- Machine Learning collects low-level activities from your infrastructure, aggregating them over time and applying algorithms.
- With machine learning policies you can configure the detections you want to use and their thresholds.
- Machine Learning detection algorithms work by estimating the probability that those activities are related to the detection subjects, i.e. miners. Sysdig Machine Learning detections don't rely on mere program names or executable checksums matching. Instead, they are based on actual runtime behaviors, collected in the form of fingerprints by the Profiling feature.
Enable Machine Learning
Machine Learning policies require enabling the Profiling toggle in Sysdig Labs to activate the underlying fingerprint collection mechanism.
Configure Machine Learning Custom Policy
In the Sysdig Secure UI:
Select Policies > Threat Detection|Runtime Policies to display the Runtime Policies page.
Click +Add Policy (at the top right of the page).
Select the Machine Learning policy type.
Configure the policy:
Name: Enter a policy name.
Description: Provide a meaningful and searchable description
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI: High, Medium, Low, Info
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
You can choose what type of Machine Learning-based detections you want to enable in your policy. Only Crypto Mining Detection is supported at this time.
Crypto Mining Detection: The supported detection type.
Confidence Level Enablement: Fine-tune the policy to choose at which certainty level the detection should trigger an event.
Severity is defined at the detection level, so that you can set a different severity for each detection type.
Notify: Select a notification channel from the drop-down list for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
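To make the confidence-level setting concrete, here is an added illustrative model of how a confidence-gated detection evaluates aggregated fingerprints and raises events. It is not Sysdig's code and does not reproduce Sysdig's detection model: the workload names, activity counters, feature weights and the three probability thresholds are all constructed for this example. What it shows is the trade-off the Confidence Level Enablement setting controls: a lower level surfaces borderline workloads earlier at the cost of more noise, a higher level only fires on strong evidence, and a CPU-heavy but otherwise ordinary batch job scores low at every level because the score rests on a combination of behaviors rather than on a single one.

```python
"""Illustrative confidence-gated ML detection policy (added example, not Sysdig code)."""
import math
from dataclasses import dataclass, field

WINDOW_SECONDS = 600  # assumed aggregation window covered by one fingerprint

# Constructed fingerprints: low-level activity counters aggregated over one
# window per workload. Workload names and counter names are hypothetical.
FINGERPRINTS = {
    "nginx-7c9f":   {"cpu_busy_s": 42,  "outbound_conns": 15, "persistent_outbound": 0, "inbound_accepts": 1200},
    "batch-job-1":  {"cpu_busy_s": 570, "outbound_conns": 2,  "persistent_outbound": 0, "inbound_accepts": 0},
    "worker-2b1a":  {"cpu_busy_s": 588, "outbound_conns": 3,  "persistent_outbound": 3, "inbound_accepts": 0},
    "sidecar-9e0d": {"cpu_busy_s": 540, "outbound_conns": 4,  "persistent_outbound": 2, "inbound_accepts": 0},
}

# Confidence level -> minimum estimated probability needed to raise an event
# (constructed values; the real product's thresholds are not documented here).
CONFIDENCE_THRESHOLDS = {"low": 0.5, "medium": 0.75, "high": 0.9}


def features(fp):
    """Turn raw counters into bounded features: sustained CPU use, share of
    outbound connections that stay open, and a damped inbound-traffic term."""
    cpu_ratio = fp["cpu_busy_s"] / WINDOW_SECONDS
    persistent_ratio = fp["persistent_outbound"] / fp["outbound_conns"] if fp["outbound_conns"] else 0.0
    inbound_penalty = math.log1p(fp["inbound_accepts"]) / math.log1p(1000)
    return cpu_ratio, persistent_ratio, inbound_penalty


def crypto_mining_probability(fp):
    """Toy logistic scorer with hand-picked weights (illustration only)."""
    cpu_ratio, persistent_ratio, inbound_penalty = features(fp)
    logit = -6.0 + 5.0 * cpu_ratio + 4.0 * persistent_ratio - 2.0 * inbound_penalty
    return 1.0 / (1.0 + math.exp(-logit))


DETECTORS = {"crypto_mining": crypto_mining_probability}


@dataclass
class Detection:
    confidence: str  # "low" | "medium" | "high"
    severity: str    # severity is configured per detection type


@dataclass
class MLPolicy:
    name: str
    enabled: bool = True
    detections: dict = field(default_factory=dict)


def evaluate_policy(policy, fingerprints):
    """Return one event per (workload, detection) whose estimated probability
    meets the confidence threshold configured for that detection."""
    events = []
    if not policy.enabled:
        return events
    for workload, fp in fingerprints.items():
        for name, cfg in policy.detections.items():
            p = DETECTORS[name](fp)
            if p >= CONFIDENCE_THRESHOLDS[cfg.confidence]:
                events.append({
                    "policy": policy.name,
                    "workload": workload,
                    "detection": name,
                    "probability": round(p, 3),
                    "severity": cfg.severity,
                })
    return events


if __name__ == "__main__":
    policy = MLPolicy("miner-detection", detections={"crypto_mining": Detection("medium", "High")})
    for event in evaluate_policy(policy, FINGERPRINTS):
        print(event)
```

Run as a script it prints a single event for the worker whose CPU is saturated and whose outbound connections all persist. Switching the detection to the low confidence level adds the sidecar, which sits between the two thresholds, while the nginx front end and the batch job never score high enough at any level.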