Collect Aware Signals logs

Supported in:

Google secops SIEM

This document explains how to configure Aware to push Signal event logs to Google Security Operations using webhooks.

Aware (by Mimecast) is a collaboration security and insider risk platform that monitors content across enterprise communication tools such as Slack, Microsoft Teams, Zoom, Cisco Webex, and Workvivo. The Aware Signal application uses AI models, keyword matching, regular expressions, and sentiment analysis to detect policy violations and generate events. These Signal events can be forwarded to a SIEM destination for centralized security monitoring and correlation.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
An Aware platform subscription with the Signal module enabled
An Aware administrator account with access to System Settings
At least one collaboration platform (Slack, Microsoft Teams, Zoom, Webex, or Workvivo) connected and ingesting content in Aware
At least one Signal policy and rule configured to generate events
Access to Google Cloud Console (for API key creation)

Create a webhook feed in Google SecOps

Create the feed

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Aware Signal Events ).
Select Webhookas the Source type.
Select Aware Signalsas the Log type.
Click Next.
Specify values for the following input parameters:
- Split delimiter: Enter \n (newline delimiter for NDJSON payloads)
- Asset namespace: The asset namespace
- Ingestion labels: The label to be applied to the events from this feed
Click Next.
Review your new feed configuration in the Finalizescreen, and then click Submit.

Generate and save the secret key

After creating the feed, you must generate a secret key for authentication:

On the feed details page, click Generate Secret Key.
A dialog displays the secret key.
Copy and savethe secret key securely.

Get the feed endpoint URL

Go to the Detailstab of the feed.
In the Endpoint Informationsection, copy the Feed endpoint URL.

The URL format is:

 https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate

 https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate

Save this URL for the next steps.
Click Done.

Create a Google Cloud API key

Google SecOps requires an API key for authentication. Create a restricted API key in the Google Cloud Console.

Create the API key

Go to the Google Cloud Console Credentials page .
Select your project (the project associated with your Google SecOps instance).
Click Create credentials > API key.
An API key is created and displayed in a dialog.
Click Edit API keyto restrict the key.

Restrict the API key

In the API keysettings page:
- Name: Enter a descriptive name (for example, Chronicle Webhook API Key )
Under API restrictions:
1. Select Restrict key.
2. In the Select APIsdropdown, search for and select Google SecOps API(or Chronicle API).
Click Save.
Copythe API key value from the API keyfield at the top of the page.
Save the API key securely.

Note: Restricting the API key ensures it can only be used with the Google SecOps API, reducing security risk if the key is compromised.

Obtain the Aware API key

Aware uses an API key for authenticating external integrations. To obtain the key:

Sign in to Awareat https://aware.work with an administrator account.
Click System Settingsin the lower left corner.
Navigate to the Integrationstab.
Copy the API Keydisplayed on the page.

Note: All Aware API methods are protected by a customer-specific access token provided through the HTTP X-Aware-Api-Key header. Only Aware administrators can access the API key from System Settings.
Save the API key securely for use in the next steps.

Configure Aware Signal webhook forwarding

Construct the webhook URL

Combine the Google SecOps endpoint URL, API key, and secret key:
```
 <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY> 
```

Example:

 https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...

Configure event forwarding in Aware

Configure Aware to forward Signal events to the Google SecOps webhook endpoint. The exact steps may vary depending on your Aware platform version.

Sign in to Awareat https://aware.work with an administrator account.
Click System Settingsin the lower left corner.
Navigate to the Integrationstab.
Configure a new webhook destination with the following details:
- Destination URL: Paste the complete webhook URL with API key and secret key appended as query parameters:
```
 https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY&secret=YOUR_SECRET_KEY 
```
- Content Type: Select application/json
- Authentication Header(if supported by your Aware version): Set the header name to X-Aware-Api-Key and the value to your Aware API key
Select the event types to forward. For comprehensive security monitoring, enable forwarding of all Signal events:
- Policy violation events
- Keyword match events
- AI/sentiment detection events
- Toxic behavior detection events
Click Saveto activate the webhook destination.

