AWS ML Policy
Key Features
This policy:
- Extends machine learning to AWS cloud accounts to monitor whether AWS console logins follow irregular patterns and notifies users about suspicious activity.
- Quickly detects AWS log-ons from odd locations or different areas of the globe, as well as from unexpected browsers or OSes.
- Enables advanced machine learning detection capabilities based on CloudTrail logs.
Allows users to understand why an event is considered anomalous compared to the expected behavior. Specifically, the policy provides the following info:
- Description: What the anomaly is about
- Influential Factors: The variables contributing most to the anomaly
- Confidence Level: A probability measure of detection accuracy
The AWS ML policy is available by default in the main policies menu for all Sysdig Secure SaaS users.
Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.
Configure AWS ML Custom Policy
In the Sysdig Secure UI:
Select Policies > Threat Detection > Runtime Policies to display the Runtime Policies page.
Click +Add Policy (at the top right of the page).
Select AWS ML policy type.
Configure the policy:
Basic Parameters
Name: Enter a policy name.
Description: Provide a meaningful and searchable description or keep the default one.
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the severity level to display for the policy in the Runtime Policies UI: High, Medium, Low, or Info.
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
Detect
Anomalous Console Login: Toggle on or off and select the confidence level at which the policy should be triggered: Default, Higher, or Highest.
- Default: This is the value at which the model is tested by Sysdig’s Threat Research Team.
- Higher and Highest: The higher the value chosen, the lower the chance of false positives, but the higher the chance of false negatives (i.e. missed anomalous behaviors).
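As an added illustration (not Sysdig's model or code), the toy scorer below shows how a new console login can be scored against a user's previous CloudTrail ConsoleLogin records, how the three outputs described above (description, influential factors, confidence) arise, and how raising the confidence level trades false positives for false negatives. The threshold values, the GeoIP table, the feature choice and the sample records are all assumptions constructed for the example.

```python
# Toy scorer for CloudTrail ConsoleLogin records: not Sysdig's model; the
# features, smoothing and threshold values below are assumptions for illustration.
THRESHOLDS = {"Default": 0.60, "Higher": 0.80, "Highest": 0.95}  # assumed values
GEOIP = {"203.0.113.10": "US", "198.51.100.7": "BR"}  # constructed GeoIP table
BROWSERS = ["Edg/", "Chrome/", "Firefox/", "Safari/"]  # Edge before Chrome before Safari
OSES = ["Windows", "Mac OS X", "Android", "Linux", "iPhone"]

def features(event):
    """Reduce one ConsoleLogin record to the categorical features we model."""
    ua = event.get("userAgent", "")
    return {"country": GEOIP.get(event.get("sourceIPAddress"), "unknown"),
            "browser": next((b.rstrip("/") for b in BROWSERS if b in ua), "other"),
            "os": next((o for o in OSES if o in ua), "other")}

def score(history, event):
    """Return (confidence, influential_factors) for one new login.

    p_f = (times this user showed the observed value of feature f + 1) / (n + 2)
    is the smoothed per-feature probability; confidence = 1 - product of p_f.
    """
    n = len(history)
    obs = features(event)
    probs = {f: (sum(1 for h in history if h[f] == v) + 1) / (n + 2)
             for f, v in obs.items()}
    joint = 1.0
    for p in probs.values():
        joint *= p
    # Influential factors: the rare features for this user, rarest first.
    rare = sorted((f for f, p in probs.items() if p < 0.5), key=probs.get)
    return 1.0 - joint, [f"{f}={obs[f]}" for f in rare]

def evaluate(history, event, level="Default"):
    """Apply the chosen confidence level; return event details like those the
    policy reports (description, influential factors, confidence) or None."""
    conf, factors = score([features(h) for h in history], event)
    if conf < THRESHOLDS[level]:
        return None
    user = event["userIdentity"]["userName"]
    return {"description": f"Anomalous AWS console login for {user}",
            "influential_factors": factors, "confidence": round(conf, 3)}

# Constructed sample data: nine prior logins by alice from the same place and
# device, then one login from the same place on a new OS.
MAC_CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/120.0 Safari/537.36"
HISTORY = [{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
            "sourceIPAddress": "203.0.113.10", "userAgent": MAC_CHROME}] * 9
NEW_OS = {"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
          "sourceIPAddress": "203.0.113.10",
          "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36"}
```

With this data, `evaluate(HISTORY, NEW_OS, "Higher")` fires with `os=Linux` as the only influential factor, while `evaluate(HISTORY, NEW_OS, "Highest")` returns None: the stricter level suppresses the weaker signal at the cost of possibly missing a real anomaly.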
Actions
Notify: Select a notification channel from the drop-down list for sending notifications of events to appropriate personnel.
See also: Set Up Notification Channels.