the process
process.ancestors.file.change_timeintChange time of the file
process.ancestors.file.filesystemstringFile’s filesystem
process.ancestors.file.gidintGID of the file’s owner
process.ancestors.file.groupstringGroup of the file’s owner
process.ancestors.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
process.ancestors.file.inodeintInode of the file
process.ancestors.file.modeintMode/rights of the file
process.ancestors.file.modification_timeintModification time of the file
process.ancestors.file.mount_idintMount ID of the file
process.ancestors.file.namestringFile’s basename
process.ancestors.file.pathstringFile’s path
process.ancestors.file.rightsintMode/rights of the file
process.ancestors.file.uidintUID of the file’s owner
process.ancestors.file.userstringUser of the file’s owner
process.ancestors.fsgidintFileSystem-gid of the process
process.ancestors.fsgroupstringFileSystem-group of the process
process.ancestors.fsuidintFileSystem-uid of the process
process.ancestors.fsuserstringFileSystem-user of the process
process.ancestors.gidintGID of the process
process.ancestors.groupstringGroup of the process
process.ancestors.pidintProcess ID of the process (also called thread group ID)
process.ancestors.ppidintParent process ID
process.ancestors.tidintThread ID of the thread
process.ancestors.tty_namestringName of the TTY associated with the process
process.ancestors.uidintUID of the process
process.ancestors.userstringUser of the process
process.argsstringArguments of the process (as a string)
process.args_flagsstringArguments of the process (as an array)
process.args_optionsstringArguments of the process (as an array)
process.args_truncatedboolIndicator of arguments truncation
process.argvstringArguments of the process (as an array)
process.argv0stringFirst argument of the process
process.cap_effectiveintEffective capability set of the process
process.cap_permittedintPermitted capability set of the process
process.commstringComm attribute of the process
process.container.idstringContainer ID
process.cookieintCookie of the process
process.created_atintTimestamp of the creation of the process
process.egidintEffective GID of the process
process.egroupstringEffective group of the process
process.envpstringEnvironment variables of the process
process.envsstringEnvironment variable names of the process
process.envs_truncatedboolIndicator of environment variables truncation
process.euidintEffective UID of the process
process.euserstringEffective user of the process
process.file.change_timeintChange time of the file
process.file.filesystemstringFile’s filesystem
process.file.gidintGID of the file’s owner
process.file.groupstringGroup of the file’s owner
process.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
process.file.inodeintInode of the file
process.file.modeintMode/rights of the file
process.file.modification_timeintModification time of the file
process.file.mount_idintMount ID of the file
process.file.namestringFile’s basename
process.file.pathstringFile’s path
process.file.rightsintMode/rights of the file
process.file.uidintUID of the file’s owner
process.file.userstringUser of the file’s owner
process.fsgidintFileSystem-gid of the process
process.fsgroupstringFileSystem-group of the process
process.fsuidintFileSystem-uid of the process
process.fsuserstringFileSystem-user of the process
process.gidintGID of the process
process.groupstringGroup of the process
process.pidintProcess ID of the process (also called thread group ID)
process.ppidintParent process ID
process.tidintThread ID of the thread
process.tty_namestringName of the TTY associated with the process
process.uidintUID of the process
process.userstringUser of the process

Event bind

This event type is experimental and may change in the future.

A bind was executed

bind.addr.familyintAddress family
bind.addr.ipIP/CIDRIP address
bind.addr.portintPort number
bind.asyncboolTrue if the syscall was asynchronous
bind.retvalintReturn value of the syscall

Event bpf

A BPF command was executed

bpf.asyncboolTrue if the syscall was asynchronous
bpf.cmdintBPF command name of the eBPF map (added in 7.35) of the eBPF map
bpf.prog.attach_typeintAttach type of the eBPF program
bpf.prog.helpersinteBPF helpers used by the eBPF program (added in 7.35)
bpf.prog.namestringName of the eBPF program (added in 7.35)
bpf.prog.tagstringHash (sha1) of the eBPF program (added in 7.35)
bpf.prog.typeintType of the eBPF program
bpf.retvalintReturn value of the syscall

