Sysdig Documentation

Policy Events

The Policy Events module lists every policy event that occurred within the infrastructure during a selected time window. It gives users an overview of the entire infrastructure, as well as the ability to drill down into specific components, identify false positives, and tune the policies that generate the events.

Navigate the Policy Events Module

List View

The list view provides a comprehensive list of all events within the selected grouping/timeline, in reverse chronological order (most recent first).

Note

If multiple events occur at the same time, they are collapsed into a single dot that shows the number of events.

This view presents events in reverse chronological order, with the most recent event listed at the top. The following information is displayed:

Name

Description

Severity

The severity of the event based on the policies triggered.

  • A yellow dot signifies a low-severity event.

  • An orange dot signifies a medium-severity event.

  • A red dot signifies a high-severity event.

Note

If using the Sysdig API to work with policy events, note the numeric value of each severity level: Low = 1, Medium = 2, High = 3.

Rule Type

The type of rule violated by the event. Each rule type is represented by a periodic table style identifier:

  • Pr: Processes

  • Co: Containers

  • Ne: Network

  • Fi: File System

  • Sy: Syscall

  • Fa: Falco

Policy List

The policy or policies triggered by the event(s). Each policy is listed in bold text.

Entity

The entity the event originated from. The entities will reflect the current Browse By menu selection, and any selected entry in the drill-down menu.

Note

If multiple entities are impacted, a notation will appear stating X entities involved, where X represents the number of impacted entities.

Action(s) taken

The action(s) taken in response to the event. Each action is represented by an icon:

  • A pause symbol indicates the container was paused. The container remains paused until a user executes a docker unpause operation.

  • A stop symbol indicates the container was stopped and did not resume operation.

  • A tape symbol indicates a capture was recorded for the event.

Event Details

Selecting an event opens the Policy Event Details panel, which displays a detailed summary of the event, the location where it occurred, and the policies that were violated.

The following information is displayed:

Name

Description

When

The date and time the event(s) occurred.

Related Resources

Additional information about the event, including:

  • The View Captures button opens the Captures tab, and provides access to the capture recorded for the event.

  • The View Commands button opens the Commands History tab, and provides access to the command(s) that triggered the event.

Severity

The severity of the event(s) based on the policies triggered.

  • A yellow bar signifies low-severity.

  • An orange bar signifies medium-severity.

  • A red bar signifies high-severity.

Note

If using the Sysdig API to work with policy events, note the numeric value of each severity level: Low = 1, Medium = 2, High = 3.

Triggered Policy

The policies that triggered the event(s). The link opens the Policies tab and expands the selected policy.

Note

The Add filter and Remove filter links next to each policy add that policy to, or remove it from, the search bar.

Triggered Rule Type

The type of rule violated by the event. Each rule type is represented by a periodic table style identifier:

  • Pr: Processes

  • Co: Containers

  • Ne: Network

  • Fi: File System

  • Sy: Syscall

  • Fa: Falco

Scope

The scope of the event within the infrastructure.

Note

The entities listed, and the order they appear, will vary based on the grouping selected in the Browse By menu. For more information, refer to the Browse the Infrastructure section of the Sysdig Secure documentation.

Host

The hostname and MAC address of the host where the event occurred.

Container

The ID, name, and image of the container where the event occurred.

Actions

The action(s) taken in response to the event(s). Each action is represented by an icon:

  • A pause symbol indicates the container(s) were paused. A paused container remains paused until a user executes a docker unpause operation.

  • A stop symbol indicates the container(s) were stopped and did not resume operation.

  • A tape symbol indicates a capture was recorded for the event.

Summary

Detailed information regarding the event.

Topology View

The topology view provides an overview of all events, broken down visually to show their network dependencies across the various hosts, containers, and services, based on the configured grouping/timeline:

Note

For more information on configuring groupings and time intervals, refer to the Filter Policy Events section.


Each node can be drilled down into to find the exact events requiring review: zoom in on the node and select the Expand (plus) icon in its top left corner.

Filter Policy Events

Groupings

Groupings are hierarchical organizations of labels, allowing users to organize their infrastructure views in a logical hierarchy. Users can switch between pre-configured groupings via the Browse By menu, or configure custom groupings, and then dive deeper into the infrastructure. For more information about groupings, refer to the Configure Groupings section of the Sysdig Secure documentation.

Time Navigation

The time window navigation bar provides users with quick links to common time windows, filtering the table to show only events that occurred within that window. For more information on time windows, refer to the Time Windows documentation.

Note

Sysdig Secure does not currently provide the functionality to configure a custom time window.

Search Filters

Search filters can be applied by using the search bar. The event counts alongside the groupings in the Browse By menu are updated to reflect the number of events that match the search criteria. For example, searching for "Write below rpm database" displays only events that triggered that rule.

Note

The topology view is not impacted by the search function.
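The following Python script is an added example, not Sysdig's own code or an API client: it reproduces, on a small constructed event list, the list-view behaviour described above (reverse chronological order, same-timestamp events collapsed into one dot with a count), the numeric severity values noted for the API (Low = 1, Medium = 2, High = 3), the fixed time windows, and the search filter with its per-grouping event counts. The event dictionaries and their field names (name, severity, rule_type, policies, host, container, actions, ts) are assumptions made for this example and are not the real API schema.

```python
"""Triage helpers for a list of Sysdig Secure policy events.

Added example, not Sysdig's code. The event records below are a constructed
stand-in for whatever the real API returns; only the severity numbers
(Low=1, Medium=2, High=3) come from the documentation.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Numeric severity values as documented for the Sysdig API.
SEVERITY_LABELS = {1: "Low", 2: "Medium", 3: "High"}

# Fixed reference time so the sample is reproducible (constructed).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample events; field names are assumptions, not the real schema.
SAMPLE_EVENTS = [
    {"name": "Write below rpm database", "severity": 3, "rule_type": "Fi",
     "policies": ["Filesystem Tampering"], "host": "node-a", "container": "web-1",
     "actions": ["capture"], "ts": NOW - timedelta(minutes=5)},
    {"name": "Terminal shell in container", "severity": 2, "rule_type": "Pr",
     "policies": ["Suspicious Shell Activity"], "host": "node-a", "container": "web-1",
     "actions": ["pause"], "ts": NOW - timedelta(minutes=5)},
    {"name": "Write below rpm database", "severity": 3, "rule_type": "Fi",
     "policies": ["Filesystem Tampering"], "host": "node-b", "container": "db-1",
     "actions": ["stop", "capture"], "ts": NOW - timedelta(hours=3)},
    {"name": "Unexpected outbound connection", "severity": 1, "rule_type": "Ne",
     "policies": ["Network Egress"], "host": "node-b", "container": "db-1",
     "actions": [], "ts": NOW - timedelta(minutes=1)},
]


def severity_label(value):
    """Translate the API's numeric severity into the label shown in the UI."""
    try:
        return SEVERITY_LABELS[int(value)]
    except (KeyError, ValueError, TypeError):
        raise ValueError(f"unknown severity value: {value!r}")


def in_window(events, window, now=NOW):
    """Keep only events inside a fixed time window such as '10m', '1h' or '1d'."""
    units = {"m": "minutes", "h": "hours", "d": "days"}
    amount, unit = int(window[:-1]), units[window[-1]]
    cutoff = now - timedelta(**{unit: amount})
    return [e for e in events if cutoff <= e["ts"] <= now]


def search(events, text):
    """Case-insensitive search over the event name and the triggered policies."""
    needle = text.lower()
    return [e for e in events
            if needle in e["name"].lower()
            or any(needle in p.lower() for p in e["policies"])]


def list_view(events):
    """Rows in reverse chronological order; events that share a timestamp are
    collapsed into one row carrying a count, as the UI's dot does."""
    by_ts = defaultdict(list)
    for e in events:
        by_ts[e["ts"]].append(e)
    rows = []
    for ts in sorted(by_ts, reverse=True):
        group = by_ts[ts]
        rows.append({
            "when": ts.isoformat(),
            "count": len(group),
            # The dot takes the colour of the most severe event it contains.
            "max_severity": severity_label(max(e["severity"] for e in group)),
            "names": sorted({e["name"] for e in group}),
        })
    return rows


def counts_by_group(events, key="host"):
    """Event count per grouping entity, as shown beside the Browse By entries."""
    return dict(Counter(e[key] for e in events))


if __name__ == "__main__":
    hits = search(in_window(SAMPLE_EVENTS, "6h"), "rpm database")
    for row in list_view(hits):
        print(row)
    print(counts_by_group(hits))
```

Running the script prints two rows for the "Write below rpm database" search (one per host) and the per-host counts {'node-a': 1, 'node-b': 1}; widening or narrowing the window argument changes which events survive before the search is applied, which is the same order of operations as the UI (time window first, then search).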