Secure Events
From Sysdig Secure 3.5.0, the Policy Events module has been reworked
and renamed Events. The new functionality includes both runtime
policy and runtime image scanning events and has much more powerful
filtering capabilities.
BE AWARE!
Events in the old and new formats are stored separately. No event or event data will be lost during the transition. Events that were registered before the new feed is deployed can be browsed using the old Policy Events interface, available on the burger menu in the top-right corner.
If you are running on a GKE cluster, review the GKE Limitations.
The Events page in Sysdig Secure displays a complete list of events that
have occurred within the infrastructure during a defined timeline.
It provides a navigable interface to:
Find and surface insights around the most relevant security events
in your infrastructure
Slice and dice your event data using multiple filters and scopes to
hone into the events that will require further inspection or
remediation actions
Inspect any items using an advanced event detail panel
Follow up on forensics, activity audits, etc., by directly linking
to other sections of the product for additional event information
It provides an overview of the entire infrastructure, and the ability to
deep-dive into specific security events, identify false positives, and
configure policies to optimize performance.
Without filters or scope defined, the event list comprises all events
within the timeline, in chronological order. Clicking on an event opens
the event detail panel on the right.

Filter Secure Events
As of February 2022, there are two filter options available in Sysdig Secure (SaaS): Original and Improved.
Both UIs allow you to structure a filter expression in various ways: using Scope, Severity, Type, Attributes, and Time Span, as well as using free-text Search to filter by event name or label value.
You can toggle between the two interfaces at will.

Using the Improved Filter Bar
Building expressions in the improved filter bar is simpler and cleaner than in the original filter UI. Both use the Filter Expression Elements described below.
Build expressions from the drop-down options: Click Add Filter for an initial drop-down list of valid scope elements. Keep clicking in the filter bar to be presented with the next logical operand, value, etc. to add to your expression.

Build expressions using elements from the Events list: Click the operand after an element in an event to add it directly to the filter expression.

Add priority or type filters and save a constructed expression as a Favorite or set as the Default filter

Understanding Filter Expression Elements
Note that the filters are additive. For example, if you set the Type to
Image Scanning events and don’t see what you expected, make sure the
scope and time span have also been set appropriately.
You construct a filtering expression from the following elements:
Scope
By default, the Event scope encompasses Everywhere, but you can define the environment scope (containers, namespaces, etc.) to limit the range. Those environment limits are assigned to the team active during the scope definition.
See also: Team Scope and the Event Feed, below.
Define a Scope Filter (Original)
You can set a scope label as “variable,” so you can change its value using a dropdown without having to edit the entire scope.
Log in to Sysdig Secure. Any event scope you define will be applied to the team under which you logged in.
On the Events page, click Edit Scope.
From the drop-down menu(s), select the elements, values, and labels needed, and click Apply.

Free-Text Search
You can search by the event title and scope label values, such as
“my-cluster-name,” visible in the events lists.
Type
Events include both Runtime and Image Scanning events.
Runtime events correspond to the rules and violations defined in Policies.
Image Scanning events correspond to the runtime scanning alerts.
Severity
Use the appropriate buttons to filter events by High, Medium,
Low, and Info level of severity, corresponding to the levels
defined in the relevant runtime Policies
or runtime scanning alerts.
Time Span
As in the rest of the Sysdig Platform interface, the time span can be
set by date ranges using the calendar pop-up, and in increments from 10
minutes to 3 days. You can additionally use the calendar picker to
select other time ranges that are not available as fast buttons.
Attributes
Under Policies and Triggered Rules, hover over an attribute to reveal
the =/!= filter button and click to add to the Attribute filter.

Event Detail Panel
The Event Detail contents vary depending on the selected event. In
general, the following are always present:
Attributes on which you can filter directly:
See the Attributes discussion, above.
Action Buttons:
If relevant, the Captures button links to
Captures. See also: Quick Menu to Captures from Runtime Events.
For Runtime events, the Activity shortcut button is available and links to Activity Audit.
For Image Scanning, the Scan Results shortcut links to the Scan Results page.
Edit Policy Shortcut:
For image scanning: Links to the runtime alert that generated the event.
For policy (runtime) events: Links to the runtime rule that
created the event, as well as the rule type (i.e. Falco - Syscall)
and the labels associated with that rule.
All three elements are filterable using the attribute filter widgets
(see above).
Output (For Policy events):
The Falco rule output as configured in the rule is listed.
Scope
The new scope selector allows for additional selector logic (in, not
in, contains, starts-with, etc), improving the scoping flexibility
over previous versions. This scope selector also provides scope
variables, allowing you to quickly switch between, for example,
Kubernetes namespaces without having to edit the panel scope. See
also: Team Scope and the Event Feed, below.
Note that the scope details listed can be entered in the free-text
search field if desired.
Live/Pause Button -
When live, events continually update. Use Pause to focus on a
section of the screen and not continue scrolling away in a noisy
environment.
Portable URLs
The Event Feed URL maintains the current filters, scope, and
selected elements. You can share this URL with other users to allow
them to display the same data.
For runtime policy events that have an associated capture, we now offer
a contextual menu for performing quick actions over the event capture,
rather than a simple link to the Captures interface. You can:
Additionally, if the event is scoped to a particular container, Sysdig
Inspect will automatically filter the displayed information to the scope
of that Container ID.

Team Scope and the Event Feed
Not every label available in the Sysdig Platform is compatible with the
set of labels used to define the scope of a security event in the Event
Feed.
Practically, this means that in order to correctly determine if a set of
events is visible for a certain Sysdig Secure team, the team scope must
not use any label outside the following list.
Permitted Labels
agent.tag.* (any label starting with agent.tag is valid)
host.hostName
host.mac
kubernetes.cluster.name
kubernetes.namespace.name
kubernetes.node.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.label.project
kubernetes.pod.name
kubernetes.daemonSet.name
kubernetes.deployment.name
kubernetes.replicaSet.name
kubernetes.statefulSet.name
kubernetes.job.name
kubernetes.cronJob.name
kubernetes.service.name
container.name
container.image.id
container.image.repo
container.image.tag
container.image.digest
container.label.io.kubernetes.container.name
container.label.io.kubernetes.pod.name
container.label.io.kubernetes.pod.namespace
container.label.maintainer
Not using any label to define team scope (Everywhere) is also
supported.
If the Secure team scope is defined using a label outside of the list
above, the Event Feed will be empty for that particular team.
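The rule above is easy to get wrong when a team scope is edited, and the symptom (an empty Event Feed) gives no hint which label is at fault. The following check, an added example that is not Sysdig code, takes the set of label names used in a team scope and reports any that fall outside the permitted list on this page; the `agent.tag.*` family is matched by prefix. The sample scopes at the bottom are constructed for illustration.

```python
"""Check whether a Sysdig Secure team scope uses only labels the Event Feed
understands. Added example, not Sysdig code; the permitted label list is the
one given on this page."""

# Exact label names permitted in a team scope, copied from the list above.
PERMITTED_LABELS = frozenset({
    "host.hostName", "host.mac",
    "kubernetes.cluster.name", "kubernetes.namespace.name", "kubernetes.node.name",
    "kubernetes.namespace.label.field.cattle.io/projectId",
    "kubernetes.namespace.label.project", "kubernetes.pod.name",
    "kubernetes.daemonSet.name", "kubernetes.deployment.name",
    "kubernetes.replicaSet.name", "kubernetes.statefulSet.name",
    "kubernetes.job.name", "kubernetes.cronJob.name", "kubernetes.service.name",
    "container.name", "container.image.id", "container.image.repo",
    "container.image.tag", "container.image.digest",
    "container.label.io.kubernetes.container.name",
    "container.label.io.kubernetes.pod.name",
    "container.label.io.kubernetes.pod.namespace",
    "container.label.maintainer",
})

# Label families permitted by prefix ("agent.tag.*" on this page).
PERMITTED_PREFIXES = ("agent.tag.",)


def is_permitted_label(label: str) -> bool:
    """True if a single scope label is on the permitted list or in a permitted family."""
    if label in PERMITTED_LABELS:
        return True
    # A bare prefix with nothing after it is not a label, so require a suffix.
    return any(label.startswith(p) and len(label) > len(p) for p in PERMITTED_PREFIXES)


def unsupported_scope_labels(scope_labels) -> list:
    """Return the labels that would make the Event Feed empty for the team,
    in the order given. An empty list means the feed stays visible."""
    return [label for label in scope_labels if not is_permitted_label(label)]


def event_feed_visible(scope_labels) -> bool:
    """An empty scope (Everywhere) is supported; otherwise every label must be permitted."""
    return not unsupported_scope_labels(scope_labels)


if __name__ == "__main__":
    # Constructed sample scopes (not taken from the page).
    good = ["kubernetes.cluster.name", "kubernetes.namespace.name", "agent.tag.env"]
    bad = ["kubernetes.namespace.name", "kubernetes.pod.label.app"]
    print("good scope visible:", event_feed_visible(good))
    print("offending labels in bad scope:", unsupported_scope_labels(bad))
```

Run this against the label names of each Secure team's scope before rolling a scope change out; a non-empty result from `unsupported_scope_labels` is exactly the condition under which the page says the feed will be empty.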
Event Forwarding
Sysdig supports sending different types of security data to third-party
SIEM (security information and event management) platforms and logging
tools, such as Splunk, Elastic Stack, Qradar, Arcsight, LogDNA. Use
Event Forwarding to perform these integrations so you can view security
events and correlate Sysdig findings with the tool that you are already
using for analysis.
Review the Types of Secure
Integrations table for more
context. The Event Forwarding column lists the various options and their
levels of support.
You must be logged in to Sysdig Secure as Administrator to access the event forwarding options.
Supported Event Forwarding Data Sources
At this time, Sysdig Secure can forward the following types of data:
Policy events: there are now two supported formats: the older one (legacy policy events) and the current one (runtime policy events).
Activity audit information in each of the four audit types: command, network, file, and kubectl exec.
Benchmarks (Legacy): When
the benchmarks component is installed with the Node
Analyzer, forwarding
benchmark data is supported.
Host Scanning: When
the feature has been installed with the Node
Analyzer, forwarding
host scanning data is supported.
Informational; in most cases, there is no need to change the default
format.
Policy Event Payloads
There are now two formats supported. See also this Release
Note.
New Runtime Policy Events Payload
{
"id": "164ace360cc3cfbc26ec22d61b439500",
"type": "policy",
"timestamp": 1606322948648718268,
"originator": "policy",
"category": "runtime",
"source": "syscall",
"name": "Notable Filesystem Changes",
"description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
"severity": 0,
"agentId": 13530,
"containerId": "",
"machineId": "08:00:27:54:f3:9d",
"content": {
"policyId": 544,
"baselineId": "",
"ruleName": "Write below etc",
"ruleType": "RULE_TYPE_FALCO",
"ruleTags": [
"mitre_persistence",
"NIST",
"NIST_3.4.4",
"filesystem"
],
"output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
"fields": {
"container.id": "host",
"container.image.repository": "<NA>",
"falco.rule": "Write below etc",
"fd.name": "/etc/ard",
"proc.aname[2]": "su",
"proc.aname[3]": "sudo",
"proc.aname[4]": "bash",
"proc.cmdline": "touch /etc/ard",
"proc.name": "touch",
"proc.pcmdline": "bash",
"proc.pname": "bash",
"user.name": "root"
},
"falsePositive": false,
"matchedOnDefault": false,
"policyVersion": 2,
"policyOrigin": "Sysdig"
},
"labels": {
"host.hostName": "ardbox",
"process.name": "touch /etc/ard"
}
}
Legacy Secure Policy Event Payload
{
"id": "164ace360cc3cfbc26ec22d61b439500",
"containerId": "",
"name": "Notable Filesystem Changes",
"description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
"severity": 0,
"policyId": 544,
"actionResults": [],
"output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
"ruleType": "RULE_TYPE_FALCO",
"matchedOnDefault": false,
"fields": [
{
"key": "container.image.repository",
"value": "<NA>"
},
{
"key": "proc.aname[3]",
"value": "sudo"
},
{
"key": "proc.aname[4]",
"value": "bash"
},
{
"key": "proc.cmdline",
"value": "touch /etc/ard"
},
{
"key": "proc.pname",
"value": "bash"
},
{
"key": "falco.rule",
"value": "Write below etc"
},
{
"key": "proc.name",
"value": "touch"
},
{
"key": "fd.name",
"value": "/etc/ard"
},
{
"key": "proc.aname[2]",
"value": "su"
},
{
"key": "proc.pcmdline",
"value": "bash"
},
{
"key": "container.id",
"value": "host"
},
{
"key": "user.name",
"value": "root"
}
],
"eventLabels": [
{
"key": "host.hostName",
"value": "ardbox"
},
{
"key": "process.name",
"value": "touch /etc/ard"
}
],
"falsePositive": false,
"baselineId": "",
"policyVersion": 2,
"origin": "Sysdig",
"timestamp": 1606322948648718,
"timestampNs": 1606322948648718268,
"hostMac": "08:00:27:54:f3:9d",
"isAggregated": false
}
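The two payloads above describe the same event, but a SIEM parser written for one will silently drop data from the other: the legacy format carries `fields` and `eventLabels` as lists of key/value objects rather than maps, its top-level `timestamp` is in microseconds (the nanosecond value is in `timestampNs`), the host MAC is `hostMac` instead of `machineId`, and the rule name is only available through the `falco.rule` field. The following normaliser is an added example, not Sysdig code; the two samples are trimmed copies of the payloads shown above (fewer `fields`), and the flat record layout it produces is this example's own.

```python
"""Normalise Sysdig Secure policy events from either forwarding format into
one flat record so a SIEM pipeline can treat both alike.
Added example, not Sysdig code. The two samples are trimmed copies of the
payloads shown on this page."""

_OUTPUT = ("File below /etc opened for writing (user=root command=touch /etc/ard "
           "parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su "
           "ggparent=sudo gggparent=bash container_id=host image=<NA>)")

# Trimmed copy of the "New Runtime Policy Events Payload" above.
NEW_FORMAT = {
    "id": "164ace360cc3cfbc26ec22d61b439500",
    "type": "policy",
    "timestamp": 1606322948648718268,            # nanoseconds
    "name": "Notable Filesystem Changes",
    "severity": 0,
    "machineId": "08:00:27:54:f3:9d",
    "content": {
        "policyId": 544,
        "ruleName": "Write below etc",
        "ruleType": "RULE_TYPE_FALCO",
        "ruleTags": ["mitre_persistence", "NIST", "NIST_3.4.4", "filesystem"],
        "output": _OUTPUT,
        "fields": {"falco.rule": "Write below etc", "fd.name": "/etc/ard",
                   "proc.name": "touch", "user.name": "root"},
        "falsePositive": False,
        "policyOrigin": "Sysdig",
    },
    "labels": {"host.hostName": "ardbox", "process.name": "touch /etc/ard"},
}

# Trimmed copy of the "Legacy Secure Policy Event Payload" above.
LEGACY_FORMAT = {
    "id": "164ace360cc3cfbc26ec22d61b439500",
    "name": "Notable Filesystem Changes",
    "severity": 0,
    "policyId": 544,
    "output": _OUTPUT,
    "ruleType": "RULE_TYPE_FALCO",
    "fields": [{"key": "falco.rule", "value": "Write below etc"},
               {"key": "fd.name", "value": "/etc/ard"},
               {"key": "proc.name", "value": "touch"},
               {"key": "user.name", "value": "root"}],
    "eventLabels": [{"key": "host.hostName", "value": "ardbox"},
                    {"key": "process.name", "value": "touch /etc/ard"}],
    "falsePositive": False,
    "origin": "Sysdig",
    "timestamp": 1606322948648718,               # microseconds
    "timestampNs": 1606322948648718268,          # nanoseconds
    "hostMac": "08:00:27:54:f3:9d",
}


def _kv_list_to_dict(items) -> dict:
    """Legacy payloads encode maps as [{"key": k, "value": v}, ...]."""
    return {item["key"]: item["value"] for item in items}


def is_legacy_policy_event(event: dict) -> bool:
    """The current format nests rule data under "content"; the legacy one does not."""
    return "content" not in event


def normalize_policy_event(event: dict) -> dict:
    """Return the same flat record for either format."""
    if is_legacy_policy_event(event):
        fields = _kv_list_to_dict(event.get("fields", []))
        return {
            "id": event["id"],
            "name": event["name"],
            "severity": event["severity"],
            # Legacy "timestamp" is microseconds; prefer the nanosecond field when present.
            "timestamp_ns": event.get("timestampNs", event["timestamp"] * 1000),
            "host_mac": event.get("hostMac", ""),
            "policy_id": event["policyId"],
            # Legacy payloads have no ruleName; the Falco rule name is in the fields.
            "rule_name": fields.get("falco.rule"),
            "rule_type": event.get("ruleType"),
            "rule_tags": [],                      # not carried by the legacy format
            "output": event.get("output", ""),
            "fields": fields,
            "labels": _kv_list_to_dict(event.get("eventLabels", [])),
            "false_positive": event.get("falsePositive", False),
            "origin": event.get("origin"),
        }
    content = event["content"]
    return {
        "id": event["id"],
        "name": event["name"],
        "severity": event["severity"],
        "timestamp_ns": event["timestamp"],
        "host_mac": event.get("machineId", ""),
        "policy_id": content["policyId"],
        "rule_name": content.get("ruleName"),
        "rule_type": content.get("ruleType"),
        "rule_tags": list(content.get("ruleTags", [])),
        "output": content.get("output", ""),
        "fields": dict(content.get("fields", {})),
        "labels": dict(event.get("labels", {})),
        "false_positive": content.get("falsePositive", False),
        "origin": content.get("policyOrigin"),
    }


if __name__ == "__main__":
    a, b = normalize_policy_event(NEW_FORMAT), normalize_policy_event(LEGACY_FORMAT)
    # Only the tag list (absent from legacy events) should differ.
    print("differing keys:", {k for k in a if a[k] != b[k]} or "none")
```

Detecting the format by the presence of `content` rather than by `type` is deliberate: the legacy payload has no `type` key at all, and the `type` value of the current format is shared with other forwarded data sources.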
Activity Audit Forwarding Payloads
Each of the activity audit types has its own JSON format.
Command (cmd) Payload
{
"id": "164806c17885b5615ba513135ea13d79",
"agentId": 32212,
"cmdline": "calico-node -felix-ready -bird-ready",
"comm": "calico-node",
"containerId": "a407fb17332b",
"count": 1,
"cwd": "/",
"hostname": "qa-k8smetrics",
"loginShellDistance": 0,
"loginShellId": 0,
"pid": 29278,
"ppid": 29275,
"rxTimestamp": 1605540695537513500,
"timestamp": 1605540695178065200,
"type": "command",
"tty": 0,
"uid": 0
}
Network (net) Payload
{
"id": "164806f43b4d7e8c6708f40cdbb47838",
"agentId": 32212,
"clientIpv4": 2886795285,
"clientPort": 60720,
"containerId": "da3abd373c7a",
"direction": "out",
"errorCode": 115,
"hostname": "qa-k8smetrics",
"l4protocol": 6,
"pid": 2452,
"processName": "kubectl",
"rxTimestamp": 0,
"serverIpv4": 174063617,
"serverPort": 443,
"timestamp": 1605540913194303200,
"type": "connection"
}
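Several fields of the network payload are integer-encoded and mean little in a SIEM until decoded: `clientIpv4`/`serverIpv4` are 32-bit integers, `l4protocol` is an IANA protocol number, `errorCode` is a Linux errno value, and `timestamp` is epoch nanoseconds. The decoder below is an added example, not Sysdig code; it uses the network payload shown above verbatim as its sample and the errno names are the standard Linux values (115 is EINPROGRESS, a non-blocking connect that had not yet completed when the event was recorded). Decoding shows that the client address, 172.17.0.21, is the same address that appears in `sourceAddresses` of the kube exec payload further down, which is how the two audit types are correlated.

```python
"""Decode the integer-encoded fields of a Sysdig activity-audit network
payload into analyst-readable values. Added example, not Sysdig code; the
sample is the Network (net) Payload shown on this page."""
import ipaddress
from datetime import datetime, timezone

# Copied from the Network (net) Payload above.
NET_PAYLOAD = {
    "id": "164806f43b4d7e8c6708f40cdbb47838",
    "agentId": 32212,
    "clientIpv4": 2886795285,
    "clientPort": 60720,
    "containerId": "da3abd373c7a",
    "direction": "out",
    "errorCode": 115,
    "hostname": "qa-k8smetrics",
    "l4protocol": 6,
    "pid": 2452,
    "processName": "kubectl",
    "rxTimestamp": 0,
    "serverIpv4": 174063617,
    "serverPort": 443,
    "timestamp": 1605540913194303200,
    "type": "connection",
}

# IANA protocol numbers for the transport protocols a connection audit can carry.
L4_PROTOCOLS = {6: "tcp", 17: "udp"}

# Linux errno values relevant to connect(2). 115 (EINPROGRESS) means the
# non-blocking connect had not completed when the event was recorded.
LINUX_ERRNO = {0: "OK", 110: "ETIMEDOUT", 111: "ECONNREFUSED",
               113: "EHOSTUNREACH", 115: "EINPROGRESS"}


def ipv4_from_int(value: int) -> str:
    """The payload carries IPv4 addresses as 32-bit unsigned integers."""
    return str(ipaddress.IPv4Address(value))


def ns_to_iso8601(ts_ns: int) -> str:
    """Timestamps are epoch nanoseconds; render as UTC ISO 8601 at second precision."""
    seconds = ts_ns // 1_000_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def decode_net_event(event: dict) -> dict:
    """Return a flat record with decoded addresses, protocol, errno and time."""
    return {
        "time": ns_to_iso8601(event["timestamp"]),
        "host": event["hostname"],
        "container_id": event["containerId"],
        "process": f'{event["processName"]}[{event["pid"]}]',
        "direction": event["direction"],
        "proto": L4_PROTOCOLS.get(event["l4protocol"], str(event["l4protocol"])),
        "client": f'{ipv4_from_int(event["clientIpv4"])}:{event["clientPort"]}',
        "server": f'{ipv4_from_int(event["serverIpv4"])}:{event["serverPort"]}',
        # Unknown errno values are kept numeric rather than guessed at.
        "errno": LINUX_ERRNO.get(event["errorCode"], str(event["errorCode"])),
    }


if __name__ == "__main__":
    record = decode_net_event(NET_PAYLOAD)
    print(" ".join(f"{k}={v}" for k, v in record.items()))
```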
File (file) Payload
{
"id": "164806c161a5dd221c4ee79d6b5dd1ce",
"agentId": 32212,
"containerId": "a407fb17332b",
"hostname": "qa-k8smetrics",
"timestamp": 1605540694794296600,
"type": "fileaccess",
"directory": "/etc/service/enabled/confd/supervise/",
"filename": "ok",
"permissions": "w",
"pid": 29237,
"comm": "sv",
"cmdline": ""
}
Kubernetes (kube exec) Payload
{
"id": "164806f4c47ad9101117d87f8b574ecf",
"agentId": 32212,
"args": {
"command": "bash",
"container": "nginx"
},
"auditId": "c474d1de-c764-445a-8142-a0142505868e",
"containerId": "397be1762fba",
"hostname": "qa-k8smetrics",
"name": "nginx-76f9cf7469-k5kf7",
"namespace": "nginx",
"resource": "pods",
"sourceAddresses": [
"172.17.0.21"
],
"stages": {
"started": 1605540915526159000,
"completed": 1605540915660084000
},
"subResource": "exec",
"timestamp": 1605540915495754000,
"type": "kubernetes",
"user": {
"username": "system:serviceaccount:default:default-kubectl-trigger",
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:default",
"system:authenticated"
]
},
"userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"
}
Benchmark Result Payloads
To forward benchmark events, you must have Benchmarks v2
installed and configured,
using the Node Analyzer.
A Benchmark Control payload is emitted for each control on each host on
every Benchmark Run. A Benchmark Run payload containing a summary of the
results is emitted for each host on every Benchmark Run.
Benchmark Control Payload
{
"agentId": 0,
"category": "runtime",
"containerId": "",
"content": {
"control": {
"auditCommand": "ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\\([^ ]*\\).*%\\1%' | xargs stat -c %U:%G",
"description": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
"expectedOutput": "'' is present",
"failingResources": [
{
"Hostname": "qa-k8smetrics"
}
],
"familyName": "Master Node Configuration Files",
"id": "1.1.12",
"level": "Level 1",
"rationale": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
"remediation": "On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the below command:\nps -ef | grep etcd\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd:etcd /var/lib/etcd\n",
"resourceCount": 0,
"resourceType": "Hosts",
"result": "Fail",
"title": "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
},
"runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
"schema": "kube_bench_cis-1.6.0",
"source": "host",
"subType": "control",
"taskId": 205
},
"description": "Kubernetes benchmark kube_bench_cis-1.6.0 control 1.1.12 completed.",
"id": "167e641d319f53438dca3c702ecb2460",
"labels": {
"aws.accountId": "059797578166",
"aws.instanceId": "i-0fb61365358ce26a7",
"aws.region": "us-east-1",
"host.hostName": "qa-k8smetrics",
"host.mac": "16:16:ef:cb:72:15",
"kubernetes.cluster.name": "test-k8s-data",
"kubernetes.node.name": "qa-k8smetrics"
},
"machineId": "16:16:ef:cb:72:15",
"name": "Kubernetes Benchmark Control Reported",
"originator": "benchmarks",
"severity": 0,
"source": "host",
"timestamp": 1620842992449311555,
"type": "benchmark"
}
Benchmark Run Payload
{
"agentId": 0,
"category": "runtime",
"containerId": "",
"content": {
"run": {
"failCount": 11,
"passCount": 67,
"warnCount": 44
},
"runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
"schema": "kube_bench_cis-1.6.0",
"source": "host",
"subType": "run",
"taskId": 205
},
"description": "Kubernetes benchmark kube_bench_cis-1.6.0 completed.",
"id": "167e641d319f5343019a4183b1ec2906",
"labels": {
"aws.accountId": "059797578166",
"aws.instanceId": "i-0fb61365358ce26a7",
"aws.region": "us-east-1",
"host.hostName": "qa-k8smetrics",
"host.mac": "16:16:ef:cb:72:15",
"kubernetes.cluster.name": "test-k8s-data",
"kubernetes.node.name": "qa-k8smetrics"
},
"machineId": "16:16:ef:cb:72:15",
"name": "Kubernetes Benchmark Run Failed",
"originator": "benchmarks",
"severity": 0,
"source": "host",
"timestamp": 1620842992449311555,
"type": "benchmark"
}
Host Scanning Payload
Incremental Report
This is the “vuln diff” report; it contains the list of added, removed,
or updated vulnerabilities that the host presents compared to the
previous scan.
[
{
"id": "167fddc1197bcc776d72f0f299e83530",
"type": "hostscanning",
"timestamp": 1621258212302,
"originator": "hostscanning",
"category": "hostscanning_incremental_report",
"source": "hostscanning",
"name": "Vulnerability updates - Host dev-vm",
"description": "",
"severity": 4,
"agentId": 0,
"containerId": "",
"machineId": "00:0c:29:e5:9e:51",
"content": {
"hostname": "dev-vm",
"mac": "00:0c:29:e5:9e:51",
"reportType": "incremental",
"added": [
{
"cve": "CVE-2020-27170",
"fixAvailable": "5.4.0-70.78",
"packageName": "linux-headers-5.4.0-67",
"packageType": "dpkg",
"packageVersion": "5.4.0-67.75",
"severity": "High",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-27170",
"vulnerablePackage": "linux-headers-5.4.0-67:5.4.0-67.75"
},
{
"cve": "CVE-2019-9515",
"fixAvailable": "None",
"packageName": "libgrpc6",
"packageType": "dpkg",
"packageVersion": "1.16.1-1ubuntu5",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-9515",
"vulnerablePackage": "libgrpc6:1.16.1-1ubuntu5"
}
],
"updated": [
{
"cve": "CVE-2018-17977",
"fixAvailable": "None",
"packageName": "linux-modules-5.4.0-72-generic",
"packageType": "dpkg",
"packageVersion": "5.4.0-72.80",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-17977",
"vulnerablePackage": "linux-modules-5.4.0-72-generic:5.4.0-72.80"
},
{
"cve": "CVE-2021-3348",
"fixAvailable": "5.4.0-71.79",
"packageName": "linux-modules-extra-5.4.0-67-generic",
"packageType": "dpkg",
"packageVersion": "5.4.0-67.75",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3348",
"vulnerablePackage": "linux-modules-extra-5.4.0-67-generic:5.4.0-67.75"
},
{
"cve": "CVE-2021-29265",
"fixAvailable": "5.4.0-73.82",
"packageName": "linux-headers-5.4.0-67-generic",
"packageType": "dpkg",
"packageVersion": "5.4.0-67.75",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-29265",
"vulnerablePackage": "linux-headers-5.4.0-67-generic:5.4.0-67.75"
},
{
"cve": "CVE-2021-29921",
"fixAvailable": "None",
"packageName": "python3.8-dev",
"packageType": "dpkg",
"packageVersion": "3.8.5-1~20.04.2",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-29921",
"vulnerablePackage": "python3.8-dev:3.8.5-1~20.04.2"
}
],
"removed": [
{
"cve": "CVE-2021-26932",
"fixAvailable": "None",
"packageName": "linux-modules-5.4.0-67-generic",
"packageType": "dpkg",
"packageVersion": "5.4.0-67.75",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-26932",
"vulnerablePackage": "linux-modules-5.4.0-67-generic:5.4.0-67.75"
},
{
"cve": "CVE-2020-26541",
"fixAvailable": "None",
"packageName": "linux-modules-extra-5.4.0-67-generic",
"packageType": "dpkg",
"packageVersion": "5.4.0-67.75",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-26541",
"vulnerablePackage": "linux-modules-extra-5.4.0-67-generic:5.4.0-67.75"
},
{
"cve": "CVE-2014-4607",
"fixAvailable": "2.04-1ubuntu26.8",
"packageName": "grub-pc",
"packageType": "dpkg",
"packageVersion": "2.04-1ubuntu26.7",
"severity": "Medium",
"url": "http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-4607",
"vulnerablePackage": "grub-pc:2.04-1ubuntu26.7"
}
]
},
"labels": {
"host.hostName": "dev-vm",
"host.id": "d82e5bde1d992bedd10a640bdb2f052493ff4b3e03f5e96d1077bf208f32ea96",
"host.mac": "00:0c:29:e5:9e:51",
"host.os.name": "ubuntu",
"host.os.version": "20.04"
}
}
]
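The incremental report is a set difference between two consecutive scans, keyed on the vulnerability and the affected package version. The example below reconstructs that computation and wraps the result in the envelope shape used above; it is an added example, not Sysdig's implementation. The two scan results are constructed for this example (they reuse CVE and package names from the page but the "previous" state is invented), and treating a change in `fixAvailable` or `severity` as an "updated" entry is this example's assumption about what distinguishes `updated` from `added`.

```python
"""Compute an incremental ("vuln diff") host-scanning report from two
consecutive vulnerability lists. Added example, not Sysdig code; the scan
results are constructed and the "updated" rule is an assumption."""


def _vuln(cve, pkg, ver, severity, fix="None"):
    """Build one vulnerability record in the shape of the page's payloads."""
    return {"cve": cve, "fixAvailable": fix, "packageName": pkg, "packageType": "dpkg",
            "packageVersion": ver, "severity": severity, "vulnerablePackage": f"{pkg}:{ver}"}


# Constructed previous scan: one CVE that later disappears, one without a fix
# yet, one rated Low at the time.
PREVIOUS_SCAN = [
    _vuln("CVE-2021-26932", "linux-modules-5.4.0-67-generic", "5.4.0-67.75", "Medium"),
    _vuln("CVE-2021-3348", "linux-modules-extra-5.4.0-67-generic", "5.4.0-67.75", "Medium"),
    _vuln("CVE-2018-17977", "linux-modules-5.4.0-72-generic", "5.4.0-72.80", "Low"),
]

# Constructed current scan: a fix became available, a severity was raised,
# a new CVE appeared, and CVE-2021-26932 is gone.
CURRENT_SCAN = [
    _vuln("CVE-2021-3348", "linux-modules-extra-5.4.0-67-generic", "5.4.0-67.75", "Medium",
          fix="5.4.0-71.79"),
    _vuln("CVE-2018-17977", "linux-modules-5.4.0-72-generic", "5.4.0-72.80", "Medium"),
    _vuln("CVE-2020-27170", "linux-headers-5.4.0-67", "5.4.0-67.75", "High", fix="5.4.0-70.78"),
]


def vuln_key(v: dict) -> tuple:
    """A finding is identified by its CVE plus the affected package:version."""
    return (v["cve"], v["vulnerablePackage"])


def incremental_report(previous: list, current: list) -> dict:
    """Return {"added", "updated", "removed"} lists, each sorted by vuln_key.
    "updated" (an assumption of this example) means the same finding is still
    present but its fixAvailable or severity changed."""
    prev = {vuln_key(v): v for v in previous}
    curr = {vuln_key(v): v for v in current}
    added = [curr[k] for k in curr.keys() - prev.keys()]
    removed = [prev[k] for k in prev.keys() - curr.keys()]
    updated = [curr[k] for k in curr.keys() & prev.keys()
               if (curr[k]["fixAvailable"], curr[k]["severity"])
               != (prev[k]["fixAvailable"], prev[k]["severity"])]
    return {"added": sorted(added, key=vuln_key),
            "updated": sorted(updated, key=vuln_key),
            "removed": sorted(removed, key=vuln_key)}


def build_incremental_event(hostname: str, mac: str, previous: list, current: list) -> dict:
    """Wrap the diff in the envelope fields used by the incremental report above.
    Returns None when nothing changed, so callers emit no empty event."""
    report = incremental_report(previous, current)
    if not any(report.values()):
        return None
    return {
        "type": "hostscanning",
        "originator": "hostscanning",
        "category": "hostscanning_incremental_report",
        "source": "hostscanning",
        "name": f"Vulnerability updates - Host {hostname}",
        "machineId": mac,
        "content": {"hostname": hostname, "mac": mac, "reportType": "incremental", **report},
    }


if __name__ == "__main__":
    # Host name and MAC taken from the incremental report sample above.
    event = build_incremental_event("dev-vm", "00:0c:29:e5:9e:51", PREVIOUS_SCAN, CURRENT_SCAN)
    for section in ("added", "updated", "removed"):
        print(section, [v["cve"] for v in event["content"][section]])
```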
Full Report
The full report contains all the vulnerabilities found during the first
host scan.
[
{
"id": "1680c8462f368eaf38d2f269d9de1637",
"type": "hostscanning",
"timestamp": 1621516069618,
"originator": "hostscanning",
"category": "hostscanning_full_report",
"source": "hostscanning",
"name": "Host ip-172-31-94-81 scanned",
"description": "",
"severity": 4,
"agentId": 0,
"containerId": "",
"machineId": "16:1f:b4:f5:02:03",
"content": {
"hostname": "ip-172-31-94-81",
"mac": "16:1f:b4:f5:02:03",
"reportType": "full",
"added": [
{
"cve": "CVE-2015-0207",
"fixAvailable": "None",
"packageName": "libssl1.1",
"packageType": "dpkg",
"packageVersion": "1.1.0l-1~deb9u3",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-0207",
"vulnerablePackage": "libssl1.1:1.1.0l-1~deb9u3"
},
{
"cve": "CVE-2016-2088",
"fixAvailable": "None",
"packageName": "libdns162",
"packageType": "dpkg",
"packageVersion": "1:9.10.3.dfsg.P4-12.3+deb9u8",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-2088",
"vulnerablePackage": "libdns162:1:9.10.3.dfsg.P4-12.3+deb9u8"
},
{
"cve": "CVE-2017-5123",
"fixAvailable": "None",
"packageName": "linux-headers-4.9.0-15-amd64",
"packageType": "dpkg",
"packageVersion": "4.9.258-1",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-5123",
"vulnerablePackage": "linux-headers-4.9.0-15-amd64:4.9.258-1"
},
{
"cve": "CVE-2014-2739",
"fixAvailable": "None",
"packageName": "linux-headers-4.9.0-15-common",
"packageType": "dpkg",
"packageVersion": "4.9.258-1",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-2739",
"vulnerablePackage": "linux-headers-4.9.0-15-common:4.9.258-1"
},
{
"cve": "CVE-2014-9781",
"fixAvailable": "None",
"packageName": "linux-kbuild-4.9",
"packageType": "dpkg",
"packageVersion": "4.9.258-1",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-9781",
"vulnerablePackage": "linux-kbuild-4.9:4.9.258-1"
},
{
"cve": "CVE-2015-8705",
"fixAvailable": "None",
"packageName": "libisc-export160",
"packageType": "dpkg",
"packageVersion": "1:9.10.3.dfsg.P4-12.3+deb9u8",
"severity": "Negligible",
"url": "https://security-tracker.debian.org/tracker/CVE-2015-8705",
"vulnerablePackage": "libisc-export160:1:9.10.3.dfsg.P4-12.3+deb9u8"
}
]
},
"labels": {
"agent.tag.distribution": "Debian",
"agent.tag.fqdn": "ec2-3-231-219-145.compute-1.amazonaws.com",
"agent.tag.test-type": "qa-hs",
"agent.tag.version": "9.13",
"host.hostName": "ip-172-31-94-81",
"host.id": "cbd8fc14e9116a33770453e0755cbd1e72e4790e16876327607c50ce9de25a4b",
"host.mac": "16:1f:b4:f5:02:03",
"host.os.name": "debian",
"host.os.version": "9.13"
}
}
]
Delete an Event Forwarding Integration
To delete an existing integration:
From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.
Click the More Options (three dots) icon.
Click the Delete Integration button.
Click the Yes, delete button to confirm the change.