Event capset

A process changed its capacity set

capset.cap_effectiveintEffective capability set of the process
capset.cap_permittedintPermitted capability set of the process

Event chmod

A file’s permissions were changed

chmod.asyncboolTrue if the syscall was asynchronous
chmod.file.change_timeintChange time of the file
chmod.file.destination.modeintNew mode/rights of the chmod-ed file
chmod.file.destination.rightsintNew mode/rights of the chmod-ed file
chmod.file.filesystemstringFile’s filesystem
chmod.file.gidintGID of the file’s owner
chmod.file.groupstringGroup of the file’s owner
chmod.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
chmod.file.inodeintInode of the file
chmod.file.modeintMode/rights of the file
chmod.file.modification_timeintModification time of the file
chmod.file.mount_idintMount ID of the file
chmod.file.namestringFile’s basename
chmod.file.pathstringFile’s path
chmod.file.rightsintMode/rights of the file
chmod.file.uidintUID of the file’s owner
chmod.file.userstringUser of the file’s owner
chmod.retvalintReturn value of the syscall

Event chown

A file’s owner was changed

chown.asyncboolTrue if the syscall was asynchronous
chown.file.change_timeintChange time of the file
chown.file.destination.gidintNew GID of the chown-ed file’s owner
chown.file.destination.groupstringNew group of the chown-ed file’s owner
chown.file.destination.uidintNew UID of the chown-ed file’s owner
chown.file.destination.userstringNew user of the chown-ed file’s owner
chown.file.filesystemstringFile’s filesystem
chown.file.gidintGID of the file’s owner
chown.file.groupstringGroup of the file’s owner
chown.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
chown.file.inodeintInode of the file
chown.file.modeintMode/rights of the file
chown.file.modification_timeintModification time of the file
chown.file.mount_idintMount ID of the file
chown.file.namestringFile’s basename
chown.file.pathstringFile’s path
chown.file.rightsintMode/rights of the file
chown.file.uidintUID of the file’s owner
chown.file.userstringUser of the file’s owner
chown.retvalintReturn value of the syscall

Event dns

A DNS request was sent

dns.question.classintthe class looked up by the DNS question
dns.question.countintthe total count of questions in the DNS request
dns.question.namestringthe queried domain name
dns.question.sizeintthe total DNS request size in bytes
dns.question.typeinta two octet code which specifies the DNS question type

Event exec

A process was executed or forked

exec.argsstringArguments of the process (as a string)
exec.args_flagsstringArguments of the process (as an array)
exec.args_optionsstringArguments of the process (as an array)
exec.args_truncatedboolIndicator of arguments truncation
exec.argvstringArguments of the process (as an array)
exec.argv0stringFirst argument of the process
exec.cap_effectiveintEffective capability set of the process
exec.cap_permittedintPermitted capability set of the process
exec.commstringComm attribute of the process
exec.container.idstringContainer ID
exec.cookieintCookie of the process
exec.created_atintTimestamp of the creation of the process
exec.egidintEffective GID of the process
exec.egroupstringEffective group of the process
exec.envpstringEnvironment variables of the process
exec.envsstringEnvironment variable names of the process
exec.envs_truncatedboolIndicator of environment variables truncation
exec.euidintEffective UID of the process
exec.euserstringEffective user of the process
exec.file.change_timeintChange time of the file
exec.file.filesystemstringFile’s filesystem
exec.file.gidintGID of the file’s owner
exec.file.groupstringGroup of the file’s owner
exec.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
exec.file.inodeintInode of the file
exec.file.modeintMode/rights of the file
exec.file.modification_timeintModification time of the file
exec.file.mount_idintMount ID of the file
exec.file.namestringFile’s basename
exec.file.pathstringFile’s path
exec.file.rightsintMode/rights of the file
exec.file.uidintUID of the file’s owner
exec.file.userstringUser of the file’s owner
exec.fsgidintFileSystem-gid of the process
exec.fsgroupstringFileSystem-group of the process
exec.fsuidintFileSystem-uid of the process
exec.fsuserstringFileSystem-user of the process
exec.gidintGID of the process
exec.groupstringGroup of the process
exec.pidintProcess ID of the process (also called thread group ID)
exec.ppidintParent process ID
exec.tidintThread ID of the thread
exec.tty_namestringName of the TTY associated with the process
exec.uidintUID of the process
exec.userstringUser of the process

