Workload ML Policy
Key Features
- Machine learning collects low-level activities from your infrastructure, aggregating them over time and applying algorithms.
- With machine learning policies, you can configure the detections you want to use and their thresholds.
- Machine learning detection algorithms estimate the probability that those activities are related to the detection subjects, i.e. miners. The Sysdig Workload ML detections don’t rely on mere program names or executable checksums matching. Instead, they are based on runtime behaviors.
Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.
Configure Workload ML Custom Policy
To configure a Workload ML Custom Policy in the Sysdig Secure UI:
Select Policies > Threat Detection > Runtime Policies to display the Runtime Policies page.
Click +Add Policy (at the top right of the page).
Select the Workload ML policy type.
Configure the policy by specifying the basic parameters:
Basic Parameters
Name: Enter a policy name
Description: Provide a meaningful and searchable description
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the appropriate severity level as you would like to see it in the Runtime Policies UI: High, Medium, Low, Info
Policy severity is subjective and is used to group policies within a Sysdig Secure instance.
Note: There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.
If you enter a value here, then a
View Runbook
option will be displayed in any corresponding Event.Detect
You can choose what type of Machine Learning-based detections you want enable in your policy. We support only
Crypto Mining Detection
at this time.Crypto Mining Detection: The supported detection type
Confidence Level Enablement: Fine-tune the policy to choose at which certainty level the detection should trigger an event.
Severity defined at detection level, so that you can have a different severity for each detection type.
Actions
Notify: Select a notification channel from the drop-down list for sending notification of events to appropriate personnel.
See also: Set Up Notification Channels.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.