Secure Events

Note

From Sysdig Secure 3.5.0, the Policy Events module has been reworked and renamed Events. The new functionality includes both runtime policy and runtime image scanning events and has much more powerful filtering capabilities.

BE AWARE!

Events in the old and new formats are stored separately.

  • No event or event data will be lost during the transition

  • Events that were registered before the new feed is deployed can be browsed using the oldP Policy Events interface, available on the burger menu in the top-right corner.

The Events page in Sysdig Secure displays a complete list of events that have occurred within the infrastructure during a defined timeline.

It provides a navigable interface to:

  • Find and surface insights around the most relevant security events in your infrastructure

  • Slice and dice your event data using multiple filters and scopes to hone into the events that will require further inspection or remediation actions

  • Inspect any items using an advanced event detail panel

  • Follow up on forensics, activity audits, etc., by directly linking to other sections of the product for additional event information

It provides an overview of the entire infrastructure, and the ability to deep-dive into specific security events, identify false positives, and configure policies to optimize performance.

Without filters or scope defined, the event list comprises all events within the timeline, in chronological order. Clicking on an event opens the event detail panel on the right.

new-events-feed-4.png

Ways to Filter Events

There are six types of filtering available: Scope, Severity, Type, Attributes, and Time Span, as well as a free-text Search field, to filter by event name or label value.

Note that the filters are additive. For example, if you set the Type to Image Scanning events and don't see what you expected, make sure the scope and time span have also been set appropriately.

Scope

By default, the Event scope encompasses Everywhere, but you can define the environment scope(containers, namespaces, etc.) to limit the range. Those environment limits are assigned to the team active during the scope definition.

See also: Team Scope and the Event Feed, below.

Define a Scope Filter

You an set a scope label as "variable," so you can change its value using a dropdown without having to edit the entire scope.

  1. Log in to Sysdig Secure.

    Any event scope you define will be applied to the team under which you logged in.

  2. On the Events page, click Edit Scope.

  3. From the drop-down menus(s), select the elements, values, and labels needed, and click Apply.

    env_scope_define.png

Free-Text Search

You can search by the event title and scope label values, such as "my-cluster-name," visible in the events lists.

Type

Events now include both Runtime and Image Scanning events.

Runtime events correspond to the rules and violations defined in Policies.

Image Scanning events correspond to the runtime scanning alerts.

Severity

Use the appropriate buttons to filter events by High, Medium, Low, and Info level of severity, corresponding to the levels defined in the relevant runtime Policies or runtime scanning alerts..

Time Span

As in the rest of the Sysdig Platform interface, the time span can be set by date ranges using the calendar pop-up, and in increments from 10 minutes to 3 days. You can additionally use the calendar picker to select other time ranges that are not available as fast buttons.

Attributes

Under Policies and Triggered Rules, hover over an attribute to reveal the =/!= filter button and click to add to the Attribute filter.

secure_event_detail.png

Event Detail Panel

The Event Detail contents vary depending on the selected event. In general, the following are always present:

  • Attributes on which you can filter directly:

    See the Attributes discussion, above.

  • Action Buttons:

    If relevant, the Captures button links to Captures.

    For Runtime events, the Activity shortcut button is available and links to Activity Audit.

    For Image Scanning, the Scan Results shortcut links to the Scan Results page.

  • Edit Policy Shortcut:

    For image scanning: Links to the runtime alert that generated the event.

    For policy (runtime) events: Links to the runtime rule that created the event, as well as the rule type (i.e. Falco - Syscall) and the labels associated with that rule.

    All three elements are filterable using the attribute filter widgets (see above).

  • Output (For Policy events):

    The Falco rule output as configured in the rule is listed.

  • Scope

    The new scope selector allows for additional selector logic (in, not in, contains, starts-with, etc), improving the scoping flexibility over previous versions. This scope selector also provides scope variables, allowing you to quickly switch between, for example, Kubernetes namespaces without having to edit the panel scope. See also: Team Scope and the Event Feed, below.

    Note that the scope details listed can be entered in the free-text search field if desired.

  • Live/Pause Button -

    When live, events continually update. Use Pause to focus on a section of the screen and not continue scrolling away in a noisy environment.

  • Portable URLs

    The Event Feed URL maintains the current filters, scope, and selected elements. You can share this URL with other users to allow them to display the same data.

Team Scope and the Event Feed

Not every label available in the Sysdig Platform is compatible with the set of labels used to define the scope of a security event in the Event Feed.

Practically, this means that in order to correctly determine if a set of events is visible for a certain Sysdig Secure team, the team scope must not use any label outside the following list.

Permitted Labels

agent.tag.* (any label starting with agent.tag is valid)

host.hostName
host.mac

kubernetes.cluster.name
kubernetes.namespace.name
kubernetes.node.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.label.project

kubernetes.pod.name
kubernetes.daemonSet.name
kubernetes.deployment.name
kubernetes.replicaSet.name
kubernetes.statefulSet.name
kubernetes.job.name
kubernetes.cronJob.name
kubernetes.service.name

container.name
container.image.id
container.image.repo
container.image.tag
container.image.digest

container.label.io.kubernetes.container.name
container.label.io.kubernetes.pod.name
container.label.io.kubernetes.pod.namespace
container.label.maintainer

Not using any label to define team scope (Everywhere) is also supported.

If the Secure team scope is defined using a label outside of the list above, the Event Feed will be empty for that particular team.