Chronicle API Feeds


Another method of ingesting your security data into Chronicle is to use a Chronicle API feed to poll external data feeds. Google supports API feeds for the types of log data listed in the Chronicle API Feed Types table below.

Before you begin

To set up a Chronicle API feed, you'll need to provide your Chronicle representative with the prerequisite information for the feed's authentication method (see the Authentication column in the table below):

OAuth 2.0:

  • clientId
  • clientSecret
  • tenantId

Username and Password:

  • Username
  • Password

Token HTTP header:

  • Customer's API token

SSL Client certificate:

  • Encoded private key
  • SSL certificate

Chronicle API Feed Types

| Data Type | Log Type | Authentication | Additional Information | Permissions |
|---|---|---|---|---|
| Anomali ThreatStream | ANOMALI_IOC | Username and Password | N/A | None |
| Azure MDM Intune Audit Events | AZURE_MDM_INTUNE | OAuth 2.0 | Token endpoint for OAuth 2.0: {tenantId}/oauth2/token. | DeviceManagementApps.Read.All |
| Azure AD Sign-Ins | AZURE_AD | OAuth 2.0 | Token endpoint for OAuth 2.0: {tenantId}/oauth2/token. | AuditLog.Read.All, Directory.Read.All |
| Azure AD Context | AZURE_AD_CONTEXT | OAuth 2.0 | retrieve_devices (optional), Token endpoint for OAuth 2.0: {tenantId}/oauth2/token. | Directory.Read.All |
| Azure AD Directory Audit | AZURE_AD_AUDIT | OAuth 2.0 | Tenant ID. | AuditLog.Read.All, Directory.Read.All |
| Cloud Passage | CLOUD_PASSAGE | Username/Password with OAuth 2.0 | N/A | None |
| Duo Auth | DUO_AUTH | Integration Key and Secret Key | N/A | |
| Duo User | DUO_USER_CONTEXT | Integration Key and Secret Key | N/A | |
| Fox-IT STIX | FOX_IT_STIX | Username, Password, and SSL Client certificate | taxii_config | None |
| Imperva WAF | IMPERVA_WAF | HTTP Headers | initial_start_time (optional) | None |
| Microsoft 365 Management | OFFICE_365 | OAuth 2.0 | Token endpoint for OAuth 2.0: {tenantId}/oauth2/token. Tenant ID (use the one from auth), Content Types. | ActivityFeed.Read, ActivityFeed.ReadDlp (if DLP data is wanted) |
| Microsoft Graph Alerts | MICROSOFT_GRAPH_ALERT | OAuth 2.0 | Tenant ID. | SecurityEvents.Read.All |
| Microsoft Security Center Alerts | MICROSOFT_SECURITY_CENTER_ALERT | OAuth 2.0 | Tenant ID. | Security Reader role |
| Mimecast Secure Email Gateway | MIMECAST_MAIL | HTTP Header(s) | access_key, app_id, app_key, secret_key | None |
| Netskope | NETSKOPE_ALERT | HTTP Header | Hostname, Feed name (events/alerts), content type, initial_start_time (optional) | None |
| Okta Audit Logs | OKTA | HTTP Header | Hostname, API Token | None |
| Okta User Context | OKTA_USER_CONTEXT | HTTP Header | Hostname, API Token, manager_id_reference_field | |
| Palo Alto Networks AutoFocus IOC | PAN_IOC | HTTP Header(s) | feed_id, feed_name | None |
| Palo Alto Networks Cortex XDR | CORTEX_XDR | HTTP Headers | hostname, endpoint, initial_start_time (optional) | Make sure the API key is an advanced key, not a standard key |
| Proofpoint SIEM API | PROOFPOINT_MAIL | Username and Password | N/A | None |
| Proofpoint on Demand | PROOFPOINT_ON_DEMAND | HTTP Header(s) | proofpoint_on_demand_source_details, initial_start_time (optional) | None |
| Rapid7 InsightVM | RAPID7_INSIGHT | HTTP Header | initial_start_time (optional) | None |
| Recorded Future Risklists | RECORDED_FUTURE_IOC | HTTP Header(s) | N/A | None |
| RH-ISAC IOC | RH_ISAC_IOC | Username/Password with OAuth 2.0 | tags, queue_delay, initial_start_time (all optional) | None |
| Salesforce | SALESFORCE | OAuth 2.0 | Hostname, initial_start_time (optional) | None |
| ServiceNow CMDB | SERVICENOW_CMDB | Username/Password | Hostname, Feed name (Table name) | None |
| Thinkst Canary | THINKST_CANARY | HTTP Header | Hostname | None |
| ThreatConnect IOC | THREATCONNECT_IOC | Username/Password | Hostname, Owners, Initial Start Time, Queue Delay, Owner Queue Delay (optional) | None |
| Workspace Users | WORKSPACE_USERS | OAuth 2.0 | workspace_customer_id | |
| Workspace Activity | WORKSPACE_ACTIVITY | OAuth 2.0 | workspace_customer_id, workspace_applications | admin.reports.audit.readonly |
| Workspace Alerts | WORKSPACE_ALERTS | OAuth 2.0 | workspace_customer_id | apps.alerts |
| Workspace Privileges | WORKSPACE_PRIVILEGES | OAuth 2.0 | workspace_customer_id | |
| Workspace Mobile | WORKSPACE_MOBILE | OAuth 2.0 | workspace_customer_id | |
| Workspace Chrome | WORKSPACE_CHROMEOS | OAuth 2.0 | workspace_customer_id | device.chromeos.readonly |
| Workspace Groups | WORKSPACE_GROUPS | OAuth 2.0 | workspace_customer_id | |
| Symantec Event Export | SYMANTEC_EVENT_EXPORT | HTTP Header | N/A | None |