Mocked outputs for a GenAI Cyber project

[erezweinstein5]

Add mocked outputs

It would be super helpful to have a mocked data (preferably with some real security issues detected). We're building a GenAI Cyber project and we would be happy to integrate Flaco as a data source.
Thank you :)

[ekoops]

Hey! You can use the falcosecurity/event-generator to generate mocked data for your use case.

The event-generator allows you to generate suspicious events (actions) which will trigger Falco rules. You can collect the generated alerts and feed them into your project.

You can use

# See all the available actions
event-generator list --all

# Run the actions matching the regular expression [regexp]
event-generator run [regexp]

I think it would be useful for you also to take a look at --loop and --sleep options:

--loop to run actions in a loop
--sleep to set the length of time to wait before running an action (default to 100ms)

If you want to generate custom actions triggering your own custom rules, you can add your own custom implementation or try the (still-in-development) declarative-testing branch.

The declarative-testing branch adds two new commands:

# Run test(s) specified via a YAML description
event-generator declarative run ...

# Run test(s) specified via a YAML description and verify that they produce the expected outcomes
event-generator declarative test ...

These commands are similar to their counterpart event-generator run and event-generator test, but allows to write your own action using a YAML based syntax. Take a look at these PRs to see some examples of usage:

• feat(decl): add CLI support to run declarative tests event-generator#237
• feat(decl): add process test resource and kill system call test step event-generator#241
• feat(decl/loader): add test cases support and fix doc generation for list items event-generator#266

You can also use event-generator declarative explain ... command to explore the YAML syntax.

[erezweinstein5]

Thank you @ekoops! Will certainly try that 👍