Event Forwarding

Sysdig supports sending policy events and activity audit information to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, QRadar, ArcSight, and LogDNA. You can use the Event Forwarding functionality in Sysdig Secure to forward events and audits to a tool in your environment. This lets you view security events and correlate Sysdig findings in the tool you already use for analysis.

Types of Event Forwarding

Tip

Review the Types of Secure Integrations table for more context. The Event Forwarding column lists the various options and their levels of support.

Event Enrichment with Agent Labels

The agent attaches the following labels by default when event labels are enabled.

Enable labels

event_labels:
  enabled: true/false

Default labels

event_labels:
  include:
    - process.name
    - host.hostName
    - agent.tag
    - container.name
    - kubernetes.cluster.name
    - kubernetes.namespace.name
    - kubernetes.deployment.name
    - kubernetes.pod.name
    - kubernetes.node.name

Adding Custom Labels

Event labeling can both include additional labels and exclude labels from the forwarded event.

event_labels:
  exclude:
    - custom.label.to.exclude

event_labels:
  include:
    - custom.label.to.include

Example of an enriched event being sent to Splunk:

{
  "baselineId": null,
  "containerId": "e4d32e56d9d2",
  "description": "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
  "eventLabels": [
    { "key": "kubernetes.node.name", "value": "ip-172-31-72-246" },
    { "key": "container.name", "value": "k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0" },
    { "key": "kubernetes.cluster.name", "value": "SysdigBackend" },
    { "key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0" },
    { "key": "kubernetes.namespace.name", "value": "sysdigcloud" },
    { "key": "agent.tag.timezone", "value": "UTC" },
    { "key": "agent.tag.location", "value": "europe" },
    { "key": "process.name", "value": "bash" },
    { "key": "host.hostName", "value": "ip-172-31-72-246" }
  ],
  "falsePositive": false,
  "fields": [ ... ],
  "hostMac": "02:77:68:60:6b:ae",
  "id": 702701271278202880,
  "isAggregated": false,
  "matchedOnDefault": false,
  "name": "Terminal shell in container",
  "output": "A shell was spawned in a container with an attached terminal (user=root k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0 (id=e4d32e56d9d2) shell=bash parent=docker-runc cmdline=bash terminal=34816)",
  "policyId": 18,
  "ruleSubtype": null,
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "version": 1
}
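On the SIEM side the eventLabels array is awkward to query directly, so a receiver usually flattens it before correlating. The following is an added example (not Sysdig's code) that parses a forwarded event like the one above, flattens the labels, splits out the agent.tag.* entries, and builds the fields a SIEM rule would key on; the sample event is constructed from the one shown, and the 16-digit timestamp is assumed to be epoch microseconds.

```python
import json
from typing import Any

# Constructed sample: a trimmed copy of the enriched "Terminal shell in
# container" event shown above, as it would arrive at the SIEM.
SAMPLE_EVENT = json.dumps({
    "containerId": "e4d32e56d9d2",
    "name": "Terminal shell in container",
    "severity": 5,
    "policyId": 18,
    "ruleType": "RULE_TYPE_FALCO",
    "timestamp": 1564065391633554,
    "eventLabels": [
        {"key": "kubernetes.node.name", "value": "ip-172-31-72-246"},
        {"key": "kubernetes.namespace.name", "value": "sysdigcloud"},
        {"key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0"},
        {"key": "agent.tag.timezone", "value": "UTC"},
        {"key": "agent.tag.location", "value": "europe"},
        {"key": "process.name", "value": "bash"},
        {"key": "host.hostName", "value": "ip-172-31-72-246"},
    ],
})


def flatten_labels(event: dict) -> dict[str, str]:
    """Turn the eventLabels key/value list into a flat dict keyed by label name."""
    return {lbl["key"]: lbl["value"] for lbl in event.get("eventLabels", [])}


def agent_tags(labels: dict[str, str]) -> dict[str, str]:
    """Collect the agent.tag.* entries that the 'agent.tag' include expands to."""
    prefix = "agent.tag."
    return {k[len(prefix):]: v for k, v in labels.items() if k.startswith(prefix)}


def normalize_event(raw: str) -> dict[str, Any]:
    """Parse a forwarded event and build the fields a SIEM correlation rule keys on."""
    event = json.loads(raw)
    labels = flatten_labels(event)
    return {
        "rule": event["name"],
        "severity": event["severity"],
        "policy_id": event["policyId"],
        # Assumption: the timestamp is epoch microseconds; convert to seconds.
        "time": event["timestamp"] / 1_000_000,
        "container_id": event.get("containerId"),
        # kubernetes.<object>.name -> {object: name}
        "k8s": {k.split(".")[1]: v for k, v in labels.items() if k.startswith("kubernetes.")},
        "host": labels.get("host.hostName"),
        "process": labels.get("process.name"),
        "tags": agent_tags(labels),
    }
```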

Delete an Event Forwarding Integration

To delete an existing integration:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the More Options (three dots) icon.

  3. Click the Delete Integration button.

  4. Click the Yes, delete button to confirm the change.