Sysdig Sage
Sysdig Sage for Cloud Detection and Response
Sysdig Sage for Cloud Detection and Response (CDR) primarily targets users working in security operations responsible for incident response and forensics. It helps you reduce response time and speed up investigations. For example, Sysdig Sage for CDR can:
- Explain command lines
- Explain rules
- Interpret data
- Suggest areas to investigate for a particular issue
- Recommend next steps
Sysdig Sage supports a multi-level conversation:
- Summarization: Offers top statistics for runtime security events based on various groupings such as policy name, rule, event type, severity, and more.
- Explainability: Provides in-depth information about specific security events.
Enable Sysdig Sage
To enable Sysdig Sage:
Log in to Sysdig Secure as an Admin.
Select Settings > Sysdig Sage | Activation and T&C.
If you are not an Admin, contact your Admin to enable Sysdig Sage for you.
To enable Sysdig Sage for another user, you must create a custom role and team:
Create a Custom Role for Sysdig Sage
To use Sysdig Sage, create a custom role and assign the required permissions:
Log in to Sysdig Secure as an Admin.
Select Settings > Roles.
Create a New Role for Sysdig Sage.
Grant the following permissions:
Permissions | Settings |
---|---|
Sage: Full Access | |
Events: Read only | |
Captures and Investigate: Custom | |
Click Save.
For more information about creating roles, see Create a Custom Role.
Next, you must create a team for Sysdig Sage Users.
Create a Team for Sysdig Sage
We recommend you create a team for Sysdig Sage users for ease of operations:
Select Settings > Teams.
Select Add team.
Configure the team and select Save.
For more information about team creation, see Create a Team.
Assign Users to the Sysdig Sage Role
Add users to the Team you set up for Sysdig Sage users and assign them the custom role you created for Sysdig Sage. See Assign a User to a Team for more information.
Log in to Sysdig Secure as an Admin.
Select Settings > Teams.
From the Teams page, select the team you configured.
In the Team Users tab, select Assign User.
For User, select the user from the drop-down. For Role, select the Sysdig Sage role you configured.
Select Save.
The user now has access to Sysdig Sage.
Get Started with Sysdig Sage
Log in to Sysdig Secure.
Click the Sysdig Sage icon on the top-right corner of the screen.
Enter your prompt.
See Example Prompts for more information.
Optionally, you can perform the following operations:
Operations:
- Settings
- Clear Chat
- Close the Sysdig Sage window
- Expand the Sysdig Sage window
- Minimize the Sysdig Sage window
Example Prompts
PROMPT | VALUE |
---|---|
"What are the most critical events on my cloud infrastructure?", "What are my noisiest rules?", "Which containers are generating the most events?", "What are my top 3 high severity events?", "How many events do I have for each severity?" | Sysdig Sage can help you quickly summarize events on the Events Feed UI instead of analyzing them one by one. |
"What process generated the selected runtime event?", "Help me understand the selected runtime event", "Explain the rule that generated the selected runtime event" | Sysdig Sage is context aware. For example, Sysdig Sage knows which process generated the selected runtime event. Sysdig Sage reduces analysis time to a few seconds so you can get to the core concepts of interest. |
"Can you explain the command line option in this event?" | Sysdig Sage gives you the right context with rich information and explanations. You no longer need to leave Sysdig Secure and search on the Internet. |
"What cloud users are associated with runtime events?", "What users are associated with critical events?" | Sysdig Sage gives you insight into the users who are associated with a selected event. |