Event Enrichment with Agent Labels
Labels are default fields collected by the Sysdig Agent in addition to the fields specified in the rule output. The agent collects them by default, and they appear both in the Events feed and in your Event Forwarder destination.
Enable/disable
You can decide to enable or disable this feature. It is enabled by default.
event_labels:
  enabled: true/false
Adding Custom Labels
The agent ships with a set of default labels. You can both include additional labels and exclude labels from the default set.
event_labels:
  exclude:
    - custom.label.to.exclude

event_labels:
  include:
    - custom.label.to.include
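The include and exclude fragments above each start their own event_labels block. In a single agent configuration file they belong under one event_labels key, together with the enabled flag, because most YAML loaders keep only the last of two duplicate top-level keys (or reject the file), so pasting the fragments separately can silently drop one of the lists. The combined form below is an added example, not configuration taken from Sysdig's documentation; the label names are the page's placeholders.

```yaml
# Combined event_labels configuration (added example).
event_labels:
  enabled: true            # enrichment on (the default)
  include:                 # labels added on top of the default set
    - custom.label.to.include
  exclude:                 # labels removed from the default set
    - custom.label.to.exclude
```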
Example of an enriched event being sent to Splunk
{
  agentId: 1658033
  category: runtime
  containerId: d9f5e4a9aedd
  content: {
    baselineId:
    falsePositive: false
    fields: {
      container.id: d9f5e4a9aedd
      container.image.repository: sysdiglabs/example-voting-app-voter
      container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
      evt.category: process
      falco.rule: Launch Root User Container
      fd.rip: <NA>
      fd.rport: <NA>
      proc.cmdline: container:d9f5e4a9aedd
      proc.name: container:d9f5e4a9aedd
      proc.pid: -1
      proc.pname: <NA>
      proc.ppid: -1
    }
    matchedOnDefault: false
    output: Outbound connection to IP/Port flagged by container:d9f5e4a9aedd (command=container:d9f5e4a9aedd port=<NA> ip=<NA> container=k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603 (id=d9f5e4a9aedd) image=sysdiglabs/example-voting-app-voter) extra fields = (<NA> -1 process -1 container:d9f5e4a9aeddproc.aname container:d9f5e4a9aedd -1proc.apid )
    policyId: 10009837
    policyOrigin: Sysdig
    policyVersion: 37
    ruleName: Launch Root User Container
    ruleTags: [
      network
      mitre_execution
    ]
    ruleType: RULE_TYPE_FALCO
  }
  description: This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.
  id: 1726f87daaaee3960301e17f9b06c3cf
  labels: {
    agent.tag.role: demo-kube-eks
    aws.accountId: 845151661675
    aws.instanceId: i-0b767c5bc9b2f89aa
    aws.region: us-east-1
    container.image.digest: sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de
    container.image.id: 27f385e91e79
    container.image.repo: sysdiglabs/example-voting-app-voter
    container.image.tag: 0.1
    container.label.io.kubernetes.container.name: voter
    container.label.io.kubernetes.pod.name: voter-77d98548bc-hmkpc
    container.label.io.kubernetes.pod.namespace: example-voting-app
    container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
    host.hostName: ip-192-168-22-221.ec2.internal
    host.mac: 0a:a2:c4:d3:fd:ef
    kubernetes.cluster.name: demo-kube-eks
    kubernetes.deployment.name: voter
    kubernetes.namespace.name: example-voting-app
    kubernetes.node.name: ip-192-168-22-221.ec2.internal
    kubernetes.pod.name: voter-77d98548bc-hmkpc
    kubernetes.replicaSet.name: voter-77d98548bc
  }
  machineId: 0a:a2:c4:d3:fd:ef
  name: Sysdig Runtime Notable Events
  originator: policy
  severity: 4
  source: syscall
  timestamp: 1668293930605536300
  timestampRFC3339Nano: 2022-11-12T22:58:50.60553615Z
  type: policy
}
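The value of the labels block is that a downstream consumer can attribute an alert to a cluster, namespace, workload and image digest without joining against another data source. The script below is an added example, not Sysdig code: it assumes the forwarder delivers the event as a JSON object with the key names shown in the Splunk view above (the page shows Splunk's rendering, not the raw payload), builds a triage record from the labels, reports which expected labels are absent (the case when event_labels is disabled or a label has been excluded), and counts events per label value to find the noisy workloads the policy description says will need tuning. The sample event is constructed from the values on this page.

```python
"""Triage helper for Sysdig runtime events enriched with agent labels (added example)."""
import json
from collections import Counter

# Constructed sample: same structure and values as the Splunk event shown above,
# abbreviated. Assumption: the forwarded payload is JSON with these key names.
SAMPLE_EVENT_JSON = json.dumps({
    "agentId": 1658033,
    "category": "runtime",
    "containerId": "d9f5e4a9aedd",
    "content": {
        "fields": {
            "container.id": "d9f5e4a9aedd",
            "container.image.repository": "sysdiglabs/example-voting-app-voter",
            "falco.rule": "Launch Root User Container",
        },
        "policyId": 10009837,
        "ruleName": "Launch Root User Container",
        "ruleTags": ["network", "mitre_execution"],
    },
    "labels": {
        "agent.tag.role": "demo-kube-eks",
        "aws.accountId": "845151661675",
        "aws.region": "us-east-1",
        "container.image.digest": "sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de",
        "kubernetes.cluster.name": "demo-kube-eks",
        "kubernetes.namespace.name": "example-voting-app",
        "kubernetes.deployment.name": "voter",
        "kubernetes.pod.name": "voter-77d98548bc-hmkpc",
    },
    "name": "Sysdig Runtime Notable Events",
    "severity": 4,
    "timestampRFC3339Nano": "2022-11-12T22:58:50.60553615Z",
})

# Labels a triage record should carry; missing ones are reported, never guessed.
CONTEXT_LABELS = (
    "kubernetes.cluster.name",
    "kubernetes.namespace.name",
    "kubernetes.deployment.name",
    "kubernetes.pod.name",
    "container.image.digest",
    "aws.accountId",
    "aws.region",
)


def load_event(raw: str) -> dict:
    """Parse one forwarded event (one JSON object per message)."""
    return json.loads(raw)


def triage_record(event: dict) -> dict:
    """Flatten an event into the fields an analyst needs first.

    'labels' is absent or empty when event_labels.enabled is false, so the
    record states explicitly whether enrichment was present instead of failing.
    """
    labels = event.get("labels") or {}
    content = event.get("content") or {}
    return {
        "rule": content.get("ruleName"),
        "policy_id": content.get("policyId"),
        "severity": event.get("severity"),
        "time": event.get("timestampRFC3339Nano"),
        # ruleTags mixes categories with MITRE tactic tags; keep only the latter.
        "mitre_tags": [t for t in (content.get("ruleTags") or []) if t.startswith("mitre_")],
        "context": {k: labels[k] for k in CONTEXT_LABELS if k in labels},
        "missing_labels": [k for k in CONTEXT_LABELS if k not in labels],
        "enriched": bool(labels),
    }


def count_by_label(events, label: str) -> Counter:
    """Count events per value of one label (e.g. per namespace) to surface
    noisy workloads for tuning. Events lacking the label are bucketed under
    "<missing>" so they are not silently dropped from the tally."""
    return Counter((e.get("labels") or {}).get(label, "<missing>") for e in events)


if __name__ == "__main__":
    ev = load_event(SAMPLE_EVENT_JSON)
    print(json.dumps(triage_record(ev), indent=2))
    print(count_by_label([ev, ev, {"content": {}}], "kubernetes.namespace.name"))
```

Because the label keys contain dots (kubernetes.pod.name), the code indexes the labels dictionary by the full key string rather than walking a nested path; a consumer that flattens events by splitting on dots would otherwise misread them as nested objects.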