Note: If webhook-based event forwarding is not available in your Aware platform version, contact your Mimecast account representative to request the feature or explore the alternative approach described in the next section. For more information, see Aware documentation .

Alternative: Forward events using a Cloud Run function

If your Aware version does not support native webhook push for Signal events, you can use a Cloud Run function to poll the Aware API and forward events to the Google SecOps webhook endpoint.

Create a Cloud Run function(Python 3.12 or later) with a Pub/Sub trigger.
Configure the function to:
1. Authenticate to the Aware API using the X-Aware-Api-Key header.
2. Query Signal events from the Aware API endpoint.
3. Forward each event as a JSON payload to the Google SecOps webhook endpoint URL.

Use Cloud Schedulerto invoke the function at regular intervals (for example, every 5 minutes).

Example request to forward events:

 curl  
-X  
POST  
 "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY&secret=YOUR_SECRET_KEY" 
  
 \ 
  
-H  
 "Content-Type: application/json" 
  
 \ 
  
-d  
 '{"signal_id":"12345","event_type":"policy_violation","timestamp":"2026-01-15T10:30:00Z","user":"user@example.com","platform":"slack","policy":"Data Loss Prevention","rule":"Credit Card Numbers","message_snippet":"detected content"}'

Verify event delivery

In Google SecOps, go to SIEM Settings > Feeds.
Click on the Aware Signal Eventsfeed.
Go to the Statustab.
Verify that events are being received.
Alternatively, trigger a test Signal event in Aware:
1. In Aware, navigate to Signal > Events.
2. Verify that new events are being generated by your policies.
3. Wait a few minutes for the events to appear in Google SecOps.
Note: Events may take a few minutes to appear depending on the delivery method and event volume.

Aware Signal event types

Aware Signal detects events across connected collaboration platforms using a combination of AI models, keyword matching, regular expressions, and sentiment analysis. The following event categories are commonly generated:

Category	Description	Examples
Policy violation	Events triggered by defined policy rules	Keyword detection, regex pattern match, sensitive data
AI/Sentiment	Events detected by AI and sentiment models	Toxic language, negative sentiment, harassment
Data loss	Events related to potential data exfiltration	File sharing violations, external sharing, credential exposure
Insider risk	Events indicating potential insider threats	Unusual behavior patterns, access anomalies, departing employee risk
Compliance	Events related to regulatory compliance	PII exposure, financial data sharing, HIPAA violations

Authentication methods reference

Google SecOps webhook feeds support multiple authentication methods. Choose the method that your vendor supports.

Method 1: Query parameters

Append credentials to the webhook URL.

URL format:

 <ENDPOINT_URL>?key=<API_KEY>&secret=<SECRET_KEY>

Example:

 https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...&secret=abcd1234...

Method 2: Custom headers

If your configuration supports custom HTTP headers, use this method for improved security.

Headers:

 x-goog-chronicle-auth: <API_KEY>
x-chronicle-auth: <SECRET_KEY>

Advantages:

API key and secret not visible in URL
More secure (headers not logged in web server access logs)

Webhook limits and best practices

Request limits

Limit	Value
Max request size	4 MB
Max QPS (queries per second)	15,000
Request timeout	30 seconds
Retry behavior	Automatic with exponential backoff

Best practices

Enable forwarding for all Signal event types to ensure comprehensive security coverage
Monitor the webhook delivery status regularly for failures or delays
Use the \n split delimiter in the Google SecOps feed configuration to handle NDJSON payloads
Test the integration with a known policy violation before deploying to production
Review Aware Signal policies periodically to ensure relevant events are being captured

Troubleshooting

Events not appearing in Google SecOps

Cause:Events are being generated in Aware but not ingested

Solution:

Go to SIEM Settings > Feedsin Google SecOps.
Click on your Aware Signal Events feed.
Go to the Statustab.
Check for ingestion errors.
Verify the log type is set to Aware Signals.
Verify the API key and secret key in the webhook URL are correct.

Authentication errors

Cause:Invalid API key or secret key

Solution:

Verify the Google SecOps API key is valid and has the correct API restriction.
Verify the secret key matches the one generated during feed creation.

