Google SecOps Pipelines

Overview

Bindplane's SecOps Pipelines let you create, configure, and manage Data Processing Pipelines directly in Bindplane. These pipelines apply custom OpenTelemetry processors to your log data after it reaches Google SecOps but before parsing and ingestion. You can easily transform, enrich, filter, and redact your SecOps data through Bindplane's interface, all without the need to write raw OTel configurations or manage agent deployments.

Key Benefits

• No agent management: Pipelines automatically run on your Google SecOps data

• Simplified configuration: Use Bindplane's visual interface instead of editing raw OTel configurations and OTTL statements

• Native integration: Access your pipelines directly from your Google SecOps instance via "Open in Bindplane" links

• Pre-ingestion processing: Transform data before it's fully ingested into SecOps

Important Limitations

SecOps Pipelines have some constraints compared to traditional Bindplane configurations:

• Single destination only: All data is exclusively sent to SecOps

• 10 processor limit: Maximum of 10 processors per pipeline

• Limited processor types: Only the Bindplane processors built on OpenTelemetry's transform, filter, and redaction processors are supported at this time

  • See the list of supported processors here

  • See the list of all Bindplane processors here

• No connector support: Connectors are not supported in SecOps Pipelines at this time

When to Use SecOps Pipelines vs. a Bindplane Configuration

SecOps Pipelines are a streamlined subset of Bindplane's full capabilities, scoped specifically for in-flight processing on data already flowing into Google SecOps. A full Bindplane configuration extends beyond that, enabling collection from any source, delivery to any destination, and access to the complete set of processors, routing logic, and more.

Use SecOps Pipelines when:

• You want to configure processing on data being sent to Google SecOps

• Your processing requirements do not require complex processors or connectors (transformations, filtering, redaction)

• You want to avoid managing agents and infrastructure

Use Bindplane configurations when:

• You need to send data to multiple destinations (e.g., Google SecOps + Cloud Storage + ClickHouse)

• You require advanced processors like resource detection, batching, or sampling

• You need complex routing logic with multiple processor nodes

• You need more than 10 processors in your pipeline

Connecting the Google SecOps Integration

Prerequisites

• An Google SecOps instance with the "Data Processing Pipeline Preview" enabled

  • Contact your Google SecOps Account Manager for more information and to get enabled for this preview

• A supported Bindplane Plan

  • Bindplane Enterprise

  • Bindplane (Google Edition)

  • Bindplane Enterprise (Google Edition)

Setup

1. Navigate to your Bindplane Project Settings page

2. Scroll down to the Integrations section and click Connect

3. Provide details about your SecOps instance:

   • Customer ID

   • GCP Project Number

4. Configure an Authentication Method

   1. Service Account JSON The Service Account JSON authentication method requires providing the JSON key to a service account residing in the same GCP Project as your Google SecOps Instance. The service account must have permissions according to Google's Documentation.

   2. Workload Identity Federation (WIF) WIF authentication allows you to authenticate the Google SecOps Integration without providing raw credentials. This authentication method is only supported in Bindplane Cloud. The following documentation provides instructions on how to set up WIF auth. How to Connect the Google SecOps Integration with WIF Auth

5. Once connected, the SecOps Pipelines tab will appear in Bindplane

Working with SecOps Pipelines

Creating a Pipeline

Create a new SecOps Pipeline by going to the SecOps Pipelines page, clicking the Create SecOps Pipeline button, and filling out your desired name and description.

Managing Sources

SecOps Pipelines work with data sources (log types, ingestion methods, feeds) in your SecOps instance. Each data source is referred to as a "Stream" and can be configured by clicking the Add Stream button and following the dialog accordingly.

Clicking the node of an existing stream in your pipeline will allow you to edit or delete the stream as you see fit.

In order to save the changes you've made to your pipeline. Click the Start Rollout button.

Configuring Processors

Configure processors as you normally would in Bindplane by clicking the processor node in the center of your pipeline.

In order to save the changes you've made to your pipeline. Click the Start Rollout button.

Managing Multiple Log Types

If you need different processing for different log types, you must create a separate SecOps Pipeline. Each pipeline can only have one processor configuration that applies to all sources within that pipeline.

Accessing from Google SecOps

From your Google SecOps instance, you can access your pipelines directly:

1. Navigate to Settings -> Data Processing

2. Click a Data Pipeline

3. Click Open in Bindplane to open the associated SecOps Pipeline in Bindplane

Additional Resources

• Google SecOps Data Processing Pipeline Documentation