From 40fc3fc888468ee4b1e3d0a39faf4f463094ac35 Mon Sep 17 00:00:00 2001
From: Yakir Oren
Date: Wed, 21 Jan 2026 16:26:40 +0200
Subject: [PATCH] add host rule

Signed-off-by: Yakir Oren
---
 pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml | 1 +
 .../unexpected-sensitive-file-access.yaml | 1 +
 .../exec-from-malicious-source.yaml | 1 +
 pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml | 1 +
 pkg/rules/r1005-fileless-execution/fileless-execution.yaml | 1 +
 .../crypto-mining-domain-communication.yaml | 1 +
 .../crypto-mining-related-port.yaml | 1 +
 .../symlink-created-over-sensitive-file.yaml | 1 +
 .../r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml | 1 +
 9 files changed, 9 insertions(+)

diff --git a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
index 7613cea..cc05f81 100644
--- a/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
+++ b/pkg/rules/r0009-ebpf-program-load/ebpf-program-load.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1218"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "bpf"
 - "ebpf"
 - "applicationprofile"
diff --git a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
index 6017b30..33a22bc 100644
--- a/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
+++ b/pkg/rules/r0010-unexpected-sensitive-file-access/unexpected-sensitive-file-access.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1005"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "files"
 - "anomaly"
 - "applicationprofile"
diff --git a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
index 6ef1960..e223d55 100644
--- a/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
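Review bot: Adding `context:host` to the eBPF-program-load rule declares it for program loads on the node itself, and the sensor that evaluates these rules very likely loads eBPF programs of its own; unless the engine already excludes the agent's own process (nothing in this hunk shows that), the host-scoped rule would alert on its own instrumentation at every start. The hunk changes only tags, so this cannot be settled here — confirm a self-exclusion or host-specific tuning exists before the tag ships, and record it in the rule's description, e.g. `# context:host — the agent's own program loads are excluded by <mechanism>; other host loaders still alert`. The rule's description and condition fields are outside this hunk.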
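Review bot: The sensitive-file-access rule keeps its `applicationprofile` and `anomaly` tags while gaining `context:host`, so it remains a profile-based anomaly rule but is now declared for host-scope events; whether a node-level profile exists for that comparison is not visible here, and without one the rule presumably either never fires on the host or fires on every sensitive-file read. State which of the two it is before merging, and document it in the rule's description, e.g. `# context:host — compared against the node profile; behaviour with no profile: <alert | skip>`. The description field is outside this hunk.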
+++ b/pkg/rules/r1000-exec-from-malicious-source/exec-from-malicious-source.yaml
@@ -28,6 +28,7 @@ spec:
 mitreTechnique: "T1059"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "exec"
 - "signature"
 - "malicious"
diff --git a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
index a692052..8390148 100644
--- a/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
+++ b/pkg/rules/r1002-kernel-module-load/kernel-module-load.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1547.006"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "kmod"
 - "kernel"
 - "module"
diff --git a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
index 1ce4c29..5dcf091 100644
--- a/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
+++ b/pkg/rules/r1005-fileless-execution/fileless-execution.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1055"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "fileless"
 - "execution"
 - "malicious"
diff --git a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
index 25bc7ee..22c728f 100644
--- a/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
+++ b/pkg/rules/r1008-crypto-mining-domain-communication/crypto-mining-domain-communication.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1071.004"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "network"
 - "crypto"
 - "miners"
diff --git a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
index e49c107..fb942ab 100644
--- a/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
+++ b/pkg/rules/r1009-crypto-mining-related-port/crypto-mining-related-port.yaml
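Review bot: Kernel module loads are routine on a host (boot-time modprobe, udev, container runtimes pulling in overlay or netfilter modules), so a `context:host` kernel-module-load rule is likely to be far noisier than the same rule scoped to pods, and this hunk adds only the tag with no host-specific allowlist or profile gating. If the host path is meant to rely on an existing allowlist or profile, say so in the rule description, e.g. `# context:host — boot/udev module loads are expected; host alerts are gated by <allowlist|profile>`; otherwise consider not tagging this rule for host scope until such tuning exists. The rule's condition fields are outside this hunk.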
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1071"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "network"
 - "crypto"
 - "miners"
diff --git a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
index d890e56..45c8723 100644
--- a/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
+++ b/pkg/rules/r1010-symlink-created-over-sensitive-file/symlink-created-over-sensitive-file.yaml
@@ -25,6 +25,7 @@ spec:
 mitreTechnique: "T1005"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "anomaly"
 - "symlink"
 - "applicationprofile"
diff --git a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
index 46e5d2b..c1e43df 100644
--- a/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
+++ b/pkg/rules/r1015-malicious-ptrace-usage/malicious-ptrace-usage.yaml
@@ -25,5 +25,6 @@ spec:
 mitreTechnique: "T1622"
 tags:
 - "context:kubernetes"
+ - "context:host"
 - "process"
 - "malicious"
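Review bot: The symlink-over-sensitive-file rule is tagged `anomaly` and `applicationprofile`, i.e. it depends on a learned profile, yet the hunk adds `context:host` without anything indicating that a node-level profile is available for host-scope events; if none exists the rule's host behaviour (never alert, or alert on every symlink) is undefined from the reader's point of view. Confirm how the engine treats a profile-dependent rule with no host profile and document it in the rule description, e.g. `# context:host — requires a node profile; without one the rule <does not alert | alerts unconditionally>`. The description field is outside this hunk.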