Log types getting mixed up


Hi,

I have configured my BindPlane agents to collect logs from the Windows Security Events, Microsoft-Windows-PowerShell/Operational, and Sysmon channels. For each log source, I have specified the log type in the processor configuration as per the documentation.

I have set up three different ports on the destination, with each port designated to receive a specific log type. Logs are being sent and received on all three ports as expected.

However, in Google SecOps, when I search for logs from the Microsoft-Windows-PowerShell/Operational channel, I observe that some logs are incorrectly categorized as the Windows Events log type instead of the PowerShell log type. This issue does not occur for all logs; some logs from the PowerShell channel are correctly written as the PowerShell log type, while others are misclassified as Sysmon or Windows Events, or misclassified as PowerShell when they are Windows Events, etc.

My forwarder is configured to listen for 20 different log types, and this issue only occurs with BindPlane agents forwarding logs from the Windows Security Events, PowerShell and Sysmon channels.

Is there anyone who can help identify the cause of this issue?


That Security-Auditing channel isn't in the Source configuration on Bindplane.

Accepted solution:

By default, BindPlane will send each source to all destinations in the config. So with this config you are ingesting each log 3 times, as each data type. You will need to put filter by regex (or condition, depending on your license) processors in front of each SecOps forwarder destination to filter out the log types you don't want. For example, you would need to put a filter in front of your PowerShell destination that only allows PowerShell logs through. Same goes for Sysmon and regular Windows Events.


See https://medium.com/@thatsiemguy/bindplane-secops-processor-b271cc93ab90 for examples on how to use the new SecOps Processor in BindPlane, which solves for this use case.
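As an added illustration of the fan-out problem described above (this is not configuration from the thread or from BindPlane's documentation), here is an OpenTelemetry-style collector config for the PowerShell channel: the commented-out pipeline shows every receiver feeding every exporter, and the live pipeline shows one receiver, a tagging attributes processor and a filter guarding a single destination. The exporter block's keys and the credential/customer values are assumptions and placeholders; check them against the chronicle exporter shipped with your BindPlane agent version, and repeat the same pattern for the Security and Sysmon channels.

```yaml
receivers:
  windowseventlog/security:
    channel: Security
    raw: true
  windowseventlog/powershell:
    channel: Microsoft-Windows-PowerShell/Operational
    raw: true
  windowseventlog/sysmon:
    channel: Microsoft-Windows-Sysmon/Operational
    raw: true

processors:
  # Tag the PowerShell stream so a filter can tell it apart from the other channels.
  attributes/powershell:
    actions:
      - key: chronicle_log_type
        value: POWERSHELL
        action: upsert
  # Drop any record that is NOT tagged POWERSHELL before it reaches this destination.
  # (filterprocessor drops records whose OTTL condition evaluates to true.)
  filter/powershell:
    error_mode: ignore
    logs:
      log_record:
        - 'attributes["chronicle_log_type"] != "POWERSHELL"'

exporters:
  # ASSUMPTION: key names follow the observIQ chronicle exporter; values are placeholders.
  chronicle/powershell:
    creds_file_path: /path/to/chronicle-creds.json        # placeholder
    customer_id: 00000000-0000-0000-0000-000000000000     # placeholder
    log_type: POWERSHELL

service:
  pipelines:
    # BROKEN (what the question describes): all three receivers fan out to all
    # three destinations, so each event is ingested three times, once per log type.
    # logs:
    #   receivers: [windowseventlog/security, windowseventlog/powershell, windowseventlog/sysmon]
    #   exporters: [chronicle/winevtlog, chronicle/powershell, chronicle/sysmon]
    #
    # FIXED: one pipeline per destination, with the filter as a guard in case a
    # source is ever shared between pipelines.
    logs/powershell:
      receivers: [windowseventlog/powershell]
      processors: [attributes/powershell, filter/powershell]
      exporters: [chronicle/powershell]
```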

Try below. This works for me.
Source Name = WINEVTLOG (or something similar)
Custom Channels: <Empty>
Preprocessor --> Add Field --> Attribute --> chronicle_log_type=WINEVTLOG


Source Name = WINDOWS_SYSMON (or something similar)
Custom Channels: Microsoft-Windows-Sysmon/Operational
Preprocessor --> Add Field --> Attribute --> chronicle_log_type=WINDOWS_SYSMON

Source Name = WINDOWS_DEFENDER_AV (or something similar)
Custom Channels: Microsoft-Windows-Windows-Defender/Operational
Preprocessor --> Add Field --> Attribute --> chronicle_log_type=WINDOWS_DEFENDER_AV

Source Name = POWERSHELL (or something similar)
Custom Channels: Microsoft-Windows-PowerShell/Operational
Preprocessor --> Add Field --> Attribute --> chronicle_log_type=POWERSHELL

[Raw Logs] selected for all Sources

------------------------------

For how-to details, refer to cmmartin_google's blog above or the Bindplane docs.