Chronicle API Feeds

Overview

Another method of ingesting your security data into Chronicle is to use a Chronicle API feed to poll external data feeds. Google supports API feeds for the types of log data listed in the Chronicle API Feed Types table below.

Before you begin

To set up a Chronicle API feed, you'll need to provide your Chronicle representative with the following prerequisite information:

OAuth 2.0:

  • clientId
  • clientSecret
  • tenantId

Username and Password:

  • Username
  • Password

Token HTTP header:

  • Customer's API token

SSL Client certificate:

  • Encoded private key
  • SSL certificate

Chronicle API Feed Types

| Data Type | Log Type | Authentication | Additional Information | Permissions |
| --- | --- | --- | --- | --- |
| Anomali ThreatStream | ANOMALI_IOC | Username and Password | N/A | None |
| Azure MDM Intune Audit Events | AZURE_MDM_INTUNE | OAuth 2.0 | N/A | DeviceManagementApps.Read.All |
| Azure AD Sign-Ins | AZURE_AD | OAuth 2.0 | N/A | AuditLog.Read.All, Directory.Read.All |
| Azure AD Context | AZURE_AD_CONTEXT | OAuth 2.0 | retrieve_devices (optional) | Directory.Read.All |
| Duo Auth | DUO_AUTH | Username and Password | N/A | |
| Duo User | DUO_USER_CONTEXT | Username and Password | N/A | |
| Fox-IT STIX | FOX_IT_STIX | Username, Password, and SSL Client certificate | taxii_config | None |
| ImpervaWAF | IMPERVA_WAF | HTTP Headers | initial_start_time (optional) | None |
| Microsoft 365 Management | OFFICE_365 | OAuth 2.0 | Tenant ID (use the one from auth), Content Types | ActivityFeed.Read, ActivityFeed.ReadDlp (if wanting DLP data) |
| Microsoft Graph Alerts | MICROSOFT_GRAPH_ALERT | OAuth 2.0 | Subscription ID (optional) | SecurityEvents.Read.All |
| Microsoft Security Center Alerts | MICROSOFT_SECURITY_CENTER_ALERT | OAuth 2.0 | Subscription ID | Security Reader Role |
| Mimecast Secure Email Gateway | MIMECAST_MAIL | HTTP Header(s) | access_key, app_id, app_key, secret_key | None |
| Netskope | NETSKOPE_ALERT | HTTP Header | Hostname, Feed name (events/alerts), content type, initial_start_time (optional) | None |
| Okta Audit Logs | OKTA | HTTP Header | Hostname, API Token | None |
| Okta User Context | OKTA_USER_CONTEXT | HTTP Header | Hostname, API Token, manager_id_reference_field | |
| Palo Alto Networks Autofocus IOC | PAN_IOC | HTTP Header(s) | feed_id, feed_name | None |
| Palo Alto Networks Cortex XDR | CORTEX_XDR | HTTP Headers | hostname, endpoint, initial_start_time (optional) | Make sure the API key is an advanced key, not a standard key |
| Proofpoint SIEM API | PROOFPOINT_MAIL | Username and Password | N/A | None |
| Proofpoint on Demand | PROOFPOINT_ON_DEMAND | HTTP Header(s) | proofpoint_on_demand_source_details, initial_start_time (optional) | None |
| Rapid7 InsightVM | RAPID7_INSIGHT | HTTP Header | initial_start_time (optional) | None |
| Recorded Future Risklists | RECORDED_FUTURE_IOC | HTTP Header(s) | N/A | None |
| RH-ISAC IOC | RH_ISAC_IOC | Username/Password with OAuth 2.0 | tags, queue_delay, initial_start_time (all optional) | None |
| Salesforce | SALESFORCE | OAuth 2.0 | Hostname, initial_start_time (optional) | None |
| ServiceNow CMDB | SERVICENOW_CMDB | Username/Password | Hostname, Feed name (Table name) | None |
| Thinkst Canary | THINKST_CANARY | HTTP Header | Hostname | None |
| ThreatConnect IOC | THREATCONNECT_IOC | Username/Password | Hostname, Owners, Initial Start Time, Queue Delay, Owner Queue Delay (optional) | None |
| Workspace Users | WORKSPACE_USERS | OAuth 2.0 | workspace_customer_id | admin.directory.user.readonly |
| Workspace Activity | WORKSPACE_ACTIVITY | OAuth 2.0 | workspace_customer_id, workspace_applications | admin.reports.audit.readonly |
| Workspace Alerts | WORKSPACE_ALERTS | OAuth 2.0 | workspace_customer_id | apps.alerts |
| Workspace Privileges | WORKSPACE_PRIVILEGES | OAuth 2.0 | workspace_customer_id | admin.directory.rolemanagement.readonly |
| Workspace Mobile | WORKSPACE_MOBILE | OAuth 2.0 | workspace_customer_id | admin.directory.device.mobile.readonly |
| Workspace Chrome | WORKSPACE_CHROMEOS | OAuth 2.0 | workspace_customer_id | device.chromeos.readonly |
| Workspace Groups | WORKSPACE_GROUPS | OAuth 2.0 | workspace_customer_id | directory.group.readonly |
| Symantec Event Export | SYMANTEC_EVENT_EXPORT | HTTP Header | N/A | None |