Secure Events
It provides a navigable interface to:
Find and surface insights around the most relevant security events in your infrastructure.
Slice and dice your event data using multiple filters and scopes to hone into the events that will require further inspection or remediation actions.
Inspect any items using an advanced event detail panel.
Follow up on forensics, activity audits, etc., by directly linking to other sections of the product for additional event information.
Without filters or scope defined, the event list comprises all events within the timeline, in chronological order. Click on an event to open the event detail panel on the right.
Review Summary and Filter Secure Events
The panel at the top of the page, together with the time-span selector at the bottom, provide a high-level summary of the events during the chosen timeframe - anywhere from 10 minutes to 3 days or more.
The summary shows the:
Top number of events per
Cluster
,Node
,Namespace
,Workload
,Image
, plus byRule name
orMITRE
attack.Number of events by severity (
High
/Med
/Low
/Info
)By default, High, Med, and Low are selected. Deselect to see, for example, just High severity events.
Group-by selector: currently, you can choose to group the events list by Policy.
Click elements to add them to filter expressions (see below).
Using the Filter Bar
Building expressions in the improved filter bar is simpler and cleaner than in the original filter UI. Both use the Filter Expression Elements described below.
Build expressions from the drop-down options: Click
Add Filter
for an initial drop-down list of valid scope elements. Keep clicking in the filter bar to be presented with the next logical operand and value to add to your expression.Build expressions using elements from the Events list: Click the operand after an element in an event to add it directly to the filter expression.
Add priority or type filters and save a constructed expression as a Favorite or set as the Default filter
Understanding Filter Expression Elements
Note that the filters are additive. For example, if you set the Type to Image Scanning events and don’t see what you expected, make sure the scope and time span have also been set appropriately.
You construct a filtering expression from the following elements:
Scope
By default, the Event scope encompasses Everywhere
, but you can define
the environment scope(containers
, namespaces
, etc.) to limit the
range. Those environment limits are assigned to the team active
during the scope definition.
See also: Team Scope and the Event Feed, below.
Free-Text Search
You can search by the event title and scope label values, such as “my-cluster-name,” visible in the events lists.
Type
Events include both Runtime
and Image Scanning
events.
Runtime events correspond to the rules and violations defined in Policies.
Image Scanning events correspond to the runtime scanning alerts.
Severity
Use the appropriate buttons to filter events by High, Medium, Low, and Info level of severity, corresponding to the levels defined in the relevant runtime Policies or runtime scanning alerts.
Group by
When a particular policy is generating many events, use the Group by: Policy option to sort the event feed into a more useable list.
No group | Grouped by policy |
Time Span
As in the rest of the Sysdig Platform interface, you can set the time span by date ranges using the calendar pop-up, and in increments from 10 minutes to 3 days. You can additionally use the calendar picker to select other time ranges that are not available as fast buttons.
Attributes
Under Details, hover over an attribute to reveal the =/!=
filter button and click to add to the Attribute filter.
Event Detail Panel
The Event Detail contents vary depending on the selected event. In general, the following are always present:
Attributes on which you can filter directly:
See the Attributes, above.
Action Buttons, sometimes grouped under “Respond”:
Only relevant activity links are displayed for each event detail.
If relevant, the Captures button links to Captures. See also: Quick Link to Captures from Runtime Events.
If set up in the associated policy, a View Runbook link or button connects your company’s procedure documents. The image below shows how it may appear as a single button or under Respond, depending how many actions have been enabled.
For Runtime events, the Activity shortcut button is available and links to Activity Audit.
For Image Scanning, the Scan Results shortcut links to the Scan Results page.
For a birds-eye view of the related network activity and the ability to create a netsec policy, the Network Activity shortcut links to the Netsec page. See also: Quick Link to Netsec Typology.
For auto-tuning policies to reduce noisy false positives, the Tunable Events shortcut provides a link the Runtime Policy Tuner. Note that the tuner only detects and alerts on rules that have exception definition, so the link does not necessarily appear on every event. See also: Tunable Exceptions.
Edit Policy Shortcut:
For image scanning: Links to the runtime alert that generated the event.
For policy (runtime) events: Links to the runtime rule that created the event, as well as the rule type (i.e. Falco - Syscall) and the labels associated with that rule.
All three elements are filterable using the attribute filter widgets (see above).
View Rule
Click the View Rule button to slide the out the rule detail panel for review.
Scope
The new scope selector allows for additional selector logic (such as: in, not in, contains, or starts-with), improving the scoping flexibility over previous versions. This scope selector also provides scope variables, allowing you to quickly switch between, for example, Kubernetes namespaces without having to edit the panel scope. See also: Team Scope and the Event Feed.
Note that the scope details listed can be entered in the free-text search field if desired.
Portable URLs
The Event Feed URL maintains the current filters, scope, and selected elements. You can share this URL with other users to allow them to display the same data.
Live/Pause Button
When live, events continually update. Use Pause
to focus on a
section of the screen and not continue scrolling away in a noisy
environment.
Process Trees (Preview)
With Sysdig Agent v12.15, the Event Detail panel can be enhanced with process tree visualizations for workload-related events. This feature is in Technical Preview status.
Enable the Feature
- Install Sysdig Agent v12.15+
- Agent 12.16+ this feature is enabled by default, no agent configuration needed
- Agent 12.15 - Modify the agent ConfigMap and set
enrich_with_process_lineage: true
- Log in to Sysdig Secure as administrator and go to Settings | Sysdig Labs to toggle the feature on.
