Feed management API

This reference guide explains how to use the Chronicle feed management API to programmatically create, run, and manage data feeds that send logs to your Chronicle instance. For details about how to use the Chronicle UI to create and manage feeds, see the Feed management user guide.

About data feeds

You can use Chronicle data feeds to ingest log data into your Chronicle instance from the following:

  • Chronicle-supported cloud storage services, such as Google Cloud Storage
  • Third-party data sources with a Chronicle-supported API, such as Microsoft 365
  • Files accessible directly using HTTP(S) requests

Each feed that you create is composed of a data source type and a log type. Google Cloud Storage, third-party APIs, and HTTP-accessible files are examples of source types. For each data source type that Chronicle supports, Chronicle also supports specific log types. For example, for the Google Cloud Storage source type, Chronicle supports the Carbon Black log type and many others. The list of supported log types varies by source type.

When you create a feed, you specify the source type, log type, required permissions, authentication details, and more. As part of its security design, Chronicle stores user credentials (for example, credentials that you provide so a Chronicle feed can ingest log data from a third-party API) in Secret Manager.

If Chronicle provides a default parser for the log type, then the ingested log data is stored in both Chronicle Unified Data Model (UDM) format and raw log format.

Supported source types and log types

Chronicle supports the following source types:

Feed source type     | Description
Third-party API      | Ingest data from a third-party API.
Google Cloud Storage | Ingest data from a Google Cloud Storage bucket.
Amazon S3            | Ingest data from an Amazon Simple Storage Service bucket.
Amazon SQS           | Ingest data from an Amazon Simple Queue Service queue whose entries point to files stored in S3.
Azure Blobstore      | Ingest data from Azure Blob Storage.
HTTP(S)              | Ingest data from files accessible by an HTTP(S) request. Do not use this source type to interact with third-party APIs. Use the API feed source type for third-party APIs supported by Chronicle.

There are several ways to view a list of currently supported log types:

  • Chronicle UI. To view the list of supported log types for each source type, go to Settings > Feeds > Add New and use the Source Type and Log Type menus. For details, see Creating and editing feeds.

  • API reference documentation. To view a list of supported log types for third-party API feeds, see Configuration by log type.

  • Feed Schema API. To view log types for any source type, you can also use the Feed Schema API.

Prerequisites

Each data feed has its own set of prerequisites that must be completed prior to setting up the feed in Chronicle. You can find the prerequisites as follows:

  • Prerequisites for each source type are listed in Configuration by source type.

  • Prerequisites for each log type ingested using the API feed source type are listed in Configuration by log type.

  • Prerequisites for all log types ingested using any source type are listed in the Chronicle UI. Go to Settings > Feeds > Add New, select a Source Type and Log Type, and review the required fields. For details, see Creating and editing feeds.

For example, if you set up a data feed from a Google Cloud Storage bucket, you might need to complete the following tasks:

  1. Use the feed management fetchFeedServiceAccount method to get a Chronicle service account that Chronicle uses to ingest data.
  2. Grant access to the Chronicle service account to the relevant Cloud Storage objects. For more information, see Grant access to the Chronicle service account.

How to authenticate with the Chronicle API

This Chronicle API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:

  • Using the Google API Client Library for your programming language.

  • Directly interfacing with the OAuth 2.0 system using HTTP.

See the reference documentation for the Google Authentication library in Python.

Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.

Getting API authentication credentials

Your Chronicle representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.

You also must provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.

Use the following scope to initialize your Google API client:

https://www.googleapis.com/auth/chronicle-backstory

Python example

The following Python example demonstrates how to use the OAuth2 credentials and HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample: Google Auth and API Client Library imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or
# run `pip install google-api-python-client` from your terminal.
from google.oauth2 import service_account
from googleapiclient import _auth

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file.
# TODO: Replace this with the full path to your OAuth2 credentials.
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using the Google Developer Service Account Credential and
# the Chronicle API scope.
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP client to make authorized OAuth requests.
http_client = _auth.authorized_http(credentials)

# <your code continues here>

Chronicle API query limits

The Chronicle API enforces limits on the volume of requests that can be made by any one customer against the Chronicle platform. If you reach or exceed the query limit, the Chronicle API server returns HTTP 429 (RESOURCE_EXHAUSTED) to the caller. When developing applications for the Chronicle API, Chronicle recommends that you enforce rate limits within your system to avoid resource exhaustion. These limits apply to all of the Chronicle APIs, including the feed management API.

The feed management API enforces the following limits, which are measured in queries per second (QPS):

Chronicle API   | API method  | Limit
Feed management | Create Feed | 1 QPS
                | Get Feed    | 1 QPS
                | List Feeds  | 1 QPS
                | Update Feed | 1 QPS
                | Delete Feed | 1 QPS
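A small wrapper around the feed endpoints that enforces the 1 QPS limit above on the client side and retries on HTTP 429, as an added example that is not part of the Chronicle documentation. It assumes `session` is any requests-style object whose `request(method, url, json=...)` returns `status_code`, `headers`, `text` and `json()` (the AuthorizedSession built in the authentication sample fits); `ScriptedSession` and the canned responses are constructed stand-ins so the code runs offline, and the enable, get and delete endpoints follow the same `_call` pattern as `disable_feed`.

```python
import time


class FeedClient:
    """Feed management calls paced to the documented 1 QPS, retrying on 429.
    Added example, not Chronicle code; `session` is any requests-style object
    whose request(method, url, json=...) returns status_code/headers/text/json()
    (google.auth's AuthorizedSession from the sample above fits)."""

    def __init__(self, session, base_url="https://backstory.googleapis.com",
                 qps=1.0, max_retries=4, sleep=time.sleep, clock=time.monotonic):
        self.session = session
        self.base_url = base_url.rstrip("/")  # pass a regional endpoint here
        self.min_interval = 1.0 / qps
        self.max_retries = max_retries
        self._sleep, self._clock = sleep, clock  # injectable so tests run fast
        self._last = None
        self.retries = 0  # 429s absorbed so far; worth exporting as a metric

    def _throttle(self):
        # Space requests at least min_interval apart instead of relying on the
        # server's HTTP 429 (RESOURCE_EXHAUSTED) to slow us down.
        now = self._clock()
        if self._last is not None and now - self._last < self.min_interval:
            self._sleep(self.min_interval - (now - self._last))
        self._last = self._clock()

    def _call(self, method, path, body=None):
        url, backoff = self.base_url + path, 1.0
        for attempt in range(self.max_retries + 1):
            self._throttle()
            resp = self.session.request(method, url, json=body)
            if resp.status_code == 429 and attempt < self.max_retries:
                # Honour Retry-After when the server sends it, else back off.
                self.retries += 1
                self._sleep(float(resp.headers.get("Retry-After", backoff)))
                backoff = min(backoff * 2, 60.0)
                continue
            if resp.status_code != 200:
                # Anything but 200 is a failure; the body carries the details.
                raise RuntimeError(f"{method} {path}: {resp.status_code} {resp.text}")
            return resp.json()

    @staticmethod
    def feed_id(name):
        """Responses name feeds 'feeds/<id>'; the {feedID} URL path wants <id>."""
        return name.split("/", 1)[1] if name.startswith("feeds/") else name

    def create_feed(self, display_name, details):
        return self._call("POST", "/v1/feeds",
                          {"display_name": display_name, "details": details})

    def list_feeds(self):
        return self._call("GET", "/v1/feeds").get("feeds", [])

    def disable_feed(self, name):  # enable/get/delete follow the same pattern
        return self._call("POST", f"/v1/feeds/{self.feed_id(name)}:disable")

    def failed_feeds(self):
        """(name, failureMsg) for each feed whose feedState is FAILED."""
        return [(f["name"], f.get("failureMsg", "")) for f in self.list_feeds()
                if f.get("feedState") == "FAILED"]


# Constructed stand-ins for the HTTP layer so the example runs offline.
class FakeResponse:
    def __init__(self, status, body, headers=None):
        self.status_code, self.headers, self._body = status, headers or {}, body
        self.text = repr(body)

    def json(self):
        return self._body


class ScriptedSession:
    """Replays canned responses in order and records every request made."""

    def __init__(self, responses):
        self.responses, self.calls = list(responses), []

    def request(self, method, url, json=None):
        self.calls.append((method, url, json))
        return self.responses.pop(0)


def demo():
    """Create a feed (first attempt answered with 429), then disable it."""
    feed = "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567"  # name from the samples
    slept = []
    session = ScriptedSession([
        FakeResponse(429, {"error": "RESOURCE_EXHAUSTED"}, {"Retry-After": "2"}),
        FakeResponse(200, {"name": feed, "feedState": "ACTIVE"}),
        FakeResponse(200, {"name": feed, "feedState": "INACTIVE"}),
    ])
    client = FeedClient(session, base_url="https://europe-backstory.googleapis.com",
                        sleep=slept.append, clock=lambda: 0.0)
    created = client.create_feed("some feed name",
                                 {"feedSourceType": "API", "logType": "DUO_AUTH"})
    disabled = client.disable_feed(created["name"])
    return created, disabled, client.retries, slept, [c[:2] for c in session.calls]
```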

Control the rate of ingestion

When the data ingestion rate for a tenant reaches a certain threshold, Chronicle restricts the rate of ingestion for new data feeds to prevent a source with a high ingestion rate from affecting the ingestion rate of another data source.

The feeds that ingest data at a rate higher than the threshold are restricted, resulting in delayed ingestion. When the rate of feed ingestion is restricted, excess data is queued to be ingested, so there is a delay but no data is lost.

The ingestion volume and tenant's usage history determine the threshold. If the rate of ingestion does not deviate greatly, then there is no effect on the ingestion rate.

Python example using OAuth2 credentials and HTTP client

The following Python example demonstrates how to use the OAuth2 credentials and the HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample: Google Auth and API Client Library imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or
# run `pip install google-api-python-client` from your terminal.
from google.auth.transport import requests
from google.oauth2 import service_account

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file.
# TODO: Replace this with the full path to your OAuth2 credentials.
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using the Google Developer Service Account Credential and
# the Chronicle API scope.
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP session to make authorized OAuth requests.
http_session = requests.AuthorizedSession(credentials)

# <your code continues here>

Regional endpoints

Chronicle provides regional endpoints for each API.

  • Dammam: https://me-central2-backstory.googleapis.com
  • Europe Multi-Region: https://europe-backstory.googleapis.com
  • Frankfurt: https://europe-west3-backstory.googleapis.com
  • London: http://europe-west2-backstory.googleapis.com
  • Mumbai: http://asia-south1-backstory.googleapis.com
  • Singapore: https://asia-southeast1-backstory.googleapis.com
  • Sydney: https://australia-southeast1-backstory.googleapis.com
  • Tel Aviv: https://me-west1-backstory.googleapis.com
  • Tokyo: https://asia-northeast1-backstory.googleapis.com
  • United States Multi-Region: https://backstory.googleapis.com
  • Zurich: https://europe-west6-backstory.googleapis.com

Feed Schema API reference

The Feed Schema API returns information that is useful for constructing valid feed management API requests. For example, you can get the data structure representing the entire feed schema. This structure defines the specific fields to specify for each valid combination of feed source type and log type. Alternatively, you can get a list of all log types compatible with a particular feed source type.

Specifically, the feed schema contains:

  • Information about each valid feed source type:
    • A human-readable name
    • A human-readable description
    • Whether feeds with a given feed source type can be modified using the API, or are read-only
  • Information about each log type:
    • A human-readable name
    • Whether feeds with a given log type can be modified using the API, or are read-only
  • Which log types are compatible with which feed source types
  • Information about the specific fields to specify for each valid combination of log type and feed source type:
    • A human-readable field name and description
    • Compatibility with other fields
    • Semantic type (e.g. URI, "secret", etc)
    • Whether the field is required
    • What a valid value for the field looks like

The schema can be accessed using a few different methods.

GetFeedSchema

This method returns a structure representing the entire feed schema. The schema comprises a list of "feed source type schemas", each of which describes one supported feed source type. Each feed source type's schema contains a list of "log type schemas" that correspond to the set of log types compatible with that feed source type and describe each log type. Each log type schema contains a list of "details field schemas" that describe the fields you would set when issuing a Create Feed request, for instance, or expect to see in a ListFeed or GetFeed response. The field schemas are unique to the particular combination of log type and feed source type.

Request

GET https://backstory.googleapis.com/v1/feedSchema

Response

{
  "feedSourceTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3",
      "displayName": "Amazon S3",
      "description": "Amazon Simple Storage Service, a service offered by Amazon Web Services that provides object storage through a web service interface",
      "feedSourceType": "AMAZON_S3",
      "logTypeSchemas": [{
          "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
          "displayName": "AWS Cloudtrail",
          "logType": "AWS_CLOUDTRAIL",
          "detailsFieldSchemas": [{
              "fieldPath": "details.amazon_s3_settings.authentication.access_key_id",
              "displayName": "Access key ID",
              "description": "An account access key that is a 20-character alphanumeric string, for example AKIAIOSFODNN7EXAMPLE",
              "type": "STRING",
              "exampleInput": "AKIAIOSFODNN7EXAMPLE",
            },
            ...
            {
              "fieldPath": "details.amazon_s3_settings.s3_uri",
              "displayName": "S3 URI",
              "description": "The S3 bucket source URI",
              "type": "STRING_URI",
              "isRequired": true,
              "exampleInput": "s3://cs-prod-cannon-00afe0c847a8/data/",
            }],
        },
        ...
        {
          "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/ABNORMAL_SECURITY",
          "displayName": "Abnormal Security",
          "logType": "ABNORMAL_SECURITY",
          ...
        }],
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_SQS",
      "displayName": "Amazon SQS",
      "description": "Amazon Simple Queue Service, a service offered by Amazon Web Services that provides fully managed message queuing service to transfer messages asynchronously",
      "feedSourceType": "AMAZON_SQS",
      ...
    }],
}

ListFeedSourceTypeSchemas

This method returns information about all feed source types.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas
Sample Response
{
  "feedSourceTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3",
      "displayName": "Amazon S3",
      "description": "Amazon Simple Storage Service, a service offered by Amazon Web Services that provides object storage through a web service interface",
      "feedSourceType": "AMAZON_S3",
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_SQS",
      "displayName": "Amazon SQS",
      "description": "Amazon Simple Queue Service, a service offered by Amazon Web Services that provides fully managed message queuing service to transfer messages asynchronously",
      "feedSourceType": "AMAZON_SQS",
    }],
}

ListLogTypeSchemas

This method returns information about all log types compatible with a particular feed source type.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas/{feed source type}/logTypeSchemas
Sample Request
https://backstory.googleapis.com/v1/feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas
Sample Response
{
  "logTypeSchemas": [{
      "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
      "displayName": "AWS Cloudtrail",
      "logType": "AWS_CLOUDTRAIL",
    },
    ...
    {
      "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/ABNORMAL_SECURITY",
      "displayName": "Abnormal Security",
      "logType": "ABNORMAL_SECURITY",
      ...
    }],
}

GetLogTypeSchema

This method returns detailed information about all the fields necessary to configure a feed for a particular source type and log type.

Request
GET https://backstory.googleapis.com/v1/feedSourceTypeSchemas/{feed source type}/logTypeSchemas/{log type}
Sample Request
https://backstory.googleapis.com/v1/feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL
Sample Response
{
  "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
  "displayName": "AWS Cloudtrail",
  "logType": "AWS_CLOUDTRAIL",
  "detailsFieldSchemas": [{
      "fieldPath": "details.amazon_s3_settings.authentication.access_key_id",
      "displayName": "Access key ID",
      "description": "An account access key that is a 20-character alphanumeric string, for example AKIAIOSFODNN7EXAMPLE",
      "type": "STRING",
      "exampleInput": "AKIAIOSFODNN7EXAMPLE",
    },
    ...
    {
      "fieldPath": "details.amazon_s3_settings.s3_uri",
      "displayName": "S3 URI",
      "description": "The S3 bucket source URI",
      "type": "STRING_URI",
      "isRequired": true,
      "exampleInput": "s3://cs-prod-cannon-01abc2d345e6/data/",
    }],
}
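A pre-flight check built on the schema just described, as an added example that is not Chronicle's code: it maps the snake_case fieldPath values returned by GetLogTypeSchema onto the camelCase keys that request bodies use, reports missing required fields and malformed STRING_URI values, and masks secret-typed fields so a request body can be logged without leaking credentials. The trimmed schema and its "SECRET" type value are constructed assumptions (the page only says the semantic type can be "secret"); the sample body is this page's AMAZON_S3 Create Feed request with the log type placeholder set to AWS_CLOUDTRAIL.

```python
import copy
import re

# Constructed: a trimmed GetLogTypeSchema response for AWS_CLOUDTRAIL on
# AMAZON_S3, using the fieldPath values the documentation shows. The "SECRET"
# type is an assumed stand-in for the "secret" semantic type the schema
# description mentions; isRequired follows the type-specific request fields.
CLOUDTRAIL_ON_S3_SCHEMA = {
    "name": "feedSourceTypeSchemas/AMAZON_S3/logTypeSchemas/AWS_CLOUDTRAIL",
    "logType": "AWS_CLOUDTRAIL",
    "detailsFieldSchemas": [
        {"fieldPath": "details.amazon_s3_settings.s3_uri", "type": "STRING_URI",
         "isRequired": True, "exampleInput": "s3://cs-prod-cannon-01abc2d345e6/data/"},
        {"fieldPath": "details.amazon_s3_settings.source_type", "type": "STRING",
         "isRequired": True},
        {"fieldPath": "details.amazon_s3_settings.authentication.access_key_id",
         "type": "STRING", "isRequired": True, "exampleInput": "AKIAIOSFODNN7EXAMPLE"},
        {"fieldPath": "details.amazon_s3_settings.authentication.secret_access_key",
         "type": "SECRET", "isRequired": True},
    ],
}

# The documentation's sample AMAZON_S3 Create Feed body, with the placeholder
# log type replaced by AWS_CLOUDTRAIL so that it matches the schema above.
SAMPLE_BODY = {
    "details": {
        "feedSourceType": "AMAZON_S3",
        "logType": "AWS_CLOUDTRAIL",
        "amazonS3Settings": {
            "s3Uri": "s3://uri/to/file",
            "sourceType": "FILES",
            "sourceDeletionOption": "SOURCE_DELETION_NEVER",
            "authentication": {
                "region": "US_EAST_1",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            },
        },
    }
}


def snake_to_camel(segment):
    """amazon_s3_settings -> amazonS3Settings, the key style request bodies use."""
    head, *rest = segment.split("_")
    return head + "".join(w[:1].upper() + w[1:] for w in rest)


def body_path(field_path):
    """Schema fieldPath -> list of request-body keys."""
    return [snake_to_camel(p) for p in field_path.split(".")]


def lookup(obj, keys):
    """Walk nested dicts; None if any key along the path is absent."""
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return None
        obj = obj[k]
    return obj


def validate_feed_body(body, schema):
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    _, source_type, _, log_type = schema["name"].split("/")
    details = body.get("details", {})
    if details.get("feedSourceType") != source_type:
        problems.append(f"details.feedSourceType must be {source_type}")
    if details.get("logType") != log_type:
        problems.append(f"details.logType must be {log_type}")
    for field in schema["detailsFieldSchemas"]:
        path = field["fieldPath"]
        value = lookup(body, body_path(path))
        if value is None:
            if field.get("isRequired"):
                problems.append(f"missing required field {path}")
        elif field["type"] == "STRING_URI" and not re.match(
                r"^[a-z][a-z0-9+.-]*://", str(value)):
            problems.append(f"{path} is not a URI: {value!r}")
    return problems


def redact_secrets(body, schema, mask="***"):
    """Deep copy of body with every SECRET-typed field masked, safe to log."""
    out = copy.deepcopy(body)
    for field in schema["detailsFieldSchemas"]:
        if field["type"] != "SECRET":
            continue
        keys = body_path(field["fieldPath"])
        parent = lookup(out, keys[:-1])
        if isinstance(parent, dict) and keys[-1] in parent:
            parent[keys[-1]] = mask
    return out
```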

Feed management API reference

This section describes the endpoints for creating, enabling, and managing feeds.

When creating or editing a feed, you need to specify the feedSourceType and logType in the request body. For details about these fields, see Configuration by source type and Configuration by log type.

Create Feed

Creates a third-party data feed in your Chronicle instance.

Request

POST https://backstory.googleapis.com/v1/feeds
Request body

This example shows how to collect authentication logs from Duo Security.

{
  "display_name": "some feed name",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    },
    "namespace": "my-asset-namespace",
    "labels": [{
      "key": "my-ingestion-label-key",
      "value": "my-ingestion-label-value"
    }]
  }
}

Sample request
https://backstory.googleapis.com/v1/feeds
{
  "display_name": "some feed name",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    }
  }
}
Sample successful response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

If the response is unsuccessful, it returns an HTTP status code other than 200 (OK). Be sure to check the body of the response for details of the failure.

Asset namespace

To assign an asset namespace to all events that are ingested from a particular feed, set the "namespace" field within details. The namespace field is a string.

Ingestion label

Ingestion labels are part of Unified Data Model metadata. They are repeated key and value pairs. To assign ingestion labels to all events that are ingested from a particular feed, set the labels field within details. The labels field is an array of JSON objects with key and value fields.

DeleteFeed

Deletes a feed that was configured using the Chronicle feed management API.

Request

DELETE  https://backstory.googleapis.com/v1/feeds/{feedID}
Sample request
DELETE https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567
Sample response

If the operation is successful, Delete Feed returns an empty response with an HTTP status code 200 (OK).

{}

Enable Feed

Enables an INACTIVE feed, which allows it to be executed.

Request
POST https://backstory.googleapis.com/v1/feeds/{feedID}:enable
Sample request
POST https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567:enable
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

Disable Feed

Disables a feed. A disabled feed has a status of INACTIVE. Disabled feeds will no longer fetch data.

Request
POST https://backstory.googleapis.com/v1/feeds/{feedID}:disable
Sample request
POST https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567:disable
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "INACTIVE"
}

Get Feed

Gets the details of the feed that was configured.

Request

GET https://backstory.googleapis.com/v1/feeds/{feedID}
Sample request
https://backstory.googleapis.com/v1/feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567
Sample response
{
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "display_name": "some feed name",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

List Feeds

Retrieves all the feeds configured for a given Chronicle instance.

Request
GET https://backstory.googleapis.com/v1/feeds
Sample request
https://backstory.googleapis.com/v1/feeds
Sample response
{
 "feeds": [
   {
     "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
     "details": {
       "logType": "AZURE_AD_CONTEXT",
       "feedSourceType": "API",
       "azureAdContextSettings": {}
     },
     "feedState": "ACTIVE"
   },
   {
     "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
     "display_name": "some feed name",
     "details": {
       "logType": "PAN_PRISMA_CLOUD",
       "feedSourceType": "API",
       "panPrismaCloudSettings": {
         "hostname": "api2.prismacloud.io"
       }
     },
     "feedState": "ACTIVE"
   }
 ]
}

Read-only feeds

There may be feeds returned from a List Feeds request that have the field readOnly set to true. Read-only feeds cannot be created, updated, or deleted.

Feeds are read-only for a few reasons. For example:

  • Some feed source types are not fully supported by feed management at the moment, and were created before the release of feed management.
  • Some specialized log types are not available to every Chronicle user. If a feed exists with one of these types, it is considered read-only.

Update Feed

Updates the given feed with new details.

Request
PATCH https://backstory.googleapis.com/v1/feeds/{feedID}
Request body

The following example shows how to update a Duo Auth feed.

Sample request
{
  "display_name": "my feed",
  "details": {
    "feedSourceType": "API",
    "logType": "DUO_AUTH",
    "duoAuthSettings": {
      "authentication": {
        "user": "ABCUSERNAMEDEF",
        "secret": "aBcS3cReTdEf"
      },
      "hostname": "api-abc123.duosecurity.com"
    }
  }
}
Sample response
{
 "display_name": "my feed",
 "name": "feeds/12a34567-bc8d-1111-e9f0-gh1ijk234567",
 "details": {
   "logType": "DUO_AUTH",
   "feedSourceType": "API",
   "duoAuthSettings": {
     "hostname": "api-abc123.duosecurity.com"
   }
 },
 "feedState": "ACTIVE"
}

Fetch service account

Gets a unique service account that Chronicle uses to ingest data. Use this method only if you're setting up a Cloud Storage feed.

Request
GET https://backstory.googleapis.com/v1/fetchFeedServiceAccount
Sample request
GET https://backstory.googleapis.com/v1/fetchFeedServiceAccount
Sample response
"serviceAccount": "xxxxxxxx-0-account@partnercontent.gserviceaccount.com"

Response message fields

This section describes the following fields that are returned in response messages:

  • feedState
  • failureMsg

Feed state

The feedState field can be found in the response message of most operations. feedState gives some insight into the current state of a feed.

feedState     | Description
"ACTIVE"      | Feed successfully created and will begin fetching data.
"INACTIVE"    | Feed has been disabled.
"IN_PROGRESS" | Feed is currently attempting to fetch data. A feed will only have this status if it has not previously failed.
"COMPLETED"   | Feed has recently fetched data successfully.
"FAILED"      | Feed has failed and has not successfully fetched data since it failed. Misconfiguration is the typical cause of feed failure. See the failureMsg field for more information.

Failure message

The failureMsg field can be found in the response message of most operations, but only for those feeds whose feedState is FAILED. It provides more information regarding the nature of the failure, such as the response code returned from the relevant third party. Please refer to the documentation below for your particular feed type to understand how to correctly configure the feed.

Configuration by source type

This section provides information about configuring feed source types. A feed source type defines where data is located and how it's accessed. Valid values for feedSourceType are as follows:

feedSourceType       | Description
API                  | Ingest data from a third-party API.
GOOGLE_CLOUD_STORAGE | Ingest data from a Google Cloud Storage bucket.
AMAZON_S3            | Ingest data from an Amazon Simple Storage Service bucket.
AMAZON_SQS           | Ingest data from an Amazon Simple Queue Service queue whose entries point to files stored in S3.
AZURE_BLOBSTORE      | Ingest data from Azure Blob Storage.
HTTP                 | Ingest data from files accessible by an HTTP(S) request. This source type should not be used to interact with third-party APIs. Use the API feed source type for third-party APIs supported by Chronicle.

API

Use the API feed source type to ingest data from a third-party API. The configuration settings for the API feed source type are specific to the log type that you specify for the feed.

For example, when you use the Feeds API endpoints to configure settings for an API feed data source, you specify API as the value for the details.feedSourceType field. You also specify a supported log type as the value for the details.logType field. The log type determines the additional feed configuration settings that you can specify. Details about these settings are provided in the section for that specific log type in Configuration by log type.

GOOGLE_CLOUD_STORAGE

Data source                 | Ingest schedule  | details.feedSourceType | details.logType
Google Cloud Storage Bucket | Every 15 minutes | GOOGLE_CLOUD_STORAGE   | See the Feed Schema API reference to get compatible log types.

Prerequisites

Before you set up a Cloud Storage feed, you must get a Chronicle service account and provide access to the account so that Chronicle can ingest data.

  1. Use the feed management fetchFeedServiceAccount method to get a Chronicle service account.
  2. Grant access to the Chronicle service account to the relevant Cloud Storage objects. For more information, see Grant access to the Chronicle service account.
  3. If VPC Service Controls is enabled, configure an ingress rule to provide access to the Cloud Storage bucket. In this document, see Configure VPC Service Controls.

Configure VPC Service Controls

If VPC Service Controls is enabled, an ingress rule is required to provide access to the Cloud Storage bucket.

The following Cloud Storage methods must be allowed in the ingress rule:

  • google.storage.objects.list. Required for a single file feed.
  • google.storage.objects.get. Required for feeds that require directory or subdirectory access.
  • google.storage.objects.delete. Required for feeds that require deletion of the source file.

Sample ingress rule

- ingressFrom:
    identities:
    - serviceAccount:8911409095528497-0-account@partnercontent.gserviceaccount.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.list
      - method: google.storage.objects.get
      - method: google.storage.objects.delete
    resources:
    - projects/PROJECT_ID

Type-specific request fields

details.gcsSettings.bucketUri (required)
  The URI which corresponds to the Google Cloud Storage bucket. The format is the same format used by gsutil to specify a resource.

details.gcsSettings.sourceType (required)
  The type of object indicated by bucketUri. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.

details.gcsSettings.sourceDeletionOption (required)
  Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "GOOGLE_CLOUD_STORAGE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "gcsSettings": {
     "bucketUri": "gs://bucket/file",
     "sourceType": "FOLDERS_RECURSIVE",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

AMAZON_S3

Data source                          | Ingest schedule  | details.feedSourceType | details.logType
Amazon Simple Storage Service Bucket | Every 15 minutes | AMAZON_S3              | See the Feed Schema API reference to get compatible log types.

Prerequisites

  1. Create an S3 bucket.
  2. Create a security key for programmatic access.

To learn more about how to configure a feed to ingest data from an Amazon S3 bucket, see Ingest AWS logs.

Type-specific request fields

details.amazonS3Settings.s3Uri (required)
  The S3 URI to ingest.

details.amazonS3Settings.sourceType (required)
  The type of file indicated by the URI. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.

details.amazonS3Settings.sourceDeletionOption (required)
  Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

details.amazonS3Settings.authentication.region (required)
  The region where the S3 bucket resides. For a list of regions, see Amazon S3 regions.

details.amazonS3Settings.authentication.accessKeyId (required)
  This is the 20 character ID associated with your Amazon IAM account.

details.amazonS3Settings.authentication.secretAccessKey (required)
  This is the 40 character access key associated with your Amazon IAM account.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AMAZON_S3",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonS3Settings": {
     "s3Uri": "s3://uri/to/file",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER",
     "authentication": {
       "region": "US_EAST_1",
       "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
       "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
     }
   }
 }
}

Amazon S3 regions

AWS Region                 | AWS Region code | authentication.region
Asia Pacific (Mumbai)      | ap-south-1      | AP_SOUTH_1
Asia Pacific (Seoul)       | ap-northeast-2  | AP_NORTHEAST_2
Asia Pacific (Singapore)   | ap-southeast-1  | AP_SOUTHEAST_1
Asia Pacific (Sydney)      | ap-southeast-2  | AP_SOUTHEAST_2
Asia Pacific (Tokyo)       | ap-northeast-1  | AP_NORTHEAST_1
AWS GovCloud (US-East)     | us-gov-east-1   | US_GOV_EAST_1
AWS GovCloud (US-West)     | us-gov-west-1   | US_GOV_CLOUD
Canada (Central)           | ca-central-1    | CA_CENTRAL_1
China (Beijing)            | cn-north-1      | CN_NORTH_1
China (Ningxia)            | cn-northwest-1  | CN_NORTHWEST_1
Europe (Frankfurt)         | eu-central-1    | EU_CENTRAL_1
Europe (Ireland)           | eu-west-1       | EU_WEST_1
Europe (London)            | eu-west-2       | EU_WEST_2
Europe (Paris)             | eu-west-3       | EU_WEST_3
Europe (Stockholm)         | eu-north-1      | EU_NORTH_1
South America (São Paulo)  | sa-east-1       | SA_EAST_1
US East (N. Virginia)      | us-east-1       | US_EAST_1
US East (Ohio)             | us-east-2       | US_EAST_2
US West (N. California)    | us-west-1       | US_WEST_1
US West (Oregon)           | us-west-2       | US_WEST_2

AMAZON_SQS

Data source details.feedSourceType details.logType
Amazon Simple Storage Service Bucket that sends notifications to an Amazon Simple Queueing Service queue AMAZON_SQS See the Feed Schema API reference to get compatible log types.

Amazon SQS queues can carry notifications from a monitored S3 bucket. Chronicle reads these notifications off the SQS queue and pulls the corresponding files out of the S3 bucket. This is effectively a "push-based" version of an Amazon S3 feed and can be used for better throughput.

When you apply a policy, make sure that it includes sqs:DeleteMessage. Chronicle cannot delete messages if the sqs:DeleteMessage permission is not attached to the SQS queue. The messages then accumulate on the AWS side, which causes delays as Chronicle repeatedly attempts to transfer the same files.

Prerequisites

  1. Create an S3 bucket.
  2. Create an SQS queue.
    • The queue must be a Standard queue, not a FIFO queue.
  3. Set up notifications on your S3 bucket to write to your SQS queue.
    • Be sure to attach an access policy.
  4. Create an access key which will be used to access both the SQS queue and the S3 bucket.

To learn more about how to configure a feed to ingest data from an Amazon SQS queue whose entries point to files stored in an Amazon S3 bucket, see Ingest AWS logs.

Type-specific request fields

Field Required Description
details.amazonSqsSettings.queue Yes The SQS queue name.
details.amazonSqsSettings.region Yes The region where the SQS queue and S3 bucket reside. For a list of regions, see Amazon S3 regions.
details.amazonSqsSettings.accountNumber Yes The account number for the SQS queue and S3 bucket.
details.amazonSqsSettings.sourceDeletionOption Yes Whether to delete the source files in the S3 bucket after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.
details.amazonSqsSettings.authentication.sqsAccessKeySecretAuth.accessKeyId Yes This is the 20 character ID associated with your Amazon IAM account.
details.amazonSqsSettings.authentication.sqsAccessKeySecretAuth.secretAccessKey Yes This is the 40 character access key associated with your Amazon IAM account.
details.amazonSqsSettings.authentication.additionalS3AccessKeySecretAuth.accessKeyId No This is the 20 character ID associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.
details.amazonSqsSettings.authentication.additionalS3AccessKeySecretAuth.secretAccessKey No This is the 40 character access key associated with your Amazon IAM account. Only specify if using a different access key for the S3 bucket.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AMAZON_SQS",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "amazonSqsSettings": {
     "queue": "cs-prod-canon-queue-01234abc56de789f",
     "region": "US_EAST_1",
     "accountNumber": "123456789012",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
     "authentication": {
       "sqsAccessKeySecretAuth": {
         "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
       },
     },
   }
 }
}
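As an added worked example (not code from the Chronicle documentation or its client libraries), the following Python builds the AMAZON_S3 and AMAZON_SQS request bodies shown above from their inputs and checks them against the rules this reference states: the authentication.region enum derived from the AWS region code (including the US_GOV_CLOUD exception in the Amazon S3 regions table), the 20- and 40-character key lengths, the 12-digit account number, the sourceDeletionOption values, and the both-or-neither rule for additionalS3AccessKeySecretAuth. The function names, the EXAMPLE_LOG_TYPE placeholder and the bucket and queue names are assumptions constructed for the example; the access key pair is the AWS documentation example key that the samples above also use.

```python
"""Build and sanity-check Chronicle AMAZON_S3 and AMAZON_SQS feed requests.

Added example, not part of the Chronicle documentation or client libraries.
It encodes the field rules stated in the reference so a request body can be
checked locally before any credential is sent. All sample values are
constructed; the AKIA.../wJalr... pair is the AWS documentation example key.
"""
import json

# Region codes from the "Amazon S3 regions" table. The API enum is the
# upper-cased, underscored form of the code, except us-gov-west-1, which the
# table maps to US_GOV_CLOUD.
SUPPORTED_REGION_CODES = {
    "ap-south-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "ap-northeast-1", "us-gov-east-1", "us-gov-west-1", "ca-central-1",
    "cn-north-1", "cn-northwest-1", "eu-central-1", "eu-west-1", "eu-west-2",
    "eu-west-3", "eu-north-1", "sa-east-1", "us-east-1", "us-east-2",
    "us-west-1", "us-west-2",
}
REGION_ENUM_EXCEPTIONS = {"us-gov-west-1": "US_GOV_CLOUD"}
# sourceDeletionOption values from the field tables.
DELETION_OPTIONS = {"SOURCE_DELETION_NEVER", "SOURCE_DELETION_ON_SUCCESS",
                    "SOURCE_DELETION_ON_SUCCESS_FILES_ONLY"}
# sourceType values the reference lists for its file-based source types.
SOURCE_TYPES = {"FILES", "FOLDERS", "FOLDERS_RECURSIVE"}


def region_enum(aws_region_code: str) -> str:
    """Translate an AWS region code such as us-east-1 to the feed API enum."""
    code = aws_region_code.strip().lower()
    if code not in SUPPORTED_REGION_CODES:
        raise ValueError(f"unsupported region {aws_region_code!r}")
    return REGION_ENUM_EXCEPTIONS.get(code, code.upper().replace("-", "_"))


def check_access_key(access_key_id: str, secret_access_key: str) -> None:
    """Enforce the 20/40-character lengths the reference gives for IAM keys."""
    if len(access_key_id) != 20:
        raise ValueError("accessKeyId must be exactly 20 characters")
    if len(secret_access_key) != 40:
        raise ValueError("secretAccessKey must be exactly 40 characters")


def check_common(log_type: str, deletion: str) -> None:
    """Reject the placeholder log type and unknown deletion options."""
    if not log_type or log_type == "LOGTYPE_YOU_WANT_TO_BRING":
        raise ValueError("logType must be a real log type, not the placeholder")
    if deletion not in DELETION_OPTIONS:
        raise ValueError(f"sourceDeletionOption must be one of {sorted(DELETION_OPTIONS)}")


def s3_feed_request(log_type, s3_uri, aws_region_code, access_key_id,
                    secret_access_key, source_type="FILES",
                    deletion="SOURCE_DELETION_NEVER") -> dict:
    """Return the body of an AMAZON_S3 Create Feed request."""
    check_common(log_type, deletion)
    check_access_key(access_key_id, secret_access_key)
    if not s3_uri.startswith("s3://"):
        raise ValueError("s3Uri must start with s3://")
    if source_type not in SOURCE_TYPES:
        raise ValueError(f"sourceType must be one of {sorted(SOURCE_TYPES)}")
    return {"details": {
        "feedSourceType": "AMAZON_S3",
        "logType": log_type,
        "amazonS3Settings": {
            "s3Uri": s3_uri,
            "sourceType": source_type,
            "sourceDeletionOption": deletion,
            "authentication": {
                "region": region_enum(aws_region_code),
                "accessKeyId": access_key_id,
                "secretAccessKey": secret_access_key}}}}


def sqs_feed_request(log_type, queue, aws_region_code, account_number,
                     access_key_id, secret_access_key,
                     deletion="SOURCE_DELETION_NEVER",
                     s3_access_key_id=None, s3_secret_access_key=None) -> dict:
    """Return the body of an AMAZON_SQS Create Feed request.

    additionalS3AccessKeySecretAuth is emitted only when a separate key pair
    for the bucket is given; giving half of the pair is rejected.
    """
    check_common(log_type, deletion)
    check_access_key(access_key_id, secret_access_key)
    if not (account_number.isdigit() and len(account_number) == 12):
        raise ValueError("accountNumber must be the 12-digit AWS account ID")
    if (s3_access_key_id is None) != (s3_secret_access_key is None):
        raise ValueError("give both or neither additional S3 key field")
    auth = {"sqsAccessKeySecretAuth": {"accessKeyId": access_key_id,
                                       "secretAccessKey": secret_access_key}}
    if s3_access_key_id is not None:
        check_access_key(s3_access_key_id, s3_secret_access_key)
        auth["additionalS3AccessKeySecretAuth"] = {
            "accessKeyId": s3_access_key_id,
            "secretAccessKey": s3_secret_access_key}
    return {"details": {
        "feedSourceType": "AMAZON_SQS",
        "logType": log_type,
        "amazonSqsSettings": {
            "queue": queue,
            "region": region_enum(aws_region_code),
            "accountNumber": account_number,
            "sourceDeletionOption": deletion,
            "authentication": auth}}}


def to_json(request: dict) -> str:
    """Serialise via json.dumps so the body is valid JSON (no stray commas)."""
    return json.dumps(request, indent=2)


def build_error(builder, **kwargs) -> str:
    """Return the message a builder raises for the given fields, or ''."""
    try:
        builder(**kwargs)
        return ""
    except ValueError as exc:
        return str(exc)
```

Serialising with json.dumps rather than hand-editing the sample bodies avoids the trailing and missing commas that are easy to introduce when copying them, and the length checks catch a truncated paste before the credential is stored in Secret Manager. The region mapping is derived from the table above rather than typed per feed, so the one irregular value (US_GOV_CLOUD) is handled in exactly one place.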

AZURE_BLOBSTORE

Data source Ingest schedule details.feedSourceType details.logType
Microsoft Azure Blob Storage Container Every 15 minutes AZURE_BLOBSTORE See the Feed Schema API reference to get compatible log types.

Prerequisites

You will need either:

To learn more about how to configure a feed to ingest data from Azure Blob Storage, see Ingest Azure Activity logs.

Type-specific request fields

Field Required Description
details.azureBlobStoreSettings.azureUri Yes The URI pointing to an Azure Blob Storage blob or container.
details.azureBlobStoreSettings.sourceType Yes The type of object indicated by the URI. Valid values are:
  • FILES: The URI points to a single blob that will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a Blob Storage container.
details.azureBlobStoreSettings.sourceDeletionOption Yes Source file deletion is not supported in Azure. This field's value must be set to SOURCE_DELETION_NEVER.
details.azureBlobStoreSettings.authentication.sharedKey No A shared key, a 512-bit random string in base64 encoding, authorized to access Azure Blob Storage. Required if not specifying an SAS Token.
details.azureBlobStoreSettings.authentication.sasToken No A Shared Access Signature authorized to access the Azure Blob Storage container.

Azure URI source types

When specifying an Azure URI you must also indicate the type of object indicated by the URI.

details.sourceType Source type
FILES The URI points to a single blob that will be ingested with each execution of the feed.
FOLDERS The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
FOLDERS_RECURSIVE The URI points to a Blob Storage container.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "AZURE_BLOBSTORE",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "azureBlobStoreSettings": {
     "azureUri": "https://myaccount.blob.core.windows.net/logging",
     "sourceType": "FOLDERS_RECURSIVE",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
     "authentication": {
       "sharedKey": "Ab12CyDEFG3HI45JklMnopQrs00TU6xVw7xYZ8AbcdeFgHioJkL0MnoPqRsTUvWxYZaBCdEFg9hijKlm0N12pqR==",
     },
   }
 }
}

HTTP

Data source Ingest schedule details.feedSourceType details.logType
Files available over the open internet via an HTTP request. Every 15 minutes HTTP See the Feed Schema API reference to get compatible log types.

WARNING: The HTTP type should not be used to gather data from an API. Please refer to the supported API feed types below.

Type-specific request fields

Field Required Description
details.httpSettings.uri Yes The URI pointing to a file or collection of files.
details.httpSettings.sourceType Yes The type of file indicated by the URI. Valid values are:
  • FILES: The URI points to a single file which will be ingested with each execution of the feed.
  • FOLDERS: The URI points to a directory. All files contained within the directory will be ingested with each execution of the feed.
  • FOLDERS_RECURSIVE: The URI points to a directory. All files and directories contained within the indicated directory will be ingested, including all files and directories within those directories, and so on.
details.httpSettings.sourceDeletionOption Yes Whether to delete source files after they have been transferred to Chronicle. This reduces storage costs. Valid values are:
  • SOURCE_DELETION_NEVER: Never delete files from the source.
  • SOURCE_DELETION_ON_SUCCESS: Delete files and empty directories from the source after successful ingestion.
  • SOURCE_DELETION_ON_SUCCESS_FILES_ONLY: Delete files from the source after successful ingestion.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "HTTP",
   "logType": "LOGTYPE_YOU_WANT_TO_BRING",
   "httpSettings": {
     "uri": "https://url.com/myfile",
     "sourceType": "FILES",
     "sourceDeletionOption": "SOURCE_DELETION_NEVER"
   }
 }
}

Configuration by log type

The table below lists the log types that Chronicle supports for the API feed source type (that is, ingesting data from third-party APIs).

If a log type has Chronicle parser support, the ingested data is stored in Chronicle UDM format as well as raw log data.

Click a Data Source name for detailed reference information, prerequisites, and API examples for the log type.

To learn about prerequisites for other log types and feed source types, see Prerequisites. To learn about feeds in general, see About data feeds.

Data Source Log Type Chronicle Parser Support
Anomali ThreatStream ANOMALI_IOC Yes
CrowdStrike Detection Monitoring CS_DETECTS Yes
Duo Authentication Logs DUO_AUTH Yes
Duo Users DUO_USER_CONTEXT Yes
Fidelis Cloud Passage Events CLOUD_PASSAGE Yes
Fox-IT FOX_IT_STIX No
Google Cloud Identity Devices GCP_CLOUDIDENTITY_DEVICES Yes
Google Cloud Identity Device Users GCP_CLOUDIDENTITY_DEVICEUSERS Yes
Google Workspace Activity WORKSPACE_ACTIVITY Yes
Google Workspace Alerts WORKSPACE_ALERTS Yes
Google Workspace Chrome WORKSPACE_CHROMEOS Yes
Google Workspace Groups WORKSPACE_GROUPS Yes
Google Workspace Mobile WORKSPACE_MOBILE Yes
Google Workspace Privileges WORKSPACE_PRIVILEGES Yes
Google Workspace Users WORKSPACE_USERS Yes
Imperva IMPERVA_WAF Yes
Microsoft Azure AD Directory Audit AZURE_AD_AUDIT Yes
Microsoft Azure AD Context AZURE_AD_CONTEXT Yes
Microsoft Azure AD Sign-Ins AZURE_AD Yes
Microsoft Azure MDM Intune Audit Events AZURE_MDM_INTUNE Yes
Microsoft Graph Security API MICROSOFT_GRAPH_ALERT Yes
Microsoft 365 Management Activity OFFICE_365 Yes
Mimecast Secure Email Gateway MIMECAST_MAIL Yes
Netskope Alerts NETSKOPE_ALERT Yes
Okta System Log OKTA Yes
Okta Users OKTA_USER_CONTEXT Yes
Palo Alto Networks Autofocus PAN_IOC Yes
Palo Alto Networks Cortex XDR CORTEX_XDR Yes
Palo Alto Networks Prisma Cloud Audit Logs PAN_PRISMA_CLOUD Yes
Proofpoint on Demand PROOFPOINT_ON_DEMAND Yes
Proofpoint TAP PROOFPOINT_MAIL Yes
Qualys VM QUALYS_VM Yes
Qualys Scan QUALYS_SCAN No
Rapid7 InsightVM RAPID7_INSIGHT Yes
Recorded Future RECORDED_FUTURE_IOC Yes
RH-ISAC RH_ISAC_IOC Yes
Salesforce SALESFORCE Yes
SentinelOne Alert SENTINELONE_ALERT Yes
ServiceNow CMDB SERVICENOW_CMDB Yes
Symantec Event Export SYMANTEC_EVENT_EXPORT Yes
Thinkst Canary THINKST_CANARY Yes
ThreatConnect THREATCONNECT_IOC Yes
Workday WORKDAY Yes
Workday Audit Logs WORKDAY_AUDIT No
AWS EC2 Hosts AWS_EC2_HOSTS Yes
AWS EC2 Instances AWS_EC2_INSTANCES Yes
AWS EC2 VPCs AWS_EC2_VPCS Yes
AWS Identity and Access Management AWS_IAM Yes

Anomali ThreatStream

This section provides API reference details for the ANOMALI_IOC log type. For details about the data source, see the Anomali ThreatStream documentation.

Data source Ingest schedule details.feedSourceType details.logType
api.threatstream.com/api/v2/intelligence Every minute API ANOMALI_IOC

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.anomaliSettings.authentication.user Yes Username
details.anomaliSettings.authentication.secret Yes API key

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "ANOMALI_IOC",
   "anomaliSettings": {
     "authentication": {
       "user": "USERNAME",
       "secret": "APIKEY"
     }
   }
 }
}

AWS EC2 Hosts

This section provides API reference details for the AWS_EC2_HOSTS log type.

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:

Type-specific request fields

The following table lists the field values required when creating a feed to collect data for the AWS_EC2_HOSTS log type.

Field Required Description
details.awsEc2HostsSettings.authentication.user Yes This is the 20 character ID associated with your Amazon IAM account.
details.awsEc2HostsSettings.authentication.secret Yes This is the 40 character access key associated with your Amazon IAM account.

Sample Create Feed request

{
  "details": {
      "awsEc2HostsSettings": {
          "authentication": {
              "user": "AccessKeyID",
              "secret": "SecretAccessKey"
          }
      },
      "feedSourceType": "API",
      "logType": "AWS_EC2_HOSTS"
  }
}

AWS EC2 Instances

This section provides API reference details for the AWS_EC2_INSTANCES log type.

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:

Type-specific request fields

The following table lists the field values required when creating a feed to collect data for the AWS_EC2_INSTANCES log type.

Field Required Description
details.awsEc2InstancesSettings.authentication.user Yes This is the 20 character ID associated with your Amazon IAM account.
details.awsEc2InstancesSettings.authentication.secret Yes This is the 40 character access key associated with your Amazon IAM account.

Sample Create Feed request

{
  "details": {
      "awsEc2InstancesSettings": {
          "authentication": {
              "user": "AccessKeyID",
              "secret": "SecretAccessKey"
          }
      },
      "feedSourceType": "API",
      "logType": "AWS_EC2_INSTANCES"
  }
}

AWS EC2 VPCs

This section provides API reference details for the AWS_EC2_VPCS log type.

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:

Type-specific request fields

The following table lists the field values required when creating a feed to collect data for the AWS_EC2_VPCS log type.

Field Required Description
details.awsEc2VpcsSettings.authentication.user Yes This is the 20 character ID associated with your Amazon IAM account.
details.awsEc2VpcsSettings.authentication.secret Yes This is the 40 character access key associated with your Amazon IAM account.

Sample Create Feed request

{
  "details": {
      "awsEc2VpcsSettings": {
          "authentication": {
              "user": "AccessKeyID",
              "secret": "SecretAccessKey"
          }
      },
      "feedSourceType": "API",
      "logType": "AWS_EC2_VPCS"
  }
}

AWS Identity and Access Management

This section provides API reference details for the AWS_IAM log type.

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:

Type-specific request fields

The following table lists the field values required when creating a feed to collect data for the AWS_IAM log type.

Field Required Description
details.awsIamSettings.authentication.user Yes This is the 20 character ID associated with your Amazon IAM account.
details.awsIamSettings.authentication.secret Yes This is the 40 character access key associated with your Amazon IAM account.
details.awsIamSettings.apiType Yes API which needs to be called (Users/Roles/Groups).

Sample Create Feed request

{
  "details": {
      "awsIamSettings": {
          "authentication": {
              "user": "AccessKeyID",
              "secret": "SecretAccessKey"
          },
          "apiType": "USERS"
      },
      "feedSourceType": "API",
      "logType": "AWS_IAM"
  }
}

CrowdStrike Detection Monitoring

This section provides API reference details for the CS_DETECTS log type. For details about the data source, see the CrowdStrike Detection Monitoring documentation.

Data source Ingest schedule details.feedSourceType details.logType
  • api.crowdstrike.com/detects/queries/detects/v1
  • api.crowdstrike.com/detects/entities/summaries/GET/v1
Every minute API CS_DETECTS

Prerequisites

  • Get the values for all required request fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.crowdstrikeDetectsSettings.authentication.clientId Yes OAuth Client ID
details.crowdstrikeDetectsSettings.authentication.clientSecret Yes OAuth Client Secret
details.crowdstrikeDetectsSettings.authentication.tokenEndpoint Yes Authentication URL
details.crowdstrikeDetectsSettings.hostname Yes API Endpoint URL

Sample Create Feed request

{
  "details": {
    "feedSourceType": "API",
    "logType": "CS_DETECTS",
    "crowdstrikeDetectsSettings": {
      "authentication": {
          "clientId": "CLIENT ID",
          "clientSecret": "CLIENT SECRET",
          "tokenEndpoint": "https://api.us-2.crowdstrike.com/oauth2/token"
      },
      "hostname": "api.crowdstrike.com"
    }
  }
}

Steps to enable the CrowdStrike feed

Create a CrowdStrike API Client
  1. Within the CrowdStrike application, create an API client by navigating to Support and resources > API clients and keys.

    Select API clients and keys

  2. Create a new API Client with API scopes granting permission to Read Detections.

    Configure API client

  3. Record the values for: Base URL + Client ID + Client Secret. You will need these to set up the Feed in Chronicle.

    New OAuth2 API client

Set up the Chronicle feed
  1. Launch Chronicle, then select the Settings menu.
  2. Select Feeds in the left pane and click Add New.
  3. Select the Third Party API Source Type and the CrowdStrike Detection Monitoring log type.

    Set CS_DETECTS source type and log type

  4. Fill in the requested parameters gathered earlier from CrowdStrike and click Submit.

    Set CS_DETECTS input parameters

The feed will begin to retrieve all detections from the CrowdStrike instance in chronological order. Detections older than 6 months will be dropped. After the backfill is complete, which can take some time depending on the number of detections in CrowdStrike, the feed checks for new detections every 5 minutes.

Duo Authentication Logs

This section provides API reference details for the DUO_AUTH log type. For details about the data source, see the Duo Authentication Logs documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/admin/v2/logs/authentication Every 30 minutes API

Replace API_HOSTNAME with the fully qualified domain name of the API instance.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.duoAuthSettings.authentication.user Yes The username to authenticate to Duo.
details.duoAuthSettings.authentication.secret Yes The secret to authenticate to Duo.
details.duoAuthSettings.hostname Yes The fully qualified domain name for your instance of the API, such as api-myinstance.duosecurity.com.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_AUTH",
     "duoAuthSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "api-mytenant.duosecurity.com"
     }
   }
}

Duo Users

This section provides API reference details for the DUO_USER_CONTEXT log type. For details about the data source, see the Duo Users documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/admin/v1/users Every 24 hours API

Replace API_HOSTNAME with the fully qualified domain name of the API instance.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.duoUserContextSettings.authentication.user Yes The username to authenticate to Duo.
details.duoUserContextSettings.authentication.secret Yes The secret to authenticate to Duo.
details.duoUserContextSettings.hostname Yes The fully qualified domain name for your instance of the API, such as api-myinstance.duosecurity.com.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "DUO_USER_CONTEXT",
     "duoUserContextSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "hostname": "api-mytenant.duosecurity.com"
     }
   }
}

Fidelis Cloud Passage Events

This section provides API reference details for the CLOUD_PASSAGE log type. For details about the data source, see the Cloud Passage Events documentation.

Data source Ingest schedule details.feedSourceType
api.cloudpassage.com/events?event_types Every minute API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.cloudPassageSettings.authentication.user Yes The username that is used for authentication.
details.cloudPassageSettings.authentication.secret Yes The secret that is used for authentication.
details.cloudPassageSettings.eventTypes No The type of events to include in the response. If you don't specify any event types, then the following event types are fetched: fim_target_integrity_changed, lids_rule_failed, and sca_rule_failed.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "CLOUD_PASSAGE",
     "cloudPassageSettings": {
       "authentication": {
         "user": "api_key_id",
         "secret": "api_key_secret",
       }
       "eventTypes": [
         "fim_target_integrity_changed",
         "lids_rule_failed",
         "sca_rule_failed"
       ],
     }
   }
}

Fox-IT

This section provides API reference details for the FOX_IT_STIX log type. For details about the data source, see the Fox-IT documentation.

Prerequisites

  • Get the values for all authentication and SSL fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "FOX_IT_STIX",
     "foxItStixSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "SECRET"
       },
       "ssl": {
         "sslCertificate": "<cert>",
         "encodedPrivateKey": "key"
       },
       "pollServiceURI": "https://stix.fox-it.com/services/poll",
       "collection": "mycollection"
     }
   }
}

Google Cloud Identity Devices

This section provides API reference details for the GCP_CLOUDIDENTITY_DEVICES log type. For details about the data source, see the Google Cloud Identity Devices documentation.

Data source Ingest schedule details.feedSourceType
cloudidentity.googleapis.com/v1/devices Every 24 hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.googleCloudIdentityDevicesSettings.authentication.tokenEndpoint Yes The endpoint to retrieve the OAuth JSON web token.
details.googleCloudIdentityDevicesSettings.authentication.claims.issuer Yes The JWT claims issuer, which is usually a client ID.
details.googleCloudIdentityDevicesSettings.authentication.claims.subject Yes The JWT claims subject, which is usually an email ID.
details.googleCloudIdentityDevicesSettings.authentication.claims.audience Yes The JWT claims audience.
details.googleCloudIdentityDevicesSettings.authentication.rsCredentials.privateKey Yes An RSA private key in PEM format.
details.googleCloudIdentityDevicesSettings.apiVersion No The API version to use to fetch device information. The value must be either v1, v1beta1, or vx. If no version is specified, v1 is used.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICES",
   "googleCloudIdentityDevicesSettings": {
     "authentication": {
       "tokenEndPoint": "jwt_token_uri",
       "claims": {
         "issuer": "jwt_client_email",
         "subject": "user_email",
         "audience": "jwt_token_uri"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
     "apiVersion": "v1",
   }
 }
}

Google Cloud Identity Device Users

This section provides API reference details for the GCP_CLOUDIDENTITY_DEVICEUSERS log type. For details about the data source, see the Google Cloud Identity Device Users documentation.

Data source Ingest schedule details.feedSourceType
cloudidentity.googleapis.com/v1/devices/-/deviceUsers Every 24 hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.googleCloudIdentityDeviceUsersSettings.authentication.tokenEndpoint Yes The endpoint to retrieve the OAuth JSON web token.
details.googleCloudIdentityDeviceUsersSettings.authentication.claims.issuer Yes The JWT claims issuer, which is usually a client ID.
details.googleCloudIdentityDeviceUsersSettings.authentication.claims.subject Yes The JWT claims subject, which is usually an email ID.
details.googleCloudIdentityDeviceUsersSettings.authentication.claims.audience Yes The JWT claims audience.
details.googleCloudIdentityDeviceUsersSettings.authentication.rsCredentials.privateKey Yes An RSA private key in PEM format.
details.googleCloudIdentityDeviceUsersSettings.apiVersion No The API version to use to fetch device information. The value must be either v1, v1beta1, or vx. If no version is specified, v1 is used.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "GCP_CLOUDIDENTITY_DEVICEUSERS",
   "googleCloudIdentityDeviceUsersSettings": {
     "authentication": {
       "tokenEndPoint": "jwt_token_uri",
       "claims": {
         "issuer": "jwt_client_email",
         "subject": "user_email",
         "audience": "jwt_token_uri"
       },
       "rsCredentials": {
         "private_key": "privatekey"
       }
     },
   }
 }
}

Google Workspace Activities

This section provides API reference details for the WORKSPACE_ACTIVITY log type. For details about the data source, see the Google Workspace Activities documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every hour API WORKSPACE_ACTIVITY

Prerequisites

In order for Chronicle to ingest Google Workspace activities, you must do the following:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes the Reports admin privilege, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceActivitySettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Reports privilege.
details.workspaceActivitySettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceActivitySettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Also note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceActivitySettings.workspaceCustomerId Yes The Google Workspace customer ID. The customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.
details.workspaceActivitySettings.applications Yes The Google Workspace applications to gather activities for. See below for valid values.

Google Workspace applications

Activities are associated with one or more applications. The applications that Chronicle supports include the following.

details.workspaceActivitySettings.applications Description
access_transparency Access Transparency log events
admin Admin log events
calendar Calendar log events
chat Chat log events
drive Drive log events
gcp Google Cloud activity events
gplus Currents log events
groups Groups log events
groups_enterprise Groups Enterprise log events
jamboard Jamboard log events
login User log events
meet Meet log events
mobile Device log events
rules Rule log events (beta)
saml SAML log events
token OAuth log events
user_accounts User log events
context_aware_access Context-Aware Access log events
chrome Chrome log events
data_studio Looker Studio log events
keep Keep log events

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ACTIVITY",
   "workspaceActivitySettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----
ABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=
         -----END PRIVATE KEY-----"
       },
     },
     "workspaceCustomerId": "C1e2x3ample",
     "applications": [
       "admin",
       "groups",
       "mobile"
     ],
   }
 }
}

Google Workspace Alerts

This section provides API reference details for the WORKSPACE_ALERTS log type. For details about the data source, see the Google Workspace Alerts documentation.

Data source Ingest schedule details.feedSourceType details.logType
alertcenter.googleapis.com Every hour API WORKSPACE_ALERTS

Prerequisites

For Chronicle to ingest Google Workspace alerts, complete the following steps:

  1. Enable the Alert Center API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Alert Center API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Alert Center view access, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceAlertsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Alert Center view access.
details.workspaceAlertsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceAlertsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the Alert Center API. Note that literal newline characters (\n) should be replaced with carriage returns. Also note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceAlertsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must not have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have has a leading 'C', then remove it before including in your request.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_ALERTS",
   "workspaceAlertsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "1e2x3ample"
   }
 }
}

Google Workspace ChromeOS Devices

This section provides API reference details for the WORKSPACE_CHROMEOS log type. For details about the data source, see the Google Workspace ChromeOS Devices documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_CHROMEOS

Prerequisites

For Chronicle to ingest Google Workspace ChromeOS devices, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Chrome Management Settings access, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceChromeOsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with Reports privilege.
details.workspaceChromeOsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceChromeOsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Replace the literal newline characters (\n) with carriage returns. The field name is rsCredentials, and not rsaCredentials.
details.workspaceChromeOsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_CHROMEOS",
   "workspaceChromeOsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Groups

This section provides API reference details for the WORKSPACE_GROUPS log type. For details about the data source, see the Google Workspace Groups documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_GROUPS

Prerequisites

For Chronicle to ingest Google Workspace groups, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API Group read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceGroupsSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API Group read privilege.
details.workspaceGroupsSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceGroupsSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceGroupsSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_GROUPS",
   "workspaceGroupsSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Mobile Devices

This section provides API reference details for the WORKSPACE_MOBILE log type. For details about the data source, see the Google Workspace Mobile Devices documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_MOBILE

Prerequisites

For Chronicle to ingest Google Workspace mobile devices, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API Group read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceMobileSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API Group read privilege.
details.workspaceMobileSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceMobileSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceMobileSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C', then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_MOBILE",
   "workspaceMobileSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Privileges

This section provides API reference details for the WORKSPACE_PRIVILEGES log type. For details about the data source, see the Google Workspace Privileges documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_PRIVILEGES

Prerequisites

For Chronicle to ingest Google Workspace privileges, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it a super admin role.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspacePrivilegesSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user.
details.workspacePrivilegesSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspacePrivilegesSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspacePrivilegesSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_PRIVILEGES",
   "workspacePrivilegesSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Google Workspace Users

This section provides API reference details for the WORKSPACE_USERS log type. For details about the data source, see the Google Workspace Users documentation.

Data source Ingest schedule details.feedSourceType details.logType
admin.googleapis.com Every 24 hours API WORKSPACE_USERS

Prerequisites

For Chronicle to ingest Google Workspace users, complete the following steps:

  1. Enable the Admin SDK API on your Google Cloud project.
  2. Create a Service Account which will be used to authenticate against the Admin API.
  3. Generate a JSON key for the Service Account.
  4. Create a domain-wide delegation for the Service Account with the following OAuth scope:
  5. Create a Google Workspace user and assign it an admin role which includes Admin API User read privileges, or create a custom role which includes that privilege.
  6. Locate your Google Workspace customer ID.

To learn more about how to configure a feed to ingest Google Workspace logs, see Collect Google Workspace logs.

Type-specific request fields

Field Required Description
details.workspaceUserSettings.authentication.tokenEndpoint Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.claims.issuer Yes The value of the client_email field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.claims.subject Yes The email address of the Google Workspace admin user with the Admin API User read privilege.
details.workspaceUserSettings.authentication.claims.audience Yes The value of the token_uri field in the JSON key for the service account created to access the admin API.
details.workspaceUserSettings.authentication.rsCredentials.privateKey Yes The value of the private_key field in the JSON key for the service account created to access the admin API. Note that literal newline characters (\n) should be replaced with carriage returns. Note that the field name is rsCredentials, and not rsaCredentials.
details.workspaceUserSettings.workspaceCustomerId Yes The Google Workspace customer ID. Note that the customer ID must have a leading 'C' character. The customer ID may appear differently depending on where in the Google admin console it is found. If the customer ID you have does not have a leading 'C' then prepend what you have with a 'C'.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "WORKSPACE_USERS",
   "workspaceUserSettings": {
     "authentication": {
       "tokenEndpoint": "https://accounts.google.com/o/oauth2/token",
       "claims": {
         "issuer": "service-account@project.iam.gserviceaccount.com",
         "subject": "user@domain.com",
         "audience": "https://accounts.google.com/o/oauth2/token"
       },
       "rsCredentials": {
         "privateKey": "-----BEGIN PRIVATE KEY-----\nABCDeFGHIJKLMnopqrsT0u1VWXY...z/abCdefgHIJK+lMN2o345P=\n-----END PRIVATE KEY-----"
       }
     },
     "workspaceCustomerId": "C1e2x3ample"
   }
 }
}

Imperva

This section provides API reference details for the IMPERVA_WAF log type. For details about the data source, see the Imperva documentation.

Data source Ingest schedule details.feedSourceType
api.imperva.com/audit-trail/v2/events Every 24 hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.impervaWafSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate against api.imperva.com, in key-value format.

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "IMPERVA_WAF",
     "impervaWafSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "key",
            "value": "value"
         }]
       }
     }
   }
}

Microsoft Azure Active Directory Audit

This section provides API reference details for the AZURE_AD_AUDIT log type. For details about the data source, see the Azure Active Directory Audit documentation.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every minute API AZURE_AD_AUDIT

Prerequisites

  • Get an Azure AD Premium P1 or P2 license. For more information, see What licenses do I need?
  • Get the values for all required request fields. Note that the token endpoint for OAuth 2.0 is: https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against the Microsoft Graph API to access directory audits must have the permissions AuditLog.Read.All and Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdAuditSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdAuditSettings.authentication.clientSecret Yes OAuth client secret
details.azureAdAuditSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdAuditSettings.hostname No The API full path. The default value is graph.microsoft.com/v1.0/auditLogs/directoryAudits

Test the API endpoint by using curl

Before you create the feed, you can test the Microsoft Graph API endpoint by using curl.

  1. Request an OAuth token to authenticate your request to the API resource.
    curl 'https://login.microsoftonline.com/TENANT_ID/oauth2/token' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'client_id=CLIENT_ID' \
        --data-urlencode 'client_secret=CLIENT_SECRET' \
        --data-urlencode 'resource=https://graph.microsoft.com'
    

    Replace the following:

    • CLIENT_ID: OAuth client ID
    • CLIENT_SECRET: OAuth client secret
    • TENANT_ID: Tenant ID

    The result of the curl request is a JSON response that contains the OAuth access token.

  2. Send a request to the Microsoft Graph API endpoint using the OAuth token.
    curl 'https://graph.microsoft.com/v1.0/auditLogs/signIns' \
        --header 'Accept: application/json' \
        --header 'Authorization: Bearer ACCESS_TOKEN'
    

    Replace ACCESS_TOKEN with the value of the OAuth access token that you obtained from the previous step.

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD_AUDIT",
   "azureAdAuditSettings": {
     "authentication": {
       "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
     "hostname": "graph.microsoft.com/v1.0/auditLogs/directoryAudits"
   }
 }
}

Microsoft Azure Active Directory Organizational Context

This section provides API reference details for the AZURE_AD_CONTEXT log type. For details about the data source, see the Microsoft Graph API List users endpoint, which this feed uses to retrieve device and group data.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every 24 hours API AZURE_AD_CONTEXT

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against Microsoft Graph API to access organizational context must have permissions Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdContextSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdContextSettings.authentication.clientSecret Yes OAuth client secret
details.azureAdContextSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdContextSettings.retrieveDevices No Whether to retrieve device information
details.azureAdContextSettings.retrieveGroups No Whether to retrieve user group information
details.azureAdContextSettings.hostname No The API full path. The default value is graph.microsoft.com/beta

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD_CONTEXT",
   "azureAdContextSettings": {
     "authentication": {
       "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
     "retrieveDevices": false,
     "retrieveGroups": false,
     "hostname": "graph.microsoft.com/beta"
   }
 }
}

Microsoft Azure Active Directory Sign-ins

This section provides API reference details for the AZURE_AD log type. For details about the data source, see the Azure Active Directory Sign-ins documentation.

Data source Ingest schedule details.feedSourceType details.logType
graph.microsoft.com Every minute API AZURE_AD

Prerequisites

  • Get an Azure AD Premium P1 or P2 license. For more information, see What licenses do I need?
  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against Microsoft Graph API to access sign-ins must have permissions AuditLog.Read.All and Directory.Read.All.

Type-specific request fields

Field Required Description
details.azureAdSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.azureAdSettings.authentication.clientSecret Yes OAuth client secret
details.azureAdSettings.tenantId Yes Tenant ID (a UUID)
details.azureAdSettings.hostname No The API full path. The default value is graph.microsoft.com/v1.0/auditLogs/signIns

Sample Create Feed request

{
 "details": {
   "feedSourceType": "API",
   "logType": "AZURE_AD",
   "azureAdSettings": {
     "authentication": {
       "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
       "clientSecret": "clientSecret"
     },
     "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
     "hostname": "graph.microsoft.com/v1.0/auditLogs/signIns"
   }
 }
}

Microsoft Azure Microsoft Device Management Intune Audit Events

This section provides API reference details for the AZURE_MDM_INTUNE log type. For details about the data source, see the Azure Microsoft Device Management Intune Audit Events documentation.

Data source Ingest schedule details.feedSourceType
The Microsoft Graph REST API endpoint URL. The default value is graph.microsoft.com/beta/deviceManagement/auditEvents Every minute API

Prerequisites

  • Get an active Intune license.
  • Get the values for all authentication fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permission:
    • The provisioned OAuth client must have permission DeviceManagementApps.Read.All or DeviceManagementApps.ReadWrite.All.

Type-specific request fields

Field Required Description
details.azureMdmIntuneSettings.authentication.clientId Yes The OAuth client ID.
details.azureMdmIntuneSettings.authentication.clientSecret Yes The client secret.
details.azureMdmIntuneSettings.tenantId Yes The tenant ID, which is a UUID.
details.azureMdmIntuneSettings.hostname No The Microsoft Graph REST API endpoint URL. The following is the default value: graph.microsoft.com/beta/deviceManagement/auditEvents.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "AZURE_MDM_INTUNE",
     "azureMdmIntuneSettings": {
       "authentication": {
         "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
       "hostname": "graph.microsoft.com/beta/deviceManagement/auditEvents"
     }
   }
}

Microsoft Graph Security API Alerts

This section provides API reference details for the MICROSOFT_GRAPH_ALERT log type. For details about the data source, see Microsoft Graph Security Legacy List alerts and List alerts_v2.

Data source Ingest schedule details.feedSourceType
  • graph.microsoft.com/v1.0/security/alerts
  • graph.microsoft.com/beta/security/alerts_v2
Every minute API

Prerequisites

  • Get the values for authentication fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used must have permissions SecurityEvents.Read.All.

Type-specific request fields

Field Required Description
details.microsoftGraphAlertSettings.authentication.clientId Yes OAuth client ID (a UUID)
details.microsoftGraphAlertSettings.authentication.clientSecret Yes OAuth client secret
details.microsoftGraphAlertSettings.tenantId Yes Tenant ID (a UUID)
details.microsoftGraphAlertSettings.authEndpoint Yes The Microsoft Active Directory authentication endpoint. The default value is login.microsoftonline.com.
details.microsoftGraphAlertSettings.hostname No The API full path. The default value is graph.microsoft.com/v1.0/security/alerts

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "MICROSOFT_GRAPH_ALERT",
     "microsoftGraphAlertSettings": {
       "authentication": {
         "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
       "hostname": "graph.microsoft.com/v1.0/security/alerts",
       "authEndpoint": "login.microsoftonline.com"
     }
   }
}

Microsoft Office 365 Management Activity

This section provides API reference details for the OFFICE_365 log type. For details about the data source, see the Microsoft Office 365 Management Activity documentation.

Data source Ingest schedule details.feedSourceType details.logType
  • manage.office.com
  • manage-gcc.office.com
Every minute API OFFICE_365

Prerequisites

  • Get the values for all required request fields. The token endpoint for OAuth 2.0 is https://login.microsoftonline.com/{tenantId}/oauth2/token
  • Get the following required permissions:
    • The user whose credentials are used to authenticate against the API must have the ActivityFeed.Read permission. If you ingest DLP data, the ActivityFeed.ReadDlp permission is also required.

To learn more about how to configure a feed to ingest Microsoft Office 365 logs, see Collect Microsoft 365 logs.

Type-specific request fields

Field Required Description
details.office365Settings.authentication.clientId Yes OAuth client ID (a UUID)
details.office365Settings.authentication.clientSecret Yes OAuth client secret
details.office365Settings.tenantId Yes Tenant ID (a UUID)
details.office365Settings.contentType Yes The type of logs to fetch. See Office 365 Content Type below for the valid values.
details.office365Settings.hostname No The API full path. The default value is manage.office.com/api/v1.0

Office 365 Content Type

This table lists the valid values of details.office365Settings.contentType for the OFFICE_365 log type. For details about the data source, see the Office 365 Content Type documentation.

details.office365Settings.contentType Description
AUDIT_AZURE_ACTIVE_DIRECTORY Azure Active Directory audit logs.
AUDIT_EXCHANGE Azure Exchange audit logs.
AUDIT_SHARE_POINT Azure SharePoint audit logs.
AUDIT_GENERAL All other workloads not included in other Audit content types.
DLP_ALL DLP events only for all workloads.

Test the API endpoint by using curl

Before you create the feed, you can test the Office 365 Management Activity API endpoint by using curl.

  1. Request an OAuth token to authenticate your request to the API resource.
    curl 'https://login.microsoftonline.com/TENANT_ID/oauth2/token' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'client_id=CLIENT_ID' \
        --data-urlencode 'client_secret=CLIENT_SECRET' \
        --data-urlencode 'resource=https://manage.office.com'
    

    Replace the following:

    • CLIENT_ID: OAuth client ID
    • CLIENT_SECRET: OAuth client secret
    • TENANT_ID: Tenant ID

    The result of the curl request is a JSON response that contains the OAuth access token.

  2. Send a request to the Office 365 Management Activity API using the OAuth token.
    curl 'https://manage.office.com/api/v1.0/TENANT_ID/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory' \
        --header 'Authorization: Bearer ACCESS_TOKEN'
    

    Replace ACCESS_TOKEN with the value of the OAuth access token that you obtained from the previous step.
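The curl walkthrough above and the one in the Microsoft Azure Active Directory Audit section perform the same OAuth 2.0 client-credentials grant against the v1 token endpoint; only the resource differs (https://graph.microsoft.com versus https://manage.office.com). The following Python is an added example, not code from the page or from Chronicle: it obtains the token with the standard library, then reuses it for both the Graph endpoint (following @odata.nextLink, which the single curl call does not show) and the Office 365 content listing. The http_request transport parameter, the helper names and the injected fake responses are constructions for this example; the endpoints and form fields are the ones the page's curl commands use.

```python
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def http_request(url, data=None, headers=None):
    """Default transport: one HTTPS call with urllib. Tests inject a fake instead."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def get_access_token(tenant_id, client_id, client_secret, resource, http=http_request):
    """Step 1: client_credentials grant, i.e. the page's first curl command as code."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    raw = http(TOKEN_ENDPOINT.format(tenant_id=tenant_id), data=body,
               headers={"Content-Type": "application/x-www-form-urlencoded"})
    token = json.loads(raw)
    if "access_token" not in token:
        # Azure AD reports failures in the JSON body; surface the description, never the secret.
        raise RuntimeError("token request failed: " + token.get("error_description", "no access_token"))
    return token["access_token"]


def fetch_graph_collection(url, access_token, http=http_request, max_pages=100):
    """Step 2 for Graph endpoints: GET the collection and follow @odata.nextLink.

    max_pages bounds the walk so a mis-set filter cannot turn into an endless crawl.
    """
    headers = {"Accept": "application/json", "Authorization": "Bearer " + access_token}
    items, pages = [], 0
    while url and pages < max_pages:
        page = json.loads(http(url, headers=headers))
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return items


def list_o365_content(tenant_id, content_type, access_token, http=http_request,
                      hostname="manage.office.com/api/v1.0"):
    """Step 2 for the Office 365 Management Activity API: list the available content blobs.

    hostname defaults to the page's default details.office365Settings.hostname value.
    """
    url = "https://{}/{}/activity/feed/subscriptions/content?contentType={}".format(
        hostname, tenant_id, urllib.parse.quote(content_type))
    return json.loads(http(url, headers={"Authorization": "Bearer " + access_token}))


if __name__ == "__main__":
    # Real run: fill in your own tenant and client values (placeholders here).
    token = get_access_token("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "https://graph.microsoft.com")
    audits = fetch_graph_collection("https://graph.microsoft.com/v1.0/auditLogs/directoryAudits", token)
    print(len(audits), "directory audit records")
```

The Graph URL is just "https://" plus the feed's hostname value, so the same function tests the Sign-ins default (graph.microsoft.com/v1.0/auditLogs/signIns) and the Intune and Graph Security alert endpoints listed later on this page.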

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "OFFICE_365",
     "office365Settings": {
       "authentication": {
         "clientId": "0ab12c34-d5ef-678g-9012-hi34j56k78l9",
         "clientSecret": "clientSecret"
       },
       "tenantId": "0ab123c4-de56-78fg-90h1-ijk2l3456789",
       "contentType": "AUDIT_AZURE_ACTIVE_DIRECTORY",
       "hostname": "manage.office.com/api/v1.0"
     }
   }
}

Mimecast

This section provides API reference details for the MIMECAST_MAIL log type. For details about the data source, see the Mimecast documentation.

Data source Ingest schedule details.feedSourceType
The fully qualified domain name of your Mimecast API endpoint, such as us-api.mimecast.com. Every minute API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.mimecastMailSettings.authentication.headerKeyValues Yes The configuration in the key-value format that is used to construct the authentication header.
details.mimecastMailSettings.hostname Yes The fully qualified domain name of your Mimecast API endpoint, such as us-api.mimecast.com.

Test the endpoint

Mimecast MTA logs are downloaded from the /api/audit/get-siem-logs endpoint. To use this endpoint, send a POST request to it.

For details on how to use the API, see the sample code in the Mimecast documentation.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "MIMECAST_MAIL",
     "mimecastMailSettings": {
       "authentication": {
         "headerKeyValues": [
           {
             "key": "access_key",
             "value": "ACCESS_KEY"
           },
           {
             "key": "app_id",
             "value": "APP_ID"
           },
           {
             "key": "app_key",
             "value": "APP_KEY"
           },
           {
             "key": "secret_key",
             "value": "SECRET_KEY"
           }
         ]
       },
       "hostname": "xx-api.mimecast.com"
     }
   }
}
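The four headerKeyValues in the sample above are the inputs to Mimecast's API 1.0 request signing, which is what "construct the authentication header" in the field table refers to. The following Python is an added example, not code from the page, from Chronicle or from Mimecast: it pulls the credentials out of the feed's headerKeyValues list and signs a POST to the /api/audit/get-siem-logs endpoint the page names. The signing scheme (HMAC-SHA1 over date:request-id:uri:app_key keyed with the base64-decoded secret, sent as "MC access_key:signature" with x-mc-app-id, x-mc-date and x-mc-req-id headers) is reproduced here from Mimecast's published sample code and is an assumption to verify against the Mimecast documentation the page links; the sample credential values and the MTA/json request body shape are constructed for this example.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone

SIEM_LOGS_URI = "/api/audit/get-siem-logs"  # endpoint named on the page
REQUIRED_KEYS = {"access_key", "app_id", "app_key", "secret_key"}


def credentials_from_header_key_values(header_key_values):
    """Turn the feed's headerKeyValues list into a dict and check all four keys are present."""
    creds = {kv["key"]: kv["value"] for kv in header_key_values}
    missing = REQUIRED_KEYS - creds.keys()
    if missing:
        raise ValueError("missing Mimecast credentials: " + ", ".join(sorted(missing)))
    return creds


def mimecast_headers(creds, uri=SIEM_LOGS_URI, hdr_date=None, request_id=None):
    """Build the signed headers for one Mimecast API 1.0 request (assumed scheme, see lead-in).

    hdr_date and request_id are injectable so a test can check the signature is deterministic.
    """
    if hdr_date is None:
        hdr_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC")
    if request_id is None:
        request_id = str(uuid.uuid4())
    data_to_sign = ":".join([hdr_date, request_id, uri, creds["app_key"]]).encode()
    key = base64.b64decode(creds["secret_key"])  # secret_key is base64 as issued
    digest = hmac.new(key, data_to_sign, hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    return {
        "Authorization": "MC {}:{}".format(creds["access_key"], signature),
        "x-mc-app-id": creds["app_id"],
        "x-mc-date": hdr_date,
        "x-mc-req-id": request_id,
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def siem_logs_body(page_token=None):
    """Request body for get-siem-logs: MTA logs as JSON; page_token continues an earlier page."""
    entry = {"type": "MTA", "fileFormat": "json"}
    if page_token:
        entry["token"] = page_token
    return {"data": [entry]}


# Constructed placeholders in the shape of the page's sample headerKeyValues.
SAMPLE_HEADER_KEY_VALUES = [
    {"key": "access_key", "value": "ACCESS_KEY"},
    {"key": "app_id", "value": "APP_ID"},
    {"key": "app_key", "value": "APP_KEY"},
    {"key": "secret_key", "value": base64.b64encode(b"constructed-secret").decode()},
]


if __name__ == "__main__":
    creds = credentials_from_header_key_values(SAMPLE_HEADER_KEY_VALUES)
    for name, value in mimecast_headers(creds).items():
        print(name + ": " + value)
    print(siem_logs_body())
```

Because the date is part of the signed string, a request is only valid around the time it was signed; clock drift on the host that runs this is the first thing to check when the API rejects the header.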

Netskope Alerts

This section provides API reference details for the NETSKOPE_ALERT log type. For details about the data source, see the Netskope Alerts documentation. Netskope REST API v1 data is supported.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/api/v1/alerts Every 10 minutes API

Replace API_HOSTNAME with the fully qualified domain name of your Netskope REST API endpoint, such as myinstance.goskope.com.

Prerequisites

  • Get the values for all authentication fields. Use auth tokens for the Netskope REST API v1.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.netskopeAlertSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate against Netskope, in key-value format.
details.netskopeAlertSettings.hostname Yes The fully qualified domain name of your Netskope REST API endpoint.
details.netskopeAlertSettings.feedName Yes The REST endpoint to connect to: alerts or events.
details.netskopeAlertSettings.contentType Yes The value of the type query parameter that determines which type of event or alert is acquired.

Optional fields

initialStartTime

Test the API endpoint

Before you create the feed, you can test the Netskope alerts API endpoint by sending a POST request to https://TENANT_URL/api/v1/alerts. This endpoint returns alerts generated by Netskope.

The following is an example request using curl:

curl -X POST 'https://TENANT_URL/api/v1/alerts' \
    -H 'Content-Type: application/json' \
    -d 'timeperiod=86400' \
    -d 'type=Security%20Assessment' \
    -d 'limit=1' \
    -d 'stimeperiod=2592000' \
    -d 'query=%28compliance_standards.standard%20eq%20%27CSA-CCM-3.0.1%27%29' \
    -d 'token=ACCESS_TOKEN'

Replace the following:

  • TENANT_URL: URL of your tenant
  • ACCESS_TOKEN: OAuth access token

To learn more about the different query parameters that can be used as a part of the request, see the Get Alerts Data page in the Netskope documentation.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "NETSKOPE_ALERT",
     "netskopeAlertSettings": {
       "authentication": {
         "headerKeyValues": [{
          "key": "token",
          "value": "token_value"
         }]
       },
       "content_type": "all",
       "hostname": "myinstance.goskope.com",
       "feedName": "alerts"
     }
   }
}

Okta System Log

This section provides API reference details for the OKTA log type. For details about the data source, see the Okta System Log documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/api/v1/logs Every minute API

Replace API_HOSTNAME with the fully qualified domain name of your Okta instance, such as example.okta.com.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.oktaUserContextSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate Okta in key-value format.
details.oktaUserContextSettings.hostname Yes The fully qualified domain name of your Okta instance.

Test the API endpoint

Before you create the feed, you can test the Okta System Log API endpoint by sending a GET request to OKTA_URL/api/v1/logs. This endpoint returns system log events that can be ingested into a SIEM platform.

The following is an example request to obtain system log events from a particular point of time in the past:

curl -v -X GET \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -H "Authorization: SSWS API_TOKEN" \
    "https://OKTA_URL/api/v1/logs?since=DATETIME"

Replace the following:

  • API_TOKEN: OAuth access token
  • OKTA_URL: fully qualified domain name of your Okta instance, such as example.okta.com
  • DATETIME: timestamp in UTC format according to ISO 8601, separating date and time with a T. For example: 2024-01-31T00:00:00Z. The API will fetch the logs recorded after the specified timestamp.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname"
     }
   }
}

Okta Users

This section provides API reference details for the OKTA_USER_CONTEXT log type. For details about the data source, see the Okta Users documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/api/v1/logs Every minute API

Replace API_HOSTNAME with the fully qualified domain name of your Okta instance, such as example.okta.com.

Prerequisites

  • Get the values for hostname and all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.oktaUserContextSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate Okta in key-value format.
details.oktaUserContextSettings.hostname Yes The fully qualified domain name of your Okta instance.
details.oktaUserContextSettings.managerIdReferenceField No This ID is required when you use a non-Okta ID to reference managers.

Sample Create Feed request

managerIdReferenceField is required when you use a non-Okta ID to reference managers. It should be a JSON field path pointing to the field that contains the manager ID in the result of a call to the "users" Okta API.

{
   "details": {
     "feedSourceType": "API",
     "logType": "OKTA_USER_CONTEXT",
     "oktaSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "APITOKEN"
          }]
       },
       "hostname": "hostname",
       "managerIdReferenceField": "fooId"
     }
   }
}

Palo Alto Networks AutoFocus

This section provides API reference details for the PAN_IOC log type. For details about the data source, see the Palo Alto Networks AutoFocus documentation.

Prerequisites

  • Get the values for feedId, feed, and all authentication fields.
  • Get the following required permissions:
    • None

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PAN_IOC",
     "panIocSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "key",
            "value": "value"
         }]
       },
       "feedId": "ID",
       "feed": "feed"
     }
   }
}

Palo Alto Networks Cortex XDR

This section provides API reference details for the CORTEX_XDR log type. For details about the data source, see the Palo Alto Networks Cortex XDR documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/public_api/v1/incidents/get_incidents Every five minutes API

Replace API_HOSTNAME with the fully qualified domain name of your instance, such as api-abcd.xdr.ab.paloaltonetworks.com.

Prerequisites

  • Get the values for all authentication fields.
  • Make sure the API key is an advanced key, not a standard key.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.cortexXdrSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate Cortex XDR API in key-value format.
details.cortexXdrSettings.hostname Yes The fully qualified domain name of your Cortex XDR instance.
details.cortexXdrSettings.endpoint No The API endpoint to connect to retrieve logs, which include incidents or alerts.

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "CORTEX_XDR",
     "cortexXdrSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "api_key"
         },
         {
            "key": "x-xdr-auth-id",
            "value": "api_key_id"
         }
         ]
       },
       "hostname": "api-abcd.xdr.ab.paloaltonetworks.com",
       "endpoint": "incidents"
     }
   }
}

Palo Alto Networks Prisma Cloud Audit Logs

This section provides API reference details for the PAN_PRISMA_CLOUD log type. For details about the data source, see the Palo Alto Networks Prisma Cloud Audit Logs documentation.

Data source Ingest schedule details.feedSourceType
autofocus.paloaltonetworks.com/api/v1.0/IOCFeed/FEED_ID/FEED_NAME Every five minutes API

Replace FEED_ID and FEED_NAME with the Chronicle feed ID and feed name respectively.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.panPrismaCloudSettings.authentication.user Yes The Prisma Cloud username.
details.panPrismaCloudSettings.authentication.password Yes The Prisma Cloud password.
details.panPrismaCloudSettings.hostname Yes The Palo Alto Prisma Cloud API hostname.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PAN_PRISMA_CLOUD",
     "panPrismaCloudSettings": {
       "authentication": {
         "user": "user",
         "password": "password"
       },
       "hostname": "api2.prismacloud.io"
     }
   }
}

Proofpoint on Demand

This section provides API reference details for the PROOFPOINT_ON_DEMAND log type. For details about the data source, see the Proofpoint on Demand documentation.

Data source Ingest schedule details.feedSourceType
The default data endpoint is used. Every hour API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.proofpointOnDemandSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate logstream.proofpoint.com in the key-value format.
details.proofpointOnDemandSettings.clusterId Yes The cluster ID, which is a user group string.

Other fields

proofpointOnDemandSourceDetails

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_ON_DEMAND",
     "proofpointOnDemandSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "clusterId": "ID"
     }
   }
}

Proofpoint TAP

This section provides API reference details for the PROOFPOINT_MAIL log type. For details about the data source, see the Proofpoint SIEM API documentation.

Data source Ingest schedule details.feedSourceType
The default data endpoint is used. Every 24 hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.proofpointMailSettings.authentication.user Yes The user account required for authentication.
details.proofpointMailSettings.authentication.secret Yes The secret required for authentication.

Test the endpoint

Before you create the feed, you can test the Proofpoint TAP SIEM API endpoint by sending a GET request to /v2/siem/all.

To fetch events for all clicks and messages relating to known threats within the specified time period, use a GET request as follows:

curl \
"https://tap-api-v2.proofpoint.com/v2/siem/all?format=syslog&sinceSeconds=SECONDS" \
--user "PRINCIPAL:SECRET" \
-s

Replace the following:

  • SECONDS: an integer representing a time window in seconds from the current API server time. For example, 3600.

  • PRINCIPAL: Proofpoint service principal to authenticate to the SIEM API.

  • SECRET: Proofpoint API secret to authenticate to the SIEM API.

To learn more about the different query parameters that can be used as a part of the request, see the Proofpoint TAP SIEM API documentation.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "PROOFPOINT_MAIL",
     "proofpointMailSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       }
     }
   }
}

Qualys VM

This section provides API reference details for the QUALYS_VM log type. For details about the data source, see the Qualys VM documentation (PDF).

Data source Ingest schedule details.feedSourceType
The domain and full path of the resource, such as qualysapi.qualys.com/api/2.0/fo/asset/host/?action=list. Every minute API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.qualysVmSettings.authentication.user Yes The user account required for authentication.
details.qualysVmSettings.authentication.secret Yes The secret required for authentication.
details.qualysVmSettings.hostname Yes The domain and full path of the resource, such as qualysapi.qualys.com/api/2.0/fo/asset/host/?action=list.

Test the endpoints by using curl

Before you create the feed, you can test the API endpoints by using curl.

  • To test the endpoint for the Qualys VM Host List API, use the following curl command:
    curl -H "X-Requested-With: Curl Sample" -u "USERNAME:PASSWORD" \
    "https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/asset/host/?action=list"
    
  • To test the endpoint for the Qualys VM Host List Detection API, use the following curl command:
    curl -H "X-Requested-With: Curl Sample" -u "USERNAME:PASSWORD" \
    "https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list"
    

Replace the following:

  • USERNAME: username of your Qualys account
  • PASSWORD: password of your Qualys account

Sample Create Feed request for Qualys VM Host List API

{
   "details": {
     "feedSourceType": "API",
     "logType": "QUALYS_VM",
     "qualysVmSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "PASSWORD"
       },
       "hostname": "qualysapi.qualys.com/api/2.0/fo/asset/host/?action=list"
     }
   }
}

Sample Create Feed request for Qualys VM Host List Detection API

{
   "details": {
     "feedSourceType": "API",
     "logType": "QUALYS_VM",
     "qualysVmSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "PASSWORD"
       },
       "hostname": "qualysapi.qualys.com/api/2.0/fo/asset/host/vm/detection/?action=list"
     }
   }
}

Qualys Scan

This section provides API reference details for the QUALYS_SCAN log type. For details about the data source, see the Qualys VM documentation (PDF).

Data source Ingest schedule details.feedSourceType details.logType
qualysapi.qualys.com Every day API QUALYS_SCAN

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • Ensure API access is enabled for the user.

Scan APIs

The Qualys Scan APIs that Chronicle supports include the following.

details.qualysScanSettings.api_type Description
SCAN_SUMMARY_OUTPUT Scan Summaries API to identify which hosts were scanned or not scanned and why.
SCAN_COMPLIANCE_OUTPUT Scan Compliance API to list the compliance scans in your Qualys account.
SCAN_COMPLIANCE_CONTROL_OUTPUT Compliance Control API to view a list of compliance controls which are visible to the user.

Test the endpoints by using curl

Before you create the feed, you can test the API endpoints by using curl.

  • To test the endpoint for the API type SCAN_SUMMARY_OUTPUT, use the following curl command:
    curl -H "X-Requested-With: Curl Sample" -u "USERNAME:PASSWORD" \
    "https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/scan/vm/summary/?action=list&scan_datetime_since=DATETIME"
    
  • To test the endpoint for the API type SCAN_COMPLIANCE_OUTPUT, use the following curl command:
    curl -H "X-Requested-With: Curl Sample" -u "USERNAME:PASSWORD" \
    "https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/scan/compliance/?action=list&launched_after_datetime=DATETIME"
    
  • To test the endpoint for the API type SCAN_COMPLIANCE_CONTROL_OUTPUT, use the following curl command:
    curl -H "X-Requested-With: Curl Sample" -u "USERNAME:PASSWORD" \
    "https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/compliance/control/?action=list&updated_after_datetime=DATETIME"
    

Replace the following:

  • USERNAME: username of your Qualys account
  • PASSWORD: password of your Qualys account
  • DATETIME: timestamp in UTC format according to ISO 8601, separating date and time with a T. For example: 2024-01-31T18:00:42Z. The API will fetch the logs recorded after the specified timestamp.

Sample Create Feed request for Qualys Scan API

{
   "details": {
     "feedSourceType": "API",
     "logType": "QUALYS_SCAN",
     "qualysScanSettings": {
       "authentication": {
         "user": "USERNAME",
         "secret": "PASSWORD"
       },
       "hostname": "qualysapi.qualys.com",
       "api_type": "SCAN_SUMMARY_OUTPUT"
     }
   }
}

Rapid7 InsightVM

This section provides API reference details for the RAPID7_INSIGHT log type. For details about the data source, see the Rapid7 InsightVM documentation.

Data source Ingest schedule details.feedSourceType
The REST endpoint, which must be either vulnerabilities or assets. Every minute API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.rapid7InsightSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate us.api.insight.rapid7.com in key-value format.
details.rapid7InsightSettings.endpoint Yes The REST endpoint to connect to. The endpoint value must be either vulnerabilities or assets.
details.rapid7InsightSettings.hostname No The fully qualified domain name of the Rapid7 endpoint, such as us.api.insight.rapid7.com.

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "RAPID7_INSIGHT",
     "rapid7InsightSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "X-Api-Key",
            "value": "API_TOKEN"
         }]
       },
       "endpoint": "assets",
       "hostname": "us.api.insight.rapid7.com"
     }
   }
}

Replace API_TOKEN with your API token.

Recorded Future

This section provides API reference details for the RECORDED_FUTURE_IOC log type. For details about the data source, see the Recorded Future documentation.

Data source Ingest schedule details.feedSourceType
api.recordedfuture.com/v2/fusion/files. Every two hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.recordedFutureIocSettings.authentication.headerKeyValues Yes The HTTP header used to authenticate to api.recordedfuture.com in key-value format.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "RECORDED_FUTURE_IOC",
     "recordedFutureIocSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       }
     }
   }
}

RH-ISAC

This section provides API reference details for the RH_ISAC_IOC log type. For details about the data source, see the RH-ISAC documentation.

Data source Ingest schedule details.feedSourceType
api.trustar.co/api/1.3/indicators/search. Every 24 hours API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.rhIsacIocSettings.authentication.tokenEndpoint Yes The endpoint to retrieve the OAuth token.
details.rhIsacIocSettings.authentication.clientId Yes The OAuth client ID.
details.rhIsacIocSettings.authentication.clientSecret Yes The OAuth client secret.

Other fields

tags, queueDelay

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "RH_ISAC_IOC",
     "rhIsacIocSettings": {
       "authentication": {
         "tokenEndPoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret"
       }
     }
   }
}

Salesforce

This section provides API reference details for the SALESFORCE log type. For details about the data source, see the Salesforce documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/services/data/v50.0/query Every minute API

Replace API_HOSTNAME with the fully qualified domain name of your Salesforce REST API endpoint, such as myinstance.salesforce.com.

Prerequisites

Type-specific request fields

Field Required Description
details.salesforceSettings.hostname Yes The fully qualified domain name of your Salesforce REST API endpoint, such as myinstance.salesforce.com.
details.salesforceSettings.oauthPasswordGrantAuth.tokenEndpoint No The endpoint to retrieve the OAuth token. This field must be specified in the following format: https://SF_INSTANCE.my.salesforce.com/services/oauth2/token?grant_type=password. Replace SF_INSTANCE with your Salesforce instance name. This field is required only for OAuth password grant.
details.salesforceSettings.oauthPasswordGrantAuth.clientId No The OAuth client ID. This field is required only for OAuth password grant.
details.salesforceSettings.oauthPasswordGrantAuth.clientSecret No The OAuth client secret. This field is required only for OAuth password grant.
details.salesforceSettings.oauthPasswordGrantAuth.user No The username used for authentication. This field is required only for OAuth password grant.
details.salesforceSettings.oauthPasswordGrantAuth.password No The password used for authentication. This field is required only for OAuth password grant.
details.salesforceSettings.oauthJwtCredentials.tokenEndpoint No The endpoint to retrieve the OAuth JSON web token. This field is required only for OAuth JWT grant.
details.salesforceSettings.oauthJwtCredentials.claims.issuer No The JWT claims issuer, which is usually a client ID. This field is required only for OAuth JWT grant.
details.salesforceSettings.oauthJwtCredentials.claims.subject No The JWT claims subject, which is usually an email ID. This field is required only for OAuth JWT grant.
details.salesforceSettings.oauthJwtCredentials.claims.audience No The JWT claims audience. This field is required only for OAuth JWT grant.
details.salesforceSettings.oauthJwtCredentials.rsCredentials.privateKey No An RSA private key in PEM format. This field is required only for OAuth JWT grant.

Optional fields

initialStartTime

Test the endpoint

Before you create the feed, you can test the REST API endpoint by sending a GET request to /services/data/vAPI_VERSION/query. The Query resource is used to retrieve field values from a record.

To query event monitoring records based on fields, such as LogDate and EventType, use a GET request as follows:

curl https://SUBDOMAIN.my.salesforce.com/services/data/vAPI_VERSION/query \
    -X GET \
    -H "Authorization: Bearer AUTH_TOKEN" \
    -G \
    --data-urlencode "q=SELECT Id, EventType, LogFile, LogDate, LogFileLength FROM EventLogFile WHERE LogDate > Yesterday AND EventType = 'API'"

Replace the following:

  • SUBDOMAIN: the subdomain name relevant to the Salesforce instance being accessed.
  • API_VERSION: version number of the API endpoint. For example, 60.0.
  • AUTH_TOKEN: OAuth access token.

Sample Create Feed request using OAuth password grant

{
   "details": {
     "feedSourceType": "API",
     "logType": "SALESFORCE",
     "salesforceSettings": {
       "authentication": {
         "tokenEndpoint": "endpoint",
         "clientId": "clientId",
         "clientSecret": "clientSecret",
         "user": "user",
         "password": "password"
       },
       "hostname": "hostname"
     }
   }
}

Sample Create Feed request using OAuth JWT grant

{
   "details": {
     "feedSourceType": "API",
     "logType": "SALESFORCE",
     "salesforceSettings": {
       "authentication": {
         "tokenEndpoint": "endpoint",
         "issuer": "clientId",
         "subject": "emailID",
         "audience": "audience",
         "privateKey": "RSAKey"
       },
       "hostname": "hostname"
     }
   }
}

SentinelOne Alert

This section provides API reference details for the SENTINELONE_ALERT log type. For details about the data source, see the SentinelOne Alert documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/web/api/v2.1/cloud-detection/alerts Every five minutes API

Replace API_HOSTNAME with the fully qualified domain name of the SentinelOne API.

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.sentineloneAlertSettings.authentication.headerKeyValues Yes The HTTP headers used to authenticate to the SentinelOne alerts, threats, and static-indicator API in key-value format.
details.sentineloneAlertSettings.hostname Yes The fully qualified domain name of the SentinelOne API.
details.sentineloneAlertSettings.initialStartTime No The time from which alerts are fetched.
details.sentineloneAlertSettings.isAlertApiSubscribed No Indicates whether the alerts API is subscribed.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SENTINELONE_ALERT",
     "sentineloneAlertSettings": {
       "authentication": {
         "headerKeyValues": [{
            "key": "Authorization",
            "value": "ApiToken"
          }]
       },
       "hostname": "hostname",
       "isAlertApiSubscribed": false
     }
   }
}

ServiceNow CMDB

This section provides API reference details for the SERVICENOW_CMDB log type. For details about the data source, see the ServiceNow CMDB documentation.

Data source Ingest schedule details.feedSourceType
The fully qualified domain name of your ServiceNow REST API endpoint, such as myinstance.servicenow.com. Every 24 hours API

Prerequisites

  • Get the values for all the required fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.serviceNowCmdbSettings.authentication.user Yes The username required for authentication.
details.serviceNowCmdbSettings.authentication.secret Yes The secret required for authentication.
details.serviceNowCmdbSettings.hostname Yes The fully qualified domain name of your ServiceNow REST API endpoint, such as myinstance.servicenow.com.
details.serviceNowCmdbSettings.feedname Yes The ServiceNow table, which corresponds to a collection of records.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SERVICENOW_CMDB",
     "servicenowCmdbSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "feedname": "feedname"
     }
   }
}

Symantec Event Export

This section provides API reference details for the SYMANTEC_EVENT_EXPORT log type. For details about the data source, see the Symantec Event Export documentation.

Data source Ingest schedule details.feedSourceType
The Symantec Event Export API. Every hour API

Prerequisites

  • Get the values for all authentication fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.symantecEventExportSettings.authentication.tokenEndpoint Yes The endpoint to retrieve the OAuth token.
details.symantecEventExportSettings.authentication.clientId Yes The OAuth client ID.
details.symantecEventExportSettings.authentication.clientSecret Yes The OAuth client secret.
details.symantecEventExportSettings.authentication.refreshToken Yes An OAuth 2.0 token used to refresh access tokens when they expire.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "SYMANTEC_EVENT_EXPORT",
     "symantecEventExportSettings": {
       "authentication": {
         "tokenEndPoint": "REFRESH TOKEN URI",
         "clientId": "CLIENT ID",
         "clientSecret": "CLIENT SECRET",
         "refreshToken": "REFRESH TOKEN"
       }
     }
   }
}

Thinkst Canary

This section provides API reference details for the THINKST_CANARY log type. For details about the data source, see the Thinkst Canary documentation.

Data source Ingest schedule details.feedSourceType
API_HOSTNAME/api/v1/incidents/all Every 30 minutes API

Replace API_HOSTNAME with the domain name of the Thinkst Canary REST API endpoint.

Prerequisites

  • Get the values for all the required fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.sentineloneAlertSettings.authentication.headerKeyValues Yes The HTTP headers in key-value format.
details.thinkstCanarySettings.hostname Yes The fully qualified domain name of the Thinkst Canary REST API endpoint, such as myinstance.canary.tools.

Test the API endpoint

Before you create the feed, you can test the Canary API endpoint by sending a GET request to DOMAIN/api/v1/incidents/all.

The following is an example request to get all incidents:

curl https://DOMAIN.canary.tools/api/v1/incidents/all \
  -d auth_token=AUTH_TOKEN \
  -d limit=1 \
  -G

Replace the following:

  • DOMAIN: unique hash identifying your Canary Console
  • AUTH_TOKEN: OAuth access token

To learn more about the different query parameters that can be used as a part of the request, see the Canary API documentation.

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "THINKST_CANARY",
     "thinkstCanarySettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname"
     }
   }
}

ThreatConnect

This section provides API reference details for the THREATCONNECT_IOC log type. For details about the data source, see the ThreatConnect documentation.

Data source Ingest schedule details.feedSourceType
The fully qualified domain name of the ThreatConnect REST API endpoint, such as myinstance.threatconnect.com. Every five minutes API

Prerequisites

  • Get the values for all the required fields.
  • Get the following required permissions:
    • None

Type-specific request fields

Field Required Description
details.threatConnectIocSettings.authentication.user Yes The username required for authentication.
details.threatConnectIocSettings.authentication.password Yes The password required for authentication.
details.threatConnectIocSettings.hostname Yes The fully qualified domain name of the ThreatConnect REST API endpoint, such as myinstance.threatconnect.com.
details.threatConnectIocSettings.owners Yes All the owner names, where an owner identifies a collection of IoCs.

Other fields

queueDelay

Optional fields

initialStartTime

Sample Create Feed request

{
   "details": {
     "feedSourceType": "API",
     "logType": "THREATCONNECT_IOC",
     "threatConnectIocSettings": {
       "authentication": {
         "user": "user",
         "secret": "secret"
       },
       "hostname": "hostname",
       "owners": [
         "owner"
       ]
     }
   }
}

Workday

This section provides API reference details for the WORKDAY log type. For details about the data source, see the Workday Administrator Guide (Integrations > Workday REST API).

Data source Ingest schedule details.feedSourceType details.logType
  • {hostname}/ccx/api/v1/{mytenant}/workers
  • {hostname}/ccx/api/v1/{mytenant}/workers/{id}/timeOffEntries
  • {hostname}/ccx/api/v1/{mytenant}/workers/{id}/history
  • {hostname}/ccx/api/v1/{mytenant}/supervisoryOrganizations
Every 24 hours API WORKDAY

Prerequisites

  • In the Workday documentation for configuring OAuth 2.0 for your REST API client, follow the steps in Register API Clients.
  • Get the following required permissions:
    • None

Type-specific request fields

To set up authentication, you must either specify the access token or all of the following OAuth fields: token endpoint, client ID, client secret, and refresh token.

Field Required Description
details.workdaySettings.authentication.secret Yes The access token generated by Workday after completing the steps to register OAuth 2.0 clients with Workday.
details.workdaySettings.authentication.tokenEndpoint Yes The endpoint from which to get the access token.
details.workdaySettings.authentication.user Yes The client ID generated by Workday after completing the steps to register OAuth 2.0 clients with Workday.
details.workdaySettings.authentication.secret Yes The client secret generated by Workday after completing the steps to register OAuth 2.0 clients with Workday.
details.workdaySettings.authentication.refreshToken Yes The refresh token generated by Workday after completing the steps to register OAuth 2.0 clients with Workday.
details.workdaySettings.hostname Yes The hostname of the Workday REST web service. Example: services1.workday.com.
details.workdaySettings.tenantId Yes The name of the tenant.

Sample Create Feed request

The following sample uses a token endpoint, client ID, client secret, and refresh token:

{
   "details": {
     "feedSourceType": "API",
     "logType": "WORKDAY",
     "workdaySettings": {
       "authentication": {
         "tokenEndpoint": "TokenEndpoint",
         "user": "ClientID",
         "clientSecret": "ClientSecret",
         "refreshToken": "RefreshToken"
       },
       "hostname": "hostname",
       "tenantId": "ID"
     }
   }
}

The following sample uses an access token:

{
   "details": {
     "feedSourceType": "API",
     "logType": "WORKDAY",
     "workdaySettings": {
       "authentication": {
         "secret": "AccessToken"
       },
       "hostname": "hostname",
       "tenantId": "ID"
     }
   }
}
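The Salesforce (OAuth password grant or OAuth JWT grant) and Workday (access token or the full OAuth refresh-token set) sections each describe two mutually exclusive authentication field sets, and a request that mixes them or supplies half of one is easy to produce. The following validator is an added example, not Chronicle's own code: it checks a Create Feed request body against those two rules, using the flat authentication field names of the sample requests above and constructed placeholder values.

```python
import json

# Alternative authentication field sets per log type, taken from the sample
# Create Feed requests in this reference (flat "authentication" object).
# A valid request supplies exactly one complete set.
AUTH_MODES = {
    "WORKDAY": {
        "access token": {"secret"},
        "OAuth refresh token": {"tokenEndpoint", "user", "clientSecret", "refreshToken"},
    },
    "SALESFORCE": {
        "OAuth password grant": {"tokenEndpoint", "clientId", "clientSecret", "user", "password"},
        "OAuth JWT grant": {"tokenEndpoint", "issuer", "subject", "audience", "privateKey"},
    },
}
# Type-specific settings object under "details", and its other required fields.
SETTINGS_KEY = {"WORKDAY": "workdaySettings", "SALESFORCE": "salesforceSettings"}
REQUIRED_FIELDS = {"WORKDAY": {"hostname", "tenantId"}, "SALESFORCE": {"hostname"}}


def present_fields(obj):
    """Keys holding a non-empty string; blank placeholders count as missing."""
    return {k for k, v in obj.items() if isinstance(v, str) and v.strip()}


def detect_auth_mode(log_type, auth):
    """Return (mode, problems): the one complete field set (or None) plus findings."""
    modes = AUTH_MODES[log_type]
    present = present_fields(auth)
    problems = []
    unexpected = sorted(set(auth) - set().union(*modes.values()))
    if unexpected:
        problems.append(f"unknown authentication fields: {unexpected}")
    complete = [name for name, fields in modes.items() if fields <= present]
    if len(complete) == 1:
        # Fields from the other mode mixed into a complete one are flagged.
        stray = sorted(present - modes[complete[0]])
        if stray:
            problems.append(f"fields that do not belong to {complete[0]}: {stray}")
        return complete[0], problems
    if complete:
        problems.append(f"more than one complete authentication mode: {complete}")
        return None, problems
    # Nothing complete: report the mode with the fewest gaps, preferring the
    # one that the supplied fields overlap most.
    closest = min(modes, key=lambda n: (len(modes[n] - present), -len(modes[n] & present)))
    problems.append(f"incomplete {closest} authentication, missing: {sorted(modes[closest] - present)}")
    return None, problems


def validate_feed_request(body):
    """Validate a Create Feed request given as JSON text; [] means well-formed."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err.msg} at line {err.lineno}"]
    details = req.get("details") if isinstance(req, dict) else None
    if not isinstance(details, dict) or details.get("feedSourceType") != "API":
        return ['details.feedSourceType must be "API"']
    log_type = details.get("logType")
    if log_type not in AUTH_MODES:
        return [f"no authentication rules known for logType {log_type!r}"]
    settings = details.get(SETTINGS_KEY[log_type])
    if not isinstance(settings, dict) or not isinstance(settings.get("authentication"), dict):
        return [f"details.{SETTINGS_KEY[log_type]}.authentication is missing"]
    _mode, problems = detect_auth_mode(log_type, settings["authentication"])
    missing = sorted(REQUIRED_FIELDS[log_type] - present_fields(settings))
    if missing:
        problems.append(f"missing required {SETTINGS_KEY[log_type]} fields: {missing}")
    return problems


def workday_request(authentication):
    """Build a constructed WORKDAY Create Feed request around one auth object."""
    return json.dumps({"details": {
        "feedSourceType": "API",
        "logType": "WORKDAY",
        "workdaySettings": {
            "authentication": authentication,
            "hostname": "services1.workday.com",  # example hostname from this reference
            "tenantId": "mytenant",               # constructed placeholder tenant name
        },
    }})


if __name__ == "__main__":
    # Placeholder values only, not real credentials.
    complete = workday_request({"secret": "AccessToken"})
    partial = workday_request({"tokenEndpoint": "TokenEndpoint", "user": "ClientID",
                               "clientSecret": "ClientSecret"})  # refreshToken left out
    print(validate_feed_request(complete) or "ok")
    print(validate_feed_request(partial))
```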