Event Enrichment with Agent Labels

When event labels are enabled, the agent attaches the labels listed below to every policy event it sends, so that the event carries the host, container, and Kubernetes context of the process that triggered it.

Enable labels

event_labels:
  enabled: true    # set to false to send policy events without labels

Default labels

event_labels:
  include:
    - process.name
    - host.hostName
    - agent.tag
    - container.name
    - kubernetes.cluster.name
    - kubernetes.namespace.name
    - kubernetes.deployment.name
    - kubernetes.pod.name
    - kubernetes.node.name

Adding Custom Labels

The event_labels block accepts both an include list and an exclude list. Use include to add a label key that is not in the default set, and exclude to drop one of the default keys (for example container.name, which in Kubernetes carries the full runtime container name and can be very long, as the sample event below shows). Both lists belong under the same event_labels key in the agent configuration; do not repeat the top-level event_labels key in one file, or the later definition will override the earlier one. Note that the default agent.tag entry expands to one label per configured agent tag, named agent.tag.<tag name>: the sample event below carries agent.tag.timezone and agent.tag.location.

event_labels:
  include:
    - custom.label.to.include
  exclude:
    - custom.label.to.exclude

Example of an enriched event as received by Splunk. The eventLabels array holds one key/value object per label; the fields array was collapsed in the Splunk event viewer and is elided here.

{
  "baselineId": null,
  "containerId": "e4d32e56d9d2",
  "description": "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
  "eventLabels": [
    { "key": "kubernetes.node.name", "value": "ip-172-31-72-246" },
    { "key": "container.name", "value": "k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0" },
    { "key": "kubernetes.cluster.name", "value": "SysdigBackend" },
    { "key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0" },
    { "key": "kubernetes.namespace.name", "value": "sysdigcloud" },
    { "key": "agent.tag.timezone", "value": "UTC" },
    { "key": "agent.tag.location", "value": "europe" },
    { "key": "process.name", "value": "bash" },
    { "key": "host.hostName", "value": "ip-172-31-72-246" }
  ],
  "falsePositive": false,
  "fields": [ ... ],
  "hostMac": "02:77:68:60:6b:ae",
  "id": 702701271278202880,
  "isAggregated": false,
  "matchedOnDefault": false,
  "name": "Terminal shell in container",
  "output": "A shell was spawned in a container with an attached terminal (user=root k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0 (id=e4d32e56d9d2) shell=bash parent=docker-runc cmdline=bash terminal=34816)",
  "policyId": 18,
  "ruleSubtype": null,
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "version": 1
}
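The eventLabels array is awkward to search on the SIEM side, and a mis-set exclude list silently removes context a detection pipeline may depend on. The following is an added example, not Sysdig's or Splunk's code, that flattens the labels of an event shaped like the one above into plain fields, pulls out the per-tag agent.tag.<name> entries, and reports which expected labels are missing. The sample event is constructed to mirror the page's example, the REQUIRED_LABELS set and the "labels.<key>" field naming are assumptions of this example, and the exclude simulation at the bottom only mimics what dropping a key from the agent's event_labels config would look like downstream.

```python
"""Normalise Sysdig Secure policy events that carry eventLabels.

Added example (not Sysdig's code): flattens the eventLabels list into a
dict, extracts agent tags, and checks that labels a detection pipeline
relies on are present. The "labels.<key>" field naming and the
REQUIRED_LABELS set are assumptions of this example.
"""
import json

# Constructed sample: the enriched event from the page, trimmed to the fields used here.
SAMPLE_EVENT = json.loads("""
{
  "containerId": "e4d32e56d9d2",
  "name": "Terminal shell in container",
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "eventLabels": [
    {"key": "kubernetes.node.name", "value": "ip-172-31-72-246"},
    {"key": "container.name", "value": "k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0"},
    {"key": "kubernetes.cluster.name", "value": "SysdigBackend"},
    {"key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0"},
    {"key": "kubernetes.namespace.name", "value": "sysdigcloud"},
    {"key": "agent.tag.timezone", "value": "UTC"},
    {"key": "agent.tag.location", "value": "europe"},
    {"key": "process.name", "value": "bash"},
    {"key": "host.hostName", "value": "ip-172-31-72-246"}
  ]
}
""")

# Assumed set of labels a Kubernetes-aware pipeline needs for routing and ownership lookups.
REQUIRED_LABELS = (
    "kubernetes.cluster.name",
    "kubernetes.namespace.name",
    "kubernetes.pod.name",
    "host.hostName",
)


def flatten_labels(event):
    """Turn the eventLabels list of {key, value} objects into a plain dict.

    Duplicate keys keep the last value seen; entries without a key are dropped.
    """
    labels = {}
    for item in event.get("eventLabels") or []:
        key = item.get("key")
        if key:
            labels[key] = item.get("value")
    return labels


def agent_tags(labels):
    """Return the agent tags, i.e. every agent.tag.<name> label, keyed by <name>."""
    prefix = "agent.tag."
    return {k[len(prefix):]: v for k, v in labels.items() if k.startswith(prefix)}


def missing_labels(event, required=REQUIRED_LABELS):
    """List required labels that are absent or empty on the event.

    A non-empty result usually means the agent's event_labels config
    (exclude list, or labels disabled) dropped something the pipeline relies on.
    """
    labels = flatten_labels(event)
    return [k for k in required if not labels.get(k)]


def to_splunk_fields(event):
    """Build a flat record with each label as a 'labels.<key>' field so that
    searches can filter on labels directly instead of walking the array."""
    record = {k: v for k, v in event.items() if k != "eventLabels"}
    for key, value in flatten_labels(event).items():
        record["labels." + key] = value
    return record


def without_label(event, key):
    """Copy of the event with one label removed; mimics an agent exclude entry downstream."""
    stripped = dict(event)
    stripped["eventLabels"] = [l for l in event.get("eventLabels") or [] if l.get("key") != key]
    return stripped


if __name__ == "__main__":
    print(json.dumps(to_splunk_fields(SAMPLE_EVENT), indent=2))
    print("agent tags:", agent_tags(flatten_labels(SAMPLE_EVENT)))
    print("missing:", missing_labels(SAMPLE_EVENT))
    print("missing after excluding namespace:",
          missing_labels(without_label(SAMPLE_EVENT, "kubernetes.namespace.name")))
```

Run it as a script to see the flattened record; the missing_labels check is the kind of thing to wire into an ingest-time health alert, since an agent rollout with a wrong exclude list otherwise goes unnoticed until an analyst needs the namespace or pod that is no longer there.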