Enable Validated Exposure for Advanced Network Exposure

Learn how to enable and configure validated exposure for Advanced Network Exposure in Sysdig Secure, including port scanning validation and IP whitelisting requirements.

Overview

Advanced Network Exposure is automatically enabled when you connect your cloud accounts to Sysdig Secure with Cloud Security Posture Management (CSPM) capabilities. The configuration-based analysis works by analyzing the network configurations and metadata from your cloud providers without requiring additional agent installation.

However, validated exposure through port scanning requires additional manual setup steps and must be explicitly enabled by contacting Sysdig Support.

Enable Validated Exposure (Port Scanning)

Validated exposure adds a layer of verification by performing port scanning and IP discovery to confirm that resources identified as exposed through configuration analysis are reachable from the internet.

Important: Validated exposure requires manual activation by Sysdig Support and involves additional setup steps, including IP whitelisting. This feature must be explicitly requested and configured.

When Sysdig performs port scanning and IP discovery to validate exposure, these activities can be detected by your security infrastructure as potentially malicious behavior. Common security systems that may flag or block Sysdig’s scanning activities include:

  • Firewalls: May interpret repeated connection attempts as port scanning attacks
  • Web Application Firewalls (WAF): Can identify scanning patterns and block the source IPs
  • Intrusion Detection/Prevention Systems (IDS/IPS): May alert on or block scanning activity
  • Cloud-native security services: Such as AWS GuardDuty, Azure Security Center or GCP Security Command Center

To ensure validated exposure works correctly and to prevent Sysdig’s scanning IPs from being blocked or flagged as malicious actors, you must add Sysdig’s IP addresses to your allow lists.

Note: The IP addresses used for scanning are documented in the SaaS Regions and IP Ranges documentation. Refer to this page for the complete list of IP ranges for your Sysdig region.

Identifying Network Scanner Activity

To help distinguish legitimate Sysdig scanning activity from potential threats, HTTP scans performed by the network scanner include a custom header that can be used to identify and whitelist these requests in your logs and security systems.

The following custom header is included in all HTTP scan requests:

  • Header Name: X-Sysdig-CSPM
  • Header Value: NetworkScanner/1.0

You can use this header to:

  • Configure your WAF or firewall rules to allow traffic from Sysdig’s network scanner
  • Filter and identify Sysdig scanning activity in your web server and application logs
  • Create exceptions in your IDS/IPS systems to prevent false positive alerts

For example, you can configure your web application firewall to recognize requests with the X-Sysdig-CSPM: NetworkScanner/1.0 header as legitimate security scanning from Sysdig and allow them without triggering alerts.
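
Because any HTTP client can set the X-Sysdig-CSPM header, an exception built on it should also require a source address inside Sysdig's published ranges. The following is an added example, not Sysdig's code, that triages access-log entries that way. It assumes a JSON-lines log with hypothetical fields remote_addr, path and x_sysdig_cspm, and uses RFC 5737 placeholder ranges in place of the real ones from the SaaS Regions and IP Ranges documentation.

```python
import ipaddress
import json

# Placeholder ranges (RFC 5737 documentation networks), NOT Sysdig's real ones.
# Replace with the ranges for your region from SaaS Regions and IP Ranges.
SCANNER_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "203.0.113.16/28")]
HEADER_VALUE = "NetworkScanner/1.0"  # expected X-Sysdig-CSPM value

def classify(entry):
    """Label one parsed log entry (field names are assumed, not Sysdig's)."""
    if str(entry.get("x_sysdig_cspm") or "").strip() != HEADER_VALUE:
        return "other"
    try:
        addr = ipaddress.ip_address(str(entry.get("remote_addr", "")))
    except ValueError:
        return "header-from-unlisted-ip"  # unparsable source: do not trust
    if any(addr in net for net in SCANNER_RANGES):
        return "sysdig-scanner"
    # Header is client-controlled; a match from elsewhere deserves review.
    return "header-from-unlisted-ip"

def triage(lines):
    """Return (counts per label, entries needing review); skip malformed lines."""
    counts = {"sysdig-scanner": 0, "header-from-unlisted-ip": 0, "other": 0}
    review = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "header-from-unlisted-ip":
            review.append((entry.get("remote_addr"), entry.get("path")))
    return counts, review

# Constructed sample log lines for illustration.
SAMPLE_LOG = [
    '{"remote_addr": "192.0.2.10", "path": "/", "x_sysdig_cspm": "NetworkScanner/1.0"}',
    '{"remote_addr": "203.0.113.20", "path": "/health", "x_sysdig_cspm": "NetworkScanner/1.0"}',
    '{"remote_addr": "198.51.100.7", "path": "/admin", "x_sysdig_cspm": "NetworkScanner/1.0"}',
    '{"remote_addr": "198.51.100.9", "path": "/index.html", "x_sysdig_cspm": ""}',
    'truncated line, not JSON',
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(counts, "review:", review)
```

Entries labelled header-from-unlisted-ip carry the scanner header but come from outside the configured ranges, so they should stay subject to normal alerting rather than being suppressed.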