Explore Kunai Events

📄️ Event Layout and Info Section

Every kunai event gets a set of common fields shared between all the events. These fields give various information which might be used for advanced purposes such as event identification, grouping or correlation.

📄️ Start

This event is generated when Kunai starts and contains both system-related information and Kunai-specific details. This event can help in understanding the system's state and verifying the Kunai configuration and environment at startup.

📄️ Execve

This event is generated when a new process is created using one of the execve system calls. execve system calls are used to execute a program within the context of an existing process, replacing the current process image with a new one. This event is crucial for monitoring process execution and understanding the lineage and behavior of processes on a Linux system.

📄️ Execve Script

This event is generated when a script or binary is executed using the execve family of system calls. The execve_script event is a specialized form of the execve event, focusing on the execution of script files and binaries. This event is essential for monitoring script and binary executions, which are often used in automation, system administration, and various other tasks.

📄️ Exit

Exit events get generated when a single task (process or thread) exits.

📄️ Exit Group

Event generated when a thread-group (process and all its threads) exits.

📄️ Clone

A task is being cloned/forked. This means that a new task will be created on the system.

📄️ Prctl

A prctl event is generated when a process makes a call to the prctl syscall. As you can read in the man page, this syscall can be used to achieve a wide range of operations. Some of them might be considered as malicious, depending on the context.

📄️ Kill

This event is generated when kill signal is sent to a foreign process. You can find under .data.target information about the process targeted by the signal described by .data.signal.

📄️ Ptrace

Event generated when a ptrace syscall is issued. .data.mode reflects the ptrace mode as defined in Linux Kernel headers

📄️ Init Module

This kind of event is generated when a kernel module is loaded into the kernel.

📄️ Bpf Prog Load

This event is generated every time a BPF program is loaded into the kernel.

📄️ Bpf Socket Filter Attached

A socket filter attachment has been made (for instance via getsockopt syscall).

📄️ Mprotect Exec

This kind of event is generated when memory protection is turned to executable.

📄️ Mmap Exec

This events is generated whenever the mmap syscall is used to map an executable file in memory, with memory execution protection.

📄️ Connect

This event gets generated every time a connect attempt is made to a remote IP.

📄️ Dns Query

This event is generated when a DNS response is received on the host and provides insight into the query, response, and DNS resolver.

📄️ Send Data

This events gets generated when data is sent to a remote IP address.

📄️ Read

This event gets generated whenever a file is read.

📄️ Read Config

This file is generated whenever a file located in /etc is being read.

📄️ Write

This event gets generated whenever a file is write.

📄️ Write Config

This file is generated whenever a file located in /etc is being written.

📄️ File Rename

This event gets generated whenever a file is being renamed.

📄️ File Unlink

Event generated when a file gets unlinked.

📄️ Write and Close

An event generated when a file that has been written is just being closed.

📄️ File Create

This event is generated when a new file is being created at .data.path.

📄️ IO Uring SQE

This event is generated when Kunai detects a submission queue entry (SQE) in the iouring subsystem. The iouring subsystem is a Linux kernel feature that provides an asynchronous I/O interface, allowing applications to perform I/O operations without blocking the calling thread. This event captures details about the operation being submitted.

📄️ File Scan

Such events are generated when a scan-files action is requested. This event is a bit particular compared to other because it is triggered from another event. You can find the **cross-reference** to the **triggering event** in .data.sourceevent field.

📄️ Error

This event is generated when Kunai encounters an error. It provides detailed information about the error, including its code, message, and context. The error event helps in diagnosing and resolving issues effectively by surfacing critical details.

📄️ Event Loss

This event is generated when Kunai detects that some events are lost between the kernel and Kunai userland. It reflects a scenario where the event monitor cannot keep up with the kernel's pace. Such occurrences are inevitable when Kunai is configured to log very frequent events, such as file system activities (read, write, filecreated, fileunlink, etc.). While these events are valuable for detailed analysis, the high frequency may lead to unavoidable losses.