Merge pull request #424 from kubescape/feature/remove-fix

Removing fix suggestions to save network

pkg/ruleengine/v1/r0001_unexpected_process_launched.go

@@ -10,8 +10,6 @@ import (
 	"github.com/kubescape/node-agent/pkg/ruleengine"
 	"github.com/kubescape/node-agent/pkg/utils"
 
-	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
-
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 )
 
@@ -59,21 +57,6 @@ func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched
 	return &R0001UnexpectedProcessLaunched{enforceArgs: false}
 }
 
-func (rule *R0001UnexpectedProcessLaunched) generatePatchCommand(event *events.ExecEvent, ap *v1beta1.ApplicationProfile) string {
-	argList := "["
-	for _, arg := range event.Args {
-		argList += "\"" + arg + "\","
-	}
-	// remove the last comma
-	if len(argList) > 1 {
-		argList = argList[:len(argList)-1]
-	}
-	argList += "]"
-	baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"execs\": [{\"path\": \"%s\", \"args\": %s}]}]}}'"
-	return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(),
-		event.GetContainer(), getExecPathFromEvent(event), argList)
-}
-
 func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure {
 	if eventType != utils.ExecveEventType {
 		return nil
@@ -118,8 +101,7 @@ func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventTy
 				"exec":   execPath,
 				"args":   execEvent.Args,
 			},
-			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the exec call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", execPath, execEvent.GetPod(), rule.generatePatchCommand(execEvent, ap)),
-			Severity:       R0001UnexpectedProcessLaunchedRuleDescriptor.Priority,
+			Severity: R0001UnexpectedProcessLaunchedRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0002_unexpected_file_access.go

@@ -12,11 +12,9 @@ import (
 	"github.com/kubescape/node-agent/pkg/objectcache"
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
-	traceropentype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/open/types"
 
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/go-logger/helpers"
-	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
 const (
@@ -82,19 +80,6 @@ func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]inter
 func (rule *R0002UnexpectedFileAccess) DeleteRule() {
 }
 
-func (rule *R0002UnexpectedFileAccess) generatePatchCommand(event *traceropentype.Event, ap *v1beta1.ApplicationProfile) string {
-	flagList := "["
-	for _, arg := range event.Flags {
-		flagList += "\"" + arg + "\","
-	}
-	// remove the last comma
-	if len(flagList) > 1 {
-		flagList = flagList[:len(flagList)-1]
-	}
-	baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"opens\": [{\"path\": \"%s\", \"flags\": %s}]}]}}'"
-	return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(), event.GetContainer(), event.FullPath, flagList)
-}
-
 func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 	if eventType != utils.OpenEventType {
 		return nil
@@ -162,8 +147,7 @@ func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, e
 				"flags": openEvent.Flags,
 				"path":  openEvent.FullPath,
 			},
-			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the open call \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", openEvent.FullPath, openEvent.GetPod(), rule.generatePatchCommand(&openEvent, ap)),
-			Severity:       R0002UnexpectedFileAccessRuleDescriptor.Priority,
+			Severity: R0002UnexpectedFileAccessRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0003_unexpected_system_call.go

@@ -96,9 +96,8 @@ func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, e
 			Arguments: map[string]interface{}{
 				"syscall": syscallEvent.SyscallName,
 			},
-			InfectedPID:    syscallEvent.Pid,
-			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the system call \"%s\" to the whitelist in the application profile for the Pod \"%s\".", syscallEvent.SyscallName, syscallEvent.GetPod()),
-			Severity:       R0003UnexpectedSystemCallRuleDescriptor.Priority,
+			InfectedPID: syscallEvent.Pid,
+			Severity:    R0003UnexpectedSystemCallRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0004_unexpected_capability_used.go

@@ -10,7 +10,6 @@ import (
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 	tracercapabilitiestype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/capabilities/types"
-	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
 const (
@@ -52,12 +51,6 @@ func (rule *R0004UnexpectedCapabilityUsed) ID() string {
 func (rule *R0004UnexpectedCapabilityUsed) DeleteRule() {
 }
 
