What’s New in Sysdig – November 2023

By Dimitris Vassilopoulos - NOVEMBER 30, 2023


“What’s New in Sysdig” is back with the November 2023 edition! My name is Dimitris Vassilopoulos, based in London, United Kingdom, and I’m excited to share our latest feature releases with you!

Building on the positive momentum generated by the array of features unveiled in October as part of our industry-leading Cloud-Native Application Protection Platform (CNAPP), Sysdig released the 5/5/5 Benchmark for Cloud Detection and Response at SANS CyberFest 2023, a new framework that outlines how quickly organizations should detect, triage, and respond to attacks in the cloud.

Operating securely in the cloud requires a mindset shift with regard to time, and with that, cloud security programs need to hold themselves to a modernized benchmark:

  • Five seconds to detect
  • Five minutes to correlate insights and understand what’s happening
  • Five additional minutes to respond

Download the 5/5/5 Benchmark for Cloud Detection and Response.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Improved Home Page

Sysdig is pleased to announce a new and improved Home page! The Home page offers a clean, visual representation of the most important issues in your environment and a curated list of the top tasks required. The default Home tab contains the Dashboards; the second tab contains Recommendations.

For the Home page dashboards to display data, you must have completed basic onboarding and at least one data source must be connected. Otherwise, the page will provide prompts for completing those setup tasks.

What is displayed in Dashboards is dependent on what has been installed. To learn more, read the docs.

Star Favorite Compliance Views

You can now select specific Policy + Zone combinations you want to see tracked on the Home page. Details are in the Compliance documentation.

Supported Web Browsers

Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested in the same way.

Sysdig Monitor

Supported Web Browsers

The latest versions of Chrome and Firefox are tested, verified, and supported for Sysdig Monitor as well as Secure. However, note that other browsers may also work but are not tested with the same rigor.

Sysdig Serverless Agent

4.3.0 Hotfix Nov. 08, 2023

This hotfix updated the CloudFormation template, orchestrator-agent.yaml, to include default values for autoscaling. When autoscaling is disabled, the autoscaling parameters now default to 0.

For Installation and Upgrade steps, see AWS Fargate Serverless Agents.

SDK, CLI, and Tools

Sysdig CLI

v0.8.2 is still the current release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

The Python SDK remains at v0.17.1.

Terraform Provider

We have just released version 1.18.0 of the Terraform provider. This release includes the following features:

  • Pass provider alias to cloud account creation call
  • Remove quotes for boolean values
  • Implement cloud account creation for Azure
  • Enable acceptance test for Secure cloud account

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

  • AWS Sysdig Secure for Cloud remains unchanged at v10.0.9
  • GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
  • Azure Sysdig Secure for Cloud remains unchanged at v0.9.7

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

The Cloud Connector has been updated to v0.16.55 under Helm chart 0.8.6.

Admission Controller

New Admission Controller release (3.9.35) under Helm chart 0.14.14.

Sysdig CLI Scanner

The latest Sysdig CLI Scanner version is v1.6.1.

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release is v3.6.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Prometheus Integrations has been updated to v1.23.2:

  • Change: Replace HelpIcon with QuestionMarkCircleHelpIcon
  • Fix: OpenShift/rancher integration labels

Sysdig On-Premises

Sysdig On-Premises has been updated to 6.6.0 with the following changes.

Upgrade process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. The same repository also contains the on-premises installation documentation.

Sysdig Secure

Nexus and Google Support for Container Registry Scanning

The Image Registry Scanning functionality in the Sysdig Vulnerability Management engine has been updated to support scanning for the Nexus Repository and the Google Artifact Registry (GAR).

For more information on running the scanner, see the Registry Scanner documentation.

Reporting for Image Pipeline Vulnerability Scanning

The Vulnerability Management engine now supports Reporting for Image Pipeline Scanning. The engine now has reporting for all scanning functionality (Runtime, Registry, Host, and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.

What?

  • This feature enables the easy collection and reporting on Pipeline scans over a given time period.

Why?

  • With this addition, we have completed normalizing the data output functions across the VM scanning set.

Exception UI improvements for threat detection rules

Sysdig is introducing a new, user-friendly exception builder. The new exception UI, built into the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules.

For more information, see Manage Threat Detection Rules.

Advanced users can apply Tuning suggestions

To simplify identifying and applying exceptions, Advanced Users and Team Managers can now see and apply Tuning suggestions from the Insights and Event detail pages.

To enable:

  1. Log into Sysdig Secure as Admin and go to Settings.
  2. Toggle Advanced User Tuner Enablement on.

Sysdig Monitor

Metrics Usage Enhanced with Dashboards and Alerts Usage Metadata

Metrics Usage now displays which Dashboards and Alerts are using a given metric, enabling you to better understand the value a given metric provides to teams.

UX Improvements for PromQL Query Explorer

The PromQL Query Explorer editor has been updated with quality-of-life improvements for a better experience while running queries:

  • Only labels relevant to the query's metrics are now displayed in the autocomplete prompt.
  • Labels are automatically selected and displayed in the query results table.

