
Sysdig Response Actions

This integration is part of the Sysdig Response Actions Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This integration uses the Sysdig agent to respond to malicious activity by triggering actions at the host or container level, such as killing a container, quarantining a file, or performing a system capture. It was integrated and tested with Host Shield 13.9.1 of the Sysdig Agent and ResponseActions version 0.1.0.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Configure Sysdig Response Actions in Cortex

| Parameter | Required |
| --- | --- |
| Your server URL | True |
| API Key | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Classifier | False |
| Incident type (if classifier doesn't exist) | False |
| Mapper (incoming) | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

execute-response-action

Execute response actions through the Sysdig API.

Base Command

execute-response-action

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| actionType | Action type to perform. Possible values are: KILL_PROCESS, KILL_CONTAINER, STOP_CONTAINER, PAUSE_CONTAINER, FILE_QUARANTINE. | Required |
| callerId | The caller ID; it must be unique on every call. | Required |
| container_id | The container ID to apply the action to. Example "container.id": "123456789123". | Optional |
| path_absolute | The path of the file to quarantine. Example "/etc/sensitive". Required for the FILE_QUARANTINE action. | Optional |
| host_id | The host ID. Example "laksjdf1923u90snca893". | Optional |
| process_id | The process ID. Example "1234". Required for the KILL_PROCESS action. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| execute_response_action.Output | Dict | Output of the response-actions API |

create-system-capture

Command to trigger a system capture; it records all system calls at the host level.

Base Command

create-system-capture

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| container_id | The container ID to apply the action to. Example "container.id": "123456789123". | Required |
| host_name | The host name. Example "ip-1-1-1-1.us-west-1.compute.internal". | Required |
| capture_name | The capture name. | Required |
| agent_id | The agent ID. | Required |
| customer_id | The customer ID. | Required |
| machine_id | The machine ID/MAC. Example "01:aa:02:bb:03:cc". | Required |
| scan_duration | Capture duration in seconds. | Optional |
| scap_filter | Filter the scope of the capture to take. Example: (proc.name=ncat or proc.name=vi). | Optional |
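The two Input tables above (execute-response-action and create-system-capture) carry requirements that the integration can only report after a round trip to the Sysdig API: callerId must be unique on every call, process_id is required only for KILL_PROCESS, path_absolute only for FILE_QUARANTINE, and create-system-capture has six mandatory arguments. The following is an added example, not code from the integration or from Sysdig, showing how an automation can check those requirements before issuing the command. The function names, the numeric/absolute-path checks on process_id and path_absolute, and the positive-integer check on scan_duration are this example's own assumptions; the argument names and allowed actionType values come from the tables.

```python
"""Pre-flight argument checks for the Sysdig Response Actions commands.

Added example, not code from the integration itself. It encodes the
argument requirements listed in the execute-response-action and
create-system-capture tables so an automation can reject a malformed
call before it reaches the Sysdig API.
"""
import uuid

# Values the actionType argument accepts (from the Input table).
ACTION_TYPES = {
    "KILL_PROCESS", "KILL_CONTAINER", "STOP_CONTAINER",
    "PAUSE_CONTAINER", "FILE_QUARANTINE",
}

# Arguments that are always required, per command (from the tables).
REQUIRED = {
    "execute-response-action": ("actionType", "callerId"),
    "create-system-capture": (
        "container_id", "host_name", "capture_name",
        "agent_id", "customer_id", "machine_id",
    ),
}

# Arguments the table marks as required only for a given actionType.
CONDITIONAL = {
    "KILL_PROCESS": ("process_id",),
    "FILE_QUARANTINE": ("path_absolute",),
}


def new_caller_id() -> str:
    """callerId must be unique on every call; a random UUID guarantees that."""
    return str(uuid.uuid4())


def validate_args(command: str, args: dict, seen_caller_ids=None) -> list:
    """Return a list of problems with ``args`` for ``command`` (empty if OK).

    ``seen_caller_ids`` is an optional set of callerId values already used,
    so a playbook that retries does not resubmit the same ID (assumed check).
    """
    if command not in REQUIRED:
        return [f"unknown command: {command}"]

    errors = []
    for name in REQUIRED[command]:
        if not args.get(name):
            errors.append(f"missing required argument: {name}")

    if command == "execute-response-action":
        action = args.get("actionType")
        if action and action not in ACTION_TYPES:
            errors.append(f"invalid actionType: {action}")
        for name in CONDITIONAL.get(action, ()):
            if not args.get(name):
                errors.append(f"{name} is required for {action}")
        # Format checks below are this example's assumptions, not API rules.
        path = args.get("path_absolute", "")
        if action == "FILE_QUARANTINE" and path and not path.startswith("/"):
            errors.append("path_absolute must be an absolute path")
        pid = args.get("process_id", "")
        if action == "KILL_PROCESS" and pid and not str(pid).isdigit():
            errors.append("process_id must be numeric")
        if seen_caller_ids is not None and args.get("callerId") in seen_caller_ids:
            errors.append("callerId was already used")

    if command == "create-system-capture":
        duration = args.get("scan_duration")
        if duration is not None and (
            not str(duration).isdigit() or int(duration) <= 0
        ):
            errors.append("scan_duration must be a positive number of seconds")

    return errors


if __name__ == "__main__":
    # Constructed sample calls, not real incident data.
    quarantine = {
        "actionType": "FILE_QUARANTINE",
        "callerId": new_caller_id(),
        "container_id": "123456789123",
        "path_absolute": "/etc/sensitive",
    }
    print(validate_args("execute-response-action", quarantine))  # []
    bad = {"actionType": "KILL_PROCESS", "callerId": new_caller_id()}
    print(validate_args("execute-response-action", bad))  # ['process_id is required for KILL_PROCESS']
```

In an XSOAR automation the same args dict would be handed to demisto.executeCommand("execute-response-action", args) only when validate_args returns an empty list; keeping the callerId values a playbook has issued in a set and passing it as seen_caller_ids prevents a retry loop from reusing one.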

Context Output

| Path | Type | Description |
| --- | --- | --- |
| create_system_capture.Output | Dict | Output of the system capture created |

get-capture-file

Command to get a system capture based on the capture ID.

Base Command

get-capture-file

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| capture_id | System Capture ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| get_capture_file.Output | Dict | Output of the system capture downloaded |

get-action-execution

Get the status and information of a triggered action execution.

Base Command

get-action-execution

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action_execution_id | The action execution ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| get_action_execution.Output | Dict | Output of the action execution info |