List Matching Policy

List Matching policies evaluate a simple matching or not matching filter for containers, files, network processes, and syscalls. You can edit them, duplicate to create a custom version, or create a new list matching policy from scratch.

Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.

Create a List Matching Policy

To create a List Matching policy:

  1. Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.

  2. Click Add Policy and select List Matching.

Configure a List Matching Policy

Basic Parameters

Name: Enter a policy name.

Description: Provide a meaningful and searchable description.

Enabled/Disabled: Toggle to enable the policy so that it generates events.

Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI: High, Medium, Low, Info

Policy severity is subjective and is used to group policies within a Sysdig Secure instance. There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.

Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.

If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.

Policy Rules

Add or edit policy rules as needed. You can choose to Import from Library or to create a New Rule. To learn more about rules, see Manage Threat Detection Rules.

Actions

Determine what should be done if a Policy is violated.

Kill Process

Toggle Kill Process on to have the policy automatically kill the process that triggered the event. This works for container events and hosts, and honors the agent flag to ignore actions at the agent.

Containers

Select what should happen to affected containers if the policy rules are breached:

  • No container action: Do not change the container behavior; send a notification according to Notification Channel settings.
  • Kill: Kill one or more running containers immediately.
  • Stop: Allow a graceful shutdown (10-seconds) before killing the container.
  • Pause: Suspend all processes in the specified containers.

For a detailed breakdown and use cases, see Container Actions.

The agent can be configured to prevent Kill, Pause or Stop actions regardless of the policy.

See Ignore Container Actions at the Agent Level.

Capture

Toggle Capture on if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.

As of June, 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate Serverless Agents Fargate serverless agents.

Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.

See also: Captures.

Notify

Select a notification channel from the drop-down list to send notifications of events to appropriate personnel.

See also: Set Up Notification Channels.

Container Actions

In Threat Detection Policies, Kill, Stop and Pause are different response actions, each with distinct impacts on workloads and use cases:

Kill: Killing the container immediately terminates it, removing it from the cluster. Kubernetes will typically attempt to restart the container based on its configuration. This can stop a malicious activity quickly, but can result in data loss (in stateful applications) and service disruption. It is the best choice for severe and urgent threats.

Stop: Stopping a container shuts down its processes and removes it from the scheduling pool, but unlike killing, it allows for a more graceful shutdown of services. Stopping a container might require manual intervention to bring it back online. It’s best for stateful applications.

Pause: Pausing a container suspends its execution, freezing its processes and preserving its runtime state. The container remains in the cluster but is temporarily halted. It’s ideal for forensic analysis and limiting disruption, but may result in higher resource consumption and prolonged risk due to lack of resolution.

Summary

ActionImpact on ContainerUse CaseDrawbacks
KillImmediate terminationHigh risk threat. Rapid mitigation.Loss of forensic data. Possible service disruption.
StopGraceful shutdownControlled threat removal. Preserving service dependencies.Residual risk. Manual restart of container needed.
PauseExecution halted, state preserved.Stealthy containment. Preserves data for analysis.Continued resource use. May prolong risk.

Search for Existing Policies

To review the existing Workload policies:

  1. Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.

  2. Filter for Managed Policy and List Matching.

  3. You can edit a managed policy, duplicate it to create a custom policy, or click + Add Policy, choose List Matching to configure it from scratch.