This document specifies the scope of the services delivered to the end customer through the solution provider.
Installation of Bindplane Agent (observIQ Distro for Open Telemetry Collector) on a Windows AD Server
Use the following URL to download the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector), which is provided as an MSI file for Windows Server.
URL: https://github.com/observIQ/bindplane-otel-collector/releases/latest
After downloading the MSI file, install the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) on the Windows Server.
Creating a PowerShell Script & Configuring Task Scheduler on a Windows AD Server
1. On every Microsoft Windows Active Directory server, create and configure a PowerShell script that collects directory data into an output file. The Bindplane Agent reads that output file and sends the data directly to Chronicle.
2. Create the PowerShell script shown below. Change the value of $outputFilePath to the location where the output file should be written. The Bindplane Agent reads this file; each directory object is stored as one line of JSON.
# Import the Active Directory module
Import-Module ActiveDirectory

# Define the output file path (change this to the location the Bindplane Agent will read from)
$outputFilePath = "C:\AD\output.json"

# Remove the old file if it exists so that every run produces a fresh snapshot
if (Test-Path $outputFilePath) {
    Remove-Item $outputFilePath
}

# Attributes that must not leave the domain controller: LAPS passwords, key credentials,
# password hashes and history, and certificates. They are stripped from computer objects
# below; the same list can be applied to user objects if required.
$excludedAttributes = @('ms-Mcs-AdmPwd', 'msDS-KeyCredentialLink', 'unicodePwd', 'userPassword',
    'lmPwdHistory', 'ntPwdHistory', 'supplementalCredentials', 'ms-TS-GatewayUserPassword',
    'cACertificate', 'userCertificate', 'userSMIMECertificate')

# Get user objects from Active Directory and write each one as a single compressed JSON line
Get-ADUser -Filter * -Properties * | ForEach-Object {
    $_ | ConvertTo-Json -Compress | Out-File -Encoding UTF8 -Append -FilePath $outputFilePath
}

# Get computer objects, drop the excluded attributes, and write each one as a single JSON line
Get-ADComputer -Filter * -Properties * | ForEach-Object {
    $_ | Select-Object -Property * -ExcludeProperty $excludedAttributes |
        ConvertTo-Json -Compress | Out-File -Encoding UTF8 -Append -FilePath $outputFilePath
}

# Output a confirmation message
Write-Host "New output file created: $outputFilePath"
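Before pointing the Bindplane Agent at the output file, it is worth confirming that every line parses as JSON and that none of the attributes the collection script is meant to strip made it into the file. The following check is an added example, not part of the original article; it assumes the script above has already run and written C:\AD\output.json (the article's default path).

```powershell
# Added example (not from the original article): sanity-check output.json before ingestion.
# Assumes the collection script wrote one JSON object per line to the path below.
$outputFilePath = "C:\AD\output.json"

# The attribute list the collection script strips from computer objects
$sensitiveAttributes = @('ms-Mcs-AdmPwd', 'msDS-KeyCredentialLink', 'unicodePwd', 'userPassword',
    'lmPwdHistory', 'ntPwdHistory', 'supplementalCredentials', 'ms-TS-GatewayUserPassword',
    'cACertificate', 'userCertificate', 'userSMIMECertificate')

function Test-AdOutputFile {
    param([Parameter(Mandatory)][string]$Path)

    $lineNumber = 0
    $users = 0; $computers = 0; $badLines = 0; $findings = @()

    # ReadLines streams the file, so a large directory export does not have to fit in memory
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        $lineNumber++
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        try {
            $obj = $line | ConvertFrom-Json
        } catch {
            $badLines++
            Write-Warning "Line $lineNumber is not valid JSON"
            continue
        }

        switch ($obj.ObjectClass) {
            'user'     { $users++ }
            'computer' { $computers++ }
        }

        # ConvertFrom-Json exposes attributes as note properties; -contains is case-insensitive
        $present = $obj.PSObject.Properties.Name | Where-Object { $sensitiveAttributes -contains $_ }
        if ($present) {
            $findings += "line $lineNumber ($($obj.SamAccountName)): $($present -join ', ')"
        }
    }

    [pscustomobject]@{
        Users               = $users
        Computers           = $computers
        InvalidJsonLines    = $badLines
        SensitiveAttributes = $findings
    }
}

$result = Test-AdOutputFile -Path $outputFilePath
$result | Format-List

if ($result.InvalidJsonLines -gt 0 -or $result.SensitiveAttributes.Count -gt 0) {
    Write-Error "output.json is not ready for ingestion; fix the collection script before starting the agent"
}
```

Run it interactively after the first manual execution of the collection script. A non-zero InvalidJsonLines count usually means the file was written while a previous run was still appending; a non-empty SensitiveAttributes list means the exclusion list was edited or not applied.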
Running PowerShell Script Using Task Scheduler
Use this procedure to create a recurring task that runs the script and writes fresh data to the output file.
1. Open the Task Scheduler application.
2. Click Create Task in the right panel.
3. Enter the Name and Description of the task.
4. Select the "Run whether user is logged on or not" radio button and then select the "Do not store password" check box.
5. Select the "Run with highest privileges" check box to make sure all data is retrieved.
6. On the Triggers tab, set the frequency at which you want to repeat the task.
7. On the Actions tab, click New... to create a new action for the task and from the Action drop-down menu, select Start a program as the action type.
8. In the "Program/script" field, browse and select the path to the PowerShell executable (powershell.exe). You can usually find it in the "C:\Windows\System32\WindowsPowerShell\v1.0" directory.
9. In the "Add arguments (optional)" field, provide the full path to your PowerShell script, including its file extension (for example, "C:\AD\AD.ps1").
10. Click OK and save to create the task.
Note: When the scheduled task runs daily, the PowerShell script is executed and replaces the previous output file with a newly generated one.
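The same task can be registered from PowerShell, which is easier to repeat consistently across several domain controllers than the GUI steps above. This is an added example, not part of the original article. It assumes the collection script was saved as C:\AD\AD.ps1 (the path used in step 9); the account name CONTOSO\svc-adexport and the task name are placeholders.

```powershell
# Added example (not from the original article): register the recurring export task
# from PowerShell with the same options as the GUI procedure above.
$scriptPath = 'C:\AD\AD.ps1'                  # path from step 9
$taskName   = 'Chronicle-WindowsAD-Export'     # placeholder task name
$runAsUser  = 'CONTOSO\svc-adexport'           # placeholder: the account that runs the export

# Steps 7-9: start powershell.exe with the script as its argument
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Step 6: run once a day; adjust the time to the ingestion window you want
$trigger = New-ScheduledTaskTrigger -Daily -At 01:00

# Step 4: "Run whether user is logged on or not" + "Do not store password" is the S4U logon type;
# step 5: "Run with highest privileges" is RunLevel Highest
$principal = New-ScheduledTaskPrincipal -UserId $runAsUser -LogonType S4U -RunLevel Highest

# Stop a hung export instead of letting it overlap with the next day's run, and
# catch up if the server was down at the scheduled time
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $taskName `
    -Description 'Exports AD users and computers to C:\AD\output.json for the Bindplane Agent' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

# Run it once now and confirm it finished (LastTaskResult 0) and refreshed the output file
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 30
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object TaskName, LastRunTime, LastTaskResult
Get-Item 'C:\AD\output.json' | Select-Object FullName, Length, LastWriteTime
```

Because the export reads every object in the directory, a dedicated read-only account with highest privileges is preferable to reusing an administrator's credentials for the task.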
Through Forwarder
1. Before you Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for Open Telemetry Collector), ensure the following requirements are met:
- Windows 2012 or later
- Internet connectivity
b. In the firewall, the following custom port and protocol must be allowed from the servers to the Forwarder.
- Custom Port: 11736
- Protocol: TCP
c. In the firewall, the following hosts must be allowed from the Forwarder to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2:
Add the following collector to the Forwarder configuration file:
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_AD
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11736
    udp_address: 0.0.0.0:11736
2. Configuring the config.yaml file
Step 1. Before configuring the .yaml file, stop the ‘observIQ Distro for OpenTelemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When opening the config.yaml file, clear the "Always use this app to open .yaml files" option and then open it in Notepad.
Step 4. Copy the configuration below and paste it into the config.yaml file. Replace "Forwarder IP" with the address of the Forwarder.
receivers:
  filelog/windows_ad:
    include:
      - C:\AD\output.json
    start_at: beginning
exporters:
  chronicleforwarder/windows_ad:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: Forwarder IP:11736
      transport: tcp
service:
  pipelines:
    logs/winevtlog:
      receivers:
        - filelog/windows_ad
      exporters: [chronicleforwarder/windows_ad]
Step 5. After saving the config.yaml file, start the ‘observIQ Distro for OpenTelemetry Collector’ service.
Step 6. Verify that the Windows AD logs are being ingested into the Forwarder and then transmitted to Chronicle.
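For step 6, a quick way to separate a firewall or collector problem from an agent problem is to push one known record straight to the Forwarder's syslog listener from the AD server and then look for it in Chronicle. The script below is an added example, not part of the original article. It assumes the Forwarder listens on 11736/tcp as configured in Step 2 above; the address 192.0.2.10 and the record contents are placeholders.

```powershell
# Added example (not from the original article): send one constructed record to the
# Forwarder's syslog collector to confirm the network path and collector definition.
$forwarderHost = '192.0.2.10'   # placeholder: replace with the Forwarder address
$forwarderPort = 11736          # tcp_address port from the Forwarder collector config

# Constructed sample in the shape the collection script writes (one JSON object per line)
$sampleRecord = [pscustomobject]@{
    ObjectClass       = 'user'
    SamAccountName    = 'ingest-test'
    DistinguishedName = 'CN=ingest-test,OU=Test,DC=example,DC=com'
    Enabled           = $false
    whenCreated       = (Get-Date).ToString('o')
} | ConvertTo-Json -Compress

function Send-ForwarderTestRecord {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$Record
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bound the connect so a silently dropped packet does not hang the check
        $connect = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne(5000)) {
            throw "No TCP connection to ${Target}:$Port within 5 s (check the 11736/tcp firewall rule)"
        }
        $client.EndConnect($connect)

        # The syslog collector splits records on newlines, so terminate the line with LF
        $stream = $client.GetStream()
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($Record + "`n")
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Flush()
        return $true
    } finally {
        $client.Close()
    }
}

if (Send-ForwarderTestRecord -Target $forwarderHost -Port $forwarderPort -Record $sampleRecord) {
    Write-Host "Sent test record to ${forwarderHost}:$forwarderPort; search Chronicle for SamAccountName ingest-test"
}
```

If the connection succeeds but the record never appears in Chronicle, the problem is on the Forwarder-to-Chronicle leg (the 443 hosts in the table above) or in the collector definition, not in the agent on the AD server.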
Directly to Chronicle
1. Before you Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for Open Telemetry Collector), ensure the following requirements are met:
- Windows 2012 or later
- Internet connectivity
- Google SecOps ingestion authentication file
- Google SecOps Customer ID
b. In the firewall, only the following hosts need to be allowed from the server to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
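The two firewall tables (server to Forwarder and Forwarder to Chronicle in the "Through Forwarder" section, and server to Chronicle in this section) can be checked with the script below before any agent is configured. It is an added example, not part of the original article: it performs a DNS lookup and a TCP handshake against each host and port from the tables and reports which ones are blocked. Run it on the AD server for the direct path, or on the AD server (Forwarder port) and on the Forwarder (Chronicle hosts) for the Forwarder path. The Forwarder address 192.0.2.10 is a placeholder.

```powershell
# Added example (not from the original article): verify the firewall paths listed in
# both "Before you Begin" sections with a TCP connect test per destination.
$chronicleHosts = @(
    'malachiteingestion-pa.googleapis.com',
    'asia-northeast1-malachiteingestion-pa.googleapis.com',
    'asia-south1-malachiteingestion-pa.googleapis.com',
    'asia-southeast1-malachiteingestion-pa.googleapis.com',
    'australia-southeast1-malachiteingestion-pa.googleapis.com',
    'europe-malachiteingestion-pa.googleapis.com',
    'europe-west2-malachiteingestion-pa.googleapis.com',
    'europe-west3-malachiteingestion-pa.googleapis.com',
    'europe-west6-malachiteingestion-pa.googleapis.com',
    'europe-west12-malachiteingestion-pa.googleapis.com',
    'me-central1-malachiteingestion-pa.googleapis.com',
    'me-central2-malachiteingestion-pa.googleapis.com',
    'me-west1-malachiteingestion-pa.googleapis.com',
    'northamerica-northeast2-malachiteingestion-pa.googleapis.com',
    'accounts.google.com',
    'oauth2.googleapis.com'
)
$forwarderHost = '192.0.2.10'   # placeholder: only needed for the "Through Forwarder" path

function Test-IngestionPath {
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [int]$Port = 443
    )
    foreach ($target in $Targets) {
        # Test-NetConnection resolves the name and completes a TCP handshake; no TLS data is sent
        $r = Test-NetConnection -ComputerName $target -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target   = $target
            Port     = $Port
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = [bool]$r.TcpTestSucceeded
        }
    }
}

# Server/Forwarder to Chronicle: every ingestion and auth host on 443
$results = @(Test-IngestionPath -Targets $chronicleHosts -Port 443)
# Server to Forwarder: the custom syslog port (skip this line for the direct path)
$results += Test-IngestionPath -Targets @($forwarderHost) -Port 11736

$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    Write-Warning "Blocked or unresolved: $(($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', ')"
}
```

A host that fails to resolve points at DNS or a proxy requirement rather than a port rule; a host that resolves but has TcpOpen false is the one to take to the firewall team.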
Step 2:
a. Google SecOps ingestion authentication file. This file provides the values for the creds section of the Bindplane configuration.
To download the authentication file, follow these steps:
- Open the Google SecOps Chronicle console.
- Go to SIEM Settings > Collection Agent.
- Download the Google SecOps ingestion authentication file.
b. Google SecOps Customer ID.
To find the Customer ID, follow these steps:
- Open the Google SecOps Chronicle console.
- Go to SIEM Settings > Profile.
- Copy the Customer ID from the Organization Details section.
2. Configuring the config.yaml file
Step 1. Before configuring the .yaml file, stop the ‘observIQ Distro for Open Telemetry Collector’ service in the Services panel.
Step 2. Open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When opening the config.yaml file, clear the "Always use this app to open .yaml files" check box and then open it in Notepad.
Step 4. Copy the configuration below and paste it into the config.yaml file. The creds and customer_id values shown are placeholders that are replaced in Steps 5 and 6.
receivers:
  filelog/windows_ad:
    include:
      - C:\AD\output.json
    start_at: beginning
exporters:
  chronicle/windows_ad:
    endpoint: malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
      "private_key": "-----BEGIN PRIVATE KEY-----\nhgjgkgkgkgkgkgkgfg78yhjkDGh\n-----END PRIVATE KEY-----\n",
      "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
      "client_id": "123456789123456789",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }'
    log_type: 'WINDOWS_AD'
    override_log_type: false
    raw_log_field: body
    customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'
service:
  pipelines:
    logs:
      receivers:
        - filelog/windows_ad
      exporters: [chronicle/windows_ad]
Step 5. Refer to Step 2 (a and b) in the 'Before you Begin' sub-section of the ‘Directly to Chronicle’ section. Copy the contents of the Google SecOps ingestion authentication file and use them to replace the placeholder creds value under exporters.
Step 6. Copy the Google SecOps Customer ID and paste it into the customer_id value under exporters.
Step 7. After saving the config.yaml file, start the observIQ Distro for Open Telemetry Collector service.
Step 8. Verify that the Windows AD logs are being ingested into Chronicle.
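Steps 5 and 6 are where most direct-to-Chronicle setups go wrong: a truncated private key, a field missing from the pasted JSON, or a Customer ID that is not a UUID all produce an agent that starts but never authenticates. The script below is an added example, not part of the original article. It validates the downloaded authentication file and the Customer ID, and produces the creds value in the single-quoted, indented form the config above uses. The file path C:\AD\ingestion-auth.json and the Customer ID value are placeholders.

```powershell
# Added example (not from the original article): validate the ingestion authentication
# file and Customer ID, and produce a YAML-ready creds value for config.yaml.
$authFilePath = 'C:\AD\ingestion-auth.json'                 # placeholder path of the downloaded file
$customerId   = 'dddddddd-dddd-dddd-dddd-dddddddddddd'      # placeholder from the config above

function Test-IngestionAuthFile {
    param([Parameter(Mandatory)][string]$Path)

    $raw  = Get-Content -Path $Path -Raw
    $cred = $raw | ConvertFrom-Json      # throws if the file is not valid JSON

    # Fields the exporter needs to obtain an OAuth token for the service account
    $required = 'type', 'project_id', 'private_key_id', 'private_key', 'client_email', 'token_uri'
    $missing  = $required | Where-Object { -not $cred.$_ }
    if ($missing) { throw "Authentication file is missing: $($missing -join ', ')" }
    if ($cred.type -ne 'service_account') { throw "Unexpected credential type '$($cred.type)'" }

    # After JSON decoding the key contains real newlines; a key without the PEM armour
    # usually means it was edited or copied from a rendered view rather than the file
    if ($cred.private_key -notmatch '(?s)^-----BEGIN PRIVATE KEY-----\n.+-----END PRIVATE KEY-----\n?$') {
        throw 'private_key is not a complete PEM block; download the file again instead of pasting'
    }

    # Build the YAML value: single-quoted scalar (the only escape is a doubled quote), with
    # every continuation line indented under the "creds:" key as in the config above
    $lines = ($raw.Trim() -replace "'", "''") -split "`r?`n"
    return "creds: '" + ($lines -join "`n      ") + "'"
}

function Test-CustomerId {
    param([Parameter(Mandatory)][string]$Id)
    $parsed = [guid]::Empty
    return [guid]::TryParse($Id, [ref]$parsed)
}

$credsYaml = Test-IngestionAuthFile -Path $authFilePath
if (-not (Test-CustomerId -Id $customerId)) { throw "customer_id '$customerId' is not a UUID" }

$clientEmail = (Get-Content -Path $authFilePath -Raw | ConvertFrom-Json).client_email
Write-Host "Authentication file OK for service account $clientEmail; customer_id format OK"
Write-Host "Paste the following under exporters: chronicle/windows_ad (4-space indent):"
Write-Host $credsYaml
```

After pasting, config.yaml contains the service account's private key, so restrict its NTFS permissions to the account the collector service runs as and to administrators, and delete the downloaded authentication file from C:\AD once the agent authenticates.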