Google SecOps Configuring the 'HTTPS' protocol

Overview

The Google SecOps Destination can connect using either gRPC or HTTPS. The two methods are similar, but each one connects the exporter to a different API. HTTPS can be a good option when limitations in the environment make a gRPC connection impossible.

Creating a Service Account in Google Cloud

Navigate to IAM & Admin in Google Cloud to create a service account that we will use. We will first go to the 'Service Accounts' section.

Service Account in the Sidebar

From there, click 'Create Service Account' in the top bar of that page. Give the service account a name and a description, then click 'Create and Continue'.

Service Account User

Configuring permissions

The next section of the page will allow you to select permissions. These are usually the only permissions needed, but it depends on your organization:

Chronicle API Admin
Chronicle Service Agent
Chronicle SOAR Service Agent

Permissions

Create and Download the API Key

With that user created, on the 'Service Accounts' page, click the 3 dots next to the new Service Account. Click 'Manage Keys'.

Click the 'ADD KEY' drop-down and then the 'Create New Key' button. You will want this in JSON.

Add Key

This will download the key to your workstation. We will use it in Bindplane next.

Enable the API

In the 'APIs & Services' section of Google Cloud, we need to check for the Chronicle API. Click the 'Enable APIS and Services' button at the top of the screen.

Verify API Access

That will bring you to the API Library. Use the search bar in the middle of the page to search for 'chronicle api'. Click the result and make sure it says "API Enabled" with a green check mark next to the 'Manage' button.

Configure the SecOps Destination

Now in Bindplane we can add the Google SecOps destination. First, change the protocol to 'https'. Select your region, and set the authentication method to 'json'. Copy the entire contents of the JSON file we just downloaded and paste it into the credentials box. Specify a fallback log type as well. You can use any valid log type, such as 'WINEVTLOG'.
The next few items we can collect from Google SecOps. Go to the Google SecOps settings page. Under 'Profile' we can get our Customer ID, and 'GCP Project ID' is on the same page as well.

Now we need to get our 'Forwarder Config ID' from the 'Forwarders' page in the settings within Google SecOps. If you do not have a forwarder already, go to 'Add New Forwarder', create a name, and click 'Submit'. The Forwarder Config ID we need to enter in Bindplane is the value in the 'Config ID' column on the Forwarder page.
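
A pre-flight check for the downloaded JSON key before it is pasted into the credentials box, as an added example that is not part of Bindplane or Google SecOps. It assumes the service account was created in the same project that SecOps shows as 'GCP Project ID'; the function names and the sample key values are constructed for illustration.

```python
import json
import os
import stat

# Fields found in a Google Cloud service-account key downloaded as JSON.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")

# Constructed sample: every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-secops-project",
    "private_key_id": "0000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "bindplane@example-secops-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def check_key(raw_json, expected_project):
    """Return a list of problems found in the text of a key file."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (partial copy?): {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    # Assumption: the service account lives in the project SecOps reports.
    if key.get("project_id") and key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']!r} != {expected_project!r}")
    pem = key.get("private_key")
    if pem and not (isinstance(pem, str)
                    and pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    return problems

def check_key_file(path, expected_project):
    """Validate a key file and flag group/world-accessible permissions."""
    with open(path, encoding="utf-8") as fh:
        problems = check_key(fh.read(), expected_project)
    if os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("key file is accessible to group/others; chmod 600")
    return problems

if __name__ == "__main__":
    print(check_key(json.dumps(SAMPLE_KEY), "example-secops-project") or "key looks usable")
```

Call check_key_file with the path of the downloaded key and the 'GCP Project ID' from the SecOps 'Profile' page; an empty list means the file is structurally complete and not readable by other local users.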

Verify

Now that your destination has been added, you can check for telemetry in SecOps. If you do not see any, you may want to add a 'Bindplane Agent' source so you can see your agent's log and look for potential errors. Please open a support ticket if you run into problems.