Updated the overall docs and release notes for version 1.0.1

Signed-off-by: S3B4SZ17 <[email protected]>

Author: S3B4SZ17

Packs/Sysdig/.pack-ignore

@@ -1,2 +1,7 @@
 [file:README.md]
-ignore=RM108
+ignore=RM108
+
+[known_words]
+Mappers
+Mapper
+Runtime

Packs/Sysdig/Classifiers/classifier-Sysdig_Mapper_RuntimeEvents.json renamed to Packs/Sysdig/Classifiers/classifier-Sysdig_Mapper_Webhook.json

@@ -12,8 +12,11 @@ This is the default integration for this content pack when configured by the Dat
 | Trust any certificate (not secure) | False |
 | Use system proxy settings | False |
 | Classifier | False |
-| Incident type (if classifier doesn't exist) | False |
 | Mapper (incoming) | False |
+| Fetch incidents |  |
+| Incident type |  |
+| The maximum number of incidents per fetch |  |
+| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
 
 ## Commands
 
@@ -23,7 +26,7 @@ After you successfully execute a command, a DBot message appears in the War Room
 ### execute-response-action
 
 ***
-Execute response actions through the Sysdig API
+Execute response actions through the Sysdig API.
 
 #### Base Command
 
@@ -37,14 +40,14 @@ Execute response actions through the Sysdig API
 | callerId | The caller ID, it must be unique every time. | Required |
 | container_id | The container ID to apply the action. Example "container.id": "123456789123". | Optional |
 | path_absolute | The path of the file to quarantine. Example "/etc/sensitive". Required for the `FILE_QUARANTINE` action. | Optional |
-| host_id | The host ID. Example "laksjdf1923u90snca893". | Optional |
+| host_id | The host ID. Example "gke-host-1234". | Optional |
 | process_id | The process ID. Example "1234". Required for the `KILL_PROCESS` action. | Optional |
 
 #### Context Output
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| execute_response_action.Output | Dict | Output of the response-actions API |
+| execute_response_action.Output | Dict | Output of the response-actions API. |
 
 ### create-system-capture
 
@@ -72,7 +75,7 @@ Command to trigger a system capture, it will record all system calls at the host
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| create_system_capture.Output | Dict | Output of the system capture created |
+| create_system_capture.Output | Dict | Output of the system capture created. |
 
 ### get-capture-file
 
@@ -93,12 +96,12 @@ Command to get a system capture based on the capture ID.
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| get_capture_file.Output | Dict | Output of the system capture downloaded |
+| get_capture_file.Output | Dict | Output of the system capture downloaded. |
 
 ### get-action-execution
 
 ***
-Get the status and information of a triggered action execution
+Get the status and information of a triggered action execution.
 
 #### Base Command
 
@@ -114,4 +117,4 @@ Get the status and information of a triggered action execution
 
 | **Path** | **Type** | **Description** |
 | --- | --- | --- |
-| get_action_execution.Output | Dict | Output of the action execution info |
+| get_action_execution.Output | Dict | Output of the action execution info. |

Packs/Sysdig/Integrations/SysdigResponseActions/README.md

@@ -4,4 +4,4 @@
 
 For the **URL** parameter use your Sysdig SaaS url, refer to the [documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/#sysdig-platform-regions) for a list of them based on the region.
 
-For the **API Key** field refer to the [documentation](https://docs.sysdig.com/en/retrieve-the-sysdig-api-token/) on how to retrieve it
+For the **API Key** field refer to the [documentation](https://docs.sysdig.com/en/retrieve-the-sysdig-api-token/) on how to retrieve it

Packs/Sysdig/Integrations/SysdigResponseActions/SysdigResponseActions_description.md

@@ -1,4 +1,4 @@
 !get-capture-file capture_id="123456-123456"
-!execute-response-action actionType=KILL_CONTAINER callerId="test_kill_container_07" container_id="123456789012" process_id=12345
-!create-system-capture agent_id="123456" capture_name="test_capture" container_id="123456789012" customer_id="223344" host_name="ip-1-2-3-4.us-west-1.compute.internal" machine_id="aa:bb:cc:11:22:33" scan_duration=15
+!execute-response-action actionType=KILL_CONTAINER callerId="test_kill_container_07" container_id="123456789012"
+!create-system-capture container_id="accc" host_name="i-0caaaa" capture_name="xsoar-capture-1234" agent_id="1234567" customer_id="1234" machine_id="00:11:22:33:44" scan_duration="15"
 !get-action-execution action_execution_id="987654321"

Packs/Sysdig/Integrations/SysdigResponseActions/command_examples.txt

@@ -1,18 +1,15 @@
-# Sysdig Response Actions
-
-This integration utilizes the Sysdig agent and the Sysdig Response Actions API to facilitate automated and manual remediation of security incidents. It enables security teams to take precise actions at the host or container level, such as terminating compromised containers, quarantining suspicious files, or capturing detailed system activity for forensic analysis. These capabilities are designed to enhance incident response workflows and improve overall security operations.
+The Sysdig Cortex XSOAR content pack features runtime security insights and automated response capabilities that integrate seamlessly with Cortex XSOAR analytics.
+Use this Content Pack to detect, investigate, and respond to security threats across your containerized and cloud-native environments.
 
