Set up a SIEM webhook

Before you begin

Using the command-line examples

This document includes curl command examples to help you set up and test your webhook feed. These examples use editable placeholder variables. To use them effectively:

  1. Edit the variables: As you follow the setup steps, you will obtain values for the webhook endpoint, an API key, and a secret. Click the placeholder variables in the sample code and replace them with your actual values:

    Editing a variable in one code sample updates it across all examples on this page.

  2. Copy the command: Click the Copy the code sample icon on the code block.

  3. Run the command: Paste the copied command into your terminal environment and execute it.

    Make sure that the curl command includes the --fail (or -f) flag. This ensures that curl returns a non-zero exit code if the HTTP request fails, and an exit code of 0 to indicate success. This is needed for the next step.

  4. Verify success: A successful curl command returns no output. To confirm success, do the following:

    If the curl command included the --fail (or -f) flag, check the exit code by running the following command immediately after:

      echo $?

    An exit code of 0 indicates success.

Set up an HTTPS webhook feed

To set up an HTTPS webhook feed, do the following:

  1. Create an HTTPS webhook feed and copy the endpoint URL and secret key.
  2. Create an API key to use with the endpoint URL. You can also reuse your existing API key to authenticate to Google SecOps.
  3. Specify the endpoint URL in your application.

Send multiple events in a single webhook request

The following code sample shows how to format a single request body with multiple newline-separated JSON objects:

  curl --location 'ENDPOINT_URL' \
    --header 'Content-Type: application/json' \
    --header 'X-goog-api-key: API_KEY' \
    --header 'X-Webhook-Access-Key: SECRET' \
    --data $'{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}\n{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}' \
    --fail

Create an HTTPS webhook feed

  1. In the Google SecOps menu, select Settings, and then click Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed.
  4. In the Source type list, select Webhook.
  5. Select the Log type. For example, to create a feed for Open Cybersecurity Schema Framework, select Open Cybersecurity Schema Framework (OCSF) as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label to be applied to the events from this feed.
  8. Click Next.
  9. Review your new feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key, because you cannot view this secret again. You can generate a new secret key, but doing so makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Optional: Click the Feed Enabled toggle to disable the feed. The feed is enabled by default.
  14. Click Done.

Create an API key for the webhook feed

  1. Go to the Google Cloud console Credentials page.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key access to the Chronicle API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint available in the webhook feed.
  2. Enable authentication by specifying the API key and secret key as custom headers in the following format:

      X-goog-api-key: API_KEY
      X-Webhook-Access-Key: SECRET

    • We recommend that you specify the API key as a header instead of specifying it in the URL.

        curl --location 'ENDPOINT_URL' \
          --header 'Content-Type: application/json' \
          --header 'X-goog-api-key: API_KEY' \
          --header 'X-Webhook-Access-Key: SECRET' \
          --data '{"principal": {"asset_id": "asset 123"}, "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}}' \
          --fail

    • If your webhook client doesn't support custom headers, you can specify the API key and secret key by using query parameters in the following format:

        ENDPOINT_URL?key=API_KEY&secret=SECRET

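As an added example (not Google SecOps code and not code from this page), the following Python client does what the curl commands in the "Send multiple events in a single webhook request" and "Specify the endpoint URL" sections do: it assembles a newline-separated body from several events, sends it with the X-goog-api-key and X-Webhook-Access-Key headers (or, as the fallback, the key and secret query parameters), and treats any non-2xx response as a failure, which is what the --fail flag gives you with curl. The local StubEndpoint class is an assumption: it mimics only the credential check and NDJSON parsing this page describes so the client can be exercised offline, and does not reproduce the real endpoint's behaviour. The API key, secret and event values are constructed placeholders.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed placeholder credentials (not real values); the feed setup
# steps on this page produce the real API key and secret.
API_KEY = "example-api-key"
SECRET = "example-secret"


def build_ndjson(events):
    """Serialize event dicts as newline-separated JSON, one object per line,
    so the feed's split delimiter ("\\n") separates them cleanly."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)


def send_events(endpoint_url, api_key, secret, events, use_headers=True):
    """POST the events and return the HTTP status code.

    use_headers=True puts the credentials in X-goog-api-key and
    X-Webhook-Access-Key (the recommended form); False appends them as
    ?key=...&secret=... for clients that cannot set custom headers.
    A non-2xx response raises RuntimeError, mirroring curl --fail."""
    body = build_ndjson(events).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    url = endpoint_url
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    else:
        sep = "&" if "?" in endpoint_url else "?"
        url = f"{endpoint_url}{sep}key={api_key}&secret={secret}"
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"webhook request failed: HTTP {exc.code}") from exc


class StubEndpoint(BaseHTTPRequestHandler):
    """Assumed stand-in for the feed endpoint, used only to exercise the client
    offline: accepts the POST when key and secret match (header or query
    parameter form) and records each NDJSON line it can parse."""
    received = []

    def do_POST(self):
        qs = parse_qs(urlparse(self.path).query)
        key = self.headers.get("X-goog-api-key") or qs.get("key", [None])[0]
        secret = self.headers.get("X-Webhook-Access-Key") or qs.get("secret", [None])[0]
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status = 200
        if key != API_KEY or secret != SECRET:
            status = 401
        else:
            try:
                lines = [ln for ln in raw.decode("utf-8").split("\n") if ln.strip()]
                StubEndpoint.received.extend(json.loads(ln) for ln in lines)
            except (UnicodeDecodeError, json.JSONDecodeError):
                status = 400
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def demo():
    """Run the client against the stub three ways: headers, query parameters,
    and a wrong secret. Returns (status_headers, status_query,
    events_received, wrong_secret_rejected)."""
    server = HTTPServer(("127.0.0.1", 0), StubEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    StubEndpoint.received = []
    sample = [  # constructed sample events in the shape used on this page
        {"principal": {"asset_id": "asset 123"},
         "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}},
        {"principal": {"asset_id": "asset 456"},
         "metadata": {"event_type": "GENERIC_EVENT", "product_name": "Product Acme"}},
    ]
    try:
        via_headers = send_events(url, API_KEY, SECRET, sample)
        via_query = send_events(url, API_KEY, SECRET, sample, use_headers=False)
        try:
            send_events(url, API_KEY, "wrong-secret", sample)
            rejected = False
        except RuntimeError:
            rejected = True
    finally:
        server.shutdown()
        server.server_close()
    return via_headers, via_query, len(StubEndpoint.received), rejected


if __name__ == "__main__":
    print(demo())  # (200, 200, 4, True)
```

Running the file directly prints the result tuple: both credential forms are accepted, four events arrive across the two successful requests, and the wrong secret is rejected. Query strings are routinely recorded in proxy and web-server access logs, which is one reason the header form is the one to prefer whenever the client supports custom headers.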