SysdigResponseActions

This is an integration that will use Sysdig agent to respond to malicious activity by triggering different actions at the host or container level like killing a container, quarantine a file or perform a system capture.

Data Enrichment & Threat Intelligence · Sysdig Response Actions

Configuration parameters

  • url — Your server URL (required)
  • credentials — (required)
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • classifier — Classifier
  • mapper — Mapper (incoming)
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • max_fetch — The maximum number of incidents per fetch
  • first_fetch — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)

Commands (4)

  • create-system-capture

    Command to trigger a system capture, it will record all system calls at the host level.

  • execute-response-action

    Execute response actions through the Sysdig API.

  • get-action-execution

    Get the status and information of a triggered action execution.

  • get-capture-file

    Command to get a system capture based on the capture ID.