Skip to main content

Hi,

I have configured my BindPlane agents to collect logs from the Windows Security Events, Microsoft-Windows-PowerShell/Operational, and Sysmon channels. For each log source, I have specified the log type in the processor configuration as per the documentation.

I have set up three different ports on the destination, with each port designated to receive a specific log type. Logs are being sent and received on all three ports as expected.

However, in Google SecOps, when I search for logs from the Microsoft-Windows-PowerShell/Operational channel, I observe that some logs are incorrectly categorized as Windows Events log type instead of PowerShell log type. This issue does not occur for all logs; some logs from the PowerShell channel are correctly written as the PowerShell log type, while others are misclassified as Sysmon or Windows Events or misclassified as Powershell when its Windows Events etc.

My forwarder is configured to listen 20 different log types, and this issue only occurs with BindPlane agents forwarding logs from the Windows Security Events, Powershell and Sysmon channels.

Is there anyone who can help identify the cause of this issue?

That Security-Auditing channel isn't in the Source configuration on Bindplane.

 

 

By default, BindPlane will send each source to all destinations in the config. So with this config you are ingesting each log 3 times, as each data type. You will need to put filter by regex (or condition depending on your license) processors in front of each SecOps forwarder destination to filter out the log type you don't want. For example, you would need to put a filter in front of your PowerShell destination that only allows PowerShell logs through. Same goes for Sysmon and regular Windows Event. 

See https://medium.com/@thatsiemguy/bindplane-secops-processor-b271cc93ab90 for examples on how to use the new SecOps Processor in BindPlane, which solves for this use case.

Try below. This works for me.
Source Name = WINEVTLOG (or something similar)
Custom Channels: <Empty>
Preprocessor --> Add Field -- > Attribute--> chronicle_log_type=WINEVTLOG



Source Name = WINDOWS_SYSMON (or something similar)
Custom Channels: Microsoft-Windows-Sysmon/Operational
Preprocessor --> Add Field -- > Attribute--> chronicle_log_type=WINDOWS_SYSMON


Source Name = WINDOWS_DEFENDER_AV (or something similar)
Custom Channels: Microsoft-Windows-Windows-Defender/Operational
Preprocessor --> Add Field -- > Attribute--> chronicle_log_type=WINDOWS_DEFENDER_AV


Source Name = POWERSHELL (or something similar)
Custom Channels: Microsoft-Windows-PowerShell/Operational
Preprocessor --> Add Field -- > Attribute--> chronicle_log_type=POWERSHELL


[Raw Logs] selected for all Sources


------------------------------


For how to details refer to cmmartin_google blogabove or Bindplane doc


 

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.