Create a new name/alias for a file

link.asyncboolTrue if the syscall was asynchronous
link.file.change_timeintChange time of the file
link.file.destination.change_timeintChange time of the file
link.file.destination.filesystemstringFile’s filesystem
link.file.destination.gidintGID of the file’s owner
link.file.destination.groupstringGroup of the file’s owner
link.file.destination.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
link.file.destination.inodeintInode of the file
link.file.destination.modeintMode/rights of the file
link.file.destination.modification_timeintModification time of the file
link.file.destination.mount_idintMount ID of the file
link.file.destination.namestringFile’s basename
link.file.destination.pathstringFile’s path
link.file.destination.rightsintMode/rights of the file
link.file.destination.uidintUID of the file’s owner
link.file.destination.userstringUser of the file’s owner
link.file.filesystemstringFile’s filesystem
link.file.gidintGID of the file’s owner
link.file.groupstringGroup of the file’s owner
link.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
link.file.inodeintInode of the file
link.file.modeintMode/rights of the file
link.file.modification_timeintModification time of the file
link.file.mount_idintMount ID of the file
link.file.namestringFile’s basename
link.file.pathstringFile’s path
link.file.rightsintMode/rights of the file
link.file.uidintUID of the file’s owner
link.file.userstringUser of the file’s owner
link.retvalintReturn value of the syscall

Event load_module

A new kernel module was loaded

load_module.asyncboolTrue if the syscall was asynchronous
load_module.file.change_timeintChange time of the file
load_module.file.filesystemstringFile’s filesystem
load_module.file.gidintGID of the file’s owner
load_module.file.groupstringGroup of the file’s owner
load_module.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
load_module.file.inodeintInode of the file
load_module.file.modeintMode/rights of the file
load_module.file.modification_timeintModification time of the file
load_module.file.mount_idintMount ID of the file
load_module.file.namestringFile’s basename
load_module.file.pathstringFile’s path
load_module.file.rightsintMode/rights of the file
load_module.file.uidintUID of the file’s owner
load_module.file.userstringUser of the file’s owner
load_module.loaded_from_memoryboolIndicates if the kernel module was loaded from memory
load_module.namestringName of the new kernel module
load_module.retvalintReturn value of the syscall

Event mkdir

A directory was created

mkdir.asyncboolTrue if the syscall was asynchronous
mkdir.file.change_timeintChange time of the file
mkdir.file.destination.modeintMode/rights of the new directory
mkdir.file.destination.rightsintMode/rights of the new directory
mkdir.file.filesystemstringFile’s filesystem
mkdir.file.gidintGID of the file’s owner
mkdir.file.groupstringGroup of the file’s owner
mkdir.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
mkdir.file.inodeintInode of the file
mkdir.file.modeintMode/rights of the file
mkdir.file.modification_timeintModification time of the file
mkdir.file.mount_idintMount ID of the file
mkdir.file.namestringFile’s basename
mkdir.file.pathstringFile’s path
mkdir.file.rightsintMode/rights of the file
mkdir.file.uidintUID of the file’s owner
mkdir.file.userstringUser of the file’s owner
mkdir.retvalintReturn value of the syscall

Event mmap

A mmap command was executed

mmap.asyncboolTrue if the syscall was asynchronous
mmap.file.change_timeintChange time of the file
mmap.file.filesystemstringFile’s filesystem
mmap.file.gidintGID of the file’s owner
mmap.file.groupstringGroup of the file’s owner
mmap.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
mmap.file.inodeintInode of the file
mmap.file.modeintMode/rights of the file
mmap.file.modification_timeintModification time of the file
mmap.file.mount_idintMount ID of the file
mmap.file.namestringFile’s basename
mmap.file.pathstringFile’s path
mmap.file.rightsintMode/rights of the file
mmap.file.uidintUID of the file’s owner
mmap.file.userstringUser of the file’s owner
mmap.flagsintmemory segment flags
mmap.protectionintmemory segment protection
mmap.retvalintReturn value of the syscall

