Rapid Response

Rapid Response is a tool that lets security teams connect to a remote shell within your environment to start troubleshooting and investigating an event using the commands they are already accustomed to, with the flexibility they need to run the security tools at their disposal, directly from the event alert.

Prerequisites

Configure Shield

Create a Team for Rapid Response

Rapid Response team members have access to a shell in the Sysdig Agent from within the Sysdig Secure UI. Provision permissions and capabilities accordingly.

You can configure a team to grant Rapid Response permissions to particular users. For example, if you have an existing team called CustomerResponse with 40 members and you’d like to grant 5 of those users Rapid Response capabilities, you could create a team called CustomerResponse_RR and add the 5 designated Advanced Users to it.

To create a team with Rapid Response permission:

  1. Log in to Sysdig Secure as Admin.

  2. Select Settings > Teams.

  3. Select Add team.

  4. Enter the team name and configure the team details.

  5. Check the Rapid Response additional permission checkbox.

  6. Select Save.

Enable Rapid Response for an Existing Team

To enable Rapid Response for an existing team:

  1. Go to Settings > Teams.

  2. Choose the applicable team to display the Edit Teams page.

  3. Select the Rapid Response checkbox in the additional permissions section and click Save.

Store Session Information

Rapid Response can store session logs on S3, if a Custom S3 storage bucket is provided.

To learn how to configure it, see Install Rapid Response.

Start Rapid Response

  1. Log in to the Sysdig Secure UI as a Rapid Response team member.

  2. Select Threats > Start Rapid Response.

  3. Select the host as prompted and click Start Session.

  4. Enter the passphrase for that host.

  5. Enter the two-factor authentication code that was emailed to you and click Confirm.

  6. Begin your session.

    You can dock the terminal window in the bottom or right panel of the page, or open it as a separate window.

Launch a Rapid Response Session from Events Feed

  1. Log in to the Sysdig Secure UI as a Rapid Response team member.

  2. Select Events and choose an event from the list to open the detail pane.

  3. Click Respond: Open Shell.

  4. Enter the two-factor authentication code that was emailed to you and click Confirm.

  5. Begin your session.

    You can dock the terminal window in the bottom or right panel of the page, or open it as a separate window.

Manage Rapid Response Logs

When reviewing the logs, you can download the logs of completed sessions or close sessions that are still live.

If you’re using Sysdig SaaS, configure storage for Rapid Response logs so that they are retained.

The logs visible to you depend on the team and role under which you are logged in. Administrators will see the entire log list.

The Session Log list includes the session initiator, the timestamp, and the host name accessed.

Download Session Information

Rapid Response stores session logs only if a Custom S3 storage bucket is set up. To learn how, see Store Session Information.

When the session is closed, you can download the content of the session (input and output) from the UI as a gzip-compressed file encrypted in an OpenSSL-compatible format.

To open the file, use the following command (<session-file> is the name of the downloaded file and <passphrase> is the passphrase you set up for that host during the installation):

gzip -dc <session-file> | openssl enc -d -aes-256-ctr -pbkdf2 -k <passphrase>
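As an added example, not part of the Sysdig documentation or product, the following POSIX shell helper wraps the command above: it checks that the download is a gzip stream carrying an OpenSSL "Salted__" ciphertext, reads the host passphrase from a file with -pass file: instead of the -k argument (so it does not show up in the process list or shell history), and writes the plaintext with owner-only permissions. The function name and the passphrase-file convention are assumptions made for this example.

```shell
#!/bin/sh
# decrypt_rr_session: hypothetical helper (not part of Sysdig) that wraps the
# documented pipeline  gzip -dc <file> | openssl enc -d -aes-256-ctr -pbkdf2
# Usage: decrypt_rr_session <session-file> <passphrase-file> <output-file>
# The passphrase is read with -pass file: so it never appears on the command
# line; the file should hold the host passphrase on its first line.
decrypt_rr_session() {
    session_file=$1; pass_file=$2; out_file=$3
    [ -f "$session_file" ] || { echo "no such session file: $session_file" >&2; return 1; }
    [ -f "$pass_file" ] || { echo "no such passphrase file: $pass_file" >&2; return 1; }

    # The download is a gzip stream; check the magic bytes (1f 8b) first.
    magic=$(od -An -tx1 -N2 "$session_file" | tr -d ' \n')
    [ "$magic" = "1f8b" ] || { echo "not a gzip file: $session_file" >&2; return 1; }

    # Decompress to a private temp file (still ciphertext at this point).
    tmp=$(mktemp) || return 1
    if ! gzip -dc "$session_file" > "$tmp"; then
        rm -f "$tmp"; echo "gzip decompression failed" >&2; return 1
    fi

    # openssl enc with -pbkdf2 writes a "Salted__" header followed by the salt;
    # its absence means this is not an OpenSSL enc ciphertext.
    if [ "$(head -c 8 "$tmp")" != "Salted__" ]; then
        rm -f "$tmp"; echo "missing OpenSSL Salted__ header" >&2; return 1
    fi

    # Decrypt with the same parameters as the documented command. AES-CTR has
    # no padding, so a wrong passphrase yields garbage rather than an error:
    # inspect the output before trusting it.
    ( umask 077   # plaintext session log is owner-readable only
      openssl enc -d -aes-256-ctr -pbkdf2 -pass "file:$pass_file" \
          -in "$tmp" -out "$out_file" )
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run directly as a script with three arguments; when sourced, only defines the function.
if [ "$#" -eq 3 ]; then
    decrypt_rr_session "$@"
fi
```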

Close an Active Session

Rapid Response team members can review the Session Log list and close any active session by clicking Close from the Actions column.