Find Workload Events
Not all events include process trees at this time. Workload events invoke Falco policies that apply to system-call-related data.
Therefore, you can quickly filter for workload events with ruleType = Falco - Syscall
Explore Process Trees with Event Correlation (Controlled Availability)
Event correlation allows you start from the process tree of a targeted event and view any other events within that process tree from a particular timeframe, to assist in your event analysis.
No additional requirements are needed to enable this feature apart from previous process tree requirements
, but contact your Sysdig representative to test during Controlled Availability.- All Process Trees have a “focused” event. This event which determines the scope and time box as to which events to show.
- The process tree always shows the ancestral lineage to the root process. Lineage to the offspring only shows if a Sysdig event has occurred.
Anatomy
Header
- Scope: Metadata on the focused event, which may include the cloud account metadata down to the pod and host metadata. All events shown in the tree have the same scope.
- Time Box Dropdown: The time elapsed before and after the focused event occurred. The default is 15 minutes before and after, with options for 10 and 5 minutes.
- Severity Filters: Based on the severity of the event to filter more or fewer events.
Process Tree Overlay
- Timeline: The process tree starts at the focused event, shown with the bold outline, and the time of the event. The time of each related process is shown in relation to the event, for example
-7 hr
and+ 2 s
- Collapse/Expand: Use the chevron on the left to expand or collapse any process with any number of offspring. Process names stacked within a tree also indicated collapsed processes (for example, the second-to-last line in the screenshot).
- Events: The latest, highest severity policy name for an event will show inline of each process within the tree. Any other events are indicated inline with the count of events by severity. The counts do not include the event with the details shown. For example, the last line in the screenshot shows two unique events.
Process & Event Summary
- Process Summary: Selecting a process with one or more events will summarize the process details, including the Process ID, Session ID, username and more. Each unique rule triggered will show under the process details, which will open up the Event Details panel.
- Event Details: These are the details provided from the events feed with all event information, including the rules, policies, and related metadata.
Captures
For runtime policy events that have an associated capture, we now offer a contextual menu for performing quick actions over the event capture, rather than a simple link to the Captures interface. You can:
View the capture directly in Sysdig Inspect
Directly download or delete the capture
Additionally, if the event is scoped to a particular container, Sysdig Inspect will automatically filter the displayed information to the scope of that Container ID.
Netsec Topology
As part of triaging an event, it may be useful to get a birds-eye-view of the network activity for example, to establish what is connected to what, who else a service communicates with, and whether the connection is expected or an outlier.
When relevant, the event detail Respond button provides a quick link to the Network Activity topology, visible users with Advanced User privileges or above, as well as the ability for administrators to craft a unique netsec policy as needed.
The event should include cluster/ namespace/workload details (one of deployment
, daemonset
, statefulset
, job
, cronjob
), and actual network activity on the workload for the Network Activity link to be offered.
Tunable Exceptions
Sysdig’s Runtime Policy Tuner helps reduce false positives using rule exceptions. If there are potential exceptions that match one or more events from the same rule a {#}
Tunable Exceptions button may appear in the event details, or under the Respond button. When clicked, a modal will open up with suggestions of matching exceptions.
Select an event and open an event to view the event details, if there are available exceptions, you will see an option for “Tunable Exceptions”
NOTE: You can also navigate to the same event details from the Insights module
The exceptions modal opens.
Review the suggested exceptions and decide whether to use them:
Compare the Existing Values with the Suggested Values
Adjust the suggested values, if desired.
For example, if the suggestion said
contains: prod-app-1
but you wanted to apply the exception to all the clusters in production, you could edit to saycontains: prod
.Review the previously-applied exceptions that are also displayed, to gain context for the decision
Click View affected policies to see all the places the rule and exception would be used
Click Apply, or
Team Scope and the Event Feed
Not every label available in the Sysdig Platform is compatible with the set of labels used to define the scope of a security event in the Event Feed.
Therefore, to correctly determine if a set of events is visible for a certain Sysdig Secure team, the team scope must not use any label outside the following list.
Permitted Labels
agent.tag.* (any label starting with agent.tag is valid)
host.hostName
host.mac
kubernetes.cluster.name
kubernetes.namespace.name
kubernetes.node.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.label.project
kubernetes.pod.name
kubernetes.daemonSet.name
kubernetes.deployment.name
kubernetes.replicaSet.name
kubernetes.statefulSet.name
kubernetes.job.name
kubernetes.cronJob.name
kubernetes.service.name
container.name
container.image.id
container.image.repo
container.image.tag
container.image.digest
container.label.io.kubernetes.container.name
container.label.io.kubernetes.pod.name
container.label.io.kubernetes.pod.namespace
container.label.maintainer
Not using any label to define team scope (Everywhere) is also supported.
If the Secure team scope is defined using a label outside of the list above, the Event Feed will be empty for that particular team.
Events Dashboards
The Events Dashboards in Sysdig Secure provide event trend analysis and at-a-glance summaries of top policies, rules, namespaces, accounts, or users with event activity over the past 31 days. From the Overviews, you can drill down into specific event feeds and details to take action.
Event Forwarding
Sysdig Secure supports sending different types of security data to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, Qradar, Arcsight, LogDNA. Use Event Forwarding to perform these integrations so you can view security events and correlate Sysdig findings with the tool that you are already using for analysis.
Kubernetes Audit Logging
Kubernetes log integration enables Sysdig Secure to use Kubernetes audit log data in the Events feed and the Activity Audit.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.