Complimentary Gartner® Report! 'A CTO's Guide to Open-Source Software: Answering the Top 10 FAQs.'Read more

Google SecOps (Chronicle)

Currently only v2 of the ingestion API is supported

Supported Types

MetricsLogsTraces

Prerequisites

Before setting up the Google SecOps destination, ensure you have a Google Cloud account and access to the Google SecOps security analytics platform. More details on setting this up can be found in the Google Cloud documentation here.

Configuration Fields

FieldDescription
EndpointThe endpoint for sending to Google SecOps.
Authentication MethodMethod used for authenticating to Google Cloud: auto, json, file.
CredentialsJSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'.
Credentials FilePath to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'.
Log TypeType of log to be sent to Google SecOps. The Supported Log Types can be seen here.
Customer IDThe customer ID used for sending logs.
Raw Log FieldThe OTTL formatted field name that contains the raw log data.

Sources

Google SecOps expects to be sent raw unstructured logs. Therefore, when sending logs to SecOps, you should only use the following supported sources:

  • Windows Events (With Advanced -> “Raw Logs” enabled)
  • Microsoft SQL Server
  • Common Event Format
  • CSV
  • File
  • HTTP
  • TCP
  • UDP

Log Type Handling / Google SecOps Parsing

Google Secops uses the log_type ingestion label to determine which SecOps Parser should be applied to logs. In BindPlane you can set the log_type ingestion label in one of the following ways:

  1. Automatic Mapping: BindPlane will automatically create the log_type ingestion label for sources that use one of the following log_types. In these cases, you don’t need to take any action.

    attributes[“log_type”]chronicle_log_type (Ingestion Label)
    windows_event.securityWINEVTLOG
    windows_event.applicationWINEVTLOG
    windows_event.systemWINEVTLOG
    sql_serverMICROSFT_SQL
  2. Set Google SecOps Log Type: You can specify a new log attribute called chronicle_log_type and set its value to the appropriate SecOps ingestion label (log_type). It’s best practice to always explicitly set this when sending logs to Google Secops. You should use the Add Fields processor to set this attribute.

    observIQ docs - Chronicle Destination - image 1

    Note: This field will take precedence over any automatic mapping that may occur.

  3. Fallback: The Google SecOps Destination has a Log Type field that you can set as a fallback option, in the case that you did not set chronicle_log_type or BindPlane couldn’t automatically map the log_type for you.

Credentials

This exporter requires a Google Cloud service account with access to the Google SecOps API. The service account must have access to the endpoint specfied in the config. Besides the default endpoint (https://malachiteingestion-pa.googleapis.com), there are also regional endpoints that can be used here.

For additional information on accessing SecOps, see the Chronicle documentation.

Supported Retry and Queuing Settings

This destination supports the following retry and queuing settings:

Sending QueuePersistent QueueRetry on Failure

Example Configuration

Basic Configuration

This configuration sets up the Google SecOps destination with necessary details such as region, authentication method, credentials, and log type.

observIQ docs - Chronicle Destination - image 1