Chronicle API Feeds
Overview
Another method of ingesting your security data into Chronicle, is to use a Chronicle API feed to poll external data-feeds. Google supports API feeds for the types of log data listed in the following Chronicle API Feed Types table.
Before you begin
To set up a Chronicle API feed, you'll need to provide your Chronicle representative with the following prerequisite information:
OAuth 2.0:
- clientId
- clientSecret
- tenantId
Username and Password:
- Username
- Password
Token HTTP header:
- Customer's API token
SSL Client certificate:
- Encoded private key
- SSL certificate
Chronicle API Feed Types
| Data Type | Log Type | Authentication | Additional Information |
|---|---|---|---|
| Anomali ThreatStream | ANOMALI_IOC | Username and Password | Permissions: None |
| Azure MDM Intune Audit Events | AZURE_MDM_INTUNE | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token.
Permissions: DeviceManagementApps.Read.All |
| Azure AD Sign-Ins | AZURE_AD | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token.
Permissions: AuditLog.Read.All, Directory.Read.All |
| Azure AD Context | AZURE_AD_CONTEXT | OAuth 2.0 | retrieve_devices (optional), Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token.
Permissions: Directory.Read.All |
| Azure AD Directory Audit | AZURE_AD_AUDIT | OAuth 2.0 | Tenant ID.
Permissions: AuditLog.Read.All, Directory.Read.All |
| Cloud Passage | CLOUD_PASSAGE | Username/Password with OAuth 2.0 | Permissions: None |
| Duo Auth | DUO_AUTH | Integration Key and Secret Key | |
| Duo User | DUO_USER_CONTEXT | Integration Key and Secret Key | |
| Fox-IT STIX | FOX_IT_STIX | Username, Password, and SSL Client certificate | taxii_config
Permissions: None |
| ImpervaWAF | IMPERVA_WAF | HTTP Headers | initial_start_time (optional)
Permissions: None |
| Microsoft 365 Management | OFFICE_365 | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token. Tenant ID (use the one from auth), Content Types.
ActivityFeed.Read, ActivityFeed.ReadDlp (if wanting DLP data) |
| Microsoft Graph Alerts | MICROSOFT_GRAPH_ALERT | OAuth 2.0 | Tenant ID.
Permissions: SecurityEvents.Read.All |
| Microsoft Security Center Alerts | MICROSOFT_SECURITY_CENTER_ALERT | OAuth 2.0 | Tenant ID.
Permissions: Security Reader Role |
| Mimecast Secure Email Gateway | MIMECAST_MAIL | HTTP Header(s) | access_key, app_id, app_key, secret_key
Permissions: None |
| Netskope | NETSKOPE_ALERT | HTTP Header | Hostname, Feed name (events/alerts), content type, initial_start_time (optional)
Permissions: None |
| Okta Audit Logs | OKTA | HTTP Header | Hostname, API Token,
The following key:value must be passed Authorization:{API Token}.
Permissions: None |
| Okta User Context | OKTA_USER_CONTEXT | HTTP Header | Hostname, API Token
Permissions: manager_id_reference_field |
| Palo Alto Networks Autofocus IOC | PAN_IOC | HTTP Header(s) | feed_id, feed_name
Permissions: None |
| Palo Alto Networks Cortex XDR | CORTEX_XDR | HTTP Headers | hostname, endpoint, initial_start_time (optional)
Permissions: Make sure the API key is an advanced key, not a standard key |
| Proofpoint SIEM API | PROOFPOINT_MAIL | Username and Password | Permissions: None |
| Proofpoint on Demand | PROOFPOINT_ON_DEMAND | HTTP Header(s) | proofpoint_on_demand_source_details, initial_start_time (optional)
Permissions: None |
| Rapid7 InsightVM | RAPID7_INSIGHT | HTTP Header | initial_start_time (optional)
Permissions: None |
| Recorded Future Risklists | RECORDED_FUTURE_IOC | HTTP Header(s) | Permissions: None |
| RH-ISAC IOC | RH_ISAC_IOC | Username/Password with OAuth 2.0 | tags, queue_delay, initial_start_time (all optional)
Permissions: None |
| Salesforce | SALESFORCE | OAUTH 2.0 | Hostname, initial_start_time (optional)
Permissions: None |
| ServiceNow CMDB | SERVICENOW_CMDB | Username/Password | Hostname, Feed name (Table name)
Permissions: None |
| Thinkst Canary | THINKST_CANARY | HTTP Header | Hostname
Permissions: None |
| ThreatConnect IOC | THREATCONNECT_IOC | Username/Password | Hostname, Owners, Initial Start Time, Queue Delay, Owner Queue Delay (Optional)
Permissions: None |
| Workspace Users | WORKSPACE_USERS | OAUTH 2.0 | workspace_customer_id
Permissions: admin.directory.user.readonly |
| Workspace Activity | WORKSPACE_ACTIVITY | OAUTH 2.0 | workspace_customer_id, workspace_applications
Permissions: admin.reports.audit.readonly |
| Workspace Alerts | WORKSPACE_ALERTS | OAUTH 2.0 | workspace_customer_id
Permissions: apps.alerts |
| Workspace Privileges | WORKSPACE_PRIVILEGES | OAUTH 2.0 | workspace_customer_id
Permissions: admin.directory.rolemanagement.readonly |
| Workspace Mobile | WORKSPACE_MOBILE | OAUTH 2.0 | workspace_customer_id
Permissions: admin.directory.device.mobile.readonly |
| Workspace Chrome | WORKSPACE_CHROMEOS | OAUTH 2.0 | workspace_customer_id
Permissions: device.chromeos.readonly |
| Workspace GROUPS | WORKSPACE_GROUPS | OAUTH 2.0 | workspace_customer_id
Permissions: directory.group.readonly |
| Symantec Event Export | SYMANTEC_EVENT_EXPORT | HTTP Header | Permissions: None |