Test the endpoint manually:

 curl  
-X  
POST  
 "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY&secret=YOUR_SECRET_KEY" 
  
 \ 
  
-H  
 "Content-Type: application/json" 
  
 \ 
  
-d  
 '{"test": "event"}'

If the test fails, regenerate the API key or secret key and update the webhook configuration in Aware.

Payload exceeds maximum size

Cause:Event payloads exceed the 4 MB limit

Solution:

Reduce the number of event types being forwarded.
Contact Aware support to configure payload size limits.
If using the Cloud Run function approach, implement batching to split large payloads into multiple requests.

UDM mapping table

Log Field	UDM Mapping	Logic
`has_principal`	`metadata.event_type`	Mapped: `true` → `NETWORK_CONNECTION` , `true` → `STATUS_UPDATE`
`has_user`	`metadata.event_type`	Mapped: `true` → `USER_UNCATEGORIZED`
`signalEventDetails.eventStatus`	`security_result.action_details`	Directly mapped
`contentObjectDetails_contentObjectIsChat_label`	`security_result.detection_fields`	Merged
`contentObjectDetails_contentObjectIsThread_label`	`security_result.detection_fields`	Merged
`detectionLength_label`	`security_result.detection_fields`	Merged
`detectionStart_label`	`security_result.detection_fields`	Merged
`ruleConditionMatches_label`	`security_result.detection_fields`	Merged
`search_label`	`security_result.detection_fields`	Merged
`signalEventDetails_createdTime_label`	`security_result.detection_fields`	Merged
`signalEventDetails_deletedTime_label`	`security_result.detection_fields`	Merged
`signalEventDetails_inspectionRequestId_label`	`security_result.detection_fields`	Merged
`signalEventDetails_isQuarantined_label`	`security_result.detection_fields`	Merged
`signalEventDetails_policyDetails_createdTime_label`	`security_result.detection_fields`	Merged
`signalEventDetails_policyDetails_policyId_label`	`security_result.detection_fields`	Merged
`signalEventDetails_policyDetails_policyName_label`	`security_result.detection_fields`	Merged
`signalEventDetails_ruleBehavior_label`	`security_result.detection_fields`	Merged
`signalEventDetails_ruleFamilyId_label`	`security_result.detection_fields`	Merged
`signalEventDetails_tenantId_label`	`security_result.detection_fields`	Merged
`signalEventId_label`	`security_result.detection_fields`	Merged
`signal_EventDetails_policyDetails_deletedTime_label`	`security_result.detection_fields`	Merged
`snippetContent_label`	`security_result.detection_fields`	Merged
`snippetLength_label`	`security_result.detection_fields`	Merged
`snippetStart_label`	`security_result.detection_fields`	Merged
`signalEventDetails_ruleId`	`security_result.rule_id`	Directly mapped
`signalEventDetails_ruleName`	`security_result.rule_name`	Directly mapped
`contentGroupDetails.contentGroupScope_label`	`target.group.attribute.labels`	Merged
`contentObjectDetails_contentGroupDetails_contentGroupTag_label`	`target.group.attribute.labels`	Merged
`contentGroupDetails_contentGroupName`	`target.group.group_display_name`	Directly mapped
`contentObjectDetails_contentPlatformId_label`	`target.resource.attribute.labels`	Merged
`contentObjectDetails_contentTime_label`	`target.resource.attribute.labels`	Merged
`contentObjectDetails_contentObjectId`	`target.resource.product_object_id`	Directly mapped
`contentObjectDetails_contentObjectType`	`target.resource.resource_subtype`	Directly mapped
`contentAuthorDetails_contentAuthorEmail`	`target.user.email_addresses`	Merged
`contentAuthorDetails_contentAuthorName`	`target.user.user_display_name`	Directly mapped
`contentAuthorDetails_contentAuthorId`	`target.user.userid`	Directly mapped
N/A	`metadata.event_type`	Constant: `NETWORK_CONNECTION`
N/A	`metadata.product_name`	Constant: `AWARE SIGNALS`
N/A	`metadata.vendor_name`	Constant: `AWARE SIGNALS`

Change Log

View the Change Log for this parser

Need more help? Get answers from Community members and Google SecOps professionals.