Integrate Sysdig Secure with Google SecOps

This document explains how to integrate Sysdig Secure with Google Security Operations (Google SecOps).

Integration version: 1.0

Integration parameters

The Sysdig Secure integration requires the following parameters:

Parameter Description
API Root

Required.

The API root of the Sysdig Secure instance.

For more information about API root values, see Sysdig API.

API Token

Required.

The Sysdig Secure API token.

For more information about how to generate tokens, see Retrieve the Sysdig API Token.

Verify SSL

Required.

If selected, the integration validates the SSL certificate when connecting to the Sysdig Secure server.

Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Ping

Use the Ping action to test the connectivity to Sysdig Secure.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Ping action can return the following output messages:

Output message Message description
Successfully connected to the Sysdig Secure server with the provided connection parameters! The action succeeded.
Failed to connect to the Sysdig Secure server! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Connectors

For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).

Sysdig Secure - Events Connector

Use the Sysdig Secure - Events Connector to pull events from Sysdig Secure.

To work with the dynamic list, use the ruleName parameter.

Connector inputs

The Sysdig Secure - Events Connector requires the following parameters:

Parameter Description
Product Field Name

Required.

The name of the field where the product name is stored.

The default value is Product Name.

The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

Event Field Name

Required.

The name of the field that determines the event name (subtype).

The default value is content_ruleName.

Environment Field Name

Optional.

The name of the field where the environment name is stored.

If the environment field is missing, the connector uses the default value.

Environment Regex Pattern

Optional.

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds)

Required.

The timeout limit, in seconds, for the Python process that runs the current script.

The default value is 180.

API Root

Required.

The API root of the Sysdig Secure instance.

For more information about API root values, see Sysdig API.

API Token

Required.

The Sysdig Secure API token.

For more information about how to generate tokens, see Retrieve the Sysdig API Token.

Lowest Severity To Fetch

Optional.

The lowest severity of the alerts to retrieve.

If you don't configure this parameter, the connector ingests alerts with all severity levels.

The possible values are as follows:

  • Informational
  • Low
  • Medium
  • High
Custom Filter Query

Optional.

A query to filter, scope, or group events during ingestion.

This parameter has priority over the Lowest Severity To Fetch parameter and values that you set in the dynamic list. For more information about how to filter events, see Filter Secure Events.

The example of the input is as follows: host.hostName = "instance-1".

Max Hours Backwards

Required.

The number of hours prior to now to retrieve events.

This parameter can apply to the initial connector iteration after you enable the connector for the first time, or the fallback value for an expired connector timestamp.

The default value is 1.

Max Events To Fetch

Required.

The maximum number of events to process in every connector iteration.

The maximum value is 200.

The default value is 100.

Disable Overflow

Optional.

If selected, the connector ignores the Google SecOps overflow mechanism.

Not selected by default.

Use dynamic list as a blocklist

Optional.

If selected, the connector uses the dynamic list as a blocklist.

Not selected by default.

Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting to the Sysdig Secure server.

Not selected by default.

Proxy Server Address

Optional.

The address of a proxy server to use.

Proxy Username

Optional.

The proxy username to authenticate with.

Proxy Password

Optional.

The proxy password to authenticate with.

Connector rules

The Sysdig Secure - Events Connector supports proxies.

Connector events

The example of the Sysdig Secure - Events Connector event is as follows:

{
   "id": "ID",
   "reference": "0194cd55-6752-823e-990c-380977fa3ce8",
   "cursor": "PTE4MjBjYTI0NjdjZDFjYzkwMzdlZDA0NGVkNjYyNzFh",
   "timestamp": "2025-02-03T19:41:53.874140361Z",
   "customerId": 2002953,
   "originator": "policy",
   "category": "runtime",
   "source": "syscall",
   "rawEventOriginator": "linuxAgent",
   "rawEventCategory": "runtime",
   "sourceDetails": {
       "sourceType": "workload",
       "sourceSubType": "host"
   },
   "engine": "falco",
   "name": "Sysdig Runtime Threat Detection",
   "description": "This policy contains rules which Sysdig considers High Confidence of a security incident. They are tightly coupled to common attacker TTP's. They have been designed to minimize false positives but may still result in some depending on your environment.",
   "severity": 3,
   "agentId": 118055020,
   "machineId": "MACHINE_ID",
   "content": {
       "policyId": 10339481,
       "ruleName": "Find Google Cloud Credentials",
       "internalRuleName": "Find Google Cloud Credentials",
       "ruleType": 6,
       "ruleSubType": 0,
       "ruleTags": [
           "host",
           "container",
           "MITRE",
           "MITRE_TA0006_credential_access",
           "MITRE_TA0007_discovery",
           "MITRE_T1552_unsecured_credentials",
           "MITRE_T1552.004_unsecured_credentials_private_keys",
           "MITRE_T1119_automated_collection",
           "MITRE_T1555_credentials_from_password_stores",
           "MITRE_TA0009_collection",
           "process",
           "gcp",
           "MITRE_T1552.003_unsecured_credentials_bash_history"
       ],
       "output": "OUTPUT",
       "fields": {
           "container.id": "host",
           "container.image.repository": "<NA>",
           "container.image.tag": "<NA>",
           "container.name": "host",
           "evt.args": "ARGS_VALUE",
           "evt.res": "SUCCESS",
           "evt.type": "execve",
           "group.gid": "1010",
           "group.name": "example",
           "proc.aname[2]": "sshd",
           "proc.aname[3]": "sshd",
           "proc.aname[4]": "sshd",
           "proc.cmdline": "grep private_key example_credentials.json",
           "proc.cwd": "/home/example/",
           "proc.exepath": "/usr/bin/grep",
           "proc.hash.sha256": "9a9c5a0c3b5d1d78952252f7bcf4a992ab9ea1081c84861381380a835106b817",
           "proc.name": "grep",
           "proc.pcmdline": "bash",
           "proc.pid": "402495",
           "proc.pid.ts": "1738611713873608827",
           "proc.pname": "bash",
           "proc.ppid": "385443",
           "proc.ppid.ts": "1738599569497780082",
           "proc.sid": "385443",
           "user.loginname": "example",
           "user.loginuid": "1009",
           "user.name": "example",
           "user.uid": "1009"
       },
       "falsePositive": false,
       "matchedOnDefault": false,
       "templateId": 1331,
       "policyType": "falco",
       "AlertId": 1357687,
       "origin": "Sysdig"
   },
   "labels": {
       "agent.tag.role": "datafeeder",
       "cloudProvider.account.id": "ACCOUNT_ID",
       "cloudProvider.name": "gcp",
       "cloudProvider.region": "europe-west3",
       "gcp.compute.availabilityZone": "europe-west3-c",
       "gcp.compute.image": "projects/debian-cloud/global/images/debian-example",
       "gcp.compute.instanceId": "INSTANCE_ID",
       "gcp.compute.instanceName": "example-instance",
       "gcp.compute.machineType": "e2-standard-2",
       "gcp.location": "europe-west3",
       "gcp.projectId": "PROJECT_ID",
       "gcp.projectName": "example-project",
       "host.hostName": "example-instance",
       "host.id": "HOST_ID",
       "orchestrator.type": "none",
       "process.name": "grep private_key example_credentials.json"
   }
}

Need more help? Get answers from Community members and Google SecOps professionals.