Threat Management
Prerequisites
- Sysdig SaaS.
Access Threats
To access the Threats page:
Log in to Sysdig Secure.
Select Threats > Threats.
The Threats page appears.
Key Features
Context-Driven Correlation
Sysdig Threat Management intelligently correlates events based on shared context, such as Kubernetes workloads, cloud identities, or attack phases. This consolidation enables teams to quickly understand the scope and criticality of threats.
Sysdig Sage: AI-Powered Insights
Threat Management leverages Sysdig Sage™, a generative AI security analyst. It enriches threats with easy-to-understand summaries and high-fidelity context, providing situational awareness for faster decision-making.
To benefit from AI enrichment, enable Sysdig Sage.
Streamlined Workflows
Analysts can manage alerts more efficiently with inline management features like status changes, rule tuning, enhanced investigation, and response actions, all within a single interface.
Concepts
Signal Correlation
Sysdig groups related security signals based on:
- Entity Matching: Correlation by shared resources (containers, cloud users, hosts).
- Time Proximity: Signals occurring within a 15-minute observation window are grouped.
- Event Severity:
- High-severity detections always trigger a Threat, even from a single event.
- Multiple low or medium severity events within the observation window trigger a Threat.
- Informational events provide context but do not independently trigger Threats.
Grouping Behavior
The same behavior across multiple workloads is grouped together.
Recurring behavior within the same workload after an initial Threat will be appended to the existing group.
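The following is an added example, not Sysdig's own code: a small Python model of the correlation rules described above (entity matching, the 15-minute observation window, the severity thresholds, and the grouping of repeated and recurring behavior), run over constructed events so you can check offline what would and would not become a Threat. Two details are assumptions made for the model rather than documented behavior: a Threat is buffered per entity and takes all events in the window when it triggers, and threats are grouped by their exact set of rule names. The rule names and timestamps in the sample are constructed.

```python
"""Simplified model of the signal-correlation rules described above.

Added example, not Sysdig's implementation: it encodes the documented
rules (entity matching, a 15-minute observation window, severity
thresholds, and grouping of recurring or repeated behaviour) and runs
them over constructed events so the behaviour can be checked offline.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OBSERVATION_WINDOW = timedelta(minutes=15)  # time-proximity rule


@dataclass(frozen=True)
class Event:
    ts: datetime
    entity: str    # shared resource: a workload, host or cloud user
    rule: str      # the detection rule that fired (the "behaviour")
    severity: str  # "high", "medium", "low" or "info"


@dataclass
class Threat:
    entity: str
    events: list = field(default_factory=list)
    status: str = "open"  # every Threat starts Open, per the page

    @property
    def rules(self):
        """The behaviours that make up this Threat (info events excluded)."""
        return frozenset(e.rule for e in self.events if e.severity != "info")


def meets_severity_rule(events):
    """One high-severity event, or two or more low/medium events, is a
    Threat; informational events are context only and never count."""
    severities = [e.severity for e in events]
    if "high" in severities:
        return True
    return sum(s in ("low", "medium") for s in severities) >= 2


def correlate(events):
    """Return the Threats raised for a list of events (any order).

    Entity matching: events are buffered per entity (assumption: one
    buffer per entity). Time proximity: buffered events older than
    OBSERVATION_WINDOW relative to the newest one are dropped before the
    severity rule is evaluated. Recurring behaviour: once an entity has a
    Threat, a later event for a rule already in that Threat is appended to
    it, whatever the gap (assumption: no window applies to appends).
    """
    threats = {}                  # entity -> list[Threat]
    pending = defaultdict(list)   # entity -> sub-threshold events
    for ev in sorted(events, key=lambda e: e.ts):
        existing = next((t for t in threats.get(ev.entity, [])
                         if ev.rule in t.rules), None)
        if existing is not None:
            existing.events.append(ev)       # recurring behaviour
            continue
        window = [e for e in pending[ev.entity]
                  if ev.ts - e.ts <= OBSERVATION_WINDOW]
        window.append(ev)
        if meets_severity_rule(window):
            threats.setdefault(ev.entity, []).append(
                Threat(entity=ev.entity, events=window))
            pending[ev.entity] = []          # consumed by the new Threat
        else:
            pending[ev.entity] = window
    return [t for ts in threats.values() for t in ts]


def group_by_behaviour(threats):
    """The same behaviour across multiple workloads is grouped together
    (assumption: 'same behaviour' means an identical set of rule names)."""
    groups = defaultdict(list)
    for t in threats:
        groups[t.rules].append(t)
    return dict(groups)


# Constructed sample events (not real Sysdig output).
T0 = datetime(2025, 6, 1, 12, 0)
SAMPLE_EVENTS = [
    Event(T0, "web-1", "Terminal shell in container", "medium"),
    Event(T0 + timedelta(minutes=3), "web-1", "Read sensitive file untrusted", "low"),
    Event(T0 + timedelta(minutes=5), "web-2", "Terminal shell in container", "medium"),
    Event(T0 + timedelta(minutes=6), "web-2", "Read sensitive file untrusted", "low"),
    # same behaviour on web-1 again, well after the window: appended, not a new Threat
    Event(T0 + timedelta(minutes=40), "web-1", "Terminal shell in container", "medium"),
    # a single high-severity event is a Threat on its own
    Event(T0 + timedelta(hours=1), "db-1", "Drop and execute new binary in container", "high"),
    # info + one low event, then a medium event 19 minutes later: never reaches the threshold
    Event(T0 + timedelta(hours=2), "api-1", "Container started", "info"),
    Event(T0 + timedelta(hours=2, minutes=1), "api-1", "Read sensitive file untrusted", "low"),
    Event(T0 + timedelta(hours=2, minutes=20), "api-1", "Terminal shell in container", "medium"),
]


def run_sample():
    threats = correlate(SAMPLE_EVENTS)
    return threats, group_by_behaviour(threats)


if __name__ == "__main__":
    threats, groups = run_sample()
    for rules, members in groups.items():
        print(sorted(rules), "->", [(t.entity, len(t.events)) for t in members])
```

Running the sample yields three Threats (web-1 with three events, web-2 with two, db-1 with one) in two behaviour groups, and nothing for api-1, whose low and medium events fall more than 15 minutes apart. The api-1 case is the one to keep in mind when tuning: two sub-threshold events that straddle the window boundary never surface as a Threat, so the underlying events are only visible in the Events Feed.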
Threat Status
All Threats have a Status. The default status is Open, which remains until you manually change it to In Investigation, or to Archived with a reason. Use statuses to track threats; you can also filter by status to find particular threats.
To change the Status of a Threat:
Log in to Sysdig Secure.
Select Threats > Threats.
The Threats page appears.
Identify a group or individual threat whose status you want to change.
Select the three-dot icon on the right-hand side of a listing.
Select Change Status.
The Change Status modal appears.
From the New Status drop-down, choose from:
- Open
- In Investigation
- Archived
- If you select Archived, select a Reason from the drop-down:
- Resolved / Mitigated
- Escalated
- Expected Behavior
- False Positive
- Other
Select Change Status to save your changes.
Alternatively, you can change the status from the Threats Detail panel:
Log in to Sysdig Secure.
Select Threats > Threats.
Select a grouping.
Recorded threats appear.
Select a threat.
The Threats Detail panel appears.
From the Status drop-down, select:
- Open
- In Investigation
- Archived
- If you selected Archived, select a reason:
- Resolved / Mitigated
- Escalated
- Expected Behavior
- False Positive
- Other
Your changes are automatically saved.
Filter Threats
You can filter the Threats page in different ways to find specific threats. For example, you can filter to only see threats from a particular cloud environment and a particular cloud user.
You can filter by:
- Status
- Cluster in
- Workload in
- Cloud User in
- High Severity Only
Select + Add to add additional filters, such as:
- Cloud Provider
- Cloud User
- Cluster
- Namespace
- Source
- Workload
Select Reset to return to the default filter.
Threats Detail Panel
Select a threat to open the Threats Detail panel.
Threat names are generated by Sysdig Sage (when it is enabled): it reviews all the events and activity Sysdig has recorded for the threat and summarizes the behavior in plain English.
Select All Events to view the Events Feed, filtered to the scope of the selected threat.
Highlights
The panel opens on the Highlights tab. Here, you can get a quick overview of the threat.
Affected Resource Summary tells you where the threat was recorded. For example, in a certain cluster, namespace, workload or container.
Under Threats Summary, you can read a description of the behavior or activity Sysdig has flagged. This clarifies the impact of the activity and saves you from reviewing the individual events one by one.
The Highlights tab also presents metadata about the activity, including:
- User identity
- Container image and name
- Cloud environment
- Files and directory reads/writes
- Processes
Rules
In the Rules tab, you can see the detection rules whose events make up the threat.
Select the three-dot icon on a rule to:
- View Rule
- View Events
- Tune Rule: Open the exceptions editor, where you can see suggestions on how to tune the rule.
Events
In the Events tab, you can look at the individual events that were correlated into the threat.
Impacted Resources
In the Impacted Resources tab, you can see the resources the threat touched, such as the cluster, namespace, workload, container, or cloud user.
Activity Audit
In the Activity Audit tab, you can look at the Activity Audit scoped to the affected resource.
Select View All to go to the Activity Audit page and view activity before or after the time frame of the threat.
Processes
In the Processes tab, you can view the processes, and explore the Process Tree.
Graph Search
Threats are ingested into Sysdig’s graph database. You can leverage Search to correlate Threats with other Findings such as vulnerabilities or misconfigurations.
Example: List Open Threats in Kubernetes Cluster “my-cluster”
MATCH Threat GENERATED_BY KubeWorkload
WHERE Threat.status IN ['open'] AND KubeWorkload.clusterName IN ['my-cluster']
RETURN DISTINCT Threat, KubeWorkload
LIMIT 50;
Example: List ingress-NGINX Instances Vulnerable to IngressNightmare That Have Been Exploited
Exploitation is indicated by the Falco rule “Potential IngressNightmare Vulnerability Exploitation”. The query joins the vulnerability finding (CVE-2025-1974 on an exposed workload) with an open Threat that contains that rule, so it returns only workloads that are both vulnerable and show exploitation activity.
MATCH KubeWorkload AFFECTED_BY Vulnerability OVER Container, Image, ContainerImageV2
WHERE KubeWorkload.isExposed = true AND Vulnerability.name IN ['CVE-2025-1974']
MATCH KubeWorkload GENERATES Threat
WHERE Threat.status IN ['open'] AND Threat.rules IN ['Potential IngressNightmare Vulnerability Exploitation']
RETURN DISTINCT KubeWorkload, Vulnerability, Threat
LIMIT 50;