Automations (Tech Preview)

The Automations module enables you create logic flows to detect and address risks, vulnerabilities, or runtime events that need the most attention. It reduces noise and focuses on critical issues in your environment, with branching conditions to adjust responses based on events. Using automated actions, you can receive notifications when a critical event occurs.

Set up a filter to detect, for example, a new risk of critical severity in your team zone. Next, if the resource type is in an S3 bucket, you can notify a certain team via Slack. Alternatively, if the resource type is an IAM Role or IAM User, you can notify another team via Email.

Feature Availability

This feature is available in Technical Preview.

Guidelines

Understand the terminology:

  • Automation: A workflow that is automatically triggered when an event matches the criteria defined by the user.

  • Event: An atomic entity generated by the platform, such as the discovery or update of a risk.

  • Actions: Generic procedures performed within an automation. Each action leads to one or more outcomes: true, false, successful, or error. Note that not all actions support all outcome types.

  • Condition Action: An action to filter or branch attributes based on specific criteria, resulting in either a true or false outcome.

  • Notification Actions: The actions to send alerts to supported notification channels. You can append additional actions to these notifications. Subsequent actions are executed only after the notification action runs successfully.

  • Trigger: An event listener that activates when all criteria of a filter are met. Once triggered, the automation executes the subsequent set of actions. You can define optional filters to reduce unnecessary automation runs. Each automation listens for only one event at a time; however, a single event can trigger multiple automations. For optimal performance, triggers should use the broadest filters necessary to complete the task efficiently.

    For example:

    • Send a Slack message for all critical risks by:

      1. Set the trigger filter to severity = critical.
      2. Add a single action to send the notification to Slack.

    • Send a Slack message for all critical risks by:

      1. Leave the trigger filters empty.
      2. Add a condition action with severity = critical.
      3. Add a true action to send the notification to Slack.

      If there are 100 risk events, but only one is critical:

      • The first automation runs once and sends one Slack message.
      • The second automation runs 100 times but still sends only one Slack message.

Create an Alert with Risks Automations

Create a Risk Automation

To create an alert based on a risk or risk update:

  1. Log in to Sysdig Secure.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. Select New Automation > Risks.

  4. Select a Trigger:

    • Risks: Create an automation based on Risk events, such as elevated privileges or exposed containers. See Risk.

    • Risks Updates: Create an automation when a new resource is added to a risk.

      For example,

The Automations configuration page will open. Proceed to Configure an Automation.

Configure a Risk Automation

You can build automations visually through logic chains of conditions and actions.

  1. Set the first automation condition to Trigger on:

    • New Risks: A new risk that is reported.

    • Risk Updates: A risk you’ve seen before, but has updated.

      For more information, see Example Automation Flow.

  2. Choose one or more of the available Filters:

    • Severity: A severity, such as Critical, High, Medium or Low.

    • Zones: A default Zone, such as Entire Infrastructure or Entire Git, or a custom Zone.

      See Zones.

    • Platform: Cloud platforms, such as GCP and Azure, or platforms such as Linux or containers.

    • Resource Type: Workload resource, such as Kubernetes Deployment, Kubernetes DaemonSet, Compute Instance, AWS IAM Role, or AWS S3 Bucket.

  3. Select the plus icon under a condition box to select an action.

    Actions include:

    • An additional Condition.

    • A notification via Slack, MS Teams, Webhook, Email or PagerDuty.

      You can link several actions to a single condition. Actions such as sending a notification will only occur if the “If” condition is met successfully.

  4. Add additional conditions and actions until you have built a desired flow.

  5. To create the new automation, select Save.

Delete a Risk Automation

To delete an automation:

  1. Log in to Sysdig Secure.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. On the right side of an automation listing, select the three-dot menu icon.

  4. Select Delete, and confirm Yes, delete.

Example: Notify Risk Updates to AWS Resources

Consider you have set up the following automation flow:

  • Trigger on: Risks Updates
  • Filters: Resource Type in S3 Bucket, EC2 Instance, IAM User, IAM Role

At 12:00 AM, the user environment has no reported Risks.

At 12:01 AM, a new risk is detected: Risk: Workload with critical vulnerabilities exposed to the internet Affected Resources:

  • S3 Bucket
  • EC2 Instance

The user receives one alert for this new risk, listing all affected resources.

At 12:02 AM, the same risk persists, but two additional resources are affected:

  • S3 Bucket
  • EC2 Instance
  • IAM User
  • IAM Role

The user receives two separate alerts for the risk updates:

  • One alert for IAM User
  • One alert for IAM Role

Since S3 Bucket and EC2 Instance were already included in the initial alert, they do not trigger new alerts.

Create a VM Alert with VM Automations

Create a VM Automation

To create an alert to notify you of a vulnerability issue:

  1. Log in to Sysdig Secure.

  2. Select Policies > Automations.

    The Automations page appears.

  3. Select New Automation > Vulnerabilities.

​ The New Vulnerabilities configuration page will open. Proceed to Configure an Automation.

Configure a VM Automation

You can build automations visually through logic chains of conditions and actions.

  1. On the New Vulnerabilities page, select one or more of the available Filters:

    • Severity: A severity, such as Critical, High, Medium or Low.

    • EPSS Score: Choose between a score of 10% and 100%.

    • CISA KEV: Select Yes or No.

    • Has Exploit: Select Yes or No.

    • Has Fix: Select Yes or No.

    • Source: Select one of the following:

      • Kubernetes Runtime
      • Host Runtime

    • Zones: A default Zone, such as Entire Infrastructure or Entire Git, or a custom Zone.

      See Zones.

  2. Select the plus icon under a condition box to select an action.

    Actions include:

    • An additional Condition.

    • A notification via Slack, MS Teams, Webhook, Email or PagerDuty.

      You can link several actions to a single condition. Actions such as sending a notification will only occur if the “If” condition is met successfully.

  3. Add additional conditions and actions until you have built a desired flow.

  4. To complete creating the new automation, click Save.

Example: Notify Critical Vulnerabilities with Exploits in a Zone

Consider you want to be alerted on critical vulnerabilities with exploits.

  1. Click New Automations and Select a Trigger for Vulnerabilities.

  2. From Filters select:

    • Severity in Critical

    • Has Exploit = Yes

  3. Specify the condition:

    1. Select the Zone and click Done.
    2. Click TRUE.

  4. Select the Notification channel you prefer.

    When a crititical vulnerability with exploits occur in the selected zone, you will be notified on the selected channel.

Delete a VM Automation

To delete an automation:

  1. Log in to Sysdig Secure.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. On the right side of an automation listing, select the three-dot menu icon.

  4. Select Delete, and confirm Yes, delete.