Use Go templates for stdout (#630)

Signed-off-by: Simarpreet Singh <simar@linux.com>
aquasecurity · Mar 24, 2021 · 96a39dc · 96a39dc
1 parent 8b8045b
commit 96a39dc
Show file tree

Hide file tree

Showing 11 changed files with 126 additions and 48 deletions.
diff --git a/tracee-rules/Readme.md b/tracee-rules/Readme.md
@@ -39,6 +39,8 @@ Flag name | Description | Example
 `--webhook-url` | The webhook URL | `--webhook-url http://my.webhook/endpoint`
 `--webhook-template` | Path to Go-template that formats the payload to send. Tracee's [Finding](https://github.com/aquasecurity/tracee/blob/28fbc66be8c9f3efa53f617a654cafe7421e8c70/tracee-rules/types/types.go#L46-L50) type is available to use within the template | `--webhook-template /path/to/my.tmpl` <br> See template examples [here](tracee-rules/templates/).
 `--webhook-content-type` | If present, will set the Content-Type HTTP header to match the provided template | `--webhook-content-type application/json`
+`--output-template` | Path to a Go-template that will format the standard logging output to display | `--output-template /path/to/my.tmpl`
+
 
 # Rules
 Rules are discovered from the local `rules` directory (unless changed by the `--rules-dir` flag). By default, all discovered rules will be loaded unless specific rules are selected using the `--rules` flag.

diff --git a/tracee-rules/go.mod b/tracee-rules/go.mod
@@ -3,7 +3,13 @@ module github.com/aquasecurity/tracee/tracee-rules
 go 1.16
 
 require (
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver v1.5.0 // indirect
+	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/aquasecurity/tracee/tracee-ebpf v0.0.0-20210217124138-0575cb7b157d
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/open-policy-agent/opa v0.25.2
 	github.com/stretchr/testify v1.5.1
 	github.com/urfave/cli/v2 v2.3.0

diff --git a/tracee-rules/go.sum b/tracee-rules/go.sum
@@ -2,6 +2,12 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
+github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
+github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
@@ -101,6 +107,7 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
@@ -131,7 +138,11 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
+github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
+github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
+github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
@@ -165,12 +176,16 @@ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/copystructure v1.1.1 h1:Bp6x9R1Wn16SIz3OfeDr0b7RnCG2OB66Y7PQyC/cvq4=
+github.com/mitchellh/copystructure v1.1.1/go.mod h1:EBArHfARyrSWO/+Wyr9zwEkc6XMFB9XyNgFNmRkZZU4=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/reflectwalk v1.0.1 h1:FVzMWA5RllMAKIdUSC8mdWo3XtwoecrH79BY70sEEpE=
+github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
@@ -269,7 +284,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -305,6 +319,7 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

diff --git a/tracee-rules/main.go b/tracee-rules/main.go
@@ -74,7 +74,8 @@ func main() {
 			if inputs == (engine.EventSources{}) {
 				return err
 			}
-			output, err := setupOutput(os.Stdout, realClock{}, c.String("webhook"), c.String("webhook-template"), c.String("webhook-content-type"))
+
+			output, err := setupOutput(os.Stdout, c.String("webhook"), c.String("webhook-template"), c.String("webhook-content-type"), c.String("output-template"))
 			if err != nil {
 				return err
 			}
@@ -111,6 +112,10 @@ func main() {
 				Name:  "input-tracee",
 				Usage: "configure tracee-ebpf as input source. see '--input-tracee help' for more info",
 			},
+			&cli.StringFlag{
+				Name:  "output-template",
+				Usage: "configure output format via templates. Usage: --output-template=path/to/my.tmpl",
+			},
 		},
 	}
 	err := app.Run(os.Args)

diff --git a/tracee-rules/output.go b/tracee-rules/output.go
@@ -12,29 +12,51 @@ import (
 	"text/template"
 	"time"
 
+	"github.com/Masterminds/sprig"
 	tracee "github.com/aquasecurity/tracee/tracee-ebpf/tracee/external"
 	"github.com/aquasecurity/tracee/tracee-rules/types"
 )
 
-const DetectionOutput string = `
+const DefaultDetectionOutputTemplate string = `
 *** Detection ***
-Time: %s
-Signature ID: %s
-Signature: %s
-Data: %s
-Command: %s
-Hostname: %s
+Time: {{ dateInZone "2006-01-02T15:04:05Z" (now) "UTC" }}
+Signature ID: {{ .ID }}
+Signature: {{ .Name }}
+Data: {{ .Finding.Data }}
+Command: {{ .Finding.Context.ProcessName }}
+Hostname: {{ .Finding.Context.HostName }}
 `
 
