Automations

Automations let you create logic flows to detect and address the risks, vulnerabilities, or runtime events that need the most attention. They reduce noise and focus on the critical issues in your environment, with branching conditions that adjust the response to each event. Using automated actions, you can receive notifications when a critical event occurs.

Set up a filter to detect, for example, a new risk of critical severity in your team's zone. Then, if the resource type is an S3 bucket, notify one team via Slack; if the resource type is an IAM Role or IAM User, notify another team via Email.

Feature Availability

This feature is available in Technical Preview.

Prerequisites

To use Automations, you need:

  • Admin role permission or greater.

Guidelines

Understand the terminology:

  • Automation: A workflow that is automatically triggered when an event matches the criteria defined by the user.

  • Event: An atomic entity generated by the platform, such as the discovery or update of a risk.

  • Actions: Generic procedures performed within an automation. Each action leads to one or more outcomes: true, false, successful, or error. Note that not all actions support all outcome types.

  • Condition Action: An action to filter or branch attributes based on specific criteria, resulting in either a true or false outcome.

  • Notification Actions: The actions to send alerts to supported notification channels. You can append additional actions to these notifications. Subsequent actions are executed only after the notification action runs successfully.

  • Trigger: An event listener that activates when all criteria of a filter are met. Once triggered, the automation executes the subsequent set of actions. You can define optional filters to reduce unnecessary automation runs. Each automation listens for only one event at a time; however, a single event can trigger multiple automations. For optimal performance, triggers should use the broadest filters necessary to complete the task efficiently.

    For example:

    • Send a Slack message for all critical risks using a trigger filter:

      1. Set the trigger filter to severity = critical.
      2. Add a single action to send the notification to Slack.
    • Send a Slack message for all critical risks using a condition action:

      1. Leave the trigger filters empty.
      2. Add a condition action with severity = critical.
      3. Add a true action to send the notification to Slack.

      If there are 100 risk events, but only one is critical:

      • The first automation runs once and sends one Slack message.
      • The second automation runs 100 times but still sends only one Slack message.
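To make the difference between the two designs concrete, here is a small Python model of the trigger / condition / notification flow described in this section. It is an added example, not Sysdig code or an API: events, automation names and channel names are constructed, and the model replays the 100-event scenario above (counting runs and Slack messages for each design) and also shows the rule that actions chained after a notification run only when that notification succeeds.

```python
"""Toy model of the Automations trigger/condition/action flow (added example,
not Sysdig code). Event fields, automation names and channel names are
constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]
Filter = Dict[str, str]  # attribute -> required value; an empty filter matches every event


def matches(flt: Filter, event: Event) -> bool:
    """A filter (trigger or condition) holds only when all of its criteria are met."""
    return all(event.get(key) == value for key, value in flt.items())


@dataclass
class Action:
    kind: str                                      # "condition" or "notify"
    flt: Filter = field(default_factory=dict)      # criteria of a condition action
    channel: str = ""                              # target of a notify action
    on_true: List["Action"] = field(default_factory=list)
    on_false: List["Action"] = field(default_factory=list)
    on_success: List["Action"] = field(default_factory=list)  # chained after a notify succeeds


@dataclass
class Automation:
    name: str
    trigger_filter: Filter
    actions: List[Action]
    runs: int = 0                                  # how often the trigger fired
    sent: List[str] = field(default_factory=list)  # "channel:event id" per delivery


def run_actions(auto: Automation, actions: List[Action], event: Event,
                send: Callable[[str, Event], bool]) -> None:
    """Walk one branch of the flow; a notification's outcome gates the actions chained after it."""
    for action in actions:
        if action.kind == "condition":
            branch = action.on_true if matches(action.flt, event) else action.on_false
            run_actions(auto, branch, event, send)
        elif action.kind == "notify":
            if send(action.channel, event):          # "successful" outcome
                auto.sent.append(f"{action.channel}:{event['id']}")
                run_actions(auto, action.on_success, event, send)
            # "error" outcome: nothing chained after the notification runs


def dispatch(automations: List[Automation], events: List[Event],
             send: Callable[[str, Event], bool] = lambda channel, event: True) -> None:
    """Every event is offered to every automation; only a matching trigger starts a run."""
    for event in events:
        for auto in automations:
            if matches(auto.trigger_filter, event):
                auto.runs += 1
                run_actions(auto, auto.actions, event, send)


def guideline_scenario() -> Dict[str, tuple]:
    """100 risk events, one critical: compare the trigger-filter and condition-action designs."""
    events = [{"id": f"risk-{i}", "severity": "critical" if i == 0 else "low"}
              for i in range(100)]
    by_trigger = Automation("trigger-filter", {"severity": "critical"},
                            [Action("notify", channel="slack")])
    by_condition = Automation("condition-action", {},
                              [Action("condition", flt={"severity": "critical"},
                                      on_true=[Action("notify", channel="slack")])])
    dispatch([by_trigger, by_condition], events)
    return {auto.name: (auto.runs, len(auto.sent)) for auto in (by_trigger, by_condition)}


def chained_scenario(slack_ok: bool) -> List[str]:
    """An email chained after a Slack notification is sent only if Slack succeeded."""
    flow = Automation("chained", {},
                      [Action("notify", channel="slack",
                              on_success=[Action("notify", channel="email")])])
    dispatch([flow], [{"id": "risk-1", "severity": "critical"}],
             send=lambda channel, event: slack_ok or channel != "slack")
    return flow.sent


if __name__ == "__main__":
    print(guideline_scenario())    # {'trigger-filter': (1, 1), 'condition-action': (100, 1)}
    print(chained_scenario(True))  # ['slack:risk-1', 'email:risk-1']
    print(chained_scenario(False)) # []
```

Both designs deliver exactly one Slack message, but the condition-action design starts 100 runs to do it; the trigger filter rejects 99 events before any action executes, which is the efficiency point this section makes.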

Risk Automations

Create a Risk Automation

To create an alert based on a risk or risk update:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. Select New Automation > Risks.

  4. Select a Trigger:

    • Risks: Create an automation based on Risk events, such as elevated privileges or exposed containers. See Risk.

    • Risks Updates: Create an automation when a new resource is added to a risk.

      For example,

The Automations configuration page will open. Proceed to Configure an Automation.

Configure a Risk Automation

You can build automations visually through logic chains of conditions and actions.

  1. Set the first automation condition to Trigger on:

    • New Risks: A newly reported risk.

    • Risk Updates: A risk that was seen before but has since been updated.

      For more information, see Example Automation Flow.

  2. Choose one or more of the available Filters:

    • Severity: A severity, such as Critical, High, Medium or Low.

    • Zones: A default Zone, such as Entire Infrastructure or Entire Git, or a custom Zone.

      See Zones.

    • Platform: Cloud platforms, such as GCP and Azure, or platforms such as Linux or containers.

    • Resource Type: Workload resource, such as Kubernetes Deployment, Kubernetes DaemonSet, Compute Instance, AWS IAM Role, or AWS S3 Bucket.

  3. Select the plus icon under a condition box to select an action.

    Actions include:

    • An additional Condition.

    • A notification via Slack, MS Teams, Webhook, Email or PagerDuty.

      You can link several actions to a single condition. Actions such as sending a notification will only occur if the “If” condition is met successfully.

  4. Add additional conditions and actions until you have built a desired flow.

  5. To create the new automation, select Save.

Delete a Risk Automation

To delete an automation:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. On the right side of an automation listing, select the three-dot menu icon.

  4. Select Delete, and confirm Yes, delete.

Example: Notify Risk Updates to AWS Resources

Consider you have set up the following automation flow:

  • Trigger on: Risks Updates
  • Filters: Resource Type in S3 Bucket, EC2 Instance, IAM User, IAM Role

At 12:00 AM, the user environment has no reported Risks.

At 12:01 AM, a new risk is detected:

  • Risk: Workload with critical vulnerabilities exposed to the internet
  • Affected Resources:
    • S3 Bucket
    • EC2 Instance

The user receives one alert for this new risk, listing all affected resources.

At 12:02 AM, the same risk persists, but two additional resources are affected:

  • S3 Bucket
  • EC2 Instance
  • IAM User
  • IAM Role

The user receives two separate alerts for the risk updates:

  • One alert for IAM User
  • One alert for IAM Role

Since S3 Bucket and EC2 Instance were already included in the initial alert, they do not trigger new alerts.
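The de-duplication rule in this example can be written down as a small state machine: per risk, remember which in-scope resources have already been alerted on, and on an update alert only for the newly added ones. The following Python model is an added example, not Sysdig code; it assumes exactly the behaviour the timeline above describes (one alert listing all in-scope resources for a new risk, one alert per newly added resource on an update), and the risk name, resource names and the extra 12:03 observation with a resource type outside the filter are constructed.

```python
"""Toy model of the Risks Updates alerting above (added example, not Sysdig code).
It assumes the rule the example describes: a newly reported risk produces one alert
listing its affected resources, and later updates produce one alert per resource
that was not already alerted on. Resource names are constructed."""
from typing import Dict, List, Set, Tuple

Resource = Tuple[str, str]  # (resource type, resource name)


class RiskUpdateAutomation:
    """Tracks, per risk, which in-scope resources have already been alerted on."""

    def __init__(self, resource_types: List[str]) -> None:
        self.resource_types = set(resource_types)      # the Resource Type filter
        self.alerted: Dict[str, Set[Resource]] = {}

    def observe(self, risk: str, affected: List[Resource]) -> List[str]:
        """Process one observation of a risk and return the alerts it produces."""
        in_scope = [r for r in affected if r[0] in self.resource_types]
        if risk not in self.alerted:
            # New risk: a single alert listing every affected resource in scope.
            self.alerted[risk] = set(in_scope)
            if not in_scope:
                return []   # no matching resource type, so the filter suppresses the alert
            listing = ", ".join(f"{rtype} {name}" for rtype, name in in_scope)
            return [f"NEW RISK {risk}: {listing}"]
        # Known risk: only resources added since the last alert are reported, one alert each.
        added = [r for r in in_scope if r not in self.alerted[risk]]
        self.alerted[risk].update(added)
        return [f"RISK UPDATE {risk}: {rtype} {name}" for rtype, name in added]


def aws_update_scenario() -> List[List[str]]:
    """Replay the 12:00 / 12:01 / 12:02 timeline from the example, plus one extra tick."""
    auto = RiskUpdateAutomation(["S3 Bucket", "EC2 Instance", "IAM User", "IAM Role"])
    risk = "Workload with critical vulnerabilities exposed to the internet"
    timeline: List[List[str]] = []
    # 12:00 no risks reported: nothing observed, nothing sent
    timeline.append([])
    # 12:01 new risk with two affected resources -> one alert listing both
    timeline.append(auto.observe(risk, [("S3 Bucket", "app-logs"), ("EC2 Instance", "i-web-1")]))
    # 12:02 same risk, two more resources -> one alert each for the new ones only
    timeline.append(auto.observe(risk, [("S3 Bucket", "app-logs"), ("EC2 Instance", "i-web-1"),
                                        ("IAM User", "deploy-bot"), ("IAM Role", "WebAppRole")]))
    # 12:03 (constructed) same risk plus a resource type outside the filter -> no alert
    timeline.append(auto.observe(risk, [("S3 Bucket", "app-logs"), ("EC2 Instance", "i-web-1"),
                                        ("IAM User", "deploy-bot"), ("IAM Role", "WebAppRole"),
                                        ("Kubernetes Deployment", "frontend")]))
    return timeline


if __name__ == "__main__":
    for minute, alerts in enumerate(aws_update_scenario()):
        print(f"12:0{minute} AM -> {len(alerts)} alert(s)")
        for line in alerts:
            print("   ", line)
```

The 12:03 tick goes beyond the page's timeline to show the other half of the rule: a resource whose type is not in the filter never produces an alert, even though the risk itself is in scope.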

Automation for Vulnerability Findings

Create a VM Automation

To create an alert to notify you of a vulnerability issue:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations.

    The Automations page appears.

  3. Select New Automation > Vulnerabilities.

The New Vulnerability Findings configuration panel appears. Proceed to Configure an Automation.

Configure a VM Automation

You can build automations visually through logic chains of conditions and actions.

  1. On the New Vulnerability Findings panel, select one or more of the available Filters:

    • Severity: A severity, such as Critical, High, Medium or Low.

    • EPSS Score: Choose between a score of 10% and 100%.

    • CISA KEV: Select Yes or No.

    • Has Exploit: Select Yes or No.

    • Has Fix: Select Yes or No.

    • Source: Select one of the following:

      • Kubernetes Runtime
      • Host Runtime
    • Zones: A default Zone, such as Entire Infrastructure or Entire Git, or a custom Zone.

      See Zones.

  2. Select Done.

  3. Select the plus icon under a condition box to select an action.

    Actions include:

    • An additional Condition.

    • A notification via Slack, MS Teams, Webhook, Email or PagerDuty.

    • A Tickets integration you have set up, such as Jira. To set up a Jira integration, see Jira Ticketing. When you select the action, you must select the integration and the issue type. Optionally, you can select the assignee, along with a number of additional fields, allowing assignment and organisation based on your existing workflows.

      You can link several actions to a single condition. Actions such as sending a notification will only occur if the “If” condition is met successfully.

  4. Add additional conditions and actions until you have built a desired flow.

  5. To complete creating the new automation, click Save.

Example: Notify Critical Vulnerabilities with Exploits in a Zone

Consider you want to be alerted on critical vulnerabilities with exploits.

  1. Click New Automations and Select a Trigger for Vulnerabilities.

  2. From Filters select:

    • Severity in Critical

    • Has Exploit = Yes

  3. Specify the condition:

    1. Select the Zone and click Done.
    2. Click TRUE.
  4. Select the Notification channel you prefer.

    When a critical vulnerability with an exploit occurs in the selected zone, you are notified on the selected channel.

Delete a VM Automation

To delete an automation:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations from the left navigation bar.

    The Automations page appears.

  3. On the right side of an automation listing, select the three-dot menu icon.

  4. Select Delete, and confirm Yes, delete.

Automation for VM Accepted Risk

You can create an automation to trigger when Accepted Risks for vulnerabilities are created, updated, or deleted.

Create an Automation for VM Accepted Risk

To create a Vulnerabilities Accepted Risks automation:

  1. Log in to Sysdig Secure as an Admin.

  2. Navigate to Policies > Automations.

    The Automations page appears.

  3. Select New Automation > Vulnerabilities Accepted Risk.

    The configuration panel appears.

Proceed to Configure a Vulnerabilities Accepted Risk Automation.

Configure a Vulnerabilities Accepted Risk Automation

You can build automations visually through logic chains of conditions and actions from the configuration panel:

  1. Set the first automation condition to Trigger on:

    • Event-based triggers such as Risk Acceptance Created, Updated, Deleted or Expired, which fire when a risk acceptance changes. Such changes are typically user-driven.

    • Risk Acceptance Expiring: Calculates the number of days until a risk acceptance expires. Use this to be alerted 7, 30, 60, or 90 days before a risk acceptance expires.

  2. Choose one or more of the available Filters:

    • Expires in: The number of days, as defined by the user, until the accepted risk expires.

    • Days before expiration: Relative number of days before the risk acceptance will expire. Only available for the Risk Acceptance Expiring trigger.

    • Created By: The user who created the accepted risk.

    • Updated By: The user who updated the accepted risk. Only available for the Risk Acceptance Updated trigger.

    • Reason: The reason selected by the user for performing the risk action. This includes custom reasons.

  3. Select Done.

  4. Select the + icon under a condition box to Select an Action. Actions include:

    • Condition: An additional condition.

    • Notifications via Slack, MS Teams, Webhook, Email or PagerDuty to notification channels you have created.

      You can link several actions to a single condition. Actions, such as sending a notification, only occur when the If condition is met.

  5. Add additional conditions and actions until you have built a desired flow.

  6. Select whether to Enable the automation or not, and select Save.

You cannot save an automation if the configuration is incomplete. For example, if a Send Slack Message action has not been linked to a notification channel.

Example: Alert Before a Risk Expires

As an example, imagine you want to be alerted whenever a risk is set to expire in 7 days. To set this up from the Automations page:

  1. Click New Automation > Vulnerabilities Accepted Risks.

  2. For Trigger on, select Risk Acceptance Expiring from the drop-down.

  3. From Filters select:

    • Days before expiration = 5.

      You can input the number as free text.

  4. Select Done.

  5. Select the + icon under the condition box.

    The Select an Action modal appears.

  6. Select the Notification channel you prefer.

  7. Ensure the automation is Enabled, and click Save.

Five days before the accepted risk expires, the notification channel you selected will get an alert.

Runtime Events Automation

You can create an automation to trigger when a runtime policy event finds a new threat.

Create a Runtime Events Automation

To create a Runtime Event Automation:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations.

    The Automations page appears.

  3. Select New Automation > Runtime Events.

The configuration panel appears.

Proceed to Configure a Runtime Events Automation.

Configure a Runtime Events Automation

You can build automations visually through logic chains of conditions and actions. To configure a Runtime Events Automation:

  1. From the configuration panel, select at least a Severity of Policy filter.

  2. Optionally, you can add other filters, such as:

    • Event Source, such as Syscall, K8s Audit and more
    • Rule Name
    • Zones
    • Labels available from agent tags, Kubernetes labels and more

  3. Select Done.

  4. Select the + icon under the condition box to Select an Action, such as:

    • An additional Condition.

    • Notifications via Slack, MS Teams, Webhook, Email or PagerDuty to notification channels you have created.

      You can link several actions to a single condition. Actions such as sending a notification will only occur when the If condition is met.

  5. Add additional Conditions and Actions until you have built a desired flow.

  6. Ensure the automation is Enabled and select Save.

Example: Alert for all High Severity Events in a Zone. Alert by Slack if there are Specific Labels.

As an example of a Runtime Event Automation, imagine you want to be alerted via email about all high severity events in your Prod Zone. Additionally, if the agent tag critical = true is detected in that zone, you want to receive a Slack notification. To set this automation up:

  1. Log in to Sysdig Secure as an Admin.

  2. Select Policies > Automations.

    The Automations page appears.

  3. Select New Automation > Runtime Events.

    The configuration panel appears.

  4. From Filters select:

    • Severity in High.

    • Zones in Prod.

  5. Select Done.

  6. Select the + icon under the condition box.

    The Select an Action modal appears.

  7. Under Notifications, select Email.

  8. From the Notification channel, select the email notification channel of your security team.

  9. Select Done.

  10. Under the original condition box, select the + icon.

  11. Select Condition.

    The If panel appears.

  12. From the Select Filter drop-down, add:

    • agent.tag.critical in true

  13. Select Done.

  14. Under the agent.tag.critical in true condition box, select the TRUE + icon.

    The Select an Action modal appears.

  15. Select Slack, and choose your Slack notification channel from the drop-down.

  16. Click Done.

  17. Ensure the automation is Enabled and select Save.

This automation results in two alerts for a high severity event in Prod that carries the label agent.tag.critical = true: one to Slack and one by email. High severity events in Prod without that label produce only the email.