Google SecOps

Connect a Google SecOps instance to Bindplane to unlock helpful features

Overview

The Google SecOps integration connects Bindplane to your Google SecOps instance, enabling two key features:

SecOps Pipelines: Create and manage log processing pipelines directly in Google SecOps from Bindplane.
Validate SecOps Parser: Test a log type's parser against raw log samples without deploying changes, letting you verify parsing behavior before it reaches your live environment.

Connecting the Google SecOps Integration

It is highly recommended to setup the Google SecOps Pipelines for a given tenant with only 1 Bindplane Project

Prerequisites

A Google SecOps instance
A supported Bindplane plan

New Google SecOps customers as of March 2026 or later may need to contact their Google SecOps Account Manager to get access to the "Data Processing Pipelines Preview" in order to use this integration

Setup

Navigate to your Bindplane Project Settings page
Scroll down to the Integrations section and click Connect
Provide details about your SecOps instance:
- Customer ID
- GCP Project Number
Configure an Authentication Method View the example commands below for configuring IAM resources.
1. Service Account JSON The Service Account JSON authentication method requires providing the JSON key to a service account residing in the same GCP Project as your Google SecOps Instance. The service account must have the required IAM permissions as described below.
2. Workload Identity Federation (WIF) WIF authentication allows you to authenticate the Google SecOps Integration without providing raw credentials. This authentication method is only supported in Bindplane Cloud. The following documentation provides instructions on how to set up WIF auth. How to Connect the Google SecOps Integration with WIF Auth
Click Connect to complete the integration setup. If successful, the SecOps Pipelines tab will now appear in Bindplane, and the Validate SecOps Parser button will be present when viewing snapshots of telemetry being sent to a Google SecOps Destination.

Required IAM Permissions

The service account used by the Google SecOps integration requires either of the following:

The "Chronicle API Admin" Role

A custom role with the following permissions

chronicle.logProcessingPipelines.list
chronicle.logProcessingPipelines.get
chronicle.logProcessingPipelines.create
chronicle.logProcessingPipelines.update
chronicle.logProcessingPipelines.delete
chronicle.logProcessingPipelines.associateStreams
chronicle.logProcessingPipelines.dissociateStreams
chronicle.logProcessingPipelines.fetchAssociatedPipeline
chronicle.logProcessingPipelines.fetchSampleLogsByStreams
chronicle.logProcessingPipelines.testPipeline
chronicle.logTypes.list
chronicle.logTypes.get
chronicle.feeds.list
chronicle.feeds.get
chronicle.logs.list
chronicle.parsers.list
chronicle.parsers.run

Example Commands

Below are gcloud CLI command templates for creating a custom role with the minimum required permissions, and binding it to a service account.

Create custom IAM role

# Replace PROJECT_ID with your Google Cloud project ID (not the project number).
gcloud iam roles create BindplaneSecOpsIntegration \
  --project=PROJECT_ID \
  --title="Bindplane SecOps Integration" \
  --description="Grants Bindplane the permissions required for the Google SecOps integration." \
  --permissions=\
chronicle.feeds.get,\
chronicle.feeds.list,\
chronicle.logs.list,\
chronicle.logProcessingPipelines.associateStreams,\
chronicle.logProcessingPipelines.create,\
chronicle.logProcessingPipelines.delete,\
chronicle.logProcessingPipelines.dissociateStreams,\
chronicle.logProcessingPipelines.fetchAssociatedPipeline,\
chronicle.logProcessingPipelines.fetchSampleLogsByStreams,\
chronicle.logProcessingPipelines.get,\
chronicle.logProcessingPipelines.list,\
chronicle.logProcessingPipelines.testPipeline,\
chronicle.logProcessingPipelines.update,\
chronicle.logTypes.get,\
chronicle.logTypes.list,\
chronicle.parsers.list,\
chronicle.parsers.run \
  --stage=GA

Bind the role to a service account

# Replace PROJECT_ID and SERVICE_ACCOUNT_EMAIL with the appopriate values.
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
  --role="projects/PROJECT_ID/roles/BindplaneSecOpsIntegration"

Disconnecting the Integration

To disconnect the integration, go to Project Settings, Integrations, select Google SecOps, and click Disconnect. You will no longer have access to the SecOps Pipelines page or the Validate SecOps Parser feature. However, existing pipelines already deployed to Google SecOps are not deleted when disconnecting the integration.

PreviousKeyboard Shortcuts

Last updated 29 days ago

Was this helpful?