-func setupOutput(resultWriter io.Writer, clock Clock, webhook string, webhookTemplate string, contentType string) (chan types.Finding, error) {
+func setupTemplate(inputTemplateFile string) (*template.Template, error) {
+	switch {
+	case inputTemplateFile != "":
+		return template.New(filepath.Base(inputTemplateFile)).
+			Funcs(sprig.TxtFuncMap()).
+			ParseFiles(inputTemplateFile)
+	default:
+		return template.New("default").
+			Funcs(sprig.TxtFuncMap()).
+			Parse(DefaultDetectionOutputTemplate)
+	}
+}
+
+func setupOutput(w io.Writer, webhook string, webhookTemplate string, contentType string, outputTemplate string) (chan types.Finding, error) {
 	out := make(chan types.Finding)
+	var err error
 
-	t, err := setupTemplate(webhookTemplate, realClock{})
+	var tWebhook *template.Template
+	tWebhook, err = setupTemplate(webhookTemplate)
 	if err != nil && webhookTemplate != "" {
 		return nil, fmt.Errorf("error preparing webhook template: %v", err)
 	}
 
-	go func(t *template.Template) {
+	var tOutput *template.Template
+	tOutput, err = setupTemplate(outputTemplate)
+	if err != nil && outputTemplate != "" {
+		return nil, fmt.Errorf("error preparing output template: %v", err)
+	}
+
+	go func(w io.Writer, tWebhook, tOutput *template.Template) {
 		for res := range out {
 			sigMetadata, err := res.Signature.GetMetadata()
 			if err != nil {
@@ -44,33 +66,24 @@ func setupOutput(resultWriter io.Writer, clock Clock, webhook string, webhookTem
 
 			switch res.Context.(type) {
 			case tracee.Event:
-				command := res.Context.(tracee.Event).ProcessName
-				hostName := res.Context.(tracee.Event).HostName
-				fmt.Fprintf(resultWriter, DetectionOutput, clock.Now().UTC().Format(time.RFC3339), sigMetadata.ID, sigMetadata.Name, res.Data, command, hostName)
+				if err := tOutput.Execute(w, types.FindingWithMetadata{Finding: res, SignatureMetadata: sigMetadata}); err != nil {
+					log.Println("error writing to output: ", err)
+				}
 			default:
 				log.Printf("unsupported event detected: %T\n", res.Context)
 				continue
 			}
 
 			if webhook != "" {
-				if err := sendToWebhook(t, res, webhook, webhookTemplate, contentType, realClock{}); err != nil {
+				if err := sendToWebhook(tWebhook, res, webhook, webhookTemplate, contentType, realClock{}); err != nil {
 					log.Println(err)
 				}
 			}
 		}
-	}(t)
+	}(w, tWebhook, tOutput)
 	return out, nil
 }
 
-func setupTemplate(webhookTemplate string, clock Clock) (*template.Template, error) {
-	return template.New(filepath.Base(webhookTemplate)).
-		Funcs(map[string]interface{}{
-			"timeNow": func(unixTs float64) string {
-				return clock.Now().UTC().Format("2006-01-02T15:04:05Z")
-			},
-		}).ParseFiles(webhookTemplate)
-}
-
 func sendToWebhook(t *template.Template, res types.Finding, webhook string, webhookTemplate string, contentType string, clock Clock) error {
 	var payload string
 

diff --git a/tracee-rules/output_test.go b/tracee-rules/output_test.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 	"time"
 
@@ -45,10 +46,11 @@ func Test_setupOutput(t *testing.T) {
 	var testCases = []struct {
 		name           string
 		inputContext   interface{}
+		outputFormat   string
 		expectedOutput string
 	}{
 		{
-			name: "happy path with tracee event",
+			name: "happy path with tracee event and default output",
 			inputContext: external.Event{
 				ProcessName: "foobar.exe",
 				HostName:    "foobar.local",
@@ -63,18 +65,39 @@ Command: foobar.exe
 Hostname: foobar.local
 `,
 		},
+		{
+			name: "happy path with tracee event and simple custom output template",
+			inputContext: external.Event{
+				ProcessName: "foobar.exe",
+				HostName:    "foobar.local",
+			},
+			expectedOutput: `*** Detection ***
+Timestamp: 2021-02-23T01:54:57Z
+ProcessName: foobar.exe
+HostName: foobar.local
+`,
+			outputFormat: "templates/simple.tmpl",
+		},
 		{
 			name: "sad path with unknown context",
 			inputContext: struct {
 				foo string
 			}{foo: "bad input context"},
 			expectedOutput: ``,
 		},
+		{
+			name: "sad path with invalid custom template",
+			inputContext: external.Event{
+				ProcessName: "foobar.exe",
+				HostName:    "foobar.local",
+			},
+			outputFormat: "goldens/broken.tmpl",
+		},
 	}
 
 	for _, tc := range testCases {
 		var actualOutput bytes.Buffer
-		findingCh, err := setupOutput(&actualOutput, fakeClock{}, "", "", "")
+		findingCh, err := setupOutput(&actualOutput, "", "", "", tc.outputFormat)
 		require.NoError(t, err, tc.name)
 
