Configuration is loaded from the cloud-connector.yaml file.

rules:
  - secure:
      url: https://secure.sysdig.com
  - git:
      url: https://github.com/sysdiglabs/cloudtrail-rules
  - s3:
      bucket: bucket-name
  - gcs:
      bucket: bucket-name
  - directory:
      path: ./rules
ingestors:
  - cloudtrail-sns-sqs:
      queueURL: https://sqs.REGION.amazonaws.com/XXXXX/cloud-connector-demo
      interval: 1m
  - cloudtrail-sns-http:
      url: /cloudtrail
  - cloudtrail-http:
      url: /cloudtrail-debug
  - auditlog:
      project: XXXX
      interval: 5m
  - auditlog-http:
      url: /auditlog-debug
notifiers:
  - console: {}
  - metrics: {}
  - cloudwatch:
      logGroup: cloud-connector-test
      logStream: test
#   - securityhub:
#       productArn: arn:aws:securityhub:eu-west-1:485156241564:product/485156241564/default
  - secure:
      url: https://app.sysdigcloud.com

Rule providers

You can use several rule providers at the same time. Rules are loaded in order. In the example above, rules are loaded and merged from Sysdig Secure, then Git, then an S3 bucket, and finally a local directory.

Lists and macros can use the append feature to extend the behaviour from rules loaded before them.

secure

Loads the rules from the Sysdig Secure backend, using the HTTP API.

Parameters (as used in the example above): url, the Sysdig Secure backend URL.

The environment variable SECURE_API_TOKEN must be set to a valid API token.

git

Loads the rules from a Git repository.

If you need to clone a private repository, you can pass credentials such as a personal access token (see https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/).

Parameters (as used in the example above): url, the Git repository URL.

s3

Loads the rules from an S3 bucket. The provider retrieves all files ending in .yaml and .yml recursively. You may need to specify a path for the files so that no other files in the bucket conflict with them.

For example, if the files are saved under “cloud-connector-rules/rules.yaml”, the path should be “cloud-connector-rules”.

Parameters (as used in the example and text above): bucket, the S3 bucket name; path, the prefix under which the rule files are stored.

gcs

Loads the rules from a Google Cloud Storage bucket. The provider retrieves all files ending in .yaml and .yml recursively. You may need to specify a path for the files so that no other files in the bucket conflict with them.

For example, if the files are saved under “cloud-connector-rules/rules.yaml”, the path should be “cloud-connector-rules”.

Parameters (as used in the example and text above): bucket, the GCS bucket name; path, the prefix under which the rule files are stored.

directory

Loads the set of rules from a directory specified by the path parameter.
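The two behaviours described in this section, selecting .yaml/.yml objects under a bucket prefix and layering rule sources in order so that later lists and macros can append to earlier ones, are shown together in the following added example. It is not the cloud-connector's own code: rule documents appear as the Python structures a YAML loader would return, the append semantics are the Falco ones (list items concatenated, macro conditions joined), and every rule, list item, condition and object key is constructed for illustration.

```python
# Added illustration (not cloud-connector's own code) of how rule files are
# selected from a bucket prefix and how rule sources are layered in order.
# Rule documents are shown as the structures a YAML loader would return, so
# the example needs no third-party packages; all rule content is constructed
# and the condition fields are illustrative, not real rule syntax.

RULE_FILE_SUFFIXES = (".yaml", ".yml")


def select_rule_keys(object_keys, path=""):
    """Keep objects under `path` (recursively) ending in .yaml/.yml, sorted so
    that load order is deterministic. With no path, every rule file in the
    bucket is picked up, which is why a dedicated prefix is recommended."""
    prefix = path.strip("/")
    if prefix:
        prefix += "/"
    return sorted(k for k in object_keys
                  if k.startswith(prefix) and k.endswith(RULE_FILE_SUFFIXES))


def merge_rule_sources(sources):
    """Merge Falco-style rule documents in load order.

    A list or macro with `append: true` extends the same-named object loaded
    by an earlier source (list items are concatenated, macro conditions are
    joined with a space); without `append`, a later definition replaces the
    earlier one. Appending to something not yet defined is a configuration
    error, which is also how Falco treats it.
    """
    lists, macros, rules = {}, {}, {}
    for doc in sources:
        for obj in doc:
            if "list" in obj:
                name, items = obj["list"], list(obj["items"])
                if obj.get("append"):
                    if name not in lists:
                        raise ValueError(f"append to undefined list {name!r}")
                    lists[name] += items
                else:
                    lists[name] = items
            elif "macro" in obj:
                name, cond = obj["macro"], obj["condition"]
                if obj.get("append"):
                    if name not in macros:
                        raise ValueError(f"append to undefined macro {name!r}")
                    macros[name] = f"{macros[name]} {cond}"
                else:
                    macros[name] = cond
            elif "rule" in obj:
                rules[obj["rule"]] = dict(obj)  # later sources override earlier ones
    return {"lists": lists, "macros": macros, "rules": rules}


# Constructed sample sources, in the order the configuration example loads
# them: the managed rules first, then a Git checkout that extends them.
SECURE_RULES = [
    {"list": "trusted_principals",
     "items": ["arn:aws:iam::111111111111:role/ci"]},
    {"macro": "console_login", "condition": "event_name = ConsoleLogin"},
    {"rule": "Console Login Without MFA",
     "condition": "console_login and not mfa_used",
     "priority": "WARNING"},
]
GIT_RULES = [
    {"list": "trusted_principals", "append": True,
     "items": ["arn:aws:iam::111111111111:role/ops"]},
    {"macro": "console_login", "append": True,
     "condition": "and not user_arn in (trusted_principals)"},
]


def layered_rules():
    """Merge the constructed sources in the documented order."""
    return merge_rule_sources([SECURE_RULES, GIT_RULES])
```

Because a later source can replace a rule outright while only appending to lists and macros, the order of the providers in cloud-connector.yaml is part of the policy: an S3 bucket or directory listed last has the final word over what the managed rules from Sysdig Secure detect.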

Ingestors

cloudtrail-sns-sqs

Ingests AWS SNS notifications over SQS from the queue specified by the queueURL parameter. The Cloud Connector pulls messages directly from SQS at the specified interval.

Parameters (as used in the example above): queueURL, the SQS queue URL; interval, the polling interval.

cloudtrail-sns-http

Ingests AWS SNS notifications over HTTP on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

The SNS notification triggers retrieval of the events from an S3 bucket.
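The following added example shows the data flow shared by cloudtrail-sns-sqs and cloudtrail-sns-http: an SNS envelope (the Body of an SQS message, or the body of the HTTP POST) names the CloudTrail log objects that were delivered, and the ingestor fetches and decompresses those objects to get at the Records. It is not the cloud-connector's own code. The envelope fields (Type, TopicArn, Message) and the s3Bucket/s3ObjectKey message fields are what SNS and CloudTrail publish; the topic ARN, bucket, object key and log records are constructed placeholders, and the object store is a dictionary standing in for S3.

```python
import gzip
import json

# Placeholder for the topic this deployment subscribed to (not a real ARN).
EXPECTED_TOPIC_ARN = "arn:aws:sns:REGION:XXXXX:cloud-connector-demo"


def objects_from_notification(envelope, expected_topic_arn=EXPECTED_TOPIC_ARN):
    """Return the (bucket, key) pairs named by an SNS CloudTrail notification.

    `envelope` is the parsed SNS JSON: the Body of an SQS message for the
    cloudtrail-sns-sqs path, or the POST body for cloudtrail-sns-http. Only
    Type=Notification from the expected topic is honoured, so a stray
    SubscriptionConfirmation or a message from another topic cannot make
    the ingestor fetch objects it was not configured for. Verification of
    the SNS envelope signature is not shown here.
    """
    if envelope.get("Type") != "Notification":
        return []
    if envelope.get("TopicArn") != expected_topic_arn:
        return []
    message = json.loads(envelope["Message"])
    bucket = message["s3Bucket"]
    return [(bucket, key) for key in message.get("s3ObjectKey", [])]


def records_from_log_object(blob):
    """CloudTrail log objects are gzip-compressed JSON with a Records array."""
    return json.loads(gzip.decompress(blob)).get("Records", [])


def ingest(envelope, fetch_object):
    """Resolve one notification to the CloudTrail records it points at.
    `fetch_object(bucket, key)` returns the object bytes; here it is a dict
    lookup, in a deployment it would be an S3 GetObject call."""
    records = []
    for bucket, key in objects_from_notification(envelope):
        records.extend(records_from_log_object(fetch_object(bucket, key)))
    return records


# Constructed sample data: one delivered log file with two records, plus the
# notification CloudTrail would publish for it and an unrelated SNS message.
SAMPLE_BUCKET = "cloudtrail-demo-bucket"
SAMPLE_KEY = "AWSLogs/111111111111/CloudTrail/us-east-1/2024/01/01/sample.json.gz"
SAMPLE_OBJECTS = {
    (SAMPLE_BUCKET, SAMPLE_KEY): gzip.compress(json.dumps({"Records": [
        {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "additionalEventData": {"MFAUsed": "No"}},
        {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
         "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    ]}).encode()),
}
SAMPLE_NOTIFICATION = {
    "Type": "Notification",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": json.dumps({"s3Bucket": SAMPLE_BUCKET, "s3ObjectKey": [SAMPLE_KEY]}),
}
SAMPLE_CONFIRMATION = {
    "Type": "SubscriptionConfirmation",
    "TopicArn": EXPECTED_TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic ...",
}


def fetch_sample_object(bucket, key):
    """Stand-in for S3 GetObject backed by the constructed store."""
    return SAMPLE_OBJECTS[(bucket, key)]


def ingest_sample():
    """Run the constructed notification through the pipeline."""
    return ingest(SAMPLE_NOTIFICATION, fetch_sample_object)
```

The same envelope parsing serves both ingestors; what differs is only how the envelope arrives (polled from SQS at the configured interval, or pushed to the HTTP listener on port 5000). Because the HTTP variant accepts bodies from the network, checking the topic and message type before fetching anything is the minimum a deployment should do.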

cloudtrail-http

Receives raw JSON events on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

This ingestor is only used for debugging purposes.

auditlog

Retrieves Google Cloud Platform Audit Log events. The Cloud Connector pulls events directly from GCP Logging at the specified interval.

Parameters (as used in the example above): project, the GCP project to read from; interval, the polling interval.

auditlog-http

Receives raw JSON events on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

This ingestor is only used for debugging purposes.

Notifiers

console

Simple notifier that writes alerts to the console.

metrics

This notifier updates a per-alert counter and serves these counters as Prometheus metrics.
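As an added example of what the metrics notifier's behaviour looks like (not the cloud-connector's own code), the following keeps a counter per rule and priority and renders it in the Prometheus text exposition format. The metric name is a hypothetical choice, the alerts are constructed, and the escaping of label values (backslash, double quote, newline) follows the exposition format so that a rule name containing quotes cannot break the scrape output.

```python
from collections import Counter

# Hypothetical metric name; the connector's real metric names are not given here.
METRIC_NAME = "cloud_connector_alerts_total"


def _escape_label(value):
    """Prometheus text format escapes backslash, double quote and newline
    inside label values; a rule name is attacker-influenced only through the
    rule author, but a stray quote would still corrupt the whole scrape."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


class AlertCounters:
    """Per-alert counters exposed as a Prometheus counter metric."""

    def __init__(self, metric_name=METRIC_NAME):
        self.metric_name = metric_name
        self.counts = Counter()

    def notify(self, alert):
        """Count one alert by rule name and priority; the event itself is not kept."""
        self.counts[(alert["rule"], alert["priority"])] += 1

    def render(self):
        """Render the counters in Prometheus text exposition format, sorted
        so that successive scrapes are stable."""
        lines = [f"# HELP {self.metric_name} Alerts raised, per rule and priority.",
                 f"# TYPE {self.metric_name} counter"]
        for (rule, priority), n in sorted(self.counts.items()):
            lines.append(
                f'{self.metric_name}{{rule="{_escape_label(rule)}",'
                f'priority="{_escape_label(priority)}"}} {n}')
        return "\n".join(lines) + "\n"


# Constructed alerts, shaped as a rule engine would hand them to a notifier.
SAMPLE_ALERTS = [
    {"rule": "Console Login Without MFA", "priority": "WARNING"},
    {"rule": "Console Login Without MFA", "priority": "WARNING"},
    {"rule": 'Access Key "Created"', "priority": "NOTICE"},
]


def sample_exposition():
    """Feed the constructed alerts through the notifier and return it."""
    counters = AlertCounters()
    for alert in SAMPLE_ALERTS:
        counters.notify(alert)
    return counters
```

Counters of this kind are useful for alerting on the pipeline itself (a rule that suddenly fires thousands of times, or one that stops firing entirely) rather than for investigating individual events, which the other notifiers carry.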

cloudwatch

Send alerts to AWS CloudWatch.

Environment variable AWS_REGION must be set, and AWS credentials must be pre-configured.

Parameters (as used in the example above): logGroup, the CloudWatch log group; logStream, the log stream within it.

securityhub

Send alerts to AWS SecurityHub.

Environment variable AWS_REGION must be set, and AWS credentials must be pre-configured.

Parameters (as used in the commented-out example above): productArn, the Security Hub product ARN to report findings under.

secure

Send alerts to the Sysdig Secure event feed.

The AGENT_KEY environment variable must be set.

Parameters (as used in the example above): url, the Sysdig Secure backend URL.
