Event Forwarding

Sysdig supports sending different types of security data to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, QRadar, ArcSight, and LogDNA. Use Event Forwarding to perform these integrations so you can view security events and correlate Sysdig findings in the tool you already use for analysis.

Supported 3rd-Party Solutions

Tip

Review the Types of Secure Integrations table for more context. The Event Forwarding column lists the various options and their levels of support.

Supported Data Sources

At this time, Sysdig Secure can forward the following types of data:

  • Policy events: two formats are supported, the older one (legacy policy events) and the current one (runtime policy events).

  • Activity audit information in each of the four audit types: command, network, file, and kubectl exec.

JSON Formats Used per Data Source

Informational; in most cases, there is no need to change the default format.

Policy Event Payloads

Two formats are supported; see also the corresponding Release Note. They differ in more than nesting: the runtime payload carries a single nanosecond timestamp and its fields and labels are JSON objects, whereas the legacy payload carries timestamp in microseconds plus timestampNs in nanoseconds, and its fields and eventLabels are lists of key/value pairs. A consumer that parses both must account for this.

New Runtime Policy Events Payload

{
    "id": "164ace360cc3cfbc26ec22d61b439500",
    "type": "policy",
    "timestamp": 1606322948648718268,
    "originator": "policy",
    "category": "runtime",
    "source": "syscall",
    "name": "Notable Filesystem Changes",
    "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
    "severity": 0,
    "agentId": 13530,
    "containerId": "",
    "machineId": "08:00:27:54:f3:9d",
    "content": {
      "policyId": 544,
      "baselineId": "",
      "ruleName": "Write below etc",
      "ruleType": "RULE_TYPE_FALCO",
      "ruleTags": [
        "mitre_persistence",
        "NIST",
        "NIST_3.4.4",
        "filesystem"
      ],
      "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
      "fields": {
        "container.id": "host",
        "container.image.repository": "<NA>",
        "falco.rule": "Write below etc",
        "fd.name": "/etc/ard",
        "proc.aname[2]": "su",
        "proc.aname[3]": "sudo",
        "proc.aname[4]": "bash",
        "proc.cmdline": "touch /etc/ard",
        "proc.name": "touch",
        "proc.pcmdline": "bash",
        "proc.pname": "bash",
        "user.name": "root"
      },
      "falsePositive": false,
      "matchedOnDefault": false,
      "policyVersion": 2,
      "policyOrigin": "Sysdig"
    },
    "labels": {
      "host.hostName": "ardbox",
      "process.name": "touch /etc/ard"
    }
}

Legacy Secure Policy Event Payload

{
    "id": "164ace360cc3cfbc26ec22d61b439500",
    "containerId": "",
    "name": "Notable Filesystem Changes",
    "description": "Identified notable filesystem activity that might change sensitive/important files. This differs from Suspicious Filesystem Changes in that it looks more broadly at filesystem activity, and might have more false positives as a result.",
    "severity": 0,
    "policyId": 544,
    "actionResults": [],
    "output": "File below /etc opened for writing (user=root command=touch /etc/ard parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su ggparent=sudo gggparent=bash container_id=host image=<NA>)",
    "ruleType": "RULE_TYPE_FALCO",
    "matchedOnDefault": false,
    "fields": [
      {
        "key": "container.image.repository",
        "value": "<NA>"
      },
      {
        "key": "proc.aname[3]",
        "value": "sudo"
      },
      {
        "key": "proc.aname[4]",
        "value": "bash"
      },
      {
        "key": "proc.cmdline",
        "value": "touch /etc/ard"
      },
      {
        "key": "proc.pname",
        "value": "bash"
      },
      {
        "key": "falco.rule",
        "value": "Write below etc"
      },
      {
        "key": "proc.name",
        "value": "touch"
      },
      {
        "key": "fd.name",
        "value": "/etc/ard"
      },
      {
        "key": "proc.aname[2]",
        "value": "su"
      },
      {
        "key": "proc.pcmdline",
        "value": "bash"
      },
      {
        "key": "container.id",
        "value": "host"
      },
      {
        "key": "user.name",
        "value": "root"
      }
    ],
    "eventLabels": [
      {
        "key": "host.hostName",
        "value": "ardbox"
      },
      {
        "key": "process.name",
        "value": "touch /etc/ard"
      }
    ],
    "falsePositive": false,
    "baselineId": "",
    "policyVersion": 2,
    "origin": "Sysdig",
    "timestamp": 1606322948648718,
    "timestampNs": 1606322948648718268,
    "hostMac": "08:00:27:54:f3:9d",
    "isAggregated": false
}
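Because a SIEM integration may receive either format (for example while migrating), it is worth collapsing both into one record before indexing. The following is an added example, not Sysdig's code: RUNTIME_EVENT and LEGACY_EVENT are trimmed copies of the two payloads shown above, and the names of the normalized fields are my own choice. The timestamp conversion uses integer arithmetic so the nanosecond part survives.

```python
"""Collapse both Sysdig Secure policy-event formats into one SIEM-ready record.

Added example, not Sysdig code. RUNTIME_EVENT and LEGACY_EVENT are trimmed
copies of the two payloads shown on this page; the normalized field names
are my own choice.
"""
from datetime import datetime, timezone

OUTPUT = ("File below /etc opened for writing (user=root command=touch /etc/ard "
          "parent=bash pcmdline=bash file=/etc/ard program=touch gparent=su "
          "ggparent=sudo gggparent=bash container_id=host image=<NA>)")

# Runtime format: rule data nested under "content", fields/labels as objects,
# a single nanosecond timestamp.
RUNTIME_EVENT = {
    "id": "164ace360cc3cfbc26ec22d61b439500", "type": "policy",
    "timestamp": 1606322948648718268, "source": "syscall",
    "name": "Notable Filesystem Changes", "severity": 0,
    "containerId": "", "machineId": "08:00:27:54:f3:9d",
    "content": {
        "policyId": 544, "ruleName": "Write below etc",
        "ruleTags": ["mitre_persistence", "NIST", "NIST_3.4.4", "filesystem"],
        "output": OUTPUT,
        "fields": {"container.id": "host", "falco.rule": "Write below etc",
                   "fd.name": "/etc/ard", "proc.cmdline": "touch /etc/ard",
                   "proc.name": "touch", "user.name": "root"},
        "falsePositive": False,
    },
    "labels": {"host.hostName": "ardbox", "process.name": "touch /etc/ard"},
}

# Legacy format: flat, fields/eventLabels as key/value lists, timestamp in
# microseconds plus timestampNs in nanoseconds.
LEGACY_EVENT = {
    "id": "164ace360cc3cfbc26ec22d61b439500", "containerId": "",
    "name": "Notable Filesystem Changes", "severity": 0, "policyId": 544,
    "output": OUTPUT,
    "fields": [{"key": "container.id", "value": "host"},
               {"key": "falco.rule", "value": "Write below etc"},
               {"key": "fd.name", "value": "/etc/ard"},
               {"key": "proc.cmdline", "value": "touch /etc/ard"},
               {"key": "proc.name", "value": "touch"},
               {"key": "user.name", "value": "root"}],
    "eventLabels": [{"key": "host.hostName", "value": "ardbox"},
                    {"key": "process.name", "value": "touch /etc/ard"}],
    "falsePositive": False,
    "timestamp": 1606322948648718, "timestampNs": 1606322948648718268,
    "hostMac": "08:00:27:54:f3:9d",
}

def ns_to_iso(ns):
    """Epoch nanoseconds -> RFC 3339 string with full ns precision.
    Integer arithmetic only: float seconds would drop the last digits."""
    secs, frac = divmod(int(ns), 10**9)
    base = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{frac:09d}Z"

def kv_list_to_dict(items):
    """Legacy payloads carry fields/labels as [{"key": k, "value": v}, ...]."""
    return {item["key"]: item["value"] for item in items}

def is_legacy(event):
    # Only the runtime format nests the rule data under "content".
    return "content" not in event

def normalize(event):
    """Return the same flat record whichever payload format came in."""
    if is_legacy(event):
        fields = kv_list_to_dict(event.get("fields", []))
        labels = kv_list_to_dict(event.get("eventLabels", []))
        # Prefer the ns field; fall back to the microsecond one if it is absent.
        ts = event.get("timestampNs") or event["timestamp"] * 1000
        rule, tags, policy_id = fields.get("falco.rule"), [], event["policyId"]
        output, fp = event["output"], event.get("falsePositive", False)
        host_mac = event.get("hostMac")
    else:
        c = event["content"]
        fields, labels = dict(c.get("fields", {})), dict(event.get("labels", {}))
        ts, rule, tags = event["timestamp"], c.get("ruleName"), list(c.get("ruleTags", []))
        policy_id, output, fp = c["policyId"], c["output"], c.get("falsePositive", False)
        host_mac = event.get("machineId")
    return {
        "id": event["id"], "time": ns_to_iso(ts),
        "policy_id": policy_id, "policy_name": event["name"],
        "rule": rule, "rule_tags": tags, "severity": event["severity"],
        "host": labels.get("host.hostName"), "host_mac": host_mac,
        # An empty containerId means the activity happened on the host itself.
        "container_id": event.get("containerId") or None,
        "user": fields.get("user.name"), "command": fields.get("proc.cmdline"),
        "fields": fields, "labels": labels,
        "output": output, "false_positive": fp,
    }
```

Feeding both sample payloads through normalize() yields identical records apart from rule_tags, which only the runtime format carries; downstream correlation rules can then key on policy_id, rule and container_id without caring which agent version produced the event.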

Activity Audit Forwarding Payloads

Each of the activity audit types has its own JSON format.

Command (cmd) Payload

{
    "id": "164806c17885b5615ba513135ea13d79",
    "agentId": 32212,
    "cmdline": "calico-node -felix-ready -bird-ready",
    "comm": "calico-node",
    "containerId": "a407fb17332b",
    "count": 1,
    "cwd": "/",
    "hostname": "qa-k8smetrics",
    "loginShellDistance": 0,
    "loginShellId": 0,
    "pid": 29278,
    "ppid": 29275,
    "rxTimestamp": 1605540695537513500,
    "timestamp": 1605540695178065200,
    "tty": 0,
    "uid": 0
}

Network (net) Payload

{
    "id": "164806f43b4d7e8c6708f40cdbb47838",
    "agentId": 32212,
    "clientIpv4": 2886795285,
    "clientPort": 60720,
    "containerId": "da3abd373c7a",
    "direction": "out",
    "errorCode": 115,
    "hostname": "qa-k8smetrics",
    "l4protocol": 6,
    "pid": 2452,
    "processName": "kubectl",
    "rxTimestamp": 0,
    "serverIpv4": 174063617,
    "serverPort": 443,
    "timestamp": 1605540913194303200
}

File (file) Payload

{
    "id": "164806c161a5dd221c4ee79d6b5dd1ce",
    "agentId": 32212,
    "containerId": "a407fb17332b",
    "hostname": "qa-k8smetrics",
    "timestamp": 1605540694794296600,
    "directory": "/etc/service/enabled/confd/supervise/",
    "filename": "ok",
    "permissions": "w",
    "pid": 29237,
    "comm": "sv",
    "cmdline": ""
}

Kubernetes (kube exec) Payload

{
    "id": "164806f4c47ad9101117d87f8b574ecf",
    "agentId": 32212,
    "args": {
        "command": "bash",
        "container": "nginx"
    },
    "auditId": "c474d1de-c764-445a-8142-a0142505868e",
    "containerId": "397be1762fba",
    "hostname": "qa-k8smetrics",
    "name": "nginx-76f9cf7469-k5kf7",
    "namespace": "nginx",
    "resource": "pods",
    "sourceAddresses": [
        "172.17.0.21"
    ],
    "stages": {
        "started": 1605540915526159000,
        "completed": 1605540915660084000
    },
    "subResource": "exec",
    "timestamp": 1605540915495754000,
    "user": {
        "username": "system:serviceaccount:default:default-kubectl-trigger",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:default",
            "system:authenticated"
        ]
    },
    "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"
}
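The four audit payloads share one forwarder output but no explicit type field, and the net payload stores addresses as integers and errors as raw errno values. The following is an added example, not Sysdig's code, that tells the four types apart by the keys only one of them carries and makes the net payload readable. The sample payloads are trimmed copies of the four shown above. Two things in it are assumptions rather than documented facts: the IPv4 integers are decoded big-endian, which turns clientIpv4 2886795285 into 172.17.0.21 (the address the kube exec payload on the same host reports) and serverIpv4 174063617 into 10.96.0.1, and the errno and protocol tables are the Linux and IANA values (115 is EINPROGRESS, 6 is TCP).

```python
"""Classify Sysdig Secure activity-audit payloads and decode the net payload.

Added example, not Sysdig code. The sample payloads are trimmed copies of the
four audit payloads shown on this page. Assumptions: IPv4 integers are
big-endian, errorCode holds Linux errno values, l4protocol holds IANA numbers.
"""
import ipaddress
from datetime import datetime, timezone

CMD_EVENT = {"id": "164806c17885b5615ba513135ea13d79", "agentId": 32212,
             "cmdline": "calico-node -felix-ready -bird-ready", "comm": "calico-node",
             "containerId": "a407fb17332b", "cwd": "/", "hostname": "qa-k8smetrics",
             "pid": 29278, "ppid": 29275, "tty": 0, "uid": 0,
             "timestamp": 1605540695178065200}
NET_EVENT = {"id": "164806f43b4d7e8c6708f40cdbb47838", "agentId": 32212,
             "clientIpv4": 2886795285, "clientPort": 60720, "containerId": "da3abd373c7a",
             "direction": "out", "errorCode": 115, "hostname": "qa-k8smetrics",
             "l4protocol": 6, "pid": 2452, "processName": "kubectl", "rxTimestamp": 0,
             "serverIpv4": 174063617, "serverPort": 443, "timestamp": 1605540913194303200}
FILE_EVENT = {"id": "164806c161a5dd221c4ee79d6b5dd1ce", "agentId": 32212,
              "containerId": "a407fb17332b", "hostname": "qa-k8smetrics",
              "timestamp": 1605540694794296600,
              "directory": "/etc/service/enabled/confd/supervise/", "filename": "ok",
              "permissions": "w", "pid": 29237, "comm": "sv", "cmdline": ""}
KUBE_EXEC_EVENT = {"id": "164806f4c47ad9101117d87f8b574ecf", "agentId": 32212,
                   "args": {"command": "bash", "container": "nginx"},
                   "auditId": "c474d1de-c764-445a-8142-a0142505868e",
                   "containerId": "397be1762fba", "hostname": "qa-k8smetrics",
                   "name": "nginx-76f9cf7469-k5kf7", "namespace": "nginx",
                   "resource": "pods", "sourceAddresses": ["172.17.0.21"],
                   "stages": {"started": 1605540915526159000, "completed": 1605540915660084000},
                   "subResource": "exec", "timestamp": 1605540915495754000,
                   "user": {"username": "system:serviceaccount:default:default-kubectl-trigger",
                            "groups": ["system:serviceaccounts", "system:authenticated"]},
                   "userAgent": "kubectl/v1.16.2 (linux/amd64) kubernetes/c97fe50"}

# Assumed lookup tables: Linux errno values and IANA protocol numbers.
ERRNO = {0: "OK", 101: "ENETUNREACH", 110: "ETIMEDOUT", 111: "ECONNREFUSED",
         113: "EHOSTUNREACH", 115: "EINPROGRESS"}
L4_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ns_to_iso(ns):
    """Epoch nanoseconds -> RFC 3339 string; None for the 0 'unset' value."""
    if not ns:
        return None
    secs, frac = divmod(int(ns), 10**9)
    base = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{frac:09d}Z"

def audit_kind(payload):
    """Tell the four audit types apart by keys only one of them carries.
    Order matters: file payloads also carry "cmdline", so test them before cmd."""
    if "subResource" in payload:
        return "kube_exec"
    if "direction" in payload and "l4protocol" in payload:
        return "net"
    if "filename" in payload and "permissions" in payload:
        return "file"
    if "cmdline" in payload and "cwd" in payload:
        return "cmd"
    raise ValueError("unrecognised activity audit payload")

def int_to_ipv4(n):
    """Integer IPv4 as exported in net payloads -> dotted quad (big-endian, assumed)."""
    return str(ipaddress.IPv4Address(int(n)))

def decode_net(payload):
    """Make a net payload readable: addresses, protocol, errno and timestamps."""
    code = payload.get("errorCode", 0)
    proto = payload["l4protocol"]
    return {
        "kind": "net",
        "time": ns_to_iso(payload["timestamp"]),
        "rx_time": ns_to_iso(payload.get("rxTimestamp", 0)),
        "host": payload["hostname"],
        "container_id": payload.get("containerId") or None,
        "process": f'{payload.get("processName")}[{payload.get("pid")}]',
        "direction": payload["direction"],
        "protocol": L4_PROTO.get(proto, str(proto)),
        "client": f'{int_to_ipv4(payload["clientIpv4"])}:{payload["clientPort"]}',
        "server": f'{int_to_ipv4(payload["serverIpv4"])}:{payload["serverPort"]}',
        "error": ERRNO.get(code, f"errno {code}"),
        # EINPROGRESS is a non-blocking connect still in flight, not a failure.
        "failed": code not in (0, 115),
    }

def exec_duration_ms(payload):
    """Time the API server spent on a kubectl exec request, from its audit stages."""
    st = payload["stages"]
    return (st["completed"] - st["started"]) / 1e6
```

Decoded this way, the sample net event reads as kubectl inside container da3abd373c7a opening a TCP connection from 172.17.0.21:60720 to 10.96.0.1:443 with the connect still in progress, and the kube exec event shows the API server completing the exec request in roughly 134 ms; both are far easier to alert on than the raw integers.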

Delete an Event Forwarding Integration

To delete an existing integration:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the More Options (three dots) icon.

  3. Click the Delete Integration button.

  4. Click the Yes, delete button to confirm the change.