Webhook from Tracee-eBPF Directly?

[Brambopulos]

It appears from the code and the high-level overview of Tracee's workflow that the webhook feature of Tracee's output is designed to attach to Tracee-Rules after events have been filtered from the Tracee-eBPF.

Is it possible in Tracee's current state to post directly from a trace?

[itaysk]

Yes Tracee-eBPF doesn't can't call a webhook. This is by design, since raw trace is very verbose and an HTTP callback is not the best in this case, so Tracee-eBPF writes to a file which is a bit more suitable for the volume and velocity of events. Also, we consider Tracee-eBPF an internal component of Tracee, and the integration features (like webhook) are applied to Tracee and not that internal component.

If you can't read from the file, here's a quick workaround that will help you achieve what you wanted: just create a new Tracee Rule that matches everything. The effect is that when you run Tracee it will "detect" every raw event and call the webhook.Let me know if that needs clarification or help.

May I also ask about your use case? What are you trying to achieve? Perhaps we could suggest other solutions or learn about what we should fix in Tracee

[itaysk]

for example:

package tracee.XYZ_1

__rego_metadoc__ := {
    "id": "XYZ-1",
    "version": "0.1.0",
    "name": "pass-through"
}

tracee_selected_events[eventSelector] {
	eventSelector := {
		"source": "tracee"
	}
}

# always match
tracee_match {
    true
}

[Brambopulos]

It makes sense that the components of tracee-ebpf is considered the 'private function' of Tracee, as it is indeed verbose. I had considered the solution that you wrote in your example, but hadn't been able to figure out how to get the rules to behave properly- this works out pretty much perfectly.

My intention is to perform statistical analysis on the information coming through Tracee at scale, and so far it seems the best way to accomplish this would be to deposit all necessary information onto one server that takes care of the data science. In this case, having an excess of trace information is preferred over potentially missing data due to a limiting set of rules. Thank you for the reply, going to try getting a bit more used to rego moving forward.

[itaysk]

If you're not comfortable with rego, you can also write a signature in go.
But based on your scenario I think it's better to run Tracee-eBPF directly and dump all the raw data into your analysis tool. So you run the trace with -o json and then pipe it into another tool that sends every line to your analysis database. For example, you can use fluentbit for that.

[Brambopulos]

Thank you for the suggestions! Fluentbit looks promising, I'll definitely have to do more looking into it. My hope is to do real-time processing of the data from the trace so finding the cleanest solution is both arduous and up to interpretation.

If you don't mind another question, following the tracee-rule passthrough suggestion, I'm wondering where I can find more information about generating templates. All of the included templates only include the HostName and ProcessName context, but I'm interested in seeing event types, pids, and whatever else might be in that map[].

[itaysk]

Here's the docs for writing templates: https://aquasecurity.github.io/tracee/dev/integrations/
Here are examples: https://github.com/aquasecurity/tracee/tree/main/tracee-rules/templates
Here is a template that emits raw json: https://github.com/aquasecurity/tracee/blob/main/tracee-rules/templates/rawjson.tmpl