Event Forwarding
Sysdig supports sending different types of security data to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, QRadar, ArcSight, and LogDNA. Use Event Forwarding to set up these integrations so you can view security events and correlate Sysdig findings in the tool you already use for analysis.
Supported 3rd-Party Solutions
Webhook: Protocol used when your compatible solution is not in the supported list above.
Tip
Review the Types of Secure Integrations table for more context. The Event Forwarding column lists the various options and their levels of support.
Supported Data Sources
At this time, Sysdig Secure can forward the following types of data:
Policy events: two formats are supported, the older one (legacy policy events) and the current one (runtime policy events).
Activity audit information in each of the four audit types: command, network, file, and kubectl exec.
JSON Formats Used per Data Source
Informational; in most cases, there is no need to change the default format.
Policy Event Payloads
Two formats are supported. See also the corresponding Release Note.
New Runtime Policy Events Payload
{
  "id": "164ace360cc3cfbc26ec22d61b439500",
  "type": "policy",
  "timestamp": 1606322948648718268,
  "originator": "policy",
  "category": "runtime",
  "source": "syscall",
  "name": "Notable Filesystem Changes",
  "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
  "severity": 0,
  "agentId": 13530,
  "containerId": "",
  "machineId": "08:00:27:54:f3:9d",
  "content": {
    "policyId": 544,
    "baselineId": "",
    "ruleName": "Write below etc",
    "ruleType": "RULE_TYPE_FALCO",
    "ruleTags": [ "mitre_persistence", "NIST", "NIST_3.4.4", "filesystem" ],
    "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
    "fields": {
      "container.id": "host",
      "container.image.repository": "<NA>",
      "falco.rule": "Write below etc",
      "fd.name": "/etc/ard",
      "proc.aname[2]": "su",
      "proc.aname[3]": "sudo",
      "proc.aname[4]": "bash",
      "proc.cmdline": "touch /etc/ard",
      "proc.name": "touch",
      "proc.pcmdline": "bash",
      "proc.pname": "bash",
      "user.name": "root"
    },
    "falsePositive": false,
    "matchedOnDefault": false,
    "policyVersion": 2,
    "policyOrigin": "Sysdig"
  },
  "labels": {
    "host.hostName": "ardbox",
    "process.name": "touch /etc/ard"
  }
}
Legacy Secure Policy Event Payload
{
  "id": "164ace360cc3cfbc26ec22d61b439500",
  "containerId": "",
  "name": "Notable Filesystem Changes",
  "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
  "severity": 0,
  "policyId": 544,
  "actionResults": [],
  "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
  "ruleType": "RULE_TYPE_FALCO",
  "matchedOnDefault": false,
  "fields": [
    { "key": "container.image.repository", "value": "<NA>" },
    { "key": "proc.aname[3]", "value": "sudo" },
    { "key": "proc.aname[4]", "value": "bash" },
    { "key": "proc.cmdline", "value": "touch /etc/ard" },
    { "key": "proc.pname", "value": "bash" },
    { "key": "falco.rule", "value": "Write below etc" },
    { "key": "proc.name", "value": "touch" },
    { "key": "fd.name", "value": "/etc/ard" },
    { "key": "proc.aname[2]", "value": "su" },
    { "key": "proc.pcmdline", "value": "bash" },
    { "key": "container.id", "value": "host" },
    { "key": "user.name", "value": "root" }
  ],
  "eventLabels": [
    { "key": "host.hostName", "value": "ardbox" },
    { "key": "process.name", "value": "touch /etc/ard" }
  ],
  "falsePositive": false,
  "baselineId": "",
  "policyVersion": 2,
  "origin": "Sysdig",
  "timestamp": 1606322948648718,
  "timestampNs": 1606322948648718268,
  "hostMac": "08:00:27:54:f3:9d",
  "isAggregated": false
}
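A receiver on the SIEM side may see either format, and the two differ in more than nesting: the runtime format keeps rule details under "content" with fields and labels as objects, while the legacy format flattens them to the top level, encodes fields and labels as key/value lists, reports "timestamp" in microseconds next to "timestampNs", and carries no ruleTags at all. The following Python is an added example, not Sysdig code. It takes its field names from the two sample payloads above; the flat output schema (event_id, rule, tags, host, and so on) is this example's own choice, and the two constructed inputs are trimmed copies of the samples.

```python
"""Normalize Sysdig Secure policy events, in either payload format, for SIEM ingestion.
Added example, not Sysdig code; the output schema is an assumption of this example."""
import json
from datetime import datetime, timezone

# Constructed sample: trimmed copy of the runtime policy event format (details under "content").
RUNTIME_EVENT = json.loads("""{
  "id": "164ace360cc3cfbc26ec22d61b439500", "type": "policy",
  "timestamp": 1606322948648718268, "name": "Notable Filesystem Changes",
  "severity": 0, "containerId": "", "machineId": "08:00:27:54:f3:9d",
  "content": {
    "policyId": 544, "ruleName": "Write below etc", "ruleType": "RULE_TYPE_FALCO",
    "ruleTags": ["mitre_persistence", "NIST", "NIST_3.4.4", "filesystem"],
    "output": "File below /etc opened for writing (user=root command=touch /etc/ard ...)",
    "fields": {"container.id": "host", "fd.name": "/etc/ard",
               "proc.cmdline": "touch /etc/ard", "user.name": "root"},
    "falsePositive": false, "policyOrigin": "Sysdig"
  },
  "labels": {"host.hostName": "ardbox", "process.name": "touch /etc/ard"}
}""")

# Constructed sample: the same event in the legacy format (fields/labels as key-value lists).
LEGACY_EVENT = json.loads("""{
  "id": "164ace360cc3cfbc26ec22d61b439500", "containerId": "",
  "name": "Notable Filesystem Changes", "severity": 0, "policyId": 544,
  "output": "File below /etc opened for writing (user=root command=touch /etc/ard ...)",
  "ruleType": "RULE_TYPE_FALCO",
  "fields": [{"key": "container.id", "value": "host"}, {"key": "fd.name", "value": "/etc/ard"},
             {"key": "proc.cmdline", "value": "touch /etc/ard"},
             {"key": "falco.rule", "value": "Write below etc"}, {"key": "user.name", "value": "root"}],
  "eventLabels": [{"key": "host.hostName", "value": "ardbox"},
                  {"key": "process.name", "value": "touch /etc/ard"}],
  "falsePositive": false, "origin": "Sysdig",
  "timestamp": 1606322948648718, "timestampNs": 1606322948648718268,
  "hostMac": "08:00:27:54:f3:9d"
}""")


def ns_to_iso(ts_ns):
    """Nanosecond epoch -> ISO-8601 UTC at microsecond precision, without float rounding."""
    secs, rem_ns = divmod(int(ts_ns), 1_000_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=rem_ns // 1000).isoformat()


def kv_list_to_dict(items):
    """Legacy payloads encode fields and labels as [{"key": k, "value": v}, ...]."""
    return {item["key"]: item["value"] for item in items or []}


def is_runtime_format(event):
    """Runtime-format events nest rule details under "content"; legacy ones keep them top-level."""
    return isinstance(event.get("content"), dict)


def normalize_policy_event(event):
    """Return one flat record regardless of which payload format was forwarded."""
    if is_runtime_format(event):
        content = event["content"]
        fields = dict(content.get("fields") or {})
        labels = dict(event.get("labels") or {})
        detail = {
            "format": "runtime",
            "@timestamp": ns_to_iso(event["timestamp"]),  # runtime "timestamp" is nanoseconds
            "policy_id": content.get("policyId"),
            "rule": content.get("ruleName") or fields.get("falco.rule"),
            "rule_type": content.get("ruleType"),
            "tags": list(content.get("ruleTags") or []),
            "origin": content.get("policyOrigin"),
            "false_positive": bool(content.get("falsePositive", False)),
            "host_id": event.get("machineId"),
            "output": content.get("output"),
        }
    else:
        fields = kv_list_to_dict(event.get("fields"))
        labels = kv_list_to_dict(event.get("eventLabels"))
        # Legacy "timestamp" is microseconds; prefer "timestampNs" when it is present.
        ts_ns = event.get("timestampNs") or int(event["timestamp"]) * 1000
        detail = {
            "format": "legacy",
            "@timestamp": ns_to_iso(ts_ns),
            "policy_id": event.get("policyId"),
            "rule": fields.get("falco.rule"),  # no ruleName at top level in legacy
            "rule_type": event.get("ruleType"),
            "tags": [],  # the legacy payload carries no ruleTags
            "origin": event.get("origin"),
            "false_positive": bool(event.get("falsePositive", False)),
            "host_id": event.get("hostMac"),
            "output": event.get("output"),
        }
    record = {
        "event_id": event["id"],
        "policy_name": event.get("name"),
        "severity": event.get("severity"),
        "host": labels.get("host.hostName"),
        # An empty containerId means a host event; fall back to the container.id field ("host").
        "container_id": event.get("containerId") or fields.get("container.id"),
        "user": fields.get("user.name"),
        "command": fields.get("proc.cmdline"),
        "file": fields.get("fd.name"),
        "fields": fields,
    }
    record.update(detail)
    return record
```

Run normalize_policy_event on both samples and the records agree on rule, host, host_id and timestamp; the only difference besides "format" is that the legacy record has an empty tags list, so any downstream routing keyed on tags such as mitre_persistence needs to account for legacy events.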
Activity Audit Forwarding Payloads
Each of the activity audit types has its own JSON format.
Command (cmd) Payload
{
  "id": "164806c17885b5615ba513135ea13d79",
  "agentId": 32212,
  "cmdline": "calico-node -felix-ready -bird-ready",
  "comm": "calico-node",
  "containerId": "a407fb17332b",
  "count": 1,
  "cwd": "/",
  "hostname": "qa-k8smetrics",
  "loginShellDistance": 0,
  "loginShellId": 0,
  "pid": 29278,
  "ppid": 29275,
  "rxTimestamp": 1605540695537513500,
  "timestamp": 1605540695178065200,
  "tty": 0,
  "uid": 0
}
Network (net) Payload
{
  "id": "164806f43b4d7e8c6708f40cdbb47838",
  "agentId": 32212,
  "clientIpv4": 2886795285,
  "clientPort": 60720,
  "containerId": "da3abd373c7a",
  "direction": "out",
  "errorCode": 115,
  "hostname": "qa-k8smetrics",
  "l4protocol": 6,
  "pid": 2452,
  "processName": "kubectl",
  "rxTimestamp": 0,
  "serverIpv4": 174063617,
  "serverPort": 443,
  "timestamp": 1605540913194303200
}
File (file) Payload
{
  "id": "164806c161a5dd221c4ee79d6b5dd1ce",
  "agentId": 32212,
  "containerId": "a407fb17332b",
  "hostname": "qa-k8smetrics",
  "timestamp": 1605540694794296600,
  "directory": "/etc/service/enabled/confd/supervise/",
  "filename": "ok",
  "permissions": "w",
  "pid": 29237,
  "comm": "sv",
  "cmdline": ""
}
Kubernetes (kube exec) Payload
{
  "id": "164806f4c47ad9101117d87f8b574ecf",
  "agentId": 32212,
  "args": {
    "command": "bash",
    "container": "nginx"
  },
  "auditId": "c474d1de-c764-445a-8142-a0142505868e",
  "containerId": "397be1762fba",
  "hostname": "qa-k8smetrics",
  "name": "nginx-76f9cf7469-k5kf7",
  "namespace": "nginx",
  "resource": "pods",
  "sourceAddresses": [ "172.17.0.21" ],
  "stages": {
    "started": 1605540915526159000,
    "completed": 1605540915660084000
  },
  "subResource": "exec",
  "timestamp": 1605540915495754000,
  "user": {
    "username": "system:serviceaccount:default:default-kubectl-trigger",
    "groups": [ "system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated" ]
  },
  "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"
}
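The four audit payloads share only a handful of keys (id, agentId, hostname, containerId, timestamp), so a consumer normally identifies the type first and then decodes the type-specific fields into something a SIEM can search: the net payload in particular carries addresses as integers, the protocol as a number and the socket error as a numeric code. The following Python is an added example, not Sysdig code. Beyond the four sample payloads above, it assumes that the audit type can be inferred from keys unique to each shape; that clientIpv4 and serverIpv4 are the unsigned 32-bit integer form of the dotted-quad address (the sample's 2886795285 decodes to 172.17.0.21, the same address that appears in the kube exec payload's sourceAddresses); that l4protocol is an IANA protocol number; that errorCode is the Linux errno returned by the socket call; and that timestamps are nanoseconds since the Unix epoch. The two embedded inputs are constructed, trimmed copies of the net and kube exec samples.

```python
"""Decode Sysdig Secure activity audit payloads (cmd / net / file / kube exec) for a SIEM.
Added example, not Sysdig code; the inference rules and integer-IPv4 reading are assumptions."""
import errno
import ipaddress
import socket
from datetime import datetime, timezone

# Constructed samples: trimmed copies of the net and kube exec payloads shown above.
NET_SAMPLE = {
    "id": "164806f43b4d7e8c6708f40cdbb47838", "agentId": 32212,
    "clientIpv4": 2886795285, "clientPort": 60720, "containerId": "da3abd373c7a",
    "direction": "out", "errorCode": 115, "hostname": "qa-k8smetrics",
    "l4protocol": 6, "pid": 2452, "processName": "kubectl", "rxTimestamp": 0,
    "serverIpv4": 174063617, "serverPort": 443, "timestamp": 1605540913194303200,
}
KUBE_EXEC_SAMPLE = {
    "id": "164806f4c47ad9101117d87f8b574ecf", "agentId": 32212,
    "args": {"command": "bash", "container": "nginx"},
    "auditId": "c474d1de-c764-445a-8142-a0142505868e", "containerId": "397be1762fba",
    "hostname": "qa-k8smetrics", "name": "nginx-76f9cf7469-k5kf7", "namespace": "nginx",
    "resource": "pods", "sourceAddresses": ["172.17.0.21"], "subResource": "exec",
    "timestamp": 1605540915495754000,
    "user": {"username": "system:serviceaccount:default:default-kubectl-trigger"},
    "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50",
}

# Assumed: l4protocol is an IANA protocol number (6 = TCP in the sample).
L4_NAMES = {socket.IPPROTO_TCP: "tcp", socket.IPPROTO_UDP: "udp", socket.IPPROTO_ICMP: "icmp"}


def ns_to_iso(ts_ns):
    """Nanosecond epoch -> ISO-8601 UTC at microsecond precision, without float rounding."""
    secs, rem_ns = divmod(int(ts_ns), 1_000_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=rem_ns // 1000).isoformat()


def ipv4_from_int(value):
    """Assumed encoding: clientIpv4/serverIpv4 are the 32-bit integer value of the dotted quad."""
    return str(ipaddress.IPv4Address(int(value)))


def audit_type(payload):
    """Infer the audit type from keys that only one payload shape carries."""
    if "subResource" in payload and "auditId" in payload:
        return "kube_exec"
    if "direction" in payload and "serverIpv4" in payload:
        return "net"
    if "filename" in payload and "permissions" in payload:
        return "file"
    if "cmdline" in payload and "comm" in payload:
        return "cmd"
    raise ValueError("unrecognised activity audit payload")


def decode_activity_audit(payload):
    """Return a flat, searchable record with the type-specific fields decoded."""
    kind = audit_type(payload)
    record = {
        "audit_type": kind,
        "event_id": payload["id"],
        "@timestamp": ns_to_iso(payload["timestamp"]),
        "agent_id": payload.get("agentId"),
        "hostname": payload.get("hostname"),
        "container_id": payload.get("containerId"),
    }
    if kind == "cmd":
        record.update(command=payload["cmdline"], process=payload["comm"], cwd=payload.get("cwd"),
                      pid=payload.get("pid"), ppid=payload.get("ppid"), uid=payload.get("uid"),
                      login_shell=payload.get("loginShellId"))
    elif kind == "net":
        code = int(payload.get("errorCode", 0))
        record.update(
            process=payload.get("processName"), pid=payload.get("pid"),
            direction=payload["direction"],
            protocol=L4_NAMES.get(payload.get("l4protocol"), str(payload.get("l4protocol"))),
            client=f"{ipv4_from_int(payload['clientIpv4'])}:{payload['clientPort']}",
            server=f"{ipv4_from_int(payload['serverIpv4'])}:{payload['serverPort']}",
            # Assumed to be the Linux errno of the socket call; errno.errorcode is the local
            # platform's table, so the symbolic name is only a hint when decoding elsewhere.
            error=errno.errorcode.get(code, str(code)) if code else None,
        )
    elif kind == "file":
        record.update(process=payload.get("comm"), pid=payload.get("pid"),
                      path=payload["directory"] + payload["filename"],
                      access=payload["permissions"])
    else:  # kube_exec
        args = payload.get("args", {})
        record.update(
            pod=payload.get("name"), namespace=payload.get("namespace"),
            container=args.get("container"), command=args.get("command"),
            user=payload.get("user", {}).get("username"),
            source_ips=list(payload.get("sourceAddresses", [])),
            user_agent=payload.get("userAgent"),
        )
    return record
```

On the net sample this yields client 172.17.0.21:60720 and server 10.96.0.1:443 over tcp, and on the kube exec sample it surfaces which service account ran bash in which container and from which address, which is the level of detail a SIEM correlation between a kubectl exec and the subsequent command-audit events in that container needs.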
Delete an Event Forwarding Integration
To delete an existing integration:
1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.
2. Click the More Options (three dots) icon.
3. Click the Delete Integration button.
4. Click the Yes, delete button to confirm the change.