Motivation

This issue aims to discuss the feasibility of supporting per-index access to proc.args and nested proc.args e.g. a nested notion proc.aargs[1][2] for tracking arguments passed by parent or grandparent processes.
This capability could enable process tree–based detection that considers how a process was invoked through its lineage. It would also potentially allow for more precise and expressive detection use cases.

Feature

• Per-index proc.args rule filtering, e.g., proc.args[1], proc.args[2]
• Nested argument access in the process tree, e.g., proc.aargs[1][2]
  (referring to the potential ability to access a specific argument from a specific ancestor process — a nested, positional access pattern for argv across process lineage)

Currently, Falco only supports proc.args as a flat CHARBUF, which somewhat limits the flexibility needed to detect behaviors involving specific arguments passed across a multi-process invocation chain.