Enrich Secure Events with Labels
Event labels are used in a variety of contexts in Sysdig Secure, such as Event Forwarding, Posture, and the Events feed. The Sysdig Agent collects a number of label fields by default. This page describes how to collect additional, custom labels, disable the collection of default labels, and disable label collection entirely.
Add Custom Labels with the Tag Attribute
The agent has a set of default labels. Use tags to include additional labels and/or exclude labels from the default set.
event_labels:
exclude:
- custom.label.to.exclude
event_labels:
include:
- custom.label.to.include
The following is an example of an enriched event being sent to Splunk:
{
agentId: 1658033
category: runtime
containerId: d9f5e4a9aedd
content: {
baselineId:
falsePositive: false
fields: {
container.id: d9f5e4a9aedd
container.image.repository: sysdiglabs/example-voting-app-voter
container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
evt.category: process
falco.rule: Launch Root User Container
fd.rip: <NA>
fd.rport: <NA>
proc.cmdline: container:d9f5e4a9aedd
proc.name: container:d9f5e4a9aedd
proc.pid: -1
proc.pname: <NA>
proc.ppid: -1
}
matchedOnDefault: false
output: Outbound connection to IP/Port flagged by container:d9f5e4a9aedd (command=container:d9f5e4a9aedd port=<NA> ip=<NA> container=k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603 (id=d9f5e4a9aedd) image=sysdiglabs/example-voting-app-voter) extra fields = (<NA> -1 process -1 container:d9f5e4a9aeddproc.aname container:d9f5e4a9aedd -1proc.apid )
policyId: 10009837
policyOrigin: Sysdig
policyVersion: 37
ruleName: Launch Root User Container
ruleTags: [
network
mitre_execution
]
ruleType: RULE_TYPE_FALCO
}
description: This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.
id: 1726f87daaaee3960301e17f9b06c3cf
labels: {
agent.tag.role: demo-kube-eks
aws.accountId: <account-id>
aws.instanceId: <instance-id>
aws.region: us-east-1
container.image.digest: <sha-256>
container.image.id: <image-id>
container.image.repo: sysdiglabs/example-voting-app-voter
container.image.tag: 0.1
container.label.io.kubernetes.container.name: voter
container.label.io.kubernetes.pod.name: voter-77d98548bc-hmkpc
container.label.io.kubernetes.pod.namespace: example-voting-app
container.name: k8s_voter_voter-77d98548bc-hmkpc_example-voting-app_d27f532a-41f5-49f3-a140-99afccbac5e4_63603
host.hostName: <host-name>
host.mac: 0a:a2:c4:d3:fd:ef
kubernetes.cluster.name: demo-kube-eks
kubernetes.deployment.name: voter
kubernetes.namespace.name: example-voting-app
kubernetes.node.name: <node-name>
kubernetes.pod.name: voter-77d98548bc-hmkpc
kubernetes.replicaSet.name: voter-77d98548bc
}
machineId: 0a:a2:c4:d3:fd:ef
name: Sysdig Runtime Notable Events
originator: policy
severity: 4
source: syscall
timestamp: 1668293930605536300
timestampRFC3339Nano: 2022-11-12T22:58:50.60553615Z
type: policy
}
Add Custom Labels with the Event Labels Attribute
In addition to custom static tags added with the tags attribute in the agent configuration, you can use the event_labels
attribute to include any label present in the system call. Note the agent will only collect and store events handled by the Sysdig backend.
agent.tag.Tag
agent.tag.cluster
agent.tag.environment
agent.tag.role
agent.tag.sysdig_secure.enabled
gcp.projectId
host.hostName
aws.user
container.label.io.kubernetes.pod.namespace
host.mac
kubernetes.statefulSet.name
container.image.repo
container.label.io.kubernetes.pod.name
aws.accountId
gcp.user
gcp.region
container.label.maintainer
kubernetes.service.name
container.image.tag
kubernetes.cluster.name
kubernetes.deployment.name
kubernetes.namespace.label.project
container.label.io.kubernetes.container.name
container.name
kubernetes.pod.name
aws.fargate.task.arn
container.image.digest
kubernetes.daemonSet.name
kubernetes.job.name
kubernetes.namespace.label.field.cattle.io/projectId
kubernetes.namespace.name
kubernetes.node.name
kubernetes.replicaSet.name
aws.region
container.image.id
kubernetes.cronJob.name
aws.fargate.cluster.arn
aws.availabilityZone
Disable Label Collection
Sysdig Agent collects Secure Events labels by default. To disable the feature: disable the feature, change true
to false
:
event_labels:
enabled: true
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.