Insights

Sysdig Secure (SaaS) has introduced a powerful visualization tool for threat detection, investigation, and risk prioritization, to help identify compliance anomalies and ongoing threats to your environment.

With Insights, all findings generated by Sysdig across both workload and cloud environments are aggregated into a visual platform that streamlines threat detection and forensic analysis.

Highlights:

  • Bird's-eye view of findings across environments and timelines: an interactive visualization, accompanying summaries, and the linear events feed.

  • Instantly home in on problem areas or block out noisy results.

  • Share views with team members.

The Insights tool is intuitive and easy to use. Note the following design and usage attributes.

Log in to Sysdig Secure and select Insights.

Choose the resources you want to view from the top left drop-down.

  • Cloud User Activity: Detects vulnerabilities and events related to user activity in connected cloud accounts. It includes User, Account, Region, Resource Category, Resource Type, and Resource.

  • Cloud Activity: Detects all findings in connected cloud accounts. Specifically, it includes Account, Region, Resource Category, Resource Type, and Resource.

  • Kubernetes Activity: Detects all findings in connected Kubernetes clusters, namespaces, and workloads. It includes Cluster, Namespace, Pod Owner, and Workload.

  • Node and Pod Activity

  • Host and Container Activity

The default view shown will be based on the findings in your environment.

If a particular type of resource is not connected in your environment, that page will show no findings.

Timeline

As with many other Sysdig tools, you scope by timespan using the timeline at the bottom of the page.

  • The default span is 14 days. You can choose other presets (such as 3H, 12H, 1D, 3D) or set a span using the clickable calendar.

  • Insights displays up to 14 days of data or 999 events, whichever limit is reached first.

Visualization Panel

The power of the Insights tool resides in the Visualization panel.

Experiment with the Visualization panel features:

  • Concentric rings drill down from the broadest resource level to the most granular findings. The header labels each level in order (Account > Region > Resource Category > ...).

  • Hover over a target area for details, and click to isolate in the summary.

  • Change the Timeline.

  • Take advantage of Search | Show | Hide | Exclude.

Activity Panel: Summary

The Summary panel presents the contents of the Visualization panel as an ordered list. It can be grouped by Rule or by User activity.

Group by Rule

  • Click a line item to open the details. See at a glance the affected containers, images, rules, and user names.

  • Take advantage of Search | Show | Hide | Exclude.

Tunable Exceptions

Sysdig’s Runtime Policy Tuner helps reduce false positives by using rule exceptions. If potential exceptions match one or more events from the same rule, a Tunable Exceptions button, labeled with the number of available exceptions, may appear in the rules summary. When clicked, a modal appears with suggestions of matching exceptions.

  1. Expand a rule to open the event summary. If exceptions are available, you will see an option for “Tunable Exceptions”.

  2. The exceptions modal appears.

  3. Review the suggested exceptions and decide whether to use them:

    • Compare the Existing Values with the Suggested Values.

    • Adjust the suggested values, if required.

      For example, if the suggestion shows contains: prod-app-1 but you wanted to apply the exception to all the clusters in production, you could edit to say contains: prod.

    • Review the previously-applied exceptions, which are also displayed, to gain context for the decision.

    • Click View affected policies to see all the places the rule and exception would be used.

  4. Click Apply, or:

    • If you do not want to manage exceptions with Sysdig, you can view the exception as Terraform, copy the snippet, and paste it into your Terraform file. YAML snippets are also available.

You can also use tunable exceptions in the Events tab. For more information, see Events Feed Tunable Exceptions.
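Step 3 above warns that widening a suggested value changes how much an exception silences. As an added example (not Sysdig's code, and not the exception format the product exports), the following Python script previews which findings a candidate exception would suppress, using constructed sample events and assumed comparison operators; it shows that widening contains: prod-app-1 to contains: prod also matches a cluster such as nonprod-test, because contains is a plain substring test.

```python
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample findings for a hypothetical rule, tagged with the
# cluster each finding came from (rule and cluster names are made up).
SAMPLE_EVENTS: List[Event] = [
    {"rule": "Example Rule", "cluster": "prod-app-1"},
    {"rule": "Example Rule", "cluster": "prod-app-2"},
    {"rule": "Example Rule", "cluster": "prod-db-1"},
    {"rule": "Example Rule", "cluster": "nonprod-test"},
    {"rule": "Example Rule", "cluster": "staging-1"},
    {"rule": "Other Rule", "cluster": "prod-app-1"},
]

# Comparison operators assumed for this example; "contains" is the one the
# page's suggestion uses, "startswith" is a narrower alternative.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "startswith": lambda actual, expected: actual.startswith(expected),
}


def matches(event: Event, field: str, op: str, expected: str) -> bool:
    """True if the event's field satisfies the single exception condition."""
    return field in event and OPERATORS[op](event[field], expected)


def suppressed_clusters(events: List[Event], rule: str,
                        field: str, op: str, expected: str) -> List[str]:
    """Clusters whose findings for `rule` this exception would silence."""
    return [e["cluster"] for e in events
            if e["rule"] == rule and matches(e, field, op, expected)]


def compare_candidates(events: List[Event], rule: str) -> Dict[str, List[str]]:
    """Preview the suggested exception next to two edited versions of it."""
    candidates: Dict[str, Tuple[str, str]] = {
        "suggested": ("contains", "prod-app-1"),   # value as suggested
        "broadened": ("contains", "prod"),         # edit from the page's example
        "prefix": ("startswith", "prod"),          # narrower edit, skips nonprod-*
    }
    return {label: suppressed_clusters(events, rule, "cluster", op, value)
            for label, (op, value) in candidates.items()}


if __name__ == "__main__":
    for label, clusters in compare_candidates(SAMPLE_EVENTS, "Example Rule").items():
        print(f"{label:9} -> silences {len(clusters)} finding(s): {clusters}")
```

Run this kind of preview against the Existing Values shown in the modal before clicking Apply; the "broadened" row is the one that quietly swallows findings from a cluster you did not intend to exempt.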

Group by User | Rule

View the Summary grouped by User to help detect outlier behavior.

Expand the user entry to view details and click the arrow to switch to the event feed for that user, with events listed in reverse chronological order.

Cloud Activity Summary Panel

For AWS Cloud Activity, the summary also includes a link back to view the data in the AWS Console.

Activity Panel: Events

The Events panel replicates the Sysdig Secure Events feed. Click an entry in the time-based list to open its details.

Search | Show | Hide | Exclude

The Search bar works in conjunction with options in the Activity Summary.

  • Each line of the Activity Summary includes the Show (=), Hide (!=) and Exclude options.

    • Show (=): Click Show to add the finding to the Search bar and to the page URL. The Visualization is targeted accordingly.

    • Hide (!=): Click Hide to filter that finding out of the Visualization, adding the filter to the Search bar and the URL.

    • Exclude: Click Exclude to refetch the data without the excluded entry. This cuts down on noisy, repetitious results (which in some cases could otherwise push the result set past the 999-item limit).

    Note that Show and Hide do not trigger a re-fetch of data; only Exclude does.

  • After you exclude an entry, the Exclude icon is displayed in the Visualization header.

    • Click the icon to view the current exclusions.

    • Click Clear All Exclusions to remove them if desired.

Insights Team-Based Views and Sharing

Note:

  • Your team and user role influence what Insights you have access to.

  • The page URL persists search and filter items, and can be shared with team members with the same level of permissions.

See User and Team Administration for more detail.
