Profiling
What is Image Profiling in Sysdig
Image profiling in Sysdig enhances the data collection capabilities of the agent, and is a building block for several other Sysdig features:
- Creating Machine Learning policies
- Viewing prioritized vulnerabilities in an “In Use” column in Vulnerability Runtime results
- Allowing third-party vulnerability management software to consume and display the prioritized runtime vulnerabilities from Sysdig, as described in Risk Spotlight Integrations
Availability and Enablement
Some features are still under Controlled Availability and require enablement from Sysdig support, as noted.
Enabling Profiling triggers a feature on the agent that will increase its resource demand, both in memory and CPU. Note that if the agent starts using too many resources, it will automatically and temporarily disable this feature, to avoid impacting its basic functionality.
Enable for Machine Learning
To use machine learning policies:
1. Log in to Sysdig Secure as Admin and navigate to Settings > User Profile.
2. Toggle the Profiling switch in the Sysdig Labs section.
3. Select Policies > Runtime Policies and create a new policy of the type Machine Learning.
Enable for Risk Spotlight Integrations or for the In Use Column
Prerequisite: Have the new Vulnerability Management engine enabled in Sysdig Secure SaaS.
Then:
1. Contact Sysdig support and ask to have the feature enabled in the backend. (This step is required during Controlled Availability.)
2. Enable a parameter on the Node Analyzer of your Sysdig agents, e.g., using the sysdig-deploy Helm chart. The parameter is:
   nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true
3. Toggle the Profiling switch in the Sysdig Labs section.
4. After 12 hours, check Vulnerabilities > Runtime. The runtime scanner will gather information against this policy every 12 hours, displaying results in the Vulnerabilities Runtime scan results. You should see the In Use column populated.
If you also want to export these results to third-party software, follow the instructions in Risk Spotlight Integrations.
(Note: If the third-party software is Snyk, the instructions are slightly different.)
How Image Profiles Work
With image profiling enabled, the agents start sending “fingerprints” of what happened on the containers – network activity, files and directories accessed, processes run, and system calls used – and Sysdig Secure aggregates this information per image. Thus, for multiple containers based off of the same image, running on different nodes, the profiler will collect and combine system activity into an image profile.
Internal algorithms determine two aspects of behavior:
- Length of time observed: Related to the image being in a learning/done learning state
- Consistency of behavior: Related to the confidence level of the observed behavior
Profile Contents
A container image profile is a collection of data points related to:
- Network activity
  - TCP ports (in/out)
  - UDP ports (in/out)
- Processes detected
- File system (informational only)
  - Files (read/write)
  - Directories (read/write)
- System calls detected
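The aggregation described under How Image Profiles Work, sketched as an added example (not Sysdig's code or its internal algorithms): per-container fingerprints are merged per image, observation time drives the learning state, and the share of containers exhibiting a behavior stands in for confidence. The field names, the 24-hour learning window, the 0.8 threshold and the sample data are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Keys mirror the "Profile Contents" list; the names themselves are hypothetical.
CATEGORIES = ("tcp_in", "tcp_out", "udp_in", "udp_out", "processes", "files", "dirs", "syscalls")
LEARNING_SECONDS = 24 * 3600  # assumed learning window, not Sysdig's value
MIN_CONFIDENCE = 0.8          # assumed consistency threshold

@dataclass
class ImageProfile:
    first_seen: float = float("inf")
    last_seen: float = float("-inf")
    containers: set = field(default_factory=set)
    # category -> item -> ids of the containers that exhibited it
    seen_by: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(set)))

    def add(self, fp):
        """Merge one container fingerprint into the image-level profile."""
        self.containers.add(fp["container_id"])
        self.first_seen = min(self.first_seen, fp["ts"])
        self.last_seen = max(self.last_seen, fp["ts"])
        for cat in CATEGORIES:
            for item in fp.get(cat, ()):
                self.seen_by[cat][item].add(fp["container_id"])

    def state(self):
        """Length of time observed decides learning vs. done learning."""
        elapsed = self.last_seen - self.first_seen
        return "done learning" if elapsed >= LEARNING_SECONDS else "learning"

    def confidence(self, cat, item):
        """Consistency: share of the image's containers showing this item."""
        return len(self.seen_by[cat].get(item, ())) / max(len(self.containers), 1)

    def low_confidence(self, cat):
        """Items seen on too few containers to count as normal for the image."""
        return sorted(i for i in self.seen_by.get(cat, {})
                      if self.confidence(cat, i) < MIN_CONFIDENCE)

def build_profiles(fingerprints):
    """Group fingerprints by image, regardless of which node reported them."""
    profiles = defaultdict(ImageProfile)
    for fp in fingerprints:
        profiles[fp["image"]].add(fp)
    return profiles

SAMPLE = [  # constructed sample: three containers of one image on three nodes
    {"image": "nginx:1.25", "container_id": "c1", "node": "n1", "ts": 0, "tcp_in": [80], "processes": ["nginx"]},
    {"image": "nginx:1.25", "container_id": "c2", "node": "n2", "ts": 3600, "tcp_in": [80], "processes": ["nginx"]},
    {"image": "nginx:1.25", "container_id": "c3", "node": "n3", "ts": 90000, "tcp_in": [80, 8443], "processes": ["nginx", "sh"]},
]
```

In the sample, port 80 and the nginx process appear on every container, while port 8443 and the sh process appear on only one, so they fall below the assumed threshold for the image.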