Installation of Bindplane Agent (observIQ Distro for OpenTelemetry Collector) on a Windows Server:
Download the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) MSI installer for Windows Server from the URL below. Take the latest release from the observIQ GitHub repository only; the agent runs as a privileged Windows service, so do not install a build obtained elsewhere.
URL: https://github.com/observIQ/bindplane-otel-collector/releases/latest
After downloading the MSI file, run it to install the Bindplane Agent on the Windows Server. The installer registers the 'observIQ Distro for OpenTelemetry Collector' Windows service, which is referred to in the steps below.
Set up Sysmon on the Windows Server
1. Download Sysmon from the URL below. The download is a ZIP archive.
https://download.sysinternals.com/files/Sysmon.zip
2. Extract the ZIP archive. It contains four files: the Sysmon executables and the EULA.
3. Open Command Prompt as Administrator, change to the folder where Sysmon was extracted, and install it with the command below. With no configuration file, -i installs Sysmon's default (minimal) configuration; for production use, pass a configuration XML as the argument to -i, for example: sysmon64.exe -accepteula -i sysmonconfig.xml
> sysmon64.exe -accepteula -i
4. After installation, confirm that the Sysmon64 service is running in the Services panel and that events are appearing in the Microsoft-Windows-Sysmon/Operational channel in Event Viewer. If that channel is empty, nothing will be forwarded by the steps that follow.
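The Sysmon install and check above, as an added PowerShell example (not code from the original page or from Sysinternals). It assumes the archive was extracted to C:\Tools\Sysmon and that a ruleset named sysmonconfig.xml exists there; both paths are placeholders. It installs Sysmon with the ruleset (or updates the ruleset if Sysmon is already present), then proves the service is running and that the Operational channel actually receives events before any collector is pointed at it.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell session.
# Assumptions (placeholders): Sysmon was extracted to C:\Tools\Sysmon and a ruleset
# sysmonconfig.xml sits in the same folder.
$SysmonDir  = 'C:\Tools\Sysmon'
$ConfigFile = Join-Path $SysmonDir 'sysmonconfig.xml'
$Channel    = 'Microsoft-Windows-Sysmon/Operational'

# Installing a driver and a service needs an administrator token; fail early if we lack one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
if (-not (Test-Path $ConfigFile)) { throw "Ruleset not found: $ConfigFile" }

# A second "-i" on a host that already has Sysmon fails; use "-c" to update the ruleset instead.
$exe = Join-Path $SysmonDir 'Sysmon64.exe'
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & $exe -accepteula -c $ConfigFile
} else {
    & $exe -accepteula -i $ConfigFile
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon64.exe exited with code $LASTEXITCODE" }

# 1. Service present and running.
$svc = Get-Service -Name 'Sysmon64' -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "Sysmon64 service is $($svc.Status), expected Running" }

# 2. Operational channel exists and is enabled.
$log = Get-WinEvent -ListLog $Channel -ErrorAction Stop
if (-not $log.IsEnabled) { throw "$Channel exists but is disabled" }

# 3. Trigger a process-creation event (Event ID 1) and confirm it lands in the channel.
Start-Process -FilePath 'whoami.exe' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$recent = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1 } -MaxEvents 5 -ErrorAction Stop

# Pull the Image field from the event XML rather than relying on a positional property index,
# which changes between Sysmon versions.
$recent | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Image       = ($data | Where-Object { $_.Name -eq 'Image' }).'#text'
    }
}
```

If step 3 throws "No events were found", the ruleset is filtering everything out or the driver did not load; check the System event log for Sysmon errors before continuing to the collector setup.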
Through Forwarder:
1. Before you begin
Step 1:
Verify the Firewall Configuration
a. Installing the Bindplane Agent (observIQ Distro for OpenTelemetry Collector) requires:
- Windows Server 2012 or later
- Internet connectivity
b. In the Firewall, the following custom port and protocol must be allowed from the Servers to the Forwarder. The agent configuration below sends over TCP only, so UDP 11664 does not need to be opened even though the Forwarder collector also binds it.
Custom Port: 11664
Protocol: TCP
c. In the Firewall, the following hosts must be allowed from the Forwarder to Chronicle: the malachiteingestion-pa endpoint for your Google SecOps region plus the two Google OAuth hosts. Allowing every regional endpoint is harmless, but only the one matching your tenant is used.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2:
Add the collector below to the Forwarder configuration file, as an entry in its collectors: list. It listens on port 11664 and tags everything received as the WINDOWS_SYSMON log type. Indentation is significant in YAML, so keep it exactly as shown.
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_SYSMON
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11664
    udp_address: 0.0.0.0:11664
2. Configuring the config.yaml file:
Step 1. Before editing the .yaml file, stop the 'observIQ Distro for OpenTelemetry Collector' service in the Services panel.
Step 2. Open Command Prompt as Administrator, change to the directory where the Bindplane Agent is installed (by default C:\Program Files\observIQ OpenTelemetry Collector), and open config.yaml.
Step 3. If Windows asks which app to open the file with, choose Notepad and clear the 'Always use this app to open .yaml files' option so the file association is not changed.
Step 4. Copy the configuration below into config.yaml, replacing the existing contents (or merge it carefully if the file already defines receivers, exporters or pipelines you want to keep). Replace <FORWARDER_IP> with the IP address or hostname of the Forwarder. Indentation is significant in YAML, so keep it exactly as shown. The receiver reads the Sysmon Operational channel and, with raw: true, places the original event XML in the log body so Chronicle's WINDOWS_SYSMON parser receives the unmodified record; the exporter ships each record as syslog over TCP to the collector added to the Forwarder in Step 2 above.
receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:
exporters:
  chronicleforwarder/sysmon:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: <FORWARDER_IP>:11664
      transport: tcp
service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicleforwarder/sysmon]
Step 5. Save config.yaml and start the 'observIQ Distro for OpenTelemetry Collector' service.
Step 6. Verify that Windows Sysmon logs are reaching the Forwarder and then Chronicle: the agent service should stay running (a YAML error stops it again immediately), the Forwarder should receive a connection from the server on TCP 11664, and Chronicle should show the WINDOWS_SYSMON log type ingesting from this host.
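The verification in Step 6, as an added PowerShell example run on the Windows Server (not code from the original page or from observIQ). It assumes the Forwarder is at 10.0.0.50 (placeholder), that the agent's log file is at the path shown below (an assumed location under the default install directory), and that the Forwarder collector is bound to TCP 11664 as configured above. It checks the three things that usually break: the agent service is not running, the Sysmon channel is empty, or the path to the Forwarder port is blocked.

```powershell
# Added example, not from the original page.
# Assumptions (placeholders, adjust to your environment):
#   - the Forwarder is reachable at 10.0.0.50 and listens on TCP 11664
#   - the agent writes its log under its default install directory (path below is assumed)
$Forwarder    = '10.0.0.50'
$Port         = 11664
$ServiceName  = 'observIQ Distro for OpenTelemetry Collector'
$CollectorLog = 'C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log'
$Channel      = 'Microsoft-Windows-Sysmon/Operational'

# 1. The agent service must be running again after the config edit. If it stopped
#    right after being started, config.yaml most likely has an indentation error.
$svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "'$ServiceName' is $($svc.Status); start it and re-run." }

# 2. Is there anything to ship? No events in the Sysmon channel means nothing reaches the Forwarder.
try {
    $latest = Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction Stop
    "Newest Sysmon event: $($latest.TimeCreated) (Event ID $($latest.Id))"
} catch {
    throw "No events in $Channel; fix the Sysmon installation first. $_"
}

# 3. TCP reachability to the Forwarder port. A plain connect is enough: sending a test line
#    would be ingested as an unparseable WINDOWS_SYSMON record. System.Net.Sockets is used
#    instead of Test-NetConnection so this also works on Windows Server 2012.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($Forwarder, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) { throw 'timeout after 5 s' }
    $client.EndConnect($async)
    "TCP ${Forwarder}:${Port} reachable from $env:COMPUTERNAME."
} catch {
    throw "Cannot connect to ${Forwarder}:${Port} (is TCP 11664 allowed from this server to the Forwarder?): $_"
} finally {
    $client.Close()
}

# 4. Export failures are reported in the agent log; scan the tail for them.
if (Test-Path $CollectorLog) {
    $hits = Get-Content -Path $CollectorLog -Tail 200 | Select-String -Pattern 'error|failed|refused'
    if ($hits) { 'Recent agent log errors:'; $hits | ForEach-Object { $_.Line } }
    else { "No errors in the last 200 lines of $CollectorLog." }
} else {
    Write-Warning "Agent log not found at $CollectorLog (assumed path); look in the install directory."
}
```

A successful connect here only proves the network path; the final confirmation is still the WINDOWS_SYSMON log type appearing in Chronicle with this host as the source.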
Directly to Chronicle:
1. Before you begin
Step 1:
Verify the Firewall Configuration
a. Installing the Bindplane Agent (observIQ Distro for OpenTelemetry Collector) requires:
- Windows Server 2012 or later
- Internet connectivity
- Google SecOps ingestion authentication file
- Google SecOps Customer ID
b. In the Firewall, the following hosts must be allowed from the Server to Chronicle: the malachiteingestion-pa endpoint for your Google SecOps region plus the two Google OAuth hosts. Allowing every regional endpoint is harmless, but only the one matching your tenant is used.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2:
a. Google SecOps ingestion authentication file. This is a service-account JSON key whose contents go into the creds field of the exporter in the Bindplane configuration below. Treat it as a secret: anyone holding it can push logs into your Chronicle tenant.
To download the authentication file, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Collection Agent.
- Download the Google SecOps ingestion authentication file.
b. Google SecOps Customer ID.
To find the customer ID, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Profile.
- Copy the Customer ID from the Organization Details section.
2. Configuring the config.yaml file:
Step 1. Before editing the .yaml file, stop the 'observIQ Distro for OpenTelemetry Collector' service in the Services panel.
Step 2. Open Command Prompt as Administrator, change to the directory where the Bindplane Agent is installed (by default C:\Program Files\observIQ OpenTelemetry Collector), and open config.yaml.
Step 3. If Windows asks which app to open the file with, choose Notepad and clear the 'Always use this app to open .yaml files' option so the file association is not changed.
Step 4. Copy the configuration below into config.yaml, replacing the existing contents (or merge it carefully if the file already defines receivers, exporters or pipelines you want to keep). Indentation is significant in YAML, so keep it exactly as shown. The values inside creds (malachite-projectname, the key material, the client_email and client_id) and the customer_id are placeholders that are replaced in Steps 5 and 6.
receivers:
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true
processors:
  batch:
exporters:
  chronicle/winsysmon:
    endpoint: malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
      "private_key": "-----BEGIN PRIVATE KEY-----\nhgjgkgkgkgkgkgkgfg78yhjkDGh\n-----END PRIVATE KEY-----\n",
      "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
      "client_id": "123456789123456789",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
      }'
    log_type: 'WINDOWS_SYSMON'
    override_log_type: false
    raw_log_field: body
    customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'
service:
  pipelines:
    logs/winsysmon:
      receivers:
        - windowseventlog/sysmon
      processors: [batch]
      exporters: [chronicle/winsysmon]
Step 5. Open the Google SecOps ingestion authentication file from Step 2a of 'Before you begin' and replace the placeholder JSON between the single quotes of creds with the file's entire contents. Keep the surrounding single quotes: a YAML single-quoted string does not process escape sequences, so the \n sequences inside private_key reach the JSON parser unchanged, which is what it expects. This embeds a service-account private key in plaintext in config.yaml; restrict read access on the file to administrators and the account the service runs as, since config.yaml under Program Files is otherwise readable by every local user.
Step 6. Copy the Customer ID from Step 2b and paste it into customer_id, replacing the dddddddd-... placeholder. Also check endpoint: the hostname shown is the United States ingestion endpoint; tenants in other regions must use the matching regional malachiteingestion-pa hostname from the firewall table above, otherwise export fails.
Step 7. Save config.yaml and start the 'observIQ Distro for OpenTelemetry Collector' service.
Step 8. Verify that Windows Sysmon logs are being ingested into Chronicle: the service should stay running, the agent log should show no authentication (OAuth) or export errors, and Chronicle should show the WINDOWS_SYSMON log type ingesting from this host.
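The credential handling in Steps 5 and 6, as an added PowerShell example run on the Windows Server (not code from the original page or from observIQ). It assumes the downloaded authentication file was saved to C:\Temp\chronicle-ingestion.json (placeholder) and that config.yaml is at the agent's default install path. It validates the service-account JSON before it is pasted, since a wrong file type or a truncated private_key only shows up later as an OAuth failure, and then restricts both files to SYSTEM, Administrators and the account the agent service runs as, so the key is not readable by ordinary local users.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell session.
# Assumptions (placeholders): the auth file is at C:\Temp\chronicle-ingestion.json and
# config.yaml is at the agent's default install path.
$AuthFile    = 'C:\Temp\chronicle-ingestion.json'
$ConfigFile  = 'C:\Program Files\observIQ OpenTelemetry Collector\config.yaml'
$ServiceName = 'observIQ Distro for OpenTelemetry Collector'

# 1. Validate the service-account JSON before it goes into creds.
$raw = Get-Content -Raw -Path $AuthFile -ErrorAction Stop
$sa  = $raw | ConvertFrom-Json
$required = 'type', 'project_id', 'private_key_id', 'private_key', 'client_email', 'client_id', 'token_uri'
$missing  = $required | Where-Object { -not $sa.PSObject.Properties[$_] -or [string]::IsNullOrEmpty($sa.$_) }
if ($missing) { throw "Auth file is missing: $($missing -join ', ')" }
if ($sa.type -ne 'service_account') { throw "Expected type 'service_account', got '$($sa.type)'" }
# private_key must be a complete PEM block (the JSON parser has already turned \n into newlines here).
if ($sa.private_key -notmatch '^-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END PRIVATE KEY-----\n?$') {
    throw 'private_key is not a complete PEM block; re-download the authentication file'
}
if ($sa.client_email -notlike "*@$($sa.project_id).iam.gserviceaccount.com") {
    Write-Warning "client_email $($sa.client_email) does not belong to project $($sa.project_id)"
}
# creds is a YAML single-quoted scalar, so a literal ' in the JSON would have to be doubled.
if ($raw -match "'") { throw "Auth file contains a single quote; it cannot be pasted as-is into creds: '...'" }
"Auth file OK: $($sa.client_email) (key id $($sa.private_key_id))"

# 2. Lock down the files that hold the key. Inheritance is disabled so the Users read
#    permission inherited from Program Files no longer applies to config.yaml.
$svc   = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$ServiceName'"
$runAs = if ($null -eq $svc -or $svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
$principals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $runAs) | Select-Object -Unique

foreach ($path in @($AuthFile, $ConfigFile)) {
    if (-not (Test-Path $path)) { Write-Warning "Skipping $path (not found)"; continue }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)                       # stop inheriting from the folder
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # drop every remaining explicit ACE
    foreach ($id in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    "ACL on $path restricted to: $($principals -join ', ')"
}
```

An alternative that keeps the key out of config.yaml entirely is to leave the JSON in its own file, apply the same ACL to that file, and point the exporter at it with creds_file_path instead of creds; the chronicle exporter accepts either. The ACL check matters on either layout, and it should be re-applied after any reinstall of the agent, which can reset permissions under the install directory.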