 		findingCh <- types.Finding{
@@ -87,7 +110,19 @@ Hostname: foobar.local
 		}
 
 		time.Sleep(time.Millisecond)
-		assert.Equal(t, tc.expectedOutput, actualOutput.String(), tc.name)
+		checkOutput(t, tc.name, actualOutput, tc.expectedOutput)
+	}
+}
+
+func checkOutput(t *testing.T, testName string, actualOutput bytes.Buffer, expectedOutput string) {
+	got := strings.Split(actualOutput.String(), "\n")
+	for _, g := range got {
+		if strings.Contains(g, "Time") {
+			_, err := time.Parse("2006-01-02T15:04:05Z", strings.Split(g, " ")[1])
+			assert.NoError(t, err, testName) // check if time is parsable
+		} else {
+			assert.Contains(t, expectedOutput, g, testName)
+		}
 	}
 }
 
@@ -117,20 +152,16 @@ HostName: foobar.local
 			inputTemplateFile: "templates/simple.tmpl",
 		},
 		{
-			name:              "happy path, with CSV template",
-			contentType:       "text/csv",
-			expectedOutput:    `2021-02-23T01:54:57Z,foobar.exe,foobar.local`,
-			inputTemplateFile: "templates/csv.tmpl",
-		},
-		{
-			name:        "happy path, with XML template",
-			contentType: "application/xml",
-			expectedOutput: `<?xml version="1.0" encoding="UTF-8" ?>
- <detection timestamp="2021-02-23T01:54:57Z">
-    <processname>foobar.exe</processname>
-    <hostname>foobar.local</hostname>
- </detection>`,
-			inputTemplateFile: "templates/xml.tmpl",
+			name:        "happy path with functions from sprig template",
+			contentType: "text/plain",
+			expectedOutput: `{
+  "foo1": "bar1, baz1",
+  "foo2": [
+    "bar2",
+    "baz2"
+  ]
+}`,
+			inputTemplateFile: "templates/sprig.tmpl",
 		},
 		{
 			name: "sad path, with failing GetMetadata func for sig",
@@ -163,7 +194,7 @@ HostName: foobar.local
 		t.Run(tc.name, func(t *testing.T) {
 			ts := httptest.NewServer(http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 				got, _ := ioutil.ReadAll(request.Body)
-				assert.Equal(t, tc.expectedOutput, string(got), tc.name)
+				checkOutput(t, tc.name, *bytes.NewBuffer(got), tc.expectedOutput)
 				assert.Equal(t, tc.contentType, request.Header.Get("content-type"), tc.name)
 			}))
 			defer ts.Close()
@@ -172,7 +203,7 @@ HostName: foobar.local
 				ts.URL = tc.inputTestServerURL
 			}
 
-			inputTemplate, _ := setupTemplate(tc.inputTemplateFile, fakeClock{})
+			inputTemplate, _ := setupTemplate(tc.inputTemplateFile)
 
 			actualError := sendToWebhook(inputTemplate, types.Finding{
 				Data: map[string]interface{}{

diff --git a/tracee-rules/templates/csv.tmpl b/tracee-rules/templates/csv.tmpl
@@ -1 +1 @@
-{{ .Context.Timestamp | timeNow }},{{ .Context.ProcessName }},{{ .Context.HostName }}
+{{ dateInZone "2006-01-02T15:04:05Z" (now) "UTC" }},{{ .Context.ProcessName }},{{ .Context.HostName }}
diff --git a/tracee-rules/templates/simple.tmpl b/tracee-rules/templates/simple.tmpl
@@ -1,4 +1,4 @@
 *** Detection ***
-Timestamp: {{ .Context.Timestamp | timeNow }}
+Timestamp: {{ dateInZone "2006-01-02T15:04:05Z" (now) "UTC" }}
 ProcessName: {{ .Context.ProcessName }}
 HostName: {{ .Context.HostName }}
diff --git a/tracee-rules/templates/sprig.tmpl b/tracee-rules/templates/sprig.tmpl
@@ -0,0 +1 @@
+{{ toPrettyJson .Data }}
diff --git a/tracee-rules/templates/xml.tmpl b/tracee-rules/templates/xml.tmpl
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
- <detection timestamp="{{.Context.Timestamp | timeNow }}">
+ <detection timestamp="{{ dateInZone "2006-01-02T15:04:05Z" (now) "UTC" }}">
     <processname>{{ .Context.ProcessName }}</processname>
     <hostname>{{ .Context.HostName }}</hostname>
  </detection>
diff --git a/tracee-rules/types/types.go b/tracee-rules/types/types.go
@@ -49,3 +49,8 @@ type Finding struct {
 	Context   Event
 	Signature Signature
 }
+
+type FindingWithMetadata struct {
+	Finding
+	SignatureMetadata
+}