Manage Threat Detection Policies
Overview
Review Threat Detection Policies, if needed.
You can:
- Use default Managed Policies out of the box. You can:
  - Define Scope
  - Define Actions, such as Notification Channels to be used for alerts
  - Enable/Disable the policy
- Duplicate default policies to create Managed Ruleset Policies. You can:
  - Define Name, Description, and Severity
  - Add Actions, such as separate notification channels
- Create Custom Policies by converting an existing policy or building from scratch. Some Policy Types, such as Drift Control, are always Custom policies.
Configure Policies
Quickstart
1. Log in to Sysdig Secure and select Policies > Threat Detection|Runtime Policies.
2. On the Runtime Policies list page, select +Add Policy.
3. Select Type: Select the policy type and define the policy parameters. Note: The Scope available will differ by policy type. See also: Review Policy Types.
4. Configure Parameters: E.g., Name, Description, Severity, etc. Most parameters are the same across policy types.
5. Add Rules: Add or edit the rules to be used, if needed. Some policy types already include the allowable rules.
6. Define Actions: to be taken if the policy rules are breached.
7. Enable and Save the policy.
Configuration Details
Different policy types may have different configuration details, as described in the three examples linked below.
Workload Policy Example (provided out of the box, but can be created or edited)
Drift Control Policy Example (always custom)
Machine Learning Policy Example (always custom)
Duplicate or Convert a Managed Policy
Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.
Duplicate to Create a Managed Ruleset
1. Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.
2. Optionally edit any of the parameters except the rules.
3. Click Save. The new policy will appear in the Runtime policy list tagged Ruleset. Note that you can also duplicate a Ruleset, if desired.
If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.
Convert to Create a Custom Policy
1. Select a Default or a Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.
2. Click the Convert to Custom button in the middle of the page. You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.
3. Click Save.
Duplicating a custom policy simply creates another unmanaged custom policy.
Edit a Policy
Only certain changes can be made to a managed policy:
- Enable/disable the policy
- Set policy scope
- Set notifications
- New: Disable (or re-enable) individual rules (also available for custom policies)
Disable Individual Rules
As of September, 2022, you can disable individual rules within any policy or managed ruleset.
The primary use cases for this feature are:
- Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
- Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.
To disable a rule:
1. Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel. The Policy details page is displayed.
2. Slide the toggle left for the rule(s) you want to disable.
3. Click Save.
Limitations
Kubernetes workload labels
The following Kubernetes labels are no longer supported as part of a policy scope, however you can still use these labels to search events.
- kubernetes.daemonset.name
- kubernetes.deployment.name
- kubernetes.statefulset.name
- kubernetes.replicaset.name
Workload
Sysdig Secure delivers a variety of workload policies out of the box. Workload policies evaluate each system call and can be configured to take immediate action. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.
Drift Control
Drift is when an environment differs from the state checked into a version control system. This can occur in software that was introduced, updated, or upgraded into a live environment. Sysdig’s Drift Control feature identifies newly created, downloaded, or modified binaries that were not part of a container image before it started running. To implement Drift Control, create a Container Drift policy.
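To make the drift check described above concrete, here is an added example (not Sysdig's code and not how the Sysdig agent implements Drift Control). It compares a baseline of the executables present in a container image with a later snapshot of the running container's filesystem and reports executables that are new or whose contents changed. Both snapshots are constructed in-memory dictionaries (path to file bytes and POSIX mode) built inline for the example; the heuristic for "is this an executable" (exec bit, ELF magic, or a shebang) is an assumption of this example.

```python
import hashlib
import stat
from dataclasses import dataclass

# Heuristic used by this example only: treat a file as an executable worth
# tracking if it has the owner exec bit, starts with the ELF magic, or is a
# shebang script. Real drift tooling may use a richer classification.
ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"


def is_executable(content: bytes, mode: int) -> bool:
    """Return True if the file looks like a binary/script that drift control should track."""
    return (
        bool(mode & stat.S_IXUSR)
        or content.startswith(ELF_MAGIC)
        or content.startswith(SHEBANG)
    )


def fingerprint(snapshot: dict) -> dict:
    """Map path -> sha256 hex digest for every executable file in a snapshot."""
    return {
        path: hashlib.sha256(content).hexdigest()
        for path, (content, mode) in snapshot.items()
        if is_executable(content, mode)
    }


@dataclass(frozen=True)
class DriftEvent:
    path: str
    kind: str      # "new": not in the image baseline; "modified": contents differ
    sha256: str    # digest of the executable as seen in the running container


def detect_drift(baseline_snapshot: dict, current_snapshot: dict) -> list:
    """Return drift events for executables that were not in the baseline or changed since."""
    base = fingerprint(baseline_snapshot)
    cur = fingerprint(current_snapshot)
    events = []
    for path, digest in sorted(cur.items()):
        if path not in base:
            events.append(DriftEvent(path, "new", digest))
        elif base[path] != digest:
            events.append(DriftEvent(path, "modified", digest))
    return events


# Constructed sample data: what the image contained when the container started.
BASELINE = {
    "/usr/bin/app": (ELF_MAGIC + b"app-v1", 0o755),
    "/usr/bin/sh": (ELF_MAGIC + b"sh", 0o755),
    "/etc/app.conf": (b"listen=8080\n", 0o644),
}

# Constructed sample data: the same container some time later.
CURRENT = {
    "/usr/bin/app": (ELF_MAGIC + b"app-v1", 0o755),        # unchanged binary
    "/usr/bin/sh": (ELF_MAGIC + b"sh-patched", 0o755),     # modified binary
    "/etc/app.conf": (b"listen=9090\n", 0o644),            # config edit, not an executable
    "/tmp/newtool": (ELF_MAGIC + b"dropped", 0o755),       # binary that was not in the image
    "/tmp/run.sh": (b"#!/bin/sh\necho hi\n", 0o644),       # new script, detected via shebang
}


def demo() -> list:
    """Run the check over the constructed snapshots and return the drift events found."""
    return detect_drift(BASELINE, CURRENT)


if __name__ == "__main__":
    for event in demo():
        print(f"{event.kind:9} {event.path}  sha256={event.sha256[:12]}...")
```

The configuration file change is deliberately not reported: drift control as the page defines it is about executables that were not part of the image, which is why the example keys on executable-ness rather than on any file change. Disabling a noisy rule or scoping a policy (as described elsewhere on this page) is the operational equivalent of narrowing which of these events are raised.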
Workload ML
Sysdig’s Workload ML (Machine Learning) policy is used to provide a second layer of defense to complete the deep and exact coverage that Falco provides with a broader statistics-based approach.
AWS ML
The AWS Machine Learning (ML) policy detects anomalous AWS Console login events in connected AWS cloud accounts.