-func (rule *R0004UnexpectedCapabilityUsed) generatePatchCommand(event *tracercapabilitiestype.Event, ap *v1beta1.ApplicationProfile) string {
-	baseTemplate := "kubectl patch applicationprofile %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"capabilities\": [{\"syscall\": \"%s\", \"caps\": [%s]}]}]}}'"
-	return fmt.Sprintf(baseTemplate, ap.GetName(), ap.GetNamespace(),
-		event.GetContainer(), event.Syscall, event.CapName)
-}
-
 func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 	if eventType != utils.CapabilitiesEventType {
 		return nil
@@ -95,9 +88,8 @@ func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventTyp
 				"syscall":    capEvent.Syscall,
 				"capability": capEvent.CapName,
 			},
-			InfectedPID:    capEvent.Pid,
-			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the capability use \"%s\" to the whitelist in the application profile for the Pod \"%s\". You can use the following command: %s", capEvent.CapName, capEvent.GetPod(), rule.generatePatchCommand(capEvent, ap)),
-			Severity:       R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,
+			InfectedPID: capEvent.Pid,
+			Severity:    R0004UnexpectedCapabilityUsedRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0005_unexpected_domain_request.go

@@ -12,7 +12,6 @@ import (
 
 	apitypes "github.com/armosec/armoapi-go/armotypes"
 	tracerdnstype "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/trace/dns/types"
-	"github.com/kubescape/storage/pkg/apis/softwarecomposition/v1beta1"
 )
 
 const (
@@ -55,12 +54,6 @@ func (rule *R0005UnexpectedDomainRequest) ID() string {
 func (rule *R0005UnexpectedDomainRequest) DeleteRule() {
 }
 
-func (rule *R0005UnexpectedDomainRequest) generatePatchCommand(event *tracerdnstype.Event, nn *v1beta1.NetworkNeighborhood) string {
-	baseTemplate := "kubectl patch networkneighborhood %s --namespace %s --type merge -p '{\"spec\": {\"containers\": [{\"name\": \"%s\", \"dns\": [{\"dnsName\": \"%s\"}]}]}}'"
-	return fmt.Sprintf(baseTemplate, nn.GetName(), nn.GetNamespace(),
-		event.GetContainer(), event.DNSName)
-}
-
 func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
 	if eventType != utils.DnsEventType {
 		return nil
@@ -107,10 +100,6 @@ func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType
 				"protocol":  domainEvent.Protocol,
 				"port":      domainEvent.DstPort,
 			},
-			FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the domain %s to the whitelist in the application profile for the Pod %s. You can use the following command: %s",
-				domainEvent.DNSName,
-				domainEvent.GetPod(),
-				rule.generatePatchCommand(domainEvent, nn)),
 			Severity: R0005UnexpectedDomainRequestRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{

pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go

@@ -143,10 +143,7 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 				"flags": openEvent.Flags,
 			},
 			InfectedPID: openEvent.Pid,
-			FixSuggestions: fmt.Sprintf(
-				"If this is a valid behavior, please add the open call to the whitelist in the application profile for the Pod %s",
-				openEvent.GetPod()),
-			Severity: R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,
+			Severity:    R0006UnexpectedServiceAccountTokenAccessRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0007_kubernetes_client_executed.go

@@ -156,8 +156,7 @@ func (rule *R0007KubernetesClientExecuted) handleExecEvent(event *events.ExecEve
 					"exec": execPath,
 					"args": event.Args,
 				},
-				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-				Severity:       R0007KubernetesClientExecutedDescriptor.Priority,
+				Severity: R0007KubernetesClientExecutedDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0008_read_env_variables_procfs.go

@@ -92,9 +92,8 @@ func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.Ev
 				"path":  openEvent.FullPath,
 				"flags": openEvent.Flags,
 			},
-			InfectedPID:    openEvent.Pid,
-			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-			Severity:       R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,
+			InfectedPID: openEvent.Pid,
+			Severity:    R0008ReadEnvironmentVariablesProcFSRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0009_ebpf_program_load.go

