Workload Policy

Sysdig Secure delivers a variety of workload policies out of the box. Workload policies evaluate each system call and can be configured to take immediate action. You can edit them, duplicate to create a custom version, or create a new workload policy from scratch.

Event notifications are generally limited to a frequency of once every five minutes. For details, see Message Throttling in Sysdig Secure.

Workload Policies Overview

Runtime Workload Policies contain a number of managed policies to provide threat detection in dynamic cloud environments:

  • Sysdig Runtime Behavioral Analytics
  • Sysdig Runtime Threat Detection
  • Sysdig Runtime Threat Intelligence
  • Sysdig Runtime Notable Events
  • Sysdig Runtime Activity Logs

Sysdig Runtime Behavioral Analytics

Runtime Behavioral Analytics (BA) is a special type of Workload Policy. Powered by Observations, it correlates a sequence of actions to detect multi-stage attacks that are often missed by event-driven security, which evaluates each event on its own.

These include:

  • Reverse Shell: Scenarios where a staged binary spawns a shell and connects to an attacker’s machine.
  • Process Injection (PTRACE): Attempts to inject code into a running process.
  • Multi-Event Chains: Writes to a file after a container execution, and subsequent attempts to execute that file in the same session.
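
The Multi-Event Chain above, modelled as a small correlator: an added illustration, not Sysdig's Observations engine or any of its code. It assumes events have already been normalized into a constructed record with a session identifier, an event kind and a file path.

```python
# Toy correlator for the "write, then execute, after a container exec" chain.
# Illustrative only: this is NOT Sysdig's Observations engine, just a model of
# why a sequence-aware policy catches what per-event rules miss.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: int                  # event time (constructed, monotonic per session)
    session: str             # session id shared by related events (assumed field)
    kind: str                # "container_exec" | "file_write" | "exec"
    path: Optional[str] = None


@dataclass
class SessionState:
    exec_seen: bool = False
    written: set = field(default_factory=set)


def correlate(events):
    """Return (session, path) pairs where a file written after a container
    exec is later executed in the same session. Each event on its own (an
    exec into a container, a file write, a program start) is routine; only
    the ordered chain is reported."""
    states: dict = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):   # tolerate out-of-order delivery
        st = states.setdefault(ev.session, SessionState())
        if ev.kind == "container_exec":
            st.exec_seen = True
        elif ev.kind == "file_write" and st.exec_seen and ev.path:
            st.written.add(ev.path)
        elif ev.kind == "exec" and ev.path in st.written:
            findings.append((ev.session, ev.path))
            st.written.discard(ev.path)             # report each chain once
    return findings


# Constructed sample stream: three sessions, only sess-A forms the full chain.
SAMPLE_EVENTS = [
    Event(1, "sess-A", "container_exec"),
    Event(2, "sess-A", "file_write", "/tmp/dropped.sh"),
    Event(3, "sess-A", "exec", "/tmp/dropped.sh"),
    Event(1, "sess-B", "file_write", "/tmp/build.log"),  # no prior exec into the container
    Event(2, "sess-B", "exec", "/tmp/build.log"),
    Event(1, "sess-C", "container_exec"),
    Event(2, "sess-C", "exec", "/bin/ls"),                # executed file was never written here
]

if __name__ == "__main__":
    for session, path in correlate(SAMPLE_EVENTS):
        print(f"multi-event chain in {session}: wrote then executed {path}")
```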

Prerequisites

  • Sysdig agent version 13.6.1 or higher.
    • For optimal performance of all analytics features, we recommend the latest version of the agent.

Limitations

  • Only workload (syscall) events are eligible. Cloud and Kubernetes Audit events are not covered by Observations.

  • Only Managed Policies support Observations. You cannot use Observations in managed ruleset or custom policies. For the different types of policies, see Types of Threat Detection Policies.

Review Runtime Behavioral Analytics Policy and Rules

To review the Runtime Behavioral Analytics policy and the rules it enforces:

  1. Log in to Sysdig Secure.

  2. Select Policies > Threat Detection > Runtime Policies.

  3. Find Sysdig Runtime Behavioral Analytics.

    You can use search and filters to locate it. For example:

    • Managed type = Managed Policy
    • Select policy type = Workload

    By default, it is scoped to Entire Infrastructure. Edit the policy to change the scope.

  4. Select the policy to open the detail panel.

    Here, you can see the policy type, description, scope, last update, rules, and more.

  5. Select any rule from the rule list to expand its full logic and coverage.

Create a Workload Policy

To create a Workload policy:

  1. Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.

  2. Click Add Policy and select Workload.

Configure a Workload Policy

Basic Parameters

Name: Enter a policy name.

Description: Provide a meaningful and searchable description.

Enabled/Disabled: Toggle to enable the policy so that it generates events.

Severity: Choose the severity level you want shown in the Runtime Policies UI: High, Medium, Low, or Info.

Policy severity is subjective and is used to group policies within a Sysdig Secure instance. There is no inheritance between the underlying rule priorities and the severity you assign to the policy.

Scope: Define the scope to which the policy will apply, based on the type-dependent options listed.

Link to Runbook: (Optional) Enter the URL of a company procedure that should be followed for events resulting from this policy. For example: https://www.mycompany.com/our-runbook-link.

If you enter a value here, then a View Runbook option will be displayed in any corresponding Event.

Policy Rules

Add or edit policy rules as needed. You can choose to Import from Library or to create a New Rule. To learn more about rules, see Manage Threat Detection Rules.

Actions

Determine what should be done if a Policy is violated.

Kill Process

Toggle Kill Process on to have the policy automatically kill the process that triggered the event. This works for both container and host events, and honors the agent flag to ignore actions at the agent.

Containers

Container policy actions coverage map:

Environment | Container Policy Action Supported?
Kubernetes - Linux
Kubernetes - Windows
Hosts - Linux Containers
Hosts - Linux Packages
Hosts - Windows
Hosts - ECS on EC2
Serverless - Azure Container Apps
Serverless - Cloud Run Service
Serverless - ECS on Fargate

Select what should happen to affected containers if the policy rules are breached:

  • Nothing (alert only): Do not change the container behavior; send a notification according to Notification Channel settings.
  • Kill: Kills one or more running containers immediately.
  • Stop: Allows a graceful shutdown (10 seconds) before killing the container.
  • Pause: Suspends all processes in the specified containers.

For details, see Available Response Actions.

The agent can be configured to prevent Kill, Pause and Stop actions, regardless of the policy.

See Ignore Container Actions at the Agent Level.

Capture

Toggle Capture on if you want to create a capture in case of an event, and define the number of seconds before and after the event that should be in the snapshot.

As of June 2021, you can add the Capture option to policies affecting events from both the Sysdig agent and Fargate serverless agents.

Note that for serverless agents, manual captures are not supported; you must toggle on the Capture option in the policy definition.

See also: Captures.

Notify

Select a notification channel from the drop-down list to send notifications of events to appropriate personnel.

See also: Set Up Notification Channels.

Search for Existing Policies

To review the existing Workload policies:

  1. Log in to Sysdig Secure and select Policies > Threat Detection > Runtime Policies.

  2. Filter for Managed Policy and Workload.

  3. You can edit a managed policy, duplicate it to create a custom policy, or click + Add Policy and choose Workload to configure one from scratch.