Feed Management API

How to authenticate with the Chronicle API

The Chronicle API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:

  • Using the Google API client library for your programming language.

  • Directly interfacing with the OAuth 2.0 system using HTTP.

See the reference documentation for the Google Authentication library in Python.

Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.

Getting API authentication credentials

Your Chronicle representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.

You also need to provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.

Use the following scope to initialize your Google API client:

https://www.googleapis.com/auth/chronicle-backstory

Python example

The following Python example demonstrates how to use the OAuth2 credentials and HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample - Google Auth and API Client Library Imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run $ pip
# install google-api-python-client from your terminal
from google.oauth2 import service_account
from googleapiclient import _auth

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file
# ToDo: Replace this with the full path to your OAuth2 credentials
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using Google Developer Service Account Credential and Chronicle API
# Scope.
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP client to make authorized OAuth requests.
http_client = _auth.authorized_http(credentials)

# <your code continues here>

Chronicle API query limits

The Chronicle API enforces limits on the volume of requests that can be made by any one customer against the Chronicle platform. If you reach or exceed the query limit, the Chronicle API server returns HTTP 429 (RESOURCE_EXHAUSTED) to the caller. When developing applications for the Chronicle API, Chronicle recommends that you enforce rate limits within your system to avoid resource exhaustion. These limits apply to all of the Chronicle APIs, including the Search, Customer Management, and Tooling APIs.

The following limit for the Chronicle Customer Management API is being enforced and is measured in queries per second (QPS):

Chronicle API      API Method    Limit
Feed Management    CreateFeed    1 QPS
Feed Management    GetFeed       1 QPS
Feed Management    ListFeeds     1 QPS
Feed Management    UpdateFeed    1 QPS
Feed Management    DeleteFeed    1 QPS
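
One way to enforce the limits above on the client side and to handle HTTP 429 when it still occurs. This is an added example, not part of the Chronicle documentation: the class and function names are hypothetical, each API method is given its own 1 QPS budget (an assumption about how the listed limits combine), and the backoff schedule is a choice made for the example.

```python
import time


class FeedApiThrottle:
    """Client-side pacing: at most `qps` calls per second for each API method.

    Not thread-safe; share one instance per process and call it from one thread.
    """

    def __init__(self, qps=1.0, clock=time.monotonic, sleep=time.sleep):
        self._interval = 1.0 / qps
        self._clock = clock
        self._sleep = sleep
        self._next_slot = {}  # method name -> earliest time the next call may start

    def wait(self, method):
        """Block until `method` may be called again, then reserve the next slot."""
        now = self._clock()
        slot = self._next_slot.get(method, now)
        if slot > now:
            self._sleep(slot - now)
            now = max(self._clock(), slot)
        self._next_slot[method] = now + self._interval


def call_feed_api(send, method, throttle, max_attempts=4, base_delay=1.0,
                  sleep=time.sleep):
    """Run send() under the throttle; back off and retry while it returns 429.

    send is a zero-argument callable that performs one HTTP request and returns
    an object with a status_code attribute (for example a requests.Response).
    The last response is returned even if it is still 429, so the caller can
    raise an alert instead of retrying forever.
    """
    response = None
    for attempt in range(max_attempts):
        throttle.wait(method)
        response = send()
        if response.status_code != 429:
            return response
        if attempt + 1 < max_attempts:
            sleep(base_delay * 2 ** attempt)  # 1 s, 2 s, 4 s, ...
    return response


# Usage with the AuthorizedSession (http_session) from the page's Python sample:
#   throttle = FeedApiThrottle(qps=1.0)
#   resp = call_feed_api(
#       lambda: http_session.get("https://backstory.googleapis.com/v1/feeds"),
#       "ListFeeds", throttle)
```
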

Python example using OAuth2 credentials and HTTP client

The following Python example demonstrates how to use the OAuth2 credentials and an HTTP session using google.oauth2 and google.auth.transport.requests.

# Imports required for the sample - Google Auth and API Client Library Imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or
# run $ pip install google-api-python-client from your terminal

from google.auth.transport import requests
from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file
# ToDo: Replace this with the full path to your OAuth2 credentials

SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using Google Developer Service Account Credential and Chronicle
# API Scope.

credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP session to make authorized OAuth requests.

http_session = requests.AuthorizedSession(credentials)

# <your code continues here>

CreateFeed

Creates a third party data feed in your Chronicle instance.

Note: CreateFeed uses the POST method.

Request

POST https://backstory.googleapis.com/v1/feeds
Request Body

Note: The following is an example of a request body that changes based on the log type you configure. Please see the Sample Requests section below for other log types.

{
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "USERNAME",
        "secret": "SECRET"
      },
      "hostname": "http://foobar.com"
    }
  }
}
Sample Request
POST https://backstory.googleapis.com/v1/feeds
{
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "USERNAME",
        "secret": "SECRET"
      },
      "hostname": "http://foobar.com"
    }
  }
}
Sample Response
{
 "name": "feeds/19e82867-ab6d-4955-b9c8-bd4aee189439",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "http://foobar.com"
   }
 },
 "feedState": "PENDING_ENABLEMENT"
}
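
In the samples above, the request body carries the third-party credentials under "authentication" and the response does not return them, so the copy held by your own tooling is the one to protect. The following added example (not part of the Chronicle documentation) strictly parses a request body and produces a log-safe copy; treating everything under "authentication" and "ssl" as sensitive is an assumption drawn from this page's sample bodies, and the function names are hypothetical.

```python
import json

# Containers whose contents are credentials in this page's sample bodies
# (assumption: extend the set if your log type stores secrets elsewhere).
SENSITIVE_CONTAINERS = {"authentication", "ssl"}
MASK = "***REDACTED***"

# Constructed input: the DUO_AUTH request body shown on this page.
SAMPLE_BODY = """
{
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {"user": "USERNAME", "secret": "SECRET"},
      "hostname": "http://foobar.com"
    }
  }
}
"""


def _reject_duplicates(pairs):
    """object_pairs_hook: a repeated key would silently override an earlier one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def parse_feed_body(text):
    """Strictly parse a request body.

    Raises ValueError on trailing commas, comments, missing separators or
    duplicate keys, so a malformed body fails locally before it is sent.
    """
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def redact_feed_body(body):
    """Return (safe_copy, masked_paths); the input object is not modified."""
    masked = []

    def walk(node, path, sensitive):
        if isinstance(node, dict):
            return {k: walk(v, f"{path}.{k}" if path else k,
                            sensitive or k in SENSITIVE_CONTAINERS)
                    for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]", sensitive) for i, v in enumerate(node)]
        if sensitive:
            masked.append(path)
            return MASK
        return node

    return walk(body, "", False), masked


def safe_log_line(text):
    """Parse a request body and return a one-line JSON string fit for logs."""
    safe, _ = redact_feed_body(parse_feed_body(text))
    return json.dumps(safe, sort_keys=True)


if __name__ == "__main__":
    print(safe_log_line(SAMPLE_BODY))
```
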

DeleteFeed

Deletes a feed that was configured using the Chronicle Feed Management API.

Note: DeleteFeed uses the DELETE method.

Request

DELETE https://backstory.googleapis.com/v1/feeds/{feedID}
Sample Request
DELETE https://backstory.googleapis.com/v1/feeds/01777371-b27b-44e7-8b2d-774302d7958f
Sample Response

If the operation is successful, DeleteFeed returns an empty response with 200 OK.

{}

GetFeed

Gets the details of the feed that was configured.

Request

https://backstory.googleapis.com/v1/feeds/{feedID}
Sample Request
https://backstory.googleapis.com/v1/feeds/01777371-b27b-44e7-8b2d-774302d7958f
Sample Response
{
 "name": "feeds/01777371-b27b-44e7-8b2d-774302d7958f",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "http://foobar.com"
   }
 },
 "feedState": "PENDING_ENABLEMENT"
}

ListFeeds

Retrieves all the feeds configured for a given Chronicle instance.

Note: ListFeeds uses the GET method.

Request
GET https://backstory.googleapis.com/v1/feeds
Sample Request
GET https://backstory.googleapis.com/v1/feeds
Sample Response
{
 "feeds": [
   {
     "name": "feeds/19e82867-ab6d-4955-b9c8-bd4aee189439",
     "details": {
       "logType": "AZURE_AD_CONTEXT",
       "feedSourceType": "API",
       "azureAdContextSettings": {}
     },
     "feedState": "PENDING_ENABLEMENT"
   },
   {
     "name": "feeds/cdc096a5-93a8-4854-94d9-c05cf0c14d47",
     "details": {
       "logType": "PAN_PRISMA_CLOUD",
       "feedSourceType": "API",
       "panPrismaCloudSettings": {
         "hostname": "api2.prismacloud.io"
       }
     },
     "feedState": "ACTIVE"
   }
 ]
}

UpdateFeed

Updates the given feed with new details, typically details related to authentication, in a given Chronicle instance.

Note: UpdateFeed uses the PATCH method.

Request
PATCH https://backstory.googleapis.com/v1/feeds/{feedID}
Request Body

Note: The following is an example of a request body that changes based on the log type you configure. Please see the Sample Requests section below for other log types.

Sample Request
{
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "USERNAME",
        "secret": "SECRET"
      },
      "hostname": "http://foobar.com"
    }
  }
}
Sample Request
https://backstory.googleapis.com/v1/feeds/01777371-b27b-44e7-8b2d-774302d7958f
{
  "feedDetails": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "USERNAME",
        "secret": "SECRET"
      },
      "hostname": "http://foobar.com"
    }
  }
}
Sample Response
{
 "name": "feeds/19e82867-ab6d-4955-b9c8-bd4aee189439",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "http://foobar.com"
   }
 },
 "feedState": "PENDING_ENABLEMENT"
}

Sample requests for log types

You can use the following sample request bodies with the CreateFeed and UpdateFeed methods for the supported log types.

AMAZON S3

The possible values for sourceDeletionOption are as follows:

  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after a successful fetch completes.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after a successful fetch completes.
{
 "details": {
   "feedSourceType": "AMAZON_S3",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonS3Settings": {
     "authentication": {
       "accessKeyId": "fake",
       "secretAccessKey": "fake",
       "clientId": "fake",
       "clientSecret": "fake",
       "refreshUri": "uri",
       "region": "US_EAST_1"
     },
     "s3Uri": "s3://uri/to/file",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

AMAZON SQS

The possible values for sourceDeletionOption are as follows:

  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after a successful fetch completes.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after a successful fetch completes.
{
 "details": {
   "feedSourceType": "AMAZON_SQS",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonSqsSettings": {
     "authentication": {
       "sqsAccessKeySecretAuth": {
         "accessKeyId": "fake",
         "secretAccessKey": "fake"
       },
       "additionalS3AccessKeySecretAuth": {
         "accessKeyId": "fake",
         "secretAccessKey": "fake"
       }
     },
     "queue": "queueName",
     "region": "US_EAST_1",
     "accountNumber": "fake",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

ANOMALI_IOC

{
 "details": {
   "feedSourceType": "API",
   "logType": "ANOMALI_IOC",
   "anomaliSettings": {
     "authentication": {
       "user": "USERNAME",
       "secret": "SECRET"
     }
   }
 }
}

AZURE_AD

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD",
   "azureAdSettings": {
     "authentication": {
       "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418"
   }
 }
}

AZURE_AD_AUDIT

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD_AUDIT",
   "azureAdAuditSettings": {
     "authentication": {
       "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418"
   }
 }
}

AZURE_AD_CONTEXT

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD_CONTEXT",
   "azureAdContextSettings": {
     "authentication": {
       "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418",
     "retrieveDevices": false,
     "retrieveGroups": false
   }
 }
}

AZURE_MDM_INTUNE

{
   "details": {
     "feedSourceType": "API",
     "logType": "AZURE_MDM_INTUNE",
     "azureMdmIntuneSettings": {
       "authentication": {
         "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418"
     }
   }
}

AZURE BLOB STORE

The possible values for sourceDeletionOption are as follows:

  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after a successful fetch completes.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after a successful fetch completes.

For authentication, provide either "sasToken" (as in this sample) or "shared_key": "key".

{
 "details": {
   "feedSourceType": "AZURE_BLOBSTORE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "azureBlobStoreSettings": {
     "authentication": {
       "sasToken": "token"
     },
     "azureUri": "uritofiles",
     "sourceType": "FOLDERS",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

CORTEX_XDR

{
   "details": {
     "feedSourceType": "API",
     "logType": "CORTEX_XDR",
     "cortexXdrSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "key",
            "value": "value"
         }]
       },
       "hostname": "http://foobar.com",
       "endpoint": "endpoint"
     }
   }
}

DUO_AUTH

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_AUTH",
     "duoAuthSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "http://foobar.com"
     }
   }
}

DUO_USER_CONTEXT

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_USER_CONTEXT",
     "duoUserContextSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "http://foobar.com"
     }
   }
}

FOX_IT_STIX

{
   "details": {
     "feedSourceType": "API",
     "logType": "FOX_IT_STIX",
     "foxItStixSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "ssl": {
         "sslCertificate": "<cert>",
         "encodedPrivateKey": "key"
       },
       "pollServiceURI": "http://foobar.com",
       "collection": "mycollection"
     }
   }
}

GOOGLE CLOUD STORAGE

The possible values for sourceDeletionOption are as follows:

  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after a successful fetch completes.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after a successful fetch completes.
{
 "details": {
   "feedSourceType": "GOOGLE_CLOUD_STORAGE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "gcsSettings": {
     "bucket_uri": "gs://bucket/file",
     "sourceType": "FOLDERS_RECURSIVE",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

HTTP(S) ENDPOINT

The possible values for sourceDeletionOption are as follows:

  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after a successful fetch completes.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after a successful fetch completes.
{
 "details": {
   "feedSourceType": "HTTP",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "httpSettings": {
     "uri": "https://url.com/myfile",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

IMPERVA_WAF

{
   "details": {
     "feedSourceType": "API",
     "logType": "IMPERVA_WAF",
     "impervaWafSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "key",
            "value": "value"
         }]
       }
     }
   }
}

MICROSOFT_GRAPH_ALERT

{
   "details": {
     "feedSourceType": "API",
     "logType": "MICROSOFT_GRAPH_ALERT",
     "microsoftGraphAlertSettings": {
       "authentication": {
         "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418"
     }
   }
}

MICROSOFT_SECURITY_CENTER_ALERT

{
   "details": {
     "feedSourceType": "API",
     "logType": "MICROSOFT_SECURITY_CENTER_ALERT",
     "microsoftSecurityCenterAlertSettings": {
       "authentication": {
         "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418",
       "subscriptionId": "0fc279f9-fe30-41be-97d3-abe1d7681418"
     }
   }
}

MIMECAST_MAIL

{
   "details": {
     "feedSourceType": "API",
     "logType": "MIMECAST_MAIL",
     "mimecastMailSettings": {
       "authentication": {
         "headerKeyValues": [
           {
             "key": "access_key",
             "value": "ACCESS_KEY"
           },
           {
             "key": "app_id",
             "value": "APP_ID"
           },
           {
             "key": "app_key",
             "value": "APP_KEY"
           },
           {
             "key": "secret_key",
             "value": "SECRET_KEY"
           }
         ]
       }
     }
   }
}

NETSKOPE_ALERT

{
   "details": {
     "feedSourceType": "API",
     "logType": "NETSKOPE_ALERT",
     "netskopeAlertSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "feedName": "feedname"
     }
   }
}

OFFICE_365

The possible values for contentType are as follows:

  • AUDIT_AZURE_ACTIVE_DIRECTORY: Include Azure active directory audit logs.
  • AUDIT_EXCHANGE: Include Azure exchange audit logs.
  • AUDIT_SHARE_POINT: Include Azure share point audit logs.
  • AUDIT_GENERAL: Include all other workloads not included in other Audit content types.
  • DLP_ALL: Include DLP events only for all workloads.
{
   "details": {
     "feedSourceType": "API",
     "logType": "OFFICE_365",
     "office365Settings": {
       "authentication": {
         "clientId": "7ab79b26-f3ef-425c-9221-cf95a36f19b6",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0fc279f9-fe30-41be-97d3-abe1d7681418",
       "contentType": "AUDIT_AZURE_ACTIVE_DIRECTORY"
     }
   }
}

OKTA

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname"
     }
   }
}

OKTA_USER_CONTEXT

managerIdReferenceField is required when you use a non-Okta ID to reference managers. It should be a JSON field path pointing to the field that contains the manager ID in the result of a call to the "users" Okta API.

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA_USER_CONTEXT",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname",
       "managerIdReferenceField": "fooId"
     }
   }
}

PAN_IOC

{
   "details": {
     "feedSourceType": "API",
     "logType": "PAN_IOC",
     "panIocSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "key",
            "value": "value"
         }]
       },
       "feedId": "ID",
       "feed": "feed"
     }
   }
}

PAN_PRISMA_CLOUD

{
   "details": {
     "feedSourceType": "API",
     "logType": "PAN_PRISMA_CLOUD",
     "panPrismaCloudSettings": {
       "authentication": {
         "user": "user",
         "password": "password"
       },
       "hostname": "api2.prismacloud.io"
     }
   }
}

PROOFPOINT_MAIL

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_MAIL",
     "proofpointMailSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       }
     }
   }
}

PROOFPOINT_ON_DEMAND

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_ON_DEMAND",
     "proofPointOnDemandSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "clusterId": "ID"
     }
   }
}

RAPID7_INSIGHT

The endpoint for Rapid7 should be either "vulnerabilities" or "assets".

{
   "details": {
     "feedSourceType": "API",
     "logType": "RAPID7_INSIGHT",
     "rapid7InsightSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "X-Api-Key",
            "value": "APIKEY"
         }]
       },
       "endpoint": "assets"
     }
   }
}

RECORDED_FUTURE_IOC

{
   "details": {
     "feedSourceType": "API",
     "logType": "RECORDED_FUTURE_IOC",
     "recordedFutureIocSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       }
     }
   }
}

RH_ISAC_IOC

{
   "details": {
     "feedSourceType": "API",
     "logType": "RH_ISAC_IOC",
     "rhIsacIocSettings": {
       "authentication": {
         "tokenEndPoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret"
       }
     }
   }
}

SALESFORCE

{
   "details": {
     "feedSourceType": "API",
     "logType": "SALESFORCE",
     "salesforceSettings": {
       "authentication": {
         "tokenEndpoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret",
         "user": "user",
         "password": "password"
       },
       "hostname": "hostname"
     }
   }
}

SERVICENOW_CMDB

{
   "details": {
     "feedSourceType": "API",
     "logType": "SERVICENOW_CMDB",
     "servicenowCmdbSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "feedname": "feedname"
     }
   }
}

THINKST_CANARY

{
   "details": {
     "feedSourceType": "API",
     "logType": "THINKST_CANARY",
     "thinkstCanarySettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname"
     }
   }
}

THREATCONNECT_IOC

{
   "details": {
     "feedSourceType": "API",
     "logType": "THREATCONNECT_IOC",
     "threatConnectIocSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "owners": ["owner"]
     }
   }
}

WORKDAY

{
   "details": {
     "feedSourceType": "API",
     "logType": "WORKDAY",
     "workdaySettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "tenantId": "ID"
     }
   }
}

WORKSPACE_USERS

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_USERS",
   "workspaceUserSettings": {
     "authentication": {
       "tokenEndPoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

WORKSPACE_ACTIVITY

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ACTIVITY",
   "workspaceActivitySettings": {
     "authentication": {
       "tokenEndpoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID",
     "applications": [
       "app1",
       "app2"
     ]
   }
 }
}

WORKSPACE_ALERTS

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ALERTS",
   "workspaceAlertsSettings": {
     "authentication": {
       "tokenEndpoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

WORKSPACE_PRIVILEGES

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_PRIVILEGES",
   "workspacePrivilegesSettings": {
     "authentication": {
       "tokenEndpoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

WORKSPACE_MOBILE

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_MOBILE",
   "workspaceMobileSettings": {
     "authentication": {
       "tokenEndpoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

WORKSPACE_CHROMEOS

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_CHROMEOS",
   "workspaceChromeOsSettings": {
     "authentication": {
       "tokenEndPoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

WORKSPACE_GROUPS

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_GROUPS",
   "workspaceGroupsSettings": {
     "authentication": {
       "tokenEndPoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "workspaceCustomerId": "ID"
   }
 }
}

GCP_CLOUDIDENTITY_DEVICES

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICES",
   "googleCloudIdentityDevicesSettings": {
     "authentication": {
       "tokenEndPoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "apiVersion": "v1"
   }
 }
}

GCP_CLOUDIDENTITY_DEVICEUSERS

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICEUSERS",
   "googleCloudIdentityDeviceUsersSettings": {
     "authentication": {
       "tokenEndPoint": "endpoint",
       "claims": {
         "issuer": "tokenissuer_clientid",
         "subject": "subject_email",
         "audience": "audience"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     }
   }
 }
}

CLOUD_PASSAGE

{
 "details": {
   "feedSourceType": "API",
   "logType": "CLOUD_PASSAGE",
   "cloudPassageSettings": {
     "authentication": {
       "user": "user",
       "secret": "secret"
     },
     "event_types": [
       "fim_target_integrity_changed",
       "lids_rule_failed",
       "sca_rule_failed"
     ]
   }
 }
}