Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Sysdig Secure Events | ✅ | ✅ | | | sysdig_secure_events | NDJSON | S3/API |
| Sysdig Activity Audit - Command | ✅ | | | | sysdig_activity_command | NDJSON | S3/API |
| Sysdig Activity Audit - File Access | ✅ | | | | sysdig_activity_file_access | NDJSON | S3/API |
| Sysdig Activity Audit - Network | ✅ | ✅ | | | sysdig_activity_network | NDJSON | S3/API |
| Sysdig Activity Audit - Kubernetes | ✅ | | | | sysdig_activity_kubernetes | NDJSON | S3/API |
Overview
Sysdig is a cloud-native security and monitoring platform designed to help organizations secure and optimize their containerized environments, Kubernetes clusters, and cloud infrastructure. It provides real-time threat detection, vulnerability management, and compliance enforcement by leveraging deep visibility into runtime activity. Sysdig’s platform enables security teams to detect and respond to threats, enforce least-privilege access, and monitor application performance. With capabilities like container runtime security, forensic analysis, and policy-driven compliance, Sysdig helps organizations protect their cloud workloads while maintaining operational efficiency.
Supported data types
Sysdig Secure Events
Table name: sysdig_secure_events
Sysdig Secure Events log security incidents and policy violations in containerized and cloud environments. They provide real-time insights into suspicious activity, unauthorized access, and runtime threats, helping security teams detect and respond to risks efficiently.
📘Note
For this data type, Hunters currently supports the Legacy Secure Policy Event Payload format.
Sysdig Activity Audit - Command
Table name: sysdig_activity_command
Sysdig Activity Audit logs every command executed in the environment. This includes commands run within containers, on the host, or through Kubernetes management tools. The logging of commands helps in understanding user actions, investigating incidents, and verifying compliance with policies.
Sysdig Activity Audit - File Access
Table name: sysdig_activity_file_access
Sysdig Activity Audit also extends its monitoring and auditing capabilities to file access within containerized and cloud-native environments. This aspect of activity auditing is crucial for ensuring data security, detecting potential data breaches, and maintaining compliance with data protection regulations. By tracking file access activities, Sysdig Secure provides insights into how data is being accessed, modified, or transferred, which can be vital for forensic analysis and understanding the scope of a security incident.
Sysdig Activity Audit - Network
Table name: sysdig_activity_network
The Sysdig Activity Audit feature encompasses network activity monitoring within its suite of capabilities, offering organizations deep visibility into the network interactions associated with their containerized and cloud-native applications. This level of monitoring is critical for securing the network perimeter of such environments, identifying suspicious activities, and ensuring compliance with network security policies. By auditing network activities, Sysdig Secure aids in the detection of anomalies, unauthorized data exfiltration, and potential threats that could compromise the integrity and confidentiality of network communications.
Sysdig Activity Audit - Kubernetes
Table name: sysdig_activity_kubernetes
Sysdig Activity Audit extends its capabilities to Kubernetes environments, providing detailed auditing of activities and events within Kubernetes clusters. This is particularly important for organizations leveraging Kubernetes for container orchestration, as it helps ensure the security and compliance of their deployments. By monitoring Kubernetes-specific activities, Sysdig Secure helps organizations gain visibility into operations, configurations, and security events that occur within their Kubernetes environment.
Send data to Hunters
You can collect logs using one of two methods:
- API - follow a few simple steps to connect logs to Hunters using the Sysdig API.
- S3 storage - route logs to an S3 bucket and provide Hunters with the bucket details.
Using API
Hunters supports the collection of logs from Sysdig using the API.
To connect Sysdig logs:
Log in to the Sysdig portal to retrieve your API host and API token.
Locate the URL you logged into. This is your API host. Example: app.us4.sysdig.com
To retrieve the token, from the user menu navigate to Settings > User Profile.
The Sysdig Monitor or Sysdig Secure API token is displayed.
Locate your API token and copy it. Example: 87090758-60a0-4294-ba02-666bd0895eb8
Complete the process on the Hunters platform, following this guide.
Using S3 storage
Alternatively, you can collect these logs from your network into a shared storage service (e.g. an S3 bucket) that is shared with Hunters. Click here for further instructions.
📘Note
When using the S3 collection method, the host_region field is not populated by Sysdig; it can only be added manually to each event, and it is used to build the alert console URL shown in the alert (see the sample below). This field is not mandatory.
Expected format
In each log file, events must be separated by a newline, with each event being a single JSON object (NDJSON).
Each of the above data types has a different format, as specified here:
Log Samples
Example for Audit Command events in an NDJSON file:
{"id":"164806c17885b5615ba513135ea13d79","agentId":32212,"cmdline":"calico-node-felix-ready-bird-ready","comm":"calico-node","containerId":"a407fb17332b","count":1,"cwd":"/","hostname":"qa-k8smetrics","loginShellDistance":0,"loginShellId":0,"pid":29278,"ppid":29275,"rxTimestamp":1605540695537513500,"timestamp":1605540695178065200,"type":"command","tty":0,"uid":0, "host_region":"eu1.app.sysdig.com"}
{"id":"164806c17885b5615ba513135ea13d780","agentId":32213,"cmdline":"calico-node-felix-ready-bird-not-ready","comm":"calico-node","containerId":"a407fb17332c","count":5,"cwd":"/temp/","hostname":"qa-test123","loginShellDistance":0,"loginShellId":0,"pid":29271,"ppid":29273,"rxTimestamp":1605540695537513500,"timestamp":1605550695178065200,"type":"command","tty":0,"uid":0, "host_region":"eu1.app.sysdig.com"}
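As an added example (not part of this page or of the Hunters or Sysdig tooling), the following Python helper prepares Audit Command events for the S3 collection method described above: it stamps the optional host_region field onto each event, serializes the batch as NDJSON (one compact JSON object per line, so no pretty-printing can break the one-event-per-line rule), and parses a file back with line-level error reporting. The event is a constructed sample shaped like the page's Audit Command records; REQUIRED is an assumed sanity-check list of fields, not a Hunters schema.

```python
import json

# Constructed sample event, shaped like the Audit Command sample on this page.
# All values are made up; in practice the fields come from Sysdig.
SAMPLE_EVENT = {
    "id": "0123456789abcdef0123456789abcdef", "agentId": 1,
    "cmdline": "sh -c id", "comm": "sh", "containerId": "0123456789ab",
    "count": 1, "cwd": "/", "hostname": "example-host",
    "loginShellDistance": 0, "loginShellId": 0, "pid": 100, "ppid": 99,
    "rxTimestamp": 1605540695537513500, "timestamp": 1605540695178065200,
    "type": "command", "tty": 0, "uid": 0,
}

# Assumed minimal field set for a command event (a local sanity check, not a schema).
REQUIRED = ("id", "agentId", "cmdline", "hostname", "timestamp", "type")


def add_host_region(event, host_region):
    """Return a copy of `event` with host_region set; keep an existing value if present."""
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"event {event.get('id')!r} missing fields: {missing}")
    out = dict(event)
    out.setdefault("host_region", host_region)
    return out


def to_ndjson(events, host_region):
    """Serialize events as NDJSON: one compact JSON object per line, each newline-terminated."""
    # json.dumps escapes any newline inside string values (e.g. a multi-line cmdline),
    # and the compact separators keep each object on exactly one line.
    return "".join(
        json.dumps(add_host_region(e, host_region), separators=(",", ":")) + "\n"
        for e in events
    )


def parse_ndjson(text):
    """Parse NDJSON into a list of dicts, skipping blank lines and reporting the bad line number."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not valid JSON: {exc}") from None
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno} is not a JSON object")
        events.append(obj)
    return events
```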