Merge branch 'master' into jjo/OTLP

Signed-off-by: JuanJo Ciarlante <juanjosec@gmail.com>

.github/workflows/build-image.yml

@@ -25,7 +25,7 @@ jobs:
 
       - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
 
-      - uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+      - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
         with:
           install-only: true
 

.github/workflows/push-main.yml

@@ -32,7 +32,7 @@ jobs:
 
       - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
 
-      - uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+      - uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
         with:
           install-only: true
 
@@ -63,7 +63,7 @@ jobs:
 
       # Push images to AWS Public ECR
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1
+        uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2
         with:
           role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
           aws-region: us-east-1

.github/workflows/release.yml

@@ -44,7 +44,7 @@ jobs:
 
       # Push images to AWS Public ECR
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1
+        uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3.0.2
         with:
           role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcosidekick-ecr
           aws-region: us-east-1
@@ -68,7 +68,7 @@ jobs:
 
       - name: Run GoReleaser
         id: run-goreleaser
-        uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+        uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
         with:
           version: latest
           args: release --clean --timeout 120m

README.md

@@ -1451,7 +1451,7 @@ The name from the table should match with the `hypertable` output configuration.
 Run you daemon and try (from Falco's documentation) :
 
 ```bash
-curl -XPOST "http://localhost:2801/" -d'{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","priority":"Error","rule":"Write below binary dir","time":"2019-05-17T15:31:56.746609046Z", "output_fields": {"evt.time":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}'
+curl -XPOST "http://localhost:2801/" -d'{"output":"16:31:56.746609046: Error File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)","hostname": "localhost", "priority":"Error","rule":"Write below binary dir","time":"2019-05-17T15:31:56.746609046Z", "output_fields": {"evt.time":1507591916746609046,"fd.name":"/bin/hack","proc.cmdline":"touch /bin/hack","user.name":"root"}}'
 ```
 
 You should get :

go.mod

@@ -5,17 +5,17 @@ go 1.20
 require (
 	cloud.google.com/go/functions v1.15.1
 	cloud.google.com/go/pubsub v1.33.0
-	cloud.google.com/go/storage v1.32.0
+	cloud.google.com/go/storage v1.33.0
 	github.com/Azure/azure-event-hubs-go/v3 v3.6.1
 	github.com/DataDog/datadog-go v4.8.3+incompatible
 	github.com/PagerDuty/go-pagerduty v1.7.0
 	github.com/alecthomas/kingpin/v2 v2.3.2
-	github.com/aws/aws-sdk-go v1.45.2
+	github.com/aws/aws-sdk-go v1.45.6
 	github.com/cloudevents/sdk-go/v2 v2.14.0
 	github.com/eclipse/paho.mqtt.golang v1.4.3
 	github.com/embano1/memlog v0.4.5
 	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead
-	github.com/emersion/go-smtp v0.18.0
+	github.com/emersion/go-smtp v0.18.1
 	github.com/google/uuid v1.3.1
 	github.com/googleapis/gax-go/v2 v2.12.0
 	github.com/jackc/pgx/v5 v5.4.3
@@ -36,8 +36,8 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.16.0
 	go.opentelemetry.io/otel/sdk v1.16.0
 	go.opentelemetry.io/otel/trace v1.16.0
-	golang.org/x/oauth2 v0.11.0
-	google.golang.org/api v0.138.0
+	golang.org/x/oauth2 v0.12.0
+	google.golang.org/api v0.139.0
 	google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d
 	k8s.io/api v0.28.1
 	k8s.io/apimachinery v0.28.1
@@ -137,10 +137,10 @@ require (
 	go.opentelemetry.io/proto/otlp v0.19.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
-	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.14.0 // indirect
+	golang.org/x/net v0.15.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/sys v0.12.0 // indirect
 	golang.org/x/term v0.12.0 // indirect

