REST Resource: projects.locations.instances.feeds

Resource: Feed

Feed is a resource that contains feed information needed to create a feed.

JSON representation
{
  "name": string,
  "display_name": string,
  "details": {
    object (FeedDetails)
  },
  "state": enum (State),
  "failure_msg": string,
  "read_only": boolean,
  "last_feed_initiation_time": string,
  "failure_details": {
    object (FeedFailureDetails)
  }
}
Fields
name

string

The resource name of the feed. Format: projects/{project}/locations/{location}/instances/{instance}/feeds/{feed}

display_name

string

Customer-provided feed name.

details

object (FeedDetails)

Additional details of the feed. These details are dynamic and will be different for each of the feeds.

state

enum (State)

Output only. State of the feed.

failure_msg

string

Output only. Details about the most recent failure when feed state is FAILED.

read_only

boolean

Output only. Whether this feed can be updated or deleted.

last_feed_initiation_time

string (Timestamp format)

Output only. Latest timestamp when the transfer was successful for the feed.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

failure_details

object (FeedFailureDetails)

Output only. Failure details for the feed. If the feed is in the failure state, this field will contain the details of the error cause and actions.

FeedDetails

Additional details of the feed. These details are dynamic and will be different for each of the feeds.

JSON representation
{
  "feed_source_type": enum (FeedSourceType),
  "log_type": string,
  "asset_namespace": string,
  "labels": {
    string: string,
    ...
  },

  // Union field details can be only one of the following:
  "anomali_settings": {
    object (AnomaliIocSettings)
  },
  "azure_ad_context_settings": {
    object (AzureADContextSettings)
  },
  "cloud_passage_settings": {
    object (CloudPassageSettings)
  },
  "cortex_xdr_settings": {
    object (CortexXDRSettings)
  },
  "duo_auth_settings": {
    object (DuoAuthSettings)
  },
  "duo_user_context_settings": {
    object (DuoUserContextSettings)
  },
  "microsoft_graph_alert_settings": {
    object (MicrosoftGraphAlertSettings)
  },
  "microsoft_security_center_alert_settings": {
    object (MicrosoftSecurityCenterAlertSettings)
  },
  "mimecast_mail_settings": {
    object (MimecastMailSettings)
  },
  "office365_settings": {
    object (Office365Settings)
  },
  "proofpoint_mail_settings": {
    object (ProofpointMailSettings)
  },
  "recorded_future_ioc_settings": {
    object (RecordedFutureIocSettings)
  },
  "workday_settings": {
    object (WorkdaySettings)
  },
  "pan_ioc_settings": {
    object (PanIocSettings)
  },
  "okta_settings": {
    object (OktaSettings)
  },
  "okta_user_context_settings": {
    object (OktaUserContextSettings)
  },
  "fox_it_stix_settings": {
    object (FoxITStixSettings)
  },
  "threat_connect_ioc_settings": {
    object (ThreatConnectIoCSettings)
  },
  "service_now_cmdb_settings": {
    object (ServiceNowCMDBSettings)
  },
  "imperva_waf_settings": {
    object (ImpervaWAFSettings)
  },
  "thinkst_canary_settings": {
    object (ThinkstCanarySettings)
  },
  "rh_isac_ioc_settings": {
    object (RHIsacIocSettings)
  },
  "rapid7_insight_settings": {
    object (Rapid7InsightSettings)
  },
  "salesforce_settings": {
    object (SalesforceSettings)
  },
  "netskope_alert_settings": {
    object (NetskopeAlertSettings)
  },
  "azure_mdm_intune_settings": {
    object (AzureMDMIntuneSettings)
  },
  "azure_ad_settings": {
    object (AzureADSettings)
  },
  "proofpoint_on_demand_settings": {
    object (ProofpointOnDemandSettings)
  },
  "workspace_users_settings": {
    object (WorkspaceUsersSettings)
  },
  "workspace_activity_settings": {
    object (WorkspaceActivitySettings)
  },
  "workspace_alerts_settings": {
    object (WorkspaceAlertsSettings)
  },
  "workspace_privileges_settings": {
    object (WorkspacePrivilegesSettings)
  },
  "workspace_mobile_settings": {
    object (WorkspaceMobileSettings)
  },
  "workspace_chrome_os_settings": {
    object (WorkspaceChromeOSSettings)
  },
  "workspace_groups_settings": {
    object (WorkspaceGroupsSettings)
  },
  "azure_ad_audit_settings": {
    object (AzureADAuditSettings)
  },
  "symantec_event_export_settings": {
    object (SymantecEventExportSettings)
  },
  "qualys_vm_settings": {
    object (QualysVMSettings)
  },
  "pan_prisma_cloud_settings": {
    object (PanPrismaCloudSettings)
  },
  "gcs_settings": {
    object (GoogleCloudStorageSettings)
  },
  "http_settings": {
    object (HttpSettings)
  },
  "sftp_settings": {
    object (SftpSettings)
  },
  "amazon_s3_settings": {
    object (AmazonS3Settings)
  },
  "azure_blob_store_settings": {
    object (AzureBlobStoreSettings)
  },
  "amazon_sqs_settings": {
    object (AmazonSQSSettings)
  },
  "google_cloud_identity_devices_settings": {
    object (GoogleCloudIdentityDevicesSettings)
  },
  "google_cloud_identity_device_users_settings": {
    object (GoogleCloudIdentityDeviceUsersSettings)
  },
  "crowdstrike_detects_settings": {
    object (CrowdStrikeDetectsSettings)
  },
  "mandiant_ioc_settings": {
    object (MandiantIoCSettings)
  },
  "sentinelone_alert_settings": {
    object (SentineloneAlertSettings)
  },
  "qualys_scan_settings": {
    object (QualysScanSettings)
  },
  "pubsub_settings": {
    object (PubsubSettings)
  },
  "amazon_kinesis_firehose_settings": {
    object (AmazonKinesisFirehoseSettings)
  },
  "webhook_settings": {
    object (WebhookSettings)
  },
  "dummy_log_type_settings": {
    object (DummyLogTypeSettings)
  },
  "https_push_google_cloud_pubsub_settings": {
    object (HttpsPushGoogleCloudPubSubSettings)
  },
  "https_push_amazon_kinesis_firehose_settings": {
    object (HttpsPushAmazonKinesisFirehoseSettings)
  },
  "https_push_webhook_settings": {
    object (HttpsPushWebhookSettings)
  },
  "aws_ec2_hosts_settings": {
    object (AWSEC2HostsSettings)
  },
  "aws_ec2_instances_settings": {
    object (AWSEC2InstancesSettings)
  },
  "aws_ec2_vpcs_settings": {
    object (AWSEC2VpcsSettings)
  },
  "aws_iam_settings": {
    object (AWSIAMSettings)
  },
  "omniflow_gcs_settings": {
    object (OmniflowGoogleCloudStorageSettings)
  },
  "omniflow_amazon_s3_settings": {
    object (OmniflowAmazonS3Settings)
  },
  "omniflow_amazon_sqs_settings": {
    object (OmniflowAmazonSQSSettings)
  },
  "netskope_alert_v2_settings": {
    object (NetskopeAlertV2Settings)
  },
  "gcs_v2_settings": {
    object (GoogleCloudStorageV2Settings)
  },
  "amazon_s3_v2_settings": {
    object (AmazonS3V2Settings)
  },
  "amazon_sqs_v2_settings": {
    object (AmazonSQSV2Settings)
  },
  "azure_event_hub_settings": {
    object (AzureEventHubSettings)
  },
  "trellix_hx_hosts_settings": {
    object (TrellixHxHostsSettings)
  },
  "azure_blob_store_v2_settings": {
    object (AzureBlobStoreV2Settings)
  }
  // End of list of possible types for union field details.
}
Fields
feed_source_type

enum (FeedSourceType)

Source Type of the feed.

log_type

string

LogType. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type}

asset_namespace

string

The asset namespace to apply to all logs ingested through this feed.

labels

map (key: string, value: string)

The ingestion metadata labels to apply to all logs ingested through this feed, and the resulting normalized data.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Union field details. Additional details of the feed. Depends on the feed type. details can be only one of the following:
anomali_settings

object (AnomaliIocSettings)

Anomali IOC settings.

azure_ad_context_settings

object (AzureADContextSettings)

Azure AD Context settings.

cloud_passage_settings

object (CloudPassageSettings)

Cloud Passage settings.

cortex_xdr_settings

object (CortexXDRSettings)

Cortex XDR settings.

duo_auth_settings

object (DuoAuthSettings)

Duo Auth settings.

duo_user_context_settings

object (DuoUserContextSettings)

Duo User Context settings.

microsoft_graph_alert_settings

object (MicrosoftGraphAlertSettings)

Microsoft Graph Alert settings.

microsoft_security_center_alert_settings

object (MicrosoftSecurityCenterAlertSettings)

Microsoft Security Center alert settings.

mimecast_mail_settings

object (MimecastMailSettings)

Mimecast mail settings.

office365_settings

object (Office365Settings)

Office 365 settings.

proofpoint_mail_settings

object (ProofpointMailSettings)

Proofpoint mail settings.

recorded_future_ioc_settings

object (RecordedFutureIocSettings)

Recorded Future IOC settings.

workday_settings

object (WorkdaySettings)

Workday settings.

pan_ioc_settings

object (PanIocSettings)

PAN IOC settings.

okta_settings

object (OktaSettings)

Okta settings.

okta_user_context_settings

object (OktaUserContextSettings)

Okta user context settings.

fox_it_stix_settings

object (FoxITStixSettings)

Fox-IT STIX settings.

threat_connect_ioc_settings

object (ThreatConnectIoCSettings)

ThreatConnect IOC settings.

service_now_cmdb_settings

object (ServiceNowCMDBSettings)

ServiceNow CMDB settings.

imperva_waf_settings

object (ImpervaWAFSettings)

Imperva WAF settings.

thinkst_canary_settings

object (ThinkstCanarySettings)

Thinkst Canary settings.

rh_isac_ioc_settings

object (RHIsacIocSettings)

RH-ISAC IOC settings.

rapid7_insight_settings

object (Rapid7InsightSettings)

Rapid7 Insight settings.

salesforce_settings

object (SalesforceSettings)

Salesforce settings.

netskope_alert_settings

object (NetskopeAlertSettings)

Netskope alert settings.

azure_mdm_intune_settings

object (AzureMDMIntuneSettings)

Azure MDM Intune settings.

azure_ad_settings

object (AzureADSettings)

Azure AD settings.

proofpoint_on_demand_settings

object (ProofpointOnDemandSettings)

Proofpoint On-Demand settings.

workspace_users_settings

object (WorkspaceUsersSettings)

Workspace users settings.

workspace_activity_settings

object (WorkspaceActivitySettings)

Workspace activity settings.

workspace_alerts_settings

object (WorkspaceAlertsSettings)

Workspace alerts settings.

workspace_privileges_settings

object (WorkspacePrivilegesSettings)

Workspace privileges settings.

workspace_mobile_settings

object (WorkspaceMobileSettings)

Workspace mobile settings.

workspace_chrome_os_settings

object (WorkspaceChromeOSSettings)

Workspace ChromeOS settings.

workspace_groups_settings

object (WorkspaceGroupsSettings)

Workspace Groups settings.

azure_ad_audit_settings

object (AzureADAuditSettings)

Azure AD Audit settings.

symantec_event_export_settings

object (SymantecEventExportSettings)

Symantec Event Export settings.

qualys_vm_settings

object (QualysVMSettings)

Qualys VM settings.

pan_prisma_cloud_settings

object (PanPrismaCloudSettings)

PAN Prisma Cloud settings.

gcs_settings

object (GoogleCloudStorageSettings)

Google Cloud Storage settings.

http_settings

object (HttpSettings)

HTTP settings.

sftp_settings

object (SftpSettings)

SFTP settings.

amazon_s3_settings

object (AmazonS3Settings)

Amazon S3 settings.

azure_blob_store_settings

object (AzureBlobStoreSettings)

Azure Blob Storage settings.

amazon_sqs_settings

object (AmazonSQSSettings)

Amazon SQS settings.

google_cloud_identity_devices_settings

object (GoogleCloudIdentityDevicesSettings)

Google Cloud Identity Devices settings.

google_cloud_identity_device_users_settings

object (GoogleCloudIdentityDeviceUsersSettings)

Google Cloud Identity Device Users settings.

crowdstrike_detects_settings

object (CrowdStrikeDetectsSettings)

CrowdStrike Detects API settings.

mandiant_ioc_settings

object (MandiantIoCSettings)

Mandiant IOC settings.

sentinelone_alert_settings

object (SentineloneAlertSettings)

SentinelOne Alert settings.

qualys_scan_settings

object (QualysScanSettings)

Qualys Scan settings.

pubsub_settings

object (PubsubSettings)

Pub/Sub settings.

amazon_kinesis_firehose_settings

object (AmazonKinesisFirehoseSettings)

Amazon Kinesis Firehose settings.

webhook_settings

object (WebhookSettings)

Webhook settings.

dummy_log_type_settings

object (DummyLogTypeSettings)

DummyLogType Settings.

https_push_google_cloud_pubsub_settings

object (HttpsPushGoogleCloudPubSubSettings)

HTTPS push Google Pub/Sub settings.

https_push_amazon_kinesis_firehose_settings

object (HttpsPushAmazonKinesisFirehoseSettings)

HTTPS push Amazon Kinesis Firehose settings.

https_push_webhook_settings

object (HttpsPushWebhookSettings)

HTTPS push Webhook settings.

aws_ec2_hosts_settings

object (AWSEC2HostsSettings)

AWS EC2 Hosts settings.

aws_ec2_instances_settings

object (AWSEC2InstancesSettings)

AWS EC2 Instances settings.

aws_ec2_vpcs_settings

object (AWSEC2VpcsSettings)

AWS EC2 VPCs settings.

aws_iam_settings

object (AWSIAMSettings)

AWS IAM settings.

omniflow_gcs_settings

object (OmniflowGoogleCloudStorageSettings)

Settings for Omniflow based Cloud Storage Feeds.

omniflow_amazon_s3_settings

object (OmniflowAmazonS3Settings)

Settings for Omniflow based Amazon S3 Feeds.

omniflow_amazon_sqs_settings

object (OmniflowAmazonSQSSettings)

Settings for Omniflow based Amazon SQS Feeds.

netskope_alert_v2_settings

object (NetskopeAlertV2Settings)

Netskope alert V2 settings.

gcs_v2_settings

object (GoogleCloudStorageV2Settings)

Settings for Google Cloud Storage Omniflow feeds.

amazon_s3_v2_settings

object (AmazonS3V2Settings)

Settings for S3 Omniflow feeds.

amazon_sqs_v2_settings

object (AmazonSQSV2Settings)

Settings for SQS Omniflow feeds.

azure_event_hub_settings

object (AzureEventHubSettings)

Settings for Omniflow based native ingestion from Azure Event Hub.

trellix_hx_hosts_settings

object (TrellixHxHostsSettings)

Settings for Trellix HX Host Metadata.

azure_blob_store_v2_settings

object (AzureBlobStoreV2Settings)

Settings for Azure Blobstore Omniflow feeds.

AnomaliIocSettings

Anomali IOC settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

UsernameSecretAuth

Info for username and secret based authentication.

JSON representation
{
  "user": string,
  "secret": string
}
Fields
user

string

Username of an identity used for authentication.

secret

string

Secret of the account identified by user_name.

AzureADContextSettings

Azure AD Context settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "retrieve_devices": boolean,
  "retrieve_groups": boolean,
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

retrieve_devices

boolean

Whether to retrieve device information in user context.

retrieve_groups

boolean

Whether to retrieve group information in user context.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MicrosoftOAuthClientCredentials

Microsoft OAuth 2.0 client credentials grant.

JSON representation
{
  "client_id": string,
  "client_secret": string
}
Fields
client_id

string

Client ID.

client_secret

string

Client secret.

CloudPassageSettings

CloudPassage settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "event_types": [
    string
  ]
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

event_types[]

string

Event types filter for the events API.

CortexXDRSettings

PAN Cortex XDR settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "endpoint": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

endpoint

string

API Endpoint.

HttpHeaderAuth

HTTP header based authentication.

JSON representation
{
  "header_key_values": [
    {
      object (HeaderKeyValue)
    }
  ]
}
Fields
header_key_values[]

object (HeaderKeyValue)

Header key-value pairs.

HeaderKeyValue

Header key-value pairs.

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Key.

value

string

Value.

DuoAuthSettings

Duo Authentication settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

DuoUserContextSettings

Duo User Context settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API hostname.

MicrosoftGraphAlertSettings

Microsoft Graph Alert settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MicrosoftSecurityCenterAlertSettings

Microsoft Security Center alert settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "subscription_id": string,
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

subscription_id

string

Subscription ID for Microsoft Security Center alerts.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

MimecastMailSettings

Mimecast Mail settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

Office365Settings

Office 365 settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "content_type": enum (ContentType),
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

content_type

enum (ContentType)

Supported Office 365 content type.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

ContentType

Office 365 supported content types: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api

Enums
CONTENT_TYPE_UNSPECIFIED Unspecified content type.
AUDIT_AZURE_ACTIVE_DIRECTORY Audit.AzureActiveDirectory.
AUDIT_EXCHANGE Audit.Exchange.
AUDIT_SHARE_POINT Audit.SharePoint.
AUDIT_GENERAL Audit.General.
DLP_ALL DLP.All.

ProofpointMailSettings

Proofpoint Mail settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

RecordedFutureIocSettings

Recorded Future IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  }
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

WorkdaySettings

Workday settings.

JSON representation
{
  "authentication": {
    object (WorkdayAuth)
  },
  "hostname": string,
  "tenant_id": string
}
Fields
authentication

object (WorkdayAuth)

Input only. Authentication.

hostname

string

API Hostname.

tenant_id

string

Tenant ID.

WorkdayAuth

Authentication for Workday.

JSON representation
{
  "user": string,
  "secret": string,
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "refresh_token": string
}
Fields
user

string

Username. This is unused: Workday feeds were originally configured using a username and secret authentication method, but only the secret field was used, and it was used to supply the OAuth access token.

secret

string

The access token used to authenticate against Workday. This field is called "secret" to maintain backwards compatibility. Workday was (only) configured using username (which was unused) and secret (which is used as the access token). Either this field or all of the other OAuth fields below must be specified.

token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client Secret.

refresh_token

string

Refresh Token.

PanIocSettings

PAN IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "feed_id": string,
  "feed": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

feed_id

string

PAN IOC feed ID.

feed

string

PAN IOC feed name.

OktaSettings

Okta settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

OktaUserContextSettings

Okta user context settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "manager_id_reference_field": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

manager_id_reference_field

string

Manager id reference field.

FoxITStixSettings

Fox-IT STIX settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "ssl": {
    object (SSLClientKeypair)
  },
  "poll_service_uri": string,
  "collection": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

ssl

object (SSLClientKeypair)

SSL client key pair.

poll_service_uri

string

TAXII poll service URI.

collection

string

Collection available at the poll service.

SSLClientKeypair

An SSL client certificate keypair.

JSON representation
{
  "encoded_private_key": string,
  "ssl_certificate": string
}
Fields
encoded_private_key

string

The encoded private key. The string should be a private key in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F23074E02CF47304

-----END RSA PRIVATE KEY-----

ssl_certificate

string

The encoded SSL certificate. The string should be an SSL certificate in PEM format, and should include the begin header and end footer lines. It may also include newlines.

Example:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ThreatConnectIoCSettings

ThreatConnect IOC Settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "owners": [
    string
  ]
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

owners[]

string

Owners.

ServiceNowCMDBSettings

ServiceNow CMDB settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "feedname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

feedname

string

Feedname.

ImpervaWAFSettings

Imperva WAF settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  }
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

ThinkstCanarySettings

Thinkst Canary settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

RHIsacIocSettings

RH-ISAC settings.

JSON representation
{
  "authentication": {
    object (OAuthClientCredentials)
  }
}
Fields
authentication

object (OAuthClientCredentials)

Input only. Authentication.

OAuthClientCredentials

OAuth 2.0 client credentials grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string
}
Fields
token_endpoint

string

Token endpoint.

client_id

string

Client ID.

client_secret

string

Client secret.

Rapid7InsightSettings

Rapid7 Insight settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "endpoint": string,
  "hostname": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

endpoint

string

Rapid7 API endpoint. Should be "vulnerabilities" or "assets".

hostname

string

API Hostname.

SalesforceSettings

Salesforce settings.

JSON representation
{
  "hostname": string,

  // Union field authentication can be only one of the following:
  "oauth_password_grant_auth": {
    object (OAuthPasswordGrantCredentials)
  },
  "oauth_jwt_credentials": {
    object (OAuthJWTCredentials)
  }
  // End of list of possible types for union field authentication.
}
Fields
hostname

string

API hostname.

Union field authentication. Possible types of authentication. authentication can be only one of the following:
oauth_password_grant_auth

object (OAuthPasswordGrantCredentials)

Input only. OAuthPasswordGrantCredentials auth.

oauth_jwt_credentials

object (OAuthJWTCredentials)

Input only. OAuthJWTCredentials auth.
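The "only one of" union rules (FeedDetails details, Salesforce authentication), the WorkdayAuth either/or requirement and the Rapid7 endpoint restriction can be checked before a feed body is sent. The following is an added example, not code from this reference or from Google; the function names, the "_settings" suffix heuristic and the sample values are assumptions made for illustration.

```python
# Added example: pre-submission lint for a FeedDetails object (not Google's code).

# FeedDetails fields that sit beside the `details` union rather than inside it.
COMMON_FIELDS = {"feed_source_type", "log_type", "asset_namespace", "labels"}
# WorkdayAuth: OAuth fields that must all be set when `secret` is absent.
WORKDAY_OAUTH = ("token_endpoint", "client_id", "client_secret", "refresh_token")
# Rapid7InsightSettings.endpoint: the two values the reference allows.
RAPID7_ENDPOINTS = ("vulnerabilities", "assets")
# SalesforceSettings `authentication` union members.
SALESFORCE_AUTH = ("oauth_password_grant_auth", "oauth_jwt_credentials")


def union_members(details):
    """Keys of `details` that belong to the union.

    Assumption: every union member ends in "_settings", which holds for
    the member list on this page.
    """
    return sorted(k for k in details
                  if k.endswith("_settings") and k not in COMMON_FIELDS)


def lint_workday_auth(auth):
    """Either `secret` (the access token) or every OAuth field must be set."""
    if auth.get("secret"):
        return []
    missing = [f for f in WORKDAY_OAUTH if not auth.get(f)]
    if missing:
        return ["WorkdayAuth: no `secret`, and OAuth fields missing: "
                + ", ".join(missing)]
    return []


def lint_feed_details(details):
    """Return a list of problem strings; an empty list means no findings."""
    members = union_members(details)
    if len(members) > 1:
        return ["details union: only one settings object allowed, found "
                + ", ".join(members)]
    if not members:
        # Assumption: a feed that names no source settings is a mistake.
        return ["details union: no settings object present"]

    kind = members[0]
    settings = details[kind] or {}
    problems = []
    if kind == "workday_settings":
        problems += lint_workday_auth(settings.get("authentication") or {})
    elif kind == "rapid7_insight_settings":
        if settings.get("endpoint") not in RAPID7_ENDPOINTS:
            problems.append('Rapid7 endpoint must be "vulnerabilities" or '
                            '"assets", got %r' % settings.get("endpoint"))
    elif kind == "salesforce_settings":
        chosen = [k for k in SALESFORCE_AUTH if k in settings]
        if len(chosen) != 1:
            problems.append("Salesforce authentication union: expected one "
                            "of %s, found %d" % (", ".join(SALESFORCE_AUTH),
                                                 len(chosen)))
    return problems


# Constructed sample inputs (placeholder hostnames and credentials).
WORKDAY_PARTIAL_OAUTH = {
    "log_type": "projects/p/locations/l/instances/i/logTypes/EXAMPLE_LOG_TYPE",
    "workday_settings": {
        "hostname": "workday.example.com",
        "tenant_id": "example-tenant",
        # `user` is unused per the reference; `secret` is absent, so all
        # four OAuth fields are required, but only two are given.
        "authentication": {"user": "svc", "client_id": "cid",
                           "client_secret": "placeholder"},
    },
}
TWO_SOURCES = {"okta_settings": {}, "duo_auth_settings": {}}

if __name__ == "__main__":
    for name, sample in [("workday", WORKDAY_PARTIAL_OAUTH),
                         ("two sources", TWO_SOURCES)]:
        print(name, "->", lint_feed_details(sample))
```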

OAuthPasswordGrantCredentials

OAuth 2.0 password grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "user": string,
  "password": string
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client secret.

user

string

Username.

password

string

Password.

OAuthJWTCredentials

OAuth 2.0 JWT grant. See https://tools.ietf.org/html/rfc7519.

JSON representation
{
  "token_endpoint": string,
  "claims": {
    object (Claims)
  },

  // Union field credentials can be only one of the following:
  "rs_credentials": {
    object (RSCredentials)
  }
  // End of list of possible types for union field credentials.
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

claims

object (Claims)

Claims.

Union field credentials. Credentials. credentials can be only one of the following:
rs_credentials

object (RSCredentials)

RS credentials.

RSCredentials

RS credentials.

JSON representation
{
  "private_key": string
}
Fields
private_key

string

Private key in PEM format.

Claims

Claims identifying a specific customer.

JSON representation
{
  "issuer": string,
  "subject": string,
  "audience": string
}
Fields
issuer

string

Issuer. Usually the client_id.

subject

string

Subject. Usually the email.

audience

string

Audience.

NetskopeAlertSettings

Netskope Alert settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "feedname": string,
  "content_type": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

feedname

string

Feedname.

content_type

string

Content type.

AzureMDMIntuneSettings

Azure MDM Intune settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

AzureADSettings

Azure AD settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

ProofpointOnDemandSettings

Proofpoint On-demand settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "cluster_id": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

cluster_id

string

Cluster ID.

WorkspaceUsersSettings

Workspace Users settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceActivitySettings

Workspace Activity settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string,
  "applications": [
    string
  ]
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

applications[]

string

Applications.

WorkspaceAlertsSettings

Workspace Alert settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspacePrivilegesSettings

Workspace Privileges settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceMobileSettings

Workspace Mobile settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceChromeOSSettings

Workspace Chrome OS settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

WorkspaceGroupsSettings

Workspace Groups settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "workspace_customer_id": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

workspace_customer_id

string

Customer ID.

AzureADAuditSettings

Azure AD Audit settings.

JSON representation
{
  "authentication": {
    object (MicrosoftOAuthClientCredentials)
  },
  "tenant_id": string,
  "hostname": string,
  "auth_endpoint": string
}
Fields
authentication

object (MicrosoftOAuthClientCredentials)

Input only. Authentication.

tenant_id

string

Tenant ID.

hostname

string

API Hostname.

auth_endpoint

string

API Auth Endpoint.

SymantecEventExportSettings

Symantec Event Export settings.

JSON representation
{
  "authentication": {
    object (OAuthRefreshToken)
  }
}
Fields
authentication

object (OAuthRefreshToken)

Input only. Authentication.

OAuthRefreshToken

OAuth 2.0 refresh token grant. See https://tools.ietf.org/html/rfc6749.

JSON representation
{
  "token_endpoint": string,
  "client_id": string,
  "client_secret": string,
  "refresh_token": string
}
Fields
token_endpoint

string

Token endpoint to get the OAuth token from.

client_id

string

Client ID.

client_secret

string

Client secret.

refresh_token

string

Refresh token.

QualysVMSettings

Qualys VM settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

API Hostname.

PanPrismaCloudSettings

PAN Prisma Cloud settings.

JSON representation
{
  "authentication": {
    object (PanPrismaAuth)
  },
  "hostname": string
}
Fields
authentication

object (PanPrismaAuth)

Input only. Authentication.

hostname

string

API Hostname.

PanPrismaAuth

PAN Prisma Cloud auth.

JSON representation
{
  "user": string,
  "password": string
}
Fields
user

string

Username.

password

string

Password.

GoogleCloudStorageSettings

Google Cloud Storage settings.

JSON representation
{
  "bucket_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption),
  "chronicle_service_account": string
}
Fields
bucket_uri

string

Bucket URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

chronicle_service_account

string

Output only. Service account that Chronicle will use to pull data.

URISourceType

The type of URIs specified in the source URIs.

Enums
URI_SOURCE_TYPE_UNSPECIFIED If encountered, will throw an INVALID_ARGUMENT error.
FILES The URIs in source_uris point to files.
FOLDERS The URIs in source_uris point to folders, and Xenon should not descend into subfolders of those folders.
FOLDERS_RECURSIVE The URIs in source_uris point to folders, and Xenon should descend into subfolders of those folders.

SourceDeletionOption

Source deletion option controls whether source files should be deleted after transferring.

Enums
SOURCE_DELETION_OPTION_UNSPECIFIED If encountered, will be treated as SOURCE_DELETION_NEVER.
SOURCE_DELETION_NEVER Never delete files from the source.
SOURCE_DELETION_ON_SUCCESS After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source.
SOURCE_DELETION_ON_SUCCESS_FILES_ONLY After the fetch completes, if there are no errors, delete files (leaving any directories) from the source.

HttpSettings

HTTP settings.

JSON representation
{
  "uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
uri

string

HTTP URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SftpSettings

SFTP settings.

JSON representation
{
  "authentication": {
    object (SftpAuth)
  },
  "uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (SftpAuth)

Input only. Authentication.

uri

string

SFTP URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SftpAuth

SFTP Auth.

JSON representation
{
  "username": string,
  "password": string,
  "private_key": string,
  "private_key_passphrase": string
}
Fields
username

string

Username. Used for username and password authentication.

password

string

Password. Used for username and password authentication.

private_key

string

Private key. Used for private key authentication.

private_key_passphrase

string

Private key passphrase. Used for private key authentication.

AmazonS3Settings

Amazon S3 settings.

JSON representation
{
  "authentication": {
    object (S3Auth)
  },
  "s3_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (S3Auth)

Input only. Authentication.

s3_uri

string

S3 URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

S3Auth

Amazon S3 auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string,
  "client_id": string,
  "client_secret": string,
  "refresh_uri": string,
  "region": enum (S3Region)
}
Fields
access_key_id

string

Access key ID. Used when using access key auth.

secret_access_key

string

Secret access key. Used when using access key auth.

client_id

string

Client ID. Used when using OAuth auth.

client_secret

string

Client secret. Used when using OAuth auth.

refresh_uri

string

Refresh URI. Used when using OAuth auth.

region

enum (S3Region)

S3 Region.

S3Region

AWS S3 regions: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region.

Enums
S3_REGION_UNSPECIFIED Unspecified region means Auto detect. Auto detect does not successfully detect GOV Cloud.
US_EAST_1 US. N. Virginia (previously known as US_STANDARD).
US_EAST_2 Ohio.
US_WEST_1 N. California.
US_WEST_2 Oregon.
US_GOV_CLOUD Not accessible unless AWS US Govt. account.
US_GOV_EAST_1 Not accessible unless AWS US Govt. account.
EU_WEST_1 Europe. Ireland.
EU_WEST_2 London.
EU_WEST_3 Paris.
EU_CENTRAL_1 Frankfurt.
EU_NORTH_1 Stockholm.
EU_SOUTH_1 Milan.
AP_SOUTH_1 Asia Pacific Mumbai.
AP_SOUTHEAST_1 Singapore.
AP_SOUTHEAST_2 Sydney.
AP_SOUTHEAST_3 Jakarta.
AP_NORTHEAST_1 Tokyo.
AP_NORTHEAST_2 Seoul.
AP_NORTHEAST_3 Osaka.
AP_EAST_1 Hong Kong.
SA_EAST_1 South America. Sao Paulo.
CN_NORTH_1 China - Not accessible unless AWS China account. China - Beijing.
CN_NORTHWEST_1 China - Ningxia.
CA_CENTRAL_1 Canada. Canada Central.
AF_SOUTH_1 Africa. Capetown.
ME_SOUTH_1 Middle East. Bahrain.
AP_SOUTH_2 Asia Pacific (Hyderabad).
AP_SOUTHEAST_4 Asia Pacific (Melbourne).
CA_WEST_1 Canada West (Calgary).
EU_SOUTH_2 Europe (Spain).
EU_CENTRAL_2 Europe (Zurich).
IL_CENTRAL_1 Israel (Tel Aviv).
ME_CENTRAL_1 Middle East (UAE).

AzureBlobStoreSettings

Azure Blob Storage settings.

JSON representation
{
  "authentication": {
    object (AzureAuth)
  },
  "azure_uri": string,
  "source_type": enum (URISourceType),
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
authentication

object (AzureAuth)

Input only. Authentication.

azure_uri

string

Azure URI.

source_type

enum (URISourceType)

The URI source type.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

AzureAuth

Azure auth.

JSON representation
{

  // Union field auth_type can be only one of the following:
  "shared_key": string,
  "sas_token": string
  // End of list of possible types for union field auth_type.
}
Fields
Union field auth_type. Type of auth used with Azure. auth_type can be only one of the following:
shared_key

string

Shared Key.

sas_token

string

SAS Token.

AmazonSQSSettings

Amazon SQS settings.

JSON representation
{
  "region": enum (S3Region),
  "queue": string,
  "account_number": string,
  "authentication": {
    object (SQSAuth)
  },
  "source_deletion_option": enum (SourceDeletionOption)
}
Fields
region

enum (S3Region)

S3 Region.

queue

string

Name of the queue.

account_number

string

Account number of the owner of the queue.

authentication

object (SQSAuth)

Input only. Authentication.

source_deletion_option

enum (SourceDeletionOption)

Source deletion option.

SQSAuth

Amazon SQS auth.

JSON representation
{
  "sqs_access_key_secret_auth": {
    object (SQSAccessKeySecretAuth)
  },
  "additional_s3_access_key_secret_auth": {
    object (AdditionalS3AccessKeySecretAuth)
  }
}
Fields
sqs_access_key_secret_auth

object (SQSAccessKeySecretAuth)

SQS access key secret auth.

additional_s3_access_key_secret_auth

object (AdditionalS3AccessKeySecretAuth)

Authentication for the S3 bucket referred to by the items in the SQS queue. This is only required if it is different from the authentication for the queue.

SQSAccessKeySecretAuth

Amazon SQS access key and secret auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Access key ID.

secret_access_key

string

Secret access key.

AdditionalS3AccessKeySecretAuth

Additional S3 access key secret auth.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Access key ID.

secret_access_key

string

Secret access key.

GoogleCloudIdentityDevicesSettings

Google Cloud Identity Devices settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  },
  "api_version": string
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

api_version

string

API Version.

GoogleCloudIdentityDeviceUsersSettings

Google Cloud Identity Device Users settings.

JSON representation
{
  "authentication": {
    object (OAuthJWTCredentials)
  }
}
Fields
authentication

object (OAuthJWTCredentials)

Input only. Authentication.

CrowdStrikeDetectsSettings

CrowdStrike Detects settings.

JSON representation
{
  "authentication": {
    object (OAuthClientCredentials)
  },
  "hostname": string
}
Fields
authentication

object (OAuthClientCredentials)

Input only. OAuthClientCredentials.

hostname

string

API Hostname.

MandiantIoCSettings

Mandiant IOC settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "start_time": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

start_time

string (Timestamp format)

Time from which to start fetching the IOCs.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

SentineloneAlertSettings

SentinelOne Alert settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "initial_start_time": string,
  "is_alert_api_subscribed": boolean
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

Hostname of SentinelOne alert settings.

initial_start_time

string

Initial start time from which to fetch the alerts.

is_alert_api_subscribed

boolean

Whether the customer is subscribed to the Alerts API.

QualysScanSettings

Qualys Scan settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "hostname": string,
  "api_type": enum (ApiType)
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

hostname

string

Hostname.

api_type

enum (ApiType)

Supported Qualys Scan API type.

ApiType

API Type

Enums
API_TYPE_UNSPECIFIED Unspecified API Type
SCAN_SUMMARY_OUTPUT Scan Summaries
SCAN_COMPLIANCE_OUTPUT Scan Compliance
SCAN_COMPLIANCE_CONTROL_OUTPUT Scan Compliance Control

PubsubSettings

Settings required by Google Cloud Pub/Sub Feeds (HTTP-Push).

JSON representation
{
  "google_service_account_email": string
}
Fields
google_service_account_email

string

Google Service Account Email.

AmazonKinesisFirehoseSettings

This type has no fields.

Settings required by Amazon Kinesis Firehose Feeds (HTTP-Push).

WebhookSettings

This type has no fields.

Settings required by Webhook Feeds (HTTP-Push).

DummyLogTypeSettings

Settings required by Feeds of DummyLogType (used for testing purposes).

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "api_endpoint": string
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

api_endpoint

string

Full API Endpoint.

HttpsPushGoogleCloudPubSubSettings

Settings required by Google Cloud Platform Pub/Sub Feeds (HTTPS-Push V2).

JSON representation
{
  "split_delimiter": string
}
Fields
split_delimiter

string

Optional. Delimiter to split on for the feed.

HttpsPushAmazonKinesisFirehoseSettings

Settings required by Amazon Kinesis Firehose Feeds (HTTPS-Push V2).

JSON representation
{
  "split_delimiter": string
}
Fields
split_delimiter

string

Optional. Delimiter to split on for the feed.

HttpsPushWebhookSettings

Settings required by Webhook Feeds (HTTPS-Push V2).

JSON representation
{
  "split_delimiter": string
}
Fields
split_delimiter

string

Optional. Delimiter to split on for the feed.

AWSEC2HostsSettings

AWS EC2 Hosts Settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

AWSEC2InstancesSettings

AWS EC2 Instances Settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

AWSEC2VpcsSettings

AWS EC2 Vpcs Settings.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  }
}
Fields
authentication

object (UsernameSecretAuth)

Input only. UsernameSecretAuth.

AWSIAMSettings

AWSIAMSettings contains details needed for creating an AWS IAM feed.

JSON representation
{
  "authentication": {
    object (UsernameSecretAuth)
  },
  "api_type": enum (ApiType)
}
Fields
authentication

object (UsernameSecretAuth)

Input only. Authentication.

api_type

enum (ApiType)

Supported AWS IAM API type.

ApiType

API Type

Enums
API_TYPE_UNSPECIFIED API Type Unspecified
USERS Users.
ROLES Roles.
GROUPS Groups.

OmniflowGoogleCloudStorageSettings

OmniflowGoogleCloudStorageSettings.

JSON representation
{
  "bucket_uri": string,
  "source_deletion_option": enum (OmniflowSourceDeletionOption),
  "chronicle_service_account": string,
  "max_lookback_days": string
}
Fields
bucket_uri

string

Required. Bucket URI.

source_deletion_option

enum (OmniflowSourceDeletionOption)

Optional. Source deletion option.

chronicle_service_account

string

Output only. Service account (SA) that will read the data. This is the Storage Transfer Service SA of the customer's tenancy project.

max_lookback_days

string

Optional. Maximum File Age to ingest in days.

OmniflowSourceDeletionOption

Source deletion option.

Enums
OMNIFLOW_SOURCE_DELETION_OPTION_UNSPECIFIED If encountered, will be treated as SOURCE_DELETION_NEVER.
OMNIFLOW_SOURCE_DELETION_NEVER Never delete files from the source.
OMNIFLOW_SOURCE_DELETION_ON_SUCCESS After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source.

OmniflowAmazonS3Settings

OmniflowAmazonS3Settings.

JSON representation
{
  "authentication": {
    object (OmniflowS3Auth)
  },
  "s3_uri": string,
  "source_deletion_option": enum (OmniflowSourceDeletionOption),
  "max_lookback_days": string
}
Fields
authentication

object (OmniflowS3Auth)

Required. Authentication.

s3_uri

string

Required. S3 URI.

source_deletion_option

enum (OmniflowSourceDeletionOption)

Optional. Source deletion option.

max_lookback_days

string

Optional. Maximum File Age to ingest in days.

OmniflowS3Auth

A message containing fields used to authenticate with Amazon S3.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Required. Access Key ID for an AWS account (a 20-character, alphanumeric string).

secret_access_key

string

Required. Secret Access Key.

OmniflowAmazonSQSSettings

OmniflowAmazonSQSSettings.

JSON representation
{
  "queue": string,
  "s3_uri": string,
  "authentication": {
    object (SQSAuth)
  },
  "source_deletion_option": enum (OmniflowSourceDeletionOption),
  "max_lookback_days": string
}
Fields
queue

string

Required. Amazon Resource Name (ARN) of the queue.

s3_uri

string

Required. S3 URI.

authentication

object (SQSAuth)

Required. Authentication.

source_deletion_option

enum (OmniflowSourceDeletionOption)

Optional. Source deletion option.

max_lookback_days

string

Optional. Maximum File Age to ingest in days.

NetskopeAlertV2Settings

Netskope Alert V2 settings.

JSON representation
{
  "authentication": {
    object (HttpHeaderAuth)
  },
  "hostname": string,
  "content_category": string,
  "content_types": [
    string
  ]
}
Fields
authentication

object (HttpHeaderAuth)

Input only. Authentication.

hostname

string

API Hostname.

content_category

string

Content Category.

content_types[]

string

Content type.

GoogleCloudStorageV2Settings

GoogleCloudStorageV2Settings is the settings proto for Omniflow Google Cloud Storage feeds.

JSON representation
{
  "bucket_uri": string,
  "source_deletion_option": enum (SourceDeletionOptionV2),
  "chronicle_service_account": string,
  "max_lookback_days": integer
}
Fields
bucket_uri

string

Required. Google Cloud Storage Bucket URI for the feed.

source_deletion_option

enum (SourceDeletionOptionV2)

Optional. Source deletion option determines if the data from the source is to be deleted after ingestion.

chronicle_service_account

string

Output only. Service account (SA) that will read the data. This is the Storage Transfer Service SA of the customer's tenancy project.

max_lookback_days

integer

Optional. Maximum File Age to ingest in days.

SourceDeletionOptionV2

Source deletion option determines whether source files should be deleted after transferring.

Enums
SOURCE_DELETION_OPTION_V2_UNSPECIFIED If encountered, will be treated as SOURCE_DELETION_NEVER.
NEVER Never delete files from the source.
ON_SUCCESS After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source.

AmazonS3V2Settings

AmazonS3V2Settings is the settings proto for Omniflow S3 feeds.

JSON representation
{
  "authentication": {
    object (S3AuthV2)
  },
  "s3_uri": string,
  "source_deletion_option": enum (SourceDeletionOptionV2),
  "max_lookback_days": integer
}
Fields
authentication

object (S3AuthV2)

Required. Authentication.

s3_uri

string

Required. S3 URI.

source_deletion_option

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

max_lookback_days

integer

Optional. Maximum File Age to ingest in days.

S3AuthV2

A message containing fields used to authenticate with Amazon S3.

JSON representation
{
  "access_key_id": string,
  "secret_access_key": string
}
Fields
access_key_id

string

Required. Access Key ID for an AWS account (a 20-character, alphanumeric string).

secret_access_key

string

Required. Secret Access Key.

AmazonSQSV2Settings

AmazonSQSV2Settings is the settings proto for Omniflow SQS feeds.

JSON representation
{
  "queue": string,
  "s3_uri": string,
  "authentication": {
    object (SQSAuthV2)
  },
  "source_deletion_option": enum (SourceDeletionOptionV2),
  "max_lookback_days": integer
}
Fields
queue

string

Required. Amazon Resource Name (ARN) of the queue.

s3_uri

string

Required. S3 URI.

authentication

object (SQSAuthV2)

Required. Authentication.

source_deletion_option

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

max_lookback_days

integer

Optional. Maximum File Age to ingest in days.

SQSAuthV2

A message containing fields used to authenticate with Amazon SQS.

JSON representation
{
  "additional_s3_access_key_secret_auth": {
    object (AdditionalS3AccessKeySecretAuth)
  }
}
Fields
additional_s3_access_key_secret_auth

object (AdditionalS3AccessKeySecretAuth)

Required. Additional S3 access key and secret. If the S3 objects referred to by the SQS queue require auth info different from the SQS auth, it can be specified here.

AzureEventHubSettings

Settings required by Azure Event Hub Feeds.

JSON representation
{
  "name": string,
  "consumer_group": string,
  "event_hub_connection_string": string,
  "azure_storage_connection_string": string,
  "azure_storage_container": string,
  "azure_sas_token": string,
  "event_hub_namespace": string
}
Fields
name

string

Required. Event hub to read from.

consumer_group

string

Required. Event hub consumer group to read from.

event_hub_connection_string

string

Required. Event hub connection string for authentication.

azure_storage_connection_string

string

Required. Blob store connection string for authentication.

azure_storage_container

string

Required. Blob storage container name.

azure_sas_token

string

Required. SAS token.

event_hub_namespace

string

Output only. Event hub namespace.

TrellixHxHostsSettings

Settings required by Feeds of TrellixHxHosts.

JSON representation
{
  "authentication": {
    object (TrellixStarXAuthentication)
  },
  "endpoint": string
}
Fields
authentication

object (TrellixStarXAuthentication)

Required. Authentication.

endpoint

string

Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id// - or - https://htapdeviceproxy.md.mandiant.net/dphb/hx//

TrellixStarXAuthentication

TrellixStarXAuthentication contains a oneof with all of the authentication types supported by Trellix *X devices.

JSON representation
{

  // Union field auth_type can be only one of the following:
  "msso": {
    object (MssoAuthentication)
  },
  "trellix_iam": {
    object (TrellixIAMAuthentication)
  }
  // End of list of possible types for union field auth_type.
}
Fields
Union field auth_type. One of multiple potential auth types. auth_type can be only one of the following:
msso

object (MssoAuthentication)

Input only. MssoAuthentication auth type.

trellix_iam

object (TrellixIAMAuthentication)

Input only. TrellixIAMAuthentication auth type.

MssoAuthentication

Info for MssoAuthentication using a username, password, and login api endpoint.

JSON representation
{
  "username": string,
  "password": string,
  "api_endpoint": string
}
Fields
username

string

Required. Username for MSSO authentication. There are no restrictions on the format of the username. It has no default, specifically enforced min / max length or character set. The username will have been provided by an MSSO administrator and it is assumed that they have provided a username that is internally consistent with MSSO authentication requirements / validation.

password

string

Required. Password of the account identified by username. There are no restrictions on the format of the password. It has no default, specifically enforced min / max length or character set. The password will have been provided by an MSSO administrator and it is assumed that they have provided a password that is internally consistent with MSSO authentication requirements / validation.

api_endpoint

string

Required. The login api endpoint url. This must be a valid URL with an http or https scheme. It has no default.

TrellixIAMAuthentication

Settings for TrellixIAMAuthentication.

JSON representation
{
  "client_id": string,
  "client_secret": string,
  "scope": string
}
Fields
client_id

string

Required. Client ID generated in Trellix IAM. This is a unique identifier for the user that is generated in Trellix IAM. It has no default, specifically enforced min / max length or character set. It is assumed that the Client ID generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation.

client_secret

string

Required. Secret associated with the Client ID. This is the secret generated in Trellix IAM for the Client ID. It has no default, specifically enforced min / max length or character set. It is assumed that the secret generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation.

scope

string

Required. OAuth 2 scope to request for the authentication token. It has no default, specifically enforced min / max length or character set. It is assumed that the scope provided is internally consistent with Trellix IAM authentication requirements / validation.

AzureBlobStoreV2Settings

AzureBlobStoreV2Settings is the settings proto for Azure Blob Storage feeds.

JSON representation
{
  "azure_uri": string,
  "authentication": {
    object (AzureAuthV2)
  },
  "source_deletion_option": enum (SourceDeletionOptionV2),
  "max_lookback_days": integer
}
Fields
azure_uri

string

Required. Azure URI.

authentication

object (AzureAuthV2)

Required. Authentication.

source_deletion_option

enum (SourceDeletionOptionV2)

Optional. Source deletion option.

max_lookback_days

integer

Optional. Maximum File Age to ingest in days.

AzureAuthV2

A message containing fields used to authenticate with Azure Blob Storage.

JSON representation
{

  // Union field auth_type can be only one of the following:
  "access_key": string,
  "sas_token": string
  // End of list of possible types for union field auth_type.
}
Fields
Union field auth_type. Possible types of authentication. auth_type can be only one of the following:
access_key

string

Required. Access Key also known as shared key.

sas_token

string

Required. SAS Token.
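
A pre-submission check for the credential objects defined above (the `auth_type` union fields of AzureAuth, AzureAuthV2 and TrellixStarXAuthentication, and the per-mode fields of SftpAuth and S3Auth), given as an added example that is not part of the API reference or of any Google client library. It enforces the one-member rule of each union, flags objects that mix the fields of two modes, flags `http` endpoints, and redacts secrets before a settings object is logged. The function names, the mixed-mode and `http` findings (local policy, not API rules) and the sample values are assumptions.

```python
import json
from urllib.parse import urlparse

# Secret-bearing field names taken from the message definitions on this page.
SECRET_FIELDS = {
    "client_secret", "refresh_token", "password", "private_key",
    "private_key_passphrase", "secret_access_key", "shared_key", "sas_token",
    "access_key", "azure_sas_token", "event_hub_connection_string",
    "azure_storage_connection_string",
}

# Union field auth_type: the members the page lists for each message.
UNION_MEMBERS = {
    "AzureAuth": ("shared_key", "sas_token"),
    "AzureAuthV2": ("access_key", "sas_token"),
    "TrellixStarXAuthentication": ("msso", "trellix_iam"),
}

# Fields the page assigns to each authentication mode (mode names are ours).
MODE_GROUPS = {
    "SftpAuth": {"password": ("password",),
                 "private_key": ("private_key", "private_key_passphrase")},
    "S3Auth": {"access_key": ("access_key_id", "secret_access_key"),
               "oauth": ("client_id", "client_secret", "refresh_uri")},
}

def redact(value):
    """Return a copy of a settings object that is safe to write to a log."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS and v else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def lint_auth(message_type, auth):
    """Return findings for one authentication object of the given message type."""
    findings = []
    if message_type in UNION_MEMBERS:
        members = UNION_MEMBERS[message_type]
        present = [m for m in members if auth.get(m)]
        if len(present) != 1:
            findings.append(f"{message_type}: auth_type needs exactly one of "
                            f"{members}, got {present}")
    if message_type in MODE_GROUPS:
        used = [mode for mode, fields in MODE_GROUPS[message_type].items()
                if any(auth.get(f) for f in fields)]
        if len(used) > 1:  # local policy (assumption), not a documented API rule
            findings.append(f"{message_type}: fields of several modes set: {used}")
        if not used:
            findings.append(f"{message_type}: no credential fields set")
    return findings

def lint_endpoint(field, url):
    """The page allows http for Trellix URLs; flag it because credentials follow."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return []
    if scheme == "http":
        return [f"{field}: http scheme sends credentials unencrypted"]
    return [f"{field}: not an http or https URL"]

def lint_trellix_hx(settings):
    """Check a TrellixHxHostsSettings object: union rule plus both endpoint URLs."""
    auth = settings.get("authentication", {})
    findings = lint_auth("TrellixStarXAuthentication", auth)
    findings += lint_endpoint("endpoint", settings.get("endpoint", ""))
    if auth.get("msso"):
        findings += lint_endpoint("msso.api_endpoint",
                                  auth["msso"].get("api_endpoint", ""))
    return findings

# Constructed sample: host names and credentials are placeholders.
SAMPLE = {
    "authentication": {
        "msso": {"username": "svc-feed", "password": "example-password",
                 "api_endpoint": "http://msso.example.test/login"},
        "trellix_iam": {"client_id": "example-id",
                        "client_secret": "example-secret",
                        "scope": "example.scope"},
    },
    "endpoint": "https://hx.example.test/hx/id/placeholder/",
}

if __name__ == "__main__":
    for finding in lint_trellix_hx(SAMPLE):
        print("FINDING:", finding)
    print(json.dumps(redact(SAMPLE), indent=2))
```
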

FeedSourceType

Different types of feed sources.

Enums
FEED_SOURCE_TYPE_UNSPECIFIED Unspecified feed source type.
GOOGLE_CLOUD_STORAGE Cloud Storage.
HTTP HTTP.
SFTP SFTP.
AMAZON_S3 S3.
AZURE_BLOBSTORE Azure Blobstore.
API API.
AMAZON_SQS SQS.
PUBSUB Pub/Sub.
AMAZON_KINESIS_FIREHOSE AMAZON_KINESIS_FIREHOSE.
WEBHOOK WEBHOOK.
HTTPS_PUSH_GOOGLE_CLOUD_PUBSUB HTTPS GCloud Pub/Sub.
HTTPS_PUSH_AMAZON_KINESIS_FIREHOSE HTTPS Amazon Kinesis Firehose.
HTTPS_PUSH_WEBHOOK HTTPS Webhook.
OMNIFLOW_GOOGLE_CLOUD_STORAGE
OMNIFLOW_AMAZON_S3 Amazon S3 Feed backed by Omniflow STS.
OMNIFLOW_AMAZON_SQS Amazon SQS Feed backed by Omniflow STS.

AZURE_EVENT_HUB Microsoft Azure native ingestion for event hub.
GOOGLE_CLOUD_STORAGE_V2 Google Cloud Storage Feed backed by Omniflow STS.
AMAZON_S3_V2 Amazon S3 Feed backed by Omniflow STS.
AMAZON_SQS_V2 Amazon SQS Feed backed by Omniflow STS.
AZURE_BLOBSTORE_V2 Azure Blobstore Feed backed by Omniflow STS.

State

List of states a feed can have.

Enums
STATE_UNSPECIFIED Unspecified feed state.
ACTIVE Feed is configured and ready to ingest data. Newly created feeds have this state. Once ingestion begins the feed will transition out of this state and will not transition back.
INACTIVE Feed is Disabled. When a user disables a feed it will transition to this state regardless of its current state. Once enabled a feed will transition to its previous state.
RUNNING Feed is enabled and currently ingesting data. A feed will transition to this state from an ACTIVE or COMPLETED state when Chronicle has begun fetching data for this feed.
SUCCEEDED Feed is enabled and has recently successfully ingested data. A feed will transition to this state from RUNNING or FAILED once a fetch has completed successfully.
FAILED Feed is enabled, but has recently failed to ingest data. A feed will transition to this state only from RUNNING once a fetch has failed. It will remain in this state until a subsequent fetch has succeeded.

FeedFailureDetails

FeedFailureDetails contains details about the errors thrown by Chronicle for the feeds. These are user-visible details. They help the user identify the root cause and take appropriate action for the feed errors.

JSON representation
{
  "error_code": string,
  "http_error_code": integer,
  "error_cause": string,
  "error_action": string
}
Fields
error_code

string

Output only. error_code contains the error code for the feed. The field is populated for the feeds with failed status.

http_error_code

integer

Output only. http_error_code contains the HTTP error code for the feed failure. A feed transfer failure may or may not result in an HTTP error code.

error_cause

string

Output only. error_cause contains the information regarding the failure cause.

error_action

string

Output only. error_action contains the user action prescribed for remediation of feed error.
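
The State descriptions and FeedFailureDetails above, turned into a feed health check that surfaces ingestion gaps. This is an added example, not code from the API reference or from Chronicle. It assumes every state change is observed, that the "COMPLETED" state named in the RUNNING description is the SUCCEEDED enum value, and a 24-hour staleness threshold; the function names and the sample feed are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Transitions stated in the State enum descriptions on this page.
# Assumption: "COMPLETED" in the RUNNING description means SUCCEEDED,
# because COMPLETED is not a value of the enum.
ALLOWED = {
    "ACTIVE": {"RUNNING"},
    "RUNNING": {"SUCCEEDED", "FAILED"},
    "SUCCEEDED": {"RUNNING"},
    "FAILED": {"SUCCEEDED"},
}

def undocumented_transitions(history):
    """history: ordered state names. Returns (from, to) pairs the page does not describe."""
    problems = []
    before_disable = None
    for prev, cur in zip(history, history[1:]):
        if cur == prev:
            continue
        if cur == "INACTIVE":
            before_disable = prev          # any state can be disabled
        elif prev == "INACTIVE":
            # Re-enabling returns the feed to the state it had before.
            if before_disable is not None and cur != before_disable:
                problems.append((prev, cur))
        elif cur not in ALLOWED.get(prev, set()):
            problems.append((prev, cur))
    return problems

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")

def parse_timestamp(ts):
    """Parse the RFC 3339 form used by last_feed_initiation_time (0 to 9 fraction digits)."""
    m = _TS.match(ts)
    if not m:
        raise ValueError("not an RFC 3339 timestamp: %r" % ts)
    base, frac, offset = m.groups()
    frac = ((frac or "") + "000000")[:6]   # datetime keeps microseconds only
    offset = "+00:00" if offset == "Z" else offset
    return datetime.fromisoformat("%s.%s%s" % (base, frac, offset))

def triage(feed, now, max_age=timedelta(hours=24)):
    """Return the reasons a Feed object may be leaving a gap in ingested logs."""
    reasons = []
    state = feed.get("state", "STATE_UNSPECIFIED")
    if state == "INACTIVE":
        reasons.append("INACTIVE: feed has been disabled")
    if state == "FAILED":
        d = feed.get("failure_details", {})
        reasons.append("FAILED: code=%s http=%s cause=%s action=%s" % (
            d.get("error_code"), d.get("http_error_code"),
            d.get("error_cause"), d.get("error_action")))
    last = feed.get("last_feed_initiation_time")
    if last is None or now - parse_timestamp(last) > max_age:
        reasons.append("STALE: no successful transfer within %s" % max_age)
    return reasons

# Constructed sample feed; the name, error values and timestamps are placeholders.
SAMPLE_FEED = {
    "name": "projects/example/locations/us/instances/example/feeds/example",
    "state": "FAILED",
    "last_feed_initiation_time": "2014-10-02T15:01:23Z",
    "failure_details": {"error_code": "EXAMPLE_CODE", "http_error_code": 403,
                        "error_cause": "constructed cause",
                        "error_action": "constructed action"},
}

if __name__ == "__main__":
    now = datetime(2014, 10, 4, tzinfo=timezone.utc)
    for reason in triage(SAMPLE_FEED, now):
        print(SAMPLE_FEED["name"], "->", reason)
    print(undocumented_transitions(["ACTIVE", "RUNNING", "SUCCEEDED", "ACTIVE"]))
```
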

Methods

create

Creates a feed.

delete

Deletes a feed.

disable

Disable feed for ingestion.

enable

Enable feed for ingestion.

generateSecret

Generates a new secret for HTTPS push feeds that do not support JWT tokens.

get

Gets a feed.

importPushLogs

Imports logs coming from HTTPS push feeds.

list

Lists all feeds for the customer.

patch

Updates the full feed.