Sysdig Response Actions
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
- [x] In Progress
- [ ] Ready
- [ ] In Hold - (Reason for hold)
Related Issues
NA
Description
Adding a new Sysdig pack for Response Actions. It is a functionality that lets you respond to a variety of incidents, such as threats, activity audits, and runtime events, by executing actions like killing/stopping/pausing a malicious container, quarantining a file ...
Must have
- [x] Tests
- [x] Documentation
Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @MosheEichler will know the proposed changes are ready to be reviewed. For your convenience, here is a link to the contributions SLAs document.
Hi @S3B4SZ17, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.
Hi @S3B4SZ17 Please fill the contribution form here
Contribution Registration
Hi @edik24, the form was already submitted a couple of days ago. Please advise if all the details submitted are the expected ones and if we are on track. Cheers
@S3B4SZ17 Please also sign the CLA here
Hi @S3B4SZ17, we haven’t heard from you in a while. Do you need any help with the pull request?
Please feel free to reach out to me here or on Slack. Thanks again for contributing to our repo, hope to hear from you soon.
Hi @S3B4SZ17, we haven’t heard from you in a while. Do you need any help with the pull request?
Please feel free to reach out to me here or on Slack. Thanks again for contributing to our repo, hope to hear from you soon.
Hi Moshe, thanks for reaching out. I was able to work on the changes this week and submitted them. However, I have a few questions and sent them to you over the Slack channel. Thanks for the help
For the Reviewer: Trigger build request has been accepted for this contribution PR.
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/3681478
Hi, @MosheEichler. Did you have the chance to review the latest changes? Thank you
Please see my comment And fix the build failures
Note:
- A release notes file is missing
- You have some secrets you should either remove or add to the secrets ignore
Let me know if you need help with the build failures
- Regarding the release notes and this doc, I see that for new packs release notes are not required and will be created automatically, or should we just add a new 1_0_0.md file under ReleaseNotes?
- Added the entries to the .secrets-ignore file
Hi @S3B4SZ17, I saw you fixed some of my comments — thanks! A few remaining points:
Mapper
The Hostname field is currently mapped to labels.host\.name. Could you provide an example of how this field is populated from the API response?
Playbook
- Add a step at the beginning to check if a Sysdig instance is enabled before running the script, to avoid errors.
- Add a Done step at the end.
- Map the else or No path from the "Do we trigger a system capture?" step to the Done step.
- Align and organize the playbook steps for better visibility and logical flow.
Let me know once it’s updated so I can review again.
Mapper
Currently, the field Source Hostname is mapped to labels."host.hostName", which is an entry that should be coming from our JSON payload for each Sysdig event and its source. In this case, it is necessary to take a system capture of the syscall since it is per host. So the capture is a response to having that entry. That will generate a .scap file and will be attached to the war room for later analysis.
Playbook
Applied the changes to the playbook so it can be more interactive and will be easier to manage.
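The mapper discussion above turns on a detail worth seeing in code: the hostname lives under a key that itself contains a dot (`host.hostName` inside `labels`), so a plain dotted path would descend into a non-existent `host` object, which is why the two spellings in the thread (`labels."host.hostName"` and `labels.host\.name`) use quoting or escaping. The following is an added illustration, not code from the Sysdig pack or from Cortex XSOAR: a small path resolver that handles both conventions, applied to a constructed Sysdig-style event payload, and a helper that decides whether a host-level capture has a target. The event structure, the `split_path`/`resolve`/`capture_target` names, and the sample values are all assumptions made for the example.

```python
import json

# Constructed sample event in the general shape discussed in the thread
# (a "labels" object with dot-containing keys). Not real Sysdig output.
SAMPLE_EVENT_JSON = json.dumps({
    "id": "evt-0001",
    "name": "Terminal shell in container",
    "labels": {
        "host.hostName": "node-a",
        "container.name": "web-1",
        "kubernetes.pod.name": "web-1-7d9f",
    },
    "content": {"fields": {"proc.cmdline": "bash"}},
})


def load_sample() -> dict:
    """Parse the constructed sample event into a dict."""
    return json.loads(SAMPLE_EVENT_JSON)


def split_path(path: str) -> list:
    """Split a mapper-style path into key segments.

    Supports two ways of keeping a dot inside one key:
      - backslash escaping:   labels.host\\.name   -> ["labels", "host.name"]
      - double-quoted segment: labels."host.hostName" -> ["labels", "host.hostName"]
    An unquoted, unescaped dot always separates segments.
    """
    segments, buf, in_quote, i = [], [], False, 0
    while i < len(path):
        ch = path[i]
        if ch == "\\" and i + 1 < len(path):
            buf.append(path[i + 1])      # escaped char is literal (incl. '.')
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote       # quotes delimit a literal segment
            i += 1
            continue
        if ch == "." and not in_quote:
            segments.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    segments.append("".join(buf))
    return segments


def resolve(event: dict, path: str):
    """Walk the event dict along the path; return None if any segment is missing."""
    node = event
    for seg in split_path(path):
        if not isinstance(node, dict) or seg not in node:
            return None
        node = node[seg]
    return node


def capture_target(event: dict, host_path: str = 'labels."host.hostName"'):
    """Return the hostname a per-host capture would target, or None.

    Mirrors the playbook logic described in the thread: a system capture is
    only meaningful when the event carries a host entry.
    """
    host = resolve(event, host_path)
    return host if isinstance(host, str) and host else None


if __name__ == "__main__":
    evt = load_sample()
    for p in ['labels."host.hostName"', r"labels.host\.hostName", "labels.host.hostName"]:
        print(f"{p:32} -> {resolve(evt, p)!r}")
    print("capture target:", capture_target(evt))
```

Running the script shows that the quoted and escaped forms both reach `node-a`, while the unescaped `labels.host.hostName` returns `None` because there is no intermediate `host` object. Whether the key is `host.hostName` or `host.name` in a real payload is exactly the question the reviewer raises above; the resolver is neutral on that and simply returns `None` for whichever key the payload does not carry.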
In the playbook, change the type of "Done" step from "Standard" to "Section Header"
Done
doc_files
Thanks! Updated the docs and image of the playbook. Waiting for next steps
Thank you for your contribution. Your external PR has been merged and the changes are now included in an internal PR for further review. The internal PR will be merged to the master branch within 3 business days.