go.sum

@@ -79,8 +79,8 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 cloud.google.com/go/storage v1.21.0/go.mod h1:XmRlxkgPjlBONznT2dDUU/5XlpU2OjMnKuqnZI01LAA=
-cloud.google.com/go/storage v1.32.0 h1:5w6DxEGOnktmJHarxAOUywxVW9lbNWIzlzzUltG/3+o=
-cloud.google.com/go/storage v1.32.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8=
+cloud.google.com/go/storage v1.33.0 h1:PVrDOkIC8qQVa1P3SXGpQvfuJhN2LHOoyZvWs8D2X5M=
+cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/OxflYkiD8=
 cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A=
 cloud.google.com/go/trace v1.2.0/go.mod h1:Wc8y/uYyOhPy12KEnXG9XGrvfMz5F5SrYecQlbW1rwM=
 contrib.go.opencensus.io/exporter/aws v0.0.0-20200617204711-c478e41e60e9/go.mod h1:uu1P0UCM/6RbsMrgPa98ll8ZcHM858i/AD06a9aLRCA=
@@ -184,8 +184,8 @@ github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo
 github.com/aws/aws-sdk-go v1.30.19/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.43.31/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go v1.45.2 h1:hTong9YUklQKqzrGk3WnKABReb5R8GjbG4Y6dEQfjnk=
-github.com/aws/aws-sdk-go v1.45.2/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/aws/aws-sdk-go v1.45.6 h1:Y2isQQBZsnO15dzUQo9YQRThtHgrV200XCH05BRHVJI=
+github.com/aws/aws-sdk-go v1.45.6/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1/go.mod h1:n8Bs1ElDD2wJ9kCRTczA83gYbBmjSwZp3umc6zF4EeM=
 github.com/aws/aws-sdk-go-v2/config v1.15.3/go.mod h1:9YL3v07Xc/ohTsxFXzan9ZpFpdTOFl4X65BAKYaz8jg=
@@ -271,8 +271,8 @@ github.com/embano1/memlog v0.4.5/go.mod h1:7uN1Nv5QilpClPjWuT4dXQ35mzRCrpH3GGrGg
 github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead h1:fI1Jck0vUrXT8bnphprS1EoVRe2Q5CKCX8iDlpqjQ/Y=
 github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
-github.com/emersion/go-smtp v0.18.0 h1:lrVQqB0JdxYjC8CsBt55pSwB756bRRN6vK0DSr0pXfM=
-github.com/emersion/go-smtp v0.18.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
+github.com/emersion/go-smtp v0.18.1 h1:4DFV0jxKhq0Gqt/Br3BRHyKZy5TStk6NIMHAx6GE/LA=
+github.com/emersion/go-smtp v0.18.1/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -850,8 +850,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -961,8 +961,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
-golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -983,8 +983,8 @@ golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1250,8 +1250,8 @@ google.golang.org/api v0.69.0/go.mod h1:boanBiw+h5c3s+tBPgEzLDRHfFLWV0qXxRHz3ws7
 google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
 google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
 google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
-google.golang.org/api v0.138.0 h1:K/tVp05MxNVbHShRw9m7e9VJGdagNeTdMzqPH7AUqr0=
-google.golang.org/api v0.138.0/go.mod h1:4xyob8CxC+0GChNBvEUAk8VBKNvYOTWM9T3v3UfRxuY=
+google.golang.org/api v0.139.0 h1:A1TrCPgMmOiYu0AiNkvQIpIx+D8blHTDcJ5EogkP7LI=
+google.golang.org/api v0.139.0/go.mod h1:CVagp6Eekz9CjGZ718Z+sloknzkDJE7Vc1Ckj9+viBk=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=

handlers.go

@@ -136,6 +136,8 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 	promLabels := map[string]string{"rule": falcopayload.Rule, "priority": falcopayload.Priority.String(), "k8s_ns_name": kn, "k8s_pod_name": kp}
 	if falcopayload.Hostname != "" {
 		promLabels["hostname"] = falcopayload.Hostname
+	} else {
+		promLabels["hostname"] = "unknown"
 	}
 
 	for key, value := range config.Customfields {

outputs/dynatrace.go

@@ -3,6 +3,7 @@ package outputs
 import (
 	"log"
 	"regexp"
+	"strconv"
 	"time"
 
 	"github.com/falcosecurity/falcosidekick/types"
@@ -28,7 +29,7 @@ type dtLogMessage struct {
 	ContainerImageName    string       `json:"container.image.name,omitempty"`
 	K8sNamespaceName      string       `json:"k8s.namespace.name,omitempty"`
 	K8sPodName            string       `json:"k8s.pod.name,omitempty"`
-	K8sPodId              string       `json:"k8s.pod.id,omitempty"`
+	K8sPodUid             string       `json:"k8s.pod.uid,omitempty"`
 	ProcessExecutableName string       `json:"process.executable.name,omitempty"`
 	SpanId                string       `json:"span.id,omitempty"`
 }
@@ -65,26 +66,32 @@ func newDynatracePayload(falcopayload types.FalcoPayload) dtPayload {
 	}
 
