Google SecOps with Bindplane Quick Start

Sign up for Bindplane Cloud. We recommend using Bindplane Cloud to get started. It's the fastest and easiest way to build out your telemetry pipelines. It includes a free tier for proof-of-concepts and development projects.

If you want to see self-hosted options, view the solutions, here.

Bindplane Architecture Diagram

Configure your Bindplane Organization

Give your Organization a name.

After you sign in for the first time, you can check in the Organization, Project, and License level in the upper right menu.

Configure the SecOps Destination

Create a Configuration with a Destination for sending data to your Google SecOps instance.

Destinations can be created within Configurations for Agents. You'll learn how to create one in the Library, so that it can be used by multiple Configurations.

Go to Library in the UI. Click Add Destination, and select Google SecOps.

You can use two different APIs within Google SecOps. This guide will showcase the default gRPC API.

You can set the appropriate region, by following the “Read More About Regional Endpoints” link and finding the endpoint appropriate for your area.

Customer ID

You can find your SecOps Customer ID under Settings > Profile > Organization Details in the SecOps Interface.

JSON Authentication

JSON Authentication is the recommended Authentication Method for sending data to SecOps.

You can download a JSON file from the SecOps Interface under Settings > Collection Agents > Ingestion Authentication File.

Copy and paste the JSON contents into the Credentials field and set the Customer ID. These are the two required settings to send data to Google SecOps.

Save the configuration, and name the Destination Configuration.

It's now saved to the Library and can be used for any of your Configurations.

Configure Linux auditd Log Collection

Now, you'll configure collection of auditd logs on a Linux machine.

Install a Collector

First, deploy the BDOT Collector on your Linux machine. Navigate to Agents > Platform Linux, and select Agent Type of 1.x.

The next step will have a one-line install script. Run this on your Linux machine wait to see the OTel Collector appear in the list.

Configure the Linux auditd Logs Source

Create a new Configuration.

Add the "File" Source.

Add the default file path for auditd.

1/var/log/audit/audit.log

Set Parse Format: None. This is because parsing is done in Google SecOps and is not required beforehand.

Set the Start At to beginning.

Add the Google SecOps Destination that was created earlier and Save the Configuration.

The configuration will not have any collectors attached right away. To add a collector, click the Add Agent at the bottom of the Configuration and Start Rollout to deploy it.

View the Configuration File

You can view the OpenTelemetry Collector pipeline configuration by clicking View Configuration File.

This pipeline may be useful for troubleshooting, or as a reference. This is the configuration that is rolled out to the collectors via the OpAMP protocol.

1# This configuration is managed by Bindplane.
2# Configuration: linux-auditd-secops:1
3receivers:
4  filelog/source@_01JH89S7FGQE45F1SWFTGKN81N:
5    delete_after_read: false
6    encoding: utf-8
7    fingerprint_size: 1kb
8    force_flush_period: 500ms
9    include:
10      - /var/log/audit/audit.log
11    include_file_name: true
12    include_file_name_resolved: false
13    include_file_path: false
14    include_file_path_resolved: false
15    max_concurrent_files: 1024
16    max_log_size: 1MiB
17    operators:
18      - field: attributes.log_type
19      type: add
20      value: file
21    poll_interval: 200ms
22    retry_on_failure:
23      enabled: false
24    start_at: beginning
25    storage: file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N
26
27processors:
28  resourcedetection/source@_01JH89S7FGQE45F1SWFTGKN81N:
29    detectors:
30      - system
31    system:
32      hostname_sources:
33        - os
34
35exporters:
36  chronicle/SecOps:
37  compression: gzip
38  creds: (sensitive)
39  customer_id: b536658e-469e-44a5-b764-d5ab15b72ce0
40  endpoint: malachiteingestion-pa.googleapis.com
41  log_type: NIX_SYSTEM
42  namespace: null
43  raw_log_field: body
44  retry_on_failure:
45    enabled: true
46    initial_interval: Ss
47    max_elapsed_time: 300s
48    max_interval: 30s
49  sending_queue:
50    enabled: true
51    num_consumers: 10
52    queue_size: 5000
53    storage: file_storage/SecOps
54  timeout: 5s
55
56extensions:
57  file_storage/SecOps:
58    compaction:
59      directory: ${0IQ_OTEL_COLLECTOR_HOME}/storage
60      on_rebound: true
61    directory: ${0I1Q_OTEL_COLLECTOR_HOME}/storage
62  file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N:
63    compaction:
64      directory: ${0IQ_OTEL_COLLECTOR_HOME}/storage
65      on_rebound: true
66    directory: ${0I1Q_OTEL_COLLECTOR_HOME}/storage
67
68# ...

Configure SecOps Standardization Processor

The auditd logs are now flowing to Google SecOps via the collector. You can see it in the processor view where Bindplane shows a snapshot of the telemetry via the OpAMP connection.

Follow the Recommendation with View, where it will show an example SecOps Standardization processor configuration.

Set these values in the SecOps Standardization Processor configuration:

• Log type: AUDITD
• Namepace: linux-app-audit
• Ingestion Labels KV: application training

This will add the following Attributes field. Note that these fields could also be added manually with the Add Fields processor. The SecOps Standardization makes this easy to do.

Silent Host Monitoring

View the Silent Host Monitoring how-to guide to learn more.

Configure Windows Events Log Collection

The same configuration will work for Windows Events as a Source.

Make sure to check Raw Logs, under Advanced in the Windows Event Source