What’s new in Sysdig – August 2022


Welcome to another month of What’s New in Sysdig in 2022! I’m Joshua Ma, a Customer Solutions Engineer based out of sunny Los Angeles. I joined the Customer Success team at Sysdig five months ago. After having my first taste of K8s, containers, and Falco at the North America KubeCon/CloudNativeCon in 2019, I haven’t looked back since!

August has been a busy month, and Sysdig has the pleasure of announcing many new features. In Sysdig Monitor, we’ve accelerated troubleshooting with the general availability of Advisories and enhanced our interface with a new Dashboard Manager, among other visualization improvements. In Sysdig Secure, we’ve rolled out powerful new features like Cryptomining Detection with Machine Learning, Actionable Compliance, and Managed Policies.

Sysdig Monitor

Advisor: Accelerate troubleshooting by up to 10x with Advisories

Advisories evaluate the thousands of data points being collected by the Sysdig agent, and display a prioritized view of key problems in your infrastructure that affect the health and availability of your clusters and the workloads running on them.

See Sysdig Advisor: Making Kubernetes troubleshooting effortless on the Sysdig blog.

Dashboards have a new home!

Dashboard Manager is a new page where users can easily explore all of their dashboards and browse the out-of-the-box Dashboard Templates with ease.

For more information, see Dashboard Manager.

Contextual Tooltip (Preview)

The Contextual Tooltip is an enhanced tooltip that lets you explore all segments of a dashboard panel over time. It is currently in preview (opt-in via Settings > User Profile).

Prometheus Alertmanager Notifications

You can now integrate Prometheus Alertmanager as a notification channel in Sysdig Monitor. See Prometheus Alertmanager Notifications for more details.

Enhanced Label Selector

The label selector in Dashboards and Metrics Explorer has been enriched with the following sought-after features:

  • Label documentation
  • Preview of label values
  • Suggested labels

New PromQL Variables

The following PromQL variables have been added:

  • $__interval_sec
  • $__range_sec

They are handy when you need the scalar (numeric seconds) equivalent of $__interval or $__range, for example when you compute a rate of change in PromQL:

avg(sum_over_time(sysdig_container_cpu_used_percent{$__scope}[$__interval]) / $__interval_sec)

For more information, see Using PromQL.
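As an added illustration (not Sysdig's own code), the following Python resolves these template variables the way a dashboard would before a query is sent: the bracketed range keeps its duration string, while the *_sec variables are derived from it with Prometheus duration syntax. The 5m interval, 1h range and the $__scope selector are constructed assumptions.

```python
import re

# Prometheus duration units, kept in whole milliseconds so no float rounding creeps in.
# "ms" must precede "m" in the regex alternation.
_UNITS_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000,
             "d": 86_400_000, "w": 604_800_000, "y": 31_536_000_000}
_DURATION_RE = re.compile(r"(\d+)(ms|s|m|h|d|w|y)")


def duration_to_seconds(duration: str) -> float:
    """Convert a Prometheus duration ('5m', '1h30m', '250ms') to a scalar in seconds."""
    pos, total_ms = 0, 0
    for match in _DURATION_RE.finditer(duration):
        if match.start() != pos:  # reject junk between components, e.g. '5m x'
            raise ValueError(f"invalid duration: {duration!r}")
        total_ms += int(match.group(1)) * _UNITS_MS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(duration):  # empty string, or trailing junk
        raise ValueError(f"invalid duration: {duration!r}")
    return total_ms / 1000


def format_seconds(seconds: float) -> str:
    """Render a scalar for PromQL: whole seconds without a trailing '.0'."""
    return str(int(seconds)) if seconds == int(seconds) else repr(seconds)


def resolve_promql(query: str, interval: str, time_range: str, scope: str) -> str:
    """Substitute $__interval, $__range, their *_sec forms and $__scope into a query."""
    values = {
        "$__interval_sec": format_seconds(duration_to_seconds(interval)),
        "$__range_sec": format_seconds(duration_to_seconds(time_range)),
        "$__interval": interval,
        "$__range": time_range,
        "$__scope": scope,  # assumed: a label selector body such as kube_cluster_name="prod"
    }
    # Replace the longest names first so $__interval never clobbers $__interval_sec.
    for name in sorted(values, key=len, reverse=True):
        query = query.replace(name, values[name])
    return query


if __name__ == "__main__":
    # Constructed inputs: the query from this post, a 5m panel interval and a 1h range.
    query = "avg(sum_over_time(sysdig_container_cpu_used_percent{$__scope}[$__interval]) / $__interval_sec)"
    print(resolve_promql(query, "5m", "1h", 'kube_cluster_name="prod"'))
    # avg(sum_over_time(sysdig_container_cpu_used_percent{kube_cluster_name="prod"}[5m]) / 300)
```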

PromQL support for Table Visualization

We further enhanced the Table Visualization to support PromQL. This allows powerful correlation of metrics over label-denoted entities, for example CPU and memory usage per container.

As always, please check out our Release Notes for more details on product updates, and ping your local Sysdig contact if you have questions about anything covered here.

Sysdig Secure

Cryptominer Detection with Machine Learning

We announced our machine learning (ML) solution for detecting cryptojacking with 99% precision. Building on Sysdig’s Image Profiling feature, our solution is based on an ML model trained to recognize the anatomy of cryptominers from process activity in running containers. Sysdig uses its deep runtime visibility into containers to collect the process-level data needed to identify cryptominer behavior.

Learn more about how to Detect cryptojacking with Sysdig’s high-precision machine learning on our blog.

Managed Threat Detection Policies

We released Managed Policies to all customers, so you will now receive the latest feed of runtime security policies managed by our Threat Detection team. You can customize them to your liking by converting them to Managed Rulesets or Custom Policies.

Your existing policies have been labeled as Custom Policies, and they work exactly as they have always worked without any action on your part. However, to get the power of the Sysdig Threat Research team, we recommend moving over to the new Managed Policies.

See our updated documentation on the different types of managed policies.

Falco Rules

v0.80.2 is the latest version. Here are some highlights of the changes since v0.74.3, which we covered in July.

Added the following rules:

  • GPG Key Reconnaissance
  • Create Access Key for User
  • PTRACE anti-debug attempt
  • PTRACE attached to process
  • Detect reconnaissance scripts
  • Detect malicious cmdlines
  • GCP Create DNS Record
  • GCP Create DNS Zone
  • GCP Delete DNS Record
  • GCP Update DNS Record
  • GCP Update DNS Zone
  • GCP Cloud Armor Blocked Connection
  • GCP Cloud IDS Alert
  • Delete AWS user (SSO)

Further details and the full changelog can be found on Sysdig documentation.

Sysdig Agents

New Sysdig Agents Data Sources Page (Preview)

We released a Sysdig Agents overview page in the Data Sources interface. This Technical Preview is available for all customers and shows all of your Sysdig Agents that have reported into the Sysdig backend.

This helps users quickly determine:

  • Which agents are up to date, out of date, or approaching being out of date.
  • Which managed clusters have been detected in your cloud environment, but have not yet been instrumented with the Sysdig agent.

For further information, see our new documentation.

Agent Updates

The latest Sysdig Agent release is v12.8.0. Below are the updates since v12.7.1, which we covered in our last update.

  • A New Metric to Indicate Retrieving Kubernetes State
  • Read Certificate Chain
  • Support for dup() Syscalls
  • Falco Rules Optimizer
  • New Falco Rules Parser

Please refer to our v12.8.0 Release Notes for further details.

SDK, CLI, and Tools

Sysdig CLI

v0.7.14 is still the latest release (Download Link). The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

v0.16.4 is still the latest release, which we covered in our October update.

https://github.com/sysdiglabs/sysdig-sdk-python/releases/tag/v0.16.3

Terraform Provider

v0.5.39 is still the latest release.

Documentation - https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs

Github link - https://github.com/sysdiglabs/terraform-provider-sysdig

Terraform Modules

  • AWS Sysdig Secure for Cloud: v0.9.4
  • GCP Sysdig Secure for Cloud has not changed and is still v0.9.0
  • Azure Sysdig Secure for Cloud has not changed and is still v0.9.0

Note: Please check the release notes for potential breaking changes.

Falco VS Code Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

AWS Sysdig Secure for Cloud has a new release! v0.16.13 includes new features and some minor fixes.

Features include:

  • GuardDuty Ingestor

Check the full list of changes to get the full details.

Admission Controller

Sysdig Admission Controller has been updated to v3.9.7.

Documentation - https://docs.sysdig.com/en/docs/installation/admission-controller-installation/

Runtime Vulnerability Scanner

The new vuln-runtime-scanner has been released to GA state with v1.2.5.

Documentation - https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/runtime

Sysdig CLI Scanner

Sysdig CLI Scanner has been released to v1.2.5.

Documentation - https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Image Analyzer

Sysdig Image Analyzer is still at v0.1.18.

Host Analyzer

Sysdig Host Analyzer is still at v0.1.9.

Documentation - https://docs.sysdig.com/en/docs/installation/node-analyzer-multi-feature-installation/#node-analyzer-multi-feature-installation

Sysdig Secure Inline Scan for Github Actions

The latest release is still v3.4.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

v2.1.16 is still the latest release.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Integrations:

  • Fix: Improved OpenShift HAProxy configuration to use ClusterRole.
  • Fix: Improved documentation with the official integration names.
  • Fix: Fixed documentation page for Application Integrations.
  • Fix: In the Istio agent configuration, removed metrics filtering in the envoy job. This filtering was preventing other custom metrics merged into the Envoy sidecar from being sent.

Dashboards and alerts:

  • Fix: Typo in metric for ALB and ELB AWS Metrics Stream services.
  • Fix: Improved RDS text for PostgreSQL.
  • Fix: Improved calculation of used vs. requests/limits in the Kubernetes Capacity Planning dashboard.
  • Fix: Improved PromQL in Kubernetes dashboards to avoid artifacts caused by ephemeral containers.
  • Fix: Deleted duplicate dashboard templates.
  • Refactor: Updated Kubelet metrics (Kubernetes >1.19) in dashboard templates:
    • kubelet_running_container_count --> kubelet_running_containers
    • kubelet_running_pod_count --> kubelet_running_pods
  • Fix: Removed duplicated dashboard templates.

Promcat.io

  • Fix: Improved OpenShift HAProxy configuration to use ClusterRole

Exporter images

  • Feat: Upgraded exporters Jenkinsfile for scratch and ubi images

Sysdig On-Premise

The 5.1.0 On-Premise minor release is now official. Here are some highlights for this minor release:

  • Added support for Kubernetes versions 1.22 and 1.23.
  • Added a pre-flight check to verify the kubectl and K8s versions of the cluster with the context provided by the customer.
  • API documentation for Sysdig Secure is now enabled by default.
  • Feature Enhancement: Falco Exceptions - Create Exception Objects to a Default Rule.
  • Various bug fixes.

The full release notes can be found here: Sysdig Docs or GitHub.
