Set up a SIEM webhook
Before you begin
- Ensure that a Google Cloud project for Google SecOps is configured and the Chronicle API is enabled for the project.
Using the command-line examples
This document includes curl command examples to help you set up and test your webhook feed. These examples use editable placeholder variables. To use them effectively:
- Edit the variables: As you follow the setup steps, you obtain values for the webhook endpoint, an API key, and a secret. Click the placeholder variables in the sample code and replace them with your actual values:
  - ENDPOINT_URL: the feed endpoint URL obtained when you create an HTTPS webhook feed.
  - API_KEY: the API key you create for the webhook feed to authenticate to Google SecOps.
  - SECRET: the secret key generated when you create an HTTPS webhook feed.
  Editing a variable in one code sample updates it across all examples on this page.
- Copy the command: Click the Copy the code sample icon on the code block.
- Run the command: Paste the copied command into your terminal environment and execute it. Make sure that the curl command includes the --fail (or -f) flag. This ensures that curl returns a non-zero exit code if the HTTP request fails, and an exit code of 0 to indicate success. This is needed for the next step.
- Verify success: A successful curl command returns no output. To confirm success, if the curl command included the --fail (or -f) flag, check the exit code by running the following command immediately after:
  echo $?
  An exit code of 0 indicates success.
Set up an HTTPS webhook feed
To set up an HTTPS webhook feed, do the following:
- Create an HTTPS webhook feed and copy the endpoint URL and secret key.
- Create an API key to use with the endpoint URL. You can also reuse your existing API key to authenticate to Google SecOps.
- Specify the endpoint URL in your application.
Send multiple events in a single webhook request
The following code sample shows how to format a single request body with multiple newline-separated JSON objects. The $'...' quoting makes the shell turn the \n escape into a real newline between the two objects:
curl --location 'ENDPOINT_URL' \
  --header 'Content-Type: application/json' \
  --header 'X-goog-api-key: API_KEY' \
  --header 'X-Webhook-Access-Key: SECRET' \
  --data $'{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}\n{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}' \
  --fail
Create an HTTPS webhook feed
- In the Google SecOps menu, select Settings, and then click Feeds.
- Click Add new.
- In the Feed name field, enter a name for the feed.
- In the Source type list, select Webhook.
- Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
- Click Next.
- Optional: Specify values for the following input parameters:
  - Split delimiter: the delimiter that is used to separate log lines, such as \n.
  - Asset namespace: the asset namespace.
  - Ingestion labels: the label to be applied to the events from this feed.
- Click Next.
- Review your new feed configuration in the Finalize screen, and then click Submit.
- Click Generate Secret Key to generate a secret key to authenticate this feed.
- Copy and store the secret key, as you cannot view this secret again. You can generate a new secret key, but doing so makes the previous secret key obsolete.
- From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
- Optional: Click the Feed Enabled toggle to disable the feed. The feed is enabled by default.
- Click Done.
Create an API key for the webhook feed
- Go to the Google Cloud console Credentials page.
- Click Create credentials, and then select API key.
- Restrict the API key access to the Chronicle API.
Specify the endpoint URL
- In your client application, specify the HTTPS endpoint available in the webhook feed.
- Enable authentication by specifying the API key and secret key as custom headers in the following format:
  X-goog-api-key: API_KEY
  X-Webhook-Access-Key: SECRET
  We recommend that you specify the API key as a header instead of specifying it in the URL: values in the query string can end up in proxy and web-server access logs, while header values normally do not.
  curl --location 'ENDPOINT_URL' \
    --header 'Content-Type: application/json' \
    --header 'X-goog-api-key: API_KEY' \
    --header 'X-Webhook-Access-Key: SECRET' \
    --data '{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}' \
    --fail
- If your webhook client doesn't support custom headers, you can specify the API key and secret key by using query parameters in the following format:
  ENDPOINT_URL?key=API_KEY&secret=SECRET
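As an added example (not code from the Google SecOps documentation), the following Python client ties together the two pieces this page describes: the newline-delimited batch body from "Send multiple events in a single webhook request" and the header-based authentication above, with the query-parameter form as a fallback. The function names are my own, and the endpoint URL and credentials are assumed to arrive via environment variables rather than being written into the source.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlencode


def build_ndjson_body(events):
    """Serialize events as newline-delimited JSON, one object per line.

    Compact encoding never emits a raw newline inside an object, so the feed's
    split delimiter (a newline) separates events cleanly even if a field
    contains one; json.dumps escapes it as the two characters backslash-n.
    """
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def build_headers(api_key, secret):
    """Carry both credentials as custom headers, the form the page recommends."""
    return {
        "Content-Type": "application/json",
        "X-goog-api-key": api_key,
        "X-Webhook-Access-Key": secret,
    }


def build_query_param_url(endpoint_url, api_key, secret):
    """Fallback for clients that cannot set headers: ENDPOINT_URL?key=...&secret=..."""
    return endpoint_url + "?" + urlencode({"key": api_key, "secret": secret})


def send_events(endpoint_url, api_key, secret, events, timeout=10):
    """POST one NDJSON batch; True only on a 2xx response, mirroring curl --fail."""
    req = urllib.request.Request(
        endpoint_url,
        data=build_ndjson_body(events),
        headers=build_headers(api_key, secret),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.URLError:  # covers HTTP 4xx/5xx and connection failures
        return False


if __name__ == "__main__":
    # Constructed sample events in the shape of the page's curl example (hypothetical values).
    sample = [{"principal": {"asset_id": "asset 123"},
               "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}] * 2
    ok = send_events(os.environ["ENDPOINT_URL"], os.environ["API_KEY"], os.environ["SECRET"], sample)
    raise SystemExit(0 if ok else 1)
```

Run it with ENDPOINT_URL, API_KEY and SECRET exported in the shell; the exit code follows the same convention as the curl --fail examples, so `echo $?` works the same way.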