Manage Threat Detection Policies

Overview

Review Threat Detection Policies, if needed.

You can:

  • Use default Managed Policies out of the box

    You can:

    • Define Scope
    • Define Actions, such as Notification Channels to be used for alerts
    • Enable/Disable the policy
  • Duplicate default policies to create Managed Ruleset Policies

    You can:

    • Define Name, Description, and Severity
    • Add Actions, such as separate notification channels
  • Create Custom Policies by converting an existing policy or building from scratch

    Some Policy Types, such as Drift Control, are always Custom policies.

Configure Policies

Quickstart

  1. Log in to Sysdig Secure and select Policies > Threat Detection|Runtime Policies.

  2. On the Runtime Policies list page, select +Add Policy.

  3. Select Type: Select the policy type and define the policy parameters. Note: the Scope options available differ by policy type. See also: Review Policy Types.

  4. Configure Parameters: E.g., Name, Description, Severity, etc. Most parameters are the same across policy types.

  5. Add Rules: Add or edit the rules to be used, if needed. Some policy types already include the allowable rules.

  6. Define Actions: to be taken if the policy rules are breached.

  7. Enable and Save the policy.

Configuration Details

Different policy types may have different configuration details, as described in the three examples linked below.

Workload Policy Example (provided out of the box, but can be created or edited)

Drift Control Policy Example (always custom)

Machine Learning Policy Example (always custom)

Duplicate or Convert a Managed Policy

Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.

Duplicate to Create a Managed Ruleset

  1. Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.

  2. Optionally edit any of the parameters except the rules.

  3. Click Save.

    The new policy will appear in the Runtime policy list tagged Ruleset.

    Note you can also duplicate a Ruleset, if desired.

    If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.

Convert to Create a Custom Policy

  1. Select a Default or a Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.

  2. Click the Convert to Custom button in the middle of the page.

    You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.

  3. Click Save.

    Duplicating a custom policy simply creates another unmanaged custom policy.

Edit a Policy

Only certain changes can be made to a managed policy:

  • Enable/disable the policy
  • Set policy scope
  • Set notifications
  • New: Disable (or re-enable) individual rules (also available for custom policies)

Disable Individual Rules

As of September, 2022, you can disable individual rules within any policy or managed ruleset.

The primary use cases for this feature are:

  • Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
  • Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.

To disable a rule:

  1. Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel.

    The Policy details page is displayed.

  2. Slide the toggle left for the rule(s) you want to disable.

  3. Click Save.

Limitations

Kubernetes workload labels

The following Kubernetes labels are no longer supported as part of a policy scope; however, you can still use these labels to search events.

  • kubernetes.daemonset.name
  • kubernetes.deployment.name
  • kubernetes.statefulset.name
  • kubernetes.replicaset.name
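
As an added example (not part of the Sysdig documentation or product code), the following Python linter encodes the editing rules above for managed, ruleset and custom policies together with the unsupported scope labels, so a policy change can be checked before it is applied. The dict layout and field names (kind, scope, disabledRules, notificationChannels) are assumptions for illustration, not Sysdig's policy API schema.

```python
"""Lint a policy change against the editing rules and scope limitations above.
Constructed example: the dict layout is an assumption, not Sysdig's API schema."""
import re

# Managed (default) policies: only these fields may change.
MANAGED_EDITABLE = {"enabled", "scope", "notificationChannels", "disabledRules"}
# Managed Ruleset policies: identity and actions may also change, but not the rules.
RULESET_EDITABLE = MANAGED_EDITABLE | {"name", "description", "severity", "actions"}

# Kubernetes labels no longer accepted in a policy scope (still usable for event search).
UNSUPPORTED_SCOPE_LABELS = {
    "kubernetes.daemonset.name",
    "kubernetes.deployment.name",
    "kubernetes.statefulset.name",
    "kubernetes.replicaset.name",
}


def unsupported_scope_labels(scope: str) -> list[str]:
    """Return the unsupported labels referenced by a scope expression such as
    'kubernetes.namespace.name = "prod" and kubernetes.deployment.name = "api"'."""
    labels = re.findall(r"[a-z_]+(?:\.[a-z_]+)+", scope)
    return sorted(set(labels) & UNSUPPORTED_SCOPE_LABELS)


def validate_change(policy: dict, change: dict) -> list[str]:
    """Return human-readable problems with applying `change` to `policy`.
    policy['kind'] is 'managed', 'ruleset' or 'custom'; policy['rules'] lists rule names."""
    problems = []
    kind = policy["kind"]
    if kind == "managed":
        allowed = MANAGED_EDITABLE
    elif kind == "ruleset":
        allowed = RULESET_EDITABLE
    else:
        allowed = set(change)  # custom policies: everything is editable
    for field in change:
        if field not in allowed:
            problems.append(f"{field!r} cannot be changed on a {kind} policy; convert to custom first")
    if "scope" in change:
        for label in unsupported_scope_labels(change["scope"]):
            problems.append(f"scope uses unsupported label {label}")
    if "disabledRules" in change:
        # Individual rules may be disabled on any policy, but only rules the policy contains.
        unknown = set(change["disabledRules"]) - set(policy.get("rules", []))
        for rule in sorted(unknown):
            problems.append(f"cannot disable unknown rule {rule!r}")
    return problems
```
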

Topics in This Section

Workload Policy

Sysdig Secure delivers a variety of workload policies out of the box. Workload policies evaluate each system call and can be configured to take immediate action. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.

List Matching Policy

List Matching policies evaluate a simple matching or not matching filter for containers, files, network processes, and syscalls. You can edit them, duplicate to create a custom version, or create a new list matching policy from scratch.

Kubernetes Audit Policy

Kubernetes Audit policies evaluate a Kubernetes Audit Log entry. You can edit them, duplicate to create a custom version, or create a new one from scratch. You can scope policies by cluster or namespace.

AWS CloudTrail - CloudConnector Policy

AWS CloudTrail - CloudConnector policies evaluate each AWS CloudTrail entry. You can edit them, duplicate to create a custom version, or create a new one from scratch. You can scope policies by Account ID or virtual private cloud (VPC). This policy is used by Sysdig’s Legacy Agent-Based with CIEM.

GCP Audit Log Policy

GCP Audit Log policies evaluate each GCP Audit Log entry. You can edit them, duplicate to create a custom version, or create a new one from scratch. You can scope policies by Account ID or virtual private cloud (VPC).

Azure Platform Log Policy

Azure Platform Log policies evaluate each Azure Platform Log entry. You can edit them, duplicate to create a custom version, or create a new one from scratch. You can scope policies by Account ID or virtual private cloud (VPC).

Container Drift Policy

Drift is when an environment differs from the state checked into a version control system. This can occur in software that was introduced, updated, or upgraded into a live environment. Sysdig’s Drift Control feature identifies newly created, downloaded, or modified binaries that were not part of a container image before it started running. To implement Drift Control, create a Container Drift policy.

Workload ML Policy

Sysdig’s Workload ML (Machine Learning) policy provides a second layer of defense, complementing the deep and exact coverage of Falco rules with a broader statistics-based approach.

AWS CloudTrail Policy

AWS CloudTrail policies evaluate each AWS CloudTrail entry in Sysdig Cloud. You can edit them, duplicate to create a custom version, or create a new one from scratch. These policies are used by the Sysdig Agentless detection engine.

Microsoft Entra

Microsoft Entra policies evaluate Microsoft Entra ID logs in Sysdig Cloud. You can edit them, duplicate to create a custom version, or create a new one from scratch. Powered by Falco, these policies can be scoped by tenant.

Okta Policy

Okta policies evaluate Okta logs in Sysdig Cloud. You can edit them, duplicate to create a custom version, or create a new one from scratch.

AWS ML Policy

The AWS Machine Learning (ML) policy detects anomalous AWS Console login events in connected AWS cloud accounts.