Welcome to another month of What’s New in Sysdig in 2022! I’m Joshua Ma, a Customer Solutions Engineer based out of sunny Los Angeles. I joined the Customer Success team at Sysdig five months ago. After having my first taste of K8s, containers, and Falco at the North America KubeCon/CloudNativeCon in 2019, I haven’t looked back since!
August has been a busy month, and Sysdig has the pleasure of announcing many new features. In Sysdig Monitor, we’ve accelerated troubleshooting with the general availability of Advisories and enhanced our interface with a new Dashboard Manager, among other visualization improvements. In Sysdig Secure, we’ve rolled out powerful new features like Cryptomining Detection with Machine Learning, Actionable Compliance, and Managed Policies.
Sysdig Monitor
Advisor: Accelerate troubleshooting by up to 10x with Advisories
Advisories evaluate the thousands of data points being collected by the Sysdig agent, and display a prioritized view of key problems in your infrastructure that affect the health and availability of your clusters and the workloads running on them.
See Sysdig Advisor: Making Kubernetes troubleshooting effortless on the Sysdig blog.
Dashboards have a new home!
Dashboard Manager is a new page where users can explore all of their dashboards and browse the out-of-the-box Dashboard Templates with ease.
For more information, see Dashboard Manager.
Contextual Tooltip (Preview)
The Contextual Tooltip is an enhanced tooltip that lets you explore all segments over time in a dashboard panel. It is currently in preview (opt in via Settings > User Profile).
Prometheus Alertmanager Notifications
You can now integrate Prometheus Alertmanager as a notification channel in Sysdig Monitor. See Prometheus Alertmanager Notifications for more details.
Enhanced Label Selector
The label selector in Dashboards and Metrics Explorer has been enriched with the following sought-after features:
- Label documentation
- Preview of label values
- Suggested labels
New PromQL Variables
The following PromQL variables have been added:
- $__interval_sec
- $__range_sec
They are handy when you need the scalar equivalent of $__interval or $__range, such as when you query a rate of change in PromQL:
avg(sum_over_time(sysdig_container_cpu_used_percent{$__scope}[$__interval]) / $__interval_sec)
For more information, see Using PromQL.
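To make the relationship between the duration variables and their new scalar counterparts concrete, here is an added Python example (not code from the post or from Sysdig) that models how a dashboard template such as the query above is rendered. It assumes PromQL's Go-style duration syntax (5m, 1h30m), that $__scope expands to a set of label matchers, and a hypothetical render_query helper; the real Sysdig backend is not claimed to work this way.

```python
import re

# Go-style duration units accepted in PromQL range selectors, in seconds.
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}
_DURATION_RE = re.compile(r"(\d+)(ms|s|m|h|d|w|y)")


def duration_to_seconds(duration: str) -> float:
    """Convert a PromQL duration such as '5m' or '1h30m' to seconds.

    This is the scalar value $__interval_sec / $__range_sec stand for:
    the number of seconds in the duration held by $__interval / $__range.
    Rejects anything that is not a contiguous sequence of <number><unit>.
    """
    pos = 0
    total = 0.0
    for m in _DURATION_RE.finditer(duration):
        if m.start() != pos:  # junk between components, e.g. '5m x'
            raise ValueError(f"invalid duration: {duration!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(duration):  # empty, unitless, or trailing junk
        raise ValueError(f"invalid duration: {duration!r}")
    return total


def _format_scalar(seconds: float) -> str:
    # Render 300.0 as '300' so the query stays readable; keep fractions for 'ms'.
    return str(int(seconds)) if seconds.is_integer() else repr(seconds)


def render_query(template: str, interval: str, range_: str, scope: str) -> str:
    """Substitute the dashboard variables into a PromQL template (hypothetical model).

    $__interval / $__range keep their duration form for use in [range] selectors;
    $__interval_sec / $__range_sec become plain numbers that PromQL can divide by.
    """
    values = {
        "$__interval": interval,
        "$__range": range_,
        "$__interval_sec": _format_scalar(duration_to_seconds(interval)),
        "$__range_sec": _format_scalar(duration_to_seconds(range_)),
        "$__scope": scope,  # assumed to expand to label matchers, e.g. kube_cluster_name="prod"
    }
    out = template
    # Longest names first, so '$__interval' never clobbers '$__interval_sec'.
    for name in sorted(values, key=len, reverse=True):
        out = out.replace(name, values[name])
    return out


# The query from the post, used here as the template (constructed usage).
QUERY = 'avg(sum_over_time(sysdig_container_cpu_used_percent{$__scope}[$__interval]) / $__interval_sec)'

if __name__ == "__main__":
    print(render_query(QUERY, interval="5m", range_="1h", scope='kube_cluster_name="prod"'))
```

The substitution order matters: a naive left-to-right replace of $__interval would turn $__interval_sec into 5m_sec, which is why the helper replaces the longest variable names first. Dividing sum_over_time(...) by the numeric $__interval_sec is what turns a per-window sum into a per-second rate.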
PromQL support for Table Visualization
We further enhanced the Table Visualization to support PromQL. This allows powerful correlation of metrics across label-denoted entities (the following example shows CPU and memory usage per container).
As always, please check out our Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.
Sysdig Secure
Cryptominer Detection with Machine Learning
We announced our machine learning (ML) solution for detecting cryptojacking with 99% precision. Building on Sysdig’s Image Profiling feature, our solution is based on an ML model trained to recognize the anatomy of cryptominers from process activity in running containers. Sysdig’s deep visibility into containers at runtime collects the data needed to identify cryptominer behavior.
Learn more about how to Detect cryptojacking with Sysdig’s high-precision machine learning on our blog.
Managed Threat Detection Policies
We released Managed Policies to all customers, so you will now receive the latest feed of runtime security policies managed by our Threat Detection team. You can customize them to your liking by converting them to Managed Rulesets or Custom Policies.
Your existing policies have been labeled as Custom Policies, and they work exactly as they have always worked without any action on your part. However, to get the power of the Sysdig Threat Research team, we recommend moving over to the new Managed Policies.
Falco Rules
v0.80.2 is the latest version. Here are some highlights of the changes since v0.74.3, which we covered in July.
Added the following rules:
- GPG Key Reconnaissance
- Create Access Key for User
- PTRACE anti-debug attempt
- PTRACE attached to process
- Detect reconnaissance scripts
- Detect malicious cmdlines
- GCP Create DNS Record
- GCP Create DNS Zone
- GCP Delete DNS Record
- GCP Update DNS Record
- GCP Update DNS Zone
- GCP Cloud Armor Blocked Connection
- GCP Cloud IDS Alert
- Delete AWS user (SSO)
Further details and the full changelog can be found on Sysdig documentation.
Sysdig Agents
New Sysdig Agents Data Sources Page (Preview)
We released a Sysdig Agents overview page in the Data Sources interface. This Technical Preview is available for all customers and shows all of your Sysdig Agents that have reported into the Sysdig backend.
This helps users quickly determine:
- Which agents are up to date, out of date, or approaching being out of date.
- Which managed clusters have been detected in your cloud environment, but have not yet been instrumented with the Sysdig agent.
For further information, see our new documentation.
Agent Updates
The latest Sysdig Agent release is v12.8.0. Below is a summary of updates since v12.7.1, which we covered in our last update.
- A New Metric to Indicate Retrieving Kubernetes State
- Read Certificate Chain
- Support for dup() Syscalls
- Falco Rules Optimizer
- New Falco Rules Parser
Please refer to our v12.8.0 Release Notes for further details.
SDK, CLI, and Tools
Sysdig CLI
v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:
Python SDK
v0.16.4 is still the latest release, which we covered in our October update.
Terraform Provider
v0.5.39 is still the latest release.
Documentation – https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs
Github link – https://github.com/sysdiglabs/terraform-provider-sysdig
Terraform Modules
- AWS Sysdig Secure for Cloud: v0.9.4
- GCP Sysdig Secure for Cloud has not changed and is still v0.9.0
- Azure Sysdig Secure for Cloud has not changed and is still v0.9.0
Note: Please check release notes for potential breaking changes
Falco VS Code Extension
v0.1.0 is still the latest release.
Sysdig Cloud Connector
AWS Sysdig Secure for Cloud has a new release! v0.16.13 includes new features and some minor fixes.
Features include:
- GuardDuty Ingestor
Check the full list of changes to get the full details.
Admission Controller
Sysdig Admission Controller has been updated to v3.9.7.
Documentation – https://docs.sysdig.com/en/docs/installation/admission-controller-installation/
Runtime Vulnerability Scanner
The new vuln-runtime-scanner has been released to GA state with v1.2.5.
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime
Sysdig CLI Scanner
Sysdig CLI Scanner has been released to v1.2.5.
Documentation – https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Image Analyzer
Sysdig Image Analyzer is still set to v0.1.18.
Host Analyzer
Sysdig Host Analyzer is still set to v0.1.9.
Documentation – https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation
Sysdig Secure Inline Scan for Github Actions
The latest release is still v3.4.0.
Sysdig Secure Jenkins Plugin
v2.1.16 is still the latest release.
Prometheus Integrations
Integrations:
- Fix: Improved OpenShift HAProxy configuration to use ClusterRole.
- Fix: Improved documentation with the official integrations names.
- Fix: Fixed documentation page for Application Integrations.
- Fix: In Istio agent configuration, removed metrics filtering in envoy job. This was preventing other custom metrics merged into the Envoy sidecar from being sent.
Dashboards and alerts:
- Fix: Typo in metric for ALB and ELB AWS Metrics Stream services.
- Fix: Improved RDS text for PostgreSQL.
- Fix: Improved calculation of used vs request/limits in Kubernetes Capacity Planning dashboard.
- Fix: Improved PromQL in Kubernetes dashboards to avoid artifacts on ephemeral containers.
- Fix: Deleted duplicate dashboard templates.
- Refactor: Updated Kubelet metrics (Kubernetes >1.19) in dashboard templates:
  - kubelet_running_container_count -> kubelet_running_containers
  - kubelet_running_pod_count -> kubelet_running_pods
- Fix: Removed duplicated dashboard templates.
Promcat.io
- Fix: Improved OpenShift HAProxy configuration to use ClusterRole
Exporter images
- Feat: Upgraded exporters Jenkinsfile for scratch and ubi images
Sysdig On-Premise
The 5.1.0 On-Premise minor release is now official. Here are some highlights for this minor release:
- Added support for Kubernetes versions 1.22 and 1.23.
- Added a pre-flight check to verify the kubectl and K8s versions of the cluster with the context provided by the customer.
- API documentation for Sysdig Secure is now enabled by default.
- Feature Enhancement: Falco Exceptions – Create Exception Objects to a Default Rule.
- Various bug fixes.
The full release notes can be found here: Sysdig Docs or Github.
New Website Resources
Blogs
- Kubernetes 1.25 – What’s new?
- Blackhat 2022 recap – Trends and highlights
- Cryptominer detection: a machine learning approach
- Detect cryptojacking with Sysdig’s high-precision machine learning
- Cloud DNS Security – How to protect DNS in the Cloud
Webinars
- August 24 – 5 Easy Ways to Secure Images & Prioritize Risk from Source to Run On AWS
- Sept. 06 – How Does Your Kubernetes Environment Stack Up?
- Sept. 13 – How to Improve Security for Cloud-Native App Platform in 3 Easy Steps for Azure
- Sept. 15 – Becoming a Cloud Security Ninja: Sharpen your Cloud Threat Detection Sword with Machine Learning
- Sept. 20 – 5 Best Practices to Prevent, Detect, and Respond to Threats Lurking Within Your Azure Cloud Workloads
Tradeshows
- Oct. 10-12, ISC2, Las Vegas NV
- Oct. 11-13, Google Next, San Francisco CA
- Oct. 24-28, Kubecon NA 2022, Detroit MI
- Nov. 28 – Dec. 2, AWS Reinvent, Las Vegas NV
Education