Forwarding to Google Security Command Center
Supported data
For the moment, only GCP Audit Log events can be forwarded to this integration.
Event forwarder requests originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall to allow inbound requests from these IP addresses so that Sysdig can handle event forwarding.
To enable the integration, go to the GCP console, select Enable APIs and Services, and enable the following APIs:
- Security Command Center API
- Identity and Access Management (IAM) API
Service Account: A service account with the right permissions is required. The following example shows how to create it from the terminal. The values PROJECT_ID and ORG_ID have to be provided. SERVICE_ACCOUNT is the desired name for the account. KEY_LOCATION is the desired name for the JSON output file that will need to be uploaded into the Sysdig UI in the next step.
```
# Values to provide for your environment
export SERVICE_ACCOUNT=scc-servaccount
export PROJECT_ID=elevated-web-872901
export KEY_LOCATION=scckey.json
export ORG_ID=494436833222

# Create the service account in the project
gcloud iam service-accounts create $SERVICE_ACCOUNT \
  --display-name "Service Account for USER" \
  --project $PROJECT_ID

# Create the JSON key; this file is a credential, so store it accordingly
gcloud iam service-accounts keys create $KEY_LOCATION \
  --iam-account $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com

# Grant the account the Security Command Center admin role on the organization
gcloud beta organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role='roles/securitycenter.admin'
```
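Before uploading the key file, it is worth confirming that it really is the key of the service account created above and that it is not readable by other local users. The following check is an added example, not part of the Sysdig documentation; `check_key_file` and `write_sample` are hypothetical helper names, and the sample key is constructed in the layout of a service account key file.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample in the layout of a service account key file; not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "elevated-web-872901",
    "private_key_id": "constructed-key-id",
    "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
    "client_email": "scc-servaccount@elevated-web-872901.iam.gserviceaccount.com",
}

def check_key_file(path, service_account, project_id):
    """Return a list of problems with the key file; an empty list means it passed."""
    problems = []
    # The key is a long-lived credential: only its owner should be able to read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} allows group/other access, use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    problems += [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    expected = {"type": "service_account", "project_id": project_id,
                "client_email": f"{service_account}@{project_id}.iam.gserviceaccount.com"}
    for name, want in expected.items():
        if key.get(name) and key[name] != want:
            problems.append(f"{name} is {key[name]!r}, expected {want!r}")
    return problems

def write_sample(doc, mode):
    """Hypothetical helper: write a constructed key document to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    path = write_sample(SAMPLE_KEY, 0o644)
    print(check_key_file(path, "scc-servaccount", "elevated-web-872901"))
    os.remove(path)
```

For the real file, call `check_key_file` with the values of KEY_LOCATION, SERVICE_ACCOUNT and PROJECT_ID used in the commands above.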
Configure Event Forwarding Integration with Google SCC
This action can be performed only by an Administrator.
To forward event data to Google SCC:
Log in to Sysdig Secure as admin.
Settings module, navigate to the
Google SCC from the drop-down menu.
Configure the required options:
- Integration Name: Define an integration name.
- Organization: Set the ID of your GCP organization.
- JSON credentials: Upload JSON credentials that you previously generated from a service account or user.
- Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. Note that since only GCP Audit Log events can be forwarded, only Runtime Policy events are shown.
- Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.
- Click the Save button to save the integration.