Event mprotect

A mprotect command was executed

mprotect.asyncboolTrue if the syscall was asynchronous
mprotect.req_protectionintnew memory segment protection
mprotect.retvalintReturn value of the syscall
mprotect.vm_protectionintinitial memory segment protection

Event open

A file was opened

open.asyncboolTrue if the syscall was asynchronous
open.file.change_timeintChange time of the file
open.file.destination.modeintMode of the created file
open.file.filesystemstringFile’s filesystem
open.file.gidintGID of the file’s owner
open.file.groupstringGroup of the file’s owner
open.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
open.file.inodeintInode of the file
open.file.modeintMode/rights of the file
open.file.modification_timeintModification time of the file
open.file.mount_idintMount ID of the file
open.file.namestringFile’s basename
open.file.pathstringFile’s path
open.file.rightsintMode/rights of the file
open.file.uidintUID of the file’s owner
open.file.userstringUser of the file’s owner
open.flagsintFlags used when opening the file
open.retvalintReturn value of the syscall

Event ptrace

A ptrace command was executed

ptrace.asyncboolTrue if the syscall was asynchronous
ptrace.requestintptrace request
ptrace.retvalintReturn value of the syscall
ptrace.tracee.ancestors.argsstringArguments of the process (as a string)
ptrace.tracee.ancestors.args_flagsstringArguments of the process (as an array)
ptrace.tracee.ancestors.args_optionsstringArguments of the process (as an array)
ptrace.tracee.ancestors.args_truncatedboolIndicator of arguments truncation
ptrace.tracee.ancestors.argvstringArguments of the process (as an array)
ptrace.tracee.ancestors.argv0stringFirst argument of the process
ptrace.tracee.ancestors.cap_effectiveintEffective capability set of the process
ptrace.tracee.ancestors.cap_permittedintPermitted capability set of the process
ptrace.tracee.ancestors.commstringComm attribute of the process
ptrace.tracee.ancestors.container.idstringContainer ID
ptrace.tracee.ancestors.cookieintCookie of the process
ptrace.tracee.ancestors.created_atintTimestamp of the creation of the process
ptrace.tracee.ancestors.egidintEffective GID of the process
ptrace.tracee.ancestors.egroupstringEffective group of the process
ptrace.tracee.ancestors.envpstringEnvironment variables of the process
ptrace.tracee.ancestors.envsstringEnvironment variable names of the process
ptrace.tracee.ancestors.envs_truncatedboolIndicator of environment variables truncation
ptrace.tracee.ancestors.euidintEffective UID of the process
ptrace.tracee.ancestors.euserstringEffective user of the process
ptrace.tracee.ancestors.file.change_timeintChange time of the file
ptrace.tracee.ancestors.file.filesystemstringFile’s filesystem
ptrace.tracee.ancestors.file.gidintGID of the file’s owner
ptrace.tracee.ancestors.file.groupstringGroup of the file’s owner
ptrace.tracee.ancestors.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
ptrace.tracee.ancestors.file.inodeintInode of the file
ptrace.tracee.ancestors.file.modeintMode/rights of the file
ptrace.tracee.ancestors.file.modification_timeintModification time of the file
ptrace.tracee.ancestors.file.mount_idintMount ID of the file
ptrace.tracee.ancestors.file.namestringFile’s basename
ptrace.tracee.ancestors.file.pathstringFile’s path
ptrace.tracee.ancestors.file.rightsintMode/rights of the file
ptrace.tracee.ancestors.file.uidintUID of the file’s owner
ptrace.tracee.ancestors.file.userstringUser of the file’s owner
ptrace.tracee.ancestors.fsgidintFileSystem-gid of the process
ptrace.tracee.ancestors.fsgroupstringFileSystem-group of the process
ptrace.tracee.ancestors.fsuidintFileSystem-uid of the process
ptrace.tracee.ancestors.fsuserstringFileSystem-user of the process
ptrace.tracee.ancestors.gidintGID of the process
ptrace.tracee.ancestors.groupstringGroup of the process
