Collect Active Countermeasures AC-Hunter logs
Parser Version:3.0
This document explains how to ingest Active Countermeasures AC-Hunter logs to Google Security Operations using Bindplane.
AC-Hunter is a network threat detection platform by Active Countermeasures that performs automated threat hunting by analyzing network traffic to identify compromised systems communicating with command and control servers. AC-Hunter runs in Docker containers on a Linux server and can forward threat alerts via the syslog protocol to a SIEM or centralized logging server.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- Windows Server 2016 or later, or a Linux host with
systemd. - If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
- Privileged access (SSH with sudo) to the Active Countermeasures AC-Hunter server to edit the configuration file.
- AC-Hunter version 5.3.0 or later (earlier versions contain a bug that blocks sending syslog messages).
- Network path from the AC-Hunter server to the Bindplane agent host on your chosen syslog port (UDP or TCP).
- IP forwarding enabled on the AC-Hunter host to allow Docker containers to send syslog to external servers.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" / quiet
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) " install_unix.sh
Additional installation resources
For additional installation options, see Bindplane agent installation guide .
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
-
Linux:
sudo systemctl status observiq-otel-collector -
Windows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
-
Replace the entire contents of
config.yamlwith the following configuration:receivers : udplog : listen_address : "0.0.0.0:514" exporters : chronicle/ac_hunter : compression : gzip creds_file_path : '/etc/bindplane-agent/ingestion-auth.json' customer_id : '<CUSTOMER_ID>' endpoint : malachiteingestion-pa.googleapis.com log_type : AI_HUNTER raw_log_field : body service : pipelines : logs/ac_hunter_to_chronicle : receivers : - udplog exporters : - chronicle/ac_hunter
Configuration parameters
Replace the following placeholders:
-
Receiver configuration:
-
udplog: Useudplogfor UDP syslog ortcplogfor TCP syslog. Match the protocol configured in AC-Hunter. -
0.0.0.0:514: IP address and port to listen on. Use0.0.0.0to listen on all interfaces.
-
-
Exporter configuration:
-
<CUSTOMER_ID>: Google SecOps Customer ID copied in the previous step. -
/etc/bindplane-agent/ingestion-auth.json: Full path to the ingestion authentication file.- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
-
endpoint: Regional endpoint URL:- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for a complete list.
- US:
-
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux:
-
Run the following command:
sudo systemctl restart observiq-otel-collector -
Verify the service is running:
sudo systemctl status observiq-otel-collector -
Check logs for errors:
sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows:
-
Choose one of the following options:
- Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector- Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
- Press
-
Verify the service is running:
sc query observiq-otel-collector -
Check logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure syslog forwarding on Active Countermeasures AC-Hunter
- Sign in to the AC-Hunter servervia SSH with privileged access.
-
Back up the existing configuration file:
sudo cp /etc/AI-Hunter/config.yaml /etc/AI-Hunter/config.yaml.backup -
Open the configuration file in a text editor:
sudo nano /etc/AI-Hunter/config.yaml -
Locate the Alert:section and the nested Syslog:section. Provide the following configuration details:
Alert : Syslog : Threshold : 20 Protocol : "udp" Address : "BINDPLANE_IP:514" Tag : " AC-Hunter "- Threshold: Enter the minimum threat score to trigger alerts (for example,
20). Systems with scores at or above this value generate syslog alerts. - Protocol: Select
"udp"or"tcp"to match the Bindplane agent receiver configuration. Use""(empty string) to write to the host/dev/logfor rsyslog forwarding. - Address: Enter the Bindplane agent IP address and port (for example,
"10.1.2.3:514"). - Tag: Enter an optional tag for log identification (for example,
" AC-Hunter "). Include a trailing space before the closing quote so the tag does not run into the message text.
- Threshold: Enter the minimum threat score to trigger alerts (for example,
-
Save the configuration file and exit the editor.
-
Restart AC-Hunter to apply the changes:
hunt up -d --force-recreate -
Wait until approximately 20 minutes past the next hour. AC-Hunter imports new hourly logs from sensors and sends syslog alerts for systems that exceed the configured threshold during this import cycle.
-
Verify that syslog messages are arriving at the Bindplane agent host by checking the local syslog log file:
sudo tail -f /var/log/syslog
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
api_msg_label
|
additional.fields
|
Merged |
prev_score
|
metadata.description
|
Directly mapped |
score
|
metadata.description
|
Directly mapped |
ts_date
|
metadata.event_timestamp
|
Parsed as MMM dd HH:mm:ss
|
ts_iso8601
|
metadata.event_timestamp
|
Parsed as ISO8601
|
has_principal
|
metadata.event_type
|
Mapped: true
→ STATUS_UNCATEGORIZED
|
src_ip
|
principal.asset.ip
|
Merged |
src_ip
|
principal.ip
|
Merged |
blacklist_avg_bytes_label
|
principal.labels
|
Merged |
blacklist_in_label
|
principal.labels
|
Merged |
blacklist_out_label
|
principal.labels
|
Merged |
database_label
|
principal.labels
|
Merged |
dns_txt_query_label
|
principal.labels
|
Merged |
invalid_cert_label
|
principal.labels
|
Merged |
max_beacon_label
|
principal.labels
|
Merged |
max_duration_label
|
principal.labels
|
Merged |
prev_score_label
|
principal.labels
|
Merged |
rare_client_label
|
principal.labels
|
Merged |
score_label
|
principal.labels
|
Merged |
unexpected_proto_label
|
principal.labels
|
Merged |
source_module_label
|
principal.resource.attribute.labels
|
Merged |
domain
|
target.asset.hostname
|
Directly mapped |
domain
|
target.hostname
|
Directly mapped |
|
N/A
|
metadata.event_type
|
Constant: STATUS_UNCATEGORIZED
|
|
N/A
|
metadata.product_name
|
Constant: AI hunter
|
|
N/A
|
metadata.vendor_name
|
Constant: Active Countermeasures
|
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.

