Open Write

content/en/docs/reference/rules/default-macros/open_write.md

latest140 B

yaml

- macro: open_write
  condition: (evt.type=open or evt.type=openat) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0