Event Enrichment with Agent Labels

When event labels are enabled, the agent attaches the following labels to each event by default.

Enable labels

event_labels:
  enabled: true/false

Default labels

event_labels:
  include:
    - process.name
    - host.hostName
    - agent.tag
    - container.name
    - kubernetes.cluster.name
    - kubernetes.namespace.name
    - kubernetes.deployment.name
    - kubernetes.pod.name
    - kubernetes.node.name

Adding Custom Labels

Event labeling accepts both an include list and an exclude list: include adds custom labels to the default set, and exclude drops labels from it.

event_labels:
  exclude:
    - custom.label.to.exclude

event_labels:
  include:
    - custom.label.to.include

Example of an enriched event as sent to Splunk. The eventLabels array carries the labels configured above as key/value pairs (the fields array was collapsed in the Splunk view and is shown empty here).

{
  "baselineId": null,
  "containerId": "e4d32e56d9d2",
  "description": "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
  "eventLabels": [
    { "key": "kubernetes.node.name", "value": "ip-172-31-72-246" },
    { "key": "container.name", "value": "k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0" },
    { "key": "kubernetes.cluster.name", "value": "SysdigBackend" },
    { "key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0" },
    { "key": "kubernetes.namespace.name", "value": "sysdigcloud" },
    { "key": "agent.tag.timezone", "value": "UTC" },
    { "key": "agent.tag.location", "value": "europe" },
    { "key": "process.name", "value": "bash" },
    { "key": "host.hostName", "value": "ip-172-31-72-246" }
  ],
  "falsePositive": false,
  "fields": [],
  "hostMac": "02:77:68:60:6b:ae",
  "id": 702701271278202880,
  "isAggregated": false,
  "matchedOnDefault": false,
  "name": "Terminal shell in container",
  "output": "A shell was spawned in a container with an attached terminal (user=root k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0 (id=e4d32e56d9d2) shell=bash parent=docker-runc cmdline=bash terminal=34816)",
  "policyId": 18,
  "ruleSubtype": null,
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "version": 1
}
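The following is an added example, not code from the Sysdig agent or this page. It shows how the include/exclude configuration above shapes the label set, and how a SIEM-side consumer can flatten the eventLabels array of an enriched event like the one shown. It assumes that a configured key matches an event label either exactly or as a dotted prefix (the page shows the default entry agent.tag producing agent.tag.timezone and agent.tag.location); the sample event is constructed from the page's example and trimmed to the relevant fields.

```python
import json
from typing import Dict, Iterable, List

# Default label keys from the agent's event_labels.include list (as given on the page).
DEFAULT_LABELS: List[str] = [
    "process.name",
    "host.hostName",
    "agent.tag",
    "container.name",
    "kubernetes.cluster.name",
    "kubernetes.namespace.name",
    "kubernetes.deployment.name",
    "kubernetes.pod.name",
    "kubernetes.node.name",
]

# Constructed sample: a trimmed copy of the enriched event shown on the page,
# as the JSON document a SIEM such as Splunk would receive.
SAMPLE_EVENT_JSON = """{
  "containerId": "e4d32e56d9d2",
  "eventLabels": [
    {"key": "kubernetes.node.name", "value": "ip-172-31-72-246"},
    {"key": "kubernetes.cluster.name", "value": "SysdigBackend"},
    {"key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0"},
    {"key": "kubernetes.namespace.name", "value": "sysdigcloud"},
    {"key": "agent.tag.timezone", "value": "UTC"},
    {"key": "agent.tag.location", "value": "europe"},
    {"key": "process.name", "value": "bash"},
    {"key": "host.hostName", "value": "ip-172-31-72-246"}
  ],
  "name": "Terminal shell in container",
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554
}"""


def load_sample() -> dict:
    """Parse the constructed sample event."""
    return json.loads(SAMPLE_EVENT_JSON)


def label_matches(event_key: str, configured: str) -> bool:
    """Assumption: a configured key matches an event label exactly or as a dotted
    prefix, which is how the default 'agent.tag' yields 'agent.tag.timezone'."""
    return event_key == configured or event_key.startswith(configured + ".")


def effective_label_keys(include: Iterable[str], exclude: Iterable[str],
                         defaults: Iterable[str] = DEFAULT_LABELS) -> List[str]:
    """Keys the agent would attach: defaults plus include, minus anything excluded."""
    wanted = list(dict.fromkeys([*defaults, *include]))  # de-duplicate, keep order
    excluded = list(exclude)
    return [k for k in wanted if not any(label_matches(k, e) for e in excluded)]


def labels_to_dict(event: dict) -> Dict[str, str]:
    """Flatten the eventLabels [{key, value}, ...] list into a plain dict,
    which is easier to index or pivot on in a SIEM search."""
    return {item["key"]: item["value"] for item in event.get("eventLabels", [])}


def apply_label_config(event: dict, include: Iterable[str],
                       exclude: Iterable[str]) -> Dict[str, str]:
    """Simulate what an agent with this include/exclude config would send:
    keep only labels whose key matches one of the effective configured keys."""
    keep = effective_label_keys(include, exclude)
    return {k: v for k, v in labels_to_dict(event).items()
            if any(label_matches(k, c) for c in keep)}


def enrich_summary(event: dict) -> str:
    """One-line summary for a responder: rule name, process, and the workload it ran in."""
    labels = labels_to_dict(event)
    where = "/".join(labels.get(k, "?") for k in (
        "kubernetes.cluster.name", "kubernetes.namespace.name", "kubernetes.pod.name"))
    return f"{event['name']} [{labels.get('process.name', '?')}] on {where}"


if __name__ == "__main__":
    ev = load_sample()
    print(enrich_summary(ev))
    # Drop every agent tag, as an 'exclude: [agent.tag]' config would.
    print(apply_label_config(ev, include=[], exclude=["agent.tag"]))
```

The prefix rule in label_matches is the one assumption worth checking against your own agent output before relying on it in a detection pipeline: if an exclude entry silently fails to match, the labels keep flowing into the SIEM.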

Last modified July 17, 2021: Aliases to old site urls (#98) (917a9be2)