@@ -92,9 +92,8 @@ func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event
 				Arguments: map[string]interface{}{
 					"syscall": syscallEvent.SyscallName,
 				},
-				InfectedPID:    syscallEvent.Pid,
-				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
-				Severity:       R0009EbpfProgramLoadRuleDescriptor.Priority,
+				InfectedPID: syscallEvent.Pid,
+				Severity:    R0009EbpfProgramLoadRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0010_unexpected_sensitive_file_access.go

@@ -117,9 +117,8 @@ func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.Eve
 				"path":  openEvent.FullPath,
 				"flags": openEvent.Flags,
 			},
-			InfectedPID:    openEvent.Pid,
-			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-			Severity:       R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,
+			InfectedPID: openEvent.Pid,
+			Severity:    R0010UnexpectedSensitiveFileAccessRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r0011_unexpected_egress_network_traffic.go

@@ -102,10 +102,6 @@ func (rule *R0011UnexpectedEgressNetworkTraffic) handleNetworkEvent(networkEvent
 					"port":  networkEvent.Port,
 					"proto": networkEvent.Proto,
 				},
-				FixSuggestions: fmt.Sprintf("If this is a valid behavior, please add the IP %s to the whitelist in the application profile for the Pod %s.",
-					networkEvent.DstEndpoint.Addr,
-					networkEvent.GetPod(),
-				),
 				Severity: R0011UnexpectedEgressNetworkTrafficRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{

pkg/ruleengine/v1/r1000_exec_from_malicious_source.go

@@ -78,8 +78,7 @@ func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType
 					Arguments: map[string]interface{}{
 						"hardlink": execEvent.ExePath,
 					},
-					FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
-					Severity:       R1000ExecFromMaliciousSourceDescriptor.Priority,
+					Severity: R1000ExecFromMaliciousSourceDescriptor.Priority,
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1001_exec_binary_not_in_base_image.go

@@ -71,10 +71,9 @@ func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventTyp
 		upperLayer := true
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
-				InfectedPID:    execEvent.Pid,
-				FixSuggestions: "If this is an expected behavior it is strongly suggested to include all executables in the container image. If this is not possible you can remove the rule binding to this workload.",
-				Severity:       R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
+				AlertName:   rule.Name(),
+				InfectedPID: execEvent.Pid,
+				Severity:    R1001ExecBinaryNotInBaseImageRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1002_load_kernel_module.go

@@ -70,10 +70,9 @@ func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event
 		rule.alerted = true
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
-				InfectedPID:    syscallEvent.Pid,
-				FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule",
-				Severity:       R1002LoadKernelModuleRuleDescriptor.Priority,
+				AlertName:   rule.Name(),
+				InfectedPID: syscallEvent.Pid,
+				Severity:    R1002LoadKernelModuleRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1003_malicious_ssh_connection.go

@@ -176,9 +176,8 @@ func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType,
 					"dstPort": sshEvent.DstPort,
 					"srcPort": sshEvent.SrcPort,
 				},
-				InfectedPID:    sshEvent.Pid,
-				FixSuggestions: "If this is a legitimate action, please add the port as a parameter to the binding of this rule",
-				Severity:       R1003MaliciousSSHConnectionRuleDescriptor.Priority,
+				InfectedPID: sshEvent.Pid,
+				Severity:    R1003MaliciousSSHConnectionRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1004_exec_from_mount.go

@@ -83,8 +83,7 @@ func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event ut
 						"exec": execEvent.ExePath,
 						"args": execEvent.Args,
 					},
-					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
-					Severity:       R1004ExecFromMountRuleDescriptor.Priority,
+					Severity: R1004ExecFromMountRuleDescriptor.Priority,
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1005_fileless_execution.go

