Event Forwarding
Sysdig supports sending different types of security data to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, Qradar, Arcsight, LogDNA. Use Event Forwarding to perform these integrations so you can view security events and correlate Sysdig findings with the tool that you are already using for analysis.
Supported 3rd-Party Solutions
Webhook: Protocol used when your compatible solution is not in the supported list above.
Tip
Review the Types of Secure Integrations table for more context. The Event Forwarding column lists the various options and their levels of support.
Supported Event Forwarding Data Sources
At this time, Sysdig Secure can forward the following types of data:
Policy events: there are now two supported formats: the older one (legacy policy events) and current one (runtime policy events).
Activity audit information in each of the four audit types:
command, network, file,andkubectl exec.
JSON Formats Used per Data Source
Informational; in most cases, there is no need to change the default format.
Policy Event Payloads
There are now two formats supported. See also this Release Note.
New Runtime Policy Events Payload
{
"id": "164ace360cc3cfbc26ec22d61b439500",
"type": "policy",
"timestamp": 1606322948648718268,
"originator": "policy",
"category": "runtime",
"source": "syscall",
"name": "Notable Filesystem Changes",
"description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
"severity": 0,
"agentId": 13530,
"containerId": "",
"machineId": "08:00:27:54:f3:9d",
"content": {
"policyId": 544,
"baselineId": "",
"ruleName": "Write below etc",
"ruleType": "RULE_TYPE_FALCO",
"ruleTags": [
"mitre_persistence",
"NIST",
"NIST_3.4.4",
"filesystem"
],
"output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
"fields": {
"container.id": "host",
"container.image.repository": "<NA>",
"falco.rule": "Write below etc",
"fd.name": "/etc/ard",
"proc.aname[2]": "su",
"proc.aname[3]": "sudo",
"proc.aname[4]": "bash",
"proc.cmdline": "touch /etc/ard",
"proc.name": "touch",
"proc.pcmdline": "bash",
"proc.pname": "bash",
"user.name": "root"
},
"falsePositive": false,
"matchedOnDefault": false,
"policyVersion": 2,
"policyOrigin": "Sysdig"
},
"labels": {
"host.hostName": "ardbox",
"process.name": "touch /etc/ard"
}
}Legacy Secure Policy Event Payload
{
"id": "164ace360cc3cfbc26ec22d61b439500",
"containerId": "",
"name": "Notable Filesystem Changes",
"description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
"severity": 0,
"policyId": 544,
"actionResults": [],
"output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
"ruleType": "RULE_TYPE_FALCO",
"matchedOnDefault": false,
"fields": [
{
"key": "container.image.repository",
"value": "<NA>"
},
{
"key": "proc.aname[3]",
"value": "sudo"
},
{
"key": "proc.aname[4]",
"value": "bash"
},
{
"key": "proc.cmdline",
"value": "touch /etc/ard"
},
{
"key": "proc.pname",
"value": "bash"
},
{
"key": "falco.rule",
"value": "Write below etc"
},
{
"key": "proc.name",
"value": "touch"
},
{
"key": "fd.name",
"value": "/etc/ard"
},
{
"key": "proc.aname[2]",
"value": "su"
},
{
"key": "proc.pcmdline",
"value": "bash"
},
{
"key": "container.id",
"value": "host"
},
{
"key": "user.name",
"value": "root"
}
],
"eventLabels": [
{
"key": "host.hostName",
"value": "ardbox"
},
{
"key": "process.name",
"value": "touch /etc/ard"
}
],
"falsePositive": false,
"baselineId": "",
"policyVersion": 2,
"origin": "Sysdig",
"timestamp": 1606322948648718,
"timestampNs": 1606322948648718268,
"hostMac": "08:00:27:54:f3:9d",
"isAggregated": false
}Activity Audit Forwarding Payloads
Each of the activity audit types has its own JSON format.
