Live Workshop: Integrate Google SecOps with Bindplane - Join Us on January 29th at 11 AM ET!Sign Up Now

Google SecOps Standardization

warning

This processor requires agent version 1.64.0 or newer to send fields to Google SecOps. In older agent versions, namespace and ingestion label fields will be added to telemetry but not parsed in Google SecOps.


Description

The Google SecOps Standardization processor can be used to add the log_type ingestion label, which specefies the appropriate SecOps Parser for your logs.

Use

The Google SecOps Standardization processor is to be used alongside the Google SecOps Exporter. This processor allows the user to configure the log type, namespace, and ingestion labels for logs sent to SecOps.

Supported Types

MetricsLogsTraces

Configuration

FieldDescription
Log TypeThe type of log that will be sent.
NamespaceUser-configured environment namespace to identify the data domain the logs originated from.
Ingestion LabelsKey-value pairs of labels to be applied to the logs when sent to chronicle.

Example Configuration

Configure Google SecOps for Windows events

This example configuration sets logType to "WINEVTLOG", namespace to "security", and ingestionLabels to a key-value pair: "environment" and "production".

Web Interface

observIQ docs - Rename Field - image 1

Standalone Processor

yaml
1apiVersion: bindplane.observiq.com/v1
2kind: Processor
3metadata:
4  id: google_secops_standardization
5  name: google_secops_standardization
6spec:
7  type: google_secops_standardization
8  parameters:
9    - name: telemetry_types
10      value: ['Logs']
11    - name: condition
12      value: 'true'
13    - name: googleSecOpsStandardization
14      value:
15        condition: true
16        logType: WINEVTLOG
17        namespace: status
18        ingestionLabels:
19          environment: production