Manage Threat Detection Policies


Review Threat Detection Polices, if needed.

You can:

  • Use default Managed Policies out of the box

    You can:

    • Define Scope
    • Define Actions, such as Notification Channels to be used for alerts
    • Enable/Disable the policy
  • Duplicate default policies to create Managed Ruleset Policies

    You can

    • Define Name, Description, and Severity
    • Add Actions, such as separate notification channels
  • Create Custom Policies by converting an existing policy or building from scratch

    Some Policy Types, such as Drift Control, are always Custom policies.

Configure Policies


  1. Log in to Sysdig Secure and select Policies > Threat Detection|Runtime Policies.

  2. On the Runtime Policies list page, select +Add Policy.`

  3. Select Type: Select the policy type and define the policy parameters. Note: The Scope available will differ by policy type. See also: Review Policy Types

  4. Configure Parameters: E.g., Name, Description, Severity, etc. Most parameters are the same across policy types.

  5. Add Rules: Add or edit the rules to be used, if needed. Some policy types already include the allowable rules.

  6. Define Actions: to be taken if the policy rules are breached.

  7. Enable and Save the policy.

Configuration Details

Different policy types may have different configuration details, as described in the three examples linked below.

Workload Policy Example (provided out of the box, but can be created or edited)

Drift Control Policy Example (always custom)

Machine Learning Policy Example (always custom)

Duplicate or Convert a Managed Policy

Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.

Duplicate to Create a Managed Ruleset

  1. Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.

  2. Optionally edit any of the parameters except the rules.

  3. Click Save.

    The new policy will appear in the Runtime policy list tagged Ruleset.

    Note you can also duplicate a Ruleset, if desired.

    If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.

Convert to Create a Custom Policy

  1. Select a Default or a Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.

  2. Click the Convert to Custom button in the middle of the page.

    You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.

  3. Click Save.

    Duplicating a custom policy simply creates another unmanaged custom policy.

Edit a Policy

Only certain changes can be made to a managed policy:

  • Enable/disable the policy
  • Set policy scope
  • Set notifications
  • New: Disable (or re-enable) individual rules (also available for custom policies)

Disable Individual Rules

As of September, 2022, you can disable individual rules within any policy or managed ruleset.

The primary use cases for this feature are:

  • Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
  • Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.

To disable a rule:

  1. Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel.

    The Policy details page is displayed.

  2. Slide the toggle left for the rule(s) you want to disable.

  3. Click Save.


Kubernetes workload labels

The following Kubernetes labels are no longer supported as part of a policy scope, however you can still use these labels to search events.

Topics in This Section

Sysdig Secure delivers a variety of workload policies out of the box. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.

Drift Control

Drift is when an environment differs from the state checked into a version control system. This can occur in software that was introduced, updated, or upgraded into a live environment. Sysdig’s Drift Control feature identifies newly created, downloaded, or modified binaries that were not part of a container image before it started running. To implement Drift Control, create a Container Drift policy.

Workload ML

Sysdig’s Workload ML (Machine Learning) policy is used to provide a second layer of defense to complete the deep and exact coverage that Falco provides with a broader statistics-based approach.


The AWS Machine Learning (ML) policy detects anomalous AWS Console login events in connected AWS cloud accounts.