ptrace.tracee.ancestors.pidintProcess ID of the process (also called thread group ID)
ptrace.tracee.ancestors.ppidintParent process ID
ptrace.tracee.ancestors.tidintThread ID of the thread
ptrace.tracee.ancestors.tty_namestringName of the TTY associated with the process
ptrace.tracee.ancestors.uidintUID of the process
ptrace.tracee.ancestors.userstringUser of the process
ptrace.tracee.argsstringArguments of the process (as a string)
ptrace.tracee.args_flagsstringArguments of the process (as an array)
ptrace.tracee.args_optionsstringArguments of the process (as an array)
ptrace.tracee.args_truncatedboolIndicator of arguments truncation
ptrace.tracee.argvstringArguments of the process (as an array)
ptrace.tracee.argv0stringFirst argument of the process
ptrace.tracee.cap_effectiveintEffective capability set of the process
ptrace.tracee.cap_permittedintPermitted capability set of the process
ptrace.tracee.commstringComm attribute of the process
ptrace.tracee.container.idstringContainer ID
ptrace.tracee.cookieintCookie of the process
ptrace.tracee.created_atintTimestamp of the creation of the process
ptrace.tracee.egidintEffective GID of the process
ptrace.tracee.egroupstringEffective group of the process
ptrace.tracee.envpstringEnvironment variables of the process
ptrace.tracee.envsstringEnvironment variable names of the process
ptrace.tracee.envs_truncatedboolIndicator of environment variables truncation
ptrace.tracee.euidintEffective UID of the process
ptrace.tracee.euserstringEffective user of the process
ptrace.tracee.file.change_timeintChange time of the file
ptrace.tracee.file.filesystemstringFile’s filesystem
ptrace.tracee.file.gidintGID of the file’s owner
ptrace.tracee.file.groupstringGroup of the file’s owner
ptrace.tracee.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
ptrace.tracee.file.inodeintInode of the file
ptrace.tracee.file.modeintMode/rights of the file
ptrace.tracee.file.modification_timeintModification time of the file
ptrace.tracee.file.mount_idintMount ID of the file
ptrace.tracee.file.namestringFile’s basename
ptrace.tracee.file.pathstringFile’s path
ptrace.tracee.file.rightsintMode/rights of the file
ptrace.tracee.file.uidintUID of the file’s owner
ptrace.tracee.file.userstringUser of the file’s owner
ptrace.tracee.fsgidintFileSystem-gid of the process
ptrace.tracee.fsgroupstringFileSystem-group of the process
ptrace.tracee.fsuidintFileSystem-uid of the process
ptrace.tracee.fsuserstringFileSystem-user of the process
ptrace.tracee.gidintGID of the process
ptrace.tracee.groupstringGroup of the process
ptrace.tracee.pidintProcess ID of the process (also called thread group ID)
ptrace.tracee.ppidintParent process ID
ptrace.tracee.tidintThread ID of the thread
ptrace.tracee.tty_namestringName of the TTY associated with the process
ptrace.tracee.uidintUID of the process
ptrace.tracee.userstringUser of the process

Event removexattr

Remove extended attributes

removexattr.asyncboolTrue if the syscall was asynchronous
removexattr.file.change_timeintChange time of the file
removexattr.file.destination.namestringName of the extended attribute
removexattr.file.destination.namespacestringNamespace of the extended attribute
removexattr.file.filesystemstringFile’s filesystem
removexattr.file.gidintGID of the file’s owner
removexattr.file.groupstringGroup of the file’s owner
removexattr.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
removexattr.file.inodeintInode of the file
removexattr.file.modeintMode/rights of the file
removexattr.file.modification_timeintModification time of the file
removexattr.file.mount_idintMount ID of the file
removexattr.file.namestringFile’s basename
removexattr.file.pathstringFile’s path
removexattr.file.rightsintMode/rights of the file
removexattr.file.uidintUID of the file’s owner
removexattr.file.userstringUser of the file’s owner
removexattr.retvalintReturn value of the syscall

