Thesis Questions: Interpreting Sysdig system call output


EMS

Nov 29, 2022, 9:41:14 AM
to sysdig
Hello,
I am writing my bachelor thesis with the topic of formatting output from a system call based IDS to log data that is usable for (human) analysis through a SIEM.

The system calls are recorded using the sysdig CLI and I am currently working on getting the most information out of the sysdig event strings (that are the output of the IDS).

My questions concern the event arguments:
  • base64 buffer content is stored under 'data'. Is it possible to decode the data argument for further analysis? I've simply tried to decode the string with an online tool, which did not work.
  • What does the 'res' argument mean? The size of the return?
  • Using the raw system call line, is there a possibility to get socket information regarding the protocol type (TCP/UDP)?
If someone has some resources for me that answer my questions or knows the answers right away, I would be happy to learn.

Also, if there are any ideas on which information to extract from the raw sysdig system call output that might be helpful for analysis - let me know :-)

Emmely
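The following is an added example, not part of the original post and not code from the sysdig project, that parses sysdig's default text output and addresses the three questions above: decoding the base64 `data` argument, reading `res` as the system call's return value (a byte count for read/write-style calls, negative with an errno name on failure), and recovering the socket type from the `<4t>`/`<4u>`/`<6t>`/`<6u>` code sysdig prints before a socket fd's name. It assumes sysdig was run with `-b`, so buffers are emitted as base64 (without `-b` the default output prints the buffer as escaped text, which is why an online base64 decoder fails on it); the sample lines and the fd type code table are constructed assumptions, and codes not in the table are reported as unknown so nothing is guessed.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in sysdig's default text format
# (evt.num, time, cpu, proc.name, (tid), direction, evt.type, evt.info),
# written as if captured with `sysdig -b` so buffers appear as base64.
# These are not real captures.
SAMPLE_LINES = [
    "1201 14:23:01.123456789 0 curl (2211) < read fd=9(<4t>172.17.0.2:57936->93.184.216.34:80) res=17 data=SFRUUC8xLjEgMjAwIE9LDQo=",
    "1202 14:23:01.223456789 1 nginx (880) < recvfrom fd=12(<4u>10.0.0.5:53->10.0.0.2:41234) res=-11(EAGAIN) data=",
    "1203 14:23:01.323456789 0 bash (2199) < write fd=1(<f>/dev/pts/0) res=6 data=aGVsbG8K",
]

# Type codes sysdig prints in angle brackets in front of an fd's name.
# Assumed table: codes not listed here are reported as "unknown(<code>)";
# check the fd.type values documented for your sysdig version.
FD_TYPE_CODES = {
    "4t": "IPv4 TCP socket", "4u": "IPv4 UDP socket",
    "6t": "IPv6 TCP socket", "6u": "IPv6 UDP socket",
    "u": "Unix socket", "f": "file", "p": "pipe",
}

HEADER_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<time>\S+)\s+(?P<cpu>\d+)\s+(?P<proc>\S+)\s+"
    r"\((?P<tid>\d+)\)\s+(?P<dir>[<>])\s+(?P<type>\w+)\s*(?P<info>.*)$"
)
ARG_RE = re.compile(r"(\w+)=(\S*)")          # key=value tokens of evt.info
FD_RE = re.compile(r"^(?P<num>-?\d+)\((?:<(?P<code>[^>]+)>)?(?P<name>.*)\)$")
RES_RE = re.compile(r"^(?P<val>-?\d+)(?:\((?P<errno>[A-Z0-9_]+)\))?$")


@dataclass
class SysdigEvent:
    num: int
    time: str
    cpu: int
    proc: str
    tid: int
    direction: str                 # ">" = syscall enter, "<" = syscall exit
    evt_type: str
    args: dict = field(default_factory=dict)
    fd_num: Optional[int] = None
    fd_kind: Optional[str] = None  # human-readable type from FD_TYPE_CODES
    fd_name: Optional[str] = None  # path, or "src:port->dst:port" for sockets
    res: Optional[int] = None      # syscall return value (exit events only)
    errno_name: Optional[str] = None
    data: Optional[bytes] = None   # decoded buffer; None if not valid base64


def decode_data(value: str) -> Optional[bytes]:
    """Decode a base64 'data' argument. Returns None when the value is not
    valid base64 (e.g. sysdig ran without -b and printed escaped text)."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_fd(value: str):
    """Split 'N(<code>name)' into (fd number, fd kind, name)."""
    m = FD_RE.match(value)
    if not m:
        return None, None, None
    code = m.group("code")
    kind = FD_TYPE_CODES.get(code, f"unknown({code})") if code else None
    return int(m.group("num")), kind, m.group("name")


def parse_res(value: str):
    """Split '17' or '-11(EAGAIN)' into (int value, errno name or None)."""
    m = RES_RE.match(value)
    if not m:
        return None, None
    return int(m.group("val")), m.group("errno")


def parse_line(line: str) -> Optional[SysdigEvent]:
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = SysdigEvent(int(m["num"]), m["time"], int(m["cpu"]), m["proc"],
                     int(m["tid"]), m["dir"], m["type"])
    ev.args = dict(ARG_RE.findall(m["info"]))
    if "fd" in ev.args:
        ev.fd_num, ev.fd_kind, ev.fd_name = parse_fd(ev.args["fd"])
    if "res" in ev.args:
        ev.res, ev.errno_name = parse_res(ev.args["res"])
    if "data" in ev.args:
        ev.data = decode_data(ev.args["data"])
    return ev


def describe_res(ev: SysdigEvent) -> str:
    """'res' is the kernel's return value: bytes transferred for read/write-
    style calls, negative (with the errno name sysdig appends) on failure."""
    if ev.res is None:
        return "no return value (enter event or missing res)"
    if ev.res < 0:
        return f"failed: {ev.errno_name or 'errno'} ({ev.res})"
    return f"{ev.res} bytes transferred"


def data_truncated(ev: SysdigEvent) -> bool:
    """True when the decoded buffer is shorter than res, i.e. the capture
    snaplen (sysdig -s, 80 bytes by default) cut the buffer off."""
    return ev.data is not None and ev.res is not None \
        and ev.res > 0 and len(ev.data) < ev.res


def parse_lines(lines):
    return [ev for ev in map(parse_line, lines) if ev is not None]


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev.proc, ev.evt_type, ev.fd_kind, ev.fd_name,
              describe_res(ev), ev.data, "truncated" if data_truncated(ev) else "")
```

For SIEM ingestion it is usually simpler to let sysdig emit the fields directly instead of re-parsing the text: `sysdig -l` lists the available fields, and a `-p` format with `%fd.type` and `%fd.l4proto` gives the socket family and TCP/UDP distinction without decoding the `<4t>` code (assumption: field names as listed by your sysdig version).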