@@ -80,8 +80,7 @@ func (rule *R1005FilelessExecution) handleExecveEvent(execEvent *events.ExecEven
 				Arguments: map[string]interface{}{
 					"hardlink": execEvent.ExePath,
 				},
-				FixSuggestions: "If this is a legitimate action, please add consider removing this workload from the binding of this rule.",
-				Severity:       R1005FilelessExecutionRuleDescriptor.Priority,
+				Severity: R1005FilelessExecutionRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1006_unshare_system_call.go

@@ -72,10 +72,9 @@ func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event u
 		rule.alreadyNotified = true
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
-				InfectedPID:    syscallEvent.Pid,
-				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule",
-				Severity:       R1006UnshareSyscallRuleDescriptor.Priority,
+				AlertName:   rule.Name(),
+				InfectedPID: syscallEvent.Pid,
+				Severity:    R1006UnshareSyscallRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1007_xmr_crypto_mining.go

@@ -62,10 +62,9 @@ func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event
 	if randomXEvent, ok := event.(*tracerrandomxtype.Event); ok {
 		ruleFailure := GenericRuleFailure{
 			BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-				AlertName:      rule.Name(),
-				InfectedPID:    randomXEvent.Pid,
-				FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-				Severity:       R1007XMRCryptoMiningRuleDescriptor.Priority,
+				AlertName:   rule.Name(),
+				InfectedPID: randomXEvent.Pid,
+				Severity:    R1007XMRCryptoMiningRuleDescriptor.Priority,
 			},
 			RuntimeProcessDetails: apitypes.ProcessTree{
 				ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1008_crypto_mining_domain.go

@@ -179,10 +179,9 @@ func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.E
 		if slices.Contains(commonlyUsedCryptoMinersDomains, dnsEvent.DNSName) {
 			ruleFailure := GenericRuleFailure{
 				BaseRuntimeAlert: apitypes.BaseRuntimeAlert{
-					AlertName:      rule.Name(),
-					InfectedPID:    dnsEvent.Pid,
-					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-					Severity:       R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority,
+					AlertName:   rule.Name(),
+					InfectedPID: dnsEvent.Pid,
+					Severity:    R1008CryptoMiningDomainCommunicationRuleDescriptor.Priority,
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1009_crypto_mining_port.go

@@ -102,9 +102,8 @@ func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType
 						"proto": networkEvent.Proto,
 						"ip":    networkEvent.DstEndpoint.Addr,
 					},
-					InfectedPID:    networkEvent.Pid,
-					FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-					Severity:       R1009CryptoMiningRelatedPortRuleDescriptor.Priority,
+					InfectedPID: networkEvent.Pid,
+					Severity:    R1009CryptoMiningRelatedPortRuleDescriptor.Priority,
 				},
 				RuntimeProcessDetails: apitypes.ProcessTree{
 					ProcessTree: apitypes.Process{

pkg/ruleengine/v1/r1010_symlink_created_over_sensitive_file.go

@@ -79,10 +79,7 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule() {
 }
 
 func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure {
-	logger.L().Debug("Processing event", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType)))
-
 	if !rule.EvaluateRule(eventType, event, objCache.K8sObjectCache()) {
-		logger.L().Debug("Event does not match rule", helpers.String("ruleID", rule.ID()), helpers.String("eventType", string(eventType)))
 		return nil
 	}
 
@@ -102,9 +99,8 @@ func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.E
 				"oldPath": symlinkEvent.OldPath,
 				"newPath": symlinkEvent.NewPath,
 			},
-			InfectedPID:    symlinkEvent.Pid,
-			FixSuggestions: "If this is a legitimate action, please consider removing this workload from the binding of this rule.",
-			Severity:       R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
+			InfectedPID: symlinkEvent.Pid,
+			Severity:    R1010SymlinkCreatedOverSensitiveFileRuleDescriptor.Priority,
 		},
 		RuntimeProcessDetails: apitypes.ProcessTree{
 			ProcessTree: apitypes.Process{