Threat Exclusions

An Exclusion is a rule that suppresses specific Threats triggered by known, non-malicious activities such as trusted user actions, routine automation, or expected behavior in dev/test environments, helping reduce noise and focus on true security risks. Threats matching an exclusion rule will not be created.

When a Threat exclusion rule is active, the underlying events still occur, but the associated Threat is not created on the Threats page, so no alert notifications are sent for it.

Use Cases

You can use threat exclusion rules to reduce the noise from a variety of sources that do not constitute real threats. These may include:

  • Known benign activities that consistently trigger Threats, such as routine admin activities in development or pre-production environments.
    • Example: Actions performed by a role like my_role frequently creating VPCs and deleting flow logs.
  • Activities occurring in specific environments, such as dev or pre-prod, where Threats are irrelevant or expected.
    • Example: Cryptocurrency mining detected in a sandbox or test environment specifically set up for resource load testing.
  • Activities performed by known, trusted identities, users, or service accounts.
    • Example: A known and trusted admin user performing high-privileged actions.
  • Known noisy rules that consistently generate non-actionable Threats.
    • Example: Rules detecting Delete VPC Flow Log actions that are part of automated cleanup processes.
  • Routine or expected package installations, software updates, or environment configuration activities.
    • Example: apt-get update -y and apt install Python commands frequently triggered by deployment processes.

Create an Exclusion

You can create a threat exclusion from either the Threat Exclusion page or directly from a Threat.

To create it from the Threat Exclusion page:

  1. Log in to Sysdig Secure.

  2. Navigate to Policies > Threat Exclusion.

  3. Select New Exclusion Rule.

  4. Enter a Name and select the Criteria. For details, see Define Criteria.

To create an exclusion from an occurrence of a Threat:

  1. Log in to Sysdig Secure.

  2. Navigate to Threats > Threats.

  3. Identify the Threat for which you want to create an exclusion rule.

  4. Select the three-dot menu icon.

  5. Select Create Exclusion Rule.

    The Exclusion Rule modal appears.

  6. Enter a Name, review the Criteria, and edit as you wish. For details, see Define Criteria.

  7. Select Save.

Created exclusions appear on the Threat Exclusion page. Here, you can enable or disable them with the toggle, and review their details, such as the creation date.

Define Criteria

In the Criteria section of the Exclusion Rule modal, you can define the exact threat you wish to ignore.

Use this when you always want to suppress Threats from particular clusters, users, workloads, or processes. You can combine multiple labels to target specific resources.
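The following is an added illustration, not Sysdig code or its API: a small model of how exclusion criteria behave as described above (all selected labels must match, a disabled rule suppresses nothing, and the underlying events are still recorded). The rule and event fields are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class ExclusionRule:
    """Hypothetical model of a Threat Exclusion: every criterion must match (AND)."""
    name: str
    criteria: dict          # label -> required value, e.g. {"user": "my_role"}
    enabled: bool = True    # the on/off toggle on the Threat Exclusion page

    def matches(self, event: dict) -> bool:
        # A disabled rule never suppresses anything; an enabled one needs all labels to match.
        return self.enabled and all(event.get(k) == v for k, v in self.criteria.items())


def is_overly_broad(rule: ExclusionRule, scoping=("cluster", "user", "workload", "process")) -> bool:
    """A rule with no scoping label silences a detection everywhere, not for one resource."""
    return not any(k in rule.criteria for k in scoping)


def process_events(events, rules):
    """Every event is retained; a Threat is created only when no enabled rule matches it."""
    audit_log, threats = [], []
    for ev in events:
        audit_log.append(ev)  # the underlying event still occurs and is recorded
        if not any(r.matches(ev) for r in rules):
            threats.append(ev["id"])
    return audit_log, threats


# Constructed sample data (not real Sysdig output), mirroring the use cases on this page.
RULES = [
    ExclusionRule("cleanup automation", {"detection": "Delete VPC Flow Log", "user": "my_role"}),
    ExclusionRule("load-test sandbox", {"detection": "Crypto Mining", "cluster": "sandbox"}),
    ExclusionRule("deploy package installs", {"detection": "Package Install", "process": "apt-get"}, enabled=False),
]
EVENTS = [
    {"id": 1, "detection": "Delete VPC Flow Log", "user": "my_role", "cluster": "prod"},
    {"id": 2, "detection": "Delete VPC Flow Log", "user": "unknown", "cluster": "prod"},
    {"id": 3, "detection": "Crypto Mining", "cluster": "sandbox", "process": "miner"},
    {"id": 4, "detection": "Crypto Mining", "cluster": "prod", "process": "miner"},
    {"id": 5, "detection": "Package Install", "process": "apt-get", "cluster": "prod"},
]


def evaluate():
    return process_events(EVENTS, RULES)


if __name__ == "__main__":
    log, threats = evaluate()
    print(f"{len(log)} events recorded, Threats created for: {threats}")  # 5 events recorded, Threats created for: [2, 4, 5]
    for r in RULES:
        if is_overly_broad(r):
            print(f"warning: rule {r.name!r} has no scoping label")
```

Event 5 still becomes a Threat because its matching rule is toggled off, and the broadness check flags any rule that names only a detection without a cluster, user, workload, or process label.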