Chronicle API Feeds

Overview

Another method of ingesting your security data into Chronicle, is to use a Chronicle API feed to poll external data-feeds. Google supports API feeds for the types of log data listed in the following Chronicle API Feed Types table.

Before you begin

To set up a Chronicle API feed, you'll need to provide your Chronicle representative with the following prerequisite information:

OAuth 2.0:

• clientId
• clientSecret
• tenantId

Username and Password:

• Username
• Password

Token HTTP header:

• Customer's API token

SSL Client certificate:

• Encoded private key
• SSL certificate

Chronicle API Feed Types

Data Type	Log Type	Authentication	Additional Information	Permissions
Anomali ThreatStream	ANOMALI_IOC	Username and Password	N/A	None
Azure MDM Intune Audit Events	AZURE_MDM_INTUNE	OAuth 2.0	N/A	DeviceManagementApps.Read.All
Azure AD Sign-Ins	AZURE_AD	OAuth 2.0	N/A	AuditLog.Read.All, Directory.Read.All
Azure AD Context	AZURE_AD_CONTEXT	OAuth 2.0	retrieve_devices (optional)	Directory.Read.All
Duo Auth	DUO_AUTH	Username and Password	N/A
Duo User	DUO_USER_CONTEXT	Username and Password	N/A
Fox-IT STIX	FOX_IT_STIX	Username, Password, and SSL Client certificate	taxii_config	None
ImpervaWAF	IMPERVA_WAF	HTTP Headers	initial_start_time (optional)	None
Microsoft 365 Management	OFFICE_365	OAuth 2.0	Tenant ID (use the one from auth), Content Types	ActivityFeed.Read, ActivityFeed.ReadDlp (if wanting DLP data)
Microsoft Graph Alerts	MICROSOFT_GRAPH_ALERT	OAuth 2.0	Subscription ID (Optional)	SecurityEvents.Read.All
Microsoft Security Center Alerts	MICROSOFT_SECURITY_CENTER_ALERT	OAuth 2.0	Subscription ID	Security Reader Role
Mimecast Secure Email Gateway	MIMECAST_MAIL	HTTP Header(s)	access_key, app_id, app_key, secret_key	None
Netskope	NETSKOPE_ALERT	HTTP Header	Hostname, Feed name (events/alerts), content type, initial_start_time (optional)	None
Okta Audit Logs	OKTA	HTTP Header	Hostname, API Token	None
Okta User Context	OKTA_USER_CONTEXT	HTTP Header	Hostname, API Token	manager_id_reference_field
Palo Alto Networks Autofocus IOC	PAN_IOC	HTTP Header(s)	feed_id, feed_name	None
Palo Alto Networks Cortex XDR	CORTEX_XDR	HTTP Headers	hostname, endpoint, initial_start_time (optional)	Make sure the API key is an advanced key, not a standard key
Proofpoint SIEM API	PROOFPOINT_MAIL	Username and Password	N/A	None
Proofpoint on Demand	PROOFPOINT_ON_DEMAND	HTTP Header(s)	proofpoint_on_demand_source_details, initial_start_time (optional)	None
Rapid7 InsightVM	RAPID7_INSIGHT	HTTP Header	initial_start_time (optional)	None
Recorded Future Risklists	RECORDED_FUTURE_IOC	HTTP Header(s)	N/A	None
RH-ISAC IOC	RH_ISAC_IOC	Username/Password with OAuth 2.0	tags, queue_delay, initial_start_time (all optional)	None
Salesforce	SALESFORCE	OAUTH 2.0	Hostname, initial_start_time (optional)	None
ServiceNow CMDB	SERVICENOW_CMDB	Username/Password	Hostname, Feed name (Table name)	None
Thinkst Canary	THINKST_CANARY	HTTP Header	Hostname	None
ThreatConnect IOC	THREATCONNECT_IOC	Username/Password	Hostname, Owners, Initial Start Time, Queue Delay, Owner Queue Delay (Optional)	None
Workspace Users	WORKSPACE_USERS	OAUTH 2.0	workspace_customer_id	admin.directory.user.readonly
Workspace Activity	WORKSPACE_ACTIVITY	OAUTH 2.0	workspace_customer_id, workspace_applications	admin.reports.audit.readonly
Workspace Alerts	WORKSPACE_ALERTS	OAUTH 2.0	workspace_customer_id	apps.alerts
Workspace Privileges	WORKSPACE_PRIVILEGES	OAUTH 2.0	workspace_customer_id	admin.directory.rolemanagement.readonly
Workspace Mobile	WORKSPACE_MOBILE	OAUTH 2.0	workspace_customer_id	admin.directory.device.mobile.readonly
Workspace Chrome	WORKSPACE_CHROMEOS	OAUTH 2.0	workspace_customer_id	device.chromeos.readonly
Workspace GROUPS	WORKSPACE_GROUPS	OAUTH 2.0	workspace_customer_id	directory.group.readonly
Symantec Event Export	SYMANTEC_EVENT_EXPORT	HTTP Header	N/A	None