Tool: disable_feed
Disable an active feed in Chronicle.
Stops data ingestion for a feed by setting its state to INACTIVE. The feed configuration remains but no new data will be processed.
Workflow Integration:
- Use to pause ingestion for a feed.
- Essential for stopping data flow during maintenance or troubleshooting.
Use Cases:
- Pause a feed that is generating errors.
- Stop ingestion for a retired data source.
Args:
- feed_id (str): The unique ID of the feed to disable.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
Returns:
- str: Raw JSON response containing the updated feed details.
Example Usage:
disable_feed(feed_id="feed_12345", project_id="my-project", customer_id="my-customer", region="us")
The following sample demonstrates how to use curl to invoke the disable_feed MCP tool.
Curl Request

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
  "method": "tools/call",
  "params": {
    "name": "disable_feed",
    "arguments": {
      // provide these details according to the MCP specification of the tool
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
```

Input Schema
Request message for DisableFeed.
DisableFeedRequest
| JSON representation |
|---|
{ "projectId" : string , "customerId" : string , "region" : string , "feedId" : string } |
| Fields | |
|---|---|
projectId | Project ID of the customer. |
customerId | Customer ID of the customer. |
region | Region of the customer. |
feedId | The unique ID of the feed. |
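
An added example (not part of the original page and not Google's code): Python that builds the `tools/call` body for `disable_feed` from the DisableFeedRequest fields, decodes the reply whether it arrives as plain JSON or as a `text/event-stream`, and confirms that the returned Feed reports state INACTIVE. It assumes the argument keys are the camelCase names of the schema above and that the tool result uses the standard MCP shape (a `content` list whose text item holds the raw JSON); the sample response is constructed.

```python
import json

# Constructed sample data: the values reuse the page's Example Usage
# placeholders; this is not a captured Chronicle response.
_SAMPLE_FEED = {
    "name": "projects/my-project/locations/us/instances/my-customer/feeds/feed_12345",
    "displayName": "constructed-sample-feed",
    "state": "INACTIVE",
}
_SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "content": [{"type": "text", "text": json.dumps(_SAMPLE_FEED)}],
        "isError": False,
    },
}
SAMPLE_JSON_BODY = json.dumps(_SAMPLE_RESPONSE)
SAMPLE_SSE_BODY = "event: message\ndata: " + SAMPLE_JSON_BODY + "\n\n"


def build_disable_feed_call(project_id, customer_id, region, feed_id, request_id=1):
    """Return the JSON-RPC 2.0 body for a tools/call of disable_feed.

    Assumption: argument keys follow the camelCase DisableFeedRequest schema.
    """
    arguments = {
        "projectId": project_id,
        "customerId": customer_id,
        "region": region,
        "feedId": feed_id,
    }
    # All four fields are required; reject empty values before sending.
    for key, value in arguments.items():
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{key} is required and must be a non-empty string")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "disable_feed", "arguments": arguments},
    }


def parse_mcp_body(body):
    """Decode a response body that is plain JSON or a text/event-stream.

    The curl sample accepts both content types, so either may come back.
    """
    stripped = body.lstrip()
    if stripped.startswith("{"):
        return json.loads(stripped)
    messages, data_lines = [], []
    # A blank line ends one server-sent event; its data lines form one message.
    for line in body.splitlines() + [""]:
        if line.startswith("data:"):
            data_lines.append(line[5:].strip())
        elif line == "" and data_lines:
            messages.append(json.loads("\n".join(data_lines)))
            data_lines = []
    for message in messages:
        if "result" in message or "error" in message:
            return message
    raise ValueError("no JSON-RPC response found in body")


def confirm_disabled(response, request_id=1):
    """Return the Feed dict if the call succeeded and the feed is INACTIVE."""
    if response.get("id") != request_id:
        raise RuntimeError("response id does not match the request")
    if "error" in response:
        raise RuntimeError(f"JSON-RPC error: {response['error'].get('message')}")
    result = response.get("result", {})
    texts = [c.get("text", "") for c in result.get("content", [])
             if c.get("type") == "text"]
    if result.get("isError"):
        raise RuntimeError("tool reported an error: " + " ".join(texts))
    if not texts:
        raise RuntimeError("tool result has no text content")
    feed = json.loads(texts[0])  # the tool returns the Feed as raw JSON text
    if feed.get("state") != "INACTIVE":
        raise RuntimeError(
            f"feed {feed.get('name')} is in state {feed.get('state')!r}")
    return feed


if __name__ == "__main__":
    call = build_disable_feed_call("my-project", "my-customer", "us", "feed_12345")
    print(json.dumps(call, indent=2))
    feed = confirm_disabled(parse_mcp_body(SAMPLE_SSE_BODY))
    print("confirmed:", feed["name"], feed["state"])
```

Because disabling a feed stops telemetry from that source, recording the confirmed feed name and state alongside the change ticket gives an audit trail for the gap in ingestion.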
Output Schema
Feed is a resource that contains feed information needed to create a feed.
Feed
| JSON representation |
|---|
{ "name" : string , "uid" : string , "displayName" : string , "details" : { object ( |
| Fields | |
|---|---|
name | The resource name of the feed. Format: projects/{project}/locations/{location}/instances/{instance}/feeds/{feed} |
uid | Output only. Unique identifier for the feed. |
displayName | Customer-provided feed name. |
details | Additional details of the feed, these details are dynamic and will be different for each of the feeds. |
state | Output only. State of the feed. |
failureMsg | Output only. Details about the most recent failure when feed state is FAILED. |
readOnly | Output only. Whether this feed can be updated or deleted. |
lastFeedInitiationTime | Output only. Latest timestamp when the transfer was successful for the feed. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
failureDetails | Output only. Failure details for the feed. If the feed is in the failure state, this field will contain the details of the error cause and actions. |
referenceId | Output only. Reference ID, this field will contain the legacy id of the feed. |
FeedDetails
| JSON representation |
|---|
{ "feedSourceType" : enum ( |

| Fields | | |
|---|---|---|
feedSourceType | enum (FeedSourceType) | Source Type of the feed. |
logType | string | LogType. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{log_type} |
assetNamespace | string | The asset namespace to apply to all logs ingested through this feed. |
labels | map (key: string, value: string) | The ingestion metadata labels to apply to all logs ingested through this feed, and the resulting normalized data. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. |
stsMigrationReadiness | enum (STSMigrationReadiness) | Optional. The status of the feed's migration to STS. |

Union field details. Additional details of the feed. Depends on the feed type. details can be only one of the following:

| Fields | | |
|---|---|---|
anomaliSettings | object (AnomaliIocSettings) | Anomali IOC settings. |
azureAdContextSettings | object (AzureADContextSettings) | Azure AD Context settings. |
cloudPassageSettings | object (CloudPassageSettings) | Cloud Passage settings. |
cortexXdrSettings | object (CortexXDRSettings) | Cortex XDR settings. |
duoAuthSettings | object (DuoAuthSettings) | Duo Auth settings. |
duoUserContextSettings | object (DuoUserContextSettings) | Duo User Context settings. |
microsoftGraphAlertSettings | object (MicrosoftGraphAlertSettings) | Microsoft Graph Alert settings. |
microsoftSecurityCenterAlertSettings | object (MicrosoftSecurityCenterAlertSettings) | Microsoft Security center alert settings. |
mimecastMailSettings | object (MimecastMailSettings) | Mimecast mail settings. |
office365Settings | object (Office365Settings) | Office 365 settings. |
proofpointMailSettings | object (ProofpointMailSettings) | Proofpoint mail settings. |
recordedFutureIocSettings | object (RecordedFutureIocSettings) | Recorded Future IOC settings. |
workdaySettings | object (WorkdaySettings) | Workday settings. |
panIocSettings | object (PanIocSettings) | PAN IOC settings. |
oktaSettings | object (OktaSettings) | Okta settings. |
oktaUserContextSettings | object (OktaUserContextSettings) | Okta user context settings. |
foxItStixSettings | object (FoxITStixSettings) | Fox-IT STIX settings. |
threatConnectIocSettings | object (ThreatConnectIoCSettings) | ThreatConnect IOC settings. |
serviceNowCmdbSettings | object (ServiceNowCMDBSettings) | ServiceNow CMDB settings. |
impervaWafSettings | object (ImpervaWAFSettings) | Imperva WAF settings. |
thinkstCanarySettings | object (ThinkstCanarySettings) | Thinkst Canary settings. |
rhIsacIocSettings | object (RHIsacIocSettings) | RH-ISAC IOC settings. |
rapid7InsightSettings | object (Rapid7InsightSettings) | Rapid7 Insight settings. |
salesforceSettings | object (SalesforceSettings) | Salesforce settings. |
netskopeAlertSettings | object (NetskopeAlertSettings) | Netskope alert settings. |
azureMdmIntuneSettings | object (AzureMDMIntuneSettings) | Azure MDM Intune settings. |
azureAdSettings | object (AzureADSettings) | Azure AD settings. |
proofpointOnDemandSettings | object (ProofpointOnDemandSettings) | Proofpoint On-Demand settings. |
workspaceUsersSettings | object (WorkspaceUsersSettings) | Workspace users settings. |
workspaceActivitySettings | object (WorkspaceActivitySettings) | Workspace activity settings. |
workspaceAlertsSettings | object (WorkspaceAlertsSettings) | Workspace alerts settings. |
workspacePrivilegesSettings | object (WorkspacePrivilegesSettings) | Workspace privileges settings. |
workspaceMobileSettings | object (WorkspaceMobileSettings) | Workspace mobile settings. |
workspaceChromeOsSettings | object (WorkspaceChromeOSSettings) | Workspace ChromeOS settings. |
workspaceGroupsSettings | object (WorkspaceGroupsSettings) | Workspace Groups settings. |
azureAdAuditSettings | object (AzureADAuditSettings) | Azure AD Audit settings. |
symantecEventExportSettings | object (SymantecEventExportSettings) | Symantec Event Export settings. |
qualysVmSettings | object (QualysVMSettings) | Qualys VM settings. |
panPrismaCloudSettings | object (PanPrismaCloudSettings) | PAN Prisma Cloud settings. |
gcsSettings | object (GoogleCloudStorageSettings) | Google Cloud Storage settings. |
httpSettings | object (HttpSettings) | HTTP settings. |
sftpSettings | object (SftpSettings) | SFTP settings. |
amazonS3Settings | object (AmazonS3Settings) | Amazon S3 settings. |
azureBlobStoreSettings | object (AzureBlobStoreSettings) | Azure Blob Storage settings. |
amazonSqsSettings | object (AmazonSQSSettings) | Amazon SQS settings. |
googleCloudIdentityDevicesSettings | object (GoogleCloudIdentityDevicesSettings) | Google Cloud Identity Devices settings. |
googleCloudIdentityDeviceUsersSettings | object (GoogleCloudIdentityDeviceUsersSettings) | Google Cloud Identity Device Users settings. |
crowdstrikeDetectsSettings | object (CrowdStrikeDetectsSettings) | CrowdStrike Detects API settings. |
mandiantIocSettings | object (MandiantIoCSettings) | Mandiant IOC settings. |
sentineloneAlertSettings | object (SentineloneAlertSettings) | SentinelOne Alert settings. |
qualysScanSettings | object (QualysScanSettings) | Qualys Scan Settings. |
pubsubSettings | object (PubsubSettings) | Pub/Sub settings. |
amazonKinesisFirehoseSettings | object (AmazonKinesisFirehoseSettings) | Amazon Kinesis Firehose settings. |
webhookSettings | object (WebhookSettings) | Webhook settings. |
dummyLogTypeSettings | object (DummyLogTypeSettings) | DummyLogType Settings. |
httpsPushGoogleCloudPubsubSettings | object (HttpsPushGoogleCloudPubSubSettings) | Https push Google Pub/Sub settings. |
httpsPushAmazonKinesisFirehoseSettings | object (HttpsPushAmazonKinesisFirehoseSettings) | Https push Amazon Kinesis Firehose settings. |
httpsPushWebhookSettings | object (HttpsPushWebhookSettings) | Https push Webhook settings. |
awsEc2HostsSettings | object (AWSEC2HostsSettings) | AWS EC2 Hosts settings. |
awsEc2InstancesSettings | object (AWSEC2InstancesSettings) | AWS EC2 Instances settings. |
awsEc2VpcsSettings | object (AWSEC2VpcsSettings) | AWS EC2 Vpcs settings. |
awsIamSettings | object (AWSIAMSettings) | AWS IAM settings. |
netskopeAlertV2Settings | object (NetskopeAlertV2Settings) | Netskope alert V2 settings. |
gcsV2Settings | object (GoogleCloudStorageV2Settings) | Settings for Google Cloud Storage Omniflow feeds. |
amazonS3V2Settings | object (AmazonS3V2Settings) | Settings for S3 Omniflow feeds. |
amazonSqsV2Settings | object (AmazonSQSV2Settings) | Settings for SQS Omniflow feeds. |
azureEventHubSettings | object (AzureEventHubSettings) | Settings for Omniflow based native ingestion from azure event hub. |
trellixHxHostsSettings | object (TrellixHxHostsSettings) | Settings for Trellix HX Host Metadata. |
azureBlobStoreV2Settings | object (AzureBlobStoreV2Settings) | Settings for Azure Blobstore Omniflow feeds. |
trellixHxAlertsSettings | object (TrellixHxAlertsSettings) | Settings for Trellix HX Alerts Metadata. |
googleCloudStorageEventDrivenSettings | object (GoogleCloudStorageEventDrivenSettings) | Settings for Omniflow based Google Cloud Storage event driven feeds. |
crowdstrikeAlertsSettings | object (CrowdStrikeAlertsSettings) | CrowdStrike Alerts API settings. |
trellixHxBulkAcqsSettings | object (TrellixHxBulkAcqsSettings) | Settings for Trellix HX Bulk Acquisitions Metadata. |
mimecastMailV2Settings | object (MimecastMailV2Settings) | Required. Mimecast mail v2 settings. |
threatConnectIocV3Settings | object (ThreatConnectIoCV3Settings) | Threat Connect IOC V3 settings. |

AnomaliIocSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
UsernameSecretAuth
| JSON representation |
|---|
{ "user" : string , "secret" : string } |
| Fields | |
|---|---|
user | Username of an identity used for authentication. |
secret | Secret of the account identified by user_name. |
AzureADContextSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
retrieveDevices | Whether to retrieve device information in user context. |
retrieveGroups | Whether to retrieve group information in user context. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
MicrosoftOAuthClientCredentials
| JSON representation |
|---|
{ "clientId" : string , "clientSecret" : string } |
| Fields | |
|---|---|
clientId | Client ID. |
clientSecret | Client secret. |
CloudPassageSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
eventTypes[] | Event types filter for the events API. |
CortexXDRSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
endpoint | API Endpoint. |
HttpHeaderAuth
| JSON representation |
|---|
{ "headerKeyValues" : [ { object ( |
| Fields | |
|---|---|
headerKeyValues[] | Header key-value pairs. |
HeaderKeyValue
| JSON representation |
|---|
{ "key" : string , "value" : string } |
| Fields | |
|---|---|
key | Key. |
value | Value. |
DuoAuthSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
DuoUserContextSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API hostname. |
MicrosoftGraphAlertSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
MicrosoftSecurityCenterAlertSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
subscriptionId | Subscription ID of the Microsoft security center alert settings alert. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
MimecastMailSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
Office365Settings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
tenantId | Tenant ID. |
contentType | Supported office 365 content type. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
ProofpointMailSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
RecordedFutureIocSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
WorkdaySettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
tenantId | Tenant ID. |
WorkdayAuth
| JSON representation |
|---|
{ "user" : string , "secret" : string , "tokenEndpoint" : string , "clientId" : string , "clientSecret" : string , "refreshToken" : string } |
| Fields | |
|---|---|
user | Username. This is unused: Workday feeds were originally configured using a username and secret authentication method, but only the secret field was used, and it was used to supply the OAuth access token. |
secret | The access token used to authenticate against Workday. This field is called "secret" to maintain backwards compatibility. Workday was (only) configured using username (which was unused) and secret (which is used as the access token). Either this field or all of the other OAuth fields below must be specified. |
tokenEndpoint | Token endpoint to get the OAuth token from. |
clientId | Client ID. |
clientSecret | Client Secret. |
refreshToken | Refresh Token. |
PanIocSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
feedId | PAN IOC feed ID. |
feed | PAN IOC feed name. |
OktaSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
OktaUserContextSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
managerIdReferenceField | Manager id reference field. |
FoxITStixSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
ssl | SSL client key pair. |
pollServiceUri | TAXII poll service URI. |
collection | Collection available at the poll service. |
SSLClientKeypair
| JSON representation |
|---|
{ "encodedPrivateKey" : string , "sslCertificate" : string } |
| Fields | |
|---|---|
encodedPrivateKey | The encoded private key. The string should be a private key in PEM format, and should include the begin header and end footer lines. It may also include newlines. Example: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,F23074E02CF47304 |
sslCertificate | The encoded SSL certificate. The string should be an SSL certificate in PEM format, and should include the begin header and end footer lines. It may also include newlines. Example: -----BEGIN CERTIFICATE----- |
ThreatConnectIoCSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
owners[] | Owners. |
ServiceNowCMDBSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
feedname | Feedname. |
ImpervaWAFSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
ThinkstCanarySettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
RHIsacIocSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
OAuthClientCredentials
| JSON representation |
|---|
{ "tokenEndpoint" : string , "clientId" : string , "clientSecret" : string } |
| Fields | |
|---|---|
tokenEndpoint | Token endpoint. |
clientId | Client ID. |
clientSecret | Client secret. |
Rapid7InsightSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
endpoint | Rapid7 API endpoint. Should be "vulnerabilities" or "assets". |
hostname | API Hostname. |
SalesforceSettings
| JSON representation |
|---|
{ "hostname" : string , // Union field |

| Fields | | |
|---|---|---|
hostname | string | API hostname. |

Union field authentication. Possible types of authentication. authentication can be only one of the following:

| Fields | | |
|---|---|---|
oauthPasswordGrantAuth | object (OAuthPasswordGrantCredentials) | Input only. OAuthPasswordGrantCredentials auth. |
oauthJwtCredentials | object (OAuthJWTCredentials) | Input only. OAuthJWTCredentials auth. |

OAuthPasswordGrantCredentials
| JSON representation |
|---|
{ "tokenEndpoint" : string , "clientId" : string , "clientSecret" : string , "user" : string , "password" : string } |
| Fields | |
|---|---|
tokenEndpoint | Token endpoint to get the OAuth token from. |
clientId | Client ID. |
clientSecret | Client secret. |
user | Username. |
password | Password. |
OAuthJWTCredentials
| JSON representation |
|---|
{ "tokenEndpoint" : string , "claims" : { object ( |

| Fields | | |
|---|---|---|
tokenEndpoint | string | Token endpoint to get the OAuth token from. |
claims | object (Claims) | Claims. |

Union field credentials. Credentials. credentials can be only one of the following:

| Fields | | |
|---|---|---|
rsCredentials | object (RSCredentials) | RS credentials. |

RSCredentials
| JSON representation |
|---|
{ "privateKey" : string } |
| Fields | |
|---|---|
privateKey | Private key in PEM format. |
Claims
| JSON representation |
|---|
{ "issuer" : string , "subject" : string , "audience" : string } |
| Fields | |
|---|---|
issuer | Issuer. Usually the client_id. |
subject | Subject. Usually the email. |
audience | Audience. |
NetskopeAlertSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
feedname | Feedname. |
contentType | Content type. |
AzureMDMIntuneSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
AzureADSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
ProofpointOnDemandSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
clusterId | Cluster ID. |
WorkspaceUsersSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
projectionType | Optional. Projection Type. |
WorkspaceActivitySettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
applications[] | Applications. |
WorkspaceAlertsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
WorkspacePrivilegesSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
WorkspaceMobileSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
WorkspaceChromeOSSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
WorkspaceGroupsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
workspaceCustomerId | Customer ID. |
AzureADAuditSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
tenantId | Tenant ID. |
hostname | API Hostname. |
authEndpoint | API Auth Endpoint. |
SymantecEventExportSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
OAuthRefreshToken
| JSON representation |
|---|
{ "tokenEndpoint" : string , "clientId" : string , "clientSecret" : string , "refreshToken" : string } |
| Fields | |
|---|---|
tokenEndpoint | Token endpoint to get the OAuth token from. |
clientId | Client ID. |
clientSecret | Client secret. |
refreshToken | Refresh token. |
QualysVMSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
PanPrismaCloudSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
PanPrismaAuth
| JSON representation |
|---|
{ "user" : string , "password" : string } |
| Fields | |
|---|---|
user | Username. |
password | Password. |
GoogleCloudStorageSettings
| JSON representation |
|---|
{ "bucketUri" : string , "sourceType" : enum ( |
| Fields | |
|---|---|
bucketUri | Bucket URI. |
sourceType | The URI source type. |
sourceDeletionOption | Source deletion option. |
chronicleServiceAccount | Output only. Service Account Chronicle will be using to pull data. |
HttpSettings
| JSON representation |
|---|
{ "uri" : string , "sourceType" : enum ( |
| Fields | |
|---|---|
uri | HTTP URI. |
sourceType | The URI source type. |
sourceDeletionOption | Source deletion option. |
SftpSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
uri | SFTP URI. |
sourceType | The URI source type. |
sourceDeletionOption | Source deletion option. |
SftpAuth
| JSON representation |
|---|
{ "username" : string , "password" : string , "privateKey" : string , "privateKeyPassphrase" : string } |
| Fields | |
|---|---|
username | Username. Used for username and password authentication. |
password | Password. Used for username and password authentication. |
privateKey | Private key. Used for private key authentication. |
privateKeyPassphrase | Private key passphrase. Used for private key authentication. |
AmazonS3Settings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
s3Uri | S3 URI. |
sourceType | The URI source type. |
sourceDeletionOption | Source deletion option. |
S3Auth
| JSON representation |
|---|
{ "accessKeyId" : string , "secretAccessKey" : string , "clientId" : string , "clientSecret" : string , "refreshUri" : string , "region" : enum ( |
| Fields | |
|---|---|
accessKeyId | Access key ID. Used when using access key auth. |
secretAccessKey | Secret access key. Used when using access key auth. |
clientId | Client ID. Used when using OAuth auth. |
clientSecret | Client secret. Used when using OAuth auth. |
refreshUri | Refresh URI. Used when using OAuth auth. |
region | S3 Region. |
AzureBlobStoreSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
azureUri | Azure URI. |
sourceType | The URI source type. |
sourceDeletionOption | Source deletion option. |
AzureAuth
| JSON representation |
|---|
{ // Union field |

Union field auth_type. Type of auth used with Azure. auth_type can be only one of the following:

| Fields | | |
|---|---|---|
sharedKey | string | Shared Key. |
sasToken | string | SAS Token. |

AmazonSQSSettings
| JSON representation |
|---|
{ "region" : enum ( |
| Fields | |
|---|---|
region | S3 Region. |
queue | Name of the queue. |
accountNumber | Account number of the owner of the queue. |
authentication | Input only. Authentication. |
sourceDeletionOption | Source deletion option. |
SQSAuth
| JSON representation |
|---|
{ "sqsAccessKeySecretAuth" : { object ( |
| Fields | |
|---|---|
sqsAccessKeySecretAuth | SQS access key secret auth. |
additionalS3AccessKeySecretAuth | Authentication for the S3 bucket referred to by the items in the SQS queue. This is only required if it is different from the authentication for the queue. |
SQSAccessKeySecretAuth
| JSON representation |
|---|
{ "accessKeyId" : string , "secretAccessKey" : string } |
| Fields | |
|---|---|
accessKeyId | Access key ID. |
secretAccessKey | Secret access key. |
AdditionalS3AccessKeySecretAuth
| JSON representation |
|---|
{ "accessKeyId" : string , "secretAccessKey" : string } |
| Fields | |
|---|---|
accessKeyId | Access key ID. |
secretAccessKey | Secret access key. |
GoogleCloudIdentityDevicesSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
apiVersion | API Version. |
GoogleCloudIdentityDeviceUsersSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
CrowdStrikeDetectsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. OAuthClientCredentials. |
hostname | API Hostname. |
ingestionType | Optional. Ingestion Type. |
MandiantIoCSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
startTime | Time since when to start fetching the IOCs. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
Timestamp
| JSON representation |
|---|
{ "seconds" : string , "nanos" : integer } |
| Fields | |
|---|---|
seconds | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
nanos | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
SentineloneAlertSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | Hostname of SentinelOne alert settings. |
initialStartTime | initialStartTime from when to fetch the alerts. |
isAlertApiSubscribed | Is the customer subscribed to Alerts Api. |
QualysScanSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | Hostname. |
apiType | Supported Qualys Scan api type. |
PubsubSettings
| JSON representation |
|---|
{ "googleServiceAccountEmail" : string } |
| Fields | |
|---|---|
googleServiceAccountEmail | Google Service Account Email. |
DummyLogTypeSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
apiEndpoint | Full API Endpoint. |
HttpsPushGoogleCloudPubSubSettings
| JSON representation |
|---|
{ "splitDelimiter" : string } |
| Fields | |
|---|---|
splitDelimiter | Optional. Delimiter to split on for the feed. |
HttpsPushAmazonKinesisFirehoseSettings
| JSON representation |
|---|
{ "splitDelimiter" : string } |
| Fields | |
|---|---|
splitDelimiter | Optional. Delimiter to split on for the feed. |
HttpsPushWebhookSettings
| JSON representation |
|---|
{ "splitDelimiter" : string } |
| Fields | |
|---|---|
splitDelimiter | Optional. Delimiter to split on for the feed. |
AWSEC2HostsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. UsernameSecretAuth. |
AWSEC2InstancesSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. UsernameSecretAuth. |
AWSEC2VpcsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. UsernameSecretAuth. |
AWSIAMSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
apiType | Supported AWS IAM api type. |
NetskopeAlertV2Settings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Input only. Authentication. |
hostname | API Hostname. |
contentCategory | Content Category. |
contentTypes[] | Content type. |
GoogleCloudStorageV2Settings
| JSON representation |
|---|
{ "bucketUri" : string , "sourceDeletionOption" : enum ( |
| Fields | |
|---|---|
bucketUri | Required. Google Cloud Storage Bucket URI for the feed. |
sourceDeletionOption | Optional. Source deletion option determines if the data from the source is to be deleted after ingestion. |
chronicleServiceAccount | Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project. |
maxLookbackDays | Optional. Maximum File Age to ingest in days. |
AmazonS3V2Settings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
authentication | Required. Authentication. |
s3Uri | Required. S3 URI. |
sourceDeletionOption | Optional. Source deletion option. |
maxLookbackDays | Optional. Maximum File Age to ingest in days. |
chronicleServiceAccount | Output only. SA that will read data, this is Storage Transfer Service SA of Customer's Tenancy Project. |
S3AuthV2
| JSON representation |
|---|
{ // Union field |

Union field auth_type. auth type for S3. auth_type can be only one of the following:

| Fields | | |
|---|---|---|
accessKeySecretAuth | object (S3V2AccessKeySecretAuth) | Access Key ID and Secret Access Key for an AWS account. |
awsIamRoleAuth | object (S3V2AwsIamRoleAuth) | AWS IAM Role Auth for Identity Federation. |

S3V2AccessKeySecretAuth
| JSON representation |
|---|
{ "accessKeyId" : string , "secretAccessKey" : string } |
| Fields | |
|---|---|
accessKeyId | Required. Access Key ID for an AWS account (a 20-character, alphanumeric string). |
secretAccessKey | Required. Secret Access Key for an AWS account (a 40-character string). |
S3V2AwsIamRoleAuth
| JSON representation |
|---|
{ "awsIamRoleArn" : string , "subjectId" : string } |
| Fields | |
|---|---|
| awsIamRoleArn | AWS IAM Role for Identity Federation. |
| subjectId | Subject ID to use for S3. |
AmazonSQSV2Settings
| JSON representation |
|---|
{ "queue" : string , "s3Uri" : string , "authentication" : { object ( |
| Fields | |
|---|---|
| queue | Required. Amazon Resource Name (ARN) of the queue. |
| s3Uri | Required. S3 URI. |
| authentication | Required. Authentication. |
| sourceDeletionOption | Optional. Source deletion option. |
| maxLookbackDays | Optional. Maximum File Age to ingest in days. |
| chronicleServiceAccount | Output only. SA that will read data. This is the Storage Transfer Service SA of the Customer's Tenancy Project. |
SQSAuthV2
| JSON representation |
|---|
{ // Union field |
auth_type. Auth type for the SQS queue. auth_type can be only one of the following:
| Fields | |
|---|---|
| sqsV2AccessKeySecretAuth object (SQSV2AccessKeySecretAuth) | Required. Auth key and secret for the SQS queue. |
| awsIamRoleAuth object (SQSV2AwsIamRoleAuth) | Required. AWS IAM Role for Identity Federation. |
SQSV2AccessKeySecretAuth
| JSON representation |
|---|
{ "accessKeyId" : string , "secretAccessKey" : string } |
| Fields | |
|---|---|
| accessKeyId | Access key ID of the S3 bucket. Ex: AKIABCDEFGHIJKL. |
| secretAccessKey | Secret access key to access the S3 bucket. |
SQSV2AwsIamRoleAuth
| JSON representation |
|---|
{ "awsIamRoleArn" : string , "subjectId" : string } |
| Fields | |
|---|---|
| awsIamRoleArn | AWS IAM Role for Identity Federation. |
| subjectId | Subject ID to use for SQS. |
AzureEventHubSettings
| JSON representation |
|---|
{ "name" : string , "consumerGroup" : string , "eventHubConnectionString" : string , "azureStorageConnectionString" : string , "azureStorageContainer" : string , "azureSasToken" : string , "eventHubNamespace" : string } |
| Fields | |
|---|---|
| name | Required. Event hub to read from. |
| consumerGroup | Required. Event hub consumer group to read from. |
| eventHubConnectionString | Required. Event hub connection string for authentication. |
| azureStorageConnectionString | Optional. Blob store connection string for authentication. |
| azureStorageContainer | Optional. Blob storage container name. |
| azureSasToken | Optional. SAS token. |
| eventHubNamespace | Output only. Event hub namespace. |
TrellixHxHostsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
| authentication | Required. Authentication. |
| endpoint | Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id/ |
TrellixStarXAuthentication
| JSON representation |
|---|
{ // Union field |
auth_type. One of multiple potential auth types. auth_type can be only one of the following:
| Fields | |
|---|---|
| msso object (MssoAuthentication) | Input only. MssoAuthentication auth type. |
| trellixIam object (TrellixIAMAuthentication) | Input only. TrellixIAMAuthentication auth type. |
| trellixLocal object (TrellixLocalAuthentication) | Input only. TrellixLocalAuthentication auth type. |
MssoAuthentication
| JSON representation |
|---|
{ "username" : string , "password" : string , "apiEndpoint" : string } |
| Fields | |
|---|---|
| username | Required. Username for MSSO authentication. There are no restrictions on the format of the username. It has no default, specifically enforced min / max length or character set. The username will have been provided by an MSSO administrator and it is assumed that they have provided a username that is internally consistent with MSSO authentication requirements / validation. |
| password | Required. Password of the account identified by username. There are no restrictions on the format of the password. It has no default, specifically enforced min / max length or character set. The password will have been provided by an MSSO administrator and it is assumed that they have provided a password that is internally consistent with MSSO authentication requirements / validation. |
| apiEndpoint | Required. The login API endpoint URL. This must be a valid URL with an http or https scheme. It has no default. |
TrellixIAMAuthentication
| JSON representation |
|---|
{ "clientId" : string , "clientSecret" : string , "scope" : string } |
| Fields | |
|---|---|
| clientId | Required. Client ID generated in Trellix IAM. This is a unique identifier for the user that is generated in Trellix IAM. It has no default, specifically enforced min / max length or character set. It is assumed that the Client ID generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation. |
| clientSecret | Required. Secret associated with the Client ID. This is the secret generated in Trellix IAM for the Client ID. It has no default, specifically enforced min / max length or character set. It is assumed that the secret generated in Trellix IAM is internally consistent with Trellix IAM authentication requirements / validation. |
| scope | Required. OAuth 2 scope to request for the authentication token. It has no default, specifically enforced min / max length or character set. It is assumed that the scope provided is internally consistent with Trellix IAM authentication requirements / validation. |
TrellixLocalAuthentication
| JSON representation |
|---|
{ "username" : string , "password" : string , "tokenEndpoint" : string , "tokenHeader" : string } |
| Fields | |
|---|---|
| username | Required. Username for Trellix Local authentication. This is a unique username for the user that is generated on a Trellix device. It has no default, specifically enforced min / max length, or character set. |
| password | Required. Password of the account identified by username. There are no restrictions on the format of the password. It has no default, specifically enforced min / max length or character set. The password will have been provided by the Trellix administrator. |
| tokenEndpoint | Required. The endpoint to fetch the token from. This must be a valid URL with an http or https scheme. It has no default. |
| tokenHeader | Required. The HTTP header name to use for the token for authenticated requests. It varies per Trellix product. Refer to the Trellix API documentation for the correct value. It has no default. |
AzureBlobStoreV2Settings
| JSON representation |
|---|
{ "azureUri" : string , "authentication" : { object ( |
| Fields | |
|---|---|
| azureUri | Required. Azure URI. |
| authentication | Required. Authentication. |
| sourceDeletionOption | Optional. Source deletion option. |
| maxLookbackDays | Optional. Maximum File Age to ingest in days. |
| chronicleServiceAccount | Output only. SA that will read data. This is the Storage Transfer Service SA of the Customer's Tenancy Project. |
AzureAuthV2
| JSON representation |
|---|
{ // Union field |
auth_type. Possible types of authentication. auth_type can be only one of the following:
| Fields | |
|---|---|
| accessKey string | Required. Access Key also known as shared key. |
| sasToken string | Required. SAS Token. |
| azureV2WorkloadIdentityFederation object (AzureV2WorkloadIdentityFederation) | Required. Azure V2 Workload Identity Federation. |
AzureV2WorkloadIdentityFederation
| JSON representation |
|---|
{ "clientId" : string , "tenantId" : string , "subjectId" : string } |
| Fields | |
|---|---|
| clientId | Required. OAuth client ID. |
| tenantId | Required. Tenant ID. |
| subjectId | Required. Subject ID of the Azure subscription. |
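As an added example (not part of the Chronicle documentation or Google's code), the Python check below applies the S3AuthV2, SQSAuthV2 and AzureAuthV2 union rules documented above to one auth object: exactly one auth_type member, the fields this page marks Required, the documented S3 key lengths, and a finding when the chosen member stores a static secret instead of using federation. The function name audit_auth, the finding strings and the sample values are assumptions made for illustration.

```python
import re

# Union members of each auth message, as listed in the field tables above.
# True marks a member that stores a long-lived secret in the feed configuration.
AUTH_UNIONS = {
    "S3AuthV2": {"accessKeySecretAuth": True, "awsIamRoleAuth": False},
    "SQSAuthV2": {"sqsV2AccessKeySecretAuth": True, "awsIamRoleAuth": False},
    "AzureAuthV2": {"accessKey": True, "sasToken": True,
                    "azureV2WorkloadIdentityFederation": False},
}
# Only the sub-fields this page explicitly marks "Required." are enforced.
REQUIRED = {
    "accessKeySecretAuth": ("accessKeyId", "secretAccessKey"),
    "azureV2WorkloadIdentityFederation": ("clientId", "tenantId", "subjectId"),
}

def audit_auth(message, auth):
    """Return a list of findings for one auth object of the given message type."""
    members = AUTH_UNIONS[message]
    findings = []
    present = [m for m in members if m in auth]
    if len(present) != 1:
        findings.append(f"auth_type allows exactly one member, found {len(present)}")
        return findings
    member = present[0]
    value = auth[member]
    for field in REQUIRED.get(member, ()):
        if not value.get(field):
            findings.append(f"{member}.{field} is required")
    if member == "accessKeySecretAuth":  # lengths are documented for S3 only
        if not re.fullmatch(r"[A-Za-z0-9]{20}", value.get("accessKeyId", "")):
            findings.append("accessKeyId is not a 20-character alphanumeric string")
        if len(value.get("secretAccessKey", "")) != 40:
            findings.append("secretAccessKey is not a 40-character string")
    if members[member]:
        findings.append(f"{member} stores a static secret; a federated member is available")
    return findings

# Constructed sample inputs (placeholders, not real credentials or account values).
SAMPLES = [
    ("S3AuthV2", {"accessKeySecretAuth": {"accessKeyId": "A" * 20,
                                          "secretAccessKey": "s" * 40}}),
    ("S3AuthV2", {"awsIamRoleAuth": {"awsIamRoleArn": "arn:aws:iam::111122223333:role/example",
                                     "subjectId": "example-subject"}}),
    ("AzureAuthV2", {"accessKey": "example", "sasToken": "example"}),
]
if __name__ == "__main__":
    for message, auth in SAMPLES:
        print(message, audit_auth(message, auth) or "ok")
```
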
TrellixHxAlertsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
| authentication | Required. Authentication. |
| endpoint | Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id/ |
GoogleCloudStorageEventDrivenSettings
| JSON representation |
|---|
{ "bucketUri" : string , "pubsubSubscription" : string , "sourceDeletionOption" : enum ( |
| Fields | |
|---|---|
| bucketUri | Required. Google Cloud Storage Bucket URI for the feed. |
| pubsubSubscription | Required. Subscription name for the Pub/Sub topic. |
| sourceDeletionOption | Optional. Source deletion option determines if the data from the source is to be deleted after ingestion. |
| chronicleServiceAccount | Output only. SA that will read data. This is the Storage Transfer Service SA of the Customer's Tenancy Project. |
| maxLookbackDays | Optional. Maximum File Age to ingest in days. |
CrowdStrikeAlertsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
| authentication | Required. OAuthClientCredentials. |
| hostname | Required. API Hostname. |
| ingestionType | Optional. Ingestion Type. |
TrellixHxBulkAcqsSettings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
| authentication | Required. Authentication. |
| endpoint | Required. Trellix HX Device URL. This must be a valid URL with an http or https scheme. It has no default. Usually a device URL is in the form of either: https://xxx.trellix.com/hx/id/ |
MimecastMailV2Settings
| JSON representation |
|---|
{ "authCredentials" : { object ( |
| Fields | |
|---|---|
| authCredentials | Required. Mimecast OAuthClientCredentials. |
MimecastV2OAuthClientCredentials
| JSON representation |
|---|
{ "clientId" : string , "clientSecret" : string } |
| Fields | |
|---|---|
| clientId | Required. Client ID. |
| clientSecret | Required. Client Secret. |
ThreatConnectIoCV3Settings
| JSON representation |
|---|
{ "authentication" : { object ( |
| Fields | |
|---|---|
| authentication | Required. Input only. UsernameSecretAuth. |
| hostname | Required. Hostname. |
| owners[] | Required. Owners. |
| tqlQuery | Optional. ThreatConnect Query Language filter. |
| fields[] | Optional. Fields. |
| schedule | Optional. Schedule. |
LabelsEntry
| JSON representation |
|---|
{ "key" : string , "value" : string } |
| Fields | |
|---|---|
| key | |
| value | |
FeedFailureDetails
| JSON representation |
|---|
{ "errorCode" : string , "httpErrorCode" : integer , "errorCause" : string , "errorAction" : string } |
| Fields | |
|---|---|
| errorCode | Output only. error_code contains the error code for the feed. The field is populated for feeds with a failed status. |
| httpErrorCode | Output only. http_error_code contains the HTTP error code for the feed failure. A feed transfer failure may or may not result in an HTTP error code. |
| errorCause | Output only. error_cause contains information about the cause of the failure. |
| errorAction | Output only. error_action contains the user action prescribed for remediation of the feed error. |
Tool Annotations
Destructive Hint: ✅ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌

