Manage Threat Detection Policies
Overview
Review Threat Detection Policies, if needed.
In general, users will:
- Use Default Managed policies out-of-the-box, defining only the Scope, actions such as Notification Channels, and enabling/disabling the policy;
- Duplicate a policy to create a Managed Ruleset and edit additional parameters such as Name, Description, and Severity, creating Managed Ruleset policies;
- Require Custom rules and either convert an existing policy or build policy parameters and ruleset from scratch.
Steps to Create a Custom Policy from Scratch
1. Log in to Sysdig Secure and select Policies > Runtime Policies.
2. On the Runtime Policies list page, select +Add Policy.
3. Select Type: Select the policy type and define the policy parameters. Note: The Scope available will differ by policy type.
4. Define parameters: e.g., Name, Description, Severity, etc. Most policy types have the same parameters; Drift and Machine Learning have some differences.
5. Add rules: Add or edit the rules to be used.
6. Define actions: Define the actions to be taken if the policy rules are breached.
7. Enable and Save the policy.
Details in the following sections.
Policy Details
Select the Policy Type
When you click +Add Policy, you are prompted to choose the Policy Type desired. See also: Review Policy Types.
Define the Basic Parameters
The Policy parameters differ mainly by the Scope and Actions available for the type selected.
Name and Description: Provide meaningful, searchable descriptors.
Enabled/Disabled: Once enabled, the policy will begin to generate events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI.
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
NOTE: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. E.g. https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
Additional Parameters for Drift Policy Type
The Drift policy differs from the other policy types in a few ways:
- 1:1 Policy:Rule: Drift includes only one rule.
- Drifted Binaries: When enabled, the policy will dynamically detect the execution of drifted binaries/downloaded executables. If such a binary attempts to run, Sysdig will create an alert, or the binary is denied from running if Prevent is enabled.
  Note: Formerly called dynamic deny list.
- Exceptions: A user-defined list for which the detection is skipped even if the binary has drifted. Provide the full path of each binary, separated by commas.
- Prohibited Binaries: A user-defined list of binaries whose execution is blocked even if the binary was built with the image. Provide the full path of each binary, separated by commas.
  Note: Formerly called always deny.
- Prevent: Toggle the Prevent action to stop the binary from ever starting.
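To make the Drift settings concrete, the following small Python model (added here; it is not Sysdig's code) shows how the Drifted Binaries, Exceptions, Prohibited Binaries and Prevent settings combine for a single exec event. The precedence between the two lists and the sample paths are assumptions of this model, not documented behaviour.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DriftPolicy:
    """Model of the Drift policy toggles and lists described above."""
    drifted_binaries: bool = True      # detect execution of drifted/downloaded binaries
    prevent: bool = False              # Prevent toggle: deny instead of only alerting
    exceptions: frozenset[str] = field(default_factory=frozenset)
    prohibited_binaries: frozenset[str] = field(default_factory=frozenset)


def parse_path_list(text: str) -> frozenset[str]:
    """Parse the comma-separated list of full binary paths the UI fields accept."""
    return frozenset(p.strip() for p in text.split(",") if p.strip())


def evaluate_exec(policy: DriftPolicy, path: str, built_with_image: bool) -> str:
    """Decide 'allow', 'alert' or 'deny' for one exec event.

    Precedence is an assumption of this model: Prohibited Binaries win over
    everything, then Exceptions skip drift detection, then Prevent chooses
    between denying the exec and only raising an alert.
    """
    if path in policy.prohibited_binaries:
        return "deny"      # blocked even if the binary was built with the image
    if not policy.drifted_binaries or built_with_image:
        return "allow"     # detection off, or the binary shipped in the image
    if path in policy.exceptions:
        return "allow"     # drifted, but explicitly excepted
    return "deny" if policy.prevent else "alert"


# Constructed sample values for the two list fields (not from the Sysdig docs).
EXAMPLE_POLICY = DriftPolicy(
    exceptions=parse_path_list("/usr/local/bin/helper, /opt/tools/updater"),
    prohibited_binaries=parse_path_list("/usr/bin/legacy-tool"),
)

if __name__ == "__main__":
    cases = [("/tmp/downloaded-bin", False), ("/usr/local/bin/helper", False),
             ("/usr/bin/legacy-tool", True), ("/bin/sh", True)]
    for path, in_image in cases:
        print(path, "->", evaluate_exec(EXAMPLE_POLICY, path, in_image))
```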
Additional Parameters for Machine Learning Policy Type
The Machine Learning policy differs from the other policy types in a few ways:
- Detection types: You can choose which Machine Learning based detections to enable in your policy. Only Crypto Mining Detection is supported at this time.
- Confidence level: You can fine-tune the policy to choose the certainty level at which the detection should trigger an event.
- Severity: Defined at the detection level, so that you can have a different severity for each detection type.
Add Rules
You can select existing rules from the Library or create new rules on the fly and add them to a policy.
The Policy Editor interface provides many flexible ways to add rules to or remove rules from a Policy; the instructions below demonstrate one way.
See also: Manage Rules
Import from Library
1. From the New Policy (or Edit Policy) page, click Import from Library. The Import from Rules Library page is displayed.
2. Select the checkboxes by the rules to import. You can pre-sort a collection of rules by searching for particular keywords or tags, or by clicking a colored Tag icon.
3. Click Mark for Import. A blue Import icon appears to the right of the selected rules and the Import Rules button is activated.
4. Click Import Rules. The Policy page is displayed with the selected rules listed.
You can remove a rule from a Policy by clicking the X next to the rule in the list.
Create a Rule from the Policy Editor
If you click New Rule instead of Import from Library, you will be linked to the procedure described in Create a Rule.
Define Actions
Determine what should be done if a Policy is violated.
Containers
Select what should happen to affected containers if the policy rules are breached:
Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.
Kill: Kills one or more running containers immediately.
Stop: Allows a graceful shutdown (10 seconds) before killing the container.
Pause: Suspends all processes in the specified containers.
For more information about the stop vs. kill commands, see Docker's documentation.
If you have agent 12.10.0+, the agent can be configured to prevent kill/pause/stop actions, regardless of the policy. To enable this, edit the following parameter in dragent.yaml (default is false):
security:
  ignore_container_action: true
See also: Understanding Agent Configuration.
Capture
Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.
As of June 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate serverless agents. Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.
See also: Captures.
Notification Channels
Select a notification channel from the drop-down list to send notifications of events to the appropriate personnel.
See also: Set Up Notification Channels.
Duplicate or Convert a Managed Policy
Select a row in the Runtime Policies list to expand the policy details and access the icons to Edit, Copy, or Delete the policy.
Duplicate to Create a Managed Ruleset
1. Select a Managed Policy in the Runtime Policies list and click the Duplicate icon in the details panel.
2. Optionally edit any of the parameters except the rules.
3. Click Save. The new policy will appear in the Runtime Policies list tagged Ruleset.
Note that you can also duplicate a Ruleset, if desired.
If the Sysdig Threat Research team updates the underlying ruleset in the Default policy on which it was based, the Managed Ruleset policy will be updated accordingly.
Convert to Create a Custom Policy
1. Select a Default or a Ruleset policy from the Runtime Policies list and click the Edit icon in the details panel.
2. Click the Convert to Custom button in the middle of the page. You can now edit everything about this policy, including the rules. It will not be managed/updated by the Sysdig team; if new rules are offered, the user is responsible for adding them to the custom policies as desired.
3. Click Save.
Duplicating a custom policy simply creates another unmanaged custom policy.
Edit a Policy
Only certain changes can be made to a managed policy:
- Enable/disable the policy
- Set policy scope
- Set notifications
- New: Disable (or re-enable) individual rules (also available for custom policies)
Disable Individual Rules
As of September 2022, you can disable individual rules within any policy or managed ruleset.
The primary use cases for this feature are:
- Using a subset of rules in a policy while retaining the “managed” status of the policy/ruleset and continuing to receive any updates that are pushed from Sysdig
- Temporarily disabling a rule that is generating many events, until the cause is investigated or an appropriate exception is put in place.
To disable a rule:
1. Select a threat detection policy from the Policies list and click the Edit (pencil) icon in the slide-out panel. The Policy details page is displayed.
2. Slide the toggle left for the rule(s) you want to disable.
3. Click Save.