fix(list_runtime_events): enable ML event discovery (#67)

The `list_runtime_events` tool returned zero results when querying for
ML-based detections (e.g. "Crypto Mining Detection" with `engine =
"machineLearning"`), even though these events were visible in the Sysdig
Secure UI.

The root cause was a `source != "auditTrail"` clause in the MCP
baseFilter that duplicated a filter already applied by the events API.
This duplication caused an OpenSearch query interaction that silently
excluded ML events from the `events_profiling_detection_v1` index.

Tested on both us2 and eu1 environments:
- `engine = "machineLearning"` now returns ML events (Crypto Mining
Detection confirmed)
- `source = "auditTrail"` returns 0 events (API-side filter works
correctly)
- No audit trail event leakage across 2-week windows with 200k+ total
events

Co-authored-by: Fede Barcelona <fede_rico_94@hotmail.com>

Author: ivanlysiuk-sysdig

internal/infra/mcp/tools/tool_list_runtime_events.go

@@ -10,7 +10,7 @@ import (
 	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
 )
 
-const baseFilter = `source != "audittrail" and not originator in ("benchmarks","compliance","cloudsec","scanning","hostscanning")`
+const baseFilter = `not originator in ("benchmarks","compliance","cloudsec","scanning","hostscanning")`
 
 type ToolListRuntimeEvents struct {
 	sysdigClient sysdig.ExtendedClientWithResponsesInterface
@@ -63,7 +63,7 @@ func toolRequestToEventsV1Params(request mcp.CallToolRequest, clock clock.Clock)
 
 func (h *ToolListRuntimeEvents) RegisterInServer(s *server.MCPServer) {
 	tool := mcp.NewTool("list_runtime_events",
-		mcp.WithDescription("List runtime security events from the last given hours, optionally filtered by severity level."),
+		mcp.WithDescription("List runtime security events from the last given hours, optionally filtered by severity level. Includes both Falco-based and machine learning (ML) detections such as crypto mining, anomalous logins, and other ML-detected threats."),
 		mcp.WithString("cursor",
 			mcp.Description("Cursor for pagination."),
 		),
@@ -72,14 +72,20 @@ func (h *ToolListRuntimeEvents) RegisterInServer(s *server.MCPServer) {
 			mcp.DefaultNumber(1),
 		),
 		mcp.WithNumber("limit",
-			mcp.Description("Maximum number of events to return."),
+			mcp.Description("Maximum number of events to return. Maximum allowed value is 200."),
 			mcp.DefaultNumber(50),
 		),
 		mcp.WithString("filter_expr",
 			mcp.Description(`Logical filter expression to select runtime security events.
 Supports operators: =, !=, in, contains, startsWith, exists.
 Combine with and/or/not.
-Key attributes include: severity (codes "0"-"7"), originator, sourceType, ruleName, rawEventCategory, kubernetes.cluster.name, host.hostName, container.imageName, aws.accountId, azure.subscriptionId, gcp.projectId, policyId, trigger.
+Key attributes include: severity (codes "0"-"7"), originator, sourceType, ruleName, rawEventCategory, engine, source, category, kubernetes.cluster.name, host.hostName, container.imageName, aws.accountId, azure.subscriptionId, gcp.projectId, policyId, trigger.
+
+To find machine learning (ML) detections (e.g. crypto mining, anomalous logins), use engine or source filters:
+- All ML events: 'engine = "machineLearning"'
+- AWS ML detections: 'source = "agentless-aws-ml"'
+- Okta ML detections: 'source = "agentless-okta-ml"'
+- By category: 'category = "machine-learning"'
 
 You can specify the severity of the events based on the following cases:
 - high-severity: 'severity in ("0","1","2","3")'
@@ -96,6 +102,9 @@ You can specify the severity of the events based on the following cases:
 				`container.imageName = "nginx:latest" and originator = "hostscanning"`,
 				`aws.accountId = "123456789012"`,
 				`policyId = "CIS_Docker_Benchmark"`,
+				`engine = "machineLearning"`,
+				`source = "agentless-aws-ml"`,
+				`engine = "machineLearning" and aws.accountId = "123456789012"`,
 			),
 		),
 		mcp.WithOutputSchema[map[string]any](),

internal/infra/mcp/tools/tool_list_runtime_events_test.go

@@ -94,7 +94,7 @@ var _ = Describe("ToolListRuntimeEvents", func() {
 	It("should use default values when no params are provided", func(ctx SpecContext) {
 		mockClient.EXPECT().GetEventsV1WithResponse(gomock.Any(), gomock.Any()).DoAndReturn(func(_ context.Context, params *sysdig.GetEventsV1Params, _ ...sysdig.RequestEditorFn) (*sysdig.GetEventsV1Response, error) {
 			Expect(*params.Limit).To(Equal(int32(50)))
-			Expect(*params.Filter).To(Equal(`source != "audittrail" and not originator in ("benchmarks","compliance","cloudsec","scanning","hostscanning")`))
+			Expect(*params.Filter).To(Equal(`not originator in ("benchmarks","compliance","cloudsec","scanning","hostscanning")`))
 			Expect(*params.To).To(Equal(int64(946684800000000000)))
 			Expect(*params.From).To(Equal(int64(946681200000000000)))