Google SecOps (Chronicle)
warning
For agent v1.63.0 or older, Fallback Log Type is required.
Currently v2 of the legacy ingestion API and the alpha version of the DataPlane API are supported
Supported Types
| Metrics | Logs | Traces |
|---|---|---|
| ✓ |
Prerequisites
Before setting up the Google SecOps destination, ensure you have a Google Cloud account and access to the Google SecOps security analytics platform. More details on setting this up can be found in the Google Cloud documentation here
Configuration Fields
Protocol
gRPCselects the legacy API, using the malachite endpoints and gRPC for injestionhttpsselects the DataPlane API, using the DataPlane endpoints and HTTP for ingestion
Legacy Ingestion API (Malachite)
| Field | Description |
|---|---|
| Endpoint | The endpoint for sending to Google SecOps. |
| Authentication Method | Method used for authenticating to Google Cloud: auto, json, file. |
| Credentials | JSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'. |
| Credentials File | Path to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'. |
| Log Type | Type of log to be sent to Google SecOps. The Supported Log Types can be seen here. |
| Customer ID | The customer ID used for sending logs. |
| Field to send | If Send Single Field is selected, Body or Attributes to select the source of the field to send |
| Body Field or Attribute Field | If Send Single Field is selected, an OTTL formatted field from either the Body or Attributes that contains the raw log data |
DataPlane API (https)
| Field | Description |
|---|---|
| Region | The Google SecOps region to send to. Injestion will only succeed for regions your credentials are provisioned for. |
| Authentication Method | Method used for authenticating to Google Cloud: auto, json, file. |
| Credentials | JSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'. |
| Credentials File | Path to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'. |
| Log Type | Type of log to be sent to Google SecOps. The Supported Log Types can be seen here. |
| Customer ID | The customer ID used for sending logs. |
| Project Name | The project name used for sending logs. Found in the Google Cloud Platform section of the SecOps settings. |
| Forwarder Name | The Config ID of the forwarder used for sending logs. Found in the Forwarders section of the SecOps Settings. |
| Field to send | If Send Single Field is selected, Body or Attributes to select the source of the field to send |
| Body Field or Attribute Field | If Send Single Field is selected, an OTTL formatted field from either the Body or Attributes that contains the raw log data |
Sources
Google SecOps expects to be sent raw unstructured logs. Therefore, when sending logs to SecOps, you should only use the following supported sources:
- Windows Events (With Advanced -> “Raw Logs” enabled)
- Microsoft SQL Server
- Common Event Format
- CSV
- File
- HTTP
- TCP
- UDP
Log Type Handling / Google SecOps Parsing
Google Secops uses the log_type ingestion label to determine which SecOps Parser should be applied to logs. In BindPlane you can set the log_type ingestion label in one of the following ways:
-
Automatic Mapping: BindPlane will automatically create the
log_typeingestion label for sources that use one of the followinglog_types. In these cases, you don’t need to take any action.attributes[“log_type”]chronicle_log_type(Ingestion Label)windows_event.security WINEVTLOG windows_event.application WINEVTLOG windows_event.system WINEVTLOG sql_server MICROSFT_SQL -
Set Google SecOps Log Type: You can use the Google SecOps Standardization Processor to specify the appropriate SecOps ingestion label (
log_type). It’s best practice to always explicitly set this when sending logs to Google Secops. You can optionally specify a namespace to identify an appropriate data domain and add additional ingestion labels to configure custom metadata.
Note: The
log_typefield will take precedence over any automatic mapping that may occur. -
Fallback: The Google SecOps Destination has a Fallback Log Type field that you can set as a fallback option, in the case that you did not set
chronicle_log_typeor BindPlane couldn’t automatically map thelog_typefor you.
Credentials
This exporter requires a Google Cloud service account with access to the Google SecOps API. The service account must have access to the endpoint specfied in the config.
For the legacy API (gRPC), besides the default endpoint (https://malachiteingestion-pa.googleapis.com), there are also regional endpoints that can be used here. When using the DataPlane API (https), the available regions can be found here
For additional information on accessing SecOps, see the Chronicle documentation, and DataPlane documentation
Supported Retry and Queuing Settings
This destination supports the following retry and queuing settings:
| Sending Queue | Persistent Queue | Retry on Failure |
|---|---|---|
| ✓ | ✓ | ✓ |