Manage Policies


Review Understanding Sysdig Secure Policies, if needed. Remember that rules are not actionable until they are added to a runtime policy. At minimum, this means:

  • Using a default or creating a policy, either manually or using one of the optional tools to help automate policy creation

  • Defining the basic parameters, such as scope and severity levels

  • Adding rules

  • Defining the policy actions to be taken when rules are breached, such as: sending an event to a notification channel (PagerDuty, Slack, email..); triggering a capture file; and/or taking action on the container (stop/kill/pause).

Understanding How Policy Actions Are Triggered

Policy actions occur asynchronously. If a policy has a container action and matched activity, the agent asks the Docker/Cri-o daemon to perform the stop/kill/pause action. This process takes a few minutes, during which the container still runs and the connect/accept etc. still occur.

Deploy a Default Policy

The first time you access the Policies tab, you will be prompted to load the Sysdig default policies.

The policies are loaded with pre-defined enabled/disabled status, based on most common usage, but you can enable, disable, copy, edit, or delete each one as needed.

Create a Policy

There are a variety of optional tools to help automate the creation of policies. See also:

To create a policy manually:

  • Log in to Sysdig Secure and select Policies > Runtime Policies.

  • On the Runtime Policies list page, select +Add Policy.

    Select the policy type and define the policy parameters. **Note:**The Scope available will differ by policy type.

  • Add the rules and the actions to be taken if the policy rules are breached.

  • Enable and Save the policy.

Select the Policy Type

When you click +Add Policy, you are prompted to choose the Policy Type desired:

Scopes and Actions for Policy Types

The scopes and actions available differ by type:




AWS Cloud

Scope Options


Hosts only

Container only


Hosts only

Container only



Action Options

Stop/ pause/ kill


Notification channel

Stop/ pause/ kill


Notification channel

Notification channel

Notification chann

Define the Basic Parameters

The Policy parameters differ mainly by the Scope and Actions available on the type selected.

  • Name and Description: Provide meaningful, searchable descriptors

  • Enabled/Disabled: Once enabled, the policy will begin to generate events.

  • Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI.

    Policy severity is subjective and is used to group policies within a Sysdig Secure instance.

    NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

  • Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.

Add Rules

You can select existing rules from the Library or create new rules on the fly and add them to a policy.

The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.

See also: Manage Rules

Import from Library

  • From the New Policy (or Edit Policy) page, click Import from Library.

    The Import from Rules Library page is displayed.

  • Select the checkboxes by the rules to import.

    You can pre-sort a collection of rules by searching for particular keywords or tags, or clicking a colored Tag icon (e.g. ).

  • Click Mark for Import.

    A blue Import icon

    appears to the right of the selected rules and the Import Rules button is activated.

  • Click Import Rules.

    The Policy page is displayed with the selected rules listed.

    You can remove a rule from a Policy by clicking the X next to the rule in the list.

Create a Rule from the Policy Editor

If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.

Define Actions

Determine what should be done if a Policy is violated. See also: Understanding How Policy Actions Are Triggered.


Select what should happen to affected containers if the policy rules are breached:

  • Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.

  • Kill: Kills one or more running containers immediately.

  • Stop: Allows a graceful shutdown (10-seconds) before killing the container.

  • **Pause:**Suspends all processes in the specified containers.

For more information about stop vs kill command, see Docker’s documentation.


Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.

See also: Captures.

Notification Channels

Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.

See also: Set Up Notification Channels.

Copy, Edit or Delete a Policy

Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.

Note that policies are only auto-installed when the default policies are loaded first time. If you delete a default policy and subsequently upgrade, that policy will not be recreated.

Last modified September 11, 2021: Update generated docs (d3abcd9b)