Secure Live

Secure Live is a powerful tool that assists in the response and investigation into security events, vulnerabilities, and misconfigurations in your infrastructure under one pane of glass, with a simple way to scope the part of the infrastructure you are investigating.

Secure Live presents the last 24 hours of your infrastructure by scopes based on the hierarchy, such as cluster, namespace, and workloads. Selecting one of these scopes presents existing data from different parts of Sysdig Secure in a curated set of panels and tabs that are specific to that scope. As this feature evolves, more panels and “Live” views will be added, such as Posture Tab and Cloud Live.

Kubernetes Live

Sysdig Secure Live for Kubernetes helps you respond to and protect your Kubernetes environment from a wide range of threats. It can be used for reactive investigation to security events or proactive highlighting images that have known vulnerabilities.

There are two main parts of Kubernetes Live:

• The left pane used as the scope tree for navigating your infrastructure
• The right pane with security-related finding, events, and more.

Left Pane Scope Tree

The scope tree has three main functionalities

• Infrastructure Layout: Provides a hierarchical structure of the infrastructure that Sysdig has secured for some period of time in the last 24 hour period. In Kubernetes, this is all Clusters, Namespaces & Workloads.
• Panel View: Depending on the hierarchy you select, the curated tabs and panels will change to be relevant for the level you’ve selected, such as Namespace.
• Scope: Filters the data that will be presented in the curated tabs, such as selecting your production cluster, or default namespace. Only that data will show in the right panel.

The scope tree is the live view (last 24 hours) of your infrastructure grouped by Cluster, Namespace, and Workload.

Scoping

As you move down the tree, the scopes are always additive.

For example, you can’t scope to a namespace without a cluster. This also includes any filters that are available in any of the tabs, it will be the scope below + any new filter you add.

Right Pane Tabs and Panels

The data in the tabs and panels on the right pane are sourced from many different parts of Sysdig Secure, and scoped based on the scope tree selected.

For example, selecting the default Namespace in your production Cluster would be similar to setting the scope in the Events feed or Vulnerability runtime to kubernetes.cluster.name = production AND kubernetes.namespace.name=default.

The tabs and panels are each curated with live details (past 24 hours) of your environment based on the scope selected. Some of the tabs take existing functionality and add the scoping, while some of the tabs and panels add new functionality or combine existing data into a single aggregate panel.

Overview

Overview is the most dynamic tab based on the scope you have selected in the tree. This tab shows the high-level details about your infrastructure, such as the visibility in the number of resources that have been or are being protected in the last 24 hours.

• New dashboards for aggregated events and vulnerabilities have been added that were not previously in Sysdig.
• New Mitre ATT&CK map that is only available in the Entire Infrastructure scope. Support for other scopes may be added in the future.

Events

Provides the same functionality as the Secure Events page. Secure Live provides two main enhancements:

• The filter has an implicit filter that is hidden based on the scope you have selected in the scope tree
• The quick filters at the top change based on the scope that you have selected in the scope tree. You will not see clusters if you select a cluster scope or lower, but there are New filters available the lower you go, such as container or image available in the workload scope.

Images

Provides the same functionality as the Vulnerabilities Runtime page, with an implicit filter that is hidden based on the scope you have selected in the scope tree.

Clusters, Namespaces, Workloads & Pods

Based on the scope selected, you will see one or more of these tabs.

• New functionality has been added to aggregate the events and metrics about the objects in the scope you have selected. If available, it will drill down into the scope of the selected resource, for example when there are multiple findings, without the user needing to select the resource from the scope tree.

Logs

Only available in the Workload scope.

Live Logs can display the tail logs for a container, which is the equivalent of running kubectl logs -f. This is useful for investigating container logs that may hint at what a workload is doing (provided there are logs with that level of detail).

When selecting a workload with multiple pods or containers, choose the pod and container for which you wish to view logs. Once requested, logs are streamed for 3 minutes before the session is automatically closed. You can simply re-start streaming if necessary.

The Network tab provides similar functionality to the existing Network Security but is meant to be used as an observability feature only. The functionality to generate a network policy is removed.

Access Secure Live

Secure Live is enabled for all users by default. If you have disabled the feature, do the following to enable it:

Prerequisite: Sysdig Agent must be installed in your environment.

1. Log in to Sysdig Secure as an Administrator User.
2. Navigate to Settings > User Profile.
3. Under Sysdig Labs, enable Kubernetes Live.
4. Select Kubernetes Live under the Insights menu.

Disable Secure Live

If you would like to opt out of this feature,

1. Log in to Sysdig Secure as Administrator User.
2. Navigate to Settings > User Profile.
3. Under Sysdig Labs, disable Kubernetes Live.