# Google SecOps (Chronicle)

{% hint style="danger" %}
**Agent v1.94.2 or later required for HTTPS**

Agents running earlier versions may silently drop logs when the SecOps HTTPS endpoint returns transient errors (429, 502, 504).

See [Resolve Intermittent Ingestion Drop for Google SecOps HTTPS Endpoints](https://docs.bindplane.com/how-to-guides/google-secops/resolve-intermittent-ingestion-drop-for-google-secops-https-endpoints) for details and upgrade instructions.
{% endhint %}

{% hint style="info" %}
For collector v1.63.0 or older, Fallback Log Type is required.
{% endhint %}

***

**Currently v2 of the legacy ingestion API and the alpha version of the DataPlane API are supported**

### Supported Types

| Metrics | Logs | Traces |
| ------- | ---- | ------ |
|         | ✓    |        |

### Prerequisites

Before setting up the Google SecOps destination, ensure you have a Google Cloud account and access to the Google SecOps security analytics platform. More details on setting this up can be found in the Google Cloud documentation [here](https://cloud.google.com/chronicle/docs).

### Configuration Fields

#### Protocol

* `gRPC` selects the legacy Ingestion API, using the Malachite endpoints and gRPC for ingestion
* `https` selects the DataPlane API, using the DataPlane endpoints and HTTPS for ingestion - [Setup Walkthrough here](https://docs.bindplane.com/how-to-guides/google-secops/google-secops-configuring-the-https-dataplane-api-protocol)

#### Legacy Ingestion API (Malachite)

<table><thead><tr><th width="214.51953125">Field</th><th>Description</th></tr></thead><tbody><tr><td>Endpoint</td><td>The endpoint for sending to Google SecOps.</td></tr><tr><td>Authentication Method</td><td>Method used for authenticating to Google Cloud: auto, json, file.</td></tr><tr><td>Credentials</td><td>JSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'.</td></tr><tr><td>Credentials File</td><td>Path to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'.</td></tr><tr><td>Fallback Log Type</td><td>Type of log to be sent to Google SecOps. This field is a fallback if type is not configured using the Google SecOps Standardization processor. The Supported Log Types can be seen <a href="https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">here</a>.</td></tr><tr><td>Customer ID</td><td>The customer ID used for sending logs.</td></tr><tr><td>Field to Send</td><td>If <code>Send Single Field</code> is selected, <code>Body</code> or <code>Attributes</code> to select the source of the field to send</td></tr><tr><td>Body Field or Attribute Field</td><td>If <code>Send Single Field</code> is selected, an <a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/contexts/ottllog/README.md">OTTL formatted</a> field from either the <code>Body</code> or <code>Attributes</code> that contains the raw log data</td></tr></tbody></table>

#### DataPlane API (https)

<table><thead><tr><th width="195.84765625">Field</th><th>Description</th></tr></thead><tbody><tr><td>Region</td><td>The Google SecOps region to send to. Ingestion will only succeed for regions your credentials are provisioned for.</td></tr><tr><td>Authentication Method</td><td>Method used for authenticating to Google Cloud: auto, json, file.</td></tr><tr><td>Credentials</td><td>JSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'.</td></tr><tr><td>Credentials File</td><td>Path to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'.</td></tr><tr><td>Fallback Log Type</td><td>Type of log to be sent to Google SecOps. This field is a fallback if type is not configured using the Google SecOps Standardization processor. The Supported Log Types can be seen <a href="https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers">here</a>.</td></tr><tr><td>Customer ID</td><td>The customer ID used for sending logs.</td></tr><tr><td>GCP Project Number</td><td>The GCP Project Number used for sending logs. This can be located in settings on your profile page.</td></tr><tr><td>Field to Send</td><td>If <code>Send Single Field</code> is selected, <code>Body</code> or <code>Attributes</code> to select the source of the field to send</td></tr><tr><td>Body Field or Attribute Field</td><td>If <code>Send Single Field</code> is selected, an <a href="https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/pkg/ottl/contexts/ottllog/README.md">OTTL formatted</a> field from either the <code>Body</code> or <code>Attributes</code> that contains the raw log data</td></tr></tbody></table>

### Sources

Google SecOps expects raw, unstructured logs. When sending logs to SecOps, use only the following supported sources:

* Windows Events (With Advanced -> “Raw Logs” enabled)
* Microsoft SQL Server
* Common Event Format
* CSV
* File
* HTTP
* TCP
* UDP

### Log Type Handling / Google SecOps Parsing

Google SecOps uses the `log_type` [ingestion label](https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers) to determine which SecOps parser is applied to each log. In Bindplane you can set the `log_type` ingestion label in one of the following ways:

1. **Automatic Mapping**: Bindplane will automatically create the `log_type` ingestion label for sources that use one of the following `log_type`s. In these cases, you don’t need to take any action.

   | `attributes["log_type"]`   | `chronicle_log_type` (Ingestion Label) |
   | -------------------------- | -------------------------------------- |
   | windows\_event.security    | WINEVTLOG                              |
   | windows\_event.application | WINEVTLOG                              |
   | windows\_event.system      | WINEVTLOG                              |
   | sql\_server                | MICROSOFT\_SQL                         |
2. **Set Google SecOps Log Type**: You can use the [Google SecOps Standardization Processor](https://docs.bindplane.com/integrations/processors/google-secops-standardization) to specify the appropriate SecOps [ingestion label](https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers) (`log_type`). It is best practice to always set this explicitly when sending logs to Google SecOps. You can optionally specify a namespace to identify an appropriate data domain and add additional ingestion labels to configure custom metadata.

<figure><img src="https://1405008107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FgmiOMzBfoNFwmKJFHMcJ%2Fuploads%2Fgit-blob-c9b83d671f05ec0496e5c31edcbe56f1037ccc59%2Fintegrations-destinations-google-secops-chronicle-image-1.png?alt=media" alt="Bindplane docs - Google SecOps Chronicle - image 1"><figcaption></figcaption></figure>

**Note**: A `chronicle_log_type` set explicitly with the Google SecOps Standardization processor takes precedence over any automatic mapping that would otherwise occur.

3. **Fallback**: The Google SecOps Destination has a Fallback Log Type field that you can set as a fallback option, in the case that you did not set `chronicle_log_type` or Bindplane couldn’t automatically map the `log_type` for you.
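The three steps above form a precedence order: an explicit `chronicle_log_type`, then automatic mapping from the source's `log_type`, then the destination's Fallback Log Type. The following is an added illustration of that resolution order, not Bindplane's own code. Attribute names follow the page; the `route_batch` grouping and its `unroutable` bucket are assumptions made here so the failure mode (a record that resolves to no log type at all) is visible instead of silent, and the sample records are constructed.

```python
"""Resolve the SecOps ingestion label for each log record in the precedence
the page describes: explicit chronicle_log_type, then automatic mapping from
the source's log_type, then the destination's Fallback Log Type.

Added illustration, not Bindplane's code. route_batch and the 'unroutable'
bucket are this example's assumptions; sample records are constructed.
"""
from typing import Any, Dict, List, Optional, Tuple

# Automatic mapping from the page: source log_type -> SecOps ingestion label.
AUTOMATIC_MAPPING: Dict[str, str] = {
    "windows_event.security": "WINEVTLOG",
    "windows_event.application": "WINEVTLOG",
    "windows_event.system": "WINEVTLOG",
    "sql_server": "MICROSOFT_SQL",  # SecOps label for Microsoft SQL Server
}


def resolve_log_type(attributes: Dict[str, str], fallback_log_type: Optional[str]) -> Optional[str]:
    """Return the ingestion label for one record, or None if nothing applies."""
    # 1. A label set by the Google SecOps Standardization processor wins outright.
    explicit = attributes.get("chronicle_log_type")
    if explicit:
        return explicit
    # 2. Otherwise map a known source log_type automatically.
    mapped = AUTOMATIC_MAPPING.get(attributes.get("log_type", ""))
    if mapped:
        return mapped
    # 3. Otherwise use the destination's Fallback Log Type (may be unset).
    return fallback_log_type or None


def route_batch(
    records: List[Dict[str, Any]], fallback_log_type: Optional[str]
) -> Tuple[Dict[str, List[Dict[str, Any]]], List[Dict[str, Any]]]:
    """Group records by resolved label (assumption: one label per request) and
    collect records that resolve to no label so the caller can alert on them
    rather than losing them silently."""
    routed: Dict[str, List[Dict[str, Any]]] = {}
    unroutable: List[Dict[str, Any]] = []
    for record in records:
        label = resolve_log_type(record.get("attributes", {}), fallback_log_type)
        if label is None:
            unroutable.append(record)
        else:
            routed.setdefault(label, []).append(record)
    return routed, unroutable


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"body": "<Event>...</Event>",
     "attributes": {"log_type": "windows_event.security"}},
    {"body": "2024-01-01 00:00:01 Login failed for user 'sa'.",
     "attributes": {"log_type": "sql_server"}},
    # Explicit label from the processor; the source log_type alone would not map.
    {"body": "<13>Jan  1 00:00:02 host sshd[42]: Failed password for root",
     "attributes": {"log_type": "syslog", "chronicle_log_type": "NIX_SYSTEM"}},
    # No explicit label and no automatic mapping: depends on the fallback.
    {"body": "custom app line", "attributes": {"log_type": "file"}},
]

if __name__ == "__main__":
    routed, unroutable = route_batch(SAMPLE_RECORDS, fallback_log_type=None)
    for label, recs in routed.items():
        print(f"{label}: {len(recs)} record(s)")
    print(f"unroutable without a fallback: {len(unroutable)}")
```

Running it with no fallback leaves the `file` record unroutable; setting a Fallback Log Type of `NIX_SYSTEM` sends it in the same request group as the syslog record.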

### Credentials

This exporter requires a Google Cloud service account with access to the Google SecOps API. The service account must have access to the endpoint specified in the config. For the legacy API (`gRPC`), besides the default endpoint (<https://malachiteingestion-pa.googleapis.com>), regional endpoints are listed [here](https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints). When using the DataPlane API (`https`), the available regions are listed [here](https://cloud.google.com/chronicle/docs/reference/feed-management-api#regional-endpoints). Note that some region-specific endpoints may not be enabled for all SecOps tenants. If ingestion returns a 403 error, try a multi-region endpoint instead.

The service account key is a long-lived secret. When using the `file` method, restrict the file's permissions to the collector's user; when using the `json` method, keep the credential value out of version control and of any exported or shared configuration; in either case, grant the service account only the SecOps ingestion permissions it needs.

For additional information on accessing SecOps, see the [Chronicle documentation](https://cloud.google.com/chronicle/docs/reference/ingestion-api#getting_api_authentication_credentials), and [DataPlane documentation](https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.logTypes.logs/import)

### Supported Retry and Queuing Settings

This destination supports the [retry settings](https://docs.bindplane.com/configuration/bindplane-otel-collector/retry-on-failure), the [sending queue settings](https://docs.bindplane.com/configuration/bindplane-otel-collector/sending-queue), and the [persistent queue settings.](https://docs.bindplane.com/configuration/bindplane-otel-collector/persistent-queue)

| Sending Queue | Persistent Queue | Retry on Failure |
| ------------- | ---------------- | ---------------- |
| ✓             | ✓                | ✓                |
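The retry settings exist because a transient response (such as the 429, 502 and 504 mentioned at the top of this page) must be retried rather than treated as delivery, while a permanent one (such as the 403 described under Credentials) should fail fast. The following is an added example of that distinction with exponential backoff and full jitter; it is not the collector's retry implementation (configure that through the settings linked above). The status classification, the attempt and interval parameters, and the `fake_transport` that replays a constructed sequence of status codes are this example's assumptions so that it runs offline.

```python
"""Retry a SecOps ingestion request on transient HTTP errors with exponential
backoff and full jitter; give up immediately on permanent errors.

Added example, not the collector's own retry code. Status classification,
parameters and the fake transport are this example's assumptions.
"""
import random
from typing import Callable, List, Optional, Tuple

# Assumed transient set: retrying these is safe and expected.
TRANSIENT_STATUSES = {408, 429, 500, 502, 503, 504}


def is_transient(status: int) -> bool:
    return status in TRANSIENT_STATUSES


def send_with_retry(
    send: Callable[[bytes], int],
    payload: bytes,
    max_attempts: int = 5,
    initial_interval: float = 1.0,
    max_interval: float = 30.0,
    sleep: Callable[[float], None] = lambda _s: None,
    rng: Optional[random.Random] = None,
) -> Tuple[bool, int, int]:
    """Return (delivered, attempts_used, last_status).

    A False result means the caller still owns the payload and must queue or
    log it; discarding it silently is the failure mode the page warns about."""
    rng = rng or random.Random()
    backoff = initial_interval
    status = 0
    for attempt in range(1, max_attempts + 1):
        status = send(payload)
        if 200 <= status < 300:
            return True, attempt, status
        if not is_transient(status):
            # e.g. 403: wrong region or missing permission; retrying cannot help.
            return False, attempt, status
        if attempt == max_attempts:
            break
        sleep(rng.uniform(0, backoff))  # full-jitter backoff
        backoff = min(backoff * 2, max_interval)
    return False, max_attempts, status


def fake_transport(statuses: List[int]) -> Callable[[bytes], int]:
    """Constructed transport: replays the given status codes, then answers 200."""
    queue = list(statuses)

    def send(_payload: bytes) -> int:
        return queue.pop(0) if queue else 200

    return send


if __name__ == "__main__":
    print(send_with_retry(fake_transport([429, 502]), b"log batch"))
    print(send_with_retry(fake_transport([403]), b"log batch"))
```

The first call succeeds on the third attempt after two transient failures; the second returns immediately with the 403 so the operator sees a configuration problem instead of a retry loop.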

### Log Batch Creation Limits

This exporter supports configuring the batch request size so as not to exceed the SecOps backend limits. Batches that exceed the configured limit are recursively split into smaller requests that fit within it before being sent to Google SecOps. The default limit for this exporter is 4000000 bytes (4 MB) per request. Do not increase this value without guidance from your Google SecOps or Bindplane representative.

If the setting is misconfigured to exceed the SecOps backend limit, requests that exceed the backend limit will be rejected, and the logs they contain will be dropped.
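The following is an added example of the recursive splitting described above, not the exporter's own code. It halves any batch whose estimated request size exceeds the limit until every request fits, and separately surfaces a single entry that is larger than the limit on its own, since that entry cannot be split and would be rejected by the backend. The size estimate (UTF-8 bytes per entry plus a small assumed per-entry and per-request overhead) is a constructed stand-in for the real serialized request size, so treat the numbers as illustrative; `DEFAULT_LIMIT` mirrors the page's 4000000-byte default.

```python
"""Recursively split a batch of raw log entries so that no request exceeds the
SecOps request-size limit, and surface entries that can never fit.

Added example, not the exporter's code. The size estimate and overhead
constants are assumptions; the real exporter measures the serialized request.
"""
from typing import List, Tuple

DEFAULT_LIMIT = 4_000_000        # page default: 4000000 bytes per request
PER_ENTRY_OVERHEAD = 2           # assumed framing bytes per entry
PER_REQUEST_OVERHEAD = 64        # assumed fixed bytes per request (log type, customer ID, ...)


def request_size(entries: List[str]) -> int:
    """Estimated serialized size of one request carrying these entries."""
    return PER_REQUEST_OVERHEAD + sum(
        len(e.encode("utf-8")) + PER_ENTRY_OVERHEAD for e in entries
    )


def split_batch(entries: List[str], limit: int = DEFAULT_LIMIT) -> Tuple[List[List[str]], List[str]]:
    """Return (requests, oversized).

    Every request in 'requests' fits within limit. 'oversized' holds entries
    that exceed the limit by themselves: they cannot be split any further and
    the backend would reject them, so the caller should count and log them
    instead of retrying forever."""
    if not entries:
        return [], []
    if request_size(entries) <= limit:
        return [list(entries)], []
    if len(entries) == 1:
        return [], [entries[0]]
    mid = len(entries) // 2
    left_reqs, left_big = split_batch(entries[:mid], limit)
    right_reqs, right_big = split_batch(entries[mid:], limit)
    return left_reqs + right_reqs, left_big + right_big


def check_split(entries: List[str], requests: List[List[str]], oversized: List[str], limit: int) -> bool:
    """Invariants: nothing lost or duplicated, and every request is within limit."""
    flat = [e for req in requests for e in req] + oversized
    return sorted(flat) == sorted(entries) and all(request_size(r) <= limit for r in requests)


if __name__ == "__main__":
    # Constructed input: five 30-byte lines and one 300-byte line, tiny limit for illustration.
    batch = ["a" * 30] * 5 + ["x" * 300]
    reqs, big = split_batch(batch, limit=200)
    print([len(r) for r in reqs], "requests;", len(big), "oversized entry(s)")
    print("invariants hold:", check_split(batch, reqs, big, 200))
```

With the constructed limit of 200 bytes, the five small entries are delivered in two requests and the 300-byte entry is reported as oversized rather than being sent in a request the backend would reject.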

