Workload Policy
Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.
Create a Workload Policy
To create a Workload policy:
Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.
Click Add Policy and select Workload.
Configure a Workload Policy
Basic Parameters
Name: Enter a policy name.
Description: Provide a meaningful and searchable description.
Enabled/Disabled: Toggle to enable the policy so that it generates events.
Severity: Choose the severity level you want displayed for the policy in the Runtime Policies UI: High, Medium, Low, or Info.
Policy severity is subjective and is used to group policies within a Sysdig Secure instance. There is no inheritance between the underlying rule priorities and the severity you assign to the policy.
Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.
Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link
If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.
Policy Rules
Add or edit policy rules as needed. You can choose to Import from Library or to create a New Rule. To learn more about rules, see Manage Threat Detection Rules.
Actions
Determine what should be done if a Policy is violated.
Kill Process
Toggle Kill Process on to have the policy automatically kill the process that triggered the event. This works for both container and host events, and honors the agent flag that tells the agent to ignore actions.
Containers
Select what should happen to affected containers if the policy rules are breached:
- Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.
- Kill: Kills one or more running containers immediately.
- Stop: Allows a graceful shutdown (10 seconds) before killing the container.
- Pause: Suspends all processes in the specified containers.
For a detailed breakdown and use cases, see Container Actions.
The agent can be configured to prevent Kill, Pause and Stop actions, regardless of the policy.
Capture
Toggle Capture on if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.
As of June 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate serverless agents.
Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.
See also: Captures.
Notify
Select a notification channel from the drop-down list to send notifications of events to appropriate personnel.
See also: Set Up Notification Channels.
Container Actions
In Threat Detection Policies, Kill, Stop and Pause are different response actions, each with distinct impacts on workloads and use cases:
Kill: Killing the container immediately terminates it, removing it from the cluster. Kubernetes will typically attempt to restart the container based on its configuration. This can stop a malicious activity quickly, but can result in data loss (in stateful applications) and service disruption. It is the best choice for severe and urgent threats.
Stop: Stopping a container shuts down its processes and removes it from the scheduling pool, but unlike killing, it allows for a more graceful shutdown of services. Stopping a container might require manual intervention to bring it back online. It’s the best choice for stateful applications.
Pause: Pausing a container suspends its execution, freezing its processes and preserving its runtime state. The container remains in the cluster but is temporarily halted. It is ideal for forensic analysis and limiting disruption, but may result in higher resource consumption and prolonged risk due to lack of resolution.
Summary
| Action | Impact on Container | Use Case | Drawbacks |
|---|---|---|---|
| Kill | Immediate termination | High-risk threat; rapid mitigation. | Loss of forensic data; possible service disruption. |
| Stop | Graceful shutdown | Controlled threat removal; preserves service dependencies. | Residual risk; manual restart of container needed. |
| Pause | Execution halted, state preserved | Stealthy containment; preserves data for analysis. | Continued resource use; may prolong risk. |
Search for Existing Policies
To review the existing Workload policies:
Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.
Filter for Managed Policy and Workload.
You can edit a managed policy, duplicate it to create a custom policy, or click + Add Policy and choose Workload to configure a policy from scratch.