(Legacy) Agent-Based Threat Detection

This page describes the legacy process to install agent-based threat detection/CDR on GCP, for single projects or organizations.

Prerequisites and Permissions

A Sysdig Secure SaaS account, with administrator permissions.
Have Terraform installed on the machine from which you will deploy the installation code.
- Terraform Google Platform Provider.
- Google’s Cloud SDK deployed in the environment where you will deploy the installation code.
A Google Cloud Platform (GCP) account, for Sysdig Secure’s cloud compute workload deployment, with the following roles and permissions required to install.
- Owner role, in order to create each of the resources specified in the resources list below.
- For organizational Organization Admin role is required too.
- Check that the following GCP Service APIs are enabled:
  - For Agentless CSPM:
    - Identity and access management API (iam.googleapis.com)
    - IAM Service Account Credentials API(iamcredentials.googleapis.com)
    - Cloud Resource Manager API(cloudresourcemanager.googleapis.com)
    - Security Token Service API (sts.googleapis.com)
    - Cloud Asset API (cloudasset.googleapis.com)
  See Permissions Granted for the roles and permissions used by the installed modules after installation.

Gather the Following

Sysdig Secure endpoint (by region)
Sysdig API token
GCP Region for example, us-east1 The region where resources will be created in your GCP project by default.
Project ID of the project in which compute resources will be deployed.
Organization Domain (If performing an Organizational deploy).

Check API Enablement

To check that all the required GCP Service APIs are enabled execute:

gcloud services list --enabled | grep -E '(iam.googleapis.com|iamcredentials.googleapis.com|cloudresourcemanager.googleapis.com|sts.googleapis.com|cloudasset.googleapis.com|recommender.googleapis.com|cloudidentity.googleapis.com|admin.googleapis.com)'

All the services listed above should be included. Note that you need to enable the serviceusage.googleapis.com Service API to use this command.

Available Options

Workload Types: Cloudrun, Kubernetes

Check example input parameters for these and other configuration options.

Install Agent-Based Threat Detection

This method installs ONLY Threat Detection. Use the Wizard to obtain agentless CSPM Compliance and agentless CIEM Identity and Access for GCP.

This installation is manual and can be performed for a single project or organizational project in Terraform.

Single Project

In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the GCP CLI by running gcloud auth application-default login

Save the following to a file named main.tf on your local machine:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "google" {
  project = "<PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google-beta" {
  project = "<PROJECT_ID>"
  region  = "<GCP_REGION>"
}

module "single-project" {
  source           = "sysdiglabs/secure-for-cloud/google//examples/single-project"
  deploy_benchmark = false
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_REGION: e.g. us-east1 The region where resources will be created in your GCP project by default.
- GCP_PROJECT_ID: The GCP Project ID that you are onboarding.
Run terraform init && terraform apply.
After deploying, confirm that Threat Detection is working.

Organization

In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. You can authenticate using the GCP CLI by running gcloud auth application-default login

Create a file called sysdig.tf with the following contents:

terraform {
  required_providers {
    sysdig = {
      source = "sysdiglabs/sysdig"
    }
  }
}

provider "sysdig" {
  sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
  sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
}

provider "google" {
  project = "<PROJECT_ID>"
  region  = "<GCP_REGION>"
}

provider "google" {
  alias  = "multiproject"
  region = "<GCP_REGION>"
}

provider "google-beta" {
  alias  = "multiproject"
  region = "<GCP_REGION>"
}

module "organization" {
  providers = {
    google.multiproject      = google.multiproject
    google-beta.multiproject = google-beta.multiproject
  }
  source = "sysdiglabs/secure-for-cloud/google//examples/organization-org_compliance"

  organization_domain = "<ORGANIZATION_DOMAIN>"
  deploy_benchmark    = false
}

Replace the following placeholders in main.tf:
- SYSDIG_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
  - US East: https://secure.sysdig.com.
  - US West: https://us2.app.sysdig.com
  - European Union:https://eu1.app.sysdig.com
- SYSDIG_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
- GCP_PROJECT_ID: The GCP Project ID where Identity Federation resources will be created.
- GCP_REGION: e.g. us-east1 The region where resources will be created in your GCP project by default.
- GCP_ORG_DOMAIN: The domain of the GCP organization you are onboarding.
Run terraform init.
Run terraform apply.
After deploying, confirm that Threat Detection is working.

Validate

Log in to Sysdig Secure and check the module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check Threat Detection

Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig AWS Threat Detection and Sysdig AWS Threat Intelligence managed policies are enabled.
- These consist of the most-frequently-recommended rules for AWS and CloudTrail. You can customize them by creating a new policy of the AWS CloudTrail type.
Events: In the Events feed, filter for aws.accountid = and check for your cloud account.
Force an event: To manually create an event, choose one of the rules contained an AWS policy and execute it in your AWS account.
ex.: Create a S3 Bucket with Public Access Blocked. Make it public to prompt the event.
Remember that new rules added to policies require time to propagate the changes.

Features and Resources Created

Threat Detection/CDR

Resources Created

google_cloud_run_service
google_cloud_run_service_iam_member
google_eventarc_trigger
google_logging_organization_sink
google_logging_project_sink
google_project_iam_member
google_pubsub_subscription
google_pubsub_subscription_iam_member
google_pubsub_topic
google_pubsub_topic_iam_member
google_secret_manager_secret
google_secret_manager_secret_iam_member
google_secret_manager_secret_version
google_service_account
google_service_account_iam_binding

Permissions Granted

roles/eventarc.eventReceiver

roles/iam.serviceAccountTokenCreator

roles/secretmanager.secretAccessor

roles/pubsub.subscriber

roles/pubsub.publisher

roles/run.invoker

roles/run.viewer

roles/cloudbuild.builds.builder (If scanning enabled)

roles/iam.serviceAccountUser (If scanning enabled)

customRole (If organizational)

storage.objects.get
storage.objects.list
artifactregistry.repositories.get
artifactregistry.repositories.downloadArtifacts
artifactregistry.tags.list
artifactregistry.tags.get
run.services.get

Next Steps

If you want to add CSPM and Identity and Access/CIEM features, run the Agentless installation after the manual installation.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.