
Google SecOps: Configuring the 'HTTPS' (Dataplane API) protocol

Overview

The Google SecOps destination can use either the gRPC or the HTTPS connection method. The two are similar, but the exporter connects to different APIs depending on which one is selected. Using HTTPS instead of gRPC can be a good option when limitations in the environment prevent a gRPC connection.

Creating a Role in Google Cloud

We first need to create a role so that our service account has the least privilege possible. In IAM & Admin within Google Cloud, go to the 'Roles' section in the sidebar and click "+ CREATE ROLE".

Add Role

For the sake of this walkthrough we can use "Bindplane_Secops" for both the Title and the ID, which makes the role easy to identify later. Next go to 'Add Permissions', type chronicle.logs.import in the box next to 'Filter', check the box next to the permission, and click Add.

Add Permissions

Creating a Service Account in Google Cloud

With the role created, go to the 'Service Accounts' section of the sidebar.

Service Account in the Sidebar

From there, click 'Create Service Account' in the top bar of that page. Give the service account a name and a description, then click 'Create and Continue'.

Service Account User

Configuring permissions

The next section of the page lets you select permissions. Use the new role we just created for this purpose: Bindplane_Secops.

Permissions

Create and Download the API Key

With the service account created, on the 'Service Accounts' page click the three dots next to the new service account and choose 'Manage Keys'.

Click the 'ADD KEY' drop-down and then the 'Create New Key' button. Choose the JSON key type.

Add Key

This downloads the key to your workstation; we will use it in Bindplane next. The file contains the service account's private key, so treat it as a secret.

Enable the API

In the 'APIs & Services' section of Google Cloud, we need to check for the Chronicle API. Click the 'Enable APIs and Services' button at the top of the screen.

Verify API Access

That brings you to the API Library. Use the search bar in the middle of the page to search for 'chronicle api'. Click the result and make sure it says "API Enabled" with a green check mark next to the 'Manage' button.
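The Google Cloud steps above (custom role, service account, role binding, JSON key, API enablement and the "is it enabled?" check) can also be done with gcloud, which makes the least-privilege setup reproducible and easy to review. The script below is an added example and is not Bindplane's or Google's own tooling; the project ID, service account name and key file name are placeholders, and by default it only prints the commands it would run (set APPLY=1 to execute them).

```shell
#!/bin/sh
# Added example: scripted version of the console walkthrough using gcloud.
# Dry-run by default (prints each command); APPLY=1 runs them for real.
# PROJECT_ID, SA_NAME and KEY_FILE are placeholders, not values from the docs.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"         # placeholder project ID
ROLE_ID="${ROLE_ID:-Bindplane_Secops}"             # role title/ID used in the walkthrough
SA_NAME="${SA_NAME:-bindplane-secops}"             # service account name (assumption)
KEY_FILE="${KEY_FILE:-bindplane-secops-key.json}"  # where the JSON key is written

# Resource names derived from the inputs, kept in functions so they can be checked.
sa_email()  { printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"; }   # project, sa-name
role_name() { printf 'projects/%s/roles/%s' "$1" "$2"; }           # project, role-id

# Execute a command, or only print it when not applying.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

provision() {
  project="$1"; role="$2"; sa="$3"; key="$4"
  member="serviceAccount:$(sa_email "$project" "$sa")"

  # 1. Custom role that carries only chronicle.logs.import (least privilege).
  run gcloud iam roles create "$role" --project="$project" \
      --title="$role" --permissions=chronicle.logs.import --stage=GA

  # 2. Service account that Bindplane will authenticate as.
  run gcloud iam service-accounts create "$sa" --project="$project" \
      --display-name="Bindplane SecOps exporter"

  # 3. Bind the custom role (not a broad predefined role) to that service account.
  run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="$(role_name "$project" "$role")"

  # 4. JSON key; the whole file is what gets pasted into the Bindplane credentials box.
  run gcloud iam service-accounts keys create "$key" \
      --iam-account="$(sa_email "$project" "$sa")" --key-file-type=json

  # 5. Enable the Chronicle API and list it back to confirm it is enabled.
  run gcloud services enable chronicle.googleapis.com --project="$project"
  run gcloud services list --enabled --project="$project" \
      --filter="config.name:chronicle.googleapis.com"
}

provision "$PROJECT_ID" "$ROLE_ID" "$SA_NAME" "$KEY_FILE"
```

Run it once without APPLY to review the plan, then with APPLY=1. Step 5's list command should print chronicle.googleapis.com; if it prints nothing, the API is not enabled in that project and the HTTPS destination will not be able to import logs.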

Configure the SecOps Destination

Now, in Bindplane, add the Google SecOps destination and first change the protocol to 'https'. Select your region; the authentication method will be 'json'. Copy the entire contents of the JSON key file we just downloaded and paste them into the credentials box. Specify a fallback log type; any valid log type such as 'WINEVTLOG' will do.
The next few values come from Google SecOps. Go to the Google SecOps settings page. Under 'Profile' you can find the Customer ID, and the 'GCP Project Number' is on the same page as well.

Now we need the 'Forwarder Config ID' from the 'Forwarders' page in the settings within Google SecOps. If you do not have a forwarder already, go to 'Add New Forwarder', enter a name, and click 'Submit'. The Forwarder Config ID to enter in Bindplane is the value in the 'Config ID' column on the Forwarders page.
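Most failures at this stage come from pasting a partial key file, using the GCP project ID where the project number belongs, or mixing up the Customer ID and Forwarder Config ID. The following pre-flight check is an added example, not part of the Bindplane docs, that validates those values before they go into the destination form. It assumes the Customer ID and Forwarder Config ID are UUID-formatted and the GCP Project Number is digits only; the sample key it writes is constructed with fake values and contains no real key material.

```shell
#!/bin/sh
# Added example: sanity-check the values collected for the SecOps HTTPS destination.
# Assumptions: Customer ID and Forwarder Config ID are UUIDs; project number is numeric.
set -eu

UUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

is_uuid()   { printf '%s' "$1" | grep -Eq "$UUID_RE"; }
is_digits() { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }

# The credential must be the whole service-account key file, not a fragment:
# a JSON object of type "service_account" with a client_email and a PEM private key.
is_service_account_key() {
  f="$1"
  grep -q '"type": *"service_account"' "$f" &&
  grep -q '"client_email": *"[^"]*@[^"]*\.iam\.gserviceaccount\.com"' "$f" &&
  grep -q 'BEGIN PRIVATE KEY' "$f" &&
  grep -q 'END PRIVATE KEY' "$f"
}

# Returns 0 only when every field has the shape the destination expects;
# prints one line per problem otherwise.
check_destination_inputs() {
  keyfile="$1"; customer="$2"; project_number="$3"; forwarder="$4"; logtype="$5"
  ok=0
  is_service_account_key "$keyfile" || { echo "credentials: not a complete service_account JSON key"; ok=1; }
  is_uuid "$customer"               || { echo "customer ID: expected a UUID"; ok=1; }
  is_digits "$project_number"       || { echo "GCP project number: expected digits only (not the project ID)"; ok=1; }
  is_uuid "$forwarder"              || { echo "forwarder config ID: expected a UUID"; ok=1; }
  printf '%s' "$logtype" | grep -Eq '^[A-Z0-9_]+$' || { echo "fallback log type: expected a name like WINEVTLOG"; ok=1; }
  return $ok
}

# Constructed sample key file (fake values, no real key) for a demonstration run.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEKEYMATERIAL\n-----END PRIVATE KEY-----\n",
  "client_email": "bindplane-secops@my-gcp-project.iam.gserviceaccount.com"
}
EOF
}

sample="$(mktemp)"
write_sample_key "$sample"
if check_destination_inputs "$sample" \
     "11111111-2222-3333-4444-555555555555" "123456789012" \
     "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" "WINEVTLOG"; then
  echo "inputs look complete; paste them into the Bindplane destination"
fi
rm -f "$sample"
```

Replace the sample file and constructed IDs with your own downloaded key and the values from the SecOps settings page; any line the script prints points at the field to fix before saving the destination.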

Verify

Now that the destination has been added, check for telemetry in SecOps. If you do not see any, add a 'Bindplane Agent' source so you can see your agent's logs and look for errors. Please open a support ticket if you run into problems.