REST Resource: projects.locations.instances.feeds

Resource: Feed

Feed is a resource that contains feed information needed to create a feed.

JSON representation
{
  "name": string,
  "display_name": string,
  "details": {
    object (FeedDetails)
  },
  "state": enum (State),
  "failure_msg": string,
  "read_only": boolean
}
Fields
name

string

The resource name of the feed. Format: projects/{project}/locations/{location}/instances/{instance}/feeds/{feed}

display_name

string

Customer-provided feed name.

details

object (FeedDetails)

Additional details of the feed. These details are dynamic and differ for each feed.

state

enum (State)

Output only. State of the feed.

failure_msg

string

Output only. Details about the most recent failure when feed state is FAILED.

read_only

boolean

Output only. Whether this feed can be updated or deleted.

FeedDetails

Additional details of the feed. These details are dynamic and differ for each feed.

JSON representation
{
  "feed_source_type": enum (FeedSourceType),
  "log_type": string,
  "asset_namespace": string,
  "labels": {
    string: string,
    ...
  },

  // Union field details can be only one of the following:
  "anomali_settings": {
    object (AnomaliIocSettings)
  },
  "azure_ad_context_settings": {
    object (AzureADContextSettings)
  },
  "cloud_passage_settings": {
    object (CloudPassageSettings)
  },
  "cortex_xdr_settings": {
    object (CortexXDRSettings)
  },
  "duo_auth_settings": {
    object (DuoAuthSettings)
  },
  "duo_user_context_settings": {
    object (DuoUserContextSettings)
  },
  "microsoft_graph_alert_settings": {
    object (MicrosoftGraphAlertSettings)
  },
  "microsoft_security_center_alert_settings": {
    object (MicrosoftSecurityCenterAlertSettings)
  },
  "mimecast_mail_settings": {
    object (MimecastMailSettings)
  },
  "office365_settings": {
    object (Office365Settings)
  },
  "proofpoint_mail_settings": {
    object (ProofpointMailSettings)
  },
  "recorded_future_ioc_settings": {
    object (RecordedFutureIocSettings)
  },
  "workday_settings": {
    object (WorkdaySettings)
  },
  "pan_ioc_settings": {
    object (PanIocSettings)
  },
  "okta_settings": {
    object (OktaSettings)
  },
  "okta_user_context_settings": {
    object (OktaUserContextSettings)
  },
  "fox_it_stix_settings": {
    object (FoxITStixSettings)
  },
  "threat_connect_ioc_settings": {
    object (ThreatConnectIoCSettings)
  },
  "service_now_cmdb_settings": {
    object (ServiceNowCMDBSettings)
  },
  "imperva_waf_settings": {
    object (ImpervaWAFSettings)
  },
  "thinkst_canary_settings": {
    object (ThinkstCanarySettings)
  },
  "rh_isac_ioc_settings": {
    object (RHIsacIocSettings)
  },
  "rapid7_insight_settings": {
    object (Rapid7InsightSettings)
  },
  "salesforce_settings": {
    object (SalesforceSettings)
  },
  "netskope_alert_settings": {
    object (NetskopeAlertSettings)
  },
  "azure_mdm_intune_settings": {
    object (AzureMDMIntuneSettings)
  },
  "azure_ad_settings": {
    object (AzureADSettings)
  },
  "proofpoint_on_demand_settings": {
    object (ProofpointOnDemandSettings)
  },
  "workspace_users_settings": {
    object (WorkspaceUsersSettings)
  },
  "workspace_activity_settings": {
    object (WorkspaceActivitySettings)
  },
  "workspace_alerts_settings": {
    object (WorkspaceAlertsSettings)
  },
  "workspace_privileges_settings": {
    object (WorkspacePrivilegesSettings)
  },
  "workspace_mobile_settings": {
    object (WorkspaceMobileSettings)
  },
  "workspace_chrome_os_settings": {
    object (WorkspaceChromeOSSettings)
  },
  "workspace_groups_settings": {
    object (WorkspaceGroupsSettings)
  },
  "azure_ad_audit_settings": {
    object (AzureADAuditSettings)
  },
  "symantec_event_export_settings": {
    object (SymantecEventExportSettings)
  },
  "qualys_vm_settings": {
    object (QualysVMSettings)
  },
  "pan_prisma_cloud_settings": {
    object (PanPrismaCloudSettings)
  },
  "gcs_settings": {
    object (GoogleCloudStorageSettings)
  },
  "http_settings": {
    object (HttpSettings)
  },
  "sftp_settings": {
    object (SftpSettings)
  },
  "amazon_s3_settings": {
    object (AmazonS3Settings)
  },
  "azure_blob_store_settings": {
    object (AzureBlobStoreSettings)
  },
  "amazon_sqs_settings": {
    object (AmazonSQSSettings)
  },
  "google_cloud_identity_devices_settings": {
    object (GoogleCloudIdentityDevicesSettings)
  },
  "google_cloud_identity_device_users_settings": {
    object (GoogleCloudIdentityDeviceUsersSettings)
  },
  "crowdstrike_detects_settings": {
    object (CrowdStrikeDetectsSettings)
  },
  "mandiant_ioc_settings": {
    object (MandiantIoCSettings)
  },
  "sentinelone_alert_settings": {
    object (SentineloneAlertSettings)
  },
  "qualys_scan_settings": {
    object (QualysScanSettings)
  },
  "pubsub_settings": {
    object (PubsubSettings)
  },
  "amazon_kinesis_firehose_settings": {
    object (AmazonKinesisFirehoseSettings)
  },
  "webhook_settings": {
    object (WebhookSettings)
  },
  "dummy_log_type_settings": {
    object (DummyLogTypeSettings)
  },
  "https_push_google_cloud_pubsub_settings": {
    object (HttpsPushGoogleCloudPubSubSettings)
  },
  "https_push_amazon_kinesis_firehose_settings": {
    object (HttpsPushAmazonKinesisFirehoseSettings)
  },
  "https_push_webhook_settings": {
    object (HttpsPushWebhookSettings)
  }
  // End of list of possible types for union field details.
}
Fields
feed_source_type

enum (FeedSourceType)

Source Type of the feed.

log_type

string

LogType. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type}

asset_namespace

string

The asset namespace to apply to all logs ingested through this feed.

labels

map (key: string, value: string)

The ingestion metadata labels to apply to all logs ingested through this feed, and the resulting normalized data.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Union field details. Additional details of the feed. Depends on the feed type. details can be only one of the following:
anomali_settings

object (AnomaliIocSettings)

Anomali IOC settings.

azure_ad_context_settings

object (AzureADContextSettings)

Azure AD Context settings.

cloud_passage_settings

object (CloudPassageSettings)

Cloud Passage settings.

cortex_xdr_settings

object (CortexXDRSettings)

Cortex XDR settings.

duo_auth_settings

object (DuoAuthSettings)

Duo Auth settings.

duo_user_context_settings

object (DuoUserContextSettings)

Duo User Context settings.

microsoft_graph_alert_settings

object (MicrosoftGraphAlertSettings)

Microsoft Graph Alert settings.

microsoft_security_center_alert_settings

object (MicrosoftSecurityCenterAlertSettings)

Microsoft Security Center alert settings.

mimecast_mail_settings

object (MimecastMailSettings)

Mimecast mail settings.

office365_settings

object (Office365Settings)

Office 365 settings.

proofpoint_mail_settings

object (ProofpointMailSettings)

Proofpoint mail settings.

recorded_future_ioc_settings

object (RecordedFutureIocSettings)

Recorded Future IOC settings.

workday_settings

object (WorkdaySettings)

Workday settings.

pan_ioc_settings

object (PanIocSettings)

PAN IOC settings.

okta_settings

object (OktaSettings)

Okta settings.

okta_user_context_settings

object (OktaUserContextSettings)

Okta user context settings.

fox_it_stix_settings

object (FoxITStixSettings)

Fox-IT STIX settings.

threat_connect_ioc_settings

object (ThreatConnectIoCSettings)

ThreatConnect IOC settings.

service_now_cmdb_settings

object (ServiceNowCMDBSettings)

ServiceNow CMDB settings.

imperva_waf_settings

object (ImpervaWAFSettings)

Imperva WAF settings.

thinkst_canary_settings

object (ThinkstCanarySettings)

Thinkst Canary settings.

rh_isac_ioc_settings

object (RHIsacIocSettings)

RH-ISAC IOC settings.

rapid7_insight_settings

object (Rapid7InsightSettings)

Rapid7 Insight settings.

salesforce_settings

object (SalesforceSettings)

Salesforce settings.

netskope_alert_settings

object (NetskopeAlertSettings)

Netskope alert settings.

azure_mdm_intune_settings

object (AzureMDMIntuneSettings)

Azure MDM Intune settings.

azure_ad_settings

object (AzureADSettings)

Azure AD settings.

proofpoint_on_demand_settings

object (ProofpointOnDemandSettings)

Proofpoint On-Demand settings.

workspace_users_settings

object (WorkspaceUsersSettings)

Workspace users settings.

workspace_activity_settings

object (WorkspaceActivitySettings)

Workspace activity settings.

workspace_alerts_settings

object (WorkspaceAlertsSettings)

Workspace alerts settings.

workspace_privileges_settings

object (WorkspacePrivilegesSettings)

Workspace privileges settings.

workspace_mobile_settings

object (WorkspaceMobileSettings)

Workspace mobile settings.

workspace_chrome_os_settings

object (WorkspaceChromeOSSettings)

Workspace ChromeOS settings.

workspace_groups_settings

object (WorkspaceGroupsSettings)

Workspace Groups settings.

azure_ad_audit_settings

object (AzureADAuditSettings)

Azure AD Audit settings.

symantec_event_export_settings

object (SymantecEventExportSettings)

Symantec Event Export settings.

qualys_vm_settings

object (QualysVMSettings)

Qualys VM settings.

pan_prisma_cloud_settings

object (PanPrismaCloudSettings)

PAN Prisma Cloud settings.

gcs_settings

object (GoogleCloudStorageSettings)

Google Cloud Storage settings.

http_settings

object (HttpSettings)

HTTP settings.

sftp_settings

object (SftpSettings)

SFTP settings.

amazon_s3_settings

object (AmazonS3Settings)

Amazon S3 settings.

azure_blob_store_settings

object (AzureBlobStoreSettings)

Azure Blob Storage settings.

amazon_sqs_settings

object (AmazonSQSSettings)

Amazon SQS settings.

google_cloud_identity_devices_settings

object (GoogleCloudIdentityDevicesSettings)

Google Cloud Identity Devices settings.

google_cloud_identity_device_users_settings

object (GoogleCloudIdentityDeviceUsersSettings)

Google Cloud Identity Device Users settings.

crowdstrike_detects_settings

object (CrowdStrikeDetectsSettings)

CrowdStrike Detects API settings.

mandiant_ioc_settings

object (MandiantIoCSettings)

Mandiant IOC settings.

sentinelone_alert_settings

object (SentineloneAlertSettings)

SentinelOne Alert settings.

qualys_scan_settings

object (QualysScanSettings)

Qualys Scan settings.

pubsub_settings

object (PubsubSettings)

Pub/Sub settings.

amazon_kinesis_firehose_settings

object (AmazonKinesisFirehoseSettings)

Amazon Kinesis Firehose settings.

webhook_settings

object (WebhookSettings)

Webhook settings.

dummy_log_type_settings

object (DummyLogTypeSettings)

DummyLogType Settings.

https_push_google_cloud_pubsub_settings

object (HttpsPushGoogleCloudPubSubSettings)

HTTPS push Google Pub/Sub settings.

https_push_amazon_kinesis_firehose_settings

object (HttpsPushAmazonKinesisFirehoseSettings)

HTTPS push Amazon Kinesis Firehose settings.

https_push_webhook_settings

object (HttpsPushWebhookSettings)

HTTPS push Webhook settings.

AnomaliIocSettings

Anomali IOC settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

UsernameSecretAuth

Info for username and secret based authentication.

JSON representation
{
  "user": string,
  "secret": string
}
Fields
user

string

Username of an identity used for authentication.

secret

string

Secret of the account identified by user_name.

AzureADContextSettings

Azure AD Context settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "retrieve_devices": boolean,
  "retrieve_groups": boolean,
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

retrieve_devices

boolean

Whether to retrieve device information in user context.

retrieve_groups

boolean

Whether to retrieve group information in user context.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MicrosoftOAuthClientCredentials

Microsoft OAuth 2.0 client credentials grant.

JSON representation
{
  "client_id": string,
  "client_secret": string
}
Fields
client_id

string

Client ID.

client_secret

string

Client secret.

CloudPassageSettings

CloudPassage settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "event_types": [
    string
  ]
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

event_types[]

string

Event types filter for the events API.

CortexXDRSettings

PAN Cortex XDR settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "endpoint": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

endpoint

string

API Endpoint.

HttpHeaderAuth

HTTP header based authentication.

JSON representation
{
  "header_key_values": [
    {
      object (HeaderKeyValue)
    }
  ]
}
Fields
header_key_values[]

object (HeaderKeyValue)

Header key-value pairs.

HeaderKeyValue

Header key-value pairs.

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Key.

value

string

Value.

DuoAuthSettings

Duo Authentication settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

DuoUserContextSettings

Duo User Context settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API hostname.

MicrosoftGraphAlertSettings

Microsoft Graph Alert settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MicrosoftSecurityCenterAlertSettings

Microsoft Security Center alert settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "subscription_id": string,
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

subscription_id

string

Subscription ID of the Microsoft security center alert settings alert.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MimecastMailSettings

Mimecast Mail settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

Office365Settings

Office 365 settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "content_type": enum (ContentType),
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

content_type

enum (ContentType)

Supported Office 365 content type.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

ContentType

Office 365 supported content types: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api

Enums
CONTENT_TYPE_UNSPECIFIED Unspecified content type.
AUDIT_AZURE_ACTIVE_DIRECTORY Audit.AzureActiveDirectory.
AUDIT_EXCHANGE Audit.Exchange.
AUDIT_SHARE_POINT Audit.SharePoint.
AUDIT_GENERAL Audit.General.
DLP_ALL DLP.All.

ProofpointMailSettings

Proofpoint Mail settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

RecordedFutureIocSettings

Recorded Future IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  }
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

WorkdaySettings

Workday settings.

JSON representation
{
  "authentication": {
    object (WorkdayAuth)
  },
  "hostname": string,
  "tenant_id": string
}
Fields
authentication

object (WorkdayAuth)

Input only. Authentication.

hostname

string

API Hostname.

tenant_id

string

Tenant ID.

WorkdayAuth

Authentication for Workday.

JSON representation
{
  "user": string,
  "secret": string,
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "refresh_token": string
}
Fields
user

string

Username. This is unused: Workday feeds were originally configured using a username and secret authentication method, but only the secret field was used, and it was used to supply the OAuth access token.

secret

string

The access token used to authenticate against Workday. This field is called "secret" to maintain backwards compatibility. Workday was (only) configured using username (which was unused) and secret (which is used as the access token). Either this field or all of the other OAuth fields below must be specified.

token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client Secret.

refresh_token

string

Refresh Token.
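
The constraints stated in this reference (details holds only one union member; WorkdayAuth needs either secret or all of the OAuth fields; state, failure_msg and read_only are output only) can be checked before a request body is sent, and credential fields can be masked before the body is logged. The Python below is an added example, not part of the API or of the original reference; lint_feed, redact and the sample values are hypothetical, and treating every key in details other than the four common fields as a union member is an assumption of this example.

```python
# Added example: pre-flight lint and log redaction for a Feed request body.

# Non-union FeedDetails fields listed in the reference; any other key in
# "details" is treated as a union member (assumption of this example).
COMMON_DETAIL_FIELDS = {"feed_source_type", "log_type", "asset_namespace", "labels"}
# Fields the reference marks "Output only" on Feed.
OUTPUT_ONLY_FEED_FIELDS = ("failure_msg", "read_only", "state")
# Credential-bearing field names used by the auth objects in the reference.
SECRET_FIELDS = {
    "secret", "client_secret", "password", "refresh_token", "private_key",
    "private_key_passphrase", "encoded_private_key", "secret_access_key",
}
WORKDAY_OAUTH_FIELDS = ("token_endpoint", "client_id", "client_secret", "refresh_token")


def lint_feed(feed):
    """Return a list of findings for a Feed request body given as a dict."""
    findings = []
    for field in OUTPUT_ONLY_FEED_FIELDS:
        if field in feed:
            findings.append(f"{field}: output-only field set in request")

    details = feed.get("details") or {}
    members = sorted(k for k in details if k not in COMMON_DETAIL_FIELDS)
    if len(members) > 1:
        findings.append(f"details: more than one union member set: {members}")

    workday = details.get("workday_settings")
    if workday is not None:
        auth = workday.get("authentication") or {}
        has_token = bool(auth.get("secret"))
        missing = [f for f in WORKDAY_OAUTH_FIELDS if not auth.get(f)]
        # Either the access token in "secret" or all of the OAuth fields.
        if not has_token and missing:
            findings.append(
                "workday_settings.authentication: set secret, or all OAuth "
                f"fields (missing: {missing})"
            )
        if auth.get("user"):
            findings.append("workday_settings.authentication.user: unused field set")
    return findings


def redact(obj):
    """Return a copy of obj with credential values masked, for logging."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in SECRET_FIELDS and isinstance(value, str):
                out[key] = "[REDACTED]"
            elif key == "header_key_values" and isinstance(value, list):
                # HttpHeaderAuth: the header value carries the API key or token.
                out[key] = [
                    {**h, "value": "[REDACTED]"} if isinstance(h, dict) else h
                    for h in value
                ]
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


# Constructed sample request body; every value is a placeholder.
SAMPLE_FEED = {
    "display_name": "workday-hr",
    "read_only": False,
    "details": {
        "log_type": "projects/example-project/locations/us/instances/"
                    "example-instance/logTypes/EXAMPLE_LOG_TYPE",
        "workday_settings": {
            "hostname": "workday.example.com",
            "tenant_id": "example-tenant",
            "authentication": {
                "user": "svc-account",
                "client_id": "example-client",
                "client_secret": "example-client-secret",
            },
        },
        "okta_settings": {
            "hostname": "okta.example.com",
            "authentication": {
                "header_key_values": [{"key": "X-Api-Key", "value": "example-key"}]
            },
        },
    },
}

if __name__ == "__main__":
    for finding in lint_feed(SAMPLE_FEED):
        print("FINDING:", finding)
    print(redact(SAMPLE_FEED))
```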

PanIocSettings

PAN IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "feed_id": string,
  "feed": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

feed_id

string

PAN IOC feed ID.

feed

string

PAN IOC feed name.

OktaSettings

Okta settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

OktaUserContextSettings

Okta user context settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "manager_id_reference_field": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

manager_id_reference_field

string

Manager id reference field.

FoxITStixSettings

Fox-IT STIX settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "ssl": {
    object (SSLClientKeypair)
  },
  "poll_service_uri": string,
  "collection": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

ssl

object (SSLClientKeypair)

SSL client key pair.

poll_service_uri

string

TAXII poll service URI.

collection

string

Collection available at the poll service.

SSLClientKeypair

An SSL client certificate keypair.

JSON representation
{
  "encoded_private_key": string,
  "ssl_certificate": string
}
Fields
encoded_private_key

string

The encoded private key. The string should be a private key in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F23074E02CF47304

-----END RSA PRIVATE KEY-----

ssl_certificate

string

The encoded SSL certificate. The string should be an SSL certificate in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ThreatConnectIoCSettings

ThreatConnect IOC Settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "owners": [
    string
  ]
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

owners[]

string

Owners.

ServiceNowCMDBSettings

ServiceNow CMDB settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "feedname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

feedname

string

Feedname.

ImpervaWAFSettings

Imperva WAF settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  }
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

ThinkstCanarySettings

Thinkst Canary settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

RHIsacIocSettings

RH-ISAC settings.

JSON representation
{
  "authentication": {
    object (OAuthClientCredentials)
  }
}
Fields
authentication

object (OAuthClientCredentials)

Input only. Authentication.

OAuthClientCredentials

OAuth 2.0 client credentials grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string
}
Fields
token_endpoint

string

Token endpoint.

client_id

string

Client ID.

client_secret

string

Client secret.

Rapid7InsightSettings

Rapid7 Insight settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "endpoint": string,
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

endpoint

string

Rapid7 API endpoint. Should be "vulnerabilities" or "assets".

hostname

string

API Hostname.

SalesforceSettings

Salesforce settings.

JSON representation
{
  "hostname": string,

  // Union field authentication can be only one of the following:
  "oauth_password_grant_auth": {
    object (OAuthPasswordGrantCredentials)
  },
  "oauth_jwt_credentials": {
    object (OAuthJWTCredentials)
  }
  // End of list of possible types for union field authentication.
}
Fields
hostname

string

API hostname.

Union field authentication. Possible types of authentication. authentication can be only one of the following:
oauth_password_grant_auth

object (OAuthPasswordGrantCredentials)

Input only. OAuthPasswordGrantCredentials auth.

oauth_jwt_credentials

object (OAuthJWTCredentials)

Input only. OAuthJWTCredentials auth.

OAuthPasswordGrantCredentials

OAuth 2.0 password grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "user": string,
  "password": string
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client secret.

user

string

Username.

password

string

Password.

OAuthJWTCredentials

OAuth 2.0 JWT grant. See https://tools.ietf.org/html/rfc7519.

JSON representation
{
  "token_endpoint": string,
  "claims": {
    object (Claims)
  },

  // Union field credentials can be only one of the following:
  "rs_credentials": {
    object (RSCredentials)
  }
  // End of list of possible types for union field credentials.
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

claims

object (Claims)

Claims.

Union field credentials. Credentials. credentials can be only one of the following:
rs_credentials

object (RSCredentials)

RS credentials.

RSCredentials

RS credentials.

JSON representation
{
  "private_key": string
}
Fields
private_key

string

Private key in PEM format.

Claims

Claims identifying a specific customer.

JSON representation
{
  "issuer": string,
  "subject": string,
  "audience": string
}
Fields
issuer

string

Issuer. Usually the client_id.

subject

string

Subject. Usually the email.

audience

string

Audience.

NetskopeAlertSettings

Netskope Alert settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "feedname": string,
  "content_type": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

feedname

string

Feedname.

content_type

string

Content type.

AzureMDMIntuneSettings

Azure MDM Intune settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

AzureADSettings

Azure AD settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

ProofpointOnDemandSettings

Proofpoint On-demand settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "cluster_id": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

cluster_id

string

Cluster ID.

WorkspaceUsersSettings

Workspace Users settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceActivitySettings

Workspace Activity settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string,
  "applications": [
    string
  ]
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

applications[]

string

Applications.

WorkspaceAlertsSettings

Workspace Alert settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspacePrivilegesSettings

Workspace Privileges settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceMobileSettings

Workspace Mobile settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceChromeOSSettings

Workspace Chrome OS settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceGroupsSettings

Workspace Groups settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

AzureADAuditSettings

Azure AD Audit settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

SymantecEventExportSettings

Symantec Event Export settings.

JSON representation
{
  "authentication": {
    object (OAuthRefreshToken)
  }
}
Fields
authentication

object (OAuthRefreshToken)

Input only. Authentication.

OAuthRefreshToken

OAuth 2.0 refresh token grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "refresh_token": string
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client secret.

refresh_token

string

Refresh token.

QualysVMSettings

Qualys VM settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

PanPrismaCloudSettings

PAN Prisma Cloud settings.

JSON representation
{
  "authentication": {
    object (PanPrismaAuth)
  },
  "hostname": string
}
Fields
authentication

object (PanPrismaAuth)

Input only. Authentication.

hostname

string

API Hostname.

PanPrismaAuth

PAN Prisma Cloud auth.

JSON representation
{
  "user": string,
  "password": string
}
Fields
user

string

Username.

password

string

Password.

GoogleCloudStorageSettings

Google Cloud Storage settings.

JSON representation
{
  "bucket_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption),
  "chronicle_service_account": string
}
Fields
bucket_uri

string

Bucket URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

chronicle_service_account

string

Output only. The service account that Chronicle uses to pull data.

URISourceType

The type of URIs specified in the source URIs.

Enums
URI_SOURCE_TYPE_UNSPECIFIED If encountered, will throw an INVALID_ARGUMENT error.
FILES The URIs in source_uris point to files.
FOLDERS The URIs in source_uris point to folders, and Xenon should not descend into subfolders of those folders.
FOLDERS_RECURSIVE The URIs in source_uris point to folders, and Xenon should descend into subfolders of those folders.

SourceDeletionOption

Source deletion option controls whether source files should be deleted after transferring.

Enums
SOURCE_DELETION_OPTION_UNSPECIFIED If encountered, will be treated as SOURCE_DELETION_NEVER.
SOURCE_DELETION_NEVER Never delete files from the source.
SOURCE_DELETION_ON_SUCCESS After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source.
SOURCE_DELETION_ON_SUCCESS_FILES_ONLY After the fetch completes, if there are no errors, delete files (leaving any directories) from the source.

HttpSettings

HTTP settings.

JSON representation
{
  "uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
uri

string

HTTP URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SftpSettings

SFTP settings.

JSON representation
{
  "authentication": {
    object (SftpAuth)
  },
  "uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (SftpAuth)

Input only. Authentication.

uri

string

SFTP URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SftpAuth

SFTP Auth.

JSON representation
{
  "username": string,
  "password": string,
  "private_key": string,
  "private_key_passphrase": string
}
Fields
username

string

Username. Used for username and password authentication.

password

string

Password. Used for username and password authentication.

private_key

string

Private key. Used for private key authentication.

private_key_passphrase

string

Private key passphrase. Used for private key authentication.

AmazonS3Settings

Amazon S3 settings.

JSON representation
{
  "authentication": {
    object (S3Auth)
  },
  "s3_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (S3Auth)

Input only. Authentication.

s3_uri

string

S3 URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

S3Auth

Amazon S3 auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string,
  "client_id": string,
  "client_secret": string,
  "refresh_uri": string,
  "region": enum (S3Region)
}
Fields
access_key_id

string

Access key ID. Used when using access key auth.

secret_access_key

string

Secret access key. Used when using access key auth.

client_id

string

Client ID. Used when using OAuth auth.

client_secret

string

Client secret. Used when using OAuth auth.

refresh_uri

string

Refresh URI. Used when using OAuth auth.

region

enum (S3Region)

S3 Region.

S3Region

AWS S3 regions: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region.

Enums
S3_REGION_UNSPECIFIED Unspecified region means Auto detect. Auto detect does not successfully detect GOV Cloud.
US_EAST_1 US. N. Virginia (previously known as US_STANDARD).
US_EAST_2 Ohio.
US_WEST_1 N. California.
US_WEST_2 Oregon.
US_GOV_CLOUD Not accessible unless AWS US Govt. account.
US_GOV_EAST_1 Not accessible unless AWS US Govt. account.
EU_WEST_1 Europe. Ireland.
EU_WEST_2 London.
EU_WEST_3 Paris.
EU_CENTRAL_1 Frankfurt.
EU_NORTH_1 Stockholm.
EU_SOUTH_1 Milan.
AP_SOUTH_1 Asia Pacific Mumbai.
AP_SOUTHEAST_1 Singapore.
AP_SOUTHEAST_2 Sydney.
AP_SOUTHEAST_3 Jakarta.
AP_NORTHEAST_1 Tokyo.
AP_NORTHEAST_2 Seoul.
AP_NORTHEAST_3 Osaka.
AP_EAST_1 Hong Kong.
SA_EAST_1 South America. Sao Paulo.
CN_NORTH_1 China - Not accessible unless AWS China account. China - Beijing.
CN_NORTHWEST_1 China - Ningxia.
CA_CENTRAL_1 Canada. Canada Central.
AF_SOUTH_1 Africa. Cape Town.
ME_SOUTH_1 Middle East. Bahrain.

AzureBlobStoreSettings

Azure Blob Storage settings.

JSON representation
{
  "authentication": {
    object (AzureAuth)
  },
  "azure_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (AzureAuth)

Input only. Authentication.

azure_uri

string

Azure URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

AzureAuth

Azure auth.

JSON representation
{

  // Union field auth_type can be only one of the following:
  "shared_key": string,
  "sas_token": string
  // End of list of possible types for union field auth_type.
}
Fields
Union field auth_type. Type of auth used with Azure. auth_type can be only one of the following:
shared_key

string

Shared Key.

sas_token

string

SAS Token.
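
The credential objects above (SftpAuth, S3Auth, AzureAuth) each describe more than one authentication mode. The following is an added example, not part of the API reference, that lints such a block before a feed is created and reports field names only, never values. Field names come from this page; the rule that exactly one mode must be completely populated, and treating `username` and `region` as optional companions, are assumptions of the example.

```python
# Added example: lint the credential objects defined on this page.
# mode name -> (fields that must all be set, optional companion fields)
AUTH_MODES = {
    "SftpAuth": {
        "password": ({"username", "password"}, set()),
        "private_key": ({"private_key"}, {"username", "private_key_passphrase"}),
    },
    "S3Auth": {
        "access_key": ({"access_key_id", "secret_access_key"}, {"region"}),
        "oauth": ({"client_id", "client_secret", "refresh_uri"}, {"region"}),
    },
    "AzureAuth": {  # union field auth_type: only one of the two may be set
        "shared_key": ({"shared_key"}, set()),
        "sas_token": ({"sas_token"}, set()),
    },
}

def lint_auth(kind, block):
    """Return findings for one auth block; messages name fields, never values."""
    modes = AUTH_MODES[kind]
    present = {k for k, v in block.items() if v not in (None, "")}
    known = set().union(*(req | opt for req, opt in modes.values()))
    findings = [f"unknown field {f}" for f in sorted(present - known)]
    complete = sorted(m for m, (req, _) in modes.items() if req <= present)
    if len(complete) > 1:
        findings.append("more than one mode populated: " + ", ".join(complete))
    elif len(complete) == 1:
        req, opt = modes[complete[0]]
        for f in sorted((present & known) - req - opt):
            findings.append(f"{f} does not belong to {complete[0]} mode")
    else:
        partial = [(m, req) for m, (req, _) in sorted(modes.items()) if req & present]
        for m, req in partial:
            findings.append(f"{m} mode incomplete, missing " + ", ".join(sorted(req - present)))
        if not partial:
            findings.append("no credentials set")
    return [f"{kind}: {msg}" for msg in findings]

# Constructed sample blocks; every secret value is a placeholder.
SAMPLES = [
    ("SftpAuth", {"username": "feed", "private_key": "<placeholder>"}),
    ("S3Auth", {"access_key_id": "<placeholder>", "region": "EU_WEST_1"}),
    ("AzureAuth", {"shared_key": "<placeholder>", "sas_token": "<placeholder>"}),
]

if __name__ == "__main__":
    for kind, block in SAMPLES:
        print(kind, lint_auth(kind, block) or "ok")
```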

AmazonSQSSettings

Amazon SQS settings.

JSON representation
{
  "region": enum (S3Region),
  "queue": string,
  "account_number": string,
  "authentication": {
    object (SQSAuth)
  },
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
region

enum (S3Region)

S3 Region.

queue

string

Name of the queue.

account_number

string

Account number of the owner of the queue.

authentication

object (SQSAuth)

Input only. Authentication.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SQSAuth

Amazon SQS auth.

JSON representation
{
  "sqs_access_key_secret_auth": {
    object (SQSAccessKeySecretAuth)
  },
  "additional_s3_access_key_secret_auth": {
    object (AdditionalS3AccessKeySecretAuth)
  }
}
Fields
sqs_access_key_secret_auth

object (SQSAccessKeySecretAuth)

SQS access key secret auth.

additional_s3_access_key_secret_auth

object (AdditionalS3AccessKeySecretAuth)

Authentication for the S3 bucket referred to by the items in the SQS queue. This is only required if it is different from the authentication for the queue.

SQSAccessKeySecretAuth

Amazon SQS access key and secret auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Access key ID.

secret_access_key

string

Secret access key.

AdditionalS3AccessKeySecretAuth

Additional S3 access key secret auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Access key ID.

secret_access_key

string

Secret access key.

GoogleCloudIdentityDevicesSettings

Google Cloud Identity Devices settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "api_version": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

api_version

string

API version.

GoogleCloudIdentityDeviceUsersSettings

Google Cloud Identity Device Users settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  }
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

CrowdStrikeDetectsSettings

CrowdStrike Detects settings.

JSON representation
{
  "authentication": {
    object (OAuthClientCredentials)
  },
  "hostname": string
}
Fields
authentication

object (OAuthClientCredentials)

Input only. OAuthClientCredentials.

hostname

string

API Hostname.

MandiantIoCSettings

Mandiant IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "start_time": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

start_time

string (Timestamp format)

Time from which to start fetching the IOCs.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

SentineloneAlertSettings

SentinelOne Alert settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "initial_start_time": string,
  "is_alert_api_subscribed": boolean
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

Hostname of SentinelOne alert settings.

initial_start_time

string

Initial start time from which to fetch the alerts.

is_alert_api_subscribed

boolean

Whether the customer is subscribed to the Alerts API.

QualysScanSettings

Qualys Scan settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "api_type": enum (ApiType)
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

Hostname.

api_type

enum (ApiType)

Supported Qualys Scan API type.

ApiType

API type.

Enums
API_TYPE_UNSPECIFIED Unspecified API Type
SCAN_SUMMARY_OUTPUT Scan Summaries
SCAN_COMPLIANCE_OUTPUT Scan Compliance
SCAN_COMPLIANCE_CONTROL_OUTPUT Scan Compliance Control

PubsubSettings

Settings required by Google Cloud Pub/Sub Feeds (HTTP-Push).

JSON representation
{
  "google_service_account_email": string
}
Fields
google_service_account_email

string

Google Service Account Email.

AmazonKinesisFirehoseSettings

This type has no fields.

Settings required by Amazon Kinesis Firehose Feeds (HTTP-Push).

WebhookSettings

This type has no fields.

Settings required by Webhook Feeds (HTTP-Push).

DummyLogTypeSettings

Settings required by Feeds of DummyLogType (used for testing purposes).

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "api_endpoint": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

api_endpoint

string

Full API Endpoint.

HttpsPushGoogleCloudPubSubSettings

This type has no fields.

Settings required by Google Cloud Pub/Sub Feeds (HTTPS-Push V2).

HttpsPushAmazonKinesisFirehoseSettings

This type has no fields.

Settings required by Amazon Kinesis Firehose Feeds (HTTPS-Push V2).

HttpsPushWebhookSettings

This type has no fields.

Settings required by Webhook Feeds (HTTPS-Push V2).

FeedSourceType

Different types of feed sources.

Enums
FEED_SOURCE_TYPE_UNSPECIFIED Unspecified feed source type.
GOOGLE_CLOUD_STORAGE Cloud Storage.
HTTP HTTP.
SFTP SFTP.
AMAZON_S3 S3.
AZURE_BLOBSTORE Azure Blobstore.
API API.
AMAZON_SQS SQS.
PUBSUB Pub/Sub.
AMAZON_KINESIS_FIREHOSE AMAZON_KINESIS_FIREHOSE.
WEBHOOK WEBHOOK.
HTTPS_PUSH_GOOGLE_CLOUD_PUBSUB HTTPS GCloud Pub/Sub.
HTTPS_PUSH_AMAZON_KINESIS_FIREHOSE HTTPS Amazon Kinesis Firehose.
HTTPS_PUSH_WEBHOOK HTTPS Webhook.

State

List of states a feed can have.

Enums
STATE_UNSPECIFIED Unspecified feed state.
ACTIVE Feed is configured and ready to ingest data. Newly created feeds have this state. Once ingestion begins the feed will transition out of this state and will not transition back.
INACTIVE Feed is disabled. When a user disables a feed it will transition to this state regardless of its current state. Once enabled a feed will transition to its previous state.
RUNNING Feed is enabled and currently ingesting data. A feed will transition to this state from an ACTIVE or COMPLETED state when Chronicle has begun fetching data for this feed.
SUCCEEDED Feed is enabled and has recently successfully ingested data. A feed will transition to this state from RUNNING or FAILED once a fetch has completed successfully.
FAILED Feed is enabled, but has recently failed to ingest data. A feed will transition to this state only from RUNNING once a fetch has failed. It will remain in this state until a subsequent fetch has succeeded.
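
A feed that is disabled or stuck in FAILED is an ingestion gap, so the state semantics above are worth monitoring. The following is an added example, not part of the API reference, that triages a time-ordered series of state polls for one feed. The poll histories are constructed, and the finding codes and the `failed_polls_alert` threshold are assumptions of the example.

```python
# Added example (not from the API reference): triage state polls for one feed.
# Finding codes and the failed_polls_alert threshold are assumptions.

def triage(history, failed_polls_alert=3):
    """history: time-ordered (state, failure_msg) pairs polled from one Feed."""
    states = [state for state, _ in history]
    findings = []
    # Any state can move to INACTIVE when a user disables the feed; enabling it
    # later returns the feed to the state it had before, so record that state.
    for prev, cur in zip(states, states[1:]):
        if cur == "INACTIVE" and prev != "INACTIVE":
            findings.append(("DISABLED", f"disabled while {prev}"))
    # FAILED persists until a later fetch succeeds, so a trailing run of FAILED
    # polls means no data has been ingested since the run began.
    streak = 0
    for state in reversed(states):
        if state != "FAILED":
            break
        streak += 1
    if streak >= failed_polls_alert:
        findings.append(("FAILING", f"{streak} FAILED polls: {history[-1][1]}"))
    # Newly created feeds are ACTIVE and leave that state once ingestion begins.
    if states and all(state == "ACTIVE" for state in states):
        findings.append(("NEVER_INGESTED", "still ACTIVE, no fetch has started"))
    return findings

# Constructed poll histories, oldest first.
FAILING_FEED = [("ACTIVE", ""), ("RUNNING", ""), ("SUCCEEDED", ""), ("RUNNING", ""),
                ("FAILED", "constructed: access denied"),
                ("FAILED", "constructed: access denied"),
                ("FAILED", "constructed: access denied")]
DISABLED_FEED = [("SUCCEEDED", ""), ("RUNNING", ""), ("INACTIVE", ""), ("INACTIVE", "")]
NEW_FEED = [("ACTIVE", ""), ("ACTIVE", "")]

if __name__ == "__main__":
    for name, hist in [("failing", FAILING_FEED), ("disabled", DISABLED_FEED),
                       ("new", NEW_FEED)]:
        print(name, triage(hist))
```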

Methods

create

Creates a feed.

delete

Deletes a feed.

disable

Disable feed for ingestion.

enable

Enable feed for ingestion.

get

Gets a feed.

importPushLogs

Import logs coming from HTTPS push feeds.

list

Lists all feeds for the customer.

patch

Updates the full feed.