Resource: Feed
Feed is a resource that contains feed information needed to create a feed.
JSON representation |
---|
{ "name": string, "display_name": string, "details": { object ( |
Fields | |
---|---|
name |
The resource name of the feed. Format: projects/{project}/locations/{location}/instances/{instance}/feeds/{feed} |
display_ |
Customer-provided feed name. |
details |
Additional details of the feed. These details are dynamic and differ for each feed. |
state |
Output only. State of the feed. |
failure_ |
Output only. Details about the most recent failure when feed state is FAILED. |
read_ |
Output only. Whether this feed can be updated or deleted. |
last_ |
Output only. Latest timestamp when the transfer was successful for the feed. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
failure_ |
Output only. Failure details for the feed. If the feed is in the failure state, this field will contain the details of the error cause and actions. |
FeedDetails
Additional details of the feed. These details are dynamic and differ for each feed.
JSON representation |
---|
{ "feed_source_type": enum ( |
Fields | |
---|---|
feed_ |
Source Type of the feed. |
log_ |
LogType. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type} |
asset_ |
The asset namespace to apply to all logs ingested through this feed. |
labels |
The ingestion metadata labels to apply to all logs ingested through this feed, and the resulting normalized data. An object containing a list of |
Union field details. Additional details of the feed. Depends on the feed type. details can be only one of the following: |
|
anomali_ |
Anomali IOC settings. |
azure_ |
Azure AD Context settings. |
cloud_ |
Cloud Passage settings. |
cortex_ |
Cortex XDR settings. |
duo_ |
Duo Auth settings. |
duo_ |
Duo User Context settings. |
microsoft_ |
Microsoft Graph Alert settings. |
microsoft_ |
Microsoft Security center alert settings. |
mimecast_ |
Mimecast mail settings. |
office365_ |
Office 365 settings. |
proofpoint_ |
Proofpoint mail settings. |
recorded_ |
Recorded Future IOC settings. |
workday_ |
Workday settings. |
pan_ |
PAN IOC settings. |
okta_ |
Okta settings. |
okta_ |
Okta user context settings. |
fox_ |
Fox-IT STIX settings. |
threat_ |
ThreatConnect IOC settings. |
service_ |
ServiceNow CMDB settings. |
imperva_ |
Imperva WAF settings. |
thinkst_ |
Thinkst Canary settings. |
rh_ |
RH-ISAC IOC settings. |
rapid7_ |
Rapid7 Insight settings. |
salesforce_ |
Salesforce settings. |
netskope_ |
Netskope alert settings. |
azure_ |
Azure MDM Intune settings. |
azure_ |
Azure AD settings. |
proofpoint_ |
Proofpoint On-Demand settings. |
workspace_ |
Workspace users settings. |
workspace_ |
Workspace activity settings. |
workspace_ |
Workspace alerts settings. |
workspace_ |
Workspace privileges settings. |
workspace_ |
Workspace mobile settings. |
workspace_ |
Workspace ChromeOS settings. |
workspace_ |
Workspace Groups settings. |
azure_ |
Azure AD Audit settings. |
symantec_ |
Symantec Event Export settings. |
qualys_ |
Qualys VM settings |
pan_ |
PAN Prisma Cloud settings. |
gcs_ |
Google Cloud Storage settings. |
http_ |
HTTP settings. |
sftp_ |
SFTP settings. |
amazon_ |
Amazon S3 settings. |
azure_ |
Azure Blob Storage settings. |
amazon_ |
Amazon SQS settings. |
google_ |
Google Cloud Identity Devices settings. |
google_ |
Google Cloud Identity Device Users settings. |
crowdstrike_ |
CrowdStrike Detects API settings. |
mandiant_ |
Mandiant IOC settings. |
sentinelone_ |
SentinelOne Alert settings. |
qualys_ |
Qualys Scan Settings |
pubsub_ |
Pub/Sub settings. |
amazon_ |
Amazon Kinesis Firehose settings. |
webhook_ |
Webhook settings. |
dummy_ |
DummyLogType Settings. |
https_ |
Https push Google Pub/Sub settings. |
https_ |
Https push Amazon Kinesis Firehose settings. |
https_ |
Https push Webhook settings. |
aws_ |
AWS EC2 Hosts settings. |
aws_ |
AWS EC2 Instances settings. |
aws_ |
AWS EC2 Vpcs settings. |
aws_ |
AWS IAM settings. |
omniflow_ |
Settings for Omniflow based Cloud Storage Feeds. |
omniflow_ |
Settings for Omniflow based Amazon S3 Feeds. |
omniflow_ |
Settings for Omniflow based Amazon SQS Feeds. |
netskope_ |
Netskope alert V2 settings. |
gcs_ |
Settings for Google Cloud Storage Omniflow feeds. |
amazon_ |
Settings for S3 Omniflow feeds. |
amazon_ |
Settings for SQS Omniflow feeds. |
azure_ |
Settings for Omniflow based native ingestion from azure event hub. |
trellix_ |
Settings for Trellix HX Host Metadata. |
azure_ |
Settings for Azure Blobstore Omniflow feeds. |
AnomaliIocSettings
Anomali IOC settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
UsernameSecretAuth
Info for username and secret based authentication.
JSON representation |
---|
{ "user": string, "secret": string } |
Fields | |
---|---|
user | Username of an identity used for authentication. |
secret | Secret of the account identified by user_name. |
AzureADContextSettings
Azure AD Context settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
retrieve_ |
Whether to retrieve device information in user context. |
retrieve_ |
Whether to retrieve group information in user context. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
MicrosoftOAuthClientCredentials
Microsoft OAuth 2.0 client credentials grant.
JSON representation |
---|
{ "client_id": string, "client_secret": string } |
Fields | |
---|---|
client_ |
Client ID. |
client_ |
Client secret. |
CloudPassageSettings
CloudPassage settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
event_ |
Event types filter for the events API. |
CortexXDRSettings
PAN Cortex XDR settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
endpoint |
API Endpoint. |
HttpHeaderAuth
HTTP header based authentication.
JSON representation |
---|
{
"header_key_values": [
{
object ( |
Fields | |
---|---|
header_ |
Header key-value pairs. |
HeaderKeyValue
Header key-value pairs.
JSON representation |
---|
{ "key": string, "value": string } |
Fields | |
---|---|
key | Key. |
value | Value. |
DuoAuthSettings
Duo Authentication settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
DuoUserContextSettings
Duo User Context settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API hostname. |
MicrosoftGraphAlertSettings
Microsoft Graph Alert settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
MicrosoftSecurityCenterAlertSettings
Microsoft Security Center alert settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
subscription_ |
Subscription ID of the Microsoft security center alert settings alert. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
MimecastMailSettings
Mimecast Mail settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
Office365Settings
Office 365 settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
tenant_ |
Tenant ID. |
content_ |
Supported office 365 content type. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
ContentType
Office 365 supported content types: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference#working-with-the-office-365-management-activity-api
Enums | |
---|---|
CONTENT_TYPE_UNSPECIFIED | Unspecified content type. |
AUDIT_AZURE_ACTIVE_DIRECTORY | Audit.AzureActiveDirectory. |
AUDIT_EXCHANGE | Audit.Exchange. |
AUDIT_SHARE_POINT | Audit.SharePoint. |
AUDIT_GENERAL | Audit.General. |
DLP_ALL | DLP.All. |
ProofpointMailSettings
Proofpoint Mail settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
RecordedFutureIocSettings
Recorded Future IOC settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
WorkdaySettings
Workday settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
tenant_ |
Tenant ID. |
WorkdayAuth
Authentication for Workday.
JSON representation |
---|
{ "user": string, "secret": string, "token_endpoint": string, "client_id": string, "client_secret": string, "refresh_token": string } |
Fields | |
---|---|
user |
Username. This is unused: Workday feeds were originally configured using a username and secret authentication method, but only the secret field was used, and it was used to supply the OAuth access token. |
secret |
The access token used to authenticate against Workday. This field is called "secret" to maintain backwards compatibility. Workday was (only) configured using username (which was unused) and secret (which is used as the access token). Either this field or all of the other OAuth fields below must be specified. |
token_ |
Token endpoint to get the OAuth token from. |
client_ |
Client ID. |
client_ |
Client Secret. |
refresh_ |
Refresh Token. |
PanIocSettings
PAN IOC settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
feed_ |
PAN IOC feed ID. |
feed |
PAN IOC feed name. |
OktaSettings
Okta settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
OktaUserContextSettings
Okta user context settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
manager_ |
Manager id reference field. |
FoxITStixSettings
Fox-IT STIX settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
ssl |
SSL client key pair. |
poll_ |
TAXII poll service URI. |
collection |
Collection available at the poll service. |
SSLClientKeypair
An SSL client certificate keypair.
JSON representation |
---|
{ "encoded_private_key": string, "ssl_certificate": string } |
Fields | |
---|---|
encoded_ |
The encoded private key. The string should be a private key in PEM format, and should include the begin header and end footer lines. It may also include newlines. Example: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F23074E02CF47304 |
ssl_ |
The encoded SSL certificate. The string should be an SSL certificate in PEM format, and should include the begin header and end footer lines. It may also include newlines. Example: -----BEGIN CERTIFICATE----- |
ThreatConnectIoCSettings
ThreatConnect IOC Settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
owners[] |
Owners. |
ServiceNowCMDBSettings
ServiceNow CMDB settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
feedname |
Feedname. |
ImpervaWAFSettings
Imperva WAF settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
ThinkstCanarySettings
Thinkst Canary settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
RHIsacIocSettings
RH-ISAC settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
OAuthClientCredentials
OAuth 2.0 client credentials grant. See https://tools.ietf.org/html/rfc6749.
JSON representation |
---|
{ "token_endpoint": string, "client_id": string, "client_secret": string } |
Fields | |
---|---|
token_ |
Token endpoint. |
client_ |
Client ID. |
client_ |
Client secret. |
Rapid7InsightSettings
Rapid7 Insight settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
endpoint |
Rapid7 API endpoint. Should be "vulnerabilities" or "assets". |
hostname |
API Hostname. |
SalesforceSettings
Salesforce settings.
JSON representation |
---|
{ "hostname": string, // Union field |
Fields | |
---|---|
hostname |
API hostname. |
Union field authentication. Possible types of authentication. authentication can be only one of the following: |
|
oauth_ |
Input only. OAuthPasswordGrantCredentials auth. |
oauth_ |
Input only. OAuthJWTCredentials auth. |
OAuthPasswordGrantCredentials
OAuth 2.0 password grant. See https://tools.ietf.org/html/rfc6749.
JSON representation |
---|
{ "token_endpoint": string, "client_id": string, "client_secret": string, "user": string, "password": string } |
Fields | |
---|---|
token_ |
Token endpoint to get the OAuth token from. |
client_ |
Client ID. |
client_ |
Client secret. |
user |
Username. |
password |
Password. |
OAuthJWTCredentials
OAuth 2.0 JWT grant. See https://tools.ietf.org/html/rfc7519.
JSON representation |
---|
{ "token_endpoint": string, "claims": { object ( |
Fields | |
---|---|
token_ |
Token endpoint to get the OAuth token from. |
claims |
Claims. |
Union field credentials. Credentials. credentials can be only one of the following: |
|
rs_ |
RS credentials. |
RSCredentials
RS credentials.
JSON representation |
---|
{ "private_key": string } |
Fields | |
---|---|
private_ |
Private key in PEM format. |
Claims
Claims identifying a specific customer.
JSON representation |
---|
{ "issuer": string, "subject": string, "audience": string } |
Fields | |
---|---|
issuer | Issuer. Usually the client_id. |
subject | Subject. Usually the email. |
audience | Audience. |
NetskopeAlertSettings
Netskope Alert settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
feedname |
Feedname. |
content_ |
Content type. |
AzureMDMIntuneSettings
Azure MDM Intune settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
AzureADSettings
Azure AD settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
ProofpointOnDemandSettings
Proofpoint On-demand settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
cluster_ |
Cluster ID. |
WorkspaceUsersSettings
Workspace Users settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
WorkspaceActivitySettings
Workspace Activity settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
applications[] |
Applications. |
WorkspaceAlertsSettings
Workspace Alert settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
WorkspacePrivilegesSettings
Workspace Privileges settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
WorkspaceMobileSettings
Workspace Mobile settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
WorkspaceChromeOSSettings
Workspace Chrome OS settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
WorkspaceGroupsSettings
Workspace Groups settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
workspace_ |
Customer ID. |
AzureADAuditSettings
Azure AD Audit settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
tenant_ |
Tenant ID. |
hostname |
API Hostname. |
auth_ |
API Auth Endpoint. |
SymantecEventExportSettings
Symantec Event Export settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
OAuthRefreshToken
OAuth 2.0 refresh token grant. See https://tools.ietf.org/html/rfc6749.
JSON representation |
---|
{ "token_endpoint": string, "client_id": string, "client_secret": string, "refresh_token": string } |
Fields | |
---|---|
token_ |
Token endpoint to get the OAuth token from. |
client_ |
Client ID. |
client_ |
Client secret. |
refresh_ |
Refresh token. |
QualysVMSettings
Qualys VM settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
PanPrismaCloudSettings
PAN Prisma Cloud settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
API Hostname. |
PanPrismaAuth
PAN Prisma Cloud auth.
JSON representation |
---|
{ "user": string, "password": string } |
Fields | |
---|---|
user | Username. |
password | Password. |
GoogleCloudStorageSettings
Google Cloud Storage settings.
JSON representation |
---|
{ "bucket_uri": string, "source_type": enum ( |
Fields | |
---|---|
bucket_ |
Bucket URI. |
source_ |
The URI source type. |
source_ |
Source deletion option. |
chronicle_ |
Output only. Service account that Chronicle will use to pull data. |
URISourceType
The type of URIs specified in the source URIs.
Enums | |
---|---|
URI_SOURCE_TYPE_UNSPECIFIED | If encountered, will throw an INVALID_ARGUMENT error. |
FILES | The type of files pointed to by source_uris are files. |
FOLDERS | The type of files pointed to by source_uris are folders and Xenon should not descend into subfolders of those folders. |
FOLDERS_RECURSIVE | The type of files pointed to by source_uris are folders and Xenon should descend into subfolders of those folders. |
SourceDeletionOption
Source deletion option controls whether source files should be deleted after transferring.
Enums | |
---|---|
SOURCE_DELETION_OPTION_UNSPECIFIED | If encountered, will be treated as SOURCE_DELETION_NEVER. |
SOURCE_DELETION_NEVER | Never delete files from the source. |
SOURCE_DELETION_ON_SUCCESS | After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source. |
SOURCE_DELETION_ON_SUCCESS_FILES_ONLY | After the fetch completes, if there are no errors, delete files (leaving any directories) from the source. |
HttpSettings
HTTP settings.
JSON representation |
---|
{ "uri": string, "source_type": enum ( |
Fields | |
---|---|
uri |
HTTP URI. |
source_ |
The URI source type. |
source_ |
Source deletion option. |
SftpSettings
SFTP settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
uri |
SFTP URI. |
source_ |
The URI source type. |
source_ |
Source deletion option. |
SftpAuth
SFTP Auth.
JSON representation |
---|
{ "username": string, "password": string, "private_key": string, "private_key_passphrase": string } |
Fields | |
---|---|
username |
Username. Used for username and password authentication. |
password |
Password. Used for username and password authentication. |
private_ |
Private key. Used for private key authentication. |
private_ |
Private key passphrase. Used for private key authentication. |
AmazonS3Settings
Amazon S3 settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
s3_ |
S3 URI. |
source_ |
The URI source type. |
source_ |
Source deletion option. |
S3Auth
Amazon S3 auth.
JSON representation |
---|
{
"access_key_id": string,
"secret_access_key": string,
"client_id": string,
"client_secret": string,
"refresh_uri": string,
"region": enum ( |
Fields | |
---|---|
access_ |
Access key ID. Used when using access key auth. |
secret_ |
Secret access key. Used when using access key auth. |
client_ |
Client ID. Used when using OAuth auth. |
client_ |
Client secret. Used when using OAuth auth. |
refresh_ |
Refresh URI. Used when using OAuth auth. |
region |
S3 Region. |
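The WorkdayAuth and S3Auth objects above each accept more than one credential mode in the same message. The following is an added example, not code from the API or its client libraries: a pre-submission lint that checks an auth object against the rules stated in the field descriptions. The function names, severity levels and the decision to warn when two modes are populated at once are assumptions of this example; the sample inputs are constructed.

```python
"""Pre-submission lint for WorkdayAuth and S3Auth objects (added example).

Severity levels and the choice to warn when two auth modes are populated at
once are assumptions of this example, not documented API behaviour.
"""

WORKDAY_OAUTH = ("token_endpoint", "client_id", "client_secret", "refresh_token")
S3_KEY_MODE = ("access_key_id", "secret_access_key")
S3_OAUTH_MODE = ("client_id", "client_secret", "refresh_uri")


def _set_fields(obj, names):
    """Names whose value is a non-empty string. Values are never returned,
    so findings can be logged without leaking credentials."""
    return [n for n in names if isinstance(obj.get(n), str) and obj[n].strip()]


def _missing(names, present):
    return ", ".join(n for n in names if n not in present)


def lint_workday_auth(auth):
    """WorkdayAuth: either 'secret' (the access token) or all OAuth fields."""
    findings = []
    has_secret = bool(_set_fields(auth, ("secret",)))
    oauth = _set_fields(auth, WORKDAY_OAUTH)
    oauth_complete = len(oauth) == len(WORKDAY_OAUTH)
    if not has_secret and not oauth_complete:
        findings.append(("error", "set 'secret' or all OAuth fields; missing: "
                         + _missing(WORKDAY_OAUTH, oauth)))
    elif has_secret and oauth and not oauth_complete:
        findings.append(("warn", "partial OAuth set alongside 'secret'; missing: "
                         + _missing(WORKDAY_OAUTH, oauth)))
    elif has_secret and oauth_complete:
        # Assumption: local policy prefers exactly one credential mode.
        findings.append(("warn", "both 'secret' and OAuth fields are set"))
    if _set_fields(auth, ("user",)):
        findings.append(("info", "'user' is unused for Workday feeds"))
    return findings


def lint_s3_auth(auth):
    """S3Auth: access key pair, or client_id/client_secret/refresh_uri."""
    findings = []
    key = _set_fields(auth, S3_KEY_MODE)
    oauth = _set_fields(auth, S3_OAUTH_MODE)
    if key and len(key) < len(S3_KEY_MODE):
        findings.append(("error", "incomplete access key auth; missing: "
                         + _missing(S3_KEY_MODE, key)))
    if oauth and len(oauth) < len(S3_OAUTH_MODE):
        findings.append(("error", "incomplete OAuth auth; missing: "
                         + _missing(S3_OAUTH_MODE, oauth)))
    if not key and not oauth:
        findings.append(("error", "no credentials set for either auth mode"))
    if key and oauth:
        # Assumption: local policy prefers exactly one credential mode.
        findings.append(("warn", "access key and OAuth fields are both set"))
    if auth.get("region") in (None, "", "S3_REGION_UNSPECIFIED"):
        findings.append(("info", "region unspecified: auto detect does not "
                         "detect GOV Cloud, set the region explicitly there"))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    samples = [
        ("workday", {"user": "svc-feed", "secret": "tok-constructed"}),
        ("workday", {"client_id": "cid", "client_secret": "cs-constructed"}),
        ("s3", {"access_key_id": "AKIDCONSTRUCTED", "region": "US_EAST_1"}),
        ("s3", {"access_key_id": "AKIDCONSTRUCTED",
                "secret_access_key": "sk-constructed"}),
    ]
    for kind, auth in samples:
        lint = lint_workday_auth if kind == "workday" else lint_s3_auth
        for severity, message in lint(auth) or [("ok", "no findings")]:
            print(f"{kind:8} {severity:5} {message}")
```

Findings name fields only and never include field values, so the output can go to CI logs.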
S3Region
AWS S3 regions: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region.
Enums | |
---|---|
S3_REGION_UNSPECIFIED | Unspecified region means Auto detect. Auto detect does not successfully detect GOV Cloud. |
US_EAST_1 | US. N. Virginia (previously known as US_STANDARD). |
US_EAST_2 | Ohio. |
US_WEST_1 | N. California. |
US_WEST_2 | Oregon. |
US_GOV_CLOUD | Not accessible unless AWS US Govt. account. |
US_GOV_EAST_1 | Not accessible unless AWS US Govt. account. |
EU_WEST_1 | Europe. Ireland. |
EU_WEST_2 | London. |
EU_WEST_3 | Paris. |
EU_CENTRAL_1 | Frankfurt. |
EU_NORTH_1 | Stockholm. |
EU_SOUTH_1 | Milan. |
AP_SOUTH_1 | Asia Pacific Mumbai. |
AP_SOUTHEAST_1 | Singapore. |
AP_SOUTHEAST_2 | Sydney. |
AP_SOUTHEAST_3 | Jakarta. |
AP_NORTHEAST_1 | Tokyo. |
AP_NORTHEAST_2 | Seoul. |
AP_NORTHEAST_3 | Osaka. |
AP_EAST_1 | Hong Kong. |
SA_EAST_1 | South America. Sao Paulo. |
CN_NORTH_1 | China - Not accessible unless AWS China account. China - Beijing. |
CN_NORTHWEST_1 | China - Ningxia. |
CA_CENTRAL_1 | Canada. Canada Central. |
AF_SOUTH_1 | Africa. Cape Town. |
ME_SOUTH_1 | Middle East. Bahrain. |
AP_SOUTH_2 | Asia Pacific (Hyderabad). |
AP_SOUTHEAST_4 | Asia Pacific (Melbourne). |
CA_WEST_1 | Canada West (Calgary). |
EU_SOUTH_2 | Europe (Spain). |
EU_CENTRAL_2 | Europe (Zurich). |
IL_CENTRAL_1 | Israel (Tel Aviv). |
ME_CENTRAL_1 | Middle East (UAE). |
AzureBlobStoreSettings
Azure Blob Storage settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
azure_ |
Azure URI. |
source_ |
The URI source type. |
source_ |
Source deletion option. |
AzureAuth
Azure auth.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field auth_type. Type of auth used with Azure. auth_type can be only one of the following: |
|
shared_ |
Shared Key. |
sas_ |
SAS Token. |
AmazonSQSSettings
Amazon SQS settings.
JSON representation |
---|
{ "region": enum ( |
Fields | |
---|---|
region |
S3 Region. |
queue |
Name of the queue. |
account_ |
Account number of the owner of the queue. |
authentication |
Input only. Authentication. |
source_ |
Source deletion option. |
SQSAuth
Amazon SQS auth.
JSON representation |
---|
{ "sqs_access_key_secret_auth": { object ( |
Fields | |
---|---|
sqs_ |
SQS access key secret auth. |
additional_ |
Authentication for the S3 bucket referred to by the items in the SQS queue. This is only required if it is different from the authentication for the queue. |
SQSAccessKeySecretAuth
Amazon SQS access key and secret auth.
JSON representation |
---|
{ "access_key_id": string, "secret_access_key": string } |
Fields | |
---|---|
access_ |
Access key ID. |
secret_ |
Secret access key. |
AdditionalS3AccessKeySecretAuth
Additional S3 access key secret auth.
JSON representation |
---|
{ "access_key_id": string, "secret_access_key": string } |
Fields | |
---|---|
access_ |
Access key ID. |
secret_ |
Secret access key. |
GoogleCloudIdentityDevicesSettings
Google Cloud Identity Devices settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication |
api_ |
API Version |
GoogleCloudIdentityDeviceUsersSettings
Google Cloud Identity Device Users settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
CrowdStrikeDetectsSettings
CrowdStrike Detects settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. OAuthClientCredentials. |
hostname |
API Hostname. |
MandiantIoCSettings
Mandiant IOC settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
start_ |
Time from which to start fetching the IOCs. Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
SentineloneAlertSettings
SentinelOne Alert settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
hostname |
Hostname of SentinelOne alert settings. |
initial_ |
initialStartTime from which to fetch the alerts. |
is_ |
Whether the customer is subscribed to the Alerts API. |
QualysScanSettings
Qualys Scan settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication |
hostname |
Hostname. |
api_ |
Supported Qualys Scan api type. |
ApiType
API Type
Enums | |
---|---|
API_TYPE_UNSPECIFIED | Unspecified API Type |
SCAN_SUMMARY_OUTPUT | Scan Summaries |
SCAN_COMPLIANCE_OUTPUT | Scan Compliance |
SCAN_COMPLIANCE_CONTROL_OUTPUT | Scan Compliance Control |
PubsubSettings
Settings required by Google Cloud Pub/Sub Feeds (HTTP-Push).
JSON representation |
---|
{ "google_service_account_email": string } |
Fields | |
---|---|
google_ |
Google Service Account Email. |
AmazonKinesisFirehoseSettings
This type has no fields.
Settings required by Amazon Kinesis Firehose Feeds (HTTP-Push).
WebhookSettings
This type has no fields.
Settings required by Webhook Feeds (HTTP-Push).
DummyLogTypeSettings
Settings required by Feeds of DummyLogType (used for testing purposes).
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. Authentication. |
api_ |
Full API Endpoint. |
HttpsPushGoogleCloudPubSubSettings
Settings required by Google Cloud Platform Pub/Sub Feeds (HTTPS-Push V2).
JSON representation |
---|
{ "split_delimiter": string } |
Fields | |
---|---|
split_ |
Optional. Delimiter to split on for the feed. |
HttpsPushAmazonKinesisFirehoseSettings
Settings required by Amazon Kinesis Firehose Feeds (HTTPS-Push V2).
JSON representation |
---|
{ "split_delimiter": string } |
Fields | |
---|---|
split_ |
Optional. Delimiter to split on for the feed. |
HttpsPushWebhookSettings
Settings required by Webhook Feeds (HTTPS-Push V2).
JSON representation |
---|
{ "split_delimiter": string } |
Fields | |
---|---|
split_ |
Optional. Delimiter to split on for the feed. |
AWSEC2HostsSettings
AWS EC2 Hosts Settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. UsernameSecretAuth. |
AWSEC2InstancesSettings
AWS EC2 Instances Settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. UsernameSecretAuth. |
AWSEC2VpcsSettings
AWS EC2 Vpcs Settings.
JSON representation |
---|
{
"authentication": {
object ( |
Fields | |
---|---|
authentication |
Input only. UsernameSecretAuth. |
AWSIAMSettings
AWSIAMSettings contains details needed for creating an AWS IAM feed.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication |
Input only. Authentication |
api_ |
Supported AWS IAM api type. |
ApiType
API Type
Enums | |
---|---|
API_TYPE_UNSPECIFIED | API Type Unspecified |
USERS | Users. |
ROLES | Roles. |
GROUPS | Groups. |
OmniflowGoogleCloudStorageSettings
OmniflowGoogleCloudStorageSettings. NEXT TAG: 5
JSON representation |
---|
{
"bucket_uri": string,
"source_deletion_option": enum ( |
Fields | |
---|---|
bucket_ |
Required. Bucket URI. |
source_ |
Optional. Source deletion option. |
chronicle_ |
Output only. Service account (SA) that will read data. This is the Storage Transfer Service SA of the customer's tenancy project. |
max_ |
Optional. Maximum File Age to ingest in days. |
OmniflowSourceDeletionOption
Source deletion option.
Enums | |
---|---|
OMNIFLOW_SOURCE_DELETION_OPTION_UNSPECIFIED | If encountered, will be treated as SOURCE_DELETION_NEVER. |
OMNIFLOW_SOURCE_DELETION_NEVER | Never delete files from the source. |
OMNIFLOW_SOURCE_DELETION_ON_SUCCESS | After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source. |
OmniflowAmazonS3Settings
OmniflowAmazonS3Settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication | Required. Authentication. |
s3_ | Required. S3 URI. |
source_ | Optional. Source deletion option. |
max_ | Optional. Maximum File Age to ingest in days. |
OmniflowS3Auth
A message containing fields used to authenticate with Amazon S3.
JSON representation |
---|
{ "access_key_id": string, "secret_access_key": string } |
Fields | |
---|---|
access_ | Required. Access Key ID for an AWS account (a 20-character, alphanumeric string). |
secret_ | Required. Secret Access Key. |
OmniflowAmazonSQSSettings
OmniflowAmazonSQSSettings.
JSON representation |
---|
{ "queue": string, "s3_uri": string, "authentication": { object ( |
Fields | |
---|---|
queue | Required. Amazon Resource Name (ARN) of the queue. |
s3_ | Required. S3 URI. |
authentication | Required. Authentication. |
source_ | Optional. Source deletion option. |
max_ | Optional. Maximum File Age to ingest in days. |
NetskopeAlertV2Settings
Netskope Alert V2 settings.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
content_ | Content Category. |
content_ | Content type. |
GoogleCloudStorageV2Settings
GoogleCloudStorageV2Settings is the settings proto for Omniflow Google Cloud Storage feeds.
JSON representation |
---|
{ "bucket_uri": string, "source_deletion_option": enum ( |
Fields | |
---|---|
bucket_ | Required. Google Cloud Storage Bucket URI for the feed. |
source_ | Optional. Source deletion option determines if the data from the source is to be deleted after ingestion. |
chronicle_ | Output only. Service account (SA) that will read the data. This is the Storage Transfer Service SA of the customer's tenancy project. |
max_ | Optional. Maximum File Age to ingest in days. |
SourceDeletionOptionV2
Source deletion option determines whether source files should be deleted after transferring.
Enums | |
---|---|
SOURCE_DELETION_OPTION_V2_UNSPECIFIED | If encountered, will be treated as SOURCE_DELETION_NEVER. |
NEVER | Never delete files from the source. |
ON_SUCCESS | After the fetch completes, if there are no errors, delete files and any directories made empty by the file deletion from the source. |
AmazonS3V2Settings
AmazonS3V2Settings is the settings proto for Omniflow S3 feeds.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication | Required. Authentication. |
s3_ | Required. S3 URI. |
source_ | Optional. Source deletion option. |
max_ | Optional. Maximum File Age to ingest in days. |
S3AuthV2
A message containing fields used to authenticate with Amazon S3.
JSON representation |
---|
{ "access_key_id": string, "secret_access_key": string } |
Fields | |
---|---|
access_ | Required. Access Key ID for an AWS account (a 20-character, alphanumeric string). |
secret_ | Required. Secret Access Key. |
AmazonSQSV2Settings
AmazonSQSV2Settings is the settings proto for Omniflow SQS feeds.
JSON representation |
---|
{ "queue": string, "s3_uri": string, "authentication": { object ( |
Fields | |
---|---|
queue | Required. Amazon Resource Name (ARN) of the queue. |
s3_ | Required. S3 URI. |
authentication | Required. Authentication. |
source_ | Optional. Source deletion option. |
max_ | Optional. Maximum File Age to ingest in days. |
SQSAuthV2
A message containing fields used to authenticate with Amazon SQS.
JSON representation |
---|
{ "additional_s3_access_key_secret_auth": { object ( |
Fields | |
---|---|
additional_ | Required. Additional S3AccessKeySecret. If the S3 objects referred to by the SQS queue require auth info different from the SQS auth, it can be specified here. |
AzureEventHubSettings
Settings required by Azure Event Hub Feeds.
JSON representation |
---|
{ "name": string, "consumer_group": string, "event_hub_connection_string": string, "azure_storage_connection_string": string, "azure_storage_container": string, "azure_sas_token": string, "event_hub_namespace": string } |
Fields | |
---|---|
name | Required. Event hub to read from. |
consumer_ | Required. Event hub consumer group to read from. |
event_ | Required. Event hub connection string for authentication. |
azure_ | Required. Blob store connection string for authentication. |
azure_ | Required. Blob storage container name. |
azure_ | Required. SAS token. |
event_ | Output only. Event hub namespace. |
TrellixHxHostsSettings
Settings required by Feeds of TrellixHxHosts.
JSON representation |
---|
{ "authentication": { object ( |
Fields | |
---|---|
authentication | Required. Authentication. |
endpoint | Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id/ |
TrellixStarXAuthentication
TrellixStarXAuthentication contains a oneof with all of the authentication types supported by Trellix *X devices.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field auth_type. One of multiple potential auth types. auth_type can be only one of the following: | |
msso | Input only. MssoAuthentication auth type. |
trellix_ | Input only. TrellixIAMAuthentication auth type. |
MssoAuthentication
Info for MssoAuthentication using a username, password, and login API endpoint.
JSON representation |
---|
{ "username": string, "password": string, "api_endpoint": string } |
Fields | |
---|---|
username | Required. Username for MSSO authentication. There are no restrictions on the format of the username. It has no default, specifically enforced min / max length or character set. The username will have been provided by an MSSO administrator and it is assumed that they have provided a username that is internally consistent with MSSO authentication requirements / validation. |
password | Required. Password of the account identified by username. There are no restrictions on the format of the password. It has no default, specifically enforced min / max length or character set. The password will have been provided by an MSSO administrator and it is assumed that they have provided a password that is internally consistent with MSSO authentication requirements / validation. |
api_ | Required. The login API endpoint URL. This must be a valid URL with an http or https scheme. It has no default. |
TrellixIAMAuthentication
Settings for TrellixIAMAuthentication.
JSON representation |
---|
{ "client_id": string, "client_secret": string, "scope": string } |
Fields | |
---|---|
client_ | Required. Client ID generated in Trellix IAM. This is a unique identifier for the user that is generated in Trellix IAM. It has no default, specifically enforced min / max length or character set. It is assumed that the Client ID generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation. |
client_ | Required. Secret associated with the Client ID. This is the secret generated in Trellix IAM for the Client ID. It has no default, specifically enforced min / max length or character set. It is assumed that the secret generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation. |
scope | Required. OAuth 2 scope to request for the authentication token. It has no default, specifically enforced min / max length or character set. It is assumed that the scope provided is internally consistent with Trellix IAM authentication requirements / validation. |
AzureBlobStoreV2Settings
AzureBlobStoreV2Settings is the settings proto for Azure Blob Storage feeds.
JSON representation |
---|
{ "azure_uri": string, "authentication": { object ( |
Fields | |
---|---|
azure_ | Required. Azure URI. |
authentication | Required. Authentication. |
source_ | Optional. Source deletion option. |
max_ | Optional. Maximum File Age to ingest in days. |
AzureAuthV2
A message containing fields used to authenticate with Azure Blob Storage.
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field auth_type. Possible types of authentication. auth_type can be only one of the following: | |
access_ | Required. Access Key also known as shared key. |
sas_ | Required. SAS Token. |
FeedSourceType
Different types of feed sources.
Enums | |
---|---|
FEED_SOURCE_TYPE_UNSPECIFIED | Unspecified feed source type. |
GOOGLE_CLOUD_STORAGE | Cloud Storage. |
HTTP | HTTP. |
SFTP | SFTP. |
AMAZON_S3 | S3. |
AZURE_BLOBSTORE | Azure Blobstore. |
API | API. |
AMAZON_SQS | SQS. |
PUBSUB | Pub/Sub. |
AMAZON_KINESIS_FIREHOSE | AMAZON_KINESIS_FIREHOSE. |
WEBHOOK | WEBHOOK. |
HTTPS_PUSH_GOOGLE_CLOUD_PUBSUB | HTTPS GCloud Pub/Sub. |
HTTPS_PUSH_AMAZON_KINESIS_FIREHOSE | HTTPS Amazon Kinesis Firehose. |
HTTPS_PUSH_WEBHOOK | HTTPS Webhook. |
OMNIFLOW_GOOGLE_CLOUD_STORAGE | |
OMNIFLOW_AMAZON_S3 | Amazon S3 Feed backed by Omniflow STS. |
OMNIFLOW_AMAZON_SQS | Amazon SQS Feed backed by Omniflow STS. |
AZURE_EVENT_HUB | Microsoft Azure native ingestion for event hub. |
GOOGLE_CLOUD_STORAGE_V2 | Google Cloud Storage Feed backed by Omniflow STS. |
AMAZON_S3_V2 | Amazon S3 Feed backed by Omniflow STS. |
AMAZON_SQS_V2 | Amazon SQS Feed backed by Omniflow STS. |
AZURE_BLOBSTORE_V2 | Azure Blobstore Feed backed by Omniflow STS. |
State
List of states a feed can have.
Enums | |
---|---|
STATE_UNSPECIFIED | Unspecified feed state. |
ACTIVE | Feed is configured and ready to ingest data. Newly created feeds have this state. Once ingestion begins, the feed will transition out of this state and will not transition back. |
INACTIVE | Feed is disabled. When a user disables a feed, it will transition to this state regardless of its current state. Once enabled, a feed will transition to its previous state. |
RUNNING | Feed is enabled and currently ingesting data. A feed will transition to this state from an ACTIVE or COMPLETED state when Chronicle has begun fetching data for this feed. |
SUCCEEDED | Feed is enabled and has recently successfully ingested data. A feed will transition to this state from RUNNING or FAILED once a fetch has completed successfully. |
FAILED | Feed is enabled, but has recently failed to ingest data. A feed will transition to this state only from RUNNING once a fetch has failed. It will remain in this state until a subsequent fetch has succeeded. |
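The transition rules in the State table can be checked mechanically against a feed's recorded state history, which helps spot ingestion gaps or unexpected feed changes. The following is an added example, not part of the Chronicle API or of this reference: `audit_states` and the sample histories are hypothetical, it assumes every state change was observed, and it reads the COMPLETED state named under RUNNING (not an enum value) as SUCCEEDED.

```python
# Added example: transition rules transcribed from the State descriptions above.
# Assumption: the page says RUNNING is entered from "ACTIVE or COMPLETED", but
# COMPLETED is not an enum value; this sketch reads it as SUCCEEDED.
ALLOWED = {
    "ACTIVE": {"RUNNING"},               # leaves ACTIVE once ingestion begins
    "RUNNING": {"SUCCEEDED", "FAILED"},  # a fetch completes or fails
    "SUCCEEDED": {"RUNNING"},            # the next fetch starts
    "FAILED": {"SUCCEEDED"},             # stays FAILED until a fetch succeeds
}


def audit_states(observed):
    """Check a feed's observed state sequence (oldest first).

    Returns a list of (index, previous, current, reason) tuples, one for each
    transition the State descriptions do not allow.
    """
    findings = []
    prev = None    # last state seen
    resume = None  # state the feed held when it was disabled
    for i, state in enumerate(observed):
        if prev is None or state == prev:
            prev = state
            continue
        if state == "INACTIVE":
            resume = prev  # disabling is allowed from any state
        elif prev == "INACTIVE":
            # Re-enabling must return the feed to its pre-disable state.
            if resume is not None and state != resume:
                findings.append((i, prev, state, f"expected return to {resume}"))
            resume = None
        elif state not in ALLOWED.get(prev, set()):
            findings.append((i, prev, state, "transition not described"))
        prev = state
    return findings


# Constructed sample histories, not real feed data.
HEALTHY = ["ACTIVE", "RUNNING", "FAILED", "SUCCEEDED", "INACTIVE", "SUCCEEDED", "RUNNING"]
SUSPECT = ["ACTIVE", "RUNNING", "SUCCEEDED", "ACTIVE", "INACTIVE", "FAILED"]

if __name__ == "__main__":
    for name, history in (("healthy", HEALTHY), ("suspect", SUSPECT)):
        print(name, audit_states(history))
```

A history that starts in INACTIVE is accepted on re-enable, because the pre-disable state is unknown.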
FeedFailureDetails
FeedFailureDetails contains details about the errors thrown by Chronicle for the feeds. These are user-visible details that help the user identify the root cause and take appropriate action for feed errors.
JSON representation |
---|
{ "error_code": string, "http_error_code": integer, "error_cause": string, "error_action": string } |
Fields | |
---|---|
error_ | Output only. error_code contains the error code for the feed. The field is populated for feeds with a failed status. |
http_ | Output only. http_error_code contains the HTTP error code for the feed failure. A feed transfer failure may or may not result in an HTTP error code. |
error_ | Output only. error_cause contains the information regarding the failure cause. |
error_ | Output only. error_action contains the user action prescribed for remediation of the feed error. |
Methods | |
---|---|
| | Creates a feed. |
| | Deletes a feed. |
| | Disable feed for ingestion. |
| | Enable feed for ingestion. |
| | Generates a new secret for https push feeds which do not support jwt tokens. |
| | Gets a feed. |
| | Import logs coming from https push feeds. |
| | Lists all feeds for the customer. |
| | Updates the full feed. |