Forwarding to Google SecOps (Formerly Google Chronicle)

Sysdig supports forwarding events to Google SecOps (formerly Google Chronicle), Google Cloud's centralized interface for aggregating security tools, logs, and more. This page describes how to forward data such as runtime policy events, platform audit, and activity audit from Sysdig to Google SecOps.

Event Forwarding to Google SecOps authenticates with a Google Cloud Service Account. The legacy API Key method continues to be supported, but we recommend Service Accounts for new integrations. See Service Accounts.

Prerequisites

Event forwards originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall to allow inbound requests from the IP addresses of your Sysdig region so that forwarded events are not dropped.

Configure Event Forwarding

To set up Event Forwarding to Google SecOps with a Service Account:

  1. Log in to Sysdig Secure as Admin.

  2. Open Settings > Event Forwarding (or Integrations > Event Forwarding).

  3. In the top right corner, select Add Integration, then Google SecOps.

  4. Specify the following:

    • Integration Name: A unique name to help you identify the SecOps integration.

    • Customer ID: The Google Customer ID associated with your GCP account. In the Google SecOps UI, find this in Settings > Profile > IDP USER ID.

    • Namespace: A user-defined environment namespace identifying the data domain the logs originate from. SecOps uses the namespace as a tag when indexing and enriching the forwarded data, so choose a value that distinguishes this environment (for example, a cluster or account name).

    • JSON Credentials: Upload the JSON key file of the Service Account used for the Google SecOps integration. See Getting API Authentication Credentials.

    • Region: Select your region, such as US, Europe, or Asia.

    • Data to Send: From the drop-down, select which data to forward, such as activity audit, Sysdig platform audit, and runtime policy events. The available list depends on the Sysdig features and products you have enabled.

  5. Test the integration, then toggle Enabled to activate it.

  6. Click Save to finish.

Configure Agent Local Forwarding

Review the Agent Local Forwarding configuration steps, then define the integration with the following parameters. The attribute names are case-sensitive.

Type        Attribute            Required?  Type    Allowed values               Default  Description
CHRONICLE   credentialsOAuth2    yes        string                                        The Google Chronicle JSON credentials
CHRONICLE   region               no         string  us, europe, asia-southeast1  us       The target region
CHRONICLE   chronicleCustomerId  yes        string                                        The Google Chronicle Customer ID
CHRONICLE   namespace            yes        string                                        The namespace to identify the data domain
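A pre-flight lint for a CHRONICLE integration entry, written as an added example (it is not Sysdig code and not part of the original page). It checks an entry against the table above: the three required attributes, the allowed region values and the us default, and whether the credentialsOAuth2 blob is actually a Google service account key rather than, say, an authorized_user file from gcloud. The attribute names come from the table; the flat dict layout, the function names, and the sample key and Customer ID are assumptions and constructed test data.

```python
"""Pre-flight lint for a CHRONICLE agent-local-forwarding integration.

Added example, not Sysdig's own code. Attribute names follow the table on
this page; the dict layout, function names and sample data are assumptions.
"""
from __future__ import annotations

import json

ALLOWED_REGIONS = ("us", "europe", "asia-southeast1")   # from the table
DEFAULT_REGION = "us"                                   # from the table
REQUIRED_ATTRS = ("credentialsOAuth2", "chronicleCustomerId", "namespace")

# Fields present in every Google service account JSON key file.
SA_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                 "client_email", "token_uri")


def check_service_account_key(blob: str) -> list[str]:
    """Return problems found in a service account key blob ([] if it looks usable)."""
    try:
        key = json.loads(blob)
    except json.JSONDecodeError as exc:
        return [f"credentialsOAuth2 is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["credentialsOAuth2 must be a JSON object"]
    problems = [f"key is missing field {f!r}" for f in SA_KEY_FIELDS if not key.get(f)]
    if problems:
        return problems
    # Files from `gcloud auth application-default login` have type
    # "authorized_user": user credentials, not a service account key.
    if key["type"] != "service_account":
        problems.append(f"key type is {key['type']!r}, expected 'service_account'")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded PKCS#8 private key")
    if not key["client_email"].endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems


def effective_region(cfg: dict) -> str:
    """Region the agent would use: the configured one, or the table's default."""
    return cfg.get("region") or DEFAULT_REGION


def lint_chronicle_integration(cfg: dict) -> list[str]:
    """Return all problems with one integration entry; [] means it passes."""
    problems: list[str] = []
    if cfg.get("type") != "CHRONICLE":
        problems.append(f"type is {cfg.get('type')!r}, expected 'CHRONICLE'")
    for attr in REQUIRED_ATTRS:
        if not str(cfg.get(attr, "")).strip():
            problems.append(f"required attribute {attr!r} is missing or empty")
    region = effective_region(cfg)
    if region not in ALLOWED_REGIONS:
        problems.append(f"region {region!r} not in {ALLOWED_REGIONS}")
    if cfg.get("credentialsOAuth2"):
        problems.extend(check_service_account_key(cfg["credentialsOAuth2"]))
    return problems


# Constructed sample key: the private_key body is a placeholder, not key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "secops-forwarder@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed sample entry: region omitted, so the table's default applies.
SAMPLE_CONFIG = {
    "type": "CHRONICLE",
    "credentialsOAuth2": SAMPLE_KEY,
    "chronicleCustomerId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "namespace": "prod-cluster-a",
}

if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_CONFIG),
                      ("bad-region", dict(SAMPLE_CONFIG, region="eu"))]:
        found = lint_chronicle_integration(cfg)
        print(name, "region=" + effective_region(cfg), "OK" if not found else found)
```

Run it against each CHRONICLE entry before rolling the agent configuration out; a key file that passes json.loads but is of type authorized_user is the most common way a test send fails with an authentication error while the configuration otherwise looks complete.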