This parser extracts fields from Aqua Security logs, transforming them into the Unified Data Model (UDM). It parses the message field as JSON, extracts user, source IP, and other relevant fields, maps them to UDM fields, and categorizes events based on the action field, enriching the data with security context like rule names, descriptions, and CVE details.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Privileged access to Aqua Security management console.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings>Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Aqua Security Logs).
Select Webhook as the Source type.
Select Aqua Security as the Log type.
Click Next.
Optional: Specify values for the following input parameters:
Split delimiter: the delimiter that is used to separate log lines, such as \n.
Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide provides instructions for collecting and parsing Aqua Security logs within Google SecOps, utilizing a webhook feed and transforming the data into the Unified Data Model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eThe Aqua Security log parser extracts key information, such as user data, source IP addresses, and event details from the \u003ccode\u003emessage\u003c/code\u003e field, mapping them to relevant UDM fields and categorizing events based on the \u003ccode\u003eaction\u003c/code\u003e field.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration involves setting up a webhook feed in Google SecOps, generating a secret key, and creating an API key to enable secure log ingestion from Aqua Security.\u003c/p\u003e\n"],["\u003cp\u003eThe process includes detailed steps for specifying the feed endpoint URL, API key, and secret key within both the Google SecOps environment and the Aqua Security console to properly configure the webhook.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM Mapping Table outlines how specific fields in the Aqua Security logs are mapped to UDM fields, showing the logic behind each mapping, including setting default values for various security and metadata parameters.\u003c/p\u003e\n"]]],[],null,["# Collect Aqua Security logs\n==========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nOverview\n--------\n\nThis parser extracts fields from Aqua Security logs, transforming them into the Unified Data Model (UDM). It parses the `message` field as JSON, extracts user, source IP, and other relevant fields, maps them to UDM fields, and categorizes events based on the `action` field, enriching the data with security context like rule names, descriptions, and CVE details.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to Aqua Security management console.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed (for example, **Aqua Security Logs**).\n5. Select **Webhook** as the **Source type**.\n6. Select **Aqua Security** as the **Log type**.\n7. Click **Next**.\n8. Optional: Specify values for the following input parameters:\n - **Split delimiter** : the delimiter that is used to separate log lines, such as `\\n`.\n - **Asset namespace** : the [asset namespace](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion labels**: the label applied to the events from this feed.\n9. Click **Next**.\n10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n11. Click **Generate Secret Key** to generate a secret key to authenticate this feed.\n12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.\n13. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. You need to specify this endpoint URL in your client application.\n14. Click **Done**.\n\nCreate an API key for the webhook feed\n--------------------------------------\n\n1. Go to **Google Cloud console** \\\u003e **Credentials**.\n\n [Go to Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create credentials** , and then select **API key**.\n\n3. Restrict the API key access to the **Chronicle API**.\n\nSpecify the endpoint URL\n------------------------\n\n1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.\n2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:\n\n X-goog-api-key = \u003cvar class=\"readonly\" translate=\"no\"\u003eAPI_KEY\u003c/var\u003e\n X-Webhook-Access-Key = \u003cvar class=\"readonly\" translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n **Recommendation**: Specify the API key as a header instead of specifying it in the URL.\n3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:\n\n \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e?key=\u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e&secret=\u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e: the feed endpoint URL.\n - \u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e: the API key to authenticate to Google SecOps.\n - \u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e: the secret key that you generated to authenticate the feed.\n\nCreating a Webhook in Aqua Security for Google SecOps\n-----------------------------------------------------\n\n1. Sign in to Aqua Security console.\n2. Go to **Settings** \\\u003e **Image Scan Results Webhook**.\n3. Check the **Enable sending image scan results** checkbox.\n4. Enter the `\u003cENDPOINT_URL\u003e`, followed by `\u003cAPI_KEY\u003e` and `\u003cSECRET\u003e`.\n5. Click **Save**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
