Integrate Sysdig Secure with Google SecOps
This document explains how to integrate Sysdig Secure with Google Security Operations (Google SecOps).
Integration version: 1.0
Integration parameters
The Sysdig Secure integration requires the following parameters:
Parameter | Description |
---|---|
API Root | Required. The API root of the Sysdig Secure instance. For more information about API root values, see Sysdig API. |
API Token | Required. The Sysdig Secure API token. For more information about how to generate tokens, see Retrieve the Sysdig API Token. |
Verify SSL | Required. If selected, the integration validates the SSL certificate when connecting to the Sysdig Secure server. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Ping
Use the Ping action to test the connectivity to Sysdig Secure.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Sysdig Secure server with the provided connection parameters! | The action succeeded. |
Failed to connect to the Sysdig Secure server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Sysdig Secure - Events Connector
Use the Sysdig Secure - Events Connector to pull events from Sysdig Secure.
To work with the dynamic list, use the ruleName parameter.
Connector inputs
The Sysdig Secure - Events Connector requires the following parameters:
Parameter | Description |
---|---|
Product Field Name | Required. The name of the field where the product name is stored. The default value is The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default. |
Event Field Name | Required. The name of the field that determines the event name (subtype). The default value is |
Environment Field Name | Optional. The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value. |
Environment Regex Pattern | Optional. A regular expression pattern to run on the value found in the Use the default value If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Required. The timeout limit, in seconds, for the Python process that runs the current script. The default value is |
API Root | Required. The API root of the Sysdig Secure instance. For more information about API root values, see Sysdig API. |
API Token | Required. The Sysdig Secure API token. For more information about how to generate tokens, see Retrieve the Sysdig API Token. |
Lowest Severity To Fetch | Optional. The lowest severity of the alerts to retrieve. If you don't configure this parameter, the connector ingests alerts with all severity levels. The possible values are as follows: |
Custom Filter Query | Optional. A query to filter, scope, or group events during ingestion. This parameter has priority over the The example of the input is as follows: |
Max Hours Backwards | Required. The number of hours prior to now to retrieve events. This parameter can apply to the initial connector iteration after you enable the connector for the first time, or the fallback value for an expired connector timestamp. The default value is |
Max Events To Fetch | Required. The maximum number of events to process in every connector iteration. The maximum value is The default value is |
Disable Overflow | Optional. If selected, the connector ignores the Google SecOps overflow mechanism. Not selected by default. |
Use dynamic list as a blocklist | Optional. If selected, the connector uses the dynamic list as a blocklist. Not selected by default. |
Verify SSL | Optional. If selected, the integration validates the SSL certificate when connecting to the Sysdig Secure server. Not selected by default. |
Proxy Server Address | Optional. The address of a proxy server to use. |
Proxy Username | Optional. The proxy username to authenticate with. |
Proxy Password | Optional. The proxy password to authenticate with. |
Connector rules
The Sysdig Secure - Events Connector supports proxies.
Connector events
The example of the Sysdig Secure - Events Connector event is as follows:
{
"id": "ID",
"reference": "0194cd55-6752-823e-990c-380977fa3ce8",
"cursor": "PTE4MjBjYTI0NjdjZDFjYzkwMzdlZDA0NGVkNjYyNzFh",
"timestamp": "2025-02-03T19:41:53.874140361Z",
"customerId": 2002953,
"originator": "policy",
"category": "runtime",
"source": "syscall",
"rawEventOriginator": "linuxAgent",
"rawEventCategory": "runtime",
"sourceDetails": {
"sourceType": "workload",
"sourceSubType": "host"
},
"engine": "falco",
"name": "Sysdig Runtime Threat Detection",
"description": "This policy contains rules which Sysdig considers High Confidence of a security incident. They are tightly coupled to common attacker TTP's. They have been designed to minimize false positives but may still result in some depending on your environment.",
"severity": 3,
"agentId": 118055020,
"machineId": "MACHINE_ID",
"content": {
"policyId": 10339481,
"ruleName": "Find Google Cloud Credentials",
"internalRuleName": "Find Google Cloud Credentials",
"ruleType": 6,
"ruleSubType": 0,
"ruleTags": [
"host",
"container",
"MITRE",
"MITRE_TA0006_credential_access",
"MITRE_TA0007_discovery",
"MITRE_T1552_unsecured_credentials",
"MITRE_T1552.004_unsecured_credentials_private_keys",
"MITRE_T1119_automated_collection",
"MITRE_T1555_credentials_from_password_stores",
"MITRE_TA0009_collection",
"process",
"gcp",
"MITRE_T1552.003_unsecured_credentials_bash_history"
],
"output": "OUTPUT",
"fields": {
"container.id": "host",
"container.image.repository": "<NA>",
"container.image.tag": "<NA>",
"container.name": "host",
"evt.args": "ARGS_VALUE",
"evt.res": "SUCCESS",
"evt.type": "execve",
"group.gid": "1010",
"group.name": "example",
"proc.aname[2]": "sshd",
"proc.aname[3]": "sshd",
"proc.aname[4]": "sshd",
"proc.cmdline": "grep private_key example_credentials.json",
"proc.cwd": "/home/example/",
"proc.exepath": "/usr/bin/grep",
"proc.hash.sha256": "9a9c5a0c3b5d1d78952252f7bcf4a992ab9ea1081c84861381380a835106b817",
"proc.name": "grep",
"proc.pcmdline": "bash",
"proc.pid": "402495",
"proc.pid.ts": "1738611713873608827",
"proc.pname": "bash",
"proc.ppid": "385443",
"proc.ppid.ts": "1738599569497780082",
"proc.sid": "385443",
"user.loginname": "example",
"user.loginuid": "1009",
"user.name": "example",
"user.uid": "1009"
},
"falsePositive": false,
"matchedOnDefault": false,
"templateId": 1331,
"policyType": "falco",
"AlertId": 1357687,
"origin": "Sysdig"
},
"labels": {
"agent.tag.role": "datafeeder",
"cloudProvider.account.id": "ACCOUNT_ID",
"cloudProvider.name": "gcp",
"cloudProvider.region": "europe-west3",
"gcp.compute.availabilityZone": "europe-west3-c",
"gcp.compute.image": "projects/debian-cloud/global/images/debian-example",
"gcp.compute.instanceId": "INSTANCE_ID",
"gcp.compute.instanceName": "example-instance",
"gcp.compute.machineType": "e2-standard-2",
"gcp.location": "europe-west3",
"gcp.projectId": "PROJECT_ID",
"gcp.projectName": "example-project",
"host.hostName": "example-instance",
"host.id": "HOST_ID",
"orchestrator.type": "none",
"process.name": "grep private_key example_credentials.json"
}
}
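The following added example (not part of this document or of the Sysdig Secure integration code) shows how the connector parameters described above act on events of the shape shown in the sample: the Max Hours Backwards window, the Lowest Severity To Fetch threshold, the dynamic list applied to `content.ruleName` as an allowlist or blocklist, the Environment Field Name and Environment Regex Pattern rules, and the Max Events To Fetch cap. The sample events, the `NOW` timestamp, the function names, and the numeric severity bands behind the High/Medium/Low/Info labels are all assumptions made for this example; the page does not list the severity values, and the treatment of a non-matching environment regex (fall back to the default environment) is likewise assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, modelled on the event shape shown on this page
# (only the fields the logic below reads are kept).
SAMPLE_EVENTS = [
    {
        "id": "evt-0",
        "timestamp": "2025-02-01T08:00:00.000000000Z",
        "severity": 1,
        "content": {"ruleName": "Launch Suspicious Network Tool",
                    "ruleTags": ["MITRE_T1046_network_service_discovery"]},
        "labels": {"gcp.projectName": "prod-project", "host.hostName": "node-1"},
    },
    {
        "id": "evt-1",
        "timestamp": "2025-02-03T19:41:53.874140361Z",
        "severity": 3,
        "content": {"ruleName": "Find Google Cloud Credentials",
                    "ruleTags": ["host", "MITRE_TA0006_credential_access",
                                 "MITRE_T1552_unsecured_credentials", "gcp"]},
        "labels": {"gcp.projectName": "example-project", "host.hostName": "example-instance"},
    },
    {
        "id": "evt-2",
        "timestamp": "2025-02-03T19:45:00.000000000Z",
        "severity": 6,
        "content": {"ruleName": "Terminal shell in container", "ruleTags": ["container"]},
        "labels": {"gcp.projectName": "prod-project", "host.hostName": "node-7"},
    },
    {
        "id": "evt-3",
        "timestamp": "2025-02-03T19:50:00.000000000Z",
        "severity": 2,
        "content": {"ruleName": "Launch Suspicious Network Tool",
                    "ruleTags": ["MITRE_T1046_network_service_discovery"]},
        "labels": {"gcp.projectName": "prod-project", "host.hostName": "node-8"},
    },
]

# Assumed mapping of the Lowest Severity To Fetch labels to Sysdig's numeric
# severity, where 0 is the most severe. The page does not list these values.
SEVERITY_BANDS = {"High": range(0, 4), "Medium": range(4, 6), "Low": range(6, 7), "Info": range(7, 8)}


def parse_ts(ts):
    """Parse the event's RFC 3339 UTC timestamp, ignoring sub-second digits."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def passes_severity(event, lowest):
    """Keep the event when no threshold is set or it is at least as severe as `lowest`."""
    if lowest is None:
        return True
    return event["severity"] <= max(SEVERITY_BANDS[lowest])


def passes_dynamic_list(event, dynamic_list, use_as_blocklist):
    """Apply the dynamic list to content.ruleName as an allowlist or, if selected, a blocklist."""
    if not dynamic_list:
        return True
    matched = event.get("content", {}).get("ruleName") in dynamic_list
    return not matched if use_as_blocklist else matched


def resolve_environment(event, env_field, env_regex, default_env):
    """Mirror the Environment Field Name / Environment Regex Pattern rules."""
    value = event.get("labels", {}).get(env_field)
    if value is None or not env_regex:
        return default_env
    match = re.search(env_regex, value)
    # Assumption: a pattern that does not match also falls back to the default environment.
    return match.group(0) if match else default_env


def fetch_events(events, now, max_hours_backwards=24, max_events=100, lowest_severity=None,
                 dynamic_list=(), use_as_blocklist=False, env_field="gcp.projectName",
                 env_regex=".*", default_env="Default Environment"):
    """Select and normalise events the way the connector parameters describe."""
    window_start = now - timedelta(hours=max_hours_backwards)
    selected = []
    # Oldest first; the constructed timestamps share one layout, so string order is time order.
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if parse_ts(ev["timestamp"]) < window_start:
            continue
        if not passes_severity(ev, lowest_severity):
            continue
        if not passes_dynamic_list(ev, dynamic_list, use_as_blocklist):
            continue
        selected.append({
            "id": ev["id"],
            "rule": ev["content"]["ruleName"],
            "severity": ev["severity"],
            "environment": resolve_environment(ev, env_field, env_regex, default_env),
            # Technique tags only (MITRE_T<digits>), not tactic tags such as MITRE_TA0006.
            "mitre": [t for t in ev["content"].get("ruleTags", []) if re.match(r"MITRE_T\d", t)],
        })
        if len(selected) >= max_events:
            break
    return selected


NOW = datetime(2025, 2, 3, 20, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    for row in fetch_events(SAMPLE_EVENTS, NOW, lowest_severity="Medium",
                            dynamic_list={"Terminal shell in container"}, use_as_blocklist=True):
        print(row)
```

With the defaults, `evt-0` is dropped because it is older than the 24-hour window; setting `lowest_severity="Medium"` keeps only the numeric severities 0 to 5, and the same dynamic list flips between keeping and dropping a rule depending on the blocklist switch.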