Google SecOps with Bindplane Quick Start
Sign up for Bindplane Cloud. We recommend using Bindplane Cloud to get started. It's the fastest and easiest way to build out your telemetry pipelines. It includes a free tier for proof-of-concepts and development projects.
If you want to see self-hosted options, view the solutions here.
Bindplane Architecture Diagram

Configure your Bindplane Organization
Give your Organization a name.

After you sign in for the first time, you can check the Organization, Project, and License level in the upper-right menu.

Configure the SecOps Destination
Create a Configuration with a Destination for sending data to your Google SecOps instance.
Destinations can be created within Configurations for Agents. You'll learn how to create one in the Library, so that it can be used by multiple Configurations.
Go to Library in the UI. Click Add Destination, and select Google SecOps.


You can use two different APIs within Google SecOps. This guide will showcase the default gRPC API.
You can set the appropriate region by following the "Read More About Regional Endpoints" link and finding the endpoint appropriate for your area.

Customer ID
You can find your SecOps Customer ID under Settings > Profile > Organization Details in the SecOps Interface.

JSON Authentication
JSON Authentication is the recommended Authentication Method for sending data to SecOps.
You can download a JSON file from the SecOps Interface under Settings > Collection Agents > Ingestion Authentication File.

Copy and paste the JSON contents into the Credentials field and set the Customer ID. These are the two required settings to send data to Google SecOps.
Save the configuration, and name the Destination Configuration.

It's now saved to the Library and can be used for any of your Configurations.
Configure Linux auditd Log Collection
Now, you'll configure collection of auditd logs on a Linux machine.
Install a Collector
First, deploy the BDOT Collector on your Linux machine. Navigate to Agents > Platform Linux, and select Agent Type of 1.x.

The next step will show a one-line install script. Run this on your Linux machine and wait for the OTel Collector to appear in the list.


Configure the Linux auditd Logs Source
Create a new Configuration.

Add the "File" Source.

Add the default file path for auditd: /var/log/audit/audit.log
Set Parse Format to None. Parsing is done in Google SecOps, so it is not required beforehand.
Set Start At to beginning.

Add the Google SecOps Destination that was created earlier and Save the Configuration.

The configuration will not have any collectors attached right away. To add a collector, click Add Agent at the bottom of the Configuration, then Start Rollout to deploy it.

View the Configuration File
You can view the OpenTelemetry Collector pipeline configuration by clicking View Configuration File.
This pipeline may be useful for troubleshooting or as a reference. It is the configuration that is rolled out to the collectors via the OpAMP protocol.

# This configuration is managed by Bindplane.
# Configuration: linux-auditd-secops:1
receivers:
  filelog/source@_01JH89S7FGQE45F1SWFTGKN81N:
    delete_after_read: false
    encoding: utf-8
    fingerprint_size: 1kb
    force_flush_period: 500ms
    include:
      - /var/log/audit/audit.log
    include_file_name: true
    include_file_name_resolved: false
    include_file_path: false
    include_file_path_resolved: false
    max_concurrent_files: 1024
    max_log_size: 1MiB
    operators:
      - field: attributes.log_type
        type: add
        value: file
    poll_interval: 200ms
    retry_on_failure:
      enabled: false
    start_at: beginning
    storage: file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N
processors:
  resourcedetection/source@_01JH89S7FGQE45F1SWFTGKN81N:
    detectors:
      - system
    system:
      hostname_sources:
        - os
exporters:
  chronicle/SecOps:
    compression: gzip
    creds: (sensitive)
    customer_id: b536658e-469e-44a5-b764-d5ab15b72ce0
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: NIX_SYSTEM
    namespace: null
    raw_log_field: body
    retry_on_failure:
      enabled: true
      initial_interval: 5s
      max_elapsed_time: 300s
      max_interval: 30s
    sending_queue:
      enabled: true
      num_consumers: 10
      queue_size: 5000
      storage: file_storage/SecOps
    timeout: 5s
extensions:
  file_storage/SecOps:
    compaction:
      directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
      on_rebound: true
    directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
  file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N:
    compaction:
      directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
      on_rebound: true
    directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
# ...
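Because this file is the reference for troubleshooting, a pre-rollout sanity check over it is useful. The script below is an added example, not Bindplane's or the collector's own code: it works on a trimmed JSON transcription of the pipeline above (shortened component names, placeholder credentials) and flags the mistakes that most often break this exact setup, such as a storage reference to an undeclared file_storage extension or a start_at that skips the existing audit.log contents.

```python
"""Sanity-check a Bindplane-generated OTel Collector pipeline before rollout.
Added example, not Bindplane's or the collector's code. CONFIG is a JSON transcription
of the page's linux-auditd-secops pipeline trimmed to the fields checked, with shortened
component names and placeholder credentials; the page elides the service section, so it
is not checked."""
import copy
import json
CONFIG = json.loads("""{
  "receivers": {"filelog/auditd": {
      "include": ["/var/log/audit/audit.log"], "start_at": "beginning",
      "storage": "file_storage/auditd"}},
  "exporters": {"chronicle/SecOps": {
      "customer_id": "<customer-id-placeholder>", "creds": "(sensitive)",
      "endpoint": "malachiteingestion-pa.googleapis.com", "log_type": "NIX_SYSTEM",
      "raw_log_field": "body",
      "sending_queue": {"enabled": true, "storage": "file_storage/SecOps"}}},
  "extensions": {"file_storage/SecOps": {}, "file_storage/auditd": {}}
}""")
def check_pipeline(cfg: dict) -> list[str]:
    """Return findings for the auditd -> SecOps pipeline; an empty list means it passes."""
    findings, extensions = [], set(cfg.get("extensions", {}))
    for name, recv in cfg.get("receivers", {}).items():
        if not name.startswith("filelog"):
            continue
        if "/var/log/audit/audit.log" not in recv.get("include", []):
            findings.append(f"{name}: auditd path missing from include")
        if recv.get("start_at") != "beginning":
            findings.append(f"{name}: start_at != beginning, lines already in the file are skipped")
        # A storage reference must name a declared extension, or the collector refuses to start
        if recv.get("storage") and recv["storage"] not in extensions:
            findings.append(f"{name}: storage {recv['storage']} is not a declared extension")
    for name, exp in cfg.get("exporters", {}).items():
        if not name.startswith("chronicle"):
            continue
        for key in ("customer_id", "creds"):  # the two settings the page calls required
            if not exp.get(key):
                findings.append(f"{name}: required setting {key} is missing")
        if exp.get("raw_log_field") != "body":
            findings.append(f"{name}: raw_log_field != body, SecOps expects the unparsed line")
        queue_storage = exp.get("sending_queue", {}).get("storage")
        if queue_storage and queue_storage not in extensions:
            findings.append(f"{name}: sending_queue storage {queue_storage} is not a declared extension")
    return findings
def broken_variant() -> dict:
    """Constructed failure case: queue extension dropped and start_at changed to end."""
    cfg = copy.deepcopy(CONFIG)
    del cfg["extensions"]["file_storage/SecOps"]
    cfg["receivers"]["filelog/auditd"]["start_at"] = "end"
    return cfg
```

Running `check_pipeline(CONFIG)` returns no findings, while `check_pipeline(broken_variant())` reports both the undeclared queue storage and the changed start_at.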
Configure SecOps Standardization Processor
The auditd logs are now flowing to Google SecOps via the collector. You can see them in the processor view, where Bindplane shows a snapshot of the telemetry via the OpAMP connection.

Click View on the Recommendation to see an example SecOps Standardization processor configuration.
Set these values in the SecOps Standardization Processor configuration:
Log type: AUDITD
Namespace: linux-app-audit
Ingestion Labels KV: application training

This will add the following Attributes fields. Note that these fields could also be added manually with the Add Fields processor; the SecOps Standardization processor simply makes this easy to do.

Silent Host Monitoring
View the Silent Host Monitoring how-to guide to learn more.
Configure Windows Events Log Collection
The same configuration will work for Windows Events as a Source.
Make sure to check Raw Logs under Advanced in the Windows Events Source.
