Manage Threat Detection Policies
Review Threat Detection Policies, if needed. The options for managing policies are:
Use default Managed Policies out of the box
- Define Scope
- Define Actions, such as Notification Channels to be used for alerts
- Enable/Disable the policy
Duplicate default policies to create Managed Ruleset Policies
- Define Name, Description, and Severity
- Add Actions, such as separate notification channels
Create Custom Policies by converting an existing policy or building from scratch
Some Policy Types, such as Drift Control, are always Custom policies.
Log in to Sysdig Secure and select Policies > Threat Detection|Runtime Policies.
On the Runtime Policies list page, select +Add Policy.
Select Type: Select the policy type and define the policy parameters. Note: The
Scope available will differ by policy type. See also: Review Policy Types
Configure Parameters: E.g., Name, Description, Severity, etc. Most parameters are the same across policy types.
Add Rules: Add or edit the rules to be used, if needed. Some policy types already include the allowable rules.
Define Actions: to be taken if the policy rules are breached.
Enable and Save the policy.
Different policy types may have different configuration details, as described in the three examples linked below.
Workload Policy Example (provided out of the box, but can be created or edited)
Drift Control Policy Example (always custom)
Machine Learning Policy Example (always custom)
Duplicate or Convert a Managed Policy
Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Duplicate, or Delete the policy.
Duplicate to Create a Managed Ruleset
Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.
Optionally edit any of the parameters except the rules.
The new policy will appear in the Runtime Policies list, tagged as a Managed Ruleset policy.
Note that you can also duplicate a Ruleset policy, if desired.
If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.
Convert to Create a Custom Policy
Select a Managed Policy or Managed Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.
Click the Convert to Custom button in the middle of the page.
You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.
Duplicating a custom policy simply creates another unmanaged custom policy.
Edit a Policy
Only certain changes can be made to a managed policy:
- Enable/disable the policy
- Set policy scope
- Set notifications
- New: Disable (or re-enable) individual rules (also available for custom policies)
Disable Individual Rules
As of September 2022, you can disable individual rules within any policy or managed ruleset.
The primary use cases for this feature are:
- Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
- Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.
To disable a rule:
Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel.
The Policy details page is displayed.
Slide the toggle left for the rule(s) you want to disable.
Kubernetes workload labels
The following Kubernetes labels are no longer supported as part of a policy scope; however, you can still use these labels to search events.
Sysdig Secure delivers a variety of workload policies out of the box. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.
Drift is when a running environment differs from the state checked into a version control system, for example because software was introduced, updated, or upgraded in a live environment. Sysdig’s Drift Control feature identifies newly created, downloaded, or modified binaries that were not part of a container image before it started running. To implement Drift Control, create a Container Drift policy.
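The detection idea behind Drift Control, as an added example that is not Sysdig's own code: a small Python model that hashes every executable in a directory standing in for the container image's root filesystem when the container starts, rescans later, and reports binaries that were created or modified since. The directory layout, file names and the "miner" payload are constructed for the demo; a non-executable config edit is included to show that it is not treated as drift.

```python
"""Toy model of Container Drift detection (added example, not Sysdig's code).

Baseline: hash every executable regular file under a root directory at
container start. Later, rescan and report executables that are new or
whose contents changed. Assumes a POSIX filesystem (exec bits honoured).
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_executables(rootfs: Path) -> dict[str, str]:
    """Map each executable regular file (path relative to rootfs) to its SHA-256."""
    result: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            # Only regular files with any exec bit set count as binaries here.
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                result[p.relative_to(rootfs).as_posix()] = _sha256(p)
    return result


def detect_drift(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative_path, kind) for executables not in the image at start.

    kind is 'created' (absent from the baseline, including a file that was
    only made executable after start) or 'modified' (content hash changed).
    Deleted binaries are not reported: nothing new can execute from them.
    """
    findings = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            findings.append((path, "created"))
        elif baseline[path] != digest:
            findings.append((path, "modified"))
    return findings


def _write_exec(path: Path, content: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)
    path.chmod(0o755)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: the image ships two binaries; at runtime a new
    binary is dropped, an existing one is tampered with, and a config file
    (not executable) is edited. Only the first two should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_exec(root / "usr/bin/app", b"#!/bin/sh\necho app\n")
        _write_exec(root / "usr/bin/healthcheck", b"#!/bin/sh\nexit 0\n")
        (root / "etc").mkdir()
        (root / "etc/app.conf").write_text("debug=false\n")
        baseline = snapshot_executables(root)  # taken at container start

        # Runtime changes (all constructed for the demo):
        _write_exec(root / "tmp/xmrig", b"\x7fELF-constructed-payload")      # dropped binary
        _write_exec(root / "usr/bin/healthcheck", b"#!/bin/sh\ncurl evil\n")  # tampered binary
        (root / "etc/app.conf").write_text("debug=true\n")                   # config edit: not drift

        return detect_drift(baseline, snapshot_executables(root))


if __name__ == "__main__":
    for path, kind in demo():
        print(f"drift: {kind} {path}")
```

Running the script prints the two drift findings; the config change is absent because the model, like Drift Control as described above, looks only at binaries. A real agent would hook execution events rather than rescanning, but the baseline-versus-runtime comparison is the same.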
Sysdig’s Workload ML (Machine Learning) policy provides a second layer of defense: it complements the deep, exact coverage that Falco rules provide with a broader, statistics-based approach.
The AWS Machine Learning (ML) policy detects anomalous AWS Console login events in connected AWS cloud accounts.