This parser extracts fields from Onfido SYSLOG and JSON formatted logs, mapping them to the UDM. It parses the message field using grok, handles JSON payloads if present, and maps specific product event types to UDM event types. This includes setting the event type to USER_LOGIN for successful logins and USER_UNCATEGORIZED for other events. It also populates UDM fields for user information, source IP, and security result details.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Privileged access to Onfido Dashboard.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings>Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Onfido Logs.
Select Webhook as the Source type.
Select Onfido as the Log type.
Click Next.
Optional: Specify values for the following input parameters:
Split delimiter: the delimiter that is used to separate log lines, such as \n.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
Recommendation: Specify the API key as a header instead of specifying it in the URL.
If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL: the feed endpoint URL.
API_KEY: the API key to authenticate to Google SecOps.
SECRET: the secret key that you generated to authenticate the feed.
Configure the Onfido webhook
Sign in to the Onfido Dashboard.
Go to Settings>Webhooks.
Click Add Webhook.
Specify values for the following input parameters:
Webhook URL: enter the <ENDPOINT_URL> of the Google SecOps API endpoint.
Events: select the events that should trigger the webhook (for example, select check.completed or report.completed).
Click Save to create the webhook.
UDM Mapping Table
Log Field
UDM Mapping
Logic
category
security_result.category_details
The value of the category field from the raw log is assigned to security_result.category_details.
check_id
metadata.product_log_id
The value of the check_id field extracted from the json_data field in the raw log is assigned to metadata.product_log_id. If prod_evt_type is "Successful login", the value "AUTHTYPE_UNSPECIFIED" is assigned.
metadata.event_timestamp
The timestamp from the raw log entry is converted to epoch seconds and assigned to metadata.event_timestamp.
metadata.event_type
If prod_evt_type is "Successful login", the value USER_LOGIN is assigned. Otherwise, USER_UNCATEGORIZED is assigned.
metadata.product_name
The parser code sets the value to "ONFIDO".
prod_evt_type
metadata.product_event_type
The value of the prod_evt_type field from the raw log is assigned to metadata.product_event_type.
metadata.vendor_name
The parser code sets the value to "ONFIDO".
metadata.product_version
The parser code sets the value to "ONFIDO".
security_result.action
security_result.action
If prod_evt_type is "Successful login", the value ALLOW is assigned.
src_ip
principal.ip
The value of the src_ip field from the raw log is assigned to principal.ip.
user_email
target.user.email_addresses
The value of the user_email field from the raw log is assigned to target.user.email_addresses.
user_name
target.user.user_display_name
The value of the user_name field from the raw log is assigned to target.user.user_display_name.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Collect Onfido logs\n===================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser extracts fields from Onfido SYSLOG and JSON formatted logs, mapping them to the UDM. It parses the message field using grok, handles JSON payloads if present, and maps specific product event types to UDM event types. This includes setting the event type to `USER_LOGIN` for successful logins and `USER_UNCATEGORIZED` for other events. It also populates UDM fields for user information, source IP, and security result details.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to Onfido Dashboard.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **Onfido Logs**.\n5. Select **Webhook** as the **Source type**.\n6. Select **Onfido** as the **Log type**.\n7. Click **Next**.\n8. Optional: Specify values for the following input parameters:\n - **Split delimiter** : the delimiter that is used to separate log lines, such as `\\n`.\n9. Click **Next**.\n10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n11. Click **Generate Secret Key** to generate a secret key to authenticate this feed.\n12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.\n13. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. You need to specify this endpoint URL in your client application.\n14. Click **Done**.\n\nCreate an API key for the webhook feed\n--------------------------------------\n\n1. Go to **Google Cloud console \\\u003e Credentials**.\n\n [Go to Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create credentials** , and then select **API key**.\n\n3. Restrict the API key access to the **Google Security Operations API**.\n\nSpecify the endpoint URL\n------------------------\n\n1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.\n2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:\n\n X-goog-api-key = \u003cvar class=\"readonly\" translate=\"no\"\u003eAPI_KEY\u003c/var\u003e\n X-Webhook-Access-Key = \u003cvar class=\"readonly\" translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n **Recommendation**: Specify the API key as a header instead of specifying it in the URL.\n3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:\n\n \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e?key=\u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e&secret=\u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e: the feed endpoint URL.\n - \u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e: the API key to authenticate to Google SecOps.\n - \u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e: the secret key that you generated to authenticate the feed.\n\n### Configure the Onfido webhook\n\n1. Sign in to the Onfido Dashboard.\n2. Go to **Settings** \\\u003e **Webhooks**.\n3. Click **Add Webhook**.\n4. Specify values for the following input parameters:\n\n - **Webhook URL** : enter the `\u003cENDPOINT_URL\u003e` of the Google SecOps API endpoint.\n\n | **Note:** Append the `\u003cAPI_KEY\u003e` and `\u003cSECRET\u003e` to the endpoint URL `\u003cENDPOINT_URL\u003e?key=\u003cAPI_KEY\u003e&secret=\u003cSECRET\u003e`.\n - **Events:** select the events that should trigger the webhook (for example, select **check.completed** or **report.completed**).\n5. Click **Save** to create the webhook.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
