Set up and manage Data Processing Pipelines

The Data Processing Pipeline feature provides robust control over Google Security Operations data ingestion. Data Processing Pipelines let you manipulate incoming data before it's parsed by Google Security Operations. For example, filter and transform events, or redact sensitive values. This process can help optimize data for Google SecOps, reduce costs, protect sensitive information, and improve compatibility.

This document shows how to use the Bindplane console to configure a connection to a Google SecOps destination instance, create a new Google SecOps Pipeline, set up the Data Processing Pipeline (streams and processors), roll it out to initiate data processing, and view pipeline streams and processors in the Google SecOps console. Example use cases include:

  • Remove empty key-value pairs from raw logs.
  • Redact sensitive data.
  • Add ingestion labels from raw log content.
  • In multi-instance environments, apply ingestion labels to direct-ingestion log data to identify the source stream instance (such as Google Cloud Workspace).
  • Filter Palo Alto Cortex data by field values.
  • Reduce SentinelOne data by category.
  • Extract host information from feeds and direct-ingestion logs and map it to the ingestion_stream field for Cloud Monitoring.

You can configure Data Processing Pipelines for both on-premises and cloud data streams, using either the Bindplane management console or directly using the public Google SecOps Data Pipeline APIs.

A Data Processing Pipeline consists of the following elements:

  • Streams: One or more streams feed data into the data processing pipeline. Each stream is configured for a specific stream type.
  • Processor node: A Data Processing Pipeline has one Processor node that contains one or more processors. Each processor specifies an action to perform on the data (for example, filter, transform, and redact) as it flows through the pipeline.
  • Destination: The Google SecOps destination instance is where the processed data is sent.

Prerequisites

If you intend to use the Bindplane console to manage your Google SecOps Data Processing Pipeline, perform the following steps:

  1. In the Google Security Operations console, grant the installer the required predefined administrator roles. For details, see Assign the Project IAM Admin role in a dedicated project. Under Assign Roles, select the following predefined Identity and Access Management roles:

    • Chronicle API Admin (roles/chronicle.admin)
  2. Install the Bindplane Server console. For SaaS or on-premises, see Install the Bindplane Server console.

  3. In the Bindplane console, connect a Google SecOps destination instance to your Bindplane project. For details, see Connect to a Google SecOps instance.

Manage low-volume SecOps data acknowledgment delays

Ingestion API users who configure their own agent may experience a potential increase in acknowledgment time for low-volume SecOps Pipelines in the Data Processing Pipeline. Latency averages may rise from 700 ms up to 2 seconds. In such a case, increase timeout periods and memory as needed. Acknowledgment time drops when data throughput exceeds 4 MBps.

Connect to a Google SecOps instance

Connect to a Google SecOps instance, which will serve as the destination for the output from your Data Processing Pipelines.

To connect to a Google SecOps instance using the Bindplane console:

  1. In the Bindplane console, go to the Manage your project page.
  2. Go to the Integrations card and click Connect to Google SecOps.
  3. In the Edit Integration window that opens, enter the details of the Google SecOps destination instance that will ingest the output from your Data Processing Pipelines, as follows:

    Field Description
    Region The region of your Google SecOps instance. To find it, go to the Google Cloud console, navigate to the Google Security Operations page, and click Instance details.
    Customer ID The customer ID of your Google SecOps instance. In the Google SecOps console, go to Settings > Profile > Organization Details.
    Google Cloud project number The Google Cloud project number of your Google SecOps instance. To find the project number in the Google SecOps console, go to Settings > Profile > Organization Details.
    Credentials The Service Account credentials: the JSON value needed to authenticate to and access the Google SecOps Data Pipeline APIs. The Service Account must be located in the same Google Cloud project as your Google SecOps instance and requires the Chronicle API Admin role (roles/chronicle.admin). You can get this JSON value from the Service Account credential file. For information about how to create a Service Account and download the JSON file, see Create and delete Service Account keys.
  4. Click Connect. If your connection details are correct and you successfully connect to Google SecOps, you can expect the following:

    • A connection to the Google SecOps instance is opened.
    • The first time you connect, the SecOps Pipelines tab appears in the Bindplane console.
    • The Bindplane console now displays any Data Processing Pipelines you previously set up for this instance using the API. The system converts some processors you configured using the API into Bindplane processors, and displays others in their raw OpenTelemetry Transformation Language (OTTL) format. You can use the Bindplane console to edit pipelines and processors previously set up using the API.
  5. After you successfully create a connection to a Google SecOps instance, you can create a SecOps Pipeline and set up the Data Processing Pipeline. For details, see Set up a Data Processing Pipeline using the Bindplane console.

Set up a Data Processing Pipeline using the Bindplane console

Using the Bindplane console, you can manage your Google SecOps Data Processing Pipelines, including pipelines set up using the API.

Follow these steps to provision and deploy a new log processing pipeline in Google SecOps, typically using the Bindplane console.

  1. Create a new SecOps Pipeline
  2. Configure a Data Processing Pipeline
    1. Configure streams
    2. Configure processors
  3. Stage the deployment of a Data Processing Pipeline

Create a new Google SecOps pipeline

A Google SecOps pipeline is a container for you to configure one Data Processing Pipeline. To create a new Google SecOps pipeline container, do the following:

  1. In the Bindplane console, click the SecOps Pipelines tab to open the SecOps Pipelines page.
  2. Click Create SecOps Pipeline.
  3. In the Create new SecOps Pipeline window, set the SecOps Pipeline type to Google SecOps (default).
  4. Enter a SecOps Pipeline name and Description.
  5. Click Create. The new pipeline container is now displayed on the SecOps Pipelines page. Proceed to configure the data processing pipeline streams and processors within this container.

Configure a Data Processing Pipeline

A Data Processing Pipeline specifies data Streams to ingest and Processors (for example, filter, transform, or redact) to manipulate the data as it flows to the Google SecOps Destination instance.

A Pipeline configuration card is a visualization of the data processing pipeline where you can configure the data Streams and the Processor node. The Processor node consists of processors that manipulate the data as it flows to the Google SecOps Destination instance.

To configure a Data Processing Pipeline, first Create a new SecOps Pipeline, and then do the following:

  1. In the Bindplane console, click the SecOps Pipelines tab to open the SecOps Pipelines page.
  2. Select the SecOps Pipeline where you want to configure the new Data Processing Pipeline. The Pipeline configuration card opens.
  3. Configure the following:

    1. A Stream. See Configure streams for details.
    2. The Processor node:

      • To add a processor using the Bindplane console, see Configure processors for details.
      • Some custom processors let you edit their raw OTTL code directly.
  4. Once these configurations are complete, see Roll out a Data Processing Pipeline to begin processing the data.

Configure streams

A Stream ingests data according to its configured specifications and feeds it into the pipeline. A Data Processing Pipeline can have one or more Streams, each configured for a different stream type.

To add a Stream, do the following:

  1. In the Pipeline configuration card, click Add Stream to open the Create Stream window.
  2. In the Create SecOps Stream window, enter details for these fields:

    Field Description
    Log type Log type of the data to ingest.
    Select the log type to ingest. For example, "CrowdStrike Falcon (CS_EDR)".

    Note: You can't select a log type that shows a warning icon.
    A warning icon indicates that the log type is already configured in another stream (in this pipeline or another pipeline in your Google SecOps instance).
    If you want to use such a log type, you must first delete it from the other stream configuration.
    To find the other stream configuration where the log type is configured, see Filter SecOps Pipeline configurations.
    Ingestion method Ingestion method to use to ingest the data for the selected Log type.
    These ingestion methods were previously defined for your Google SecOps instance.
    Select one of the following:
    • All Ingestion Methods
      Note: Selecting All Ingestion Methods for a Log type prevents you from adding subsequent Streams that use specific Ingestion Methods for that same Log type.
    • A specific ingestion method.
      For example, one of the following: "Cloud Native Ingestion", "Feed", "Ingestion API", or "Workspace".
      • Note: You can still select other unconfigured specific Ingestion methods for this Log type.
      • If you select Feed as the Ingestion method, the subsequent field displays a list of available feeds. Select the relevant Feed to define it as the ingestion stream for this configuration.
    Feed The specific feed configuration to use as the ingestion stream for data.
    If you select Feed in the Ingestion method field, the Feed field displays a list of feed names (previously defined for your Google SecOps instance) for the selected Log type.
    Select a specific Feed from the list.

    Note: To see a list of your feeds in your Google SecOps console, go to Settings > Feeds table.

  3. Click Add Stream to save the new stream.

    • The new data Stream is immediately displayed on the Pipeline configuration card.
    • It is automatically connected to the Processor node and the Google SecOps Destination.

Filter SecOps Pipeline configurations

The search bar on the SecOps Pipelines page lets you filter your SecOps Pipelines (Data Processing Pipelines) based on multiple configuration elements. You can locate pipelines by searching for specific criteria, such as log type, ingestion method, or feed name. You can use the following syntax to filter: logtype:value, ingestionmethod:value and feed:value.

For example, to identify stream configurations containing a specific log type, enter the filter logtype: in the search bar and select the log type from the resulting list.

Configure processors

A Data Processing Pipeline has one Processor node, containing one or more processors. Each processor manipulates the stream data sequentially:

  1. The first processor processes the raw stream data.
  2. The resulting output from the first processor is then processed by the next processor.
  3. This sequence continues for all subsequent processors in the order they appear in the Processors pane, with the output of one becoming the input of the next.
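The sequential processor chain described above, applied to the use cases listed in the introduction (remove empty key-value pairs, redact sensitive values, filter by field value), as an added stand-alone illustration rather than Bindplane or Google SecOps code; the log lines, processor names and the `None`-means-drop convention are constructed for this example only.

```python
import re

# Constructed sample raw logs (not real data): key=value style records with
# some empty values and one SSN-shaped field that should never reach SecOps.
RAW_LOGS = [
    "user=alice ssn=123-45-6789 src= dst=10.0.0.5 action=allow",
    "user=bob ssn= src=10.0.0.9 dst= action=deny",
]


def remove_empty_kv(log: str) -> str:
    """Processor: drop key=value pairs whose value is empty."""
    return " ".join(tok for tok in log.split() if not tok.endswith("="))


def redact_ssn(log: str) -> str:
    """Processor: replace SSN-shaped values with a fixed marker."""
    return re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[REDACTED]", log)


def drop_if(field: str, value: str):
    """Processor factory: filter out records where field equals value.

    Returning None is this example's convention for "drop the record".
    """
    def processor(log: str):
        return None if f"{field}={value}" in log.split() else log
    return processor


def run_pipeline(logs, processors):
    """Apply processors in order: the output of one processor is the input
    of the next, exactly as the Processor node sequences them. A record
    dropped by a filter is not passed to later processors."""
    out = []
    for log in logs:
        for proc in processors:
            log = proc(log)
            if log is None:
                break
        if log is not None:
            out.append(log)
    return out


if __name__ == "__main__":
    for line in run_pipeline(RAW_LOGS, [remove_empty_kv, redact_ssn, drop_if("action", "deny")]):
        print(line)
```

Because each processor sees only the previous processor's output, ordering changes results: a filter on `src=` (empty source) drops a record when it runs before `remove_empty_kv`, but matches nothing when it runs after, since the empty pair has already been removed.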

Configure the Processor node by adding, removing, or changing the sequence of one or more processors.

To add a processor, follow these steps:

  1. In the Pipeline configuration card, click the Processor node to open the Edit Processors window.
    The Edit Processors window consists of the following panes, arranged by data flow:

    • Input pane (or source pane): Recent incoming stream log data (before processing)
    • Configuration pane (or processor list): Processors and their configurations
    • Output pane (or result pane): Recent outgoing result log data (after processing)

    If the pipeline has been rolled out before, then the system shows the recent incoming log data (before processing) and the recent outgoing log data (after processing) in the panes.

  2. To add a processor, click Add Processor to display the processor list. For your convenience, the processor list is grouped by processor type.
    (To organize the processor list, you can add your own bundles by selecting one or more processors and clicking Add new Processor bundles.)

  3. Select a Processor to add from the list.

  4. Configure the processor as necessary.

  5. Click Save to save the processor configuration in the Processor node.

The system tests the new processor configuration by processing a fresh sample of the incoming stream log data (from the Input pane) and displays the outgoing result data (in the Output pane).

Deploy a Data Processing Pipeline

Once the stream and processor configurations are complete, deploy the pipeline to begin processing data.

To deploy a Data Processing Pipeline, click Start rollout. This activates the Data Processing Pipeline and allows Google's secure infrastructure to begin processing data according to the Data Processing Pipeline configuration.

If the deployment is successful, the Data Processing Pipeline configuration version number is incremented and displayed next to the Data Processing Pipeline name.

View Data Processing Pipeline information from the Google SecOps console

The following sections describe how to view Data Processing Pipeline information from the Google SecOps console:

View configured feeds

The Feeds page shows all the feeds that you configured.

  1. In the Google SecOps console, go to Settings > Feeds. The main page displays all your configured feeds.
  2. Hold the pointer over each row to display the ⋮ More menu. From the menu, you can view feed details, edit, disable, or delete the feed.
  3. Click View Details to view the details window.
  4. Click Open in Bindplane to open the stream configuration for that feed in the Bindplane console.

View Data Processing Pipeline information from the Logtypes page

The Logtypes page shows all available log types. To view Data Processing Pipeline details:

  1. In the Google SecOps console, go to Settings > Logtypes. The main page displays all your log types.
  2. Hold the pointer over each row to display the ⋮ More menu. From the menu, you can view logtype details.
  3. Click View Data Processing to view the details window.
  4. Click Open in Bindplane to open the processor configuration for that log type in the Bindplane console.

Use Google SecOps Data Pipeline APIs

The Google SecOps Data Pipeline APIs allow you to manage your Data Processing Pipelines. The APIs cover all the Data Pipeline functionality, such as creating, updating, deleting, and listing pipelines and associated feeds and log types within them.
