(Legacy) Agent-Based Threat Detection

This page describes the legacy process for installing agent-based threat detection (CDR) on GCP, for a single project or for an organization.

Prerequisites and Permissions

Gather the Following

  • Sysdig Secure endpoint (by region)
  • Sysdig API token
  • GCP Region, for example us-east1: the region where resources will be created in your GCP project by default.
  • Project ID of the project in which compute resources will be deployed.
  • Organization Domain (if performing an organizational deployment).

Check API Enablement

To check that all the required GCP service APIs are enabled, run:

gcloud services list --enabled | grep -E '(iam.googleapis.com|iamcredentials.googleapis.com|cloudresourcemanager.googleapis.com|sts.googleapis.com|cloudasset.googleapis.com|recommender.googleapis.com|cloudidentity.googleapis.com|admin.googleapis.com)'

All of the services listed above should appear in the output. Note that the serviceusage.googleapis.com service API must be enabled for this command to work.
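The grep above only lists the required APIs that are present; it does not tell you which ones are still disabled. As an added example (not part of this page or the Sysdig module), a small POSIX shell pre-flight check that reports the missing ones and can gate a later terraform apply; the gcloud output in it is constructed:

```shell
# Added example, not part of the Sysdig docs: report which of the service APIs this
# page requires are still disabled, given the output of `gcloud services list --enabled`.
# The required API names are the ones from the grep above; the sample output is constructed.

REQUIRED_APIS="iam.googleapis.com iamcredentials.googleapis.com \
cloudresourcemanager.googleapis.com sts.googleapis.com cloudasset.googleapis.com \
recommender.googleapis.com cloudidentity.googleapis.com admin.googleapis.com"

# missing_apis "<output of gcloud services list --enabled>"
# Prints each required API that does not appear in the NAME column, one per line.
missing_apis() {
  # keep the first column and drop the NAME/TITLE header row
  enabled_names=$(printf '%s\n' "$1" | awk '$1 != "NAME" { print $1 }')
  for api in $REQUIRED_APIS; do
    # -x matches the whole line, so iam.googleapis.com does not match iamcredentials.googleapis.com
    if ! printf '%s\n' "$enabled_names" | grep -qxF -- "$api"; then
      printf '%s\n' "$api"
    fi
  done
}

# check_required_apis "<output>": human-readable summary; exit status 1 when anything
# is missing, so it can gate a pre-flight step before `terraform apply`.
check_required_apis() {
  missing=$(missing_apis "$1")
  if [ -n "$missing" ]; then
    echo "Missing required APIs (enable each with: gcloud services enable <name>):" >&2
    printf '  %s\n' $missing >&2
    return 1
  fi
  echo "All required service APIs are enabled."
}

# Constructed sample of `gcloud services list --enabled` output in which
# sts.googleapis.com and admin.googleapis.com are deliberately absent.
SAMPLE_ENABLED='NAME                                 TITLE
cloudasset.googleapis.com            Cloud Asset API
cloudidentity.googleapis.com         Cloud Identity API
cloudresourcemanager.googleapis.com  Cloud Resource Manager API
iam.googleapis.com                   Identity and Access Management (IAM) API
iamcredentials.googleapis.com        IAM Service Account Credentials API
recommender.googleapis.com           Recommender API
serviceusage.googleapis.com          Service Usage API'

check_required_apis "$SAMPLE_ENABLED" || true
# Against a live project: check_required_apis "$(gcloud services list --enabled)"
```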

Available Options

Workload Types: Cloudrun, Kubernetes

Check example input parameters for these and other configuration options.

Install Agent-Based Threat Detection

This method installs ONLY Threat Detection. Use the Wizard to obtain agentless CSPM Compliance and agentless CIEM Identity and Access for GCP.

This installation is manual and is performed with Terraform, either for a single project or for an organization.

Single Project

  1. In a terminal window, ensure you are authenticated to the GCP project you would like to connect. You can authenticate using the GCP CLI by running gcloud auth application-default login.

  2. Save the following to a file named main.tf on your local machine:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
      sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
    }
    
    provider "google" {
      project = "<PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    provider "google-beta" {
      project = "<PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    module "single-project" {
      source           = "sysdiglabs/secure-for-cloud/google//examples/single-project"
      deploy_benchmark = false
    }
    
  3. Replace the following placeholders in main.tf:

    • SYSDIG_SECURE_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_SECURE_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • GCP_REGION: For example, us-east1. The region where resources will be created in your GCP project by default.
    • PROJECT_ID: The GCP Project ID that you are onboarding.
  4. Run terraform init && terraform apply.

  5. After deploying, confirm that Threat Detection is working.

Organization

  1. In a terminal window, ensure you are authenticated to the GCP project in which you would like to set up Identity Federation. You can authenticate using the GCP CLI by running gcloud auth application-default login.

  2. Create a file called sysdig.tf with the following contents:

    terraform {
      required_providers {
        sysdig = {
          source = "sysdiglabs/sysdig"
        }
      }
    }
    
    provider "sysdig" {
      sysdig_secure_url       = "<SYSDIG_SECURE_URL>"
      sysdig_secure_api_token = "<SYSDIG_SECURE_API_TOKEN>"
    }
    
    provider "google" {
      project = "<PROJECT_ID>"
      region  = "<GCP_REGION>"
    }
    
    provider "google" {
      alias  = "multiproject"
      region = "<GCP_REGION>"
    }
    
    provider "google-beta" {
      alias  = "multiproject"
      region = "<GCP_REGION>"
    }
    
    module "organization" {
      providers = {
        google.multiproject      = google.multiproject
        google-beta.multiproject = google-beta.multiproject
      }
      source = "sysdiglabs/secure-for-cloud/google//examples/organization-org_compliance"
    
      organization_domain = "<ORGANIZATION_DOMAIN>"
      deploy_benchmark    = false
    }
    
  3. Replace the following placeholders in sysdig.tf:

    • SYSDIG_SECURE_URL: Use the endpoint for the region in which your Sysdig Secure platform is installed:
      • US East: https://secure.sysdig.com
      • US West: https://us2.app.sysdig.com
      • European Union: https://eu1.app.sysdig.com
    • SYSDIG_SECURE_API_TOKEN: See Retrieve the Sysdig API Token to find yours.
    • PROJECT_ID: The GCP Project ID where the Identity Federation resources will be created.
    • GCP_REGION: For example, us-east1. The region where resources will be created in your GCP project by default.
    • ORGANIZATION_DOMAIN: The domain of the GCP organization you are onboarding.
  4. Run terraform init.

  5. Run terraform apply.

  6. After deploying, confirm that Threat Detection is working.

Validate

Log in to Sysdig Secure and check the module you deployed is functioning. It may take 10 minutes or so for events to be collected and displayed.

Check Overall Connection Status

  • Data Sources: Select Integrations > Data Sources | Cloud Accounts to see all connected cloud accounts.

Check Threat Detection

  • Policies and Rules: Check Policies > Runtime Policies and confirm that the Sysdig AWS Threat Detection and Sysdig AWS Threat Intelligence managed policies are enabled.

    • These consist of the most frequently recommended rules for AWS and CloudTrail. You can customize them by creating a new policy of the AWS CloudTrail type.
  • Events: In the Events feed, filter for aws.accountid = and check for your cloud account.

  • Force an event: To manually create an event, choose one of the rules contained in an AWS policy and execute it in your AWS account.
    For example: create an S3 bucket with Public Access Blocked, then make it public to prompt the event.
    Remember that new rules added to policies require time to propagate.

Features and Resources Created

Threat Detection/CDR

Resources Created

  • google_cloud_run_service
  • google_cloud_run_service_iam_member
  • google_eventarc_trigger
  • google_logging_organization_sink
  • google_logging_project_sink
  • google_project_iam_member
  • google_pubsub_subscription
  • google_pubsub_subscription_iam_member
  • google_pubsub_topic
  • google_pubsub_topic_iam_member
  • google_secret_manager_secret
  • google_secret_manager_secret_iam_member
  • google_secret_manager_secret_version
  • google_service_account
  • google_service_account_iam_binding

Permissions Granted

  • roles/eventarc.eventReceiver
  • roles/iam.serviceAccountTokenCreator
  • roles/secretmanager.secretAccessor
  • roles/pubsub.subscriber
  • roles/pubsub.publisher
  • roles/run.invoker
  • roles/run.viewer
  • roles/cloudbuild.builds.builder (if scanning is enabled)
  • roles/iam.serviceAccountUser (if scanning is enabled)
  • customRole (if organizational):
    • storage.objects.get
    • storage.objects.list
    • artifactregistry.repositories.get
    • artifactregistry.repositories.downloadArtifacts
    • artifactregistry.tags.list
    • artifactregistry.tags.get
    • run.services.get
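The role list above is what the module is documented to grant, which makes it a baseline to audit against. As an added example (not part of this page or the Sysdig module), a POSIX shell check that compares the roles actually bound to the module's service account with that baseline and flags extra or missing bindings; the service account email and the IAM policy lines are constructed placeholders, and the scanning-only roles and the organizational custom role are left out of the expected set:

```shell
# Added example, not part of the Sysdig docs: audit the roles actually bound to the
# service account the module created against the base role set listed above, so an
# extra binding (e.g. a hand-added roles/owner) or a missing one stands out. The service
# account email and the policy lines are constructed placeholders; the scanning-only
# roles and the organizational custom role are not in EXPECTED_ROLES.

EXPECTED_ROLES="roles/eventarc.eventReceiver roles/iam.serviceAccountTokenCreator \
roles/secretmanager.secretAccessor roles/pubsub.subscriber roles/pubsub.publisher \
roles/run.invoker roles/run.viewer"

# roles_for_member "<policy csv>" "<member>": roles bound to that member, one per line.
# Input shape is one "role,member" line per binding, as produced by
#   gcloud projects get-iam-policy <PROJECT_ID> --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
roles_for_member() {
  printf '%s\n' "$1" | awk -F, -v m="$2" '$2 == m { print $1 }'
}

# audit_roles "<policy csv>" "<member>": prints EXTRA/MISSING lines; returns 1 if any.
audit_roles() {
  actual=$(roles_for_member "$1" "$2")
  rc=0
  for role in $actual; do
    case " $EXPECTED_ROLES " in
      *" $role "*) ;;                       # documented binding
      *) echo "EXTRA   $role"; rc=1 ;;      # not granted by the module: investigate
    esac
  done
  for role in $EXPECTED_ROLES; do
    printf '%s\n' "$actual" | grep -qxF -- "$role" || { echo "MISSING $role"; rc=1; }
  done
  return $rc
}

# Constructed sample: the Sysdig service account lacks roles/run.viewer and has
# picked up roles/owner; the human owner's binding is unrelated and must be ignored.
SYSDIG_SA="serviceAccount:sysdig-sa@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY="roles/owner,user:admin@example.com
roles/eventarc.eventReceiver,$SYSDIG_SA
roles/iam.serviceAccountTokenCreator,$SYSDIG_SA
roles/secretmanager.secretAccessor,$SYSDIG_SA
roles/pubsub.subscriber,$SYSDIG_SA
roles/pubsub.publisher,$SYSDIG_SA
roles/run.invoker,$SYSDIG_SA
roles/owner,$SYSDIG_SA"

audit_roles "$SAMPLE_POLICY" "$SYSDIG_SA" || echo "role drift detected"
```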

Next Steps

If you want to add CSPM and Identity and Access/CIEM features, run the Agentless installation after the manual installation.