 ## What does this pack do?
 
-This pack leverages the Sysdig Response Actions API to enable automated and manual responses to security incidents. Key features include:
+Provide integrations that will help you to:
 
-- **Container Management**: Terminate malicious containers to prevent further damage.
-- **File Quarantine**: Isolate suspicious files to mitigate potential threats.
-- **System Capture**: Perform detailed system captures for forensic analysis.
-- **Host-Level Actions**: Execute commands or scripts on hosts to remediate issues.
+- **Container Management**: Terminate malicious containers to prevent further damage and stop lateral movement.
+- **File Quarantine**: Isolate suspicious files to mitigate potential threats and preserve evidence for investigation.
+- **System Capture**: Perform detailed system captures for forensic analysis and root cause investigation.
+- **Real-time Response**: Leverage Sysdig's Response Actions API for immediate automated and manual incident response.
 
-These capabilities help streamline incident response and enhance security posture.
+These capabilities help streamline incident response workflows and enhance your overall security posture through precise, targeted actions at the host and container level.
 
 _For more information, visit [Sysdig](https://sysdig.com)_.
-
-[![Sysdig Overview](doc_files/Author_image.png)](https://sysdig.com)

Packs/Sysdig/README.md

@@ -0,0 +1,77 @@
+
+#### Incident Fields
+
+<!--
+##### Sysdig Container ID
+
+- Added a new incident field- Sysdig Container ID that The Sysdig Container ID.
+-->
+##### Sysdig Agent Version
+
+- Added a new incident field- Sysdig Agent Version.
+
+##### Sysdig Category
+
+- Added a new incident field- Sysdig Category.
+
+##### Sysdig Rule Name
+
+- Added a new incident field- Sysdig Rule Name.
+
+##### Sysdig Event ID
+
+- Added a new incident field- Sysdig Event ID.
+
+##### Sysdig Severity
+
+- Added a new incident field- Sysdig Severity.
+
+##### Sysdig Agent ID
+
+- Updated the incident field- Sysdig Agent ID to new `number` type.
+
+##### Sysdig Customer ID
+
+- Updated the incident field- Sysdig Customer ID to new `number` type.
+
+##### Sysdig Policy
+
+- Added a new incident field- Sysdig Policy.
+
+#### Layouts
+
+##### Sysdig Incident
+
+- Updated the layout- Sysdig Incident that to include the new Sysdig Fields.
+
+#### Mappers
+
+##### Sysdig Mapper Runtime Event
+
+- Updated the mapper- Sysdig Mapper Runtime Event to include new Sysdig incident fields.
+
+<!--
+#### Playbooks
+
+##### Sysdig Trigger System Capture
+
+Added a new Example playbook on how to manage different response actions based on incident fields.
+
+#### Incident Types
+
+##### Sysdig Runtime Event
+
+- Added a new incident type- Sysdig Runtime Event for incidents.
+
+#### Integrations
+
+##### Sysdig Response Actions
+
+- Added a new integration- SysdigResponseActions that This is an integration that will use Sysdig agent to respond to malicious activity by triggering different actions at the host or container level like killing a container, quarantine a file or perform a system capture.
+
+- Added the following commands:
+	- ***execute-response-action***
+	- ***create-system-capture***
+	- ***get-capture-file***
+	- ***get-action-execution***
+-->

Packs/Sysdig/ReleaseNotes/1_0_1.md

@@ -1,8 +1,8 @@
 {
-    "name": "Sysdig Response Actions",
-    "description": "This is an integration that will use Sysdig agent to respond to malicious activity by triggering different actions at the host or container level like killing a container, quarantine a file or perform a system capture",
+    "name": "Sysdig",
+    "description": "Integrates with Sysdig to provide incident enrichment and response capabilities to threat events.",
     "support": "partner",
-    "currentVersion": "1.0.0",
+    "currentVersion": "1.0.1",
     "author": "Sysdig",
     "url": "https://sysdig.com/support/",
     "email": "[email protected]",