Activity

Activity is a powerful visualization tool for threat detection, investigation, and risk prioritization. On the Insights page, all findings generated by Sysdig across workloads and cloud environments are aggregated into an easily navigable visual platform. Use it to identify compliance anomalies and ongoing threats to your environment.

Choose your Scope

Activity offers five different Activity Views. Use one of the following options to select an activity view:

  1. Select Threats to bring up the Activity Views list, where you can select your desired view.

  2. From the Activity module, click the name of the current view on the top left. A dropdown appears with the full list, where you can select your desired view.

Findings are grouped in a hierarchical order.

Cloud User Activity

Detects events related to user activity in connected cloud accounts. The findings are grouped in the following order: User / Account / Region / Resource Category / Resource Type / Resource.

Cloud Activity

Detects events in connected cloud accounts. The findings are grouped in the following order: Account / Region / Resource Category / Resource Type / Resource.

Kubernetes Activity

Detects events in connected Kubernetes clusters, namespaces, and workloads. The findings are grouped in the following order: Cluster / Namespace / Workload / Pod.

Node and Pod Activity

Detects events in connected Kubernetes nodes and pods, but presents them in a different order to assist visibility. The findings are grouped in the following order: Cluster / Node / Pod.

Host and Container Activity

Detects events in connected hosts and containers. The findings are grouped in the following order: Hostname / Container.

For more information on the order of subheadings, see Use the Visualization Panel.

Use the Graph Panel

On the left side of the Activity UI, you will find the graph panel. Here, a coloured visual is displayed which represents a part of your infrastructure. To switch between parts, refer back to Choose your Scope.

The Activity graph is designed to convey hierarchy in an intuitive way. If you have selected Node & Pod Activity, for example, there are three levels at play: clusters, nodes, and pods. These levels are found in the headers under the name of the current scope. The hierarchy is conveyed visually by nested circles, in the manner of a Matryoshka doll. Small circles representing pods sit inside bigger circles representing nodes, which in turn sit inside large circles representing clusters.

The graph is dynamic and responsive. Click any circle to highlight it and read details from the floating panel that appears. The Activity Panel on the right will also update in accordance with your selection.

Change Timespan

To scope by timespan, use the timeline at the bottom of the page.

Choose your timespan by selecting presets such as three hours, (3H), one day (1D), and one week (1W). The default span is 14 days (2W).

To specify a custom span, click on the date range the date to open a calendar.

Activity can display up to a maximum of 14 days or 999 events, whichever comes first.

Filter by Severity

To the right of the search bar, you find four severity buttons; (H)igh, (M)edium, (L)ow, and (I)nfo. Toggle the buttons to remove or include events of that severity from the results.

To learn more about severity, see Severity and Status.

Use the Activity Panel

The All Activity panel is found on the right side of the Activity module for Cloud, Cloud User, Kubernetes, Node&Pod, and Host&Container. If a particular type of resource is not connected in your environment, the panel will show No Activities.

Summary Tab

When findings are present, click Summary to see a recapitulation the data in the visualization as an ordered list. You can group findings by Rule or User > Rule.

Hover over a line item to see at a glance the affected containers, images, rules, and user names.

Events Tab

Click the right arrow on any rule to see it in the Events tab.

The Events tab replicates the Sysdig Secure Events feed. Click an entry in the time-based list to open its details. Hover over any event to see its exact location in your environment highlighted in the visualization.

Search | Show | Hide | Exclude

The Search bar works in conjunction with options in the Summary tab.

Each item in the Summary list includes the options:

  • Click 🚫, exclude, to reload the visualization and exclude this entry. This can cut down on repetitious results (which, in some cases, can cause the 999-item limit to be exceeded).

  • Click =, show, to add the finding to the Search bar, and to the page URL. The visualization will be targeted accordingly.

  • Click !=, hide, to hide that finding from the visualization, adding the filter to the Search and the URL.

Note that =, show, and !=, hide, do not trigger a re-fetch of data.

After you exclude an entry, an Exclusions button appears at the top of the page.

Click Exclusions to:

  • View the events you have marked for exclusion.
  • Clear All Exclusions, if desired.

Tunable Exceptions

Sysdig’s Runtime Policy Tuner helps reduce false positives by using rule exceptions. If there are potential exceptions that match one or more events from the same rule a {#} Tunable Exceptions button may appear in the rules summary. When clicked, a modal appears with suggestions of matching exceptions.

  1. Expand a rule to open the event summary, if there are available exceptions, you will see an option for Tunable Exceptions.

  2. Click Tunable Exceptions.

    The exceptions modal appears.

  3. Review the suggested exceptions and decide whether to use them:

    • Compare the Existing Values with the Suggested Values.

    • Adjust the suggested values, if required.

      For example, if the suggestion shows contains: prod-app-1 but you wanted to apply the exception to all the clusters in production, you could edit it to say contains: prod.

    • Review the previously-applied exceptions, which are also displayed, to gain context for the decision.

    • Click View affected policies to see all the places the rule and exception would be used.

  4. Click Apply, or:

    • If you do not want to manage Exceptions with Sysdig, you can view the Exception as Terraform, copy the snippet, and paste it in your Terraform file.

      YAML snippets are also available.

You can also use tunable exceptions in the events tab. For more information see, Events Feed Tunable Exceptions.

Group by User | Rule

Group the Summary by User > Rule to detect outlier behavior.

Expand the user entry to view details and click the arrow to switch to the event feed for that user, with events listed in reverse chronological order.

Cloud Activity Summary Panel

For AWS Cloud Activity, click View in Console for a link to view the data in the AWS Console

Team-Based Views and Sharing

When sharing activities across teams, note:

  • Your team and user role influence what activities you have access to.

  • The page URL persists search and filter items, and can be shared with team members with the same level of permissions.

​ See User and TeamAdministration for more detail.