Set up a SIEM HTTPS webhook feed
Before you begin:
- Ensure that a Google Cloud project for Google SecOps is configured and the Chronicle API is enabled for the project.
To set up an HTTPS webhook feed, do the following:
- Create an HTTPS webhook feed and copy the endpoint URL and secret key.
- Create an API key to send along with the endpoint URL. You can also reuse an existing API key to authenticate to Google SecOps.
- Specify the endpoint URL in your application.
Send multiple events in a single webhook request
The following code sample shows how to format a single request body that carries multiple newline-separated JSON objects. The request starts with the curl --location item, and the events are passed in the --data value, one JSON object per line:
curl --location 'ENDPOINT_URL' \
--header 'Content-Type: application/json' \
--header 'X-goog-api-key: API_KEY' \
--header 'X-Webhook-Access-Key: SECRET' \
--data '{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}
{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}'
Create an HTTPS webhook feed
- In the Google SecOps menu, select Settings, and then click Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed.
- In the Source type list, select Webhook.
- Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
- Click Next.
- Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as \n.
- Asset namespace: the asset namespace.
- Ingestion labels: the label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
- Copy and store the secret key, because you cannot view this secret again. You can generate a new secret key later, but regenerating it makes the previous secret key obsolete.
- From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
- Optional: Click the Feed Enabled toggle to disable the feed. The feed is enabled by default.
- Click Done.
Create an API key for the webhook feed
- Go to the Google Cloud console Credentials page.
- Click Create credentials, and then select API key.
- Restrict the API key access to the Chronicle API.
Specify the endpoint URL
- In your client application, specify the HTTPS endpoint, which is available in the webhook feed.
Enable authentication by specifying the API key and secret key as part of the custom header in the following format:
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
We recommend that you specify the API key as a header instead of specifying it in the URL. If your webhook client doesn't support custom headers, you can specify the API key and secret key by using query parameters in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
- ENDPOINT_URL: the feed endpoint URL.
- API_KEY: the API key to authenticate to Google SecOps.
- SECRET: the secret key that you generated to authenticate the feed.
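As an added example (not part of the Google SecOps documentation), the following Python client batches several events into one newline-delimited request body, as in the curl sample above, and attaches the API key and secret key either as the recommended custom headers or as the query-parameter fallback. The function names `build_batch_body`, `build_request` and `send_events` are chosen here; the endpoint URL and key values are placeholders to replace with your feed's values.

```python
import json
import urllib.parse
import urllib.request

# Placeholders: replace with the endpoint URL, API key and secret key from your feed.
ENDPOINT_URL = "https://ENDPOINT_URL"
API_KEY = "API_KEY"
SECRET = "SECRET"


def build_batch_body(events, delimiter="\n"):
    """Serialize events as delimiter-separated JSON objects, one per line."""
    # json.dumps escapes newlines inside string values, so an event's own
    # contents cannot break it across lines; the check guards other delimiters.
    lines = [json.dumps(event, separators=(",", ":")) for event in events]
    for line in lines:
        if delimiter in line:
            raise ValueError("serialized event contains the split delimiter")
    return delimiter.join(lines)


def build_request(endpoint_url, api_key, secret, events, use_query_params=False):
    """Return (url, headers, body) for one request carrying every event."""
    # Headers are preferred; query parameters are the fallback for clients
    # without custom headers and leave the keys in URL and proxy logs.
    body = build_batch_body(events).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    if use_query_params:
        query = urllib.parse.urlencode({"key": api_key, "secret": secret})
        url = f"{endpoint_url}?{query}"
    else:
        url = endpoint_url
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    return url, headers, body


def send_events(endpoint_url, api_key, secret, events):
    """POST the batch and return the HTTP status code."""
    url, headers, body = build_request(endpoint_url, api_key, secret, events)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample events in the shape of the page's curl example.
    sample = [{"principal": {"asset_id": f"asset {i}"}, "metadata": {
        "event_type": "GENERIC_EVENT", "product_name": "Product Acme"}} for i in (123, 456)]
    print(build_request(ENDPOINT_URL, API_KEY, SECRET, sample)[2].decode("utf-8"))
```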