Runtime Threat Detection Policy Tuning
The Runtime Policy Tuning feature assists in reducing noisy false positives in the Sysdig Secure Events feed. Built on top of the Falco Rules Tuner, it automatically adds Exceptions to rules, thereby removing particularly noisy sets of policy events and leaving the lower-volume events for later analysis.
The tuner may be especially helpful when deploying Sysdig Secure runtime policies in a new environment. Your environment may include applications that legitimately perform actions such as running Docker clients in containers, changing namespaces, or writing below binary directories, but which trigger unwanted floods of related policy events in the default policies and rules provided by Sysdig.
Earlier versions of Sysdig used the Falco Rules Tuner (Legacy).
Using Runtime Policy Tuner
Prerequisites
Sysdig agent 11.0.0+
Sysdig SaaS or Sysdig On-Prem 5.0+
Enable, View, Edit Exceptions, Disable
The tuner is enabled and disabled as needed to tame false positives and optimize the use of the Events feed. By default, it is disabled.
Log in to Sysdig Secure as Admin and choose Policies > Threat Detection | Runtime Policy Tuning.
Enable the feature with the Tuning Engine toggle.
It may take up to 24 hours to see the initial Applied Tuning Exceptions listed in the left panel.
In the background, the tuner evaluates policy events as they are received by the Sysdig backend, finds applicable exception values, and adds them. The Applied Tuning Exceptions file is passed along to all Sysdig agents, together with the rules and policies.
If needed, you can edit the Exceptions created directly in the left-hand panel.
Any changes will be retained as the tuner evaluates additional events.
NOTE: Do not add custom exceptions, macros, or lists definitions here. Please use the Rules Editor (Custom Rules) for such elements.
Toggle the Tuning Engine off when you feel the feature has addressed the most commonly occurring (unwanted) policy events.
NOTE: Any exceptions in the Applied Tuning Exceptions panel will still be passed along to agents.
To start over from scratch, clear the Applied Tuning Exceptions text and re-enable with the Tuning Engine toggle.
Understanding How the Tuning Engine Works
When Does the Tuner Add Exceptions?
The Policy Tuning feature is conservative, only adding exceptions for commonly occurring events for a single rule with similar attributes.
Both of the following conditions must be met:
The rule has generated at least 25 policy events in the past hour
A candidate set of exception values is applicable to at least 25% of the events in the past hour
This ensures the tuning feature only adds exceptions for high-volume sets of events that can be easily addressed with a single set of exception values.
Exceptions Behind the Scenes
If you want to understand the process of exception insertion by the tuner, consider a sample rule:
- rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: root_dir and evt.dir = < and open_write
  exceptions:
    - name: proc_writer
      fields: [proc.name, fd.filename]
And a stream of policy events with outputs such as:
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
File below / or /root opened for writing (user=root user_loginuid=-1 command=/usr/local/bin/my-app-server parent=java file=/state.txt program=my-app-server container_id=a97d44bbe437 image=my-registry/app-server:latest)
Then the tuner would add the following exception values to address the false positives:
- rule: Write below root
  exceptions:
    - name: proc_writer
      values:
        - [my-app-server, /state.txt]
  append: true
See the Falco proposal for more background information on using exceptions.
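The following Python script is an added illustration of the two thresholds described above (at least 25 events for one rule in the past hour, and a candidate value set covering at least 25% of them) and of the append-style exception the tuner emits. It is not Sysdig's tuner code. It assumes that the caller supplies one hour of (rule name, output line) pairs, that the exception fields map to the key=value labels in the output text (proc.name to program=, fd.filename to file=, an assumed mapping), and it uses constructed sample events: 28 copies of the page's app-server event plus 7 events from a hypothetical log-rotator process, so that only the app-server value set clears the 25% share.

```python
import re
from collections import Counter, defaultdict

# Constructed copy of the exception definition from the "Write below root"
# rule on the page: the proc_writer exception keys on [proc.name, fd.filename].
RULE_EXCEPTIONS = {
    "Write below root": [
        {"name": "proc_writer", "fields": ["proc.name", "fd.filename"]},
    ],
}

# Assumed mapping from Falco field names to the key=value labels that appear
# in the rule's output text (program= and file= in the sample outputs).
FIELD_TO_OUTPUT_KEY = {
    "proc.name": "program",
    "fd.filename": "file",
    "user.name": "user",
}

# The two thresholds stated on the page.
MIN_EVENTS_PER_HOUR = 25
MIN_SHARE = 0.25

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Extract key=value pairs from a Falco-style output line into a dict.

    A trailing ')' closing the output's parenthesised field list is removed
    from the last value so that image=...:latest) parses as the bare image.
    """
    return {k: v.rstrip(")") for k, v in KV_RE.findall(line)}


def propose_exceptions(events, rule_exceptions=RULE_EXCEPTIONS,
                       min_events=MIN_EVENTS_PER_HOUR, min_share=MIN_SHARE):
    """Apply the page's two thresholds to one hour of (rule, output) events.

    Returns one 'append: true' rule fragment per rule that has at least one
    qualifying candidate value set. Value sets that are individually below
    min_share are left alone: those are the lower-volume events the page
    says are deliberately kept for later analysis.
    """
    by_rule = defaultdict(list)
    for rule, line in events:
        by_rule[rule].append(parse_event(line))

    proposals = []
    for rule, parsed in by_rule.items():
        if len(parsed) < min_events:
            continue  # fewer than 25 events in the hour: nothing to tune
        for exc in rule_exceptions.get(rule, []):
            keys = [FIELD_TO_OUTPUT_KEY[f] for f in exc["fields"]]
            # A candidate value set is the tuple of this exception's fields
            # as observed in a single event; count how often each one recurs.
            counts = Counter(
                tuple(ev[k] for k in keys)
                for ev in parsed
                if all(k in ev for k in keys)
            )
            values = [list(v) for v, n in counts.most_common()
                      if n / len(parsed) >= min_share]
            if values:
                proposals.append({
                    "rule": rule,
                    "exceptions": [{"name": exc["name"], "values": values}],
                    "append": True,
                })
    return proposals


def render(proposals):
    """Render proposals in the YAML layout the page shows for appended exceptions."""
    lines = []
    for p in proposals:
        lines.append(f"- rule: {p['rule']}")
        lines.append("  exceptions:")
        for exc in p["exceptions"]:
            lines.append(f"    - name: {exc['name']}")
            lines.append("      values:")
            for v in exc["values"]:
                lines.append("        - [" + ", ".join(v) + "]")
        lines.append("  append: true")
    return "\n".join(lines)


# Constructed sample events: the page's app-server output line, plus a
# hypothetical log-rotator line with a made-up container id and image.
APP_LINE = ("File below / or /root opened for writing (user=root user_loginuid=-1 "
            "command=/usr/local/bin/my-app-server parent=java file=/state.txt "
            "program=my-app-server container_id=a97d44bbe437 "
            "image=my-registry/app-server:latest)")
ROTATE_LINE = ("File below / or /root opened for writing (user=root user_loginuid=-1 "
               "command=/usr/sbin/log-rotator parent=cron file=/rotate.lock "
               "program=log-rotator container_id=0123456789ab "
               "image=my-registry/log-rotator:1.0)")
SAMPLE_EVENTS = ([("Write below root", APP_LINE)] * 28
                 + [("Write below root", ROTATE_LINE)] * 7)

if __name__ == "__main__":
    print(render(propose_exceptions(SAMPLE_EVENTS)))
```

With the sample input, the app-server pair accounts for 28 of 35 events (80%) and is appended as [my-app-server, /state.txt]; the log-rotator pair is 20% of the hour and is left in the Events feed, which is the conservative behaviour the page describes.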