Collect FingerprintJS logs

This document explains how to configure FingerprintJS to push logs to Google Security Operations using webhooks.

FingerprintJS is a device intelligence platform that provides visitor identification and fraud detection capabilities. It generates unique visitor identifiers and provides smart signals including bot detection, VPN detection, incognito mode detection, and other device intelligence insights. When a visitor is identified through the FingerprintJS JavaScript agent, webhooks can send the identification event data to Google Security Operations in real time.

Before you begin

Ensure that you have the following prerequisites:

• A Google SecOps instance
• FingerprintJS account with webhook support
• Access to Google Cloud console (for API key creation)
• FingerprintJS JavaScript agent installed on your website or application

Create webhook feed in Google SecOps

Create the feed

1. Go to SIEM Settings > Feeds.
2. Click Add New Feed.
3. On the next page, click Configure a single feed.
4. In the Feed name field, enter a name for the feed (for example, FingerprintJS Identification Events).
5. Select Webhook as the Source type.
6. Select FingerprintJS as the Log type.
7. Click Next.
8. Specify values for the following input parameters:
   • Split delimiter (optional): Leave empty. Each webhook request contains a single identification event.
   • Asset namespace: The asset namespace.
   • Ingestion labels: The label to be applied to the events from this feed.
9. Click Next.
10. Review your new feed configuration in the Finalize screen, and then click Submit.

Generate and save secret key

After creating the feed, you must generate a secret key for authentication:

1. On the feed details page, click Generate Secret Key.
2. A dialog displays the secret key.

3. Copy and save the secret key securely.

Get the feed endpoint URL

1. Go to the Details tab of the feed.
2. In the Endpoint Information section, copy the Feed endpoint URL.

3. The URL format is:

   https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
   

   or

   https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
   

4. Save this URL for the next steps.

5. Click Done.

Create Google Cloud API key

Chronicle requires an API key for authentication. Create a restricted API key in the Google Cloud console.

Create the API key

1. Go to the Google Cloud console Credentials page
2. Select your project (the project associated with your Chronicle instance).
3. Click Create credentials > API key.
4. An API key is created and displayed in a dialog.
5. Click Edit API key to restrict the key.

Restrict the API key

1. In the API key settings page:
   • Name: Enter a descriptive name (for example, Chronicle FingerprintJS Webhook API Key).
2. Under API restrictions:
   • Select Restrict key.
   • In the Select APIs dropdown, search for and select Google SecOps API (or Chronicle API).
3. Click Save.
4. Copy the API key value from the API key field at the top of the page.

5. Save the API key securely.

Configure FingerprintJS webhook

Construct the webhook URL

Combine the Chronicle endpoint URL and API key: <ENDPOINT_URL>?key=<API_KEY>

Example: https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...

Create webhook in FingerprintJS Dashboard

1. Sign in to the FingerprintJS Dashboard.
2. Go to Dashboard > Webhooks.
3. Click Add webhook.
4. Provide the following configuration details:
   • URL: Paste the complete endpoint URL with API key from above.
   • Environment (optional): If you select an environment, your webhook will only report on events from a matching environment. Leave empty to receive events from all environments.
   • Basic authentication (optional): Expand Basic authentication if you want to add additional authentication. For Chronicle integration, you can leave this empty as authentication is handled via the API key and secret key.
5. Click Create Webhook.
6. A success modal displays Webhooks created.
7. Important: If you are using webhook signatures (Enterprise plan only), copy and save the encryption key shown in the success modal. The key is displayed only once.

Add Chronicle secret key to webhook

FingerprintJS does not support custom HTTP headers during webhook creation. You must add the Chronicle secret key as a query parameter in the webhook URL.

Update the webhook URL to include the secret key: <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>

Example: https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...

To update the webhook URL:

1. In the FingerprintJS Dashboard, go to Dashboard > Webhooks.
2. Find your webhook in the table and click the Edit icon.
3. Update the URL field with the complete URL including both API key and secret key.
4. Click Edit webhook.

Test the webhook

1. In the FingerprintJS Dashboard, go to Dashboard > Webhooks.
2. Find your webhook in the table.
3. Click Send test event.
4. Wait for confirmation that the test event was sent successfully.

5. Verify the webhook shows a successful delivery status.

Authentication methods reference

Chronicle webhook feeds support multiple authentication methods. FingerprintJS webhooks use query parameters for authentication.

Query parameters method

FingerprintJS does not support custom HTTP headers during webhook creation, so credentials must be appended to the URL.

URL format: <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>

Example: https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...

Request format:

POST <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY> HTTP/1.1
Content-Type: application/json

{
  "visitorId": "3HNey93AkBW6CRbxV6xP",
  "requestId": "1708102555327.NLOjmg",
  "timestamp": 1582299576512
}

Note: Credentials are visible in the URL and may be logged in web server access logs. This is the only authentication method supported by FingerprintJS webhooks.

UDM mapping table

Need more help? Get answers from Community members and Google SecOps professionals.