Event rename

A file/directory was renamed

rename.asyncboolTrue if the syscall was asynchronous
rename.file.change_timeintChange time of the file
rename.file.destination.change_timeintChange time of the file
rename.file.destination.filesystemstringFile’s filesystem
rename.file.destination.gidintGID of the file’s owner
rename.file.destination.groupstringGroup of the file’s owner
rename.file.destination.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
rename.file.destination.inodeintInode of the file
rename.file.destination.modeintMode/rights of the file
rename.file.destination.modification_timeintModification time of the file
rename.file.destination.mount_idintMount ID of the file
rename.file.destination.namestringFile’s basename
rename.file.destination.pathstringFile’s path
rename.file.destination.rightsintMode/rights of the file
rename.file.destination.uidintUID of the file’s owner
rename.file.destination.userstringUser of the file’s owner
rename.file.filesystemstringFile’s filesystem
rename.file.gidintGID of the file’s owner
rename.file.groupstringGroup of the file’s owner
rename.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
rename.file.inodeintInode of the file
rename.file.modeintMode/rights of the file
rename.file.modification_timeintModification time of the file
rename.file.mount_idintMount ID of the file
rename.file.namestringFile’s basename
rename.file.pathstringFile’s path
rename.file.rightsintMode/rights of the file
rename.file.uidintUID of the file’s owner
rename.file.userstringUser of the file’s owner
rename.retvalintReturn value of the syscall

Event rmdir

A directory was removed

rmdir.asyncboolTrue if the syscall was asynchronous
rmdir.file.change_timeintChange time of the file
rmdir.file.filesystemstringFile’s filesystem
rmdir.file.gidintGID of the file’s owner
rmdir.file.groupstringGroup of the file’s owner
rmdir.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
rmdir.file.inodeintInode of the file
rmdir.file.modeintMode/rights of the file
rmdir.file.modification_timeintModification time of the file
rmdir.file.mount_idintMount ID of the file
rmdir.file.namestringFile’s basename
rmdir.file.pathstringFile’s path
rmdir.file.rightsintMode/rights of the file
rmdir.file.uidintUID of the file’s owner
rmdir.file.userstringUser of the file’s owner
rmdir.retvalintReturn value of the syscall

Event selinux

An SELinux operation was run

selinux.bool.namestringSELinux boolean name
selinux.bool.statestringSELinux boolean new value
selinux.bool_commit.stateboolIndicator of a SELinux boolean commit operation
selinux.enforce.statusstringSELinux enforcement status (one of “enforcing”, “permissive”, “disabled”")

Event setgid

A process changed its effective gid

setgid.egidintNew effective GID of the process
setgid.egroupstringNew effective group of the process
setgid.fsgidintNew FileSystem GID of the process
setgid.fsgroupstringNew FileSystem group of the process
setgid.gidintNew GID of the process
setgid.groupstringNew group of the process

Event setuid

A process changed its effective uid

setuid.euidintNew effective UID of the process
setuid.euserstringNew effective user of the process
setuid.fsuidintNew FileSystem UID of the process
setuid.fsuserstringNew FileSystem user of the process
setuid.uidintNew UID of the process
setuid.userstringNew user of the process

Event setxattr

Set exteneded attributes

setxattr.asyncboolTrue if the syscall was asynchronous
setxattr.file.change_timeintChange time of the file
setxattr.file.destination.namestringName of the extended attribute
setxattr.file.destination.namespacestringNamespace of the extended attribute
setxattr.file.filesystemstringFile’s filesystem
setxattr.file.gidintGID of the file’s owner
setxattr.file.groupstringGroup of the file’s owner
setxattr.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
setxattr.file.inodeintInode of the file
setxattr.file.modeintMode/rights of the file
setxattr.file.modification_timeintModification time of the file
setxattr.file.mount_idintMount ID of the file
setxattr.file.namestringFile’s basename
setxattr.file.pathstringFile’s path
setxattr.file.rightsintMode/rights of the file
setxattr.file.uidintUID of the file’s owner
setxattr.file.userstringUser of the file’s owner
setxattr.retvalintReturn value of the syscall

