# Sysdig Response Actions

This integration is part of the Sysdig Response Actions Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This integration uses the Sysdig agent to respond to malicious activity by triggering actions at the host or container level, such as killing a container, quarantining a file, or performing a system capture.

This integration was integrated and tested with Host Shield 13.9.1 of the Sysdig Agent and ResponseActions version 0.1.0.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.
## Configure Sysdig Response Actions in Cortex

| Parameter | Required |
| --- | --- |
| Your server URL | True |
| API Key | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Classifier | False |
| Incident type (if classifier doesn't exist) | False |
| Mapper (incoming) | False |
## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### execute-response-action

Executes response actions through the Sysdig API.

#### Base Command

`execute-response-action`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| actionType | Action type to perform. Possible values are: KILL_PROCESS, KILL_CONTAINER, STOP_CONTAINER, PAUSE_CONTAINER, FILE_QUARANTINE. | Required |
| callerId | The caller ID; it must be unique for every call. | Required |
| container_id | The container ID the action applies to. Example "container.id": "123456789123". | Optional |
| path_absolute | The absolute path of the file to quarantine. Example "/etc/sensitive". Required for the FILE_QUARANTINE action. | Optional |
| host_id | The host ID. Example "laksjdf1923u90snca893". | Optional |
| process_id | The process ID. Example "1234". Required for the KILL_PROCESS action. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| execute_response_action.Output | Dict | Output of the response-actions API |
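The argument table above encodes rules that are easy to get wrong from a playbook (an action type outside the allowed set, a reused callerId, FILE_QUARANTINE without path_absolute, KILL_PROCESS without process_id). The following Python pre-flight check is an added example, not code from the pack; it assumes that the container actions need container_id and renders the War Room command line in the usual `!command key="value"` form, both of which are assumptions rather than statements from the pack.

```python
import uuid

# Allowed actionType values, from the execute-response-action Input table.
ACTION_TYPES = {"KILL_PROCESS", "KILL_CONTAINER", "STOP_CONTAINER",
                "PAUSE_CONTAINER", "FILE_QUARANTINE"}

# Extra argument each action needs. path_absolute and process_id are stated
# by the table; requiring container_id for container actions is an assumption.
REQUIRED_EXTRA = {
    "FILE_QUARANTINE": "path_absolute",
    "KILL_PROCESS": "process_id",
    "KILL_CONTAINER": "container_id",
    "STOP_CONTAINER": "container_id",
    "PAUSE_CONTAINER": "container_id",
}

# callerIds already issued from this process; the table says each must be unique.
_used_caller_ids = set()


def new_caller_id():
    """Return a fresh callerId that cannot collide with earlier ones."""
    return str(uuid.uuid4())


def validate_response_action(args):
    """Return a list of problems; an empty list means the arguments are usable."""
    problems = []
    action = args.get("actionType")
    if action not in ACTION_TYPES:
        return [f"actionType {action!r} is not one of {sorted(ACTION_TYPES)}"]
    caller = args.get("callerId")
    if not caller:
        problems.append("callerId is required")
    elif caller in _used_caller_ids:
        problems.append(f"callerId {caller!r} has already been used")
    extra = REQUIRED_EXTRA[action]
    if not args.get(extra):
        problems.append(f"{action} requires {extra}")
    path = args.get("path_absolute")
    if action == "FILE_QUARANTINE" and path and not path.startswith("/"):
        problems.append("path_absolute must be an absolute path")
    return problems


def build_command(args):
    """Render the War Room command line for valid arguments and record the callerId."""
    problems = validate_response_action(args)
    if problems:
        raise ValueError("; ".join(problems))
    _used_caller_ids.add(args["callerId"])
    return "!execute-response-action " + " ".join(f'{k}="{v}"' for k, v in args.items())
```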
### create-system-capture

Triggers a system capture, which records all system calls at the host level.

#### Base Command

`create-system-capture`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| container_id | The container ID the capture applies to. Example "container.id": "123456789123". | Required |
| host_name | The host name. Example "ip-1-1-1-1.us-west-1.compute.internal". | Required |
| capture_name | The capture name. | Required |
| agent_id | The agent ID. | Required |
| customer_id | The customer ID. | Required |
| machine_id | The machine ID/MAC address. Example "01:aa:02:bb:03:cc". | Required |
| scan_duration | Capture duration in seconds. | Optional |
| scap_filter | Filter that narrows the scope of the capture. Example: (proc.name=ncat or proc.name=vi). | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| create_system_capture.Output | Dict | Output of the system capture created |
### get-capture-file

Retrieves a system capture by its capture ID.

#### Base Command

`get-capture-file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| capture_id | System capture ID. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| get_capture_file.Output | Dict | Output of the system capture downloaded |
### get-action-execution

Gets the status and details of a triggered action execution.

#### Base Command

`get-action-execution`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action_execution_id | The action execution ID. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| get_action_execution.Output | Dict | Output of the action execution info |