Automations (Tech Preview)

The Sysdig Risk Automations module helps reduce noise by allowing you to fine-tune triggers and logic flows to focus only on the risks that matter to you. You can set up automated actions, such as sending notifications via email, Slack, or webhooks.

This feature is available in technical preview.

Prerequisites

Understand the terminology:

Automation: A workflow that is automatically triggered when an event matches the criteria defined by the user.
Event: An atomic entity generated by the platform, such as the discovery or update of a risk.
Actions: Generic steps performed within an automation. Each action leads to one or more outcomes: true, false, successful, or error. Note that not all actions support all outcome types.
Condition Action: An action used to filter or branch attributes based on specific criteria, resulting in either a true or false outcome.
Notification Actions: Actions used to send alerts to supported notification channels. You can append additional actions to these notifications. Subsequent actions are executed only after the notification action runs successfully.
Trigger: An event listener that activates when all criteria of a filter are met. Once triggered, the automation executes the subsequent set of actions. You can define optional filters to reduce unnecessary automation runs. Each automation listens for only one event at a time; however, a single event can trigger multiple automations. For optimal performance, triggers should use the broadest filters necessary to complete the task efficiently. For example:
- Send a Slack message for all critical risks by:
  1. Set the trigger filter to severity = critical.
  2. Add a single action to send the notification to Slack.
- Send a Slack message for all critical risks by:
  1. Leave the trigger filters empty.
  2. Add a condition action with severity = critical.
  3. Add a true action to send the notification to Slack.
  If there are 100 risk events, but only one is critical:
  - The first automation runs once and sends one Slack message.
  - The second automation runs 100 times but still sends only one Slack message.

Create an Automation

To create an Automation:

Log in to Sysdig Secure.
Select Policies > Automations from the left navigation bar.
The Automations page appears.
Select New Automation in the top right corner of the page.
Select a Trigger:
- Risks: Create an automation based on Risk events, such as elevated privileges or exposed containers.
  See Risk.
- Threats : Create an automation based on suspicious runtime behavior, such as unauthorized file access or network activity.

The Automations configuration page will open. Proceed to Configure a Risk Automation/

Configure a Risk Automation

You can build automations visually through logic chains of conditions and actions.

Set the first automation condition to Trigger on:

New: A new risk.
Update: A risk you’ve seen before, but has updated.

Choose one or more of the available Filters:

Severity: A severity, such as Critical, High, Medium or Low.
Zones: A default Zone, such as Entire Infrastructure or Entire Git, or a custom Zone.
See Zones.
Platform: Cloud platforms, such as GCP and Azure, or platforms such as Linux or containers.

Select the plus icon under a condition box to select an action. Actions include:

A further Condition.
A notification via Slack, Webhook, Email or PagerDuty.
You can link several actions to a single condition. Actions such as sending a notification will only occur if the “If” condition is met successfully.

Add additional conditions and actions until you have built a desired flow.
To create the new automation, select Save.

Delete an Automation

To delete an automation:

Log in to Sysdig Secure.
Select Policies > Automations from the left navigation bar.
The Automations page appears.
On the right side of an automation listing, select the three-dot menu icon.
Select Delete, and confirm Yes, delete.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.