Manage Threat Detection Policies
Review Threat Detection Policies, if needed.
In general, users will:
- Use Default Managed policies out-of-the-box, defining only the Scope and actions such as Notification Channels.
- Duplicate a policy to create a Managed Ruleset and edit additional parameters.
- Require Custom rules and either convert an existing policy or build policy parameters and ruleset from scratch.
Steps to Create a Custom Policy from Scratch
Log in to Sysdig Secure and select Policies > Runtime Policies.
On the Runtime Policies list page, select +Add Policy.
Select Type: Select the policy type and define the policy parameters. Note: The Scope options available will differ by policy type.
Define parameters: E.g., Name, Description, Severity, etc. Most policy types have the same parameters; Drift and Machine Learning have some differences.
Add rules: Add or edit the rules to be used.
Define actions: Specify the actions to be taken if the policy rules are breached.
Enable and Save the policy.
Details in the following sections.
Select the Policy Type
When you click +Add Policy, you are prompted to choose the desired Policy Type. See also: Review Policy Types.
Define the Basic Parameters
The Policy parameters differ mainly in the Scope options, depending on the type selected.
Name and Description: Provide meaningful, searchable descriptors
Enabled/Disabled: Once enabled, the policy will begin to generate events.
Severity: Choose the appropriate severity level as you would like to see it in the
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. E.g. https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
Additional Parameters for Drift Policy Type
The Drift policy differs from the other policy types in a few ways:
- 1:1 Policy:Rule: Drift includes only one rule.
- Prevent: You can toggle the Prevent action to stop the binary from ever starting.
- Dynamic Deny List: When enabled, the policy evaluates and tracks any downloaded executable on the container. If that executable attempts to run, Sysdig will create an alert, or the executable is denied from running if the Prevent action is enabled.
- Exceptions: A user-defined list that can allow a downloaded executable to run without triggering an alert.
- Always Deny: A user-defined list that will always block the executable from running, even if it was built with the image.
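To make the interaction between the Drift parameters concrete, here is an added Python model (not Sysdig's code; the precedence between Always Deny, Exceptions and the dynamic deny list is an assumption) that replays constructed download and exec events in a container against a Drift policy and reports the verdict for each exec:

```python
from dataclasses import dataclass, field
# Added model of the Drift policy semantics above (constructed illustration, not
# Sysdig's code); precedence Always Deny > Exceptions > drift is an assumption.
@dataclass
class DriftPolicy:
    prevent: bool = False                          # deny instead of alert
    dynamic_deny_list: bool = True                 # track runtime downloads
    exceptions: set = field(default_factory=set)   # downloaded paths allowed
    always_deny: set = field(default_factory=set)  # blocked even if in image

@dataclass
class ContainerState:
    image_binaries: set                            # built into the image
    downloaded: set = field(default_factory=set)   # written after start

def on_download(policy, state, path):
    """Record a newly written executable while the dynamic deny list is on."""
    if policy.dynamic_deny_list and path not in state.image_binaries:
        state.downloaded.add(path)

def on_exec(policy, state, path):
    """Decide 'allow', 'alert' or 'deny' for an exec of `path`."""
    if path in policy.always_deny:
        return "deny"                     # blocked even if built with the image
    if path in policy.exceptions:
        return "allow"                    # user-defined exception: no event
    if path in state.downloaded:          # drift: binary did not ship in the image
        return "deny" if policy.prevent else "alert"
    return "allow"

def evaluate(policy, state, events):
    """Replay constructed (kind, path) events; return the exec verdicts."""
    verdicts = []
    for kind, path in events:
        if kind == "download":
            on_download(policy, state, path)
        elif kind == "exec":
            verdicts.append((path, on_exec(policy, state, path)))
    return verdicts

SAMPLE_EVENTS = [("exec", "/bin/sh"), ("download", "/tmp/miner"),  # constructed
                 ("exec", "/tmp/miner"), ("download", "/opt/updater"),
                 ("exec", "/opt/updater"), ("exec", "/usr/bin/curl")]

def run_sample(prevent):
    # Same activity with Prevent off/on; /opt/updater is an Exception and
    # /usr/bin/curl is on Always Deny even though it ships in the image.
    policy = DriftPolicy(prevent=prevent, exceptions={"/opt/updater"},
                         always_deny={"/usr/bin/curl"})
    state = ContainerState(image_binaries={"/bin/sh", "/usr/bin/curl"})
    return evaluate(policy, state, SAMPLE_EVENTS)
```

With Prevent off the downloaded miner only raises an alert; with Prevent on the same exec is denied, while the Exception and Always Deny entries give the same verdict either way.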
Additional Parameters for Machine Learning Policy Type
The Machine Learning policy differs from the other policy types in a few ways:
- Detection types: You can choose what type of Machine Learning based detections you want to enable in your policy. We support only Crypto Mining Detection at this time.
- Confidence level: You can fine-tune the policy to choose at which certainty level the detection should trigger an event.
- Severity: Defined at the detection level, so that you can have a different severity for each detection type.
Add Rules
You can select existing rules from the Library or create new rules on the fly and add them to a policy.
The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.
See also: Manage Rules
Import from Library
From the New Policy (or Edit Policy) page, click Import from Library.
The Import from Rules Library page is displayed.
Select the checkboxes by the rules to import.
You can pre-sort a collection of rules by searching for particular keywords or tags, or by clicking a colored Tag icon.
Click Mark for Import.
The selected rules are marked and the Import Rules button is activated. Click Import Rules.
The Policy page is displayed with the selected rules listed.
You can remove a rule from a Policy by clicking the X next to the rule in the list.
Create a Rule from the Policy Editor
If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.
Define Actions
Determine what should be done if a Policy is violated. See also: Understanding How Policy Actions Are Triggered.
Select what should happen to affected containers if the policy rules are breached:
Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.
Kill: Kills one or more running containers immediately.
Stop: Allows a graceful shutdown (10 seconds) before killing the container.
Pause: Suspends all processes in the specified containers.
For more information about the stop vs. kill commands, see Docker's documentation.
Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.
As of June 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate serverless agents. Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.
See also: Captures.
Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
Duplicate or Convert a Managed Policy
Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Duplicate, or Delete the policy.
Duplicate to Create a Managed Ruleset
Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.
Optionally edit any of the parameters except the rules.
The new policy will appear in the Runtime Policies list tagged as a Managed Ruleset.
Note that you can also duplicate a Ruleset, if desired.
If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.
Convert to Create a Custom Policy
Select a Managed Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.
Click the Convert to Custom button in the middle of the page.
You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.
Duplicating a custom policy simply creates another unmanaged custom policy.
Edit a Policy
Only certain changes can be made to a managed policy:
- Enable/disable the policy
- Set policy scope
- Set notifications
- New: Disable (or re-enable) individual rules (also available for custom policies)
Disable Individual Rules
As of September 2022, you can disable individual rules within any policy or managed ruleset.
The primary use cases for this feature are:
- Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
- Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.
To disable a rule:
Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel.
The Policy details page is displayed.
Slide the toggle left for the rule(s) you want to disable.