Collect Vectra Alerts logs

Supported in:

This document explains how to ingest Vectra Alerts logs to Google Security Operations using the Vectra SIEM Connector and Bindplane.

Vectra AI is a network detection and response platform that generates security alerts for threat detections across cloud, data center, and IoT environments. The platform uses AI-driven behavioral analysis to identify hidden cyberattacks in real time.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the Vectra AI platform
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the Vectra AI platform with administrator permissions

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed. This file is the credential the agent uses to write into your tenant, so restrict read access to the account the agent runs as (for example, chmod 600 on Linux) and keep it out of configuration management and version control.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

     sc query observiq-otel-collector 
    

The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

      sudo systemctl status observiq-otel-collector


The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

      sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

     notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml" 
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

      receivers:
        udplog:
          listen_address: "0.0.0.0:514"
      exporters:
        chronicle/vectra_alerts:
          compression: gzip
          creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
          customer_id: '<customer_id>'
          endpoint: malachiteingestion-pa.googleapis.com
          log_type: VECTRA_ALERTS
          raw_log_field: body
      service:
        pipelines:
          logs/vectra_alerts_to_chronicle:
            receivers:
              - udplog
            exporters:
              - chronicle/vectra_alerts


Configuration parameters

  • Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended); on a multi-homed host, bind to the address of the interface the connector reaches instead
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
        • The udplog receiver accepts any datagram that reaches the port: UDP syslog carries no authentication, encryption, or delivery confirmation. Restrict inbound access to the port with a host or network firewall so that only the Vectra SIEM Connector host can send to it, and expect silent event loss under load or during agent restarts.
    • Exporter configuration:

      • creds_file_path : Full path to the ingestion authentication file (readable only by the account the agent runs as):
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for the complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O , then Enter , then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux:

    1. Run the following command:

       sudo systemctl restart observiq-otel-collector

    2. Verify the service is running:

       sudo systemctl status observiq-otel-collector

    3. Check logs for errors:

       sudo journalctl -u observiq-otel-collector -f

  • To restart the Bindplane agent in Windows:

    1. Choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

        In Windows PowerShell 5.1 the && operator is not a statement separator; there, run the two commands separated by ; or use Restart-Service observiq-otel-collector (PowerShell 7 accepts &&).

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.
    2. Verify the service is running:

       sc query observiq-otel-collector 
      
    3. Check logs for errors:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"


Configure Vectra Alerts syslog forwarding

Deploy the Vectra SIEM Connector to forward alert data to the Bindplane agent.

  1. Deploy the Vectra SIEM Connector (available as a Docker container or standalone application).
  2. Configure the connector with your Vectra AI Platform URL (for example, https://your-tenant.vectra.ai ) and API credentials.
  3. Set the output destination to syslog with the following parameters:
    • Syslog Server: Enter the IP address of the Bindplane agent host.
    • Port: Enter 514 (or the port configured in the Bindplane agent).
    • Protocol: Select UDP (matching the Bindplane receiver configuration).
  4. Select the event categories to forward:
    • Detections
    • Audits
    • Health events
  5. Start the connector and verify that alert logs are being forwarded by checking the Bindplane agent logs.
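The last step above asks you to confirm that datagrams are actually arriving at the agent. The script below is an added example, not code from Vectra or from Bindplane: it builds a syslog datagram carrying a constructed Vectra-style event (the JSON-in-syslog body shape, the facility/severity, the hostname vectra-siem-connector and all field values are assumptions for the example; the field names follow the UDM mapping table on this page), proves the datagram path on a loopback socket, and then fires one event at the real listener if you pass the Bindplane host. It also shows why the firewall caveat matters: nothing in the exchange identifies the sender.

```python
import json
import socket
from datetime import datetime, timezone
from typing import Optional, Tuple

# RFC 3164 PRI = facility * 8 + severity. local0 (16) / informational (6) is a
# common choice for application syslog and is assumed here.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6

# Constructed sample event. Field names follow the UDM mapping table on this
# page; the values are made up for the test.
SAMPLE_EVENT = {
    "id": 4242,
    "type": "host",
    "category": "COMMAND & CONTROL",
    "detection_type": "Hidden HTTPS Tunnel",
    "created_timestamp": "2024-05-01T12:34:56Z",
    "src_host": {"id": 17, "name": "ws-finance-07", "ip": "10.10.3.42"},
    "dst_ip1": "198.51.100.23",
    "dst_port1": 443,
    "url": "https://your-tenant.vectra.ai/detections/4242",
}


def build_syslog_frame(event: dict, hostname: str = "vectra-siem-connector",
                       tag: str = "vectra", facility: int = FACILITY_LOCAL0,
                       severity: int = SEVERITY_INFO,
                       now: Optional[datetime] = None) -> bytes:
    """Wrap a JSON event in a BSD syslog header: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    A JSON body inside a syslog frame is an assumption for this example, not the
    connector's documented wire format."""
    now = now or datetime.now(timezone.utc)
    pri = facility * 8 + severity
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # RFC 3164 pads the day with a space
    body = json.dumps(event, separators=(",", ":"))
    return f"<{pri}>{stamp} {hostname} {tag}: {body}".encode()


def parse_frame(frame: bytes) -> Tuple[int, int, dict]:
    """Return (facility, severity, event) from a frame produced above; raises on
    a malformed PRI or body so a bad test datagram is caught before it is sent."""
    if not frame.startswith(b"<"):
        raise ValueError("missing <PRI> prefix")
    head, rest = frame[1:].split(b">", 1)
    pri = int(head)
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    body = rest.split(b": ", 1)[1]          # everything after "TAG: " is the message
    return pri // 8, pri % 8, json.loads(body)


def loopback_roundtrip(frame: bytes) -> bytes:
    """Send the frame to a throwaway UDP socket on 127.0.0.1 and return what arrived.
    This is the udplog path exactly: one datagram, no handshake and no
    authentication, so any host that can reach the port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))           # ephemeral port, loopback only
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(frame, ("127.0.0.1", port))
        data, _ = rx.recvfrom(65535)
    return data


def send_test_event(host: str, port: int = 514) -> dict:
    """Fire one constructed event at the Bindplane udplog listener and return the
    event so its id can be searched for in Google SecOps (metadata.product_log_id)."""
    frame = build_syslog_frame(SAMPLE_EVENT)
    parse_frame(frame)                      # fail fast on a malformed datagram
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(frame, (host, port))
    return SAMPLE_EVENT


if __name__ == "__main__":
    import sys
    frame = build_syslog_frame(SAMPLE_EVENT)
    if loopback_roundtrip(frame) != frame:
        sys.exit("loopback round-trip failed")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
        send_test_event(host, port)
        print(f"sent event id {SAMPLE_EVENT['id']} to {host}:{port}")
    else:
        print("loopback OK; pass <bindplane-host> [port] to send to the agent")
```

Run it with no arguments to check the datagram format locally, then with the Bindplane host (and 1514 if you changed the port) to send one event through the pipeline; the agent does not echo each received datagram to its log by default, so confirm arrival by searching Google SecOps for the VECTRA_ALERTS log with product_log_id 4242.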

UDM mapping table

Log Field | UDM Mapping | Logic
assigned_date | additional.fields.assigned_date_label | Set label with key "Assigned Date" and value from assigned_date
assigned_to | additional.fields.assigned_to_label | Set label with key "Assigned To" and value from assigned_to
c_score | additional.fields.c_score_label | Set label with key "c_score" and value from c_score
category | security_result.category_details | Value copied directly
certainty | additional.fields.certainty_label | Set label with key "Certainty" and value from certainty
created_timestamp | metadata.event_timestamp | Converted using format yyyy-MM-ddTHH:mm:ssZ
custom_detection | additional.fields.custom_detection_label | Set label with key "Custom Detection" and value from custom_detection
data_source.connection_id | security_result.detection_fields.connection_id_label | Set label with key "Connection ID" and value from data_source.connection_id
data_source.connection_name | security_result.detection_fields.connection_name_label | Set label with key "Connection Name" and value from data_source.connection_name
data_source.type | security_result.detection_fields.data_source_type_label | Set label with key "Data Source Type" and value from data_source.type
description | metadata.description | Value copied directly
detection | additional.fields.detection_label | Set label with key "Detection" and value from detection
detection_category | additional.fields.detection_category_label | Set label with key "Detection Category" and value from detection_category
detection_type | additional.fields.detection_type_label | Set label with key "Detection Type" and value from detection_type
detection_url | principal.url | Value copied directly
filtered_by_ai | additional.fields.filtered_by_ai_label | Set label with key "Filtered By AI" and value from filtered_by_ai
filtered_by_rule | additional.fields.filtered_by_rule_label | Set label with key "Filtered By Rule" and value from filtered_by_rule
filtered_by_user | additional.fields.filtered_by_user_label | Set label with key "Filtered By User" and value from filtered_by_user
first_timestamp | additional.fields.first_timestamp_label | Set label with key "First Timestamp" and value from first_timestamp
gd_first_timestamp | security_result.detection_fields.gd_first_timestamp_label | Set label with key "first_timestamp" and value from gd_first_timestamp
gd_grouping_field | security_result.detection_fields.gd_grouping_field_label | Set label with key "grouping_field" and value from gd_grouping_field
gd_last_timestamp | security_result.detection_fields.gd_last_timestamp_label | Set label with key "group_details_last_timestamp" and value from gd_last_timestamp
gd_uuid | security_result.detection_fields.gd_uuid_label | Set label with key "gd_uuid" and value from gd_uuid
grp_description | security_result.detection_fields.grp_description_label | Set label with key "grp_description" and value from grp_description
grp_id | security_result.detection_fields.grp_id_label | Set label with key "grp_id" and value from grp_id
grp_last_modified | security_result.detection_fields.grp_last_modified_label | Set label with key "grp_last_modified" and value from grp_last_modified
grp_last_modified_by | security_result.detection_fields.grp_last_modified_by_label | Set label with key "grp_last_modified_by" and value from grp_last_modified_by
grp_name | security_result.detection_fields.grp_name_label | Set label with key "grp_name" and value from grp_name
grp_type | security_result.detection_fields.grp_type_label | Set label with key "grp_type" and value from grp_type
id | metadata.product_log_id | Value copied directly
intermediary | intermediary | Value copied directly
is_custom_model | additional.fields.is_custom_model_label | Set label with key "is_custom_model" and value from is_custom_model
is_marked_custom | additional.fields.is_marked_custom_label | Set label with key "is_marked_custom" and value from is_marked_custom
is_targeting_key_asset | additional.fields.is_targeting_key_asset_label | Set label with key "is_targeting_key_asset" and value from is_targeting_key_asset
is_triaged | additional.fields.is_triaged_label | Set label with key "is_triaged" and value from is_triaged
last_timestamp | additional.fields.last_timestamp_label | Set label with key "last_timestamp" and value from last_timestamp
note | additional.fields.note_label | Set label with key "note" and value from note
note_modified_by | additional.fields.note_modified_by_label | Set label with key "note_modified_by" and value from note_modified_by
note_modified_timestamp | additional.fields.note_modified_timestamp_label | Set label with key "note_modified_timestamp" and value from note_modified_timestamp
notes | additional.fields.notes_label | Set label with key "notes" and value from notes
principal | principal | Value copied directly
security_result | security_result | Value copied directly
sensor | additional.fields.sensor_label | Set label with key "sensor" and value from sensor
sensor_name | additional.fields.sensor_name_label | Set label with key "sensor_name" and value from sensor_name
src | src | Value copied directly
src_account | additional.fields.src_account_label | Set label with key "src_account" and value from src_account
src_host.certainty | additional.fields.src_certainty_label | Set label with key "src_host_certainty" and value from src_host.certainty
src_host.id | principal.user.userid | Value copied directly
gd_src_host_ip, src_ip, src_host.ip | principal.ip | Merged from gd_src_host_ip, src_ip, src_host.ip; last merge wins
src_ip, src_host.ip | principal.asset.ip | Merged from src_ip, src_host.ip; last merge wins
src_host.is_key_asset | additional.fields.src_host_is_key_asset_label | Set label with key "src_host_is_key_asset" and value from src_host.is_key_asset
src_host.name | principal.hostname | Value copied directly
src_host.threat | additional.fields.src_host_threat_label | Set label with key "src_host_threat" and value from src_host.threat
src_host.url | src.url | Value copied directly
src_host_group_description | security_result.detection_fields.src_host_group_description_label | Set label with key "src_host_group_description" and value from src_host_group_description
src_host_group_id | security_result.detection_fields.src_host_group_id_label | Set label with key "src_host_group_id" and value from src_host_group_id
src_host_group_last_modified | security_result.detection_fields.src_host_group_last_modified_label | Set label with key "src_host_group_last_modified" and value from src_host_group_last_modified
src_host_group_last_modified_by | security_result.detection_fields.src_host_group_last_modified_by_label | Set label with key "src_host_group_last_modified_by" and value from src_host_group_last_modified_by
src_host_group_name | security_result.detection_fields.src_host_group_name_label | Set label with key "src_host_group_name" and value from src_host_group_name
src_host_group_type | security_result.detection_fields.src_host_group_type_label | Set label with key "src_host_group_type" and value from src_host_group_type
state | security_result.detection_fields.state_label | Set label with key "state" and value from state
summary.num_attempts | additional.fields.num_attempts_label | Set label with key "num_attempts" and value from summary.num_attempts
target | target | Value copied directly
dst_host_ip, dst_ip1 | target.ip | Merged from dst_host_ip, dst_ip1; last merge wins
tags | additional.fields.tags_label | Set label with key "tags" and value from tags
t_score | additional.fields.t_score_label | Set label with key "t_score" and value from t_score
targets_key_asset | additional.fields.targets_key_asset_label | Set label with key "targets_key_asset" and value from targets_key_asset
threat | security_result.detection_fields.threat_label | Set label with key "threat" and value from threat
triage_rule_id | security_result.rule_id | Value copied directly
type | additional.fields.type_label | Set label with key "type" and value from type
url | metadata.url_back_to_product | Value copied directly
uuid1 | security_result.detection_fields.uuid_label | Set label with key "uuid" and value from uuid1
dst_host_id | security_result.detection_fields.dst_host_id_label | Set label with key "dst_host_id" and value from dst_host_id
dst_host_name | security_result.detection_fields.dst_host_name_label | Set label with key "dst_host_name" and value from dst_host_name
dst_port1 | security_result.detection_fields.dst_port_label | Set label with key "dst_port" and value from dst_port1
dst_last_timestamp | security_result.detection_fields.dst_last_timestamp_label | Set label with key "dst_last_timestamp" and value from dst_last_timestamp
 | metadata.event_type | Set to "NETWORK_CONNECTION" if has_principal == "true" and has_target == "true", else "USER_UNCATEGORIZED" if has_user == "true", else "STATUS_UPDATE" if has_principal == "true", else "GENERIC_EVENT"
 | metadata.product_name | Set to "Vectra Alerts"
 | metadata.vendor_name | Set to "Vectra Alerts"
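Most rows in the table are either a direct copy or a "set label" entry, but three of them carry logic worth seeing executed: the merged IP fields where the last source present wins, the created_timestamp conversion, and the metadata.event_type decision tree. The script below is an added example that models those rows in Python; it is not the Google SecOps parser. The page does not say how the parser derives has_principal, has_target and has_user, so the example assumes a principal is present when a principal IP or hostname was mapped, a target when a target IP or dst_host_name was mapped, and a user when src_host.id was mapped; the sample events are constructed.

```python
from datetime import datetime, timezone


def get_path(event: dict, dotted: str):
    """Resolve a 'src_host.ip' style path against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def merge_last_wins(event: dict, sources: list):
    """The table's 'merged from A, B, C; last merge wins' rule: walk the sources
    in the listed order and keep the last one that is present and non-empty."""
    value = None
    for src in sources:
        v = get_path(event, src)
        if v not in (None, ""):
            value = v
    return value


def label(key: str, value) -> dict:
    """One 'Set label with key K and value from F' row as a key/value pair."""
    return {"key": key, "value": str(value)}


def event_timestamp_epoch(created_timestamp: str) -> int:
    """created_timestamp in yyyy-MM-ddTHH:mm:ssZ -> epoch seconds (UTC)."""
    dt = datetime.strptime(created_timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def choose_event_type(has_principal: bool, has_target: bool, has_user: bool) -> str:
    """metadata.event_type decision tree from the table, evaluated in order."""
    if has_principal and has_target:
        return "NETWORK_CONNECTION"
    if has_user:
        return "USER_UNCATEGORIZED"
    if has_principal:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def to_udm(event: dict) -> dict:
    """Apply the rows that carry logic (merges, timestamp, event_type) plus a few
    direct copies and labels; the remaining rows follow the same two patterns."""
    principal_ip = merge_last_wins(event, ["gd_src_host_ip", "src_ip", "src_host.ip"])
    asset_ip = merge_last_wins(event, ["src_ip", "src_host.ip"])
    target_ip = merge_last_wins(event, ["dst_host_ip", "dst_ip1"])
    hostname = get_path(event, "src_host.name")
    userid = get_path(event, "src_host.id")

    # Assumption (not stated on the page): how the has_* flags are derived.
    has_principal = principal_ip is not None or hostname is not None
    has_target = target_ip is not None or event.get("dst_host_name") is not None
    has_user = userid is not None

    detection_fields = []
    for key, field in (("dst_port", "dst_port1"), ("state", "state"), ("threat", "threat")):
        if field in event:
            detection_fields.append(label(key, event[field]))
    additional = []
    for key, field in (("Detection Type", "detection_type"), ("Certainty", "certainty")):
        if field in event:
            additional.append(label(key, event[field]))

    udm = {
        "metadata": {
            "event_type": choose_event_type(has_principal, has_target, has_user),
            "product_name": "Vectra Alerts",
            "vendor_name": "Vectra Alerts",
            "product_log_id": None if "id" not in event else str(event["id"]),
            "url_back_to_product": event.get("url"),
        },
        "principal": {"ip": principal_ip, "hostname": hostname,
                      "user": {"userid": userid}, "asset": {"ip": asset_ip}},
        "target": {"ip": target_ip},
        "security_result": {"category_details": event.get("category"),
                            "rule_id": event.get("triage_rule_id"),
                            "detection_fields": detection_fields},
        "additional": {"fields": additional},
    }
    if "created_timestamp" in event:
        udm["metadata"]["event_timestamp"] = event_timestamp_epoch(event["created_timestamp"])
    return udm
```

The merge order matters in practice: when both src_ip and src_host.ip are present with different values, principal.ip carries src_host.ip, so detections keyed on principal.ip should be written against the host record's address rather than the flat src_ip field.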
