Falco Alert Output
Schema for the JSON alert output emitted by Falco when a rule is triggered. This is the format used by all Falco output channels including stdout, file, gRPC, and HTTP webhook outputs.
Properties
| Name | Type | Description |
|---|---|---|
| uuid | string | Unique identifier (UUID) for the alert event |
| output | string | Formatted output message as defined by the rule output template |
| priority | string | Severity level of the alert (syslog-style, from Emergency down to Debug) |
| rule | string | Name of the rule that triggered the alert |
| source | string | Data source that generated the event |
| time | string | ISO 8601 / RFC 3339 timestamp of when the event occurred, including a timezone designator |
| hostname | string | Hostname of the machine where the event was detected |
| tags | array | Tags associated with the triggered rule, which may include MITRE ATT&CK technique references |
| output_fields | object | Key-value pairs of fields extracted from the event; keys beyond those listed in the schema are allowed and carry scalar values |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://falco.org/schemas/output/v1/falco-alert-output.json",
"title": "Falco Alert Output",
"description": "Schema for the JSON alert output emitted by Falco when a rule is triggered. This is the format used by all Falco output channels including stdout, file, gRPC, and HTTP webhook outputs.",
"type": "object",
"properties": {
"uuid": {
"type": "string",
"format": "uuid",
"description": "Unique identifier (UUID) for the alert event"
},
"output": {
"type": "string",
"description": "Formatted output message as defined by the rule output template"
},
"priority": {
"type": "string",
"description": "Severity level of the alert (syslog-style, from Emergency down to Debug)",
"enum": [
"Emergency",
"Alert",
"Critical",
"Error",
"Warning",
"Notice",
"Informational",
"Debug"
]
},
"rule": {
"type": "string",
"description": "Name of the rule that triggered the alert"
},
"source": {
"type": "string",
"description": "Data source that generated the event",
"enum": [
"syscall",
"k8s_audit",
"aws_cloudtrail",
"okta",
"github"
]
},
"time": {
"type": "string",
"format": "date-time",
"description": "ISO 8601 / RFC 3339 timestamp of when the event occurred, including a timezone designator"
},
"hostname": {
"type": "string",
"description": "Hostname of the machine where the event was detected"
},
"tags": {
"type": "array",
"items": {
"type": "string"
},
"description": "Tags associated with the triggered rule, which may include MITRE ATT&CK technique references"
},
"output_fields": {
"type": "object",
"description": "Key-value pairs of fields extracted from the event; keys beyond those listed here are allowed and carry scalar values",
"properties": {
"evt.time": {
"type": "string",
"description": "Event timestamp"
},
"evt.type": {
"type": "string",
"description": "System call or event type"
},
"user.name": {
"type": "string",
"description": "User name associated with the event"
},
"user.uid": {
"type": ["integer", "string"],
"description": "User ID associated with the event (may be emitted as an integer or as a string; consumers should accept both)"
},
"proc.name": {
"type": "string",
"description": "Process name"
},
"proc.pid": {
"type": "integer",
"description": "Process ID"
},
"proc.ppid": {
"type": "integer",
"description": "Parent process ID"
},
"proc.cmdline": {
"type": "string",
"description": "Full command line of the observed process; its contents are untrusted event data and should be escaped before being rendered or interpolated"
},
"proc.pname": {
"type": "string",
"description": "Parent process name"
},
"container.id": {
"type": "string",
"description": "Container ID"
},
"container.name": {
"type": "string",
"description": "Container name"
},
"container.image.repository": {
"type": "string",
"description": "Container image repository"
},
"container.image.tag": {
"type": "string",
"description": "Container image tag"
},
"k8s.ns.name": {
"type": "string",
"description": "Kubernetes namespace name"
},
"k8s.pod.name": {
"type": "string",
"description": "Kubernetes pod name"
},
"fd.name": {
"type": "string",
"description": "File descriptor name: a file path, a network connection tuple, or another descriptor-specific identifier"
}
},
"additionalProperties": {
"type": ["string", "integer", "boolean", "null"]
}
}
},
"required": ["output", "priority", "rule", "source", "time"],
"additionalProperties": true
}