I’m excited to share a custom solution I’ve developed that will make our Bindplane Agent monitoring process much easier and more efficient. With this setup, agent status can now be monitored in real time directly from Google SecOps, eliminating the need to repeatedly check the Bindplane console.
What This Solution Does
- Integrates Bindplane API with Google SecOps SOAR.
- Automates ingestion of agent status logs into Google SecOps SIEM.
- Triggers alerts whenever an agent becomes inactive.
- Provides a single pane of glass for the SOC team to monitor agent health.
Key Components
- Bindplane API.
- SOAR IDE script to fetch and ingest agent data.
- SIEM rule to detect inactive agents and generate alerts.
Benefits
✔ Real-time monitoring without manual console checks.
✔ Automated alerts for inactive agents.
✔ Streamlined workflow within existing security tools.
Prerequisites
Before you begin, ensure you have:
- Access to Bindplane with permissions to generate an API key
- Access to Google SecOps SOAR (IDE)
- Access to Google SecOps SIEM to create ingestion rules and alerts
- Google SecOps Customer ID for log ingestion
Detailed Steps
Step 1: Generate Bindplane API Key
Follow the official Bindplane documentation to create an API key:
https://docs.bindplane.com/cli-and-api/api-keys
This key will allow the SOAR IDE to query Bindplane agent status.
Step 2: SOAR IDE Script to Fetch Bindplane Agent Status
- In Google SecOps SOAR, create a new IDE integration.
- The following Python script calls the Bindplane API, extracts key details for each agent, and sends one record per agent to the Google SecOps Ingestion API under the log type you specify.
You may extend this script to include additional fields if required.
SOAR IDE Script
import json
import requests
from datetime import datetime, timezone

# Define the Bindplane API URL and the API key
url = "https://app.bindplane.com/v1/agents"  # Bindplane API endpoint for agent details
api_key = "xxxxx-xxxxx-xxxxxxxx-xxxxx"  # Your Bindplane API key (store it in the integration's secure parameters rather than hard-coding it)

# Set the headers with the API key
headers = {
    "X-Bindplane-Api-Key": api_key
}

# Make the GET request to the API
response = requests.get(url, headers=headers, timeout=30)

# Initialize an empty list to hold the formatted agent data
agents_data = []

# Check if the request was successful (status code 200)
if response.status_code == 200:
    # Parse the response JSON
    data = response.json()

    # Iterate over the list of agents
    for agent in data.get('agents', []):
        # Observation time in UTC; add it to agent_data if you want it in the log
        user_defined_time = str(datetime.now(timezone.utc))
        agent_name = agent.get('name', 'Unknown')
        agent_status_code = agent.get('status', 'Unknown')

        # Map the status code to active/inactive (status 1 is treated as connected, anything else as inactive)
        agent_status = "active" if agent_status_code == 1 else "inactive"

        # Extract additional attributes from the agent labels
        os_family = agent.get('labels', {}).get('attributes/os.family', 'Unknown')
        agent_version = agent.get('labels', {}).get('bindplane/agent-version', 'Unknown')

        # Extract the assigned configuration
        assigned_configuration = agent.get('configurationStatus', {}).get('assigned', 'Unknown')

        # Create the dictionary for this agent's data (the SIEM rule reads these field names)
        agent_data = {
            "Agent Name": agent_name,
            "Status": agent_status,
            "OS": os_family,
            "Agent Version": agent_version,
            "Assigned Configuration": assigned_configuration
        }
        agents_data.append(agent_data)

    # Send each agent record to the SecOps Ingestion API as its own log entry
    for agent in agents_data:
        json_dict = {
            "customer_id": "xxx-xxxxx-xxxxx-xxxx-xxx",  # Your SecOps SIEM customer ID
            "log_type": "<LOG_TYPE>",  # Enter the log type into which you want this data ingested
            "entries": [
                {
                    "log_text": json.dumps(agent)
                }
            ]
        }
        serialized_data = json.dumps(json_dict)
        GCM.send_logs(serialized_data)  # Send logs to the SIEM ingestion API
else:
    # Fail the action visibly instead of silently ingesting nothing
    raise RuntimeError(f"Bindplane API request failed: {response.status_code} {response.text}")
Step 3: Create SIEM Rule to Detect Inactive Agents
After ingestion begins, create a rule in Google SecOps SIEM to alert when a Bindplane agent reports "Status": "inactive".
SIEM Rule
rule BINDPLANE_AGENT_NOT_REPORTING {
    meta:
        author = "Suraj Kadav"
        description = "This rule will trigger an alert when any Bindplane agent goes offline/disconnected."
        severity = "Critical"

    events:
        $e.metadata.log_type = "BINDPLANE_AGENT"
        $e.extracted.fields["Status"] = "inactive"

    outcome:
        $Agent_Name = $e.extracted.fields["Agent Name"]
        $Agent_Status = $e.extracted.fields["Status"]
        $System_OS = $e.extracted.fields["OS"]
        $Agent_Version = $e.extracted.fields["Agent Version"]
        $Agent_Configuration = $e.extracted.fields["Assigned Configuration"]

    condition:
        $e
}
Tip: Consider adding suppression or a threshold to avoid flapping alerts (e.g., require 2–3 consecutive inactive observations, or evaluate over a time window).
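As an added example (not the post's own script), the block below pulls the per-agent flattening from Step 2 into a testable function and replays ingested records with the consecutive-inactive guard the tip describes; the API response and the poll sequence are constructed samples.

```python
import json
from collections import defaultdict

# Constructed sample response, shaped like the fields the post's script reads.
SAMPLE_RESPONSE = {"agents": [
    {"name": "web-01", "status": 1,
     "labels": {"attributes/os.family": "linux", "bindplane/agent-version": "1.70.0"},
     "configurationStatus": {"assigned": "linux-hosts"}},
    {"name": "db-02", "status": 0, "labels": {"attributes/os.family": "windows"}},
    {"name": "unlabelled", "status": 5},  # unexpected status code, no labels
]}

def to_record(agent):
    """Flatten one agent object the way the post's script does: status 1 is
    active, anything else inactive, and missing fields become 'Unknown'."""
    labels = agent.get("labels", {})
    return {
        "Agent Name": agent.get("name", "Unknown"),
        "Status": "active" if agent.get("status") == 1 else "inactive",
        "OS": labels.get("attributes/os.family", "Unknown"),
        "Agent Version": labels.get("bindplane/agent-version", "Unknown"),
        "Assigned Configuration": agent.get("configurationStatus", {}).get("assigned", "Unknown"),
    }

def build_entries(response):
    """Return the log_text strings the script would wrap into ingestion payloads."""
    return [json.dumps(to_record(a)) for a in response.get("agents", [])]

def inactive_after_consecutive(log_texts, threshold=3):
    """Replay log_text lines in arrival order and return the agents whose most
    recent `threshold` observations were all inactive. One active observation
    resets the streak, which is what keeps a flapping agent from alerting."""
    streak = defaultdict(int)
    for line in log_texts:
        rec = json.loads(line)
        name = rec["Agent Name"]
        streak[name] = streak[name] + 1 if rec["Status"] == "inactive" else 0
    return sorted(n for n, c in streak.items() if c >= threshold)

# Constructed observations in arrival order: web-01 flaps, db-02 stays down.
POLLS = [json.dumps({"Agent Name": n, "Status": s}) for n, s in [
    ("web-01", "active"), ("db-02", "inactive"), ("web-01", "inactive"),
    ("db-02", "inactive"), ("web-01", "active"), ("db-02", "inactive"),
    ("web-01", "inactive"),
]]

if __name__ == "__main__":
    print(build_entries(SAMPLE_RESPONSE))
    print(inactive_after_consecutive(POLLS))  # ['db-02']
```

With the default threshold of 3 only db-02 is reported; web-01, which alternated between active and inactive, never builds a streak.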
Optional Enhancements
- Additional agent details
- OS-based grouping
- Dashboards
- Optimize code for faster performance.
This solution is created to simplify operations and improve visibility of Bindplane Agent status for the SOC team. If you’re interested in implementing it or have ideas for enhancements, feel free to reach out or drop your suggestions in the comments!