Google Security Operations (SecOps)

To add a Google Security Operations (SecOps) destination to Axoflow, complete the following steps.

Prerequisites

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + Create New Item > Destination.
  2. Configure the destination.

    1. Select SecOps.

    2. Select which type of configuration you want to use:

      • Simple: Send all data into a namespace with a single log type.
      • Dynamic: Send data to a namespace with a log type based on the content or metadata of the incoming messages (or to a default namespace/log type).
      • Advanced: Specify the full endpoint URL.
    3. Enter a name for the destination.

      (Screenshot: Configure the Google SecOps destination)

    4. Enter the URL endpoint for the destination.

      • Simple and Dynamic: Enter the base URL of the regional service endpoint into the Service Endpoint field, for example, https://malachiteingestion-pa.googleapis.com for the US region.
      • Advanced: Enter the full URL to use for ingesting logs into the Endpoint URL field, for example, https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate.
    5. Specify the namespace and log type to send the data to.

      • Simple and Advanced: Enter the Namespace to send the data to and the Log type to assign to the data. All data will be sent to this namespace with the specified log type.
      • Dynamic: Enter the default Namespace and Log type. The data will be sent into this namespace with the specified log type unless it is set during the processing of the message (for example, by the processing steps of the Flow).

      You can use AxoSyslog macros in this field.

    6. Enter the unique ID of your Google SecOps instance into the Customer ID field.

    7. Configure the authentication method to access the GCP project.

      • Automatic (ADC): Use the service account attached to the cloud resource (VM) that hosts AxoRouter.
      • Service Account File: Specify the path where a service account key file is located (for example, /etc/axorouter/user-config/serviceaccount.json). You must copy that file into place manually; currently you can’t distribute it from Axoflow.
    8. (Optional) Set other options as needed for your environment.

      • Timeout: Number of seconds to wait for a log-forwarding request to complete. If the timeout is exceeded, AxoRouter attempts to reconnect to the destination. The default value is unlimited. For more details, see the AxoSyslog documentation.
      • Batch Lines: Number of lines sent to the destination in one batch. AxoRouter waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency. For more details, see the AxoSyslog documentation.
      • Batch Timeout: Maximal time in milliseconds to wait for a batch to be filled before sending it. The default value (-1) means that the batch should be full before sending, which may result in a long wait if the incoming traffic is low. For more details, see the AxoSyslog documentation.
      • Number of Workers: Used for scaling the destination in case of high message load. Specifies the number of worker threads AxoRouter uses for sending messages to the destination. The default is 1. If high message throughput is not a concern, leave it on 1. For maximum performance, increase it up to the number of CPU cores available on AxoRouter. For more details, see the AxoSyslog documentation.
    9. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.
    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      (Screenshot: Create a flow)

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow to. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

      The selector also supports more complex filtering, using the Equals, Contains (partial match), and Match (regular expression match) operators. Note that:

      • To execute the search, click Search, or hit ESC then ENTER.
      • Axoflow Console autocompletes the built-in and custom labels and field names, as well as their most frequent values, but doesn’t autocomplete labels and variables created by data parsing and processing steps.
      • You can use the AND and OR operators to combine expressions, and also parentheses if needed.
    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      (Screenshot: AxoRouter as destination)

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Classify, a Parse, and a Reduce step, in that order, to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet AND meta.product = fortigate query.
      3. Save the processing steps.

      (Screenshot: Example processing steps)

    7. Select Create.

    8. The new flow appears in the Flows list.

      (Screenshot: The new flow)
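The settings configured above, as an added example that is not Axoflow's or AxoRouter's code: a small Python model of what the destination does with the messages a flow hands it. It shows the Dynamic configuration (a message's own metadata overriding the default Namespace and Log type), the Select Messages query from the flow example (meta.vendor = fortinet AND meta.product = fortigate), the Batch Lines and Batch Timeout behaviour from the destination options, and the request body shape that the unstructuredlogentries:batchCreate endpoint ingests (customer_id, namespace, log_type, entries with log_text and ts_epoch_microseconds). The field names secops.namespace and secops.log_type, the placeholder customer ID, the FORTINET_FIREWALL log type value, and the log lines are assumptions constructed for the example; authentication is left out.

```python
"""Added example (not Axoflow/AxoRouter code): a model of the Dynamic SecOps
destination, its batching options, and the batchCreate request body."""
from __future__ import annotations

from dataclasses import dataclass, field

# Values from the page: the US regional service endpoint and the full ingest path.
SERVICE_ENDPOINT = "https://malachiteingestion-pa.googleapis.com"
INGEST_PATH = "/v2/unstructuredlogentries:batchCreate"

# Assumed (hypothetical) message fields that a processing step may set to
# override the destination's default namespace / log type in Dynamic mode.
NAMESPACE_FIELD = "secops.namespace"
LOG_TYPE_FIELD = "secops.log_type"


@dataclass
class Message:
    text: str
    ts_us: int                                   # event time, epoch microseconds
    meta: dict[str, str] = field(default_factory=dict)


def matches_query(query: str, msg: Message) -> bool:
    """Evaluate a Select Messages query of the form used on the page,
    e.g. 'meta.vendor = fortinet AND meta.product = fortigate'.
    Only '=' terms joined by AND are handled in this example."""
    for term in query.split(" AND "):
        key, _, value = (part.strip() for part in term.partition("="))
        if msg.meta.get(key) != value:
            return False
    return True


@dataclass
class SecOpsDestination:
    customer_id: str
    default_namespace: str
    default_log_type: str
    batch_lines: int = 100          # Batch Lines
    batch_timeout_ms: int = -1      # Batch Timeout; -1 = send only when the batch is full
    _pending: dict[tuple[str, str], list[Message]] = field(default_factory=dict, init=False, repr=False)
    _opened_ms: dict[tuple[str, str], int] = field(default_factory=dict, init=False, repr=False)

    def route(self, msg: Message) -> tuple[str, str]:
        """Dynamic mode: per-message metadata wins, otherwise the defaults apply."""
        return (msg.meta.get(NAMESPACE_FIELD, self.default_namespace),
                msg.meta.get(LOG_TYPE_FIELD, self.default_log_type))

    def push(self, msg: Message, now_ms: int) -> list[dict]:
        """Queue a message; return every request body that became ready."""
        key = self.route(msg)
        batch = self._pending.setdefault(key, [])
        self._opened_ms.setdefault(key, now_ms)
        batch.append(msg)
        ready = [self._flush(key)] if len(batch) >= self.batch_lines else []
        return ready + self.tick(now_ms)

    def tick(self, now_ms: int) -> list[dict]:
        """Flush batches older than Batch Timeout (never, when it is -1)."""
        if self.batch_timeout_ms < 0:
            return []
        due = [k for k, opened in self._opened_ms.items()
               if now_ms - opened >= self.batch_timeout_ms]
        return [self._flush(k) for k in due]

    def flush_all(self) -> list[dict]:
        """Drain everything, e.g. on shutdown."""
        return [self._flush(k) for k in list(self._pending)]

    def _flush(self, key: tuple[str, str]) -> dict:
        namespace, log_type = key
        msgs = self._pending.pop(key)
        self._opened_ms.pop(key, None)
        # One batchCreate request carries a single namespace / log type.
        return {
            "url": SERVICE_ENDPOINT + INGEST_PATH,
            "body": {
                "customer_id": self.customer_id,
                "namespace": namespace,
                "log_type": log_type,
                "entries": [{"log_text": m.text, "ts_epoch_microseconds": m.ts_us}
                            for m in msgs],
            },
        }


def demo() -> list[dict]:
    """Constructed sample traffic run through the Select Messages filter and
    the destination, with Batch Lines = 2 so the output is easy to inspect."""
    query = "meta.vendor = fortinet AND meta.product = fortigate"
    fortigate = {"meta.vendor": "fortinet", "meta.product": "fortigate"}
    dest = SecOpsDestination(customer_id="00000000-0000-0000-0000-000000000000",  # placeholder
                             default_namespace="default", default_log_type="FORTINET_FIREWALL",
                             batch_lines=2, batch_timeout_ms=500)
    traffic = [  # constructed log lines
        Message("date=2024-01-01 action=deny srcip=10.0.0.5", 1_700_000_000_000_000, dict(fortigate)),
        Message("<34>sshd: Accepted publickey for ops", 1_700_000_000_000_100, {"meta.vendor": "openssh"}),
        Message("date=2024-01-01 action=accept srcip=10.0.0.9", 1_700_000_000_000_200,
                {**fortigate, NAMESPACE_FIELD: "branch-eu"}),   # per-message namespace override
        Message("date=2024-01-01 action=deny srcip=10.0.0.7", 1_700_000_000_000_300, dict(fortigate)),
    ]
    requests, now = [], 0
    for m in traffic:
        now += 10
        if matches_query(query, m):
            requests.extend(dest.push(m, now))
    requests.extend(dest.tick(now + 1000))   # idle period: Batch Timeout drains the rest
    return requests


if __name__ == "__main__":
    for req in demo():
        print(req["body"]["namespace"], req["body"]["log_type"], len(req["body"]["entries"]), "entries")
```

Each request body is what would be POSTed to the Endpoint URL with an OAuth 2.0 bearer token for the ingestion API scope https://www.googleapis.com/auth/malachite-ingestion, obtained either from the attached service account (ADC) or from the service account key file named in the authentication step. The demo illustrates why the -1 default for Batch Timeout matters on low-traffic routers: the branch-eu batch only leaves the router because a timeout was set, otherwise it would sit there until a second message with the same namespace and log type arrived.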