 	// possibly map a few fields to semantic attributes
-	for fcKey, val := range falcopayload.OutputFields {
-		switch fcKey {
-		case "container.id":
-			message.ContainerId = val.(string)
-		case "container.name":
-			message.ContainerName = val.(string)
-		case "container.image.name":
-			message.ContainerImageName = val.(string)
-		case "k8s.namespace.name", "ka.target.namespace":
-			message.K8sNamespaceName = val.(string)
-		case "k8s.pod.name":
-			message.K8sPodName = val.(string)
-		case "k8s.pod.id":
-			message.K8sPodId = val.(string)
-		case "proc.name":
-			message.ProcessExecutableName = val.(string)
-		case "span.id":
-			message.SpanId = val.(string)
-		default:
-			continue
+	if falcopayload.OutputFields != nil {
+		for fcKey, val := range falcopayload.OutputFields {
+			if val == nil {
+				continue
+			}
+
+			switch fcKey {
+			case "container.id":
+				message.ContainerId = val.(string)
+			case "container.name":
+				message.ContainerName = val.(string)
+			case "container.image":
+				message.ContainerImageName = val.(string)
+			case "k8s.ns.name", "ka.target.namespace":
+				message.K8sNamespaceName = val.(string)
+			case "k8s.pod.name":
+				message.K8sPodName = val.(string)
+			case "k8s.pod.id":
+				message.K8sPodUid = val.(string)
+			case "proc.name":
+				message.ProcessExecutableName = val.(string)
+			case "span.id":
+				message.SpanId = strconv.Itoa(val.(int))
+			default:
+				continue
+			}
 		}
 	}
 

outputs/dynatrace_test.go

@@ -0,0 +1,106 @@
+package outputs
+
+import (
+	"encoding/json"
+	"strconv"
+	"testing"
+
+	"github.com/falcosecurity/falcosidekick/types"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewDynatracePayload(t *testing.T) {
+	expectedOutput := dtPayload{
+		Payload: []dtLogMessage{
+			{
+				Timestamp:     "2001-01-01T01:10:00Z",
+				EventName:     "Test rule",
+				EventProvider: "Falco",
+				Severity:      "Debug",
+				HostName:      "test-host",
+				LogSource:     "syscalls",
+				Content: dtLogContent{
+					Output: "This is a test from falcosidekick",
+					OutputFields: map[string]interface{}{
+						"proc.name": "falcosidekick",
+						"proc.tty":  float64(1234),
+					},
+					Tags: []string{"test", "example"},
+				},
+				ProcessExecutableName: "falcosidekick",
+			},
+		},
+	}
+
+	var f types.FalcoPayload
+	require.Nil(t, json.Unmarshal([]byte(falcoTestInput), &f))
+
+	output := newDynatracePayload(f)
+	require.Equal(t, output, expectedOutput)
+}
+
+func TestNewDynatracePayloadWithExtraOutputFields(t *testing.T) {
+	const ContainerId = "77d156711504"
+	const ContainerName = "hello-world"
+	const ContainerImageName = "falcosecurity/falco:latest"
+	const K8sNamespaceName = "falco"
+	const K8sPodName = "falco-khx2g"
+	const ProcessExecutableName = "falcosidekick"
+	const SpanId = 1337
+	const MitreTechnique = "T1059"
+	const MitreTactic = "mitre_execution"
+
+	expectedOutput := dtPayload{
+		Payload: []dtLogMessage{
+			{
+				Timestamp:     "2001-01-01T01:10:00Z",
+				EventName:     "Test rule",
+				EventProvider: "Falco",
+				Severity:      "Debug",
+				HostName:      "test-host",
+				LogSource:     "syscalls",
+				Content: dtLogContent{
+					Output: "This is a test from falcosidekick",
+					OutputFields: map[string]interface{}{
+						"container.id":    ContainerId,
+						"container.name":  ContainerName,
+						"container.image": ContainerImageName,
+						"k8s.ns.name":     K8sNamespaceName,
+						"k8s.pod.name":    K8sPodName,
+						"k8s.pod.id":      nil,
+						"proc.name":       ProcessExecutableName,
+						"span.id":         SpanId,
+					},
+					Tags: []string{"test", "example", MitreTechnique, MitreTactic},
+				},
+				ContainerId:           ContainerId,
+				ContainerName:         ContainerName,
+				ContainerImageName:    ContainerImageName,
+				K8sNamespaceName:      K8sNamespaceName,
+				K8sPodName:            K8sPodName,
+				ProcessExecutableName: ProcessExecutableName,
+				SpanId:                strconv.Itoa(SpanId),
+				MitreTactic:           MitreTactic,
+				MitreTechnique:        MitreTechnique,
+			},
+		},
+	}
+
+	var f types.FalcoPayload
+	require.Nil(t, json.Unmarshal([]byte(falcoTestInput), &f))
+	delete(f.OutputFields, "proc.tty")
+	f.OutputFields["container.id"] = ContainerId
+	f.OutputFields["container.name"] = ContainerName
+	f.OutputFields["container.image"] = ContainerImageName
+	f.OutputFields["k8s.ns.name"] = K8sNamespaceName
+	f.OutputFields["k8s.pod.name"] = K8sPodName
+	f.OutputFields["k8s.pod.id"] = nil
+	f.OutputFields["proc.name"] = ProcessExecutableName
+	f.OutputFields["span.id"] = SpanId
+	f.Tags = append(f.Tags, "T1059")
+	f.Tags = append(f.Tags, "mitre_execution")
+
+	output := newDynatracePayload(f)
+	require.Equal(t, output, expectedOutput)
+}