Notification snapshot for Metric Alert notifications

Metric Alert notifications forwarded to Slack or email include a snapshot of the triggering time series data. For the Slack Notification channels, you can toggle the snapshot within the notification channel settings. When the channel is configured to Notify when Resolved, a snapshot of the time series data that resolves the alert is also provided in the notification.

Platform

Settings page refresh

The Settings page in Sysdig Secure and Monitor has been enhanced to provide a better user experience:

  • Improved color scheme for the dark mode.
  • Unified layout and components to establish consistency between Sysdig products.
  • Better navigation through the new header component.

Defect fixes

  • Fixed an issue in the Explore module where promlegacy_* metrics could prevent metric counts from loading.

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in recent months. Below are the release notes for the most recent rule changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

Rule Changes

  • Reduced false positives for the following rules:
    • Modification of pam.d detected
    • Possible Backdoor using BPF
    • Packet socket created in container
    • Dump memory for credentials
    • Launch Remote File Copy Tools in Container
    • Suspicious cron modification
    • Base64-encoded Shell Script Execution
    • Fileless Malware Detected (memfd)
    • eBPF program loaded into Kernel
    • Launch Ingress Remote File Copy Tools in Container
    • Write below etc.
    • Escape to host via command injection in process
    • Non sudo setuid
    • Mount launched in Privileged Container
    • Change thread namespace
    • Set Setuid or Setgid bit
    • Launch Sensitive Mount Container
    • Launch Root User Container
    • Write below root
    • Launch privileged container
    • Diamorphine Rootkit Activity
    • Read Environment Variable from /proc files in Container
    • Search Private Keys or Passwords
    • SSH keys added to authorized_keys
    • Change memory swap options
    • Kernel startup modules changed
  • Added the following rules:
    • Container image built on host
    • Leave Organization
    • EC2 Add User Data
    • SSM Get Parameter
    • EC2 Get User Data
    • Shutdown or Reboot detected
    • Get Federation Token with Admin Policy
    • Full Visibility on Federated Sessions
    • GCP CloudRun Service Started
    • Create Key Pair
    • Stop EC2 Instances
    • Get Lambda Function
    • Attach IAM Policy to Group
    • Escape to host via command injection in process
  • Improved the conditions for the following rules:
    • System procs network activity
    • Potential UAC bypass using Registry manipulation
    • Dump memory for credentials
    • Execution of binary using ld-linux rule
  • Improved the output for the following rules:
    • GitHub Webhook Connected rule
    • Okta ruleset
    • Shutdown or Reboot detected rule
  • Updated the IoCs Ruleset with new findings
  • Updated description for the Malicious C2 IPs or domains exploiting log4j rule
  • Updated the Sysdig AWS Notable Events policy
  • Improved the Windows suspicious_network_binaries list
  • Improved tags for the AWS RDS Master Password Update rule
  • Improved MITRE tags

Default Policy Changes

  • Added the following files:
    • Shutdown or Reboot detected
    • Get Federation Token with Admin Policy
    • Full Visibility on Federated Sessions
    • GCP CloudRun Service Started
    • Create Key Pair
    • Stop EC2 Instances
    • Get Lambda Function
    • Attach IAM Policy to Group
    • Escape to host via command injection in process
  • Updated the Remove MFA from user in Okta policy.
  • Updated the policy for rules:
    • Change memory swap options
    • EC2 Instance Connect/SSH Public Key Uploaded
    • SSM Get Parameter

Open Source

Falco

Falco 0.36.2 is the latest stable release.

https://github.com/falcosecurity/falco/releases/tag/0.36.2

New Website Resources

Press Releases

Sysdig Debuts New Benchmark for Cloud Detection and Response

Sysdig Extends the Power of Detection and Response to Include Windows Server and Malware Threat Detection

Blogs

Securing Servers in the Cloud Requires a Cloud Centric Approach

Why Traditional EDRs Fail at Server D&R in the Cloud

Is Traditional EDR a Risk to Your Cloud Estate?

Webinars

Fix What Matters First: Bridging Code and Cloud Security

Generate This: Bring AI to Cloud Security

Safeguarding Identities

Events

AWS re:Invent 2023 – Cloud Security Powered by Runtime Insights

BlackHat Europe 2023

Sysdig Education

Sysdig. Secure Every Second: https://www.youtube.com/watch?v=c7mqQOwQv3U

Unparalleled Cloud Visibility in Action with Sysdig’s Enhanced Searchable Inventory: https://www.youtube.com/watch?v=D6lnQhU0xD0

Rethinking Cloud Security with Sysdig’s CNAPP: https://www.youtube.com/watch?v=19QjEmXbvqY

Strengthening Your Security with Agentless Vulnerability Management: https://www.youtube.com/watch?v=M0YpW-1WqqU

Sysdig Attack Path in action: https://www.youtube.com/watch?v=Exiw48ClOYE
