Rapid Response

Overview

With Rapid Response, Sysdig has introduced a way to grant designated Advanced Users in Sysdig Secure the ability to remote connect into a host directly from the Event stream and execute desired commands there.

Finding the team or developer responsible for an application in a cloud or Kubernetes environment can take hours or days. Troubleshooting a live issue or security event may require faster investigation, to lower the MTTR of these events.

Rapid Response allows security teams to connect to a remote shell within your environment to start troubleshooting and investigating an event using the commands they are already accustomed to, with the flexibility they need to run the security tools at their disposal, directly from the event alert.

Process Overview

  • Install: Install and configure the Rapid Response container on Sysdig Secure on-premises v4.0 and request that Sysdig Support enable the Rapid Response flag.

  • Create Teams: Create a team or teams of Sysdig Secure Advanced Users who should have Rapid Response privileges.

  • Enable: Enable Rapid Response for those teams

  • Use: Team members log in and manage events using Rapid Response shell or review and manage Rapid Response logs.

Create Rapid Response Teams

Rapid Response team members have access to a full shell from within the Sysdig Secure UI. Responsibility for the security of this powerful feature rests with you: your enterprise and your designated employees.

Suppose you have an existing team called CustomerResponse with 40 members and you’d like five of those users to be granted Rapid Response capabilities. You could create a team called, e.g., CustomerResponse_RR and add the five designated Advanced Users to it.

  • Create a team or teams, as described here.

  • Add users, assigning them the Advanced User role.

  • Enable Rapid Response for the designated team(s). Select Settings > Teams and choose a Rapid Response team from the list. On the resulting Edit Teams page, select the Enable Rapid Response checkbox.

Usage

There are two points of entry to the Rapid Response feature:

  • From the Investigate component link

  • From the Events feed detail panel

In either case, as soon as the user launches the session they are prompted for a 2FA code generated on the fly by the Sysdig backend. The code is emailed to the user.

Launch Session from Investigate Button

  • Log in to the Sysdig Secure UI as a Rapid Response team member.

  • Select Investigate > Rapid Response | Start Session.

  • Select the host as prompted and click Start Session.

  • Enter your password.

  • Enter the 2FA code that was emailed to your user address and click Confirm.

  • Begin your session. You can dock the terminal window at the bottom or right panel of your page, or as a separate screen.

Launch Session from Events Detail

  • Log in to the Sysdig Secure UI as a Rapid Response team member.

  • Select Events and choose an event from the list to open the detail pane. Click Respond: Launch Rapid Response.

  • Enter the 2FA code that was emailed to your user address and click Confirm.

  • Begin your session. You can dock the terminal window at the bottom or right panel of your page, or as a separate screen.

Manage Rapid Response Logs

When reviewing the logs, you can download log sessions that have been completed, or close sessions that are live, if needed.

The logs visible to the user depend on the team and role under which they are logged in. Administrators will see the entire log list.

Review Session Log Info

The Session Log list includes the session initiator, the timestamp, and the host name accessed.

Download Session Information

If the session has been closed, the content of the session (input and output) can be downloaded from the UI as a gzip-compressed, OpenSSL-compatible encrypted file.

To open the file, use one of the following commands, where session-file is the name of the downloaded file (openssl prompts for the passphrase):

    gzip -dc session-file | openssl enc -d -aes-256-ctr -pbkdf2

or, equivalently:

    zcat session-file | openssl enc -d -aes-256-ctr -pbkdf2
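The script below is an added example, not part of the Sysdig documentation or product: it wraps the command above in a function that reads the passphrase from a file (for scripted log review) and builds a constructed sample session file with the inverse pipeline so it can be tried offline. It assumes the download is gzip(openssl enc AES-256-CTR, PBKDF2) as the command implies, and that you already hold the passphrase; it also shows the check a reviewer wants, since CTR mode carries no integrity tag and a wrong passphrase yields garbage rather than an error.

```shell
#!/bin/sh
# Added example (not Sysdig code). Assumption: a downloaded Rapid Response
# session file is gzip-compressed OpenSSL "enc" output (AES-256-CTR, PBKDF2).
set -eu

# Decrypt SESSION_FILE with the passphrase stored in PASS_FILE; plaintext to stdout.
# Same pipeline as the documented command, but non-interactive via -pass file:.
decrypt_session() {
  session_file=$1
  pass_file=$2
  gzip -dc "$session_file" | openssl enc -d -aes-256-ctr -pbkdf2 -pass "file:$pass_file"
}

# Build a constructed sample file with the inverse pipeline (NOT a real export)
# so decrypt_session can be exercised without access to Sysdig Secure.
make_sample_session() {
  out=$1
  pass_file=$2
  printf 'user@host:~$ id\nuid=0(root) gid=0(root)\n' \
    | openssl enc -aes-256-ctr -pbkdf2 -pass "file:$pass_file" \
    | gzip -c > "$out"
}

# CTR mode has no authentication: a wrong passphrase decrypts "successfully"
# to random bytes. Succeed (exit 0) only if stdin is entirely printable text.
looks_like_transcript() {
  ! LC_ALL=C grep -q '[^[:print:][:space:]]'
}

# Demo: constructed passphrase and sample file in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed-passphrase' > "$demo_dir/pass"
make_sample_session "$demo_dir/session.gz" "$demo_dir/pass"
if decrypt_session "$demo_dir/session.gz" "$demo_dir/pass" | looks_like_transcript; then
  decrypt_session "$demo_dir/session.gz" "$demo_dir/pass"
else
  echo "decrypted output is not printable text: wrong passphrase or damaged file" >&2
fi
rm -rf "$demo_dir"
```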

Close an Active Session

Any Rapid Response team member can review the Session Log list and close any active session by clicking the Close link.



Last modified July 17, 2021: Aliases to old site urls (#98) (917a9be2)