This article walks through, step by step, how to ship Windows Sysmon and event logs to Chronicle via the Bindplane Agent, either through a Chronicle Forwarder or directly to Chronicle. Here are the steps.
Installation of Bindplane Agent (observIQ Distro for Open Telemetry Collector) on a Windows Server
Use the following URL to download the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector), which is an MSI file for Windows Server.
URL: https://github.com/observIQ/bindplane-otel-collector/releases/latest
After downloading the MSI file, install the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) on the Windows Server:
Through Forwarder:
1. Before You Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for Open Telemetry Collector), the following requirements must be met:
- Windows 2012 or later
- Internet connectivity
b. In the firewall, the following custom port and protocol must be allowed from the servers to the Forwarder.
Custom Port: 11517
Protocol: TCP
c. In the Firewall, the following Hosts must be allowed from the Forwarder to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2:
Add the following collector entry to the Forwarder configuration file:
```yaml
- syslog:
    common:
      enabled: true
      data_type: WINEVTLOG
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11517
    udp_address: 0.0.0.0:11517
```
2. Configuring config.yaml file
Step 1. Before editing the .yaml file, stop the ‘observIQ Distro for OpenTelemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When opening config.yaml, uncheck the ‘Always use this app to open .yaml files’ option and open it in Notepad.
Step 4. Copy the configuration below and paste it into config.yaml. Replace the FORWARDER_IP placeholder with the IP address of your Forwarder.
```yaml
receivers:
  windowseventlog/source0__application:
    attributes:
      log_type: windows_event.application
    channel: application
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  windowseventlog/source0__security:
    attributes:
      log_type: windows_event.security
    channel: security
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  windowseventlog/source0__system:
    attributes:
      log_type: windows_event.system
    channel: system
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
processors:
  batch:
exporters:
  chronicleforwarder/forwarder:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: <FORWARDER_IP>:11517   # replace with the Forwarder's IP address
      transport: tcp
service:
  pipelines:
    logs/winevtlog:
      receivers:
        - windowseventlog/source0__system
        - windowseventlog/source0__application
        - windowseventlog/source0__security
      processors: [batch]
      # must match the exporter name defined above
      exporters: [chronicleforwarder/forwarder]
```
Step 5. After saving config.yaml, start the ‘observIQ Distro for OpenTelemetry Collector’ service.
Step 6. Verify that the Windows Event Logs are being received by the Forwarder and then by Chronicle.
Directly to Chronicle:
1. Before You Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for Open Telemetry Collector), the following requirements must be met:
- Windows 2012 or later
- Internet connectivity
- Google SecOps ingestion authentication file
- Google SecOps Customer ID
b. In the Firewall, the following Hosts must be allowed from the Server to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
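The following PowerShell script is an added example (not from the article or from observIQ) that checks the outbound paths required by the firewall tables in both ‘Before You Begin’ sections: TCP/443 to every Chronicle host listed above and, for the Forwarder deployment, TCP/11517 to the Forwarder. Run it on the Windows Server; the Forwarder-to-Chronicle hop must be checked from the Forwarder host itself. The `-ForwarderIp` and `-ForwarderOnly` parameters are this example's own assumptions; every hostname comes from the tables.

```powershell
# Added example (not from the article or from observIQ): checks the outbound
# paths required by the firewall tables in both "Before You Begin" sections.
# Default: test TCP/443 to every Chronicle host (direct deployment).
# -ForwarderIp also tests TCP/11517 to the Forwarder; -ForwarderOnly skips the
# Chronicle hosts when the server only talks to the Forwarder.
param(
    [string]$ForwarderIp = '',       # assumed placeholder, e.g. 10.0.0.5
    [int]$ForwarderPort = 11517,     # custom port from the article
    [switch]$ForwarderOnly
)

# Destinations copied from the firewall table; all are reached over TCP/443
$chronicleHosts = @(
    'malachiteingestion-pa.googleapis.com',
    'asia-northeast1-malachiteingestion-pa.googleapis.com',
    'asia-south1-malachiteingestion-pa.googleapis.com',
    'asia-southeast1-malachiteingestion-pa.googleapis.com',
    'australia-southeast1-malachiteingestion-pa.googleapis.com',
    'europe-malachiteingestion-pa.googleapis.com',
    'europe-west2-malachiteingestion-pa.googleapis.com',
    'europe-west3-malachiteingestion-pa.googleapis.com',
    'europe-west6-malachiteingestion-pa.googleapis.com',
    'europe-west12-malachiteingestion-pa.googleapis.com',
    'me-central1-malachiteingestion-pa.googleapis.com',
    'me-central2-malachiteingestion-pa.googleapis.com',
    'me-west1-malachiteingestion-pa.googleapis.com',
    'northamerica-northeast2-malachiteingestion-pa.googleapis.com',
    'accounts.google.com',
    'oauth2.googleapis.com'
)

function Test-Destination {
    param([string]$HostName, [int]$Port)
    # Warnings and errors are silenced so one blocked host does not flood the output;
    # the returned object still records name resolution and the TCP handshake result.
    $r = Test-NetConnection -ComputerName $HostName -Port $Port `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Destination = $HostName
        Port        = $Port
        Resolved    = [bool]($r -and $r.RemoteAddress)
        TcpOpen     = [bool]($r -and $r.TcpTestSucceeded)
    }
}

$targets = @()
if (-not $ForwarderOnly) {
    $targets += @($chronicleHosts | ForEach-Object { @{ HostName = $_; Port = 443 } })
}
if ($ForwarderIp) { $targets += @{ HostName = $ForwarderIp; Port = $ForwarderPort } }
if (-not $targets) { throw 'Nothing to test: -ForwarderOnly requires -ForwarderIp' }

$results = foreach ($t in $targets) { Test-Destination @t }
$results | Format-Table -AutoSize

# A destination that resolves but does not complete the TCP handshake is the
# typical signature of a missing firewall rule.
$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Destination):$($_.Port)" }) -join ', '
    Write-Warning "Blocked or unreachable: $list"
    exit 1
}
'All required destinations are reachable.'
```

Run it as `.\Test-ChroniclePaths.ps1` on the Windows Server for the direct deployment, or `.\Test-ChroniclePaths.ps1 -ForwarderIp 10.0.0.5 -ForwarderOnly` (assumed address) for the Forwarder deployment. A row with `Resolved` true and `TcpOpen` false points at the firewall; `Resolved` false points at DNS.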
Step 2:
a. Google SecOps ingestion authentication file: its contents populate the creds field in the exporters section of the Bindplane configuration.
To download the authentication file, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Collection Agent.
- Download the Google SecOps ingestion authentication file.
b. Google SecOps Customer ID: to find the Customer ID, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Profile.
- Copy the Customer ID from the Organization Details section.
2. Configuring config.yaml file
Step 1. Before editing the .yaml file, stop the ‘observIQ Distro for Open Telemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When opening config.yaml, uncheck the ‘Always use this app to open .yaml files’ option and open it in Notepad.
Step 4. Copy the configuration below and paste it into config.yaml. The creds and customer_id values shown are samples and are replaced in Steps 5 and 6.
```yaml
receivers:
  windowseventlog/source0__application:
    attributes:
      log_type: windows_event.application
    channel: application
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  windowseventlog/source0__security:
    attributes:
      log_type: windows_event.security
    channel: security
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  windowseventlog/source0__system:
    attributes:
      log_type: windows_event.system
    channel: system
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
processors:
  batch:
exporters:
  chronicle/winevtlog:
    endpoint: malachiteingestion-pa.googleapis.com
    # sample values: replace with the contents of your ingestion authentication file
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
      "private_key": "-----BEGIN PRIVATE KEY-----\nhgjgkgkgkgkgkgkgfg78yhjkDGh\n-----END PRIVATE KEY-----\n",
      "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
      "client_id": "123456789123456789",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
      }'
    log_type: 'WINEVTLOG'
    override_log_type: false
    raw_log_field: body
    # sample value: replace with your Google SecOps Customer ID
    customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'
service:
  pipelines:
    logs/winevtlog:
      receivers:
        - windowseventlog/source0__system
        - windowseventlog/source0__application
        - windowseventlog/source0__security
      processors: [batch]
      exporters: [chronicle/winevtlog]
```
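Both config.yaml templates in this article (the Forwarder one and the direct one above) wire receivers, processors and exporters together by name in the service pipeline, and a name that is defined in one place but referenced differently in the other makes the collector refuse to start. The script below is an added example (not from the article or from observIQ) that cross-checks those references and flags template placeholders that still need real values, so it can be run before the service is started again. It assumes 2-space YAML indentation as in the configs above and an assumed default install path; the `-ConfigPath` parameter is this example's own.

```powershell
# Added example (not from the article or from observIQ): consistency check for
# config.yaml. Records every component defined under receivers/processors/exporters,
# collects the names each pipeline refers to, and reports any mismatch (for example
# a pipeline listing chronicle/winevtlog while exporters only defines
# chronicleforwarder/forwarder). Assumes 2-space indentation and the default path.
param(
    [string]$ConfigPath = 'C:\Program Files\observIQ OpenTelemetry Collector\config.yaml'  # assumed
)

$lines   = Get-Content -Path $ConfigPath
$defined = @{ receivers = @(); processors = @(); exporters = @() }
$used    = @{ receivers = @(); processors = @(); exporters = @() }

$section     = $null    # current top-level key (receivers, exporters, service, ...)
$inPipelines = $false   # true once "pipelines:" has been seen under service
$listKind    = $null    # pipeline list currently being read in "- item" form

foreach ($raw in $lines) {
    $line = $raw -replace '\s+#.*$', ''            # drop trailing comments
    if ($line -notmatch '\S') { continue }          # skip blank lines
    $indent = ($line -replace '^(\s*).*$', '$1').Length
    $text   = $line.Trim()

    # Top-level section header, e.g. "exporters:"
    if ($indent -eq 0 -and $text -match '^(\w+):') {
        $section = $Matches[1]; $inPipelines = $false; $listKind = $null
        continue
    }

    # Component definitions are the second-level keys of the three component sections
    if ($section -and $defined.ContainsKey($section) -and $indent -eq 2 -and $text -match '^([^:\s]+):') {
        $defined[$section] += $Matches[1]
        continue
    }

    if ($section -ne 'service') { continue }
    if ($text -match '^pipelines:') { $inPipelines = $true; continue }
    if (-not $inPipelines) { continue }

    # Flow-style list: "exporters: [a, b]"
    if ($text -match '^(receivers|processors|exporters):\s*\[(.*)\]\s*$') {
        $kind  = $Matches[1]
        $items = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $used[$kind] += $items
        $listKind = $null
        continue
    }
    # Block-style list: "receivers:" followed by "- item" lines
    if ($text -match '^(receivers|processors|exporters):\s*$') { $listKind = $Matches[1]; continue }
    if ($listKind -and $text -match '^-\s*(\S+)') { $used[$listKind] += $Matches[1]; continue }
    $listKind = $null   # any other line (e.g. the next pipeline name) ends the block list
}

$problems = @(foreach ($kind in 'receivers', 'processors', 'exporters') {
    foreach ($ref in ($used[$kind] | Select-Object -Unique)) {
        if ($defined[$kind] -notcontains $ref) { "pipeline references undefined $kind entry '$ref'" }
    }
    foreach ($def in $defined[$kind]) {
        if ($used[$kind] -notcontains $def) { "$kind entry '$def' is defined but no pipeline uses it" }
    }
})

# Sample values from the article's templates that must be replaced before use
$placeholders = $lines | Select-String -Pattern 'FORWARDER_IP|Forwarder IP|dddddddd-dddd|malachite-projectname'
foreach ($p in $placeholders) {
    $problems += "line $($p.LineNumber) still contains a template placeholder: $($p.Line.Trim())"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"config.yaml: all pipeline references resolve and no placeholders remain."
```

Run it from the agent's install directory (or pass `-ConfigPath`) before Step 7. It is deliberately a line-based check rather than a full YAML parser, so keep the indentation of the templates as shown; the collector itself remains the final authority on whether the file loads.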
Step 5. Refer to Step 2 (a & b) in the ‘Before You Begin’ sub-section under ‘Directly to Chronicle’. Copy the contents of the Google SecOps ingestion authentication file and replace the sample JSON in the creds value under exporters with it.
Step 6. Copy the Google SecOps Customer ID and paste it as the customer_id value under exporters.
Step 7. After saving config.yaml, start the ‘observIQ Distro for Open Telemetry Collector’ service.
Step 8. Now, verify that the Windows Event Logs are being ingested into Chronicle.
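The verification step in both deployments (Step 6 for the Forwarder path, Step 8 here) is easiest with a known event to look for. The script below is an added example (not from the article or from observIQ) for an elevated Windows PowerShell 5.1 session on the Windows Server: it confirms the service is running, writes a uniquely marked test event to the Application channel that the windowseventlog/source0__application receiver reads, and scans the collector's own log for export errors. The service display name is the one this article uses; the log file path is an assumed default install location, and the event source name is this example's own.

```powershell
# Added example (not part of the article): end-to-end smoke test after Step 7.
# Assumptions: default install path for the collector log, and a constructed
# event source name used only for this check.
$ServiceDisplayName = 'observIQ Distro for OpenTelemetry Collector'
$CollectorLog       = 'C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log'   # assumed
$Source             = 'BindplaneIngestCheck'   # constructed event source for this test

# 1. The collector must be running, otherwise nothing is read or sent
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Collector service is '$($svc.Status)', expected 'Running'" }

# 2. Emit a test event. The receivers use start_at: end, so only events written
#    after the service started are collected; a fresh event avoids a false negative.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
$marker = "bindplane-ingest-check $([guid]::NewGuid())"
Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information -Message $marker
"Wrote test event with marker: $marker"

# 3. Wait a few poll intervals, then look for export failures in the collector log
Start-Sleep -Seconds 15
if (Test-Path $CollectorLog) {
    $recentErrors = Get-Content -Path $CollectorLog -Tail 200 | Select-String -Pattern 'error'
    if ($recentErrors) {
        Write-Warning 'Collector log reports errors in its last 200 lines:'
        $recentErrors | Select-Object -Last 5 | ForEach-Object { Write-Warning $_.Line }
    } else {
        "No errors in the last 200 lines of $CollectorLog"
    }
} else {
    Write-Warning "Collector log not found at $CollectorLog (check the install directory)"
}

# Forwarder deployment only: show whether a TCP session to the Forwarder port is open
Get-NetTCPConnection -RemotePort 11517 -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, RemotePort, State
```

After the script reports no errors, search Chronicle's raw logs (or the Forwarder's receive logs in the Forwarder deployment) for the printed marker string; because the receivers set raw: true and the exporter sends the event body, the marker appears verbatim in the ingested log. New-EventLog and Write-EventLog exist in Windows PowerShell 5.1 but not in PowerShell 7, so use the built-in shell.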