Chronicle API Feeds
Overview
Another method of ingesting your security data into Chronicle is to use a Chronicle API feed to poll external data feeds. Google supports API feeds for the types of log data listed in the Chronicle API Feed Types table below.
Before you begin
To set up a Chronicle API feed, you'll need to provide your Chronicle representative with the following prerequisite information:
OAuth 2.0:
- clientId
- clientSecret
- tenantId
Username and Password:
- Username
- Password
Token HTTP header:
- Customer's API token
SSL Client certificate:
- Encoded private key
- SSL certificate
Chronicle API Feed Types
| Data Type | Log Type | Authentication | Additional Information | Permissions |
|---|---|---|---|---|
| Anomali ThreatStream | ANOMALI_IOC | Username and Password | N/A | None |
| Azure MDM Intune Audit Events | AZURE_MDM_INTUNE | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token. | DeviceManagementApps.Read.All |
| Azure AD Sign-Ins | AZURE_AD | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token. | AuditLog.Read.All, Directory.Read.All |
| Azure AD Context | AZURE_AD_CONTEXT | OAuth 2.0 | retrieve_devices (optional), Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token. | Directory.Read.All |
| Azure AD Directory Audit | AZURE_AD_AUDIT | OAuth 2.0 | Tenant ID. | AuditLog.Read.All, Directory.Read.All |
| Cloud Passage | CLOUD_PASSAGE | Username/Password with OAuth 2.0 | N/A | None |
| Duo Auth | DUO_AUTH | Integration Key and Secret Key | N/A | |
| Duo User | DUO_USER_CONTEXT | Integration Key and Secret Key | N/A | |
| Fox-IT STIX | FOX_IT_STIX | Username, Password, and SSL Client certificate | taxii_config | None |
| Imperva WAF | IMPERVA_WAF | HTTP Headers | initial_start_time (optional) | None |
| Microsoft 365 Management | OFFICE_365 | OAuth 2.0 | Token endpoint for OAuth 2.0: https://login.microsoftonline.com/{tenantId}/oauth2/token. Tenant ID (use the one from auth), Content Types. | ActivityFeed.Read, ActivityFeed.ReadDlp (if DLP data is wanted) |
| Microsoft Graph Alerts | MICROSOFT_GRAPH_ALERT | OAuth 2.0 | Tenant ID. | SecurityEvents.Read.All |
| Microsoft Security Center Alerts | MICROSOFT_SECURITY_CENTER_ALERT | OAuth 2.0 | Tenant ID. | Security Reader Role |
| Mimecast Secure Email Gateway | MIMECAST_MAIL | HTTP Header(s) | access_key, app_id, app_key, secret_key | None |
| Netskope | NETSKOPE_ALERT | HTTP Header | Hostname, Feed name (events/alerts), content type, initial_start_time (optional) | None |
| Okta Audit Logs | OKTA | HTTP Header | Hostname, API Token | None |
| Okta User Context | OKTA_USER_CONTEXT | HTTP Header | Hostname, API Token | manager_id_reference_field |
| Palo Alto Networks AutoFocus IOC | PAN_IOC | HTTP Header(s) | feed_id, feed_name | None |
| Palo Alto Networks Cortex XDR | CORTEX_XDR | HTTP Headers | hostname, endpoint, initial_start_time (optional) | Make sure the API key is an advanced key, not a standard key |
| Proofpoint SIEM API | PROOFPOINT_MAIL | Username and Password | N/A | None |
| Proofpoint on Demand | PROOFPOINT_ON_DEMAND | HTTP Header(s) | proofpoint_on_demand_source_details, initial_start_time (optional) | None |
| Rapid7 InsightVM | RAPID7_INSIGHT | HTTP Header | initial_start_time (optional) | None |
| Recorded Future Risklists | RECORDED_FUTURE_IOC | HTTP Header(s) | N/A | None |
| RH-ISAC IOC | RH_ISAC_IOC | Username/Password with OAuth 2.0 | tags, queue_delay, initial_start_time (all optional) | None |
| Salesforce | SALESFORCE | OAuth 2.0 | Hostname, initial_start_time (optional) | None |
| ServiceNow CMDB | SERVICENOW_CMDB | Username/Password | Hostname, Feed name (Table name) | None |
| Thinkst Canary | THINKST_CANARY | HTTP Header | Hostname | None |
| ThreatConnect IOC | THREATCONNECT_IOC | Username/Password | Hostname, Owners, Initial Start Time, Queue Delay, Owner Queue Delay (Optional) | None |
| Workspace Users | WORKSPACE_USERS | OAuth 2.0 | workspace_customer_id | admin.directory.user.readonly |
| Workspace Activity | WORKSPACE_ACTIVITY | OAuth 2.0 | workspace_customer_id, workspace_applications | admin.reports.audit.readonly |
| Workspace Alerts | WORKSPACE_ALERTS | OAuth 2.0 | workspace_customer_id | apps.alerts |
| Workspace Privileges | WORKSPACE_PRIVILEGES | OAuth 2.0 | workspace_customer_id | admin.directory.rolemanagement.readonly |
| Workspace Mobile | WORKSPACE_MOBILE | OAuth 2.0 | workspace_customer_id | admin.directory.device.mobile.readonly |
| Workspace Chrome | WORKSPACE_CHROMEOS | OAuth 2.0 | workspace_customer_id | device.chromeos.readonly |
| Workspace Groups | WORKSPACE_GROUPS | OAuth 2.0 | workspace_customer_id | directory.group.readonly |
| Symantec Event Export | SYMANTEC_EVENT_EXPORT | HTTP Header | N/A | None |