Rapid Response

Finding the team or developer responsible for an application in a cloud or Kubernetes environment can take hours or days. Troubleshooting a live issue or security event may require faster investigation, to lower the mean time to repair (MTTR) of these events.

Rapid Response allows security teams to connect to a remote shell within your environment to start troubleshooting and investigating an event using the commands they are already accustomed to, with the flexibility they need to run the security tools at their disposal, directly from the event alert.

Prerequisites

To Download Session Information, the following prerequisites are required:

• OpenSSL >= 1.1.1

• A properly configured Custom S3 storage bucket.

Process Overview

• Install: Install and configure the Rapid Response container on

  • Sysdig Secure on-premises v4.0+ or
  • Sysdig Secure SaaS

• Configure Teams: Create or configure teams of Sysdig Secure Advanced Users who should have Rapid Response privileges.

• Use: Team members log in and manage workloads using Rapid Response shell.

• Check logs Review session logs to keep track of what has been done using Rapid Response.

Configure Rapid Response Teams

For example, if you have an existing team called CustomerResponse with 40 members and you’d like five of those users to be granted Rapid Response capabilities. You could create a team called CustomerResponse_RR and add the five designated Advanced Users to it.

1. Create a team or teams, as described in Create in Team.

2. Add users**, assigning them the **Advanced User role.

3. Check the Rapid Response additional permission checkbox.

Enable Rapid Response for an Existing Team

To enable Rapid Response for an existing team:

1. Go to Settings > Teams.

2. Choose the applicable team to display the Edit Teams page.

3. Select the Rapid Response checkbox in the additional permissions section and click Save.

Usage

You can access the Rapid Response feature in either of the following ways:

Launch Session from Investigate Button

1. Log in to the Sysdig Secure UI as a Rapid Response team member.

2. Select Investigate > Start Rapid Response.

3. Select the host as prompted and click Start Session.

4. Enter the passphrase for that host.

5. Enter the two-factor authentication code that was emailed to you and click Confirm.

6. Begin your session. You can dock the terminal window at the bottom or right panel of your page, or as a separate screen.

Launch Session from Events Detail

1. Log in to the Sysdig Secure UI as a Rapid Response team member.

2. Select Events and choose an event from the list to open the detail pane. Click Respond: Launch Rapid Response.

3. Enter the two-factor authentication code that was emailed to you and click Confirm.

4. Begin your session. You can dock the terminal window at the bottom or right panel of your page, or as a separate screen.

Manage Rapid Response Logs

When reviewing the logs, you can download completed log sessions or close sessions that are live.

The logs visible to you depend on the team and role under which you are logged in. Administrators will see the entire log list.

The Session Log list includes the session initiator, the timestamp, and the host name accessed.

Download Session Information

If the session has been closed, you can download the content of the session from the UI (input and output) as an Open SLL-compatible gzip encrypted file.

To open the file, use the following command (session-file is the name of the downloaded file and <passphrase> is the passphrase you set up for that host during the installation):

gzip -dc <session-file> | openssl enc -d -aes-256-ctr -pbkdf2 -k <passphrase>

Close an Active Session

Rapid Response team members can review the Session Log list and close any active session by clicking Close.