Search for Existing Policies
To review the existing Workload policies:
Log in to Sysdig Secure and select Policies > Threat Detction Policies.
Filter for Managed Policy and Workload.
You can edit a managed policy, duplicate it to create a custom policy, or click + Add Policy, choose the Workload Policy Type, and configure it from scratch.
Configure a Workload Policy
Name: Enter a policy name
Description: Provide a meaningful and searchable description
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI: High, Medium, Low, Info
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a
View Runbook option will be displayed in any corresponding Event.
Add or edit policy rules as needed.
Determine what should be done if a Policy is violated.
Select what should happen to affected containers if the policy rules are breached:
Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.
Kill: Kills one or more running containers immediately.
Stop: Allows a graceful shutdown (10-seconds) before killing the container.
Pause: Suspends all processes in the specified containers.
For more information about stop vs kill command, see Docker’s documentation.
Toggle Capture ON if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.
As of June, 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate Serverless Agents Fargate serverless agents. Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy defintion.
See also: Captures.
Select a notification channel from the drop-down list, for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.