Custom Risk
Use the Custom Risks page under Risk to view, define, and edit custom risk policies.
Define Custom Risk
Log in to Sysdig Secure.
Select Risks > Custom Risk.
On the top-left corner of the page, click New Custom Risk.
The Create Query page appears where you can do one of the following:
- Select an out-of-the-box risk.
- Build a query to define your custom risk.
Based on your selection, continue with one of the following:
Build a Query
On the Create Query page, you can define a custom risk by using the SysQL query builder. For example, let us build the following query:
EC2 with Critical Vulnerabilities
Click the query builder and select Compute > EC2Instance.
Select That has Package and click Go.
The query is ready, and you can now add more options to it.
On the query builder, click the + icon next to THAT HAS Package. You have the option to hide, remove, or make the entity optional.
Select That Is Affected By CriticalVulnerability.
Click the + icon to open the menu options and select Severity.
Click Go.
On the query builder, click the value for severity and choose Critical. Click Run to see all the entities that are under risk.
Click Save as Risk to save the custom risk that you have defined.
Specify the following:
- Risk Name: A unique name to identify the custom risk that you have defined.
- Description: Details such as what this risk is.
- Risk Severity: Low, Medium, High, Critical.
- Optionally, enable the risk that you have just created.
Click Save.
Once saved, you can view the risk you have just created on the Custom Risks page.
Edit an Out-of-the-Box Risk
Click an available out-of-the-box risk policy.
For example, select Show me all the workloads having a critical vulnerability possibly exploitable.
The Search page with the SysQL query matching your selection appears.
MATCH KubeWorkload WHERE isExposed = true That Is Affected By criticalVulnerability That Affects Package WHERE inUse = true That Generates RuntimeEvent That Violates Control WHERE isPrivileged = true
You can also see the entities that match the query.
Edit the query if you would like to customize it.
For example, to filter the entities within the demo-kube-aws cluster, you can edit the query as follows: Click the + icon next to the main object, which in this case is KubeWorkload. Scroll down and select clusterName. Click Go.
You can see that the query builder now shows the updated query:
MATCH KubeWorkload WHERE clusterName = `demo-kube-aws` AND isExposed = true That Is Affected By criticalVulnerability That Affects Package WHERE inUse = true That Generates RuntimeEvent That Violates Control WHERE isPrivileged = true
Click Run to view the list of entities matching your query.
Click Save as Risk to save your query for future use.
Filter Custom Risks
You can search for and filter custom risks that you have created in the following ways:
- Search Bar: Use the search bar to locate a risk that you have created.
- Severity: Filter by using the severity of the risk. Click C, H, M, or L to find risks in these categories.
- Status: Filter all the risks that are enabled or disabled.
Activate or Deactivate a Custom Risk
On the Custom Risks page, use the slider next to each custom risk to enable or disable it.
Edit a Custom Risk
Log in to Sysdig Secure.
Select Risks > Custom Risk.
On the top-left corner of the page, click New Custom Risk.
The Search page appears.
Select an out-of-the-box risk.
Edit the following as necessary:
- Query: Click Edit Query to go to the Edit Query page, where you can build a new query based on your existing one.
- Risk Name
- Description
- Risk Severity
Click Save.
The edited custom risk will appear on the Custom Risks page.
Query Limitations
Consider the following constraints while building a query to create a Custom Risk rule:
The query must point to one of the following resources:
- AWSLambda
- AWSRDSDatabaseCluster
- AWSRDSDatabaseInstance
- AzureFunction
- AzureIAMGroup
- AzureIAMRole
- AzureIAMUser
- AzureStorageAccountBlobService
- AzureStorageAccountBlobServiceContainer
- AzureVirtualMachine
- CloudIAMRole
- CloudIAMUser
- CloudOrKubeResource
- EC2Instance
- GCPCloudFunction
- GCPCloudStorageBucket
- GCPComputeInstance
- GCPIAMRole
- GCPIAMUser
- IAMGroup
- IAMRole
- IAMUser
- KubeWorkload
- Cloud Resource
- Kubernetes Resource
- S3Bucket
- VirtualMachine
The query must have at least one filter applied to be evaluated as a Risk. A filter can be:
- A WHERE clause that filters the resource
- A relation matching some entity attached to the central resource
This ensures that the result of the risk is not a plain list of resources but that the resources are filtered following some logic.
The query must use only outgoing relations from entities that are resources:
The following query can't be a risk, because it uses the Vulnerability as a "bridge" to get the workloads:
MATCH EC2Instance AFFECTED_BY Vulnerability THAT_AFFECTS KubeWorkload
This ensures that the risk represents a possible attack surface and does not represent connections between resources that are not logically connected.
A query can have only Resources as root nodes in the query.
A query requires at least one filter or relationship in the query.
Outgoing connections from the Package are not allowed, except for Vulnerabilities. To prevent users from creating invalid queries, outgoing connections are blocked from the following entities:
- Metadata
  - Label
  - Zone
  - Region
- Policy
  - Policy
  - Vuln
  - Vulnerability
  - CriticalVulnerability
- Controls
  - Control
  - PrivilegedControl
  - S3AcceptsHTTP
  - S3VersioningDisabled
  - ContainsAIPackage
- IAM Findings
  - RiskFinding
  - CompromisedState
- Runtime Events
  - RuntimeEvent
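The following is an added example, not Sysdig's own code, that encodes the query constraints listed above as a pre-check so a query can be rejected before it is saved as a Risk. The structured form of a query (a root entity, WHERE filters, and relation hops between entities) is an assumption for illustration; the entity names come from this page.

```python
"""Hypothetical validator for the Custom Risk query constraints on this page."""
from dataclasses import dataclass

# Resources allowed as the root node of a risk query (names taken from the page).
RISK_ROOT_RESOURCES = {
    "AWSLambda", "AWSRDSDatabaseCluster", "AWSRDSDatabaseInstance", "AzureFunction",
    "AzureIAMGroup", "AzureIAMRole", "AzureIAMUser", "AzureStorageAccountBlobService",
    "AzureStorageAccountBlobServiceContainer", "AzureVirtualMachine", "CloudIAMRole",
    "CloudIAMUser", "CloudOrKubeResource", "EC2Instance", "GCPCloudFunction",
    "GCPCloudStorageBucket", "GCPComputeInstance", "GCPIAMRole", "GCPIAMUser",
    "IAMGroup", "IAMRole", "IAMUser", "KubeWorkload", "S3Bucket", "VirtualMachine",
}
# Entities that may not be the source of an outgoing relation (from the page).
NO_OUTGOING = {
    "Metadata", "Label", "Zone", "Region", "Policy", "Vuln", "Vulnerability",
    "CriticalVulnerability", "Control", "PrivilegedControl", "S3AcceptsHTTP",
    "S3VersioningDisabled", "ContainsAIPackage", "RiskFinding", "CompromisedState",
    "RuntimeEvent",
}
VULN_ENTITIES = {"Vuln", "Vulnerability", "CriticalVulnerability"}

@dataclass(frozen=True)
class Hop:
    source: str        # entity the relation starts from
    relation: str      # relation name, e.g. "HAS" or "AFFECTED_BY"
    target: str        # entity the relation points to
    where: tuple = ()  # filters on the target, e.g. ("severity = Critical",)

@dataclass(frozen=True)
class Query:
    root: str
    where: tuple = ()  # WHERE filters on the root resource
    hops: tuple = ()   # relation hops, in the order they appear in the query

def validate(q: Query) -> list:
    """Return the constraint violations; an empty list means the query can be a Risk."""
    errors = []
    if q.root not in RISK_ROOT_RESOURCES:
        errors.append(f"root {q.root} is not a resource")
    if not q.where and not q.hops:
        errors.append("query needs at least one WHERE filter or relation")
    for h in q.hops:
        if h.source in NO_OUTGOING:  # e.g. Vulnerability used as a bridge to workloads
            errors.append(f"outgoing relation from {h.source} is not allowed")
        elif h.source == "Package" and h.target not in VULN_ENTITIES:
            errors.append(f"Package may only connect outward to vulnerabilities, not {h.target}")
    return errors
```

Modelled on the page's two queries, "EC2Instance HAS Package AFFECTED_BY CriticalVulnerability WHERE severity = Critical" validates cleanly, while "EC2Instance AFFECTED_BY Vulnerability THAT_AFFECTS KubeWorkload" is rejected for its outgoing relation from Vulnerability.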