Event Enrichment with Agent Labels

Labels are a default set of fields that the Sysdig Agent collects in addition to the fields specified in a rule's output. The agent extracts them by default, and they appear both in the Events feed and in your Events Forwarder destination.

Enabling and Disabling

This feature is enabled by default. To turn it off, set enabled to false in the agent configuration:

event_labels:
  enabled: true   # set to false to stop collecting and forwarding labels

Adding Custom Labels

The agent ships with a default set of labels. You can both add labels to that set (include) and remove labels from it (exclude). Both keys belong under a single event_labels block; repeating the top-level event_labels key in the same file would produce a duplicate YAML key.

event_labels:
  exclude:
    - custom.label.to.exclude   # dropped from the default set
  include:
    - custom.label.to.include   # collected in addition to the default set

Example of an enriched event as received in Splunk. The agent labels are in the labels object; the fields object under content holds the values from the rule output.

{
   agentId: 1658033
   category: runtime
   containerId: d9f5e4a9aedd
   content: {
     baselineId:
     falsePositive: false
     fields: {
       container.id: d9f5e4a9aedd
       container.image.repository: sysdiglabs/example-voting-app-voter
       container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
       evt.category: process
       falco.rule: Launch Root User Container
       fd.rip: <NA>
       fd.rport: <NA>
       proc.cmdline: container:d9f5e4a9aedd
       proc.name: container:d9f5e4a9aedd
       proc.pid: -1
       proc.pname: <NA>
       proc.ppid: -1
     }
     matchedOnDefault: false
     output: Outbound connection to IP/Port flagged by container:d9f5e4a9aedd (command=container:d9f5e4a9aedd port=<NA> ip=<NA> container=k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603 (id=d9f5e4a9aedd) image=sysdiglabs/example-voting-app-voter) extra fields = (<NA> -1 process -1 container:d9f5e4a9aeddproc.aname container:d9f5e4a9aedd -1proc.apid )
     policyId: 10009837
     policyOrigin: Sysdig
     policyVersion: 37
     ruleName: Launch Root User Container
     ruleTags: [
       network
       mitre_execution
     ]
     ruleType: RULE_TYPE_FALCO
   }
   description: This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.
   id: 1726f87daaaee3960301e17f9b06c3cf
   labels: {
     agent.tag.role: demo-kube-eks
     aws.accountId: 845151661675
     aws.instanceId: i-0b767c5bc9b2f89aa
     aws.region: us-east-1
     container.image.digest: sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de
     container.image.id: 27f385e91e79
     container.image.repo: sysdiglabs/example-voting-app-voter
     container.image.tag: 0.1
     container.label.io.kubernetes.container.name: voter
     container.label.io.kubernetes.pod.name: voter-77d98548bc-hmkpc
     container.label.io.kubernetes.pod.namespace: example-voting-app
     container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
     host.hostName: ip-192-168-22-221.ec2.internal
     host.mac: 0a:a2:c4:d3:fd:ef
     kubernetes.cluster.name: demo-kube-eks
     kubernetes.deployment.name: voter
     kubernetes.namespace.name: example-voting-app
     kubernetes.node.name: ip-192-168-22-221.ec2.internal
     kubernetes.pod.name: voter-77d98548bc-hmkpc
     kubernetes.replicaSet.name: voter-77d98548bc
   }
   machineId: 0a:a2:c4:d3:fd:ef
   name: Sysdig Runtime Notable Events
   originator: policy
   severity: 4
   source: syscall
   timestamp: 1668293930605536300
   timestampRFC3339Nano: 2022-11-12T22:58:50.60553615Z
   type: policy
}
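The following is an added example, not Sysdig's own code, showing how a forwarder consumer can key events on the agent labels above and detect when those labels are absent (for instance because event_labels is disabled or a label was excluded). The sample event is constructed from the Splunk example on this page, trimmed to the fields used; the REQUIRED_LABELS list and the output record layout are assumptions for the example.

```python
import json

# Constructed sample forwarded event, trimmed to the fields used below
# (shape follows the Splunk example on this page; values are illustrative).
SAMPLE_EVENT = json.loads("""
{
  "content": {
    "ruleName": "Launch Root User Container",
    "fields": {"container.id": "d9f5e4a9aedd",
               "container.image.repository": "sysdiglabs/example-voting-app-voter"}
  },
  "labels": {
    "kubernetes.cluster.name": "demo-kube-eks",
    "kubernetes.namespace.name": "example-voting-app",
    "kubernetes.deployment.name": "voter",
    "aws.accountId": "845151661675"
  },
  "severity": 4,
  "source": "syscall"
}
""")

# Labels the downstream routing depends on (assumed for this example). If
# event_labels is disabled or one of these is excluded, routing must degrade
# loudly instead of silently dropping the workload context.
REQUIRED_LABELS = ("kubernetes.cluster.name", "kubernetes.namespace.name")


def workload_key(event):
    """Return (cluster/namespace/deployment key, []) built from agent labels,
    or (None, [missing label names]) when the event lacks required labels."""
    labels = event.get("labels") or {}
    missing = [name for name in REQUIRED_LABELS if not labels.get(name)]
    if missing:
        return None, missing
    key = "/".join((labels["kubernetes.cluster.name"],
                    labels["kubernetes.namespace.name"],
                    labels.get("kubernetes.deployment.name", "-")))
    return key, []


def triage(event):
    """Flatten an event for a SIEM: rule output fields plus agent labels.
    Container fields from the rule output still populate the record when
    the labels object is missing, so the event is never lost."""
    key, missing = workload_key(event)
    content = event.get("content", {})
    fields = content.get("fields", {})
    return {"rule": content.get("ruleName"), "severity": event.get("severity"),
            "workload": key or "unknown", "container_id": fields.get("container.id"),
            "image": fields.get("container.image.repository"),
            "missing_labels": missing}
```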