- Machine learning collects low-level activities from your infrastructure, aggregating them over time and applying algorithms.
- With machine learning policies, you can configure the detections you want to use and their thresholds.
- Machine learning detection algorithms estimate the probability that those activities are related to the detection subjects, i.e. miners. The Sysdig Workload ML detections don’t rely on mere program names or executable checksums matching. Instead, they are based on runtime behaviors, collected as fingerprints by the Profiling feature.
Enable Workload ML
The Workload ML policy requires the profiling feature to be enabled to activate the underlying fingerprint collection mechanism.
If you are using Sysdig agent v.12.15+, this option is automatically enabled.
To enable/disable manually, see Profiling.
Configure Workload ML Custom Policy
In the Sysdig Secure UI:
Select Policies > Threat Detection|Runtime Policies to display the Runtime Policies page.
Click +Add Policy (at the top right of the page).
Select the Workload ML policy type.
Configure the policy:
Name: Enter a policy name
Description: Provide a meaningful and searchable description
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI: High, Medium, Low, Info
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
You can choose what type of Machine Learning-based detections you want to enable in your policy. Only Crypto Mining Detection is supported at this time.
Crypto Mining Detection: The supported detection type
Confidence Level Enablement: Fine-tune the policy to choose at which certainty level the detection should trigger an event.
Severity: Defined at the detection level, so that each detection type can have its own severity.
Notify: Select a notification channel from the drop-down list for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
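The following is an added illustrative model, not Sysdig code and not its API, of how the settings above interact: a policy is enabled, carries a scope, and holds one or more ML detections, each with its own confidence level and severity. The class names, field names, label keys, score values and the mapping from confidence level to a numeric threshold are all assumptions made for this example. It shows what a practitioner cares about when tuning the Confidence Level: a lower level surfaces more events (more chance of false positives), a higher level surfaces fewer (more chance of missing a miner).

```python
"""Constructed model of a Workload ML policy evaluation (not Sysdig's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed mapping from the UI's confidence level to a minimum estimated probability.
# The real product exposes a fine-tuning control; these numbers are constructed.
CONFIDENCE_THRESHOLDS = {"low": 0.5, "medium": 0.75, "high": 0.9}

# Severity levels named on the page.
SEVERITIES = ("High", "Medium", "Low", "Info")


@dataclass
class MLDetection:
    detection_type: str      # "crypto_mining" is the only type the page supports
    enabled: bool
    confidence_level: str    # key into CONFIDENCE_THRESHOLDS
    severity: str            # severity is set per detection type

    def __post_init__(self) -> None:
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.confidence_level not in CONFIDENCE_THRESHOLDS:
            raise ValueError(f"unknown confidence level {self.confidence_level!r}")


@dataclass
class WorkloadMLPolicy:
    name: str
    enabled: bool
    scope: Dict[str, str]            # hypothetical label selectors the workload must match
    detections: List[MLDetection]
    runbook_url: Optional[str] = None


@dataclass
class Observation:
    """Aggregated runtime-behaviour score for one workload (constructed input)."""
    workload: str
    labels: Dict[str, str]
    scores: Dict[str, float]         # detection_type -> estimated probability


def in_scope(policy: WorkloadMLPolicy, labels: Dict[str, str]) -> bool:
    # Every scope selector must match a label on the workload.
    return all(labels.get(key) == value for key, value in policy.scope.items())


def evaluate(policy: WorkloadMLPolicy, obs: Observation) -> List[dict]:
    """Return the events this policy would raise for one observation."""
    events: List[dict] = []
    if not policy.enabled or not in_scope(policy, obs.labels):
        return events
    for det in policy.detections:
        if not det.enabled:
            continue
        score = obs.scores.get(det.detection_type)
        if score is None:
            continue
        if score >= CONFIDENCE_THRESHOLDS[det.confidence_level]:
            events.append({
                "policy": policy.name,
                "detection": det.detection_type,
                "severity": det.severity,          # detection-level severity, not policy-level
                "confidence": score,
                "workload": obs.workload,
                "runbook": policy.runbook_url,     # surfaced as "View Runbook" in the event
            })
    return events


def events_per_confidence_level(policy: WorkloadMLPolicy,
                                observations: List[Observation]) -> Dict[str, int]:
    """Sweep the confidence level to show the sensitivity trade-off."""
    counts: Dict[str, int] = {}
    for level in CONFIDENCE_THRESHOLDS:
        tuned = [MLDetection(d.detection_type, d.enabled, level, d.severity)
                 for d in policy.detections]
        variant = WorkloadMLPolicy(policy.name, policy.enabled, policy.scope, tuned, policy.runbook_url)
        counts[level] = sum(len(evaluate(variant, o)) for o in observations)
    return counts


# Constructed sample policy and observations.
POLICY = WorkloadMLPolicy(
    name="prod-crypto-mining",
    enabled=True,
    scope={"kubernetes.namespace.name": "prod"},   # hypothetical label key
    detections=[MLDetection("crypto_mining", True, "medium", "High")],
    runbook_url="https://www.mycompany.com/our-runbook-link",
)
OBS_PROD_LIKELY = Observation("api-7f9c", {"kubernetes.namespace.name": "prod"}, {"crypto_mining": 0.82})
OBS_PROD_WEAK = Observation("batch-1a2b", {"kubernetes.namespace.name": "prod"}, {"crypto_mining": 0.60})
OBS_DEV_STRONG = Observation("sandbox-3c4d", {"kubernetes.namespace.name": "dev"}, {"crypto_mining": 0.95})

if __name__ == "__main__":
    for obs in (OBS_PROD_LIKELY, OBS_PROD_WEAK, OBS_DEV_STRONG):
        print(obs.workload, evaluate(POLICY, obs))
    print(events_per_confidence_level(POLICY, [OBS_PROD_LIKELY, OBS_PROD_WEAK, OBS_DEV_STRONG]))
```

Running the sweep makes the tuning decision concrete: the same three workloads produce two events at the low level, one at medium and none at high, and the out-of-scope workload never produces one regardless of its score, which is why scope and confidence level should be set together rather than in isolation.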