search
WebsiteBlogLogin

Threats

hashtag
Overview

Returns the audit events matching security requests.

hashtag
Configuration

hashtag
Parameters

  • Domain (domain)

hashtag
Secrets

  • Client Id (client_id)

  • Client Secret (client_secret)

Open the Secret fields and click New secret to create a new one:

  • Give the secret a Name.

  • Turn off the Expiration date option.

  • Click Add new value and paste the secret corresponding to the value.

  • Click Save.

circle-info

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML.

hashtag
Configure as YAML

hashtag
Manually configure

All parameters are the same, except the URLs in the request fields, which you change according to the type

Events - https://${parameters.domain}/threats/v1/events

SIEM Events - https://${parameters.domain}/siem/v1/events/cg

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

  • Duration - 1 minute

  • Offset - initial offset should be 1m

  • Format - 2006-01-02T15:04:05Z

Authentication Phase

Toggle ON to set the Authentication settings.

  • Type* - token

  • Request Method* - POST

  • URL* - https://${parameters.domain}/oauth/token

  • Headers

    • Name - Content-type

    • Value - application/x-www-form-urlencoded

    • Name - Accept

    • Value - application/json

  • BodyType* - UrlEncoded

    • Body params

      • Name - client_id

      • Value -${secrets.client_id}

      • Name - client_secret

      • Value -${secrets.client_secret}

      • Name - grant type

      • Value - client_credentials

  • Token Path* - .access_token

  • Auth Injection

    • In* - header

    • Name* - authorization

    • Prefix - Bearer

    • Suffix - ''

Enumeration Phase

OFF

Collection Phase

  • Pagination Type* - cursor

  • Cursor Selector* - .meta.nextPage

  • Initial Request

    • Method* - GET

    • URL* - INSERT URL HERE

    • Headers -

      • Name - Accept

      • Value - application/json

      • Name - Content-Type

      • Value - application/json

    • Query Params

      • Name - timestampRangeStartsAt

      • Value - ${temporalWindow.from}

      • Name - timestampRangeEndsAt

      • Value - ${temporalWindow.to}

      • Name - pageSize

      • Value - 50

  • Next Request

    • Method* - GET

    • URL* - INSERT URL HERE

    • Headers -

      • Name - Accept

        • Value - application/json

        • Name - Content-Type

        • Value - application/json

    • Query Params

      • Name - timestampRangeStartsAt

        • Value - ${temporalWindow.from}

        • Name - timestampRangeEndsAt

        • Value - ${temporalWindow.to}

        • Name - pageSize

        • Value - 50

        • Name - pageToken

        • Value - ${pagination.cursor}

  • Output

    • Select - .value

    • Map - .

    • Output Mode - element

This HTTP Pull Listener now uses the data export API to extract audit events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousSecurityNextCollect data from Netskope

Last updated

Was this helpful?