# Event Kinds Reference
Event kinds are the normalized identifiers Telovix uses across alerts, the Console UI, APIs, SIEM forwarding, webhooks, and detection rules. They are stable strings that appear consistently whether you are reading an alert, filtering the Events view, writing a custom detection rule, or configuring a SIEM destination.
## How to read this reference

Each event kind entry includes:

- Source: what eBPF hook or mechanism generates it
- Default severity: the severity used when no rule overrides it
- Description: what the event means operationally

Severities: info, warning, high, critical.
## Process and lifecycle events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| process_exec | sys_execve / kprobe | info | A process executed via execve. Includes binary path, PID, UID, parent, and ancestor chain. |
| process_exit | sys_exit_group / kprobe | info | A process exited with its exit code. |
| process_fork | sys_fork / kprobe | info | A process forked via clone syscall. |
| process_exec_burst | Aggregation | warning | 5 or more process_exec events from the same parent binary within 1 second are collapsed into a single burst record with a count. |
| process_fork_burst | Aggregation | warning | 3 or more process_fork events from the same parent binary within 1 second are collapsed into a single burst record. |
Burst aggregation: The burst thresholds exist to reduce noise from legitimate process storms (package managers, build systems, init sequences) and prevent heartbeat overload. Burst records include the count and a representative summary; individual events within the burst are not separately stored.
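The collapse rule above, written out as a stand-alone aggregator so you can see what a burst record carries and what happens when a run falls below the threshold or the 1-second window expires. This is an added example, not Telovix's own aggregation code: the event dictionary layout, the use of `parent_executable` as the "parent binary" key, the shape of the burst record's summary, and the sample stream are all assumptions made for the illustration.

```python
"""Added example (not Telovix's own code): collapse process_exec / process_fork
runs into *_burst records using the thresholds stated on the page:
5+ process_exec or 3+ process_fork events from the same parent binary within
1 second become one burst record carrying a count and a representative summary.
Event field names and the sample stream are constructed for this example."""
from collections import defaultdict

BURST_THRESHOLDS = {"process_exec": 5, "process_fork": 3}  # from the reference
WINDOW_SECONDS = 1.0


def aggregate_bursts(events):
    """Return the stream with qualifying runs collapsed into burst records.

    Events are dicts with event_kind, observed_at (seconds as float),
    parent_executable and process_executable; input is assumed time-sorted.
    Kinds that are not burst-aggregated pass through untouched. This is a
    batch aggregator: a window is closed when the next event for the same
    (kind, parent) key falls outside it, or at end of stream.
    """
    out = []
    windows = defaultdict(list)  # (kind, parent_executable) -> events in the open window

    def flush(key):
        run = windows.pop(key, [])
        if not run:
            return
        kind, parent = key
        if len(run) >= BURST_THRESHOLDS[kind]:
            out.append({
                "event_kind": f"{kind}_burst",
                "severity": "warning",  # default severity of the burst kinds
                "observed_at": run[0]["observed_at"],
                "parent_executable": parent,
                "count": len(run),
                # representative summary (assumed layout): distinct children seen
                "summary": sorted({e["process_executable"] for e in run}),
            })
        else:
            out.extend(run)  # below threshold: individual events are kept

    for ev in events:
        kind = ev["event_kind"]
        if kind not in BURST_THRESHOLDS:
            out.append(ev)
            continue
        key = (kind, ev["parent_executable"])
        run = windows[key]
        if run and ev["observed_at"] - run[0]["observed_at"] > WINDOW_SECONDS:
            flush(key)  # window expired: emit what we have, start a new one
            run = windows[key]
        run.append(ev)

    for key in list(windows):
        flush(key)
    out.sort(key=lambda e: e["observed_at"])  # restore chronological order
    return out


def sample_events():
    """Constructed sample: make(1) spawning six compilers inside 0.5 s (collapses),
    one unrelated exec, two sshd forks (below threshold), and a later make child
    that arrives after the window has expired."""
    make_times = [100.0, 100.1, 100.2, 100.3, 100.4, 100.5]
    evs = [{"event_kind": "process_exec", "observed_at": t,
            "parent_executable": "/usr/bin/make", "process_executable": "/usr/bin/cc"}
           for t in make_times]
    evs += [
        {"event_kind": "process_exec", "observed_at": 100.35,
         "parent_executable": "/bin/bash", "process_executable": "/usr/bin/ls"},
        {"event_kind": "process_fork", "observed_at": 100.45,
         "parent_executable": "/usr/sbin/sshd", "process_executable": "/usr/sbin/sshd"},
        {"event_kind": "process_fork", "observed_at": 100.65,
         "parent_executable": "/usr/sbin/sshd", "process_executable": "/usr/sbin/sshd"},
        {"event_kind": "process_exec", "observed_at": 103.0,
         "parent_executable": "/usr/bin/make", "process_executable": "/usr/bin/ld"},
    ]
    evs.sort(key=lambda e: e["observed_at"])
    return evs


if __name__ == "__main__":
    for record in aggregate_bursts(sample_events()):
        print(record["observed_at"], record["event_kind"], record.get("count", ""))
```

Running it collapses the six `make` execs into one `process_exec_burst` with `count` 6, leaves the two `sshd` forks as individual `process_fork` events because they are below the threshold of 3, and keeps the `ld` exec separate because it arrives more than a second after the window opened.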
## File and integrity events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| file_open | openat / kprobe | info | A process opened a sensitive system file (credentials, SSH keys, PAM configuration). Only fires for paths in the FIM watch list. |
| file_write | sys_write + VFS_WRITE / kprobe | critical | A process wrote to a sensitive system file. Covers credential modification, binary replacement, and persistence mechanisms. |
| file_mmap | sys_mmap_pgoff / kprobe | warning | A process memory-mapped an executable file. Indicates potential code injection. |
| file_unlink | sys_unlink / kprobe | warning | A file was deleted. Relevant for log tampering detection. |
| fim_alert | Baseline hash mismatch | critical | A file integrity violation fired. A binary or system configuration file was modified since the enrolled baseline hash. |
## Network and flow events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| network_connect | tcp_connect / kprobe | info | An outbound TCP or UDP connection was initiated. Includes binary, destination IP and port, PID, and UID. |
| network_accept | inet_csk_accept / kprobe | info | A server-side TCP accept completed. Identifies inbound connections with process attribution. |
| network_listen | inet_listen / kprobe | warning | A process opened a listening TCP socket. Warning severity because unexpected listeners indicate potential backdoor ports. |
| network_flow | tcp_connect + tcp_close / aggregation | info | A completed TCP flow record with final state, duration, and bytes sent. Generated when the connection closes. |
| tcp_close | tcp_close / kprobe | info | A TCP connection closed. Used internally for flow tracking; may appear in raw event queries. |
| socket_create | inet_create / kprobe | info | A socket was created (TCP, UDP, AF_UNIX). |
| socket_bind | inet_bind / kprobe | info | A socket was bound to an address and port. |
| socket_listen | inet_listen / kprobe | warning | A socket was placed in LISTEN state. Potential C2 server indicator. |
| socket_connect | inet_stream_connect / kprobe | info | A socket connected to a remote peer. |
## DNS events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| dns_query | udp_sendmsg + port 53/853/5353 / kprobe | info | A DNS query was sent. Covers UDP port 53, DoT port 853, and mDNS port 5353. Queries to non-standard resolvers are flagged as C2 indicators. |
| dns_lookup | getaddrinfo / uprobe | info | A userspace hostname lookup via getaddrinfo() occurred before a network connection. |
| dns_resolution | Correlation | info | A correlated hostname-to-IP mapping resolved from getaddrinfo() plus network_connect timing. |
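The "non-standard resolver" check mentioned in the dns_query row, reconstructed as stand-alone detection logic. This is an added example and not the sensor's implementation: the page does not say how Telovix learns the expected resolver set, so this version reads it from resolv.conf text; the event field names `dst_ip` and `dst_port`, the treatment of mDNS multicast groups as a separate class, and the sample configuration and events are assumptions made for the illustration.

```python
"""Added example (not Telovix's own code): classify dns_query events as going
to a standard resolver, to an mDNS multicast group, or to a non-standard
resolver. Ports 53/853/5353 are the ones listed on the page; the resolver
set is parsed from resolv.conf text (an assumption); field names dst_ip and
dst_port and the sample data are constructed for this example."""
import ipaddress

DNS_PORTS = {53, 853, 5353}  # UDP 53, DoT 853, mDNS 5353 (from the reference)
# Well-known mDNS multicast groups; queries to these on 5353 are host discovery,
# not resolver traffic, so they are reported separately rather than flagged.
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}


def parse_resolv_conf(text):
    """Return the set of nameserver addresses declared in resolv.conf text.

    Handles '#' and ';' comments and skips malformed nameserver lines.
    """
    servers = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not an IP literal; ignore the entry
    return servers


def classify_dns_query(ev, resolvers):
    """Return 'standard', 'mdns' or 'non_standard_resolver' for one dns_query event."""
    dst = ipaddress.ip_address(ev["dst_ip"])
    port = ev["dst_port"]
    if port == 5353 and dst in MDNS_GROUPS:
        return "mdns"
    if port in DNS_PORTS and dst in resolvers:
        return "standard"
    return "non_standard_resolver"


def flag_non_standard(events, resolv_conf_text):
    """Return the dns_query events whose destination is not a configured resolver."""
    resolvers = parse_resolv_conf(resolv_conf_text)
    return [ev for ev in events
            if ev["event_kind"] == "dns_query"
            and classify_dns_query(ev, resolvers) == "non_standard_resolver"]


# Constructed resolv.conf for the example (RFC 5737 / 3849 documentation ranges).
SAMPLE_RESOLV_CONF = """\
# constructed resolv.conf
search example.internal
nameserver 10.0.0.2   # primary
nameserver 2001:db8::53
nameserver not-an-ip
options edns0
"""


def sample_dns_events():
    """Constructed sample events in the field layout assumed above."""
    return [
        {"event_kind": "dns_query", "process_executable": "/usr/bin/curl",
         "dst_ip": "10.0.0.2", "dst_port": 53},
        {"event_kind": "dns_query", "process_executable": "/usr/bin/curl",
         "dst_ip": "2001:db8::53", "dst_port": 853},
        {"event_kind": "dns_query", "process_executable": "/usr/sbin/avahi-daemon",
         "dst_ip": "224.0.0.251", "dst_port": 5353},
        {"event_kind": "dns_query", "process_executable": "/tmp/updater",
         "dst_ip": "198.51.100.7", "dst_port": 53},
        {"event_kind": "network_connect", "process_executable": "/usr/bin/curl",
         "dst_ip": "198.51.100.7", "dst_port": 443},
    ]


if __name__ == "__main__":
    for ev in flag_non_standard(sample_dns_events(), SAMPLE_RESOLV_CONF):
        print("non-standard resolver:", ev["process_executable"], ev["dst_ip"], ev["dst_port"])
```

Only the query from `/tmp/updater` to `198.51.100.7` is flagged; the mDNS query is classified as `mdns` so that service discovery chatter does not show up as a resolver anomaly, and the `network_connect` event is ignored because the check applies to `dns_query` only.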
## Security and identity events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| privilege_change | sys_setuid / kprobe | warning | setuid or setgid was called. Identity change detected. |
| namespace_create | sys_clone + CLONE_NEW* / kprobe | warning | A process created a Linux namespace. Normal for container runtimes; CLONE_NEWUSER indicates UID 0 inside the namespace, which warrants investigation outside container contexts. |
| ptrace | sys_ptrace / kprobe | warning | A process attached to another with ptrace. Anti-forensics risk. |
| cap_change | cap_capable / LSM | warning | A capability check result changed. Indicates capability bypass attempts. |
| signal | sys_kill / kprobe | warning | A signal was sent to another process. Relevant for lateral movement patterns. |
| capability_audit | cap audit / LSM | warning | Unexpected capability usage observed. |
## LSM hook events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| lsm_exec | LSM security hook | info | An LSM-backed execution security hook fired. |
| lsm_net_connect | LSM security hook | info | An LSM-backed network security hook fired. |
| lsm_file_open | LSM security hook | info | An LSM-backed file open observation fired. |
| lsm_setuid | LSM security hook | warning | An LSM-backed identity change or privileged execution event fired. |
| lsm_mount | LSM security hook | warning | A mount-related LSM hook fired. |
| lsm_kernel_read | LSM security hook | warning | A kernel or privileged file read hook fired. |
## Kernel and eBPF integrity events

| Event kind | Source hook | Default severity | Description |
|---|---|---|---|
| module_load | sys_init_module / kprobe | high | A kernel module was loaded. Rootkit indicator when unexpected. |
| bpf_object_get | sys_bpf + BPF_OBJ_GET_INFO_BY_FD / kprobe | critical | Access to a BPF map was observed. Potential tampering with the sensor monitoring itself. |
| bpf_map_update | sys_bpf + BPF_MAP_UPDATE_ELEM / kprobe | critical | An eBPF map was modified. Indicates potential sensor disablement or evasion. |
| bpf_tampering | BPF program or map access | critical | An eBPF program or map was tampered with. Sensor disablement risk. |
## Application-layer events

These events are generated from protocol parsing at the application layer, not from kernel hooks.

| Event kind | Source | Default severity | Description |
|---|---|---|---|
| api_session | HTTP/2 or gRPC frame capture | info | An application-layer session observed for HTTP/2, gRPC, or 5G SBI NF-to-NF communication. |
| api_call | gRPC method decoding or HTTP path extraction | info | An application-layer API call observed in HTTP/2 or 5G SBI traffic. |
## Alert system and detection events

These event kinds are generated by the Console alert system, behavioral analytics, or custom rules rather than directly by eBPF hooks.

| Event kind | Category | Default severity | Description |
|---|---|---|---|
| security_violation | Security | critical | Generic security policy violation from a pack or LSM rule. |
| anomalous_behavior | Behavioral | warning | Behavior deviates from the established baseline for this process. |
| custom_detection | Custom | warning | Matched a user-defined custom detection rule. |
| enforcement_action | Enforcement | info | A policy enforcement action was taken: process killed or packet dropped. |
| guardian_profile_violation | Guardian | warning | A Guardian Profile detected behavior outside the approved behavioral envelope. |
## O-RAN WG11 and telecom protocol events

These events are generated by the telecom flavor sensor from protocol parsing and O-RAN monitoring modules.

### Signaling protocol events

| Event kind | Default severity | Description |
|---|---|---|
| ngap_procedure | info | An NGAP control-plane procedure or KPI event was observed on the N2 interface. |
| pfcp_session | info | A PFCP session or control event was observed on the N4 interface. |
| gtpu_tunnel | info | A GTP-U tunnel lifecycle event was observed. |
| sbi_request | info | An SBI request between 5G Core network functions was observed. |
| sbi_response | info | An SBI response between 5G Core network functions was observed. |
| diameter_message | info | A Diameter protocol message was observed. |
| radius_message | info | A RADIUS authentication or accounting message was observed. |
| m3ua_transport_up | info | An M3UA or SIGTRAN transport association came up. |
| oran_e2_peer | info | An O-RAN E2 peer relationship was observed. |
### O1 management plane events (WG11: ORAN_O1)

| Event kind | Default severity | Description |
|---|---|---|
| k2_o1_new_peer | high | A new management peer appeared on the O1 plane after the learning window. |
| k2_o1_public_management_peer | critical | An O1 management peer connected from a public internet IP address. |
| k2_o1_peer_changed | high | A previously known O1 peer address changed. |
| k2_o1_callhome_unexpected | high | Unexpected NETCONF call-home behavior was observed. |
| k2_o1_wrong_process | high | A non-management process attempted to use the O1 management path. |
### O2 infrastructure events (WG11: ORAN_O2)

| Event kind | Default severity | Description |
|---|---|---|
| k3_o2_public_peer | critical | An O2 infrastructure management peer connected from a public internet IP. |
| k3_o2_new_caller | high | A new or unclassified caller used the O2 REST interface. |
| k3_o2_destructive_operation | critical | A destructive infrastructure operation was attempted by an unauthorized process. |
### E2 interface and RIC events (WG11: ORAN_E2, ORAN_XAPP)

| Event kind | Default severity | Description |
|---|---|---|
| oran_e2_public_peer | critical | An E2 peer connected from a public internet IP address. |
| oran_e2_peer_change | high | A previously known E2 peer address changed. |
| oran_e2_multi_ric | high | More than one RIC peer was observed for a single xApp or E2 agent. |
| oran_e2_wrong_process | high | A non-RAN process used the E2 interface. |
| oran_e2_unclassified_agent | warning | An unclassified binary accessed the E2 interface. |
| oran_e2_port_anomaly | high | E2-like signaling appeared on a non-standard port. |
| oran_api_a1_policy | high | A1 policy operations were attempted from an unauthorized caller. |
| oran_api_route_modification | high | Near-RT RIC route manipulation was attempted by an unexpected process. |
| oran_api_e2t_access | high | Unexpected access to E2 termination surfaces was observed. |
| oran_api_kpm_caller_violation | high | A non-RIC process accessed KPM-related interfaces. |
| oran_api_high_volume | warning | High-volume O-RAN API or KPM behavior was observed. |
| oran_api_f1e1_boundary | high | A non-authorized process crossed the F1 or E1 interface boundary. |
## Event structure

Every event delivered to the Console has this normalized structure:

| Field | Description |
|---|---|
| event_id | Unique identifier in the format {event_kind}_{timestamp}_{hash} |
| event_kind | The event kind string from this reference |
| severity | info, warning, high, or critical |
| observed_at | ISO 8601 timestamp when the event occurred |
| process_executable | Full path of the process |
| process_name | Process name (comm) |
| process_pid | Process ID |
| process_uid | User ID of the process |
| parent_executable | Full path of the parent process |
| parent_pid | Parent process ID |
| ancestors_json | JSON-encoded ancestor chain |
| k8s_namespace | Kubernetes namespace (if applicable) |
| k8s_pod_name | Kubernetes pod name (if applicable) |
| nf_role | Declared NF role of the sensor (telecom flavor) |
| detected_class | MITRE-style detection class label |
| message | Human-readable event description |
| suppressed | Whether this event is suppressed by an active suppression rule |
| pack_id | Policy pack that generated the event |
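A consumer-side check of this structure, of the kind you would run on records pulled from the API or received at a SIEM or webhook destination, together with the programmatic equivalent of filtering by event kind (and a minimum severity) for forwarding. This is an added example, not Telovix's published schema or client code: which fields are treated as required versus optional, the exact parsing of the `{event_kind}_{timestamp}_{hash}` identifier, and the sample records are assumptions made for the illustration.

```python
"""Added example (not Telovix's own code): validate a normalized event record
against the field list on this page and select events by kind and minimum
severity before forwarding. Which fields are required, the event_id layout
(digits for timestamp, lowercase hex for hash) and the sample records are
assumptions/constructed for this example."""
import json
import re

SEVERITIES = ("info", "warning", "high", "critical")  # page's values, lowest first
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITIES)}

# Assumption: the k8s_* fields, nf_role and pack_id are optional, since the
# table marks them "if applicable", flavor-specific, or pack-dependent.
REQUIRED_FIELDS = (
    "event_id", "event_kind", "severity", "observed_at", "process_executable",
    "process_name", "process_pid", "process_uid", "parent_executable",
    "parent_pid", "ancestors_json", "detected_class", "message", "suppressed",
)

# event_id is documented as {event_kind}_{timestamp}_{hash}. Event kinds contain
# underscores themselves, so the regex anchors on the trailing timestamp and
# hash; the digit/hex character classes are an assumption about the format.
EVENT_ID_RE = re.compile(r"^(?P<kind>[a-z0-9_]+)_(?P<ts>\d+)_(?P<hash>[0-9a-f]+)$")


def validate_event(ev):
    """Return a list of problems; an empty list means the record is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in ev]
    if problems:
        return problems
    if ev["severity"] not in SEVERITY_RANK:
        problems.append(f"unknown severity: {ev['severity']!r}")
    m = EVENT_ID_RE.match(ev["event_id"])
    if not m or m.group("kind") != ev["event_kind"]:
        problems.append(f"event_id {ev['event_id']!r} does not match event_kind {ev['event_kind']!r}")
    try:
        if not isinstance(json.loads(ev["ancestors_json"]), list):
            problems.append("ancestors_json is not a JSON array")
    except json.JSONDecodeError:
        problems.append("ancestors_json is not valid JSON")
    if not isinstance(ev["suppressed"], bool):
        problems.append("suppressed must be a boolean")
    return problems


def select_events(events, kinds=None, min_severity="info", include_suppressed=False):
    """Keep events whose kind is in `kinds` (None = any) and whose severity is at
    least `min_severity`; suppressed events are dropped unless asked for."""
    floor = SEVERITY_RANK[min_severity]
    return [ev for ev in events
            if (kinds is None or ev["event_kind"] in kinds)
            and SEVERITY_RANK[ev["severity"]] >= floor
            and (include_suppressed or not ev["suppressed"])]


def sample_events():
    """Constructed sample records in the page's normalized layout; the last one
    has a deliberately malformed event_id hash."""
    base = {
        "observed_at": "2024-06-01T12:00:00Z", "process_executable": "/usr/bin/vim",
        "process_name": "vim", "process_pid": 4242, "process_uid": 0,
        "parent_executable": "/bin/bash", "parent_pid": 4100,
        "ancestors_json": json.dumps(["/bin/bash", "/usr/sbin/sshd", "/sbin/init"]),
        "detected_class": "credential-access", "suppressed": False,
    }
    return [
        dict(base, event_id="file_write_1717243200_9f3a2b", event_kind="file_write",
             severity="critical", message="write to /etc/shadow"),
        dict(base, event_id="file_open_1717243199_1c0de5", event_kind="file_open",
             severity="info", message="open /etc/shadow"),
        dict(base, event_id="network_listen_1717243210_77aa01", event_kind="network_listen",
             severity="warning", message="listen on 0.0.0.0:8443", suppressed=True),
        dict(base, event_id="fim_alert_1717243220_BADID", event_kind="fim_alert",
             severity="critical", message="baseline hash mismatch for /usr/bin/sudo"),
    ]


if __name__ == "__main__":
    records = sample_events()
    for ev in records:
        print(ev["event_id"], validate_event(ev) or "ok")
    for ev in select_events(records, kinds={"file_write", "file_open"}, min_severity="warning"):
        print("forward:", ev["event_kind"], ev["severity"])
```

Validation and selection are kept separate on purpose: a forwarding pipeline should reject or quarantine malformed records (here the `fim_alert` with a non-hex hash) before the kind and severity filter sees them, rather than silently dropping them inside the filter.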
## Filtering events by kind

Filter events by kind using the event kind dropdown in the Events view. Select one or more event kinds from the dropdown to narrow the event list to matching records.

Screenshot (events-kind-filter): Events view showing the event kind dropdown filter with a list of available kinds and a multi-select interface.