Command (cmd) Payload
{
"id": "164806c17885b5615ba513135ea13d79",
"agentId": 32212,
"cmdline": "calico-node -felix-ready -bird-ready",
"comm": "calico-node",
"containerId": "a407fb17332b",
"count": 1,
"cwd": "/",
"hostname": "qa-k8smetrics",
"loginShellDistance": 0,
"loginShellId": 0,
"pid": 29278,
"ppid": 29275,
"rxTimestamp": 1605540695537513500,
"timestamp": 1605540695178065200,
"tty": 0,
"uid": 0
}Network (net) Payload
{
"id": "164806f43b4d7e8c6708f40cdbb47838",
"agentId": 32212,
"clientIpv4": 2886795285,
"clientPort": 60720,
"containerId": "da3abd373c7a",
"direction": "out",
"errorCode": 115,
"hostname": "qa-k8smetrics",
"l4protocol": 6,
"pid": 2452,
"processName": "kubectl",
"rxTimestamp": 0,
"serverIpv4": 174063617,
"serverPort": 443,
"timestamp": 1605540913194303200
} File (file) Payload
{
"id": "164806c161a5dd221c4ee79d6b5dd1ce",
"agentId": 32212,
"containerId": "a407fb17332b",
"hostname": "qa-k8smetrics",
"timestamp": 1605540694794296600,
"directory": "/etc/service/enabled/confd/supervise/",
"filename": "ok",
"permissions": "w",
"pid": 29237,
"comm": "sv",
"cmdline": ""
} Kubernetes (kube exec) Payload
{
"id": "164806f4c47ad9101117d87f8b574ecf",
"agentId": 32212,
"args": {
"command": "bash",
"container": "nginx"
},
"auditId": "c474d1de-c764-445a-8142-a0142505868e",
"containerId": "397be1762fba",
"hostname": "qa-k8smetrics",
"name": "nginx-76f9cf7469-k5kf7",
"namespace": "nginx",
"resource": "pods",
"sourceAddresses": [
"172.17.0.21"
],
"stages": {
"started": 1605540915526159000,
"completed": 1605540915660084000
},
"subResource": "exec",
"timestamp": 1605540915495754000,
"user": {
"username": "system:serviceaccount:default:default-kubectl-trigger",
"groups": [
"system:serviceaccounts",
"system:serviceaccounts:default",
"system:authenticated"
]
},
"userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"
}Benchmark Result Payloads
To forward benchmark events, you must have Benchmarks v2 installed and configured, using the Node Analyzer.
A Benchmark Control payload is emitted for each control on each host on every Benchmark Run. A Benchmark Run payload containing a summary of the results is emitted for each host on every Benchmark Run.
Benchmark Control Payload
{
"agentId": 0,
"category": "runtime",
"containerId": "",
"content": {
"control": {
"auditCommand": "ps -ef | grep etcd | grep -- --data-dir | sed 's%.*data-dir[= ]\\([^ ]*\\).*%\\1%' | xargs stat -c %U:%G",
"description": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
"expectedOutput": "'' is present",
"failingResources": [
{
"Hostname": "qa-k8smetrics"
}
],
"familyName": "Master Node Configuration Files",
"id": "1.1.12",
"level": "Level 1",
"rationale": "etcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. It should be owned by `etcd:etcd`.",
"remediation": "On the etcd server node, get the etcd data directory, passed as an argument --data-dir,\nfrom the below command:\nps -ef | grep etcd\nRun the below command (based on the etcd data directory found above).\nFor example, chown etcd:etcd /var/lib/etcd\n",
"resourceCount": 0,
"resourceType": "Hosts",
"result": "Fail",
"title": "Ensure that the etcd data directory ownership is set to etcd:etcd (Automated)"
},
"runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
"schema": "kube_bench_cis-1.6.0",
"source": "host",
"subType": "control",
"taskId": 205
},
"description": "Kubernetes benchmark kube_bench_cis-1.6.0 control 1.1.12 completed.",
"id": "167e641d319f53438dca3c702ecb2460",
"labels": {
"aws.accountId": "059797578166",
"aws.instanceId": "i-0fb61365358ce26a7",
"aws.region": "us-east-1",
"host.hostName": "qa-k8smetrics",
"host.mac": "16:16:ef:cb:72:15",
"kubernetes.cluster.name": "test-k8s-data",
"kubernetes.node.name": "qa-k8smetrics"
},
"machineId": "16:16:ef:cb:72:15",
"name": "Kubernetes Benchmark Control Reported",
"originator": "benchmarks",
"severity": 0,
"source": "host",
"timestamp": 1620842992449311555,
"type": "benchmark"
}Benchmark Run Payload
{
"agentId": 0,
"category": "runtime",
"containerId": "",
"content": {
"run": {
"failCount": 11,
"passCount": 67,
"warnCount": 44
},
"runId": "e569ccbb-b314-4fcc-991e-7baa0671ff34",
"schema": "kube_bench_cis-1.6.0",
"source": "host",
"subType": "run",
"taskId": 205
},
"description": "Kubernetes benchmark kube_bench_cis-1.6.0 completed.",
"id": "167e641d319f5343019a4183b1ec2906",
"labels": {
"aws.accountId": "059797578166",
"aws.instanceId": "i-0fb61365358ce26a7",
"aws.region": "us-east-1",
"host.hostName": "qa-k8smetrics",
"host.mac": "16:16:ef:cb:72:15",
"kubernetes.cluster.name": "test-k8s-data",
"kubernetes.node.name": "qa-k8smetrics"
},
"machineId": "16:16:ef:cb:72:15",
"name": "Kubernetes Benchmark Run Failed",
"originator": "benchmarks",
"severity": 0,
"source": "host",
"timestamp": 1620842992449311555,
"type": "benchmark"
}Delete an Event Forwarding Integration
To delete an existing integration:
From the
Settingsmodule of the Sysdig Secure UI, navigate to theEvents Forwardingtab.Click the
More Options(three dots) icon.Click the
Delete Integrationbutton.Click the
Yes, deletebutton to confirm the change.