Forwarding to Google Security Command Center

Google Security Command Center (SCC) is a centralized vulnerability and threat reporting service that helps you strengthen your security posture and provides asset inventory and discovery.

Supported data

Currently, only GCP Audit Log events can be forwarded to this integration.

Prerequisites

  1. The event forwarder originates from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall to allow inbound requests from these IP addresses so that Sysdig can deliver forwarded events.

  2. Enable the APIs: in the GCP console, select Enable APIs and Services and enable the following APIs:

    • Security Command Center API
    • Identity and Access Management (IAM) API
  3. Service Account: A service account with the right permissions is required. The following example shows how to create it from the terminal. You must provide the values PROJECT_ID and ORG_ID. SERVICE_ACCOUNT is the desired name for the account, and KEY_LOCATION is the name of the JSON key file that gcloud writes; this file is uploaded into the Sysdig UI in the next step.

      # Replace PROJECT_ID and ORG_ID with your own values; the account and key
      # file names below are the ones used throughout this example
      export SERVICE_ACCOUNT=scc-servaccount
      export PROJECT_ID=elevated-web-872901
      export KEY_LOCATION=scckey.json
      export ORG_ID=494436833222
    
      # Create the service account in the project
      gcloud iam service-accounts create $SERVICE_ACCOUNT  \
        --display-name "Service Account for USER"  \
        --project $PROJECT_ID
    
      # Generate a JSON key for the account and write it to KEY_LOCATION;
      # this is the file you upload in the Sysdig UI
      gcloud iam service-accounts keys create $KEY_LOCATION  \
        --iam-account $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
    
      # Grant the account the Security Command Center admin role on the organization
      gcloud beta organizations add-iam-policy-binding $ORG_ID \
        --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
        --role='roles/securitycenter.admin'
    
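Before uploading the key file from step 3, it is worth confirming that it really is the key for the account you just created and not a stale or mismatched file. The following check is an added example, not part of the Sysdig documentation or of gcloud; the embedded sample key file is constructed with a placeholder private key, and the values it is checked against are the SERVICE_ACCOUNT and PROJECT_ID from the commands above.

```python
import json
import re

# Constructed sample of a GCP service-account key file, matching the
# layout gcloud writes to KEY_LOCATION (scckey.json). The private key is
# a placeholder, not a real key.
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "project_id": "elevated-web-872901",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "scc-servaccount@elevated-web-872901.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def check_sa_key(key_text, service_account, project_id):
    """Return a list of problems found in a service-account key file.

    An empty list means the file looks like the key of
    SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com as created by
    the gcloud commands in the prerequisites.
    """
    problems = []
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing or empty field: {field}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    expected_email = f"{service_account}@{project_id}.iam.gserviceaccount.com"
    if key.get("client_email") != expected_email:
        problems.append(f"client_email {key.get('client_email')!r} != {expected_email!r}")
    if key.get("project_id") != project_id:
        problems.append(f"project_id {key.get('project_id')!r} != {project_id!r}")
    pk = key.get("private_key", "")
    if not re.fullmatch(r"-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?", pk, re.S):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems
```

To check a real file, read it with `open(KEY_LOCATION).read()` and pass the text together with the account name and project ID you exported.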

Configure Event Forwarding Integration with Google SCC

This action can be performed only by an Administrator

To forward event data to Google SCC:

  1. Log in to Sysdig Secure as admin.

  2. From the Settings module, navigate to the Events Forwarding tab.

  3. Click the Add Integration button.

  4. Select Google SCC from the drop-down menu.

  5. Configure the required options:

    • Integration Name: Define an integration name.
    • Organization: Set the ID of your GCP organization.
    • JSON credentials: Upload the JSON credentials that you previously generated for a service account or user.
    • Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. Because only GCP Audit Log events can be forwarded, only Runtime Policy events are shown.
    • Toggle the Enable switch as needed. Remember that you need to use the Test Integration button below before enabling the integration.
  6. Click the Save button to save the integration.