Event signal

A signal was sent

signal.asyncboolTrue if the syscall was asynchronous
signal.pidintTarget PID
signal.retvalintReturn value of the syscall of the process (as a string) of the process (as an array) of the process (as an array) of arguments truncation of the process (as an array) argument of the process capability set of the process capability set of the process attribute of the process ID of the process of the creation of the process GID of the process group of the process variables of the process variable names of the process of environment variables truncation UID of the process user of the process time of the file’s filesystem of the file’s owner of the file’s owner of the file layer, in an OverlayFS for example of the file of the file time of the file ID of the file’s basename’s path of the file of the file’s owner of the file’s owner of the process of the process of the process of the process of the process of the process ID of the process (also called thread group ID) process ID ID of the thread of the TTY associated with the process of the process of the process of the process (as a string) of the process (as an array) of the process (as an array) of arguments truncation of the process (as an array) argument of the process capability set of the process capability set of the process attribute of the process ID of the process of the creation of the process GID of the process group of the process variables of the process variable names of the process of environment variables truncation UID of the process user of the process time of the file’s filesystem of the file’s owner of the file’s owner of the file layer, in an OverlayFS for example of the file of the file time of the file ID of the file’s basename’s path of the file of the file’s owner of the file’s owner of the process of the process of the process of the process of the process of the process ID of the process (also called thread group ID) process ID ID of the thread of the TTY associated with the process of the process of the process
signal.typeintSignal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)

Event splice

A splice command was executed

splice.asyncboolTrue if the syscall was asynchronous
splice.file.change_timeintChange time of the file
splice.file.filesystemstringFile’s filesystem
splice.file.gidintGID of the file’s owner
splice.file.groupstringGroup of the file’s owner
splice.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
splice.file.inodeintInode of the file
splice.file.modeintMode/rights of the file
splice.file.modification_timeintModification time of the file
splice.file.mount_idintMount ID of the file
splice.file.namestringFile’s basename
splice.file.pathstringFile’s path
splice.file.rightsintMode/rights of the file
splice.file.uidintUID of the file’s owner
splice.file.userstringUser of the file’s owner
splice.pipe_entry_flagintEntry flag of the “fd_out” pipe passed to the splice syscall
splice.pipe_exit_flagintExit flag of the “fd_out” pipe passed to the splice syscall
splice.retvalintReturn value of the syscall

A file was deleted

unlink.asyncboolTrue if the syscall was asynchronous
unlink.file.change_timeintChange time of the file
unlink.file.filesystemstringFile’s filesystem
unlink.file.gidintGID of the file’s owner
unlink.file.groupstringGroup of the file’s owner
unlink.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
unlink.file.inodeintInode of the file
unlink.file.modeintMode/rights of the file
unlink.file.modification_timeintModification time of the file
unlink.file.mount_idintMount ID of the file
unlink.file.namestringFile’s basename
unlink.file.pathstringFile’s path
unlink.file.rightsintMode/rights of the file
unlink.file.uidintUID of the file’s owner
unlink.file.userstringUser of the file’s owner
unlink.retvalintReturn value of the syscall

Event unload_module

A kernel module was deleted

unload_module.asyncboolTrue if the syscall was asynchronous
unload_module.namestringName of the kernel module that was deleted
unload_module.retvalintReturn value of the syscall

Event utimes

Change file access/modification times

utimes.asyncboolTrue if the syscall was asynchronous
utimes.file.change_timeintChange time of the file
utimes.file.filesystemstringFile’s filesystem
utimes.file.gidintGID of the file’s owner
utimes.file.groupstringGroup of the file’s owner
utimes.file.in_upper_layerboolIndicator of the file layer, in an OverlayFS for example
utimes.file.inodeintInode of the file
utimes.file.modeintMode/rights of the file
utimes.file.modification_timeintModification time of the file
utimes.file.mount_idintMount ID of the file
utimes.file.namestringFile’s basename
utimes.file.pathstringFile’s path
utimes.file.rightsintMode/rights of the file
utimes.file.uidintUID of the file’s owner
utimes.file.userstringUser of the file’s owner
utimes.retvalintReturn value of the syscall

Documentation, liens et articles supplémentaires utiles: