Read
This event gets generated whenever a file is read.
info
- If consecutive
readoperations are made on the same file, only one event will be generated for a given task. - Events gets generated on
readvariant syscalls. It means a file just being opened withopenkind of syscalls won't generate any event until being actually read.
danger
If you decide to enable these events (disabled by default), please be aware that there will be a large number of them. Make sure you have read the configuration section.
{
"data": {
"ancestors": "/usr/lib/systemd/systemd|/usr/bin/login|/usr/bin/zsh|/usr/bin/bash|/usr/bin/xinit|/usr/bin/i3|/usr/bin/bash|/usr/bin/urxvt|/usr/bin/zsh|/usr/bin/bash",
"command_line": "sudo docker run -it --rm -h ubuntu-kunai-test ubuntu:latest ls -hail",
"exe": {
"path": "/usr/bin/sudo"
},
"path": "/run/sudo/ts/1000"
},
"info": {
"host": "...",
"event": {
"source": "kunai",
"id": 81,
"name": "read",
"uuid": "f7f6ce71-325a-9708-4363-97c413bffa28",
"batch": 604
},
"task": "...",
"parent_task": "...",
"utc_time": "2024-10-29T12:47:57.957950584Z"
}
}
Additional Details
Why This Event Matters
The read event is crucial for:
- File Access Monitoring: Tracks when files are read, providing visibility into file access patterns across the system.
- Security Monitoring: Detects unauthorized file reads that may indicate credential harvesting or reconnaissance activities.
- Forensic Analysis: Establishes timelines of file access for incident investigation and understanding attack patterns.
Key Fields Explained
.data.ancestors
- A pipe-separated list of the executable paths of the process ancestors that read the file.
.data.command_line
- The command line of the process that read the file.
.data.exe.path
- The path to the executable that read the file.
.data.path
- The full path to the file that was read.