Events Dashboards

The Events Dashboards in Sysdig Secure provide event trend analysis and at-a-glance summaries of top policies, rules, namespaces, accounts, or users with event activity over the past 31 days. From the Overviews, you can drill down into specific event feeds and details to take action.

The Events Dashboards provide event overviews by data source: Overview (all sources), Kubernetes Clusters, Cloud Accounts, and Hosts and Containers (for environments using containers without Kubernetes orchestration).

The Dashboards are currently in Technical Preview status for Sysdig Secure SaaS.

Prerequisites

Sysdig Secure (SaaS) with data sources connected:

NOTE:

  • If a particular type of data source is not connected, the corresponding overview will show no data.
  • Only teams scoped to Entire Infrastructure will see the Dashboards.

Usage

General

  1. Log in to Sysdig Secure (SaaS).

  2. Select Events > Event Dashboards > (choose your data source). One of four panels opens (Overview, Kubernetes, Cloud, or Hosts and Containers).

    The events displayed match the permissions of the team under which you logged in.

  3. Select top-level filters to focus on a particular subset of event data, as appropriate.

    All of the context filters apply to the widgets on the page and to any drill-down pages.

    Common Filters
    • Severity

      Select any or all criticality levels: Critical, High, Medium, Info

    • Date

      Each top trend panel reports on the behavior of events over the past 31 days.

      By default, the trend graphs are set to 1 week. You can use the date selector, or double-click on a day, to see the Event panel results filtered for just that day. Use the Date bar at the bottom of the page to adjust the window, up to two weeks' worth of data at a time.

    Page-Specific Filters are detailed in the panel descriptions below.

  4. Review the top policies and rules with events and drill down into the Events feed or details to address them.

  5. Review the top activity by location, users, etc. and drill down as needed.

Events Overview

The Overview panel provides:

  • Top row: the common severity filter and the download button to capture a PDF of the panel display

  • Top panel: a summary of the data sources and their connected status (5 of 7, for example)

  • Events by Severity trend graph: Change the date selection at the bottom of the page if desired, or hover over a day to see the event number summarized by severity for that day

  • Top Policies and Top Rules triggered: click on an entry to drill into the event details

  • MITRE ATT&CK report by tactic and technique

Kubernetes Events

Filters Available

  • Cluster
  • Namespace
  • Workload

Cloud Events

Filters Available

  • Platform

  • Account/Project/Subscription (depending on AWS/GCP/Azure)

  • Region

  • Cloud Account User

Hosts and Containers Panel

Designed for environments using containers without Kubernetes orchestration.

Filters Available

  • Host names in
  • Containers in

Company Security Usage

The top trend panels are designed to guide Security workflows.

They present an overview of:

  • Trends of Events in the environment over the past 31 days (in up to two-week increments)
  • Policies and rules with the most events (up to 20 listings)
  • Event data by date or date range
  • Clusters, Namespaces, Workloads, Cloud account IDs, Users, hosts, and containers with the most events detected

These allow security managers to answer questions about their risk posture, such as:

  • Are my event levels trending down?
  • What is my most event-prone environment?

Sample Flows

Identify Progress through Metrics

  1. Choose the data source you want to view.
  2. Filter on segments of the infrastructure (specific clusters, accounts, users, hosts, containers) as desired.
  3. Review the metrics graph to see trends.
  4. Click on days to identify the difference between them.
  5. Drill down to event feeds for further investigation.