
Feed Management API

This reference guide explains how to use the Chronicle Feed Management API to programmatically create, run, and manage data feeds that send logs to your Chronicle instance. For details about how to use the Chronicle UI to create and manage feeds, see the Feed management user guide.

About data feeds

You can use Chronicle data feeds to ingest log data into your Chronicle instance from the following:

  • Chronicle-supported cloud storage services, such as Google Cloud Storage
  • Third-party data sources with a Chronicle-supported API, such as Microsoft 365
  • Files accessible directly using HTTP(S) requests

Each feed that you create is composed of a data source type and a log type. Google Cloud Storage, third-party APIs, and HTTP-accessible files are examples of source types. For each data source type that Chronicle supports, Chronicle also supports specific log types. For example, for the Google Cloud Storage source type, Chronicle supports the Carbon Black log type and many others. The list of supported log types varies by source type.

When you create a feed, you specify the source type, log type, required permissions, authentication details, and more.

If Chronicle provides a default parser for the log type, then the ingested log data is stored in both Chronicle Unified Data Model (UDM) format and raw log format.

Supported source types and log types

Chronicle supports the following source types:

Feed source type | Description
Third-party API | Ingest data from a third-party API.
Google Cloud Storage | Ingest data from a Google Cloud Storage bucket.
Amazon S3 | Ingest data from an Amazon Simple Storage Service bucket.
Amazon SQS | Ingest data from an Amazon Simple Queue Service queue whose entries point to files stored in S3.
Azure Blobstore | Ingest data from Azure Blob Storage.
HTTP(S) | Ingest data from files accessible by an HTTP(S) request. Do not use this source type to interact with third-party APIs. Use the API feed source type for third-party APIs supported by Chronicle.

There are several ways to view a list of currently supported log types:

  • Chronicle UI. To view the list of supported log types for each source type, go to Settings > Feeds > Add New and use the Source Type and Log Type menus. For details, see Creating and editing feeds.

  • API reference documentation. To view a list of supported log types for third-party API feeds, see Configuration by log type.

  • Feed Schema API. To view log types for any source type, you can also use the Feed Schema API.

Prerequisites

Each data feed has its own set of prerequisites that must be completed prior to setting up the feed in Chronicle. You can find the prerequisites as follows:

  • Prerequisites for each source type are listed in Configuration by source type.

  • Prerequisites for each log type ingested using the API feed source type are listed in Configuration by log type.

  • Prerequisites for all log types ingested using any source type are listed in the Chronicle UI. Go to Settings > Feeds > Add New, select a Source Type and Log Type, and review the required fields. For details, see Creating and editing feeds.

For example, if you set up a data feed from a Google Cloud Storage bucket, you would need to complete the following prerequisites:

You must first grant Chronicle access. You must add the email address 8911409095528497-0-account@partnercontent.gserviceaccount.com to the permissions of the relevant Google Cloud Storage objects. You must also perform the following actions from the Cloud Storage section in the Google Cloud console.

  • To grant read permission to a specific file, you can edit access on that file and grant the above email Reader access. This can only be done if you have not enabled uniform bucket-level access.
  • To grant read permission to multiple files, you must grant access at the bucket level. Specifically, you must add the email address 8911409095528497-0-account@partnercontent.gserviceaccount.com as a principal to your storage bucket and grant it the IAM role of Storage Object Viewer.
  • If you configure the feed to delete source files, you must add the email address as a principal on your bucket and grant it the IAM role of Storage Object Admin.

How to authenticate with the Chronicle API

This Chronicle API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:

  • Using the Google API Client Library for your programming language.

  • Directly interfacing with the OAuth 2.0 system using HTTP.

See the reference documentation for the Google Authentication library in Python.

Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.

Getting API authentication credentials

Your Chronicle representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.

You also must provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.

Use the following scope to initialize your Google API client:

https://www.googleapis.com/auth/chronicle-backstory

Python example

The following Python example demonstrates how to use the OAuth2 credentials and HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample - Google Auth and API Client Library imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run
# $ pip install google-api-python-client
# from your terminal.
from google.oauth2 import service_account
from googleapiclient import _auth

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file.
# ToDo: Replace this with the full path to your OAuth2 credentials.
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using the Google Developer Service Account Credential and the
# Chronicle API scope.
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP client to make authorized OAuth requests.
# Note: _auth is a private module of googleapiclient (leading underscore), so it may
# change between releases; the AuthorizedSession example later on this page uses the
# public google-auth transport instead.
http_client = _auth.authorized_http(credentials)

# <your code continues here>

Chronicle API query limits

The Chronicle API enforces limits on the volume of requests that can be made by any one customer against the Chronicle platform. If you reach or exceed the query limit, the Chronicle API server returns HTTP 429 (RESOURCE_EXHAUSTED) to the caller. When developing applications for the Chronicle API, Chronicle recommends that you enforce rate limits within your system to avoid resource exhaustion. These limits apply to all of the Chronicle APIs, including the Feed Management API.

The Feed Management API enforces the following limits, which are measured in queries per second (QPS):

Chronicle API | API Method | Limit
Feed Management | Create Feed | 1 QPS
Feed Management | Get Feed | 1 QPS
Feed Management | List Feeds | 1 QPS
Feed Management | Update Feed | 1 QPS
Feed Management | Delete Feed | 1 QPS

Python example using OAuth2 credentials and HTTP client

The following Python example demonstrates how to use the OAuth2 credentials and the HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample - Google Auth and API Client Library imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run
# $ pip install google-api-python-client
# from your terminal. AuthorizedSession also needs the requests package installed.

from google.auth.transport import requests
from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file.
# ToDo: Replace this with the full path to your OAuth2 credentials.

SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using the Google Developer Service Account Credential and the
# Chronicle API scope.

credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP session to make authorized OAuth requests.

http_session = requests.AuthorizedSession(credentials)

# <your code continues here>
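As an added example (not code from the Chronicle documentation), the wrapper below combines the AuthorizedSession above with client-side enforcement of the 1 QPS per-method limits and exponential backoff on HTTP 429 described under Chronicle API query limits. It assumes a requests-style session object whose request(method, url, json=...) returns a response with status_code, text and json(), which AuthorizedSession provides; FakeSession is a constructed stand-in so the block runs offline.

```python
import time

FEEDS_URL = "https://backstory.googleapis.com/v1/feeds"  # regional hosts exist too
PER_METHOD_QPS = 1.0  # documented limit for every Feed Management method


class FeedClient:
    """Throttles each API method to PER_METHOD_QPS and retries HTTP 429 with backoff."""

    def __init__(self, session, base_url=FEEDS_URL, max_retries=4,
                 clock=time.monotonic, sleep=time.sleep):
        self.session = session          # e.g. the AuthorizedSession built above
        self.base_url = base_url.rstrip("/")
        self.max_retries = max_retries
        self.clock, self.sleep = clock, sleep  # injectable for offline testing
        self._last_call = {}            # method name -> clock() reading of last request

    def _throttle(self, method_name):
        # Client-side enforcement of the per-method QPS limit, so the server's 429 is rare.
        last = self._last_call.get(method_name)
        if last is not None:
            elapsed = self.clock() - last
            if elapsed < 1.0 / PER_METHOD_QPS:
                self.sleep(1.0 / PER_METHOD_QPS - elapsed)
        self._last_call[method_name] = self.clock()

    def _call(self, method_name, http_method, url, body=None):
        delay = 1.0
        for attempt in range(self.max_retries + 1):
            self._throttle(method_name)
            resp = self.session.request(http_method, url, json=body)
            if resp.status_code == 429:     # RESOURCE_EXHAUSTED: back off exponentially
                if attempt == self.max_retries:
                    raise RuntimeError(f"{method_name}: rate limited after {attempt} retries")
                self.sleep(delay)
                delay *= 2
                continue
            if resp.status_code != 200:     # anything else is a failure; body has details
                raise RuntimeError(f"{method_name}: HTTP {resp.status_code}: {resp.text}")
            return resp.json()

    def create_feed(self, display_name, details):
        body = {"display_name": display_name, "details": details}
        return self._call("CreateFeed", "POST", self.base_url, body)

    def get_feed(self, feed_id):
        return self._call("GetFeed", "GET", f"{self.base_url}/{feed_id}")

    def list_feeds(self):
        return self._call("ListFeeds", "GET", self.base_url)

    def delete_feed(self, feed_id):
        return self._call("DeleteFeed", "DELETE", f"{self.base_url}/{feed_id}")


class _FakeResponse:
    def __init__(self, status_code, payload):
        self.status_code, self._payload, self.text = status_code, payload, str(payload)

    def json(self):
        return self._payload


class FakeSession:
    """Constructed stand-in for AuthorizedSession: 429 a fixed number of times, then 200."""

    def __init__(self, rate_limited_first):
        self.remaining_429, self.calls = rate_limited_first, []

    def request(self, method, url, json=None):
        self.calls.append((method, url, json))
        if self.remaining_429 > 0:
            self.remaining_429 -= 1
            return _FakeResponse(429, {"error": {"status": "RESOURCE_EXHAUSTED"}})
        return _FakeResponse(200, {"name": "feeds/example-id", "feedState": "ACTIVE"})


def run_offline(rate_limited_first=2, max_retries=4):
    """GetFeed, then two ListFeeds, against the fake session with a fake clock.

    Returns (get_result, list of (method, url, body) calls, list of sleep durations).
    """
    sleeps, fake_time = [], [0.0]

    def sleep(seconds):               # advances the fake clock instead of blocking
        sleeps.append(seconds)
        fake_time[0] += seconds

    session = FakeSession(rate_limited_first)
    client = FeedClient(session, max_retries=max_retries,
                        clock=lambda: fake_time[0], sleep=sleep)
    result = client.get_feed("example-id")
    client.list_feeds()
    client.list_feeds()               # second call in the same instant: throttled 1 s
    return result, session.calls, sleeps


if __name__ == "__main__":
    print(run_offline())
```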

Regional endpoints

Chronicle provides regional endpoints for each API. For example:

https://backstory.googleapis.com/v1/feeds
https://europe-backstory.googleapis.com/v1/feeds
https://europe-west2-backstory.googleapis.com/v1/feeds
https://asia-southeast1-backstory.googleapis.com/v1/feeds

Feed Schema API reference

The Feed Schema API returns information that is useful for constructing valid Feed Management API requests. For example, you can get the data structure representing the entire feed schema. This structure defines the specific fields to specify for each valid combination of feed source type and log type. Alternatively, you can get a list of all log types compatible with a particular feed source type.

Specifically, the feed schema contains:

  • Information about each valid feed source type:
    • A human-readable name
    • A human-readable description
    • Whether feeds with a given feed source type can be modified using the API, or are read-only
  • Information about each log type:
    • A human-readable name
    • Whether feeds with a given log type can be modified using the API, or are read-only
  • Which log types are compatible with which feed source types
  • Information about the specific fields to specify for each valid combination of log type and feed source type:
    • A human-readable field name and description
    • Compatibility with other fields
    • Semantic type (e.g. URI, "secret", etc)
    • Whether the field is required
    • What a valid value for the field looks like

The schema can be accessed using a few different methods.

GetFeedSchema

This method returns a structure representing the entire feed schema. The schema consists of a list of "feed source type schemas", each of which describes a supported feed source type. Each feed source type's schema contains a list of "log type schemas" that correspond to the set of log types compatible with that feed source type and describe each log type. Each log type schema contains a list of "details field schemas" that describe the fields you would set when issuing a Create Feed request, for instance, or expect to see in a ListFeed or GetFeed response. The field schemas are unique to the particular combination of log type and feed source type.

Request

GET https://backstory.googleapis.com/v1/feedSchema

Response

{
  "feedSourceTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3",
      "displayName": "Amazon S3",
      "description": "Amazon Simple Storage Service, a service offered by Amazon Web Services that provides object storage through a web service interface",
      "feedSourceType": "AMAZON_S3",
      "logTypeSchemas": [{
          "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
          "displayName": "AWS Cloudtrail",
          "logType": "AWS_CLOUDTRAIL",
          "detailsFieldSchemas": [{
              "fieldPath": "details.amazon_s3_settings.authentication.access_key_id",
              "displayName": "Access key ID",
              "description": "An account access key that is a 20-character alphanumeric string, for example AKIAIOSFODNN7EXAMPLE",
              "type": "STRING",
              "exampleInput": "AKIAIOSFODNN7EXAMPLE",
            },
            ...
            {
              "fieldPath": "details.amazon_s3_settings.s3_uri",
              "displayName": "S3 URI",
              "description": "The S3 bucket source URI",
              "type": "STRING_URI",
              "isRequired": true,
              "exampleInput": "s3://cs-prod-cannon-00afe0c847a8/data/",
            }],
        },
        ...
        {
          "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/ABNORMAL_SECURITY",
          "displayName": "Abnormal Security",
          "logType": "ABNORMAL_SECURITY",
          ...
        }],
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_SQS",
      "displayName": "Amazon SQS",
      "description": "Amazon Simple Queue Service, a service offered by Amazon Web Services that provides fully managed message queuing service to transfer messages asynchronously",
      "feedSourceType": "AMAZON_SQS",
      ...
    }],
}

ListFeedSourceTypeSchemas

This method returns information about all feed source types.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas
Sample Response
{
  "feedSourceTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3",
      "displayName": "Amazon S3",
      "description": "Amazon Simple Storage Service, a service offered by Amazon Web Services that provides object storage through a web service interface",
      "feedSourceType": "AMAZON_S3",
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_SQS",
      "displayName": "Amazon SQS",
      "description": "Amazon Simple Queue Service, a service offered by Amazon Web Services that provides fully managed message queuing service to transfer messages asynchronously",
      "feedSourceType": "AMAZON_SQS",
    }],
}

ListLogTypeSchemas

This method returns information about all log types compatible with a particular feed source type.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas/{feed source type}/logTypeSchemas
Sample Request
https://backstory.googleapis.com/v1/feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas
Sample Response
{
  "logTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
      "displayName": "AWS Cloudtrail",
      "logType": "AWS_CLOUDTRAIL",
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/ABNORMAL_SECURITY",
      "displayName": "Abnormal Security",
      "logType": "ABNORMAL_SECURITY",
      ...
    }],
}

GetLogTypeSchema

This method returns detailed information about all the fields necessary to configure a feed for a particular source type and log type.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas/{feed source type}/logTypeSchemas/{log type}
Sample Request
https://backstory.googleapis.com/v1/feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL
Sample Response
{
  "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
  "displayName": "AWS Cloudtrail",
  "logType": "AWS_CLOUDTRAIL",
  "detailsFieldSchemas": [{
      "fieldPath": "details.amazon_s3_settings.authentication.access_key_id",
      "displayName": "Access key ID",
      "description": "An account access key that is a 20-character alphanumeric string, for example AKIAIOSFODNN7EXAMPLE",
      "type": "STRING",
      "exampleInput": "AKIAIOSFODNN7EXAMPLE",
    },
    ...
    {
      "fieldPath": "details.amazon_s3_settings.s3_uri",
      "displayName": "S3 URI",
      "description": "The S3 bucket source URI",
      "type": "STRING_URI",
      "isRequired": true,
      "exampleInput": "s3://cs-prod-cannon-01abc2d345e6/data/",
    }],
}

Feed Management API reference

This section describes the endpoints for creating, enabling, and managing feeds.

When creating or editing a feed, you need to specify the feedSourceType and logType in the request body. For details about these fields, see Configuration by source type and Configuration by log type.

Create Feed

Creates a third-party data feed in your Chronicle instance.

Request

POST https://backstory.googleapis.com/v1/feeds
Request body

This example shows how to collect authentication logs from Duo Security.

{
  "display_name": "some feed name",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    },
    "namespace": "my-asset-namespace",
    "labels": [{
      "key": "my-ingestion-label-key",
      "value": "my-ingestion-label-value"
    }]
  }
}

Sample request
https://backstory.googleapis.com/v1/feeds
{
  "display_name": "some feed name",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    }
  }
}
Sample successful response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

If the response is unsuccessful, it returns an HTTP status code other than 200 (OK). Be sure to check the body of the response for details of the failure.

Asset namespace

To assign an asset namespace to all events that are ingested from a particular feed, set the "namespace" field within details. The namespace field is a string.

Ingestion label

Ingestion labels are part of Unified Data Model metadata. They are repeated key and value pairs. To assign ingestion labels to all events that are ingested from a particular feed, set the labels field within details. The labels field is an array of JSON objects with key and value fields.

Delete Feed

Deletes a feed that was configured using the Chronicle Feed Management API.

Request

DELETE  https://backstory.googleapis.com/v1/feeds/{feedID}
Sample request
DELETE https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567
Sample response

If the operation is successful, Delete Feed returns an empty response with an HTTP status code 200 (OK).

{}

Enable Feed

Enables an INACTIVE feed, which allows it to be executed.

Request
POST https://backstory.googleapis.com/v1/feeds/{feedID}:enable
Sample request
POST https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567:enable
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

Disable Feed

Disables a feed. A disabled feed has a status of INACTIVE. Disabled feeds will no longer fetch data.

Request
POST https://backstory.googleapis.com/v1/feeds/{feedID}:disable
Sample request
POST https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567:disable
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "INACTIVE"
}

Get Feed

Gets the details of the feed that was configured.

Request

GET https://backstory.googleapis.com/v1/feeds/{feedID}
Sample request
https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

List Feeds

Retrieves all the feeds configured for a given Chronicle instance.

Request
GET https://backstory.googleapis.com/v1/feeds
Sample request
https://backstory.googleapis.com/v1/feeds
Sample response
{
 "feeds": [
   {
     "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
     "details": {
       "logType": "AZURE_AD_CONTEXT",
       "feedSourceType": "API",
       "azureAdContextSettings": {}
     },
     "feedState": "ACTIVE"
   },
   {
     "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
     "display_name": "some feed name",
     "details": {
       "logType": "PAN_PRISMA_CLOUD",
       "feedSourceType": "API",
       "panPrismaCloudSettings": {
         "hostname": "api2.prismacloud.io"
       }
     },
     "feedState": "ACTIVE"
   }
 ]
}

Read-only feeds

Some feeds returned from a List Feeds request may have the field readOnly set to true. Read-only feeds cannot be created, updated, or deleted.

Feeds are read-only for a few reasons. For example:

  • Some feed source types are not fully supported by Feed Management at the moment, and were created before the release of Feed Management.
  • Some specialized log types are not available to every Chronicle user. If a feed exists with one of these types, it is considered read-only.

Update Feed

Updates the given feed with new details.

Request
PATCH https://backstory.googleapis.com/v1/feeds/{feedID}
Request body

The following example shows how to update a Duo Auth feed.

Sample request
{
  "display_name": "my feed",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    }
  }
}
Sample response
{
 "display_name": "my feed",
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

Response message fields

This section describes the following fields that are returned in response messages:

  • feedState
  • failureMsg

Feed state

The feedState field can be found in the response message of most operations. feedState gives some insight into the current state of a feed.

feedState | Description
"ACTIVE" | Feed successfully created and will begin fetching data.
"INACTIVE" | Feed has been disabled.
"IN_PROGRESS" | Feed is currently attempting to fetch data. A feed will only have this status if it has not previously failed.
"COMPLETED" | Feed has recently fetched data successfully.
"FAILED" | Feed has failed and has not successfully fetched data since it failed. Misconfiguration is the typical cause of feed failure. See the failureMsg field for more information.

Failure message

The failureMsg field can be found in the response message of most operations, but only for those feeds whose feedState is FAILED. It provides more information regarding the nature of the failure, such as the response code returned from the relevant third party. Please refer to the documentation below for your particular feed type to understand how to correctly configure the feed.

Configuration by source type

This section provides information about configuring feed source types. A feed source type defines where data is located and how it's accessed. Valid values for feedSourceType are as follows:

feedSourceType | Description
API | Ingest data from a third-party API.
GOOGLE_CLOUD_STORAGE | Ingest data from a Google Cloud Storage bucket.
AMAZON_S3 | Ingest data from an Amazon Simple Storage Service bucket.
AMAZON_SQS | Ingest data from an Amazon Simple Queue Service queue whose entries point to files stored in S3.
AZURE_BLOBSTORE | Ingest data from Azure Blob Storage.
HTTP | Ingest data from files accessible by an HTTP(S) request. Note that this *should not* be used to interact with third-party APIs. Use the API feed source type for third-party APIs supported by Chronicle.

API

Use the API feed source type to ingest data from a third-party API. The configuration settings for the API feed source type are specific to the log type that you specify for the feed.

For example, when you use the Feeds API endpoints to configure settings for an API feed data source, you specify API as the value for the details.feedSourceType field. You also specify a supported log type as the value for the details.logType field. The log type determines the additional feed configuration settings that you can specify. Details about these settings are provided in the section for that specific log type in Configuration by log type.

GOOGLE_CLOUD_STORAGE

Data source | Ingest schedule | details.feedSourceType | details.logType
Google Cloud Storage Bucket | Every 15 minutes | GOOGLE_CLOUD_STORAGE | See the Feed Schema API reference to get compatible log types.

Prerequisites

Before setting up a Google Cloud Storage feed, you must grant Chronicle access. You must add the email address 8911409095528497-0-account@partnercontent.gserviceaccount.com to the permissions of the relevant Google Cloud Storage object(s). Perform the following actions from the Cloud Storage section in the Google Cloud console (console.cloud.google.com):

  • To grant read permission to a specific file, you can edit access on that file and grant the above email Reader access. This can only be done if you have not enabled uniform bucket-level access.
  • To grant read permission to multiple files you must grant access at the bucket level. Specifically, you must add the above email as a principal to your storage bucket and grant it the IAM role of Storage Object Viewer.
  • If you configure the feed to delete source files (see below for how to do this), you must add the above email as a principal on your bucket and grant it the IAM role of Storage Object Admin.

Type-specific request fields

Field | Required | Description
details.gcsSettings.bucketUri | Yes | The URI which corresponds to the Google Cloud Storage bucket. The format is the same format used by gsutil to specify a resource.
details.gcsSettings.sourceType | Yes | The type of object indicated by bucketUri. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.
details.gcsSettings.sourceDeletionOption | Yes | Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "GOOGLE_CLOUD_STORAGE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "gcsSettings": {
     "bucketUri": "gs://bucket/file",
     "sourceType": "FOLDERS_RECURSIVE",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

AMAZON_S3

Data source | Ingest schedule | details.feedSourceType | details.logType
Amazon Simple Storage Service Bucket | Every 15 minutes | AMAZON_S3 | See the Feed Schema API reference to get compatible log types.

Prerequisites

  1. Create an S3 bucket.
  2. Create a security key for programmatic access.

Type-specific request fields

Field | Required | Description
details.amazonS3Settings.s3Uri | Yes | The S3 URI to ingest.
details.amazonS3Settings.sourceType | Yes | The type of file indicated by the URI. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.
details.amazonS3Settings.sourceDeletionOption | Yes | Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.
details.amazonS3Settings.authentication.region | Yes | The region where the S3 bucket resides. For a list of regions, see Amazon S3 regions.
details.amazonS3Settings.authentication.accessKeyId | Yes | This is the 20-character ID associated with your Amazon IAM account.
details.amazonS3Settings.authentication.secretAccessKey | Yes | This is the 40-character access key associated with your Amazon IAM account.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AMAZON_S3",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonS3Settings": {
     "s3Uri": "s3://uri/to/file",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER",
     "authentication": {
       "region": "US_EAST_1",
       "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
       "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
     }
   }
 }
}
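As an added example (not the page's or Chronicle's own code), the following Python validates a Create Feed request body against a GetLogTypeSchema response, tying the Feed Schema API reference earlier on this page to the AMAZON_S3 request fields above. It assumes that a snake_case fieldPath such as details.amazon_s3_settings.s3_uri names the lowerCamelCase key details.amazonS3Settings.s3Uri used in request bodies; the schema below is constructed from the page's samples, with the types of fields the sample elides assumed to be STRING.

```python
import re

# Constructed from this page's GetLogTypeSchema sample (AMAZON_S3 / AWS_CLOUDTRAIL) and the
# AMAZON_S3 "Type-specific request fields" table. Types the sample elides are assumed STRING.
SAMPLE_SCHEMA = {
    "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
    "logType": "AWS_CLOUDTRAIL",
    "detailsFieldSchemas": [
        {"fieldPath": "details.amazon_s3_settings.s3_uri", "type": "STRING_URI", "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.source_type", "type": "STRING", "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.source_deletion_option", "type": "STRING", "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.authentication.region", "type": "STRING", "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.authentication.access_key_id", "type": "STRING", "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.authentication.secret_access_key", "type": "STRING", "isRequired": True},
    ],
}

# The AMAZON_S3 sample Create Feed request body from this page (AWS example credentials).
SAMPLE_REQUEST = {
    "details": {
        "feedSourceType": "AMAZON_S3",
        "logType": "AWS_CLOUDTRAIL",
        "amazonS3Settings": {
            "s3Uri": "s3://uri/to/file",
            "sourceType": "FILES",
            "sourceDeletionOption": "SOURCE_DELETION_NEVER",
            "authentication": {
                "region": "US_EAST_1",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            },
        },
    }
}

# Constructed bad body: wrong source type, s3Uri missing, accessKeyId not a string.
BAD_REQUEST = {
    "details": {
        "feedSourceType": "GOOGLE_CLOUD_STORAGE",
        "logType": "AWS_CLOUDTRAIL",
        "amazonS3Settings": {
            "sourceType": "FILES",
            "sourceDeletionOption": "SOURCE_DELETION_NEVER",
            "authentication": {"region": "US_EAST_1", "accessKeyId": 12345,
                               "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
        },
    }
}

URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$")   # scheme://rest, e.g. s3://bucket/prefix


def snake_to_camel(name):
    """amazon_s3_settings -> amazonS3Settings (the JSON key style used in request bodies)."""
    return re.sub(r"_([a-z0-9])", lambda m: m.group(1).upper(), name)


def lookup(body, field_path):
    """Follow a schema fieldPath into a request body, accepting either key style.

    Returns (found, value) so a field that is present but empty is still 'found'.
    """
    node = body
    for part in field_path.split("."):
        if not isinstance(node, dict):
            return False, None
        key = part if part in node else snake_to_camel(part)
        if key not in node:
            return False, None
        node = node[key]
    return True, node


def validate_request(body, schema):
    """Return a list of problems; an empty list means the body matches the schema."""
    problems = []
    details = body.get("details", {})
    # Schema name is feedSourceTypeSchemas/<SOURCE>/logTypeSchemas/<LOG>.
    source_type = schema["name"].split("/")[1]
    if details.get("feedSourceType") != source_type:
        problems.append(f"details.feedSourceType is {details.get('feedSourceType')!r}, "
                        f"schema is for {source_type!r}")
    if details.get("logType") != schema["logType"]:
        problems.append(f"details.logType is {details.get('logType')!r}, "
                        f"schema is for {schema['logType']!r}")
    for field in schema["detailsFieldSchemas"]:
        path = field["fieldPath"]
        found, value = lookup(body, path)
        if not found:
            if field.get("isRequired"):
                problems.append(f"missing required field {path}")
            continue
        # Both types on this page (STRING, STRING_URI) carry string values.
        if not isinstance(value, str):
            problems.append(f"{path} must be a string, got {type(value).__name__}")
        elif field["type"] == "STRING_URI" and not URI_RE.match(value):
            problems.append(f"{path} is not a URI: {value!r}")
    return problems


if __name__ == "__main__":
    print(validate_request(SAMPLE_REQUEST, SAMPLE_SCHEMA))   # []
    print(validate_request(BAD_REQUEST, SAMPLE_SCHEMA))      # three problems
```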

Amazon S3 regions

AWS Region | AWS Region code | authentication.region
Asia Pacific (Mumbai) | ap-south-1 | AP_SOUTH_1
Asia Pacific (Seoul) | ap-northeast-2 | AP_NORTHEAST_2
Asia Pacific (Singapore) | ap-southeast-1 | AP_SOUTHEAST_1
Asia Pacific (Sydney) | ap-southeast-2 | AP_SOUTHEAST_2
Asia Pacific (Tokyo) | ap-northeast-1 | AP_NORTHEAST_1
AWS GovCloud (US-East) | us-gov-east-1 | US_GOV_EAST_1
AWS GovCloud (US-West) | us-gov-west-1 | US_GOV_CLOUD
Canada (Central) | ca-central-1 | CA_CENTRAL_1
China (Beijing) | cn-north-1 | CN_NORTH_1
China (Ningxia) | cn-northwest-1 | CN_NORTHWEST_1
Europe (Frankfurt) | eu-central-1 | EU_CENTRAL_1
Europe (Ireland) | eu-west-1 | EU_WEST_1
Europe (London) | eu-west-2 | EU_WEST_2
Europe (Paris) | eu-west-3 | EU_WEST_3
Europe (Stockholm) | eu-north-1 | EU_NORTH_1
South America (São Paulo) | sa-east-1 | SA_EAST_1
US East (N. Virginia) | us-east-1 | US_EAST_1
US East (Ohio) | us-east-2 | US_EAST_2
US West (N. California) | us-west-1 | US_WEST_1
US West (Oregon) | us-west-2 | US_WEST_2

AMAZON_SQS

Data source | details.feedSourceType | details.logType
Amazon Simple Storage Service Bucket that sends notifications to an Amazon Simple Queue Service queue | AMAZON_SQS | See the Feed Schema API reference to get compatible log types.

Amazon supports SQS queues that contain notifications from a monitored S3 bucket. Chronicle reads these notifications off the SQS queue and pulls the corresponding files out of the S3 bucket. This is effectively a "push-based" version of an Amazon S3 feed and can be used for better throughput.

Prerequisites

  1. Create an S3 bucket.
  2. Create an SQS queue.
    • The queue must be a Standard queue, not a FIFO queue.
  3. Set up notifications on your S3 bucket to write to your SQS queue.
    • Be sure to attach an access policy.
  4. Create an access key which will be used to access both the SQS queue and the S3 bucket.

Type-specific request fields

Field | Required | Description
details.amazonSqsSettings.queue | Yes | The SQS queue name.
details.amazonSqsSettings.region | Yes | The region where the SQS queue and S3 bucket reside. For a list of regions, see Amazon S3 regions.
details.amazonSqsSettings.accountNumber | Yes | The account number for the SQS queue and S3 bucket.
details.amazonSqsSettings.sourceDeletionOption | Yes | Whether to delete the source files in the S3 bucket after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.
details.amazonSqsSettings.authentication.sqsAccessKeySecretAuth.accessKeyId | Yes | This is the 20-character ID associated with your Amazon IAM account.
details.amazonSqsSettings.authentication.sqsAccessKeySecretAuth.secretAccessKey | Yes | This is the 40-character access key associated with your Amazon IAM account.
details.amazonSqsSettings.authentication.additionalS3AccessKeySecretAuth.accessKeyId | No | This is the 20-character ID associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.
details.amazonSqsSettings.authentication.additionalS3AccessKeySecretAuth.secretAccessKey | No | This is the 40-character access key associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AMAZON_SQS",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonSqsSettings": {
     "queue": "cs-prod-canon-queue-01234abc56de789f",
     "region": "US_EAST_1",
     "accountNumber": "123456789012",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER",
     "authentication": {
       "sqsAccessKeySecretAuth": {
         "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
       }
     }
   }
 }
}

AZURE_BLOBSTORE

Data source Ingest schedule details.feedSourceType details.logType
Microsoft Azure Blob Storage Container Every 15 minutes AZURE_BLOBSTORE See the Feed Schema API reference to get compatible log types.

Prerequisites

You will need either:

Type-specific request fields

Field Required Description
details.azureBlobStoreSettings.azureUri Yes The URI pointing to an Azure Blob Storage blob or container.
details.azureBlobStoreSettings.sourceType Yes The type of object indicated by the URI. Valid values are:
  • FILES: The URI points to a single blob that will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a Blob Storage container.
details.azureBlobStoreSettings.sourceDeletionOption Yes Source file deletion is not supported in Azure. This field's value must be set to SOURCE_DELETION_NEVER.
details.azureBlobStoreSettings.authentication.sharedKey No A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying a SAS token.
details.azureBlobStoreSettings.authentication.sasToken No A Shared Access Signature authorized to access the Azure Blob Storage container.

Azure URI source types

When specifying an Azure URI, you must also indicate the type of object the URI points to.

details.sourceType Source type
FILES The URI points to a single blob that will be ingested with each execution of the feed.
FOLDERS The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
FOLDERS_RECURSIVE The URI points to a Blob Storage container.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AZURE_BLOBSTORE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "azureBlobStoreSettings": {
     "azureUri": "https://myaccount.blob.core.windows.net/logging",
     "sourceType": "FOLDERS_RECURSIVE",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER",
     "authentication": {
       "sharedKey": "Ab12CyDEFG3HI45JklMnopQrs00TU6xVw7xYZ8AbcdeFgHioJkL0MnoPqRsTUvWxYZaBCdEFg9hijKlm0N12pqR=="
     }
   }
 }
}

HTTP

Data source Ingest schedule details.feedSourceType details.logType
Files available over the open internet via an HTTP request. Every 15 minutes HTTP See the Feed Schema API reference to get compatible log types.

WARNING: The HTTP type should not be used to gather data from an API. Please refer to the supported API feed types below.

Type-specific request fields

Field Required Description
details.httpSettings.uri Yes The URI pointing to a file or collection of files.
details.httpSettings.sourceType Yes The type of file indicated by the URI. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.
details.httpSettings.sourceDeletionOption Yes Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "HTTP",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "httpSettings": {
     "uri": "https://url.com/myfile",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}
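The three storage-style request bodies above (AMAZON_SQS, AZURE_BLOBSTORE and HTTP) share a handful of rules that are easy to get wrong when a body is assembled by hand: the sourceDeletionOption and sourceType enums, the fixed 20-character and 40-character AWS key lengths, Azure's choice of exactly one credential and its mandatory SOURCE_DELETION_NEVER. The following Python is an added example, not code from the Chronicle documentation or any Google SDK. It builds and validates each body before it is sent, and produces a redacted copy for logging, since the body carries the feed's long-lived credentials. The function names are my own; the 12-digit account-number check is an assumption about the AWS account ID format rather than a rule the reference states, and all sample values are constructed placeholders.

```python
"""Build and validate Chronicle Create Feed request bodies for the
AMAZON_SQS, AZURE_BLOBSTORE and HTTP source types.

Added example, not part of the Chronicle documentation or any Google SDK.
Field names and enum values come from the reference tables above; the
12-digit AWS account ID check is an assumption about the AWS account ID
format, not a rule the reference states. Sample values are placeholders.
"""
import copy
from urllib.parse import urlparse

DELETION_OPTIONS = {"SOURCE_DELETION_NEVER", "SOURCE_DELETION_ON_SUCCESS",
                    "SOURCE_DELETION_ON_SUCCESS_FILES_ONLY"}
SOURCE_TYPES = {"FILES", "FOLDERS", "FOLDERS_RECURSIVE"}


def _require(cond, msg):
    """Fail locally with a precise message instead of sending a bad request."""
    if not cond:
        raise ValueError(msg)


def _aws_key_pair(access_key_id, secret_access_key):
    # The reference specifies a 20-character key ID and a 40-character secret.
    _require(len(access_key_id) == 20, "accessKeyId must be 20 characters")
    _require(len(secret_access_key) == 40, "secretAccessKey must be 40 characters")
    return {"accessKeyId": access_key_id, "secretAccessKey": secret_access_key}


def sqs_feed(log_type, queue, region, account_number, access_key_id,
             secret_access_key, deletion="SOURCE_DELETION_NEVER", s3_key_pair=None):
    """AMAZON_SQS body. s3_key_pair is an optional (id, secret) tuple used only
    when the S3 bucket needs a different key than the queue."""
    _require(account_number.isdigit() and len(account_number) == 12,
             "accountNumber must be the 12-digit AWS account ID (assumed format)")
    _require(deletion in DELETION_OPTIONS, f"invalid sourceDeletionOption: {deletion}")
    auth = {"sqsAccessKeySecretAuth": _aws_key_pair(access_key_id, secret_access_key)}
    if s3_key_pair is not None:
        auth["additionalS3AccessKeySecretAuth"] = _aws_key_pair(*s3_key_pair)
    return {"details": {"feedSourceType": "AMAZON_SQS", "logType": log_type,
                        "amazonSqsSettings": {"queue": queue, "region": region,
                                              "accountNumber": account_number,
                                              "sourceDeletionOption": deletion,
                                              "authentication": auth}}}


def azure_feed(log_type, azure_uri, source_type, shared_key=None, sas_token=None):
    """AZURE_BLOBSTORE body. Exactly one credential is accepted, and deletion is
    pinned to SOURCE_DELETION_NEVER because Azure source deletion is unsupported."""
    _require(source_type in SOURCE_TYPES, f"invalid sourceType: {source_type}")
    _require((shared_key is None) != (sas_token is None),
             "specify exactly one of sharedKey or sasToken")
    auth = {"sharedKey": shared_key} if shared_key is not None else {"sasToken": sas_token}
    return {"details": {"feedSourceType": "AZURE_BLOBSTORE", "logType": log_type,
                        "azureBlobStoreSettings": {"azureUri": azure_uri,
                                                   "sourceType": source_type,
                                                   "sourceDeletionOption": "SOURCE_DELETION_NEVER",
                                                   "authentication": auth}}}


def http_feed(log_type, uri, source_type, deletion="SOURCE_DELETION_NEVER"):
    """HTTP body: files fetched over HTTP(S), never a third-party API."""
    parsed = urlparse(uri)
    _require(parsed.scheme in ("http", "https") and bool(parsed.netloc),
             "uri must be an absolute http(s) URL")
    _require(source_type in SOURCE_TYPES, f"invalid sourceType: {source_type}")
    _require(deletion in DELETION_OPTIONS, f"invalid sourceDeletionOption: {deletion}")
    return {"details": {"feedSourceType": "HTTP", "logType": log_type,
                        "httpSettings": {"uri": uri, "sourceType": source_type,
                                         "sourceDeletionOption": deletion}}}


def redacted(body):
    """Deep copy with every string under an 'authentication' object masked,
    so a request body can be logged or attached to a ticket safely."""
    out = copy.deepcopy(body)

    def scrub(node, in_auth):
        for k, v in node.items():
            if isinstance(v, dict):
                scrub(v, in_auth or k == "authentication")
            elif in_auth and isinstance(v, str):
                node[k] = "<redacted>"

    scrub(out, False)
    return out
```

Each function returns the dict you would serialize with json.dumps and send as the Create Feed request body; pass only redacted(body) to your logger or change ticket, never the original.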

Configuration by log type

The table below lists the log types that Chronicle supports for the API feed source type (that is, ingesting data from third-party APIs).

If a log type has Chronicle parser support, the ingested data is stored in Chronicle UDM format as well as raw log data.

Click a Data Source name for detailed reference information, prerequisites, and API examples for the log type.

To learn about prerequisites for other log types and feed source types, see Prerequisites. To learn about feeds in general, see About data feeds.

Data Source Log Type Chronicle Parser Support
Anomali ThreatStream ANOMALI_IOC Yes
CrowdStrike Detection Monitoring CS_DETECTS Yes
Duo Authentication Logs DUO_AUTH Yes
Duo Users DUO_USER_CONTEXT Yes
Fidelis Cloud Passage Events CLOUD_PASSAGE Yes
Fox-IT FOX_IT_STIX No
Google Cloud Identity Devices GCP_CLOUDIDENTITY_DEVICES Yes
Google Cloud Identity Device Users GCP_CLOUDIDENTITY_DEVICEUSERS Yes
Google Workspace Activity WORKSPACE_ACTIVITY Yes
Google Workspace Alerts WORKSPACE_ALERTS Yes
Google Workspace Chrome WORKSPACE_CHROMEOS Yes
Google Workspace Groups WORKSPACE_GROUPS Yes
Google Workspace Mobile WORKSPACE_MOBILE Yes
Google Workspace Privileges WORKSPACE_PRIVILEGES Yes
Google Workspace Users WORKSPACE_USERS Yes
Imperva IMPERVA_WAF Yes
Microsoft Azure AD Directory Audit AZURE_AD_AUDIT Yes
Microsoft Azure AD Context AZURE_AD_CONTEXT Yes
Microsoft Azure AD Sign-Ins AZURE_AD Yes
Microsoft Azure Defender for Cloud Alerts MICROSOFT_SECURITY_CENTER_ALERT No
Microsoft Azure MDM Intune Audit Events AZURE_MDM_INTUNE Yes
Microsoft Graph Security API MICROSOFT_GRAPH_ALERT Yes
Microsoft 365 Management Activity OFFICE_365 Yes
Mimecast Secure Email Gateway MIMECAST_MAIL Yes
Netskope Alerts NETSKOPE_ALERT Yes
Okta System Log OKTA Yes
Okta Users OKTA_USER_CONTEXT Yes
Palo Alto Networks Autofocus PAN_IOC Yes
Palo Alto Networks Cortex XDR CORTEX_XDR Yes
Palo Alto Networks Prisma Cloud Audit Logs PAN_PRISMA_CLOUD Yes
Proofpoint on Demand PROOFPOINT_ON_DEMAND Yes
Proofpoint SIEM API PROOFPOINT_MAIL Yes
Qualys VM QUALYS_VM Yes
Rapid7 InsightVM RAPID7_INSIGHT Yes
Recorded Future RECORDED_FUTURE_IOC Yes
RH-ISAC RH_ISAC_IOC Yes
Salesforce SALESFORCE Yes
SentinelOne Alert SENTINELONE_ALERT Yes
ServiceNow CMDB SERVICENOW_CMDB Yes
Symantec Event Export SYMANTEC_EVENT_EXPORT Yes
Thinkst Canary THINKST_CANARY Yes
ThreatConnect THREATCONNECT_IOC Yes
Workday WORKDAY Yes

Anomali ThreatStream

This section provides API reference details for the ANOMALI_IOC log type. For details about the data source, see the Anomali ThreatStream documentation.

Data source Ingest schedule details.feedSourceType details.logType
api.threatstream.com Every minute API ANOMALI_IOC

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.anomaliSettings.authentication.user Yes Username
details.anomaliSettings.authentication.secret Yes API key

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "ANOMALI_IOC",
   "anomaliSettings": {
     "authentication": {
       "user": "USERNAME",
       "secret": "APIKEY"
     }
   }
 }
}

CrowdStrike Detection Monitoring

This section provides API reference details for the CS_DETECTS log type. For details about the data source, see the CrowdStrike Detection Monitoring documentation.

Data source Ingest schedule details.feedSourceType details.logType
api.crowdstrike.com Every minute API CS_DETECTS

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.crowdstrikeDetectsSettings.authentication.clientId Yes OAuth Client ID
details.crowdstrikeDetectsSettings.authentication.clientSecret Yes OAuth Client Secret
details.crowdstrikeDetectsSettings.authentication.tokenEndpoint Yes Authentication URL
details.crowdstrikeDetectsSettings.hostname Yes API Endpoint URL

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "CS_DETECTS",
    "crowdstrikeDetectsSettings": {
      "authentication": {
          "clientId": "CLIENT ID",
          "clientSecret": "CLIENT SECRET",
          "tokenEndpoint": "https://api.us-2.crowdstrike.com/oauth2/token"
      },
      "hostname": "api.crowdstrike.com"
    }
  }
}

Steps to enable the CrowdStrike feed

Create a CrowdStrike API client
  1. In the CrowdStrike application, create an API client by navigating to Support and resources > API clients and keys.
  2. Create a new API client with API scopes granting permission to Read Detections.
  3. Record the values for Base URL, Client ID, and Client Secret. You will need these to set up the feed in Chronicle.

Set up the Chronicle feed
  1. Launch Chronicle, then select the Settings menu.
  2. Select Feeds in the left pane and click Add New.
  3. Select the Third Party API source type and the CrowdStrike Detection Monitoring log type.
  4. Fill in the requested parameters gathered earlier from CrowdStrike and click Submit.

The feed will begin to retrieve all detections from the CrowdStrike instance in chronological order. Detections older than 6 months will be dropped. After the backfill is complete, which can take some time depending on the number of detections in CrowdStrike, the feed checks for new detections every 5 minutes.

Duo Authentication Logs

This section provides API reference details for the DUO_AUTH log type. For details about the data source, see the Duo Authentication Logs documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_AUTH",
     "duoAuthSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "api-mytenant.duosecurity.com"
     }
   }
}

Duo Users

This section provides API reference details for the DUO_USER_CONTEXT log type. For details about the data source, see the Duo Users documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_USER_CONTEXT",
     "duoUserContextSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "api-mytenant.duosecurity.com"
     }
   }
}

Fidelis Cloud Passage Events

This section provides API reference details for the CLOUD_PASSAGE log type. For details about the data source, see the Cloud Passage Events documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "CLOUD_PASSAGE",
     "cloudPassageSettings": {
       "authentication": {
         "user": "api_key_id",
         "secret": "api_key_secret"
       },
       "eventTypes": [
         "fim_target_integrity_changed",
         "lids_rule_failed",
         "sca_rule_failed"
       ]
     }
   }
}

Fox-IT

This section provides API reference details for the FOX_IT_STIX log type. For details about the data source, see the Fox-IT documentation.

Prerequisites

  • Get the values for all authentication and SSL fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "FOX_IT_STIX",
     "foxItStixSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "ssl": {
         "sslCertificate": "<cert>",
         "encodedPrivateKey": "key"
       },
       "pollServiceURI": "https://stix.fox-it.com/services/poll",
       "collection": "mycollection"
     }
   }
}

Google Cloud Identity Devices

This section provides API reference details for the GCP_CLOUDIDENTITY_DEVICES log type. For details about the data source, see the Google Cloud Identity Devices documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICES",
   "googleCloudIdentityDevicesSettings": {
     "authentication": {
       "tokenEndPoint": "jwt_token_uri",
       "claims": {
         "issuer": "jwt_client_email",
         "subject": "user_email",
         "audience": "jwt_token_uri"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "apiVersion": "v1"
   }
 }
}

Google Cloud Identity Device Users

This section provides API reference details for the GCP_CLOUDIDENTITY_DEVICEUSERS log type. For details about the data source, see the Google Cloud Identity Device Users documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICEUSERS",
   "googleCloudIdentityDeviceUsersSettings": {
     "authentication": {
       "tokenEndPoint": "jwt_token_uri",
       "claims": {
         "issuer": "jwt_client_email",
         "subject": "user_email",
         "audience": "jwt_token_uri"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     }
   }
 }
}

Google Workspace Activities

This section provides API reference details for the WORKSPACE_ACTIVITY log type. For details about the data source, see the Google Workspace Activities documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every hour API WORKSPACE_ACTIVITY

Prerequisites

For Chronicle to ingest Google Workspace activities, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes the Reports admin privilege, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceActivitySettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Reports privilege.
details.workspaceActivitySettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Also note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceActivitySettings.workspaceCustomerId Yes The Google Workspace customer ID. The customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.
details.workspaceActivitySettings.applications Yes The Google Workspace applications to gather activities for. See below for valid values.

Google Workspace applications

Activities are associated with one or more applications. The applications that Chronicle supports include the following.

details.workspaceActivitySettings.applications Description
access_transparency Access Transparency log events
admin Admin log events
calendar Calendar log events
chat Chat log events
drive Drive log events
gcp Google Cloud activity events
gplus Currents log events
groups Groups log events
groups_enterprise Groups Enterprise log events
jamboard Jamboard log events
login User log events
meet Meet log events
mobile Device log events
rules Rule log events (beta)
saml SAML log events
token OAuth log events
user_accounts User log events
context_aware_access Context-Aware Access log events
chrome Chrome log events
data_studio Looker Studio log events
keep Keep log events

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ACTIVITY",
   "workspaceActivitySettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample",
     "applications": [
       "admin",
       "groups",
       "mobile"
     ]
   }
 }
}

Google Workspace Alerts

This section provides API reference details for the WORKSPACE_ALERTS log type. For details about the data source, see the Google Workspace Alerts documentation.

Data source Ingest schedule details.feedSourceType details.logType
alertcenter.googleapis.com Every hour API WORKSPACE_ALERTS

Prerequisites

For Chronicle to ingest Google Workspace alerts, complete the following steps:

  1. Enable the Alert Center API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Alert Center API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Alert Center view access, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceAlertsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Alert Center view access.
details.workspaceAlertsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the Alert Center API. Note that literal newline characters (\n) should be replaced with carriage returns. Also note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceAlertsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must not have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have has a leading 'C', then remove it before including in your request.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ALERTS",
   "workspaceAlertsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "1e2x3ample"
   }
 }
}

Google Workspace ChromeOS Devices

This section provides API reference details for the WORKSPACE_CHROMEOS log type. For details about the data source, see the Google Workspace ChromeOS Devices documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_CHROMEOS

Prerequisites

For Chronicle to ingest Google Workspace ChromeOS devices, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Chrome Management Settings access, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceChromeOsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Reports privilege.
details.workspaceChromeOsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Replace the literal newline characters (\n) with carriage returns. The field name is rsCredentials, and not rsaCredentials.
details.workspaceChromeOsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_CHROMEOS",
   "workspaceChromeOsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Groups

This section provides API reference details for the WORKSPACE_GROUPS log type. For details about the data source, see the Google Workspace Groups documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_GROUPS

Prerequisites

For Chronicle to ingest Google Workspace groups, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API Group read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceGroupsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API Group read privilege.
details.workspaceGroupsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceGroupsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_GROUPS",
   "workspaceGroupsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Mobile Devices

This section provides API reference details for the WORKSPACE_MOBILE log type. For details about the data source, see the Google Workspace Mobile Devices documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_MOBILE

Prerequisites

For Chronicle to ingest Google Workspace mobile devices, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API Group read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceMobileSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API Group read privilege.
details.workspaceMobileSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceMobileSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_MOBILE",
   "workspaceMobileSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Privileges

This section provides API reference details for the WORKSPACE_PRIVILEGES log type. For details about the data source, see the Google Workspace Privileges documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_PRIVILEGES

Prerequisites

For Chronicle to ingest Google Workspace privileges, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it a super admin role.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspacePrivilegesSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user.
details.workspacePrivilegesSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspacePrivilegesSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "WORKSPACE_PRIVILEGES",
    "workspacePrivilegesSettings": {
      "authentication": {
        "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
        "claims": {
          "issuer": "service-account@project.iam.gserviceaccount.com",
          "subject": "user@domain.com",
          "audience": "https://accounts.google.com/o/oauth2/token"
        },
        "rsCredentials": {
          "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
        }
      },
      "workspaceCustomerId": "C1e2x3ample"
    }
  }
}

Google Workspace Users

This section provides API reference details for the WORKSPACE_USERS log type. For details about the data source, see the Google Workspace Users documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_USERS

Prerequisites

For Chronicle to ingest Google Workspace users, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API User read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

Type-specific request fields

Field Required Description
details.workspaceUserSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API User read privilege.
details.workspaceUserSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceUserSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "WORKSPACE_USERS",
    "workspaceUserSettings": {
      "authentication": {
        "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
        "claims": {
          "issuer": "service-account@project.iam.gserviceaccount.com",
          "subject": "user@domain.com",
          "audience": "https://accounts.google.com/o/oauth2/token"
        },
        "rsCredentials": {
          "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
        }
      },
      "workspaceCustomerId": "C1e2x3ample"
    }
  }
}
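The three Google Workspace feeds above (WORKSPACE_MOBILE, WORKSPACE_PRIVILEGES and WORKSPACE_USERS) map the same fields of a service account JSON key onto the same authentication block. The following is an added example, not code from the Chronicle documentation or any Google client library: it assembles the Create Feed request body from a key file, applying the field rules in the tables (issuer from client_email, tokenEndpoint and audience from token_uri, the rsCredentials name, the leading 'C' on the customer ID) and serialises it as valid JSON. The service account key it uses is a constructed sample, and the privateKey is passed through exactly as decoded from the key file.

```python
"""Build a Chronicle Create Feed request body for a Google Workspace API feed
from a service account JSON key. Added example; it assembles the body locally
and does not call the Feed Management API."""
import json

# Settings key that carries the type-specific fields for each Workspace log type.
WORKSPACE_SETTINGS_KEYS = {
    "WORKSPACE_MOBILE": "workspaceMobileSettings",
    "WORKSPACE_PRIVILEGES": "workspacePrivilegesSettings",
    "WORKSPACE_USERS": "workspaceUserSettings",
}

# Constructed sample of a service account key file (shape only, not a real key).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKL\nMNOPqrstUVWX=\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "service-account@project.iam.gserviceaccount.com",
    "token_uri": "https://accounts.google.com/o/oauth2/token",
})


def normalize_customer_id(customer_id: str) -> str:
    """Return the Workspace customer ID with the leading 'C' the feed requires."""
    cid = customer_id.strip()
    if not cid:
        raise ValueError("customer ID is empty")
    return cid if cid.startswith("C") else "C" + cid


def build_workspace_feed_request(log_type: str, key_json: str,
                                 admin_user: str, customer_id: str) -> dict:
    """Map the key file fields onto the type-specific request fields."""
    if log_type not in WORKSPACE_SETTINGS_KEYS:
        raise ValueError(f"unsupported Workspace log type: {log_type}")
    key = json.loads(key_json)
    missing = [f for f in ("token_uri", "client_email", "private_key")
               if not key.get(f)]
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError("client_email does not look like a service account")
    if "@" not in admin_user:
        raise ValueError("admin user (claims.subject) must be an email address")

    settings = {
        "authentication": {
            "tokenEndpoint": key["token_uri"],
            "claims": {
                "issuer": key["client_email"],
                "subject": admin_user,
                "audience": key["token_uri"],
            },
            # The field is named rsCredentials, not rsaCredentials.
            "rsCredentials": {"privateKey": key["private_key"]},
        },
        "workspaceCustomerId": normalize_customer_id(customer_id),
    }
    return {"details": {"feedSourceType": "API", "logType": log_type,
                        WORKSPACE_SETTINGS_KEYS[log_type]: settings}}


def feed_request_json(request: dict) -> str:
    """Serialise the body; json.dumps escapes the key's newlines as \\n."""
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    body = build_workspace_feed_request("WORKSPACE_USERS", SAMPLE_KEY_JSON,
                                        "admin@example.com", "1e2x3ample")
    print(feed_request_json(body))
```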

Imperva

This section provides API reference details for the IMPERVA_WAF log type. For details about the data source, see the Imperva documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Optional fields

initialStartTime

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "IMPERVA_WAF",
    "impervaWafSettings": {
      "authentication": {
        "headerKeyValues": [{
          "key": "key",
          "value": "value"
        }]
      }
    }
  }
}

Microsoft Azure Active Directory Audit

This section provides API reference details for the AZURE_AD_AUDIT log type. For details about the data source, see the Azure Active Directory Audit documentation.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every minute API AZURE_AD_AUDIT

Prerequisites

  • Get the values for all required request fields. Note that the token endpoint for OAuth 2.0 is: https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against the Microsoft Graph API to access directory audits must have the permissions AuditLog.Read.All and Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdAuditSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdAuditSettings.authentication.clientSecret Yes OAuth client Secret
details.azureAdAuditSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdAuditSettings.hostname No API full path; default value: graph.microsoft.com/v1.0/auditLogs/directoryAudits

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "AZURE_AD_AUDIT",
    "azureAdAuditSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "hostname": "graph.microsoft.com/v1.0/auditLogs/directoryAudits"
    }
  }
}

Microsoft Azure Active Directory Organizational Context

This section provides API reference details for the AZURE_AD_CONTEXT log type. For details about the data source, see the Azure Active Directory Organizational Context documentation.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every 24 hours API AZURE_AD_CONTEXT

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against Microsoft Graph API to access organizational context must have permissions Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdContextSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdContextSettings.authentication.clientSecret Yes OAuth client secret
details.azureAdContextSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdContextSettings.retrieveDevices No Whether to retrieve device information
details.azureAdContextSettings.retrieveGroups No Whether to retrieve user group information
details.azureAdContextSettings.hostname No API full path; default value: graph.microsoft.com/beta

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "AZURE_AD_CONTEXT",
    "azureAdContextSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "retrieveDevices": false,
      "retrieveGroups": false,
      "hostname": "graph.microsoft.com/beta"
    }
  }
}

Microsoft Azure Active Directory Sign-ins

This section provides API reference details for the AZURE_AD log type. For details about the data source, see the Azure Active Directory Sign-ins documentation.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every hour API AZURE_AD

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against Microsoft Graph API to access sign-ins must have permissions AuditLog.Read.All and Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdSettings.authentication.clientSecret Yes OAuth client Secret
details.azureAdSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdSettings.hostname No API full path; default value: graph.microsoft.com/v1.0/auditLogs/signIns

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "AZURE_AD",
    "azureAdSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "hostname": "graph.microsoft.com/v1.0/auditLogs/signIns"
    }
  }
}

Microsoft Azure Defender for Cloud Alerts

This section provides API reference details for the MICROSOFT_SECURITY_CENTER_ALERT log type. For details about the data source, see the Azure Defender for Cloud Alerts documentation.

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "MICROSOFT_SECURITY_CENTER_ALERT",
    "microsoftSecurityCenterAlertSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "subscriptionId": "0ab1234c5-de67-89fg-01h2-ijk3l4567890",
      "hostname": "management.azure.com"
    }
  }
}

Microsoft Azure Microsoft Device Management Intune Audit Events

This section provides API reference details for the AZURE_MDM_INTUNE log type. For details about the data source, see the Azure Microsoft Device Management Intune Audit Events documentation.

Prerequisites

  • Get the values for all authentication fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • None

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "AZURE_MDM_INTUNE",
    "azureMdmIntuneSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "hostname": "graph.microsoft.com/beta/deviceManagement/auditEvents"
    }
  }
}

Microsoft Graph Security API Alerts

This section provides API reference details for the MICROSOFT_GRAPH_ALERT log type. For details about the data source, see the Microsoft Graph Security API Alerts documentation.

Prerequisites

  • Get the values for authentication fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used must have permissions SecurityEvents.Read.All.

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "MICROSOFT_GRAPH_ALERT",
    "microsoftGraphAlertSettings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "hostname": "graph.microsoft.com/v1.0/security/alerts"
    }
  }
}

Microsoft Office 365 Management Activity

This section provides API reference details for the OFFICE_365 log type. For details about the data source, see the Microsoft Office 365 Management Activity documentation.

Data source Ingest schedule details.feedSourceType details.logType
manage.office.com Every minute API OFFICE_365

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against the API must have permissions ActivityFeed.Read. If ingesting DLP data then the permission ActivityFeed.ReadDlp must be specified.

Type-specific request fields

Field Required Description
details.office365Settings.authentication.clientId Yes OAuth client ID (a UUID)
details.office365Settings.authentication.clientSecret Yes OAuth client secret
details.office365Settings.tenantId Yes Tenant ID (a UUID)
details.office365Settings.contentType Yes The type of logs to fetch. See the Office 365 Content Type table below for the valid values.
details.office365Settings.hostname No API Full Path, default value: manage.office.com/api/v1.0

Office 365 Content Type

This section provides API reference details for the OFFICE_365 log type. For details about the data source, see the Office 365 Content Type documentation.

details.office365Settings.contentType Description
AUDIT_AZURE_ACTIVE_DIRECTORY Azure Active Directory audit logs.
AUDIT_EXCHANGE Exchange audit logs.
AUDIT_SHARE_POINT SharePoint audit logs.
AUDIT_GENERAL All other workloads not included in other Audit content types.
DLP_ALL DLP events only for all workloads.

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "OFFICE_365",
    "office365Settings": {
      "authentication": {
        "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
        "clientSecret": "clientSecret"
      },
      "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
      "contentType": "AUDIT_AZURE_ACTIVE_DIRECTORY",
      "hostname": "manage.office.com/api/v1.0"
    }
  }
}
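The Microsoft Graph feeds (AZURE_AD_AUDIT, AZURE_AD_CONTEXT, AZURE_AD) and the Office 365 Management Activity feed share the same clientId/clientSecret/tenantId authentication and differ only in their settings key, default hostname, optional fields and required permissions. The following is an added example, not code from the Chronicle documentation or any Microsoft or Google library: it builds the request body for any of these four log types, rejects IDs that are not UUIDs, restricts contentType to the Office 365 values listed above, and checks the granted permissions against the ones each table requires. All identifiers and secrets it uses are constructed samples.

```python
"""Build and validate Create Feed request bodies for the Microsoft Graph and
Office 365 API feeds described above. Added example; assembles the body
locally and does not call any API."""
import uuid

# Per log type: settings key, default hostname, required permissions (from the
# tables above). OFFICE_365 additionally needs ActivityFeed.ReadDlp for DLP_ALL.
MS_FEEDS = {
    "AZURE_AD_AUDIT": ("azureAdAuditSettings",
                       "graph.microsoft.com/v1.0/auditLogs/directoryAudits",
                       {"AuditLog.Read.All", "Directory.Read.All"}),
    "AZURE_AD_CONTEXT": ("azureAdContextSettings", "graph.microsoft.com/beta",
                         {"Directory.Read.All"}),
    "AZURE_AD": ("azureAdSettings", "graph.microsoft.com/v1.0/auditLogs/signIns",
                 {"AuditLog.Read.All", "Directory.Read.All"}),
    "OFFICE_365": ("office365Settings", "manage.office.com/api/v1.0",
                   {"ActivityFeed.Read"}),
}
OFFICE_365_CONTENT_TYPES = {"AUDIT_AZURE_ACTIVE_DIRECTORY", "AUDIT_EXCHANGE",
                            "AUDIT_SHARE_POINT", "AUDIT_GENERAL", "DLP_ALL"}
# Optional boolean fields that exist only on azureAdContextSettings.
CONTEXT_OPTIONS = ("retrieveDevices", "retrieveGroups")


def _require_uuid(name: str, value) -> str:
    """clientId and tenantId are documented as UUIDs; reject anything else."""
    try:
        uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{name} must be a UUID, got {value!r}")
    return value


def token_endpoint(tenant_id: str) -> str:
    """OAuth 2.0 token endpoint for the tenant, as given in the prerequisites."""
    return f"https://login.microsoftonline.com/{_require_uuid('tenantId', tenant_id)}/oauth2/token"


def required_permissions(log_type: str, content_type: str = None) -> set:
    perms = set(MS_FEEDS[log_type][2])
    if log_type == "OFFICE_365" and content_type == "DLP_ALL":
        perms.add("ActivityFeed.ReadDlp")
    return perms


def build_microsoft_feed_request(log_type: str, client_id: str, client_secret: str,
                                 tenant_id: str, hostname: str = None,
                                 content_type: str = None,
                                 granted_permissions=None, **options) -> dict:
    """Assemble the body; granted_permissions, when given, is the set of
    permissions held by the API identity and is checked against the tables."""
    if log_type not in MS_FEEDS:
        raise ValueError(f"unsupported log type: {log_type}")
    settings_key, default_host, _ = MS_FEEDS[log_type]
    if not client_secret:
        raise ValueError("clientSecret is required")
    settings = {
        "authentication": {"clientId": _require_uuid("clientId", client_id),
                           "clientSecret": client_secret},
        "tenantId": _require_uuid("tenantId", tenant_id),
    }
    if log_type == "OFFICE_365":
        if content_type not in OFFICE_365_CONTENT_TYPES:
            raise ValueError(f"contentType must be one of "
                             f"{sorted(OFFICE_365_CONTENT_TYPES)}")
        settings["contentType"] = content_type
    elif content_type is not None:
        raise ValueError("contentType applies only to OFFICE_365")
    for name, value in options.items():
        if log_type != "AZURE_AD_CONTEXT" or name not in CONTEXT_OPTIONS:
            raise ValueError(f"{name} is not a field of {settings_key}")
        settings[name] = bool(value)
    settings["hostname"] = hostname or default_host
    if granted_permissions is not None:
        missing = required_permissions(log_type, content_type) - set(granted_permissions)
        if missing:
            raise ValueError(f"API identity lacks permissions: {sorted(missing)}")
    return {"details": {"feedSourceType": "API", "logType": log_type,
                        settings_key: settings}}


if __name__ == "__main__":
    # Constructed sample identifiers; the page's sample IDs are not valid UUIDs.
    print(build_microsoft_feed_request(
        "OFFICE_365", "11111111-2222-4333-8444-555555555555", "s3cret",
        "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee", content_type="DLP_ALL"))
```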

Mimecast

This section provides API reference details for the MIMECAST_MAIL log type. For details about the data source, see the Mimecast documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "MIMECAST_MAIL",
     "mimecastMailSettings": {
       "authentication": {
         "headerKeyValues": [
           {
             "key": "access_key",
             "value": "ACCESS_KEY"
           },
           {
             "key": "app_id",
             "value": "APP_ID"
           },
           {
             "key": "app_key",
             "value": "APP_KEY"
           },
           {
             "key": "secret_key",
             "value": "SECRET_KEY"
           }
         ]
       },
       "hostname": "xx-api.mimecast.com"
     }
   }
}

Netskope Alerts

This section provides API reference details for the NETSKOPE_ALERT log type. For details about the data source, see the Netskope Alerts documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "NETSKOPE_ALERT",
     "netskopeAlertSettings": {
       "authentication": {
         "headerKeyValues": [{
          "key": "token",
          "value": "token_value"
         }]
       },
       "content_type": "all",
       "hostname": "myinstance.goskope.com",
       "feedName": "alerts"
     }
   }
}

Okta System Log

This section provides API reference details for the OKTA log type. For details about the data source, see the Okta System Log documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname"
     }
   }
}

Okta Users

This section provides API reference details for the OKTA_USER_CONTEXT log type. For details about the data source, see the Okta Users documentation.

Prerequisites

  • Get the values for hostname and all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

managerIdReferenceField is required when you use a non-Okta ID to reference managers. It should be a JSON field path pointing to the field that contains the manager ID in the result of a call to the "users" Okta API.

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA_USER_CONTEXT",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname",
       "managerIdReferenceField": "fooId"
     }
   }
}

Palo Alto Networks AutoFocus

This section provides API reference details for the PAN_IOC log type. For details about the data source, see the Palo Alto Networks AutoFocus documentation.

Prerequisites

  • Get the values for feedId, feed, and all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "PAN_IOC",
    "panIocSettings": {
      "authentication": {
        "headerKeyValues": [{
          "key": "key",
          "value": "value"
        }]
      },
      "feedId": "ID",
      "feed": "feed"
    }
  }
}

Palo Alto Networks Cortex XDR

This section provides API reference details for the CORTEX_XDR log type. For details about the data source, see the Palo Alto Networks Cortex XDR documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Make sure the API key is an advanced key, not a standard key.
  • Get the following required permissions:
    • None

Optional fields

initialStartTime

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "CORTEX_XDR",
    "cortexXdrSettings": {
      "authentication": {
        "headerKeyValues": [
          {
            "key": "Authorization",
            "value": "api_key"
          },
          {
            "key": "x-xdr-auth-id",
            "value": "api_key_id"
          }
        ]
      },
      "hostname": "api-abcd.xdr.ab.paloaltonetworks.com",
      "endpoint": "incidents"
    }
  }
}

Palo Alto Networks Prisma Cloud Audit Logs

This section provides API reference details for the PAN_PRISMA_CLOUD log type. For details about the data source, see the Palo Alto Networks Prisma Cloud Audit Logs documentation.

Prerequisites

  • Get the x-redlock-auth value and values for all authentication fields. Note that the token endpoint is: https://api.prismacloud.io/audit/redlock
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PAN_PRISMA_CLOUD",
     "panPrismaCloudSettings": {
       "authentication": {
         "user": "user",
         "password": "password"
       },
       "hostname": "api2.prismacloud.io"
     }
   }
}

Proofpoint on Demand

This section provides API reference details for the PROOFPOINT_ON_DEMAND log type. For details about the data source, see the Proofpoint on Demand documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Other fields

proofpointOnDemandSourceDetails

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_ON_DEMAND",
     "proofpointOnDemandSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "clusterId": "ID"
     }
   }
}

Proofpoint SIEM

This section provides API reference details for the PROOFPOINT_MAIL log type. For details about the data source, see the Proofpoint SIEM documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_MAIL",
     "proofpointMailSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       }
     }
   }
}

Qualys VM

This section provides API reference details for the QUALYS_VM log type. For details about the data source, see the Qualys VM documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "QUALYS_VM",
     "qualysVmSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "PASSWORD"
       },
       "hostname": "qualysapi.qualys.com/api/2.0/fo/asset/host/?action=list"
     }
   }
}

Rapid7 InsightVM

This section provides API reference details for the RAPID7_INSIGHT log type. For details about the data source, see the Rapid7 InsightVM documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Optional fields

initialStartTime

Sample Create Feed request

The endpoint value must be either vulnerabilities or assets.

{
  "details": {
    "feedSourceType": "API",
    "logType": "RAPID7_INSIGHT",
    "rapid7InsightSettings": {
      "authentication": {
        "headerKeyValues": [{
          "key": "X-Api-Key",
          "value": "APIKEY"
        }]
      },
      "endpoint": "assets",
      "hostname": "us.api.insight.rapid7.com"
    }
  }
}

Recorded Future

This section provides API reference details for the RECORDED_FUTURE_IOC log type. For details about the data source, see the Recorded Future documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "RECORDED_FUTURE_IOC",
    "recordedFutureIocSettings": {
      "authentication": {
        "user": "user",
        "secret": "secret"
      }
    }
  }
}

RH-ISAC

This section provides API reference details for the RH_ISAC_IOC log type. For details about the data source, see the RH-ISAC documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Other fields

tags, queueDelay

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "RH_ISAC_IOC",
     "rhIsacIocSettings": {
       "authentication": {
         "tokenEndPoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret"
       }
     }
   }
}

Salesforce

This section provides API reference details for the SALESFORCE log type. For details about the data source, see the Salesforce documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SALESFORCE",
     "salesforceSettings": {
       "authentication": {
         "tokenEndpoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret",
         "user": "user",
         "password": "password"
       },
       "hostname": "hostname"
     }
   }
}

SentinelOne Alert

This section provides API reference details for the SENTINELONE_ALERT log type. For details about the data source, see the SentinelOne Alert documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SENTINELONE_ALERT",
     "sentineloneAlertSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "ApiToken"
          }]
       },
       "hostname": "hostname"
     }
   }
}

ServiceNow CMDB

This section provides API reference details for the SERVICENOW_CMDB log type. For details about the data source, see the ServiceNow CMDB documentation.

Prerequisites

  • Get the values for all required fields (feedname is the table name).
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SERVICENOW_CMDB",
     "servicenowCmdbSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "feedname": "feedname"
     }
   }
}

Symantec Event Export

This section provides API reference details for the SYMANTEC_EVENT_EXPORT log type. For details about the data source, see the Symantec Event Export documentation.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "SYMANTEC_EVENT_EXPORT",
    "symantecEventExportSettings": {
      "authentication": {
        "tokenEndPoint": "REFRESH TOKEN URI",
        "clientId": "CLIENT ID",
        "clientSecret": "CLIENT SECRET",
        "refreshToken": "REFRESH TOKEN"
      }
    }
  }
}

Thinkst Canary

This section provides API reference details for the THINKST_CANARY log type. For details about the data source, see the Thinkst Canary documentation.

Prerequisites

  • Get the values for all required fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "THINKST_CANARY",
     "thinkstCanarySettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname"
     }
   }
}

ThreatConnect

This section provides API reference details for the THREATCONNECT_IOC log type. For details about the data source, see the ThreatConnect documentation.

Prerequisites

  • Get the values for all required fields.
  • Get the following required permissions:
    • None

Other fields

queueDelay

Optional fields

initialStartTime

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "THREATCONNECT_IOC",
    "threatConnectIocSettings": {
      "authentication": {
        "user": "user",
        "secret": "secret"
      },
      "hostname": "hostname",
      "owners": ["owner"]
    }
  }
}

Workday

This section provides API reference details for the WORKDAY log type. For details about the data source, see the Workday documentation.

Prerequisites

  • Get the values for all required fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "WORKDAY",
     "workdaySettings": {
       "authentication": {
         "user": "ClientID",
         "secret": "ClientSecret"
       },
       "hostname": "hostname",
       "tenantId": "ID"
     }
   }
}