Collect Netwrix Privilege Secure for Discovery (formerly Remediant SecureONE) logs

This document explains how to ingest Netwrix Privilege Secure for Discovery (formerly Remediant SecureONE) logs into Google Security Operations (Google SecOps) using the Bindplane agent.

Netwrix Privilege Secure for Discovery is an agentless privileged access management (PAM) solution that provides dynamic Just-in-Time (JIT) privileged account access. It eliminates standing privileges by providing continuous visibility into privileged accounts, effectively preventing lateral movement attacks and reducing an organization's attack surface.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Windows Server 2016 or later host, or a Linux host with systemd
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the Remediant SecureONE appliance (SSH access to the node running fluentd)
  • Remediant SecureONE version 2.8 or later (or the s1_fluentd service upgraded to fluentd version 1)

Get a Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where Bindplane will be installed.

Get a Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows Installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux Installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional Installation Resources

For additional installation options, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /opt/observiq-otel-collector/config.yaml
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
      tcplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"
    
    exporters:
      chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        log_type: 'REMEDIANT_SECUREONE'
        raw_log_field: body
        ingestion_labels:
    
    service:
      pipelines:
        logs/source0__chronicle_w_labels-0:
          receivers:
            - tcplog
          exporters:
            - chronicle/chronicle_w_labels
    
  • Replace the port and IP address as required in your infrastructure.
  • Replace <customer_id> with the actual Customer ID.
  • Update /path/to/ingestion-authentication-file.json to the file path where you saved the authentication file.

Restart Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop observiq-otel-collector && net start observiq-otel-collector
    

Configure Remediant SecureONE syslog forwarding

  1. Use SSH to connect to the Remediant SecureONE node running the fluentd service.
  2. Back up the existing fluentd configuration file:

    sudo cp /secureone/conf/fluentd/fluent.conf /secureone/conf/fluentd/fluent.conf.$(date +%Y.%m.%d)
    
  3. Open the fluentd configuration file for editing:

    sudo vim /secureone/conf/fluentd/fluent.conf
    
  4. Add the remote_syslog store to the match docker.** section. The complete file with that store in place is shown below; replace the entire file contents with it:

    #fluent.conf for fluentd version 1
    <source>
      @type forward
    </source>
    <filter docker.**>
      @type parser
      time_key key3
      format json
      key_name log
      reserve_data true
    </filter>
    <match docker.**>
      @type copy
      <store>
        @type remote_syslog
        host BINDPLANE_IP
        port 514
        protocol tcp
        packet_size 4096
        program secureone
        hostname SECUREONE_HOSTNAME
        <format>
          @type single_value
          message_key log
        </format>
      </store>
      <store>
        @type stdout_pp
        pp true
        time_color blue
        tag_color yellow
        record_colored true
      </store>
    </match>
    <match **>
      @type stdout_pp
      pp true
      time_color blue
      tag_color yellow
      record_colored true
    </match>
    
  5. Replace the following values:

    • BINDPLANE_IP: Enter the IP address of the Bindplane agent host (for example, 10.100.11.13).
    • 514: Enter the port number matching the Bindplane agent listen_address port.
    • SECUREONE_HOSTNAME: Enter the hostname of the SecureONE node (for example, secureone-prod-01).
  6. Save the configuration file and exit the editor.

  7. Restart the fluentd service to apply the new configuration:

    s1 restart fluentd
    
  8. Verify the fluentd version in the running container (the fluentd gem should be version 1.x, as required in the prerequisites):

    sudo docker exec -it $(sudo docker ps | grep fluentd | cut -d' ' -f1) fluent-gem list | grep fluentd
    
  9. Validate the configuration syntax:

    sudo docker exec -it $(sudo docker ps | grep fluentd | cut -d' ' -f1) fluentd -c /fluentd/etc/fluent.conf --dry-run
    
  10. Verify that logs are being forwarded by capturing traffic on the syslog port:

    sudo tcpdump -vv -i any port 514
    
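As an added example (not from this page, and not code from Netwrix or Bindplane), the following Python check cross-reads the two files configured above and flags the mistakes that most often leave the tcplog listener silent: placeholders left in place, a fluentd port that does not match the Bindplane listen_address, or a non-TCP protocol. Both file contents are constructed inline; the credentials path and the host address are assumed values.

```python
import re
# Constructed sample of the edited SecureONE fluent.conf (only what the check reads).
FLUENT_CONF = """
<match docker.**>
  <store>
    @type remote_syslog
    host 10.100.11.13
    port 514
    protocol tcp
  </store>
</match>
"""
# Constructed Bindplane config.yaml; <customer_id> is left unreplaced on purpose.
BINDPLANE_YAML = """
receivers:
  tcplog:
    listen_address: "0.0.0.0:514"
exporters:
  chronicle/chronicle_w_labels:
    creds_file_path: '/etc/bindplane/ingestion-auth.json'
    customer_id: '<customer_id>'
"""

def remote_syslog_store(conf):
    # key/value pairs of the first <store> whose @type is remote_syslog
    for block in re.findall(r"<store>(.*?)</store>", conf, re.S):
        kv = dict(re.findall(r"^\s*(@?\w+)\s+(\S+)", block, re.M))
        if kv.get("@type") == "remote_syslog":
            return kv
    return None

def yaml_value(yaml_text, key):
    # flat scalar lookup; enough for these keys, no YAML parser needed
    m = re.search(rf"^\s*{key}:\s*['\"]?([^'\"\n]+)", yaml_text, re.M)
    return m.group(1).strip() if m else None

def check(conf, yaml_text):
    # returns the list of problems; an empty list means the two files agree
    store = remote_syslog_store(conf)
    if store is None:
        return ["fluent.conf has no remote_syslog store"]
    listen_port = (yaml_value(yaml_text, "listen_address") or "").rsplit(":", 1)[-1]
    findings = [
        (store.get("host", "BINDPLANE_IP") == "BINDPLANE_IP", "BINDPLANE_IP placeholder not replaced"),
        (store.get("protocol") != "tcp", "remote_syslog protocol must be tcp to reach the tcplog receiver"),
        (store.get("port") != listen_port, f"port mismatch: fluentd {store.get('port')} vs Bindplane {listen_port}"),
        (yaml_value(yaml_text, "customer_id") in (None, "<customer_id>"), "<customer_id> placeholder not replaced"),
        ((yaml_value(yaml_text, "creds_file_path") or "/path/to/").startswith("/path/to/"), "creds_file_path still points at the /path/to/ placeholder"),
    ]
    return [msg for bad, msg in findings if bad]
```

Point the two constants at the real files (or read them with open()) to run the same check against a live deployment.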

For more information, see the Netwrix Privilege Secure for Discovery documentation.

UDM mapping table

Log Field                             UDM Mapping                           Logic
access_tokenId_label                  additional.fields                     Merged
access_tokenType_label                additional.fields                     Merged
access_type_label                     additional.fields                     Merged
createdBy_label                       additional.fields                     Merged
details.failover_dc_label             additional.fields                     Merged
details.initial_dc_label              additional.fields                     Merged
details.sync_end_ts_label             additional.fields                     Merged
duration_label                        additional.fields                     Merged
ldapName_label                        additional.fields                     Merged
manage_local_sids_label               additional.fields                     Merged
persistent_label                      additional.fields                     Merged
req_query_limit_label                 additional.fields                     Merged
req_query_page_label                  additional.fields                     Merged
scan_label                            additional.fields                     Merged
secure_label                          additional.fields                     Merged
strict_secure_label                   additional.fields                     Merged
sync_start_ts_label                   additional.fields                     Merged
targetSystem_cn_label                 additional.fields                     Merged
targetSystem_distinguishedName_label  additional.fields                     Merged
targetSystem_operatingSystem_label    additional.fields                     Merged
user_distinguishedName_label          additional.fields                     Merged
req_headers_host                      intermediary.asset.hostname           Directly mapped
req_headers_host                      intermediary.hostname                 Directly mapped
json_message                          metadata.description                  Directly mapped
msg                                   metadata.description                  Directly mapped
time                                  metadata.event_timestamp              Parsed as ISO 8601
event_type                            metadata.event_type                   Directly mapped
name                                  metadata.product_event_type           Directly mapped
req_id                                metadata.product_log_id               Directly mapped
req.method                            network.http.method                   Directly mapped
res.statusCode                        network.http.response_code            Renamed/mapped
req_header_user_agent                 network.http.user_agent               Directly mapped
targetSystem.domain_netbios           principal.administrative_domain       Directly mapped
user_domain_fqdn                      principal.administrative_domain       Directly mapped
source_application                    principal.application                 Directly mapped
req_headers_host                      principal.hostname                    Directly mapped
targetSystem.cn                       principal.hostname                    Directly mapped
client_ip                             principal.ip                          Merged
remote_address                        principal.ip                          Merged
client_ua_os                          principal.platform                    Mapped: (?i)windows to WINDOWS, (?i)linux to LINUX, (?i)mac to MAC
client_ua_platform                    principal.platform_version            Directly mapped
client_ua_version                     principal.platform_version            Directly mapped
req.remotePort                        principal.port                        Renamed/mapped
script_cmd                            principal.process.command_line        Directly mapped
pid                                   principal.process.pid                 Directly mapped
browser_label                         principal.resource.attribute.labels   Merged
req_header_map_label                  principal.resource.attribute.labels   Merged
system                                principal.resource.product_object_id  Directly mapped
domain_netbios_label                  principal.user.attribute.labels       Merged
objectSid_label                       principal.user.attribute.labels       Merged
user_domain_label                     principal.user.attribute.labels       Merged
user_domain_netbios_label             principal.user.attribute.labels       Merged
user_id_label                         principal.user.attribute.labels       Merged
user_objectSid_label                  principal.user.attribute.labels       Merged
authData.access.role                  principal.user.role_name              Directly mapped
user_user                             principal.user.user_display_name      Directly mapped
access.user.sAMAccountName            principal.user.userid                 Directly mapped
user_cn                               principal.user.userid                 Directly mapped
user_sid                              principal.user.windows_sid            Directly mapped
disabled_label                        security_result.detection_fields      Merged
disabled_label1                       security_result.detection_fields      Merged
level_label                           security_result.detection_fields      Merged
req_id_key_label                      security_result.detection_fields      Merged
req_params_computerId_label           security_result.detection_fields      Merged
targetSystem_id_label                 security_result.detection_fields      Merged
hostname                              src.hostname                          Directly mapped
ldapName                              target.administrative_domain          Directly mapped
targetsystem                          target.asset.hostname                 Directly mapped
server                                target.hostname                       Directly mapped
targetsystem                          target.hostname                       Directly mapped
header_map_label                      target.resource.attribute.labels      Merged
req.url                               target.url                            Directly mapped
user_user                             target.user.userid                    Directly mapped
N/A                                   metadata.product_name                 Constant: SecureONE
N/A                                   metadata.vendor_name                  Constant: Remediant
N/A                                   principal.platform                    Constant: WINDOWS
