





















Security teams waste precious time jumping between tools and stitching alerts together by hand. In fast-moving cloud environments, where workloads are ephemeral and scale shifts constantly, these delays drive up MTTR and create dangerous blind spots. Delays during an active threat amplify risk with every passing minute.
Sysdig has integrated with the Palo Alto Networks Cortex XSOAR platform to enhance incident management capabilities, with a strong focus on contextualization and rapid response actions.
This integration streamlines both automated and manual remediation of security incidents. Incident responders can quickly triage alerts and take precise, targeted actions at the host or container level—such as terminating compromised containers, quarantining suspicious files, or capturing detailed system activity for forensic analysis.
Effortlessly pull data from workloads, containers, cloud accounts, and even SaaS platforms into one cohesive view—no more chasing shadows across silos.
Automate the tedious stuff like data enrichment and case management, freeing us up to focus on the big picture.
Plus, it’s got our back with triggered response actions and system captures, firing off API calls to our backend for deeper analysis. It’s like having a Swiss Army knife that’s always one step ahead of the threats.
Integration possibilities vary based on factors like team dynamics and technical stack. Here, we’ll outline two of the most common integration patterns:
Sysdig provides real-time runtime insights, powered by Falco, across workloads in the cloud, containers, and hosts. XSOAR receives these threat notifications and triggers playbooks.
This direct approach is ideal for organizations that prioritize fast response times and want to minimize dependencies by bypassing additional layers like SIEM.

Some organizations prefer to centralize all security telemetry within a SIEM before handing off to XSOAR. In this pattern:

Cortex XSOAR Marketplace content packs are pre-built bundles of integrations. The Sysdig content pack includes a sample playbook that serves as a blueprint, and other objects like a sample mapper – making it easier for teams to build custom playbooks tailored to their needs.
Through the execute-response-action command. The integration supports the following action types:
KILL_PROCESSKILL_CONTAINERSTOP_CONTAINERPAUSE_CONTAINERFILE_QUARANTINEThe create-system-capture command triggers a system capture for a particular host. This is particularly useful for further forensic analysis. Read more about Sysdig System Captures
The flow consists of different stages:
As we saw above, there are two ways to ingest Sysdig runtime events. The more common is to send the runtime events straight to the XSOAR platform; which could be done using the Event Forwarder or notification channel to send the events to the XSOAR webhook. The other option is to send the events from Sysdig to a SIEM solution for further enrichment and then to the XSOAR platform. In any case, we are providing an incoming classifier that will allow mapping the fields we send as part of our payload to Incident Fields, so the XSOAR platform can classify the event with the correct type.
Based on the event or multiple events received from Sysdig, we will create a new Sysdig Runtime Event Incident. Based on the fields like the container ID, the host, and the Sysdig tenant, we will be able to run the different integration commands, including the execute-response-action to kill/pause/stop the container or quarantine a file.

This entire process can be wrapped and run automatically with a playbook. The playbook can be as complex as needed and can involve the execution of Sysdig commands to perform response actions or system captures, as well as other actions from different vendors. In this case, we are providing the Sysdig Trigger System Capture Playbook. More playbooks will be added in the next releases.

The purpose of this playbook is to automate the process of taking a system capture of an affected host. The steps are as follows:
Let’s assume Sysdig detects a crypto miner running in our environment, which triggers the Detect crypto miners using the Stratum protocol rule. Once we receive that event in the XSOAR platform, a new high-severity incident can be created. Thanks to the classifier, we can extract incident fields.

We will get an incident with the necessary fields like this. Check the incident type, the Playbook and the “Sysdig Incident Information” tabs.

The next step is to manage responding to the event. Since we don’t want a crypto miner in our environment consuming resources and generating profit for the attacker, we want to kill the container. To do that, we can run:
!execute-response-action actionType=KILL_CONTAINER callerId="soc_team" host_id="hostname-id" container_id="c000-000" Code language: YAML (yaml)
…in the War Room and manually extract the parameters needed from the incident fields.

The whole process can be automated with a custom playbook. The high-level steps for the playbook would be:
KILL_CONTAINER action type.To get started with the Sysdig integration for Cortex XSOAR, head to the XSOAR Marketplace.
From there, you can install the official integration pack directly into your XSOAR environment. Once installed, register a Sysdig account by providing the required API credentials, which enable secure communication between Sysdig and Cortex XSOAR.

To install a Sysdig Response Action instance, you will need to go to Settings > Instances and search for “Sysdig”. Click on “Add Instance”.

For the URL parameter, you have to indicate your Sysdig SaaS URL; refer to the documentation for a list categorized by region.
For the API Key field, refer to the documentation on how to retrieve it, and then create an XSOAR credential entry using the following documentation.

Scroll down to the “Collect” section and select the “Sysdig Runtime Event” incident type; as well as the “Sysdig Mapper Runtime Event” for the Mapper (incoming).

Then you should see a new instance configured and enabled.

Integrating Sysdig with Cortex XSOAR bridges the gap between deep runtime visibility and powerful automated response. By unifying detection and orchestration, security teams can cut through noise, reduce MTTR, and respond to threats at cloud speed. Whether starting with direct integration or a SIEM-driven workflow, this setup gives practitioners the confidence and agility needed to defend modern, dynamic environments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。