
Event Enrichment with Agent Labels

    Labels are default fields collected by the Sysdig Agent in addition to the fields specified in a rule's output. The agent pulls them out by default, and they are shown in the events feed and in your event forwarder destination.

    Enable/disable

    You can decide to enable or disable this feature. It is enabled by default.

    event_labels:
      enabled: true   # set to false to disable label enrichment
    

    Adding Custom Labels

    The agent ships with a default set of labels. You can both include additional labels and exclude labels from the default set.

    event_labels:
      exclude:
        - custom.label.to.exclude
    
    event_labels:
      include:
        - custom.label.to.include
    

    Example of an enriched event being sent to Splunk

    {
       agentId: 1658033
       category: runtime
       containerId: d9f5e4a9aedd
       content: {
         baselineId:
         falsePositive: false
         fields: {
           container.id: d9f5e4a9aedd
           container.image.repository: sysdiglabs/example-voting-app-voter
           container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
           evt.category: process
           falco.rule: Launch Root User Container
           fd.rip: <NA>
           fd.rport: <NA>
           proc.cmdline: container:d9f5e4a9aedd
           proc.name: container:d9f5e4a9aedd
           proc.pid: -1
           proc.pname: <NA>
           proc.ppid: -1
         }
         matchedOnDefault: false
         output: Outbound connection to IP/Port flagged by container:d9f5e4a9aedd (command=container:d9f5e4a9aedd port=<NA> ip=<NA> container=k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603 (id=d9f5e4a9aedd) image=sysdiglabs/example-voting-app-voter) extra fields = (<NA> -1 process -1 container:d9f5e4a9aeddproc.aname container:d9f5e4a9aedd -1proc.apid )
         policyId: 10009837
         policyOrigin: Sysdig
         policyVersion: 37
         ruleName: Launch Root User Container
         ruleTags: [
           network
           mitre_execution
         ]
         ruleType: RULE_TYPE_FALCO
       }
       description: This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.
       id: 1726f87daaaee3960301e17f9b06c3cf
       labels: {
         agent.tag.role: demo-kube-eks
         aws.accountId: 845151661675
         aws.instanceId: i-0b767c5bc9b2f89aa
         aws.region: us-east-1
         container.image.digest: sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de
         container.image.id: 27f385e91e79
         container.image.repo: sysdiglabs/example-voting-app-voter
         container.image.tag: 0.1
         container.label.io.kubernetes.container.name: voter
         container.label.io.kubernetes.pod.name: voter-77d98548bc-hmkpc
         container.label.io.kubernetes.pod.namespace: example-voting-app
         container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
         host.hostName: ip-192-168-22-221.ec2.internal
         host.mac: 0a:a2:c4:d3:fd:ef
         kubernetes.cluster.name: demo-kube-eks
         kubernetes.deployment.name: voter
         kubernetes.namespace.name: example-voting-app
         kubernetes.node.name: ip-192-168-22-221.ec2.internal
         kubernetes.pod.name: voter-77d98548bc-hmkpc
         kubernetes.replicaSet.name: voter-77d98548bc
       }
       machineId: 0a:a2:c4:d3:fd:ef
       name: Sysdig Runtime Notable Events
       originator: policy
       severity: 4
       source: syscall
       timestamp: 1668293930605536300
       timestampRFC3339Nano: 2022-11-12T22:58:50.60553615Z
       type: policy
    }
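The following added example (not part of the Sysdig documentation or the agent's own code) shows what a forwarder destination can do with the event above once the labels block is present. It re-encodes a trimmed version of the sample as valid JSON (the Splunk rendering is not literal JSON), flattens rule details and workload labels into one triage record, checks that the required labels arrived and that the image digest is a full sha256 pin, and models the include/exclude configuration from the section above. The `effective_label_keys` semantics (default set plus `include`, minus `exclude`) are an assumption read off the config snippets, and the function names and `REQUIRED_LABELS` list are hypothetical.

```python
import json
import re

# Constructed sample: a trimmed re-encoding, as valid JSON, of the enriched event
# shown on this page (the Splunk rendering is not literal JSON).
SAMPLE_EVENT = json.loads("""
{
  "category": "runtime",
  "containerId": "d9f5e4a9aedd",
  "content": {
    "ruleName": "Launch Root User Container",
    "ruleTags": ["network", "mitre_execution"],
    "fields": {
      "container.image.repository": "sysdiglabs/example-voting-app-voter",
      "falco.rule": "Launch Root User Container",
      "proc.name": "container:d9f5e4a9aedd"
    }
  },
  "labels": {
    "agent.tag.role": "demo-kube-eks",
    "aws.accountId": "845151661675",
    "aws.region": "us-east-1",
    "container.image.digest": "sha256:4cde188c9b43d02197662b5d5323ea0ba8f40efdacf672fe9bd1eb010ad207de",
    "container.image.repo": "sysdiglabs/example-voting-app-voter",
    "container.image.tag": "0.1",
    "host.hostName": "ip-192-168-22-221.ec2.internal",
    "kubernetes.cluster.name": "demo-kube-eks",
    "kubernetes.deployment.name": "voter",
    "kubernetes.namespace.name": "example-voting-app",
    "kubernetes.node.name": "ip-192-168-22-221.ec2.internal",
    "kubernetes.pod.name": "voter-77d98548bc-hmkpc"
  },
  "severity": 4,
  "timestampRFC3339Nano": "2022-11-12T22:58:50.60553615Z"
}
""")

# Labels a downstream playbook needs before it can act on a runtime event
# (a hypothetical requirement list, not something the agent enforces).
REQUIRED_LABELS = (
    "kubernetes.cluster.name",
    "kubernetes.namespace.name",
    "kubernetes.pod.name",
    "container.image.digest",
)

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def effective_label_keys(default_keys, include=(), exclude=()):
    """Model of what the include/exclude config does to the emitted label set.

    Assumed semantics, read off the config snippets on this page: start from
    the agent's default keys, add every 'include' key, then drop every
    'exclude' key.
    """
    return (set(default_keys) | set(include)) - set(exclude)


def missing_labels(event, required=REQUIRED_LABELS):
    """Return the required label keys absent from the event's 'labels' block."""
    present = event.get("labels", {})
    return sorted(k for k in required if k not in present)


def image_is_pinned(event):
    """True when enrichment carries a full sha256 digest, so the exact image
    that ran can be retrieved later rather than only a mutable tag."""
    digest = event.get("labels", {}).get("container.image.digest", "")
    return DIGEST_RE.match(digest) is not None


def triage_summary(event):
    """Flatten rule details and workload labels into one record for a SIEM."""
    labels = event.get("labels", {})
    content = event.get("content", {})
    return {
        "rule": content.get("ruleName"),
        "tags": list(content.get("ruleTags", [])),
        "severity": event.get("severity"),
        "cluster": labels.get("kubernetes.cluster.name"),
        "namespace": labels.get("kubernetes.namespace.name"),
        "pod": labels.get("kubernetes.pod.name"),
        "image": f'{labels.get("container.image.repo")}:{labels.get("container.image.tag")}',
        "image_pinned": image_is_pinned(event),
        "aws_account": labels.get("aws.accountId"),
        "aws_region": labels.get("aws.region"),
        "missing_labels": missing_labels(event),
    }


if __name__ == "__main__":
    print(json.dumps(triage_summary(SAMPLE_EVENT), indent=2))
    defaults = SAMPLE_EVENT["labels"].keys()
    print(sorted(effective_label_keys(defaults,
                                      include=["custom.label.to.include"],
                                      exclude=["host.hostName"])))
```

The `missing_labels` check is the useful part operationally: if you exclude a label in `event_labels.exclude`, or enrichment is disabled, the gap shows up on the receiving side as an event that cannot be attributed to a cluster, namespace or pinned image, which is easier to catch at ingest than during an investigation.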