diff --git a/blueprints/secops-instance/README.md b/blueprints/secops-instance/README.md
index 62dc973..99071bc 100644
--- a/blueprints/secops-instance/README.md
+++ b/blueprints/secops-instance/README.md
@@ -259,7 +259,7 @@ This blueprint allows further tailoring of the SecOps instance to match specific
| [casestages.tf](./casestages.tf) | None | | restful_resource |
| [closedefinition.tf](./closedefinition.tf) | None | | restful_resource |
| [environments.tf](./environments.tf) | None | | restful_resource |
-| [feeds.tf](./feeds.tf) | None | | restful_operation · restful_resource |
+| [feeds.tf](./feeds.tf) | None | secops-feeds | restful_operation |
| [logtypes.tf](./logtypes.tf) | None | | restful_resource |
| [main.tf](./main.tf) | Project and IAM. | project | google_apikeys_key |
| [monitoring.tf](./monitoring.tf) | Cloud Monitoring. | | google_monitoring_alert_policy · google_monitoring_notification_channel |
@@ -269,7 +269,7 @@ This blueprint allows further tailoring of the SecOps instance to match specific
| [secrets.tf](./secrets.tf) | None | secret-manager | |
| [variables.tf](./variables.tf) | Module variables. | | |
| [versions.tf](./versions.tf) | Version pins. | | |
-| [workspace.tf](./workspace.tf) | None | iam-service-account | google_service_account_key · restful_resource |
+| [workspace.tf](./workspace.tf) | None | iam-service-account · secops-feeds | google_service_account_key |
## Variables
@@ -288,8 +288,8 @@ This blueprint allows further tailoring of the SecOps instance to match specific
| [secops_envs](variables.tf#L151) | A map of SecOps environments to provision. Optional fields fall back to these built-in defaults if omitted. | map(object({…})) | | {} | |
| [secops_group_principals](variables.tf#L166) | Groups ID in IdP assigned to SecOps admins, editors, viewers roles. | object({…}) | | {} | |
| [secops_iam](variables.tf#L176) | SecOps IAM configuration in {PRINCIPAL => {roles => [ROLES], scopes => [SCOPES]}} format. | map(object({…})) | | {} | |
-| [third_party_integration_config](variables.tf#L194) | SecOps Feeds configuration for Workspace logs and entities ingestion. | object({…}) | | {} | |
-| [webhook_feeds_config](variables.tf#L223) | SecOps Webhook feeds config. | map(object({…})) | | {} | |
+| [third_party_integration_config](variables.tf#L194) | SecOps Feeds configuration for Workspace logs and entities ingestion. | object({…}) | | {} | |
+| [webhook_feeds_config](variables.tf#L233) | SecOps Webhook feeds config. | map(object({…})) | | {} | |
## Outputs
diff --git a/blueprints/secops-instance/feeds.tf b/blueprints/secops-instance/feeds.tf
index 0dd61bd..444fb4f 100644
--- a/blueprints/secops-instance/feeds.tf
+++ b/blueprints/secops-instance/feeds.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,134 +14,119 @@
* limitations under the License.
*/
-locals {
- azure_ad_feeds = {
- azure-ad = {
- log_type = "AZURE_AD"
- feed_type = "azure_ad_settings"
- hostname = "graph.microsoft.com/v1.0/auditLogs/signIns"
- }
- azure-ad-audit = {
- log_type = "AZURE_AD_AUDIT"
- feed_type = "azure_ad_audit_settings"
- hostname = "graph.microsoft.com/v1.0/auditLogs/directoryAudits"
- }
- azure-ad-context = {
- log_type = "AZURE_AD_CONTEXT"
- feed_type = "azure_ad_context_settings"
- hostname = "graph.microsoft.com/beta"
- }
- }
- okta_feeds = {
- okta = {
- log_type = "OKTA"
- feed_type = "okta_settings"
+module "webhook_feeds" {
+ source = "../../modules/secops-feeds"
+ secops_config = merge(var.secops_tenant_config, {
+ project = module.project.project_id
+ })
+ feeds = { for key, value in var.webhook_feeds_config : key => {
+ display_name = value.display_name
+ log_type = value.log_type
+ https_push_webhook_settings = {
+ split_delimiter = value.split_delimiter
}
- okta-user-context = {
- log_type = "OKTA_USER_CONTEXT"
- feed_type = "okta_user_context_settings"
- }
- }
- secops_webhook_feeds_id = {
- for key, value in restful_resource.webhook_feeds : key =>
- [for feed in value.output.feeds : element(split("/", feed.name), length(split("/", feed.name)) - 1)
- if try(feed.displayName == lower(key), false)][0]
- }
-}
-
-resource "restful_resource" "webhook_feeds" {
- for_each = var.webhook_feeds_config
- path = local.secops_feeds_api_path
- create_method = "POST"
- delete_method = "DELETE"
- check_existance = false
- delete_path = "$query_unescape(body.name)"
- read_selector = "feeds.#(displayName==\"${lower(each.key)}\")"
- body = {
- name : lower(each.key),
- display_name : coalesce(each.value.display_name, lower(each.key)),
- details : {
- feed_source_type : "HTTPS_PUSH_WEBHOOK",
- log_type : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.key}",
- httpsPushWebhookSettings : {}
- }
- }
- write_only_attrs = ["details"]
- lifecycle {
- ignore_changes = [body, output]
- }
+ } }
}
resource "restful_operation" "webhook_feeds_secret" {
for_each = var.webhook_feeds_config
- path = "${local.secops_feeds_api_path}/${local.secops_webhook_feeds_id[each.key]}:generateSecret"
+ path = "${local.secops_feeds_api_path}/${module.webhook_feeds.feeds_id[each.key]}:generateSecret"
method = "POST"
}
# Azure AD feeds
-
-resource "restful_resource" "azure_ad_feeds" {
- for_each = var.third_party_integration_config.azure_ad == null ? {} : local.azure_ad_feeds
- path = local.secops_feeds_api_path
- create_method = "POST"
- delete_method = "DELETE"
- check_existance = false
- delete_path = "$query_unescape(body.name)"
- read_selector = "feeds.#(displayName==\"${lower(each.key)}\")"
- body = {
- "name" : lower(each.key),
- "display_name" : lower(each.key),
- "details" : {
- feed_source_type : "API",
- log_type : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.value.log_type}",
- (each.value.feed_type) : merge({
- authentication : {
- client_id : var.third_party_integration_config.azure_ad.oauth_credentials.client_id,
- client_secret : var.third_party_integration_config.azure_ad.oauth_credentials.client_secret,
- },
- hostname : each.value.hostname,
- auth_endpoint : "login.microsoftonline.com",
- tenant_id : var.third_party_integration_config.azure_ad.tenant_id,
- }, each.key == "azure-ad-context" ? {
- retrieve_groups : var.third_party_integration_config.azure_ad.retrieve_groups
- retrieve_devices : var.third_party_integration_config.azure_ad.retrieve_devices
- } : {})
+module "azure_ad_feeds" {
+ count = var.third_party_integration_config.azure_ad == null ? 0 : 1
+ source = "../../modules/secops-feeds"
+ secops_config = merge(var.secops_tenant_config, {
+ project = module.project.project_id
+ })
+ feeds = {
+ azure-ad = {
+ display_name = "Azure AD",
+ secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+ azure_ad_settings = {
+ auth_endpoint = "login.microsoftonline.com",
+ hostname = "graph.microsoft.com/v1.0/auditLogs/signIns",
+ tenant_id = var.third_party_integration_config.azure_ad.tenant_id,
+ authentication = {
+ client_id = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+ client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+ }
+ }
+ log_type = "AZURE_AD"
+ }
+ azure-ad-audit = {
+ display_name = "Azure AD Audit",
+ secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+ azure_ad_audit_settings = {
+ auth_endpoint = "login.microsoftonline.com",
+ hostname = "graph.microsoft.com/v1.0/auditLogs/directoryAudits",
+ tenant_id = var.third_party_integration_config.azure_ad.tenant_id,
+ authentication = {
+ client_id = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+ client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+ }
+ }
+ log_type = "AZURE_AD_AUDIT"
+ }
+ azure-ad-context = {
+ display_name = "Azure AD Context",
+ secret_manager_config = var.third_party_integration_config.azure_ad.secret_manager_config,
+ azure_ad_context_settings = {
+ auth_endpoint = "login.microsoftonline.com",
+ hostname = "graph.microsoft.com/beta",
+ tenant_id = var.third_party_integration_config.azure_ad.tenant_id,
+ authentication = {
+ client_id = var.third_party_integration_config.azure_ad.oauth_credentials.client_id
+ client_secret = var.third_party_integration_config.azure_ad.oauth_credentials.client_secret
+ }
+ }
+ log_type = "AZURE_AD_CONTEXT"
}
- }
- write_only_attrs = ["details"]
- lifecycle {
- ignore_changes = [body, output]
}
}
-# Okta feeds
-
-resource "restful_resource" "okta_ad_feeds" {
- for_each = var.third_party_integration_config.okta == null ? {} : local.okta_feeds
- path = local.secops_feeds_api_path
- create_method = "POST"
- delete_method = "DELETE"
- check_existance = false
- delete_path = "$query_unescape(body.name)"
- read_selector = "feeds.#(displayName==\"${lower(each.key)}\")"
- body = {
- "name" : lower(each.key),
- "display_name" : lower(each.key),
- "details" : {
- "feed_source_type" : "API",
- "log_type" : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.value.log_type}",
- (each.value.feed_type) : merge({
- "authentication" : {
- "header_key_values" : [for k, v in var.third_party_integration_config.okta.auth_header_key_values : { key = k, value = v }]
+# Okta Feeds
+module "okta_feeds" {
+ count = var.third_party_integration_config.okta == null ? 0 : 1
+ source = "../../modules/secops-feeds"
+ secops_config = merge(var.secops_tenant_config, {
+ project = module.project.project_id
+ })
+ feeds = {
+ okta = {
+ display_name = "Okta",
+ secret_manager_config = var.third_party_integration_config.okta.secret_manager_config,
+ okta_settings = {
+ authentication = {
+ header_key_values = [
+ {
+ key = "Authorization"
+ value = var.third_party_integration_config.okta.api_key
+ }
+ ]
},
- "hostname" : var.third_party_integration_config.okta.hostname
- }, each.key == "okta-user-context" ? {
- "manager_id_reference_field" : var.third_party_integration_config.okta.manager_id_reference_field
- } : {})
+ hostname = var.third_party_integration_config.okta.hostname
+ }
+ log_type = "OKTA"
+ }
+ okta-user-context = {
+ display_name = "Okta User Context",
+ secret_manager_config = var.third_party_integration_config.okta.secret_manager_config,
+ okta_user_context_settings = {
+ authentication = {
+ header_key_values = [
+ {
+ key = "Authorization"
+ value = var.third_party_integration_config.okta.api_key
+ }
+ ]
+ },
+ hostname = var.third_party_integration_config.okta.hostname,
+ manager_id_reference_field = var.third_party_integration_config.okta.manager_id_reference_field
+ }
+ log_type = "OKTA_USER_CONTEXT"
}
}
- write_only_attrs = ["details"]
- lifecycle {
- ignore_changes = [body, output]
- }
-}
\ No newline at end of file
+}
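Review bot: The new `azure_ad_context_settings` object in `azure-ad-context` no longer carries `retrieve_devices` and `retrieve_groups`, which the removed resource merged in for that feed and which `third_party_integration_config.azure_ad` still declares (both defaulting to `true`). The module reads both keys with `lookup(..., null)`, so they would now arrive as null and the caller's setting would be silently ignored. Add `retrieve_devices = var.third_party_integration_config.azure_ad.retrieve_devices` and `retrieve_groups = var.third_party_integration_config.azure_ad.retrieve_groups` to that settings object. The Okta feeds now send `api_key` verbatim as the `Authorization` header value, where the old `auth_header_key_values` map let the caller supply the whole header, so the expected format (for Okta API tokens usually `SSWS <token>`) should be documented on the variable. `module.webhook_feeds` also passes `value.display_name` without the previous `coalesce(each.value.display_name, lower(each.key))` fallback, so an omitted name reaches the module as null unless the module defaults it, which is not visible here.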
diff --git a/blueprints/secops-instance/variables.tf b/blueprints/secops-instance/variables.tf
index 304fd8c..13fb1ab 100644
--- a/blueprints/secops-instance/variables.tf
+++ b/blueprints/secops-instance/variables.tf
@@ -195,18 +195,28 @@ variable "third_party_integration_config" {
description = "SecOps Feeds configuration for Workspace logs and entities ingestion."
type = object({
azure_ad = optional(object({
+ secret_manager_config = optional(object({
+ region = string
+ secret_name = string
+ version = optional(string)
+ }))
oauth_credentials = object({
client_id = string
- client_secret = string
+ client_secret = optional(string)
})
retrieve_devices = optional(bool, true)
retrieve_groups = optional(bool, true)
tenant_id = string
}))
okta = optional(object({
- auth_header_key_values = map(string)
+ api_key = string
hostname = string
manager_id_reference_field = string
+ secret_manager_config = optional(object({
+ region = string
+ secret_name = string
+ version = optional(string)
+ }))
}))
workspace = optional(object({
customer_id = string
@@ -223,8 +233,9 @@ variable "third_party_integration_config" {
variable "webhook_feeds_config" {
description = "SecOps Webhook feeds config."
type = map(object({
- display_name = optional(string)
- log_type = string
+ display_name = optional(string)
+ log_type = string
+ split_delimiter = optional(string)
}))
default = {}
nullable = false
diff --git a/blueprints/secops-instance/workspace.tf b/blueprints/secops-instance/workspace.tf
index 225b4bf..76705e3 100644
--- a/blueprints/secops-instance/workspace.tf
+++ b/blueprints/secops-instance/workspace.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2025 Google LLC
+ * Copyright 2026 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,35 +14,6 @@
* limitations under the License.
*/
-locals {
- workspace_feeds = {
- ws-users = {
- log_type = "WORKSPACE_USERS"
- feed_type = "workspace_users_settings"
- }
- ws-activity = {
- log_type = "WORKSPACE_ACTIVITY"
- feed_type = "workspace_activity_settings"
- }
- ws-alerts = {
- log_type = "WORKSPACE_ALERTS"
- feed_type = "workspace_alerts_settings"
- }
- ws-mobile = {
- log_type = "WORKSPACE_MOBILE"
- feed_type = "workspace_mobile_settings"
- }
- ws-chrome = {
- log_type = "WORKSPACE_CHROMEOS"
- feed_type = "workspace_chrome_os_settings"
- }
- ws-group = {
- log_type = "WORKSPACE_GROUPS"
- feed_type = "workspace_groups_settings"
- }
- }
-}
-
# Workspace logs integration SA
module "workspace-integration-sa" {
source = "github.com/GoogleCloudPlatform/cloud-foundation-fabric//modules/iam-service-account"
@@ -56,41 +27,122 @@ resource "google_service_account_key" "workspace_integration_key" {
service_account_id = module.workspace-integration-sa[0].email
}
-resource "restful_resource" "workspace_feeds" {
- for_each = var.third_party_integration_config.workspace == null ? {} : local.workspace_feeds
- path = local.secops_feeds_api_path
- create_method = "POST"
- delete_method = "DELETE"
- check_existance = false
- delete_path = "$query_unescape(body.name)"
- read_selector = "feeds.#(displayName==\"${each.key}\")"
- body = {
- "display_name" : each.key,
- "details" : {
- "feed_source_type" : "API",
- "log_type" : "projects/${module.project.project_id}/locations/${var.secops_tenant_config.region}/instances/${var.secops_tenant_config.customer_id}/logTypes/${each.value.log_type}",
- "asset_namespace" : "",
- "labels" : {},
- (each.value.feed_type) : merge({
- "authentication" : {
- "token_endpoint" : "https://oauth2.googleapis.com/token",
- "claims" : {
- "issuer" : module.workspace-integration-sa[0].email,
- "subject" : var.third_party_integration_config.workspace.delegated_user,
- "audience" : "https://oauth2.googleapis.com/token"
- },
- rs_credentials : {
- private_key : jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+module "workspace-feeds" {
+ source = "../../modules/secops-feeds"
+ count = var.third_party_integration_config.workspace == null ? 0 : 1
+ secops_config = merge(var.secops_tenant_config, {
+ project = module.project.project_id
+ })
+ feeds = {
+ ws-users = {
+ display_name = "Workspace Users"
+ log_type = "WORKSPACE_USERS"
+ workspace_users_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ projection_type = "FULL_PROJECTION"
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
}
- },
- workspace_customer_id : each.key == "ws-alerts" ? trimprefix(var.third_party_integration_config.workspace.customer_id, "C") : var.third_party_integration_config.workspace.customer_id
- }, each.key == "ws-activity" ? {
- applications : var.third_party_integration_config.workspace.applications
- } : {})
+ }
+ }
+ }
+ ws-activity = {
+ display_name = "Workspace Activity"
+ log_type = "WORKSPACE_ACTIVITY"
+ workspace_activity_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ applications = var.third_party_integration_config.workspace.applications
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+ }
+ }
+ }
+ }
+ ws-alerts = {
+ display_name = "Workspace Alerts"
+ log_type = "WORKSPACE_ALERTS"
+ workspace_alerts_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+ }
+ }
+ }
+ }
+ ws-mobile = {
+ display_name = "Workspace Mobile"
+ log_type = "WORKSPACE_MOBILE"
+ workspace_mobile_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+ }
+ }
+ }
+ }
+ ws-chrome = {
+ display_name = "Workspace ChromeOS"
+ log_type = "WORKSPACE_CHROMEOS"
+ workspace_chrome_os_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+ }
+ }
+ }
+ }
+ ws-group = {
+ display_name = "Workspace Groups"
+ log_type = "WORKSPACE_GROUPS"
+ workspace_groups_settings = {
+ workspace_customer_id = var.third_party_integration_config.workspace.customer_id
+ authentication = {
+ token_endpoint = "https://oauth2.googleapis.com/token",
+ claims = {
+ audience = "https://oauth2.googleapis.com/token",
+ issuer = module.workspace-integration-sa[0].email,
+ subject = var.third_party_integration_config.workspace.delegated_user
+ }
+ rs_credentials = {
+ private_key = jsondecode(base64decode(google_service_account_key.workspace_integration_key[0].private_key)).private_key
+ }
+ }
+ }
}
- }
- write_only_attrs = ["details"]
- lifecycle {
- ignore_changes = [body, output]
}
}
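Review bot: In `ws-alerts`, `workspace_customer_id` is now passed unmodified, whereas the removed resource stripped the leading "C" for that feed only, via `trimprefix(var.third_party_integration_config.workspace.customer_id, "C")`. Unless the new provider resource normalises the value itself, the alerts feed will receive a different customer id than before. Restoring `workspace_customer_id = trimprefix(var.third_party_integration_config.workspace.customer_id, "C")` in `workspace_alerts_settings` keeps the old behaviour. The `authentication` object, including the decoded service account private key, is repeated verbatim in all six feeds. Hoisting it into a single `locals` value would leave one place to review and change how that key is handled.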
diff --git a/modules/secops-feeds/README.md b/modules/secops-feeds/README.md
new file mode 100644
index 0000000..99984a2
--- /dev/null
+++ b/modules/secops-feeds/README.md
@@ -0,0 +1,119 @@
+# SecOps Feeds Terraform Module
+
+This module creates and manages SecOps Feeds using the `google_chronicle_feed` resource from the Google Provider (beta).
+
+It supports a wide variety of feed source types, and the `feed_source_type` is automatically determined based on the settings provided.
+
+
+
+
object({…}) | ✓ | |
+| [feeds](variables.tf#L17) | A map of Chronicle feeds to create. | map(object({…})) | | {} |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [feeds_id](outputs.tf#L17) | A map of Chronicle feeds to create. | |
+
diff --git a/modules/secops-feeds/images/diagram.png b/modules/secops-feeds/images/diagram.png
new file mode 100644
index 0000000..be77b28
Binary files /dev/null and b/modules/secops-feeds/images/diagram.png differ
diff --git a/modules/secops-feeds/main.tf b/modules/secops-feeds/main.tf
new file mode 100644
index 0000000..9c8ae3d
--- /dev/null
+++ b/modules/secops-feeds/main.tf
@@ -0,0 +1,1448 @@
+/**
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ source_type_mapping = {
+ amazon_s3_settings = "AMAZON_S3"
+ amazon_s3_v2_settings = "AMAZON_S3_V2"
+ amazon_sqs_settings = "AMAZON_SQS"
+ amazon_sqs_v2_settings = "AMAZON_SQS_V2"
+ anomali_settings = "API"
+ aws_ec2_hosts_settings = "API"
+ aws_ec2_instances_settings = "API"
+ aws_ec2_vpcs_settings = "API"
+ aws_iam_settings = "API"
+ azure_ad_audit_settings = "API"
+ azure_ad_context_settings = "API"
+ azure_ad_settings = "API"
+ azure_blob_store_settings = "AZURE_BLOBSTORE"
+ azure_blob_store_v2_settings = "AZURE_BLOBSTORE_V2"
+ azure_event_hub_settings = "AZURE_EVENT_HUB"
+ azure_mdm_intune_settings = "API"
+ cloud_passage_settings = "API"
+ cortex_xdr_settings = "API"
+ crowdstrike_alerts_settings = "API"
+ crowdstrike_detects_settings = "API"
+ dummy_log_type_settings = "API"
+ duo_auth_settings = "API"
+ duo_user_context_settings = "API"
+ fox_it_stix_settings = "API"
+ gcs_settings = "GOOGLE_CLOUD_STORAGE"
+ gcs_v2_settings = "GOOGLE_CLOUD_STORAGE_V2"
+ google_cloud_identity_device_users_settings = "API"
+ google_cloud_identity_devices_settings = "API"
+ google_cloud_storage_event_driven_settings = "GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN"
+ http_settings = "HTTP"
+ https_push_amazon_kinesis_firehose_settings = "HTTPS_PUSH_AMAZON_KINESIS_FIREHOSE"
+ https_push_google_cloud_pubsub_settings = "HTTPS_PUSH_GOOGLE_CLOUD_PUBSUB"
+ https_push_webhook_settings = "HTTPS_PUSH_WEBHOOK"
+ imperva_waf_settings = "API"
+ mandiant_ioc_settings = "API"
+ microsoft_graph_alert_settings = "API"
+ microsoft_security_center_alert_settings = "API"
+ mimecast_mail_settings = "API"
+ mimecast_mail_v2_settings = "API"
+ netskope_alert_settings = "API"
+ netskope_alert_v2_settings = "API"
+ office365_settings = "API"
+ okta_settings = "API"
+ okta_user_context_settings = "API"
+ pan_ioc_settings = "API"
+ pan_prisma_cloud_settings = "API"
+ proofpoint_mail_settings = "API"
+ proofpoint_on_demand_settings = "API"
+ pubsub_settings = "PUBSUB"
+ qualys_scan_settings = "API"
+ qualys_vm_settings = "API"
+ rapid7_insight_settings = "API"
+ recorded_future_ioc_settings = "API"
+ rh_isac_ioc_settings = "API"
+ salesforce_settings = "API"
+ sentinelone_alert_settings = "API"
+ service_now_cmdb_settings = "API"
+ sftp_settings = "SFTP"
+ symantec_event_export_settings = "API"
+ thinkst_canary_settings = "API"
+ threat_connect_ioc_settings = "API"
+ threat_connect_ioc_v3_settings = "API"
+ trellix_hx_alerts_settings = "API"
+ trellix_hx_bulk_acqs_settings = "API"
+ trellix_hx_hosts_settings = "API"
+ webhook_settings = "WEBHOOK"
+ workday_settings = "API"
+ workspace_activity_settings = "API"
+ workspace_alerts_settings = "API"
+ workspace_chrome_os_settings = "API"
+ workspace_groups_settings = "API"
+ workspace_mobile_settings = "API"
+ workspace_privileges_settings = "API"
+ workspace_users_settings = "API"
+ }
+}
+
+data "google_secret_manager_regional_secret_version" "secops_secrets" {
+ for_each = { for k, v in var.feeds : k => v if v.secret_manager_config != null }
+ secret = each.value.secret_manager_config.secret_name
+ project = var.secops_config.project
+ location = each.value.secret_manager_config.region
+ version = each.value.secret_manager_config.version
+}
+
+resource "google_chronicle_feed" "feeds" {
+ provider = google-beta
+ for_each = var.feeds
+
+ project = var.secops_config.project
+ location = var.secops_config.region
+ instance = var.secops_config.customer_id
+ display_name = each.value.display_name
+
+ details {
+ log_type = "projects/${var.secops_config.project}/locations/${var.secops_config.region}/instances/${var.secops_config.customer_id}/logTypes/${each.value.log_type}"
+ feed_source_type = one([
+ for setting_name, source_type in local.source_type_mapping : source_type if lookup(each.value, setting_name, null) != null
+ ])
+ asset_namespace = each.value.asset_namespace
+ labels = each.value.labels
+
+ dynamic "amazon_s3_settings" {
+ for_each = lookup(each.value, "amazon_s3_settings", null) != null ? [each.value.amazon_s3_settings] : []
+ content {
+ s3_uri = amazon_s3_settings.value.s3_uri
+ source_deletion_option = amazon_s3_settings.value.source_deletion_option
+ source_type = amazon_s3_settings.value.source_type
+ dynamic "authentication" {
+ for_each = lookup(amazon_s3_settings.value, "authentication", null) != null ? [amazon_s3_settings.value.authentication] : []
+ content {
+ region = authentication.value.region
+ access_key_id = lookup(authentication.value, "access_key_id", null)
+ secret_access_key = lookup(authentication.value, "secret_access_key", null)
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ refresh_uri = lookup(authentication.value, "refresh_uri", null)
+ }
+ }
+ }
+ }
+
+ dynamic "amazon_s3_v2_settings" {
+ for_each = lookup(each.value, "amazon_s3_v2_settings", null) != null ? [each.value.amazon_s3_v2_settings] : []
+ content {
+ s3_uri = amazon_s3_v2_settings.value.s3_uri
+ source_deletion_option = lookup(amazon_s3_v2_settings.value, "source_deletion_option", null)
+ max_lookback_days = lookup(amazon_s3_v2_settings.value, "max_lookback_days", null)
+ dynamic "authentication" {
+ for_each = lookup(amazon_s3_v2_settings.value, "authentication", null) != null ? [amazon_s3_v2_settings.value.authentication] : []
+ content {
+ dynamic "access_key_secret_auth" {
+ for_each = lookup(authentication.value, "access_key_secret_auth", null) != null ? [authentication.value.access_key_secret_auth] : []
+ content {
+ access_key_id = access_key_secret_auth.value.access_key_id
+ secret_access_key = access_key_secret_auth.value.secret_access_key
+ }
+ }
+ dynamic "aws_iam_role_auth" {
+ for_each = lookup(authentication.value, "aws_iam_role_auth", null) != null ? [authentication.value.aws_iam_role_auth] : []
+ content {
+ aws_iam_role_arn = lookup(aws_iam_role_auth.value, "aws_iam_role_arn", null)
+ subject_id = lookup(aws_iam_role_auth.value, "subject_id", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "amazon_sqs_settings" {
+ for_each = lookup(each.value, "amazon_sqs_settings", null) != null ? [each.value.amazon_sqs_settings] : []
+ content {
+ account_number = lookup(amazon_sqs_settings.value, "account_number", null)
+ queue = lookup(amazon_sqs_settings.value, "queue", null)
+ region = lookup(amazon_sqs_settings.value, "region", null)
+ source_deletion_option = lookup(amazon_sqs_settings.value, "source_deletion_option", null)
+ dynamic "authentication" {
+ for_each = lookup(amazon_sqs_settings.value, "authentication", null) != null ? [amazon_sqs_settings.value.authentication] : []
+ content {
+ dynamic "additional_s3_access_key_secret_auth" {
+ for_each = lookup(authentication.value, "additional_s3_access_key_secret_auth", null) != null ? [authentication.value.additional_s3_access_key_secret_auth] : []
+ content {
+ access_key_id = lookup(additional_s3_access_key_secret_auth.value, "access_key_id", null)
+ secret_access_key = lookup(additional_s3_access_key_secret_auth.value, "secret_access_key", null)
+ }
+ }
+ dynamic "sqs_access_key_secret_auth" {
+ for_each = lookup(authentication.value, "sqs_access_key_secret_auth", null) != null ? [authentication.value.sqs_access_key_secret_auth] : []
+ content {
+ access_key_id = lookup(sqs_access_key_secret_auth.value, "access_key_id", null)
+ secret_access_key = lookup(sqs_access_key_secret_auth.value, "secret_access_key", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "amazon_sqs_v2_settings" {
+ for_each = lookup(each.value, "amazon_sqs_v2_settings", null) != null ? [each.value.amazon_sqs_v2_settings] : []
+ content {
+ queue = amazon_sqs_v2_settings.value.queue
+ s3_uri = amazon_sqs_v2_settings.value.s3_uri
+ source_deletion_option = lookup(amazon_sqs_v2_settings.value, "source_deletion_option", null)
+ max_lookback_days = lookup(amazon_sqs_v2_settings.value, "max_lookback_days", null)
+ dynamic "authentication" {
+ for_each = lookup(amazon_sqs_v2_settings.value, "authentication", null) != null ? [amazon_sqs_v2_settings.value.authentication] : []
+ content {
+ dynamic "aws_iam_role_auth" {
+ for_each = lookup(authentication.value, "aws_iam_role_auth", null) != null ? [authentication.value.aws_iam_role_auth] : []
+ content {
+ aws_iam_role_arn = lookup(aws_iam_role_auth.value, "aws_iam_role_arn", null)
+ subject_id = lookup(aws_iam_role_auth.value, "subject_id", null)
+ }
+ }
+ dynamic "sqs_v2_access_key_secret_auth" {
+ for_each = lookup(authentication.value, "sqs_v2_access_key_secret_auth", null) != null ? [authentication.value.sqs_v2_access_key_secret_auth] : []
+ content {
+ access_key_id = lookup(sqs_v2_access_key_secret_auth.value, "access_key_id", null)
+ secret_access_key = lookup(sqs_v2_access_key_secret_auth.value, "secret_access_key", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "anomali_settings" {
+ for_each = lookup(each.value, "anomali_settings", null) != null ? [each.value.anomali_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(anomali_settings.value, "authentication", null) != null ? [anomali_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "aws_ec2_hosts_settings" {
+ for_each = lookup(each.value, "aws_ec2_hosts_settings", null) != null ? [each.value.aws_ec2_hosts_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(aws_ec2_hosts_settings.value, "authentication", null) != null ? [aws_ec2_hosts_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "aws_ec2_instances_settings" {
+ for_each = lookup(each.value, "aws_ec2_instances_settings", null) != null ? [each.value.aws_ec2_instances_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(aws_ec2_instances_settings.value, "authentication", null) != null ? [aws_ec2_instances_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "aws_ec2_vpcs_settings" {
+ for_each = lookup(each.value, "aws_ec2_vpcs_settings", null) != null ? [each.value.aws_ec2_vpcs_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(aws_ec2_vpcs_settings.value, "authentication", null) != null ? [aws_ec2_vpcs_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "aws_iam_settings" {
+ for_each = lookup(each.value, "aws_iam_settings", null) != null ? [each.value.aws_iam_settings] : []
+ content {
+ api_type = lookup(aws_iam_settings.value, "api_type", null)
+ dynamic "authentication" {
+ for_each = lookup(aws_iam_settings.value, "authentication", null) != null ? [aws_iam_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "azure_ad_audit_settings" {
+ for_each = lookup(each.value, "azure_ad_audit_settings", null) != null ? [each.value.azure_ad_audit_settings] : []
+ content {
+ auth_endpoint = lookup(azure_ad_audit_settings.value, "auth_endpoint", null)
+ hostname = lookup(azure_ad_audit_settings.value, "hostname", null)
+ tenant_id = lookup(azure_ad_audit_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_ad_audit_settings.value, "authentication", null) != null ? [azure_ad_audit_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value, "client_secret", null))
+ }
+ }
+ }
+ }
+
+ dynamic "azure_ad_context_settings" {
+ for_each = lookup(each.value, "azure_ad_context_settings", null) != null ? [each.value.azure_ad_context_settings] : []
+ content {
+ auth_endpoint = lookup(azure_ad_context_settings.value, "auth_endpoint", null)
+ hostname = lookup(azure_ad_context_settings.value, "hostname", null)
+ tenant_id = lookup(azure_ad_context_settings.value, "tenant_id", null)
+ retrieve_devices = lookup(azure_ad_context_settings.value, "retrieve_devices", null)
+ retrieve_groups = lookup(azure_ad_context_settings.value, "retrieve_groups", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_ad_context_settings.value, "authentication", null) != null ? [azure_ad_context_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value, "client_secret", null))
+ }
+ }
+ }
+ }
+
+ dynamic "azure_ad_settings" {
+ for_each = lookup(each.value, "azure_ad_settings", null) != null ? [each.value.azure_ad_settings] : []
+ content {
+ auth_endpoint = lookup(azure_ad_settings.value, "auth_endpoint", null)
+ hostname = lookup(azure_ad_settings.value, "hostname", null)
+ tenant_id = lookup(azure_ad_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_ad_settings.value, "authentication", null) != null ? [azure_ad_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value, "client_secret", null))
+ }
+ }
+ }
+ }
+
+ dynamic "azure_blob_store_settings" {
+ for_each = lookup(each.value, "azure_blob_store_settings", null) != null ? [each.value.azure_blob_store_settings] : []
+ content {
+ azure_uri = lookup(azure_blob_store_settings.value, "azure_uri", null)
+ source_deletion_option = lookup(azure_blob_store_settings.value, "source_deletion_option", null)
+ source_type = lookup(azure_blob_store_settings.value, "source_type", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_blob_store_settings.value, "authentication", null) != null ? [azure_blob_store_settings.value.authentication] : []
+ content {
+ sas_token = lookup(authentication.value, "sas_token", null)
+ shared_key = lookup(authentication.value, "shared_key", null)
+ }
+ }
+ }
+ }
+
+ dynamic "azure_blob_store_v2_settings" {
+ for_each = lookup(each.value, "azure_blob_store_v2_settings", null) != null ? [each.value.azure_blob_store_v2_settings] : []
+ content {
+ azure_uri = azure_blob_store_v2_settings.value.azure_uri
+ source_deletion_option = lookup(azure_blob_store_v2_settings.value, "source_deletion_option", null)
+ max_lookback_days = lookup(azure_blob_store_v2_settings.value, "max_lookback_days", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_blob_store_v2_settings.value, "authentication", null) != null ? [azure_blob_store_v2_settings.value.authentication] : []
+ content {
+ access_key = authentication.value.access_key
+ sas_token = authentication.value.sas_token
+ dynamic "azure_v2_workload_identity_federation" {
+ for_each = lookup(authentication.value, "azure_v2_workload_identity_federation", null) != null ? [authentication.value.azure_v2_workload_identity_federation] : []
+ content {
+ client_id = azure_v2_workload_identity_federation.value.client_id
+ subject_id = azure_v2_workload_identity_federation.value.subject_id
+ tenant_id = azure_v2_workload_identity_federation.value.tenant_id
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "azure_event_hub_settings" {
+ for_each = lookup(each.value, "azure_event_hub_settings", null) != null ? [each.value.azure_event_hub_settings] : []
+ content {
+ consumer_group = azure_event_hub_settings.value.consumer_group
+ event_hub_connection_string = azure_event_hub_settings.value.event_hub_connection_string
+ name = azure_event_hub_settings.value.name
+ azure_sas_token = lookup(azure_event_hub_settings.value, "azure_sas_token", null)
+ azure_storage_connection_string = lookup(azure_event_hub_settings.value, "azure_storage_connection_string", null)
+ azure_storage_container = lookup(azure_event_hub_settings.value, "azure_storage_container", null)
+ }
+ }
+
+ dynamic "azure_mdm_intune_settings" {
+ for_each = lookup(each.value, "azure_mdm_intune_settings", null) != null ? [each.value.azure_mdm_intune_settings] : []
+ content {
+ auth_endpoint = lookup(azure_mdm_intune_settings.value, "auth_endpoint", null)
+ hostname = lookup(azure_mdm_intune_settings.value, "hostname", null)
+ tenant_id = lookup(azure_mdm_intune_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(azure_mdm_intune_settings.value, "authentication", null) != null ? [azure_mdm_intune_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "cloud_passage_settings" {
+ for_each = lookup(each.value, "cloud_passage_settings", null) != null ? [each.value.cloud_passage_settings] : []
+ content {
+ event_types = lookup(cloud_passage_settings.value, "event_types", null)
+ dynamic "authentication" {
+ for_each = lookup(cloud_passage_settings.value, "authentication", null) != null ? [cloud_passage_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "cortex_xdr_settings" {
+ for_each = lookup(each.value, "cortex_xdr_settings", null) != null ? [each.value.cortex_xdr_settings] : []
+ content {
+ endpoint = lookup(cortex_xdr_settings.value, "endpoint", null)
+ hostname = lookup(cortex_xdr_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(cortex_xdr_settings.value, "authentication", null) != null ? [cortex_xdr_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "crowdstrike_alerts_settings" {
+ for_each = lookup(each.value, "crowdstrike_alerts_settings", null) != null ? [each.value.crowdstrike_alerts_settings] : []
+ content {
+ hostname = crowdstrike_alerts_settings.value.hostname
+ ingestion_type = lookup(crowdstrike_alerts_settings.value, "ingestion_type", null)
+ dynamic "authentication" {
+ for_each = lookup(crowdstrike_alerts_settings.value, "authentication", null) != null ? [crowdstrike_alerts_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ }
+ }
+ }
+ }
+
+ dynamic "crowdstrike_detects_settings" {
+ for_each = lookup(each.value, "crowdstrike_detects_settings", null) != null ? [each.value.crowdstrike_detects_settings] : []
+ content {
+ hostname = lookup(crowdstrike_detects_settings.value, "hostname", null)
+ ingestion_type = lookup(crowdstrike_detects_settings.value, "ingestion_type", null)
+ dynamic "authentication" {
+ for_each = lookup(crowdstrike_detects_settings.value, "authentication", null) != null ? [crowdstrike_detects_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ }
+ }
+ }
+ }
+
+ dynamic "dummy_log_type_settings" {
+ for_each = lookup(each.value, "dummy_log_type_settings", null) != null ? [each.value.dummy_log_type_settings] : []
+ content {
+ api_endpoint = lookup(dummy_log_type_settings.value, "api_endpoint", null)
+ dynamic "authentication" {
+ for_each = lookup(dummy_log_type_settings.value, "authentication", null) != null ? [dummy_log_type_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "duo_auth_settings" {
+ for_each = lookup(each.value, "duo_auth_settings", null) != null ? [each.value.duo_auth_settings] : []
+ content {
+ hostname = lookup(duo_auth_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(duo_auth_settings.value, "authentication", null) != null ? [duo_auth_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "duo_user_context_settings" {
+ for_each = lookup(each.value, "duo_user_context_settings", null) != null ? [each.value.duo_user_context_settings] : []
+ content {
+ hostname = lookup(duo_user_context_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(duo_user_context_settings.value, "authentication", null) != null ? [duo_user_context_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "fox_it_stix_settings" {
+ for_each = lookup(each.value, "fox_it_stix_settings", null) != null ? [each.value.fox_it_stix_settings] : []
+ content {
+ collection = lookup(fox_it_stix_settings.value, "collection", null)
+ poll_service_uri = lookup(fox_it_stix_settings.value, "poll_service_uri", null)
+ dynamic "authentication" {
+ for_each = lookup(fox_it_stix_settings.value, "authentication", null) != null ? [fox_it_stix_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ dynamic "ssl" {
+ for_each = lookup(fox_it_stix_settings.value, "ssl", null) != null ? [fox_it_stix_settings.value.ssl] : []
+ content {
+ encoded_private_key = lookup(ssl.value, "encoded_private_key", null)
+ ssl_certificate = lookup(ssl.value, "ssl_certificate", null)
+ }
+ }
+ }
+ }
+
+ dynamic "gcs_settings" {
+ for_each = lookup(each.value, "gcs_settings", null) != null ? [each.value.gcs_settings] : []
+ content {
+ bucket_uri = lookup(gcs_settings.value, "bucket_uri", null)
+ source_deletion_option = lookup(gcs_settings.value, "source_deletion_option", null)
+ source_type = lookup(gcs_settings.value, "source_type", null)
+ }
+ }
+
+ dynamic "gcs_v2_settings" {
+ for_each = lookup(each.value, "gcs_v2_settings", null) != null ? [each.value.gcs_v2_settings] : []
+ content {
+ bucket_uri = gcs_v2_settings.value.bucket_uri
+ source_deletion_option = lookup(gcs_v2_settings.value, "source_deletion_option", null)
+ max_lookback_days = lookup(gcs_v2_settings.value, "max_lookback_days", null)
+ }
+ }
+
+ dynamic "google_cloud_identity_device_users_settings" {
+ for_each = lookup(each.value, "google_cloud_identity_device_users_settings", null) != null ? [each.value.google_cloud_identity_device_users_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(google_cloud_identity_device_users_settings.value, "authentication", null) != null ? [google_cloud_identity_device_users_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ dynamic "rs_credentials" {
+ for_each = lookup(authentication.value, "rs_credentials", null) != null ? [authentication.value.rs_credentials] : []
+ content {
+ private_key = lookup(rs_credentials.value, "private_key", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "google_cloud_identity_devices_settings" {
+ for_each = lookup(each.value, "google_cloud_identity_devices_settings", null) != null ? [each.value.google_cloud_identity_devices_settings] : []
+ content {
+ api_version = lookup(google_cloud_identity_devices_settings.value, "api_version", null)
+ dynamic "authentication" {
+ for_each = lookup(google_cloud_identity_devices_settings.value, "authentication", null) != null ? [google_cloud_identity_devices_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ dynamic "rs_credentials" {
+ for_each = lookup(authentication.value, "rs_credentials", null) != null ? [authentication.value.rs_credentials] : []
+ content {
+ private_key = lookup(rs_credentials.value, "private_key", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "google_cloud_storage_event_driven_settings" {
+ for_each = lookup(each.value, "google_cloud_storage_event_driven_settings", null) != null ? [each.value.google_cloud_storage_event_driven_settings] : []
+ content {
+ bucket_uri = google_cloud_storage_event_driven_settings.value.bucket_uri
+ pubsub_subscription = google_cloud_storage_event_driven_settings.value.pubsub_subscription
+ max_lookback_days = lookup(google_cloud_storage_event_driven_settings.value, "max_lookback_days", null)
+ source_deletion_option = lookup(google_cloud_storage_event_driven_settings.value, "source_deletion_option", null)
+ }
+ }
+
+ dynamic "http_settings" {
+ for_each = lookup(each.value, "http_settings", null) != null ? [each.value.http_settings] : []
+ content {
+ uri = lookup(http_settings.value, "uri", null)
+ source_deletion_option = lookup(http_settings.value, "source_deletion_option", null)
+ source_type = lookup(http_settings.value, "source_type", null)
+ }
+ }
+
+ dynamic "https_push_amazon_kinesis_firehose_settings" {
+ for_each = lookup(each.value, "https_push_amazon_kinesis_firehose_settings", null) != null ? [each.value.https_push_amazon_kinesis_firehose_settings] : []
+ content {
+ split_delimiter = lookup(https_push_amazon_kinesis_firehose_settings.value, "split_delimiter", null)
+ }
+ }
+
+ dynamic "https_push_google_cloud_pubsub_settings" {
+ for_each = lookup(each.value, "https_push_google_cloud_pubsub_settings", null) != null ? [each.value.https_push_google_cloud_pubsub_settings] : []
+ content {
+ split_delimiter = lookup(https_push_google_cloud_pubsub_settings.value, "split_delimiter", null)
+ }
+ }
+
+ dynamic "https_push_webhook_settings" {
+ for_each = lookup(each.value, "https_push_webhook_settings", null) != null ? [each.value.https_push_webhook_settings] : []
+ content {
+ split_delimiter = lookup(https_push_webhook_settings.value, "split_delimiter", null)
+ }
+ }
+
+ dynamic "imperva_waf_settings" {
+ for_each = lookup(each.value, "imperva_waf_settings", null) != null ? [each.value.imperva_waf_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(imperva_waf_settings.value, "authentication", null) != null ? [imperva_waf_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "mandiant_ioc_settings" {
+ for_each = lookup(each.value, "mandiant_ioc_settings", null) != null ? [each.value.mandiant_ioc_settings] : []
+ content {
+ start_time = lookup(mandiant_ioc_settings.value, "start_time", null)
+ dynamic "authentication" {
+ for_each = lookup(mandiant_ioc_settings.value, "authentication", null) != null ? [mandiant_ioc_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "microsoft_graph_alert_settings" {
+ for_each = lookup(each.value, "microsoft_graph_alert_settings", null) != null ? [each.value.microsoft_graph_alert_settings] : []
+ content {
+ auth_endpoint = lookup(microsoft_graph_alert_settings.value, "auth_endpoint", null)
+ hostname = lookup(microsoft_graph_alert_settings.value, "hostname", null)
+ tenant_id = lookup(microsoft_graph_alert_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(microsoft_graph_alert_settings.value, "authentication", null) != null ? [microsoft_graph_alert_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "microsoft_security_center_alert_settings" {
+ for_each = lookup(each.value, "microsoft_security_center_alert_settings", null) != null ? [each.value.microsoft_security_center_alert_settings] : []
+ content {
+ auth_endpoint = lookup(microsoft_security_center_alert_settings.value, "auth_endpoint", null)
+ hostname = lookup(microsoft_security_center_alert_settings.value, "hostname", null)
+ subscription_id = lookup(microsoft_security_center_alert_settings.value, "subscription_id", null)
+ tenant_id = lookup(microsoft_security_center_alert_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(microsoft_security_center_alert_settings.value, "authentication", null) != null ? [microsoft_security_center_alert_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "mimecast_mail_settings" {
+ for_each = lookup(each.value, "mimecast_mail_settings", null) != null ? [each.value.mimecast_mail_settings] : []
+ content {
+ hostname = lookup(mimecast_mail_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(mimecast_mail_settings.value, "authentication", null) != null ? [mimecast_mail_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "mimecast_mail_v2_settings" {
+ for_each = lookup(each.value, "mimecast_mail_v2_settings", null) != null ? [each.value.mimecast_mail_v2_settings] : []
+ content {
+ dynamic "auth_credentials" {
+ for_each = lookup(mimecast_mail_v2_settings.value, "auth_credentials", null) != null ? [mimecast_mail_v2_settings.value.auth_credentials] : []
+ content {
+ client_id = lookup(auth_credentials.value, "client_id", null)
+ client_secret = lookup(auth_credentials.value, "client_secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "netskope_alert_settings" {
+ for_each = lookup(each.value, "netskope_alert_settings", null) != null ? [each.value.netskope_alert_settings] : []
+ content {
+ content_type = lookup(netskope_alert_settings.value, "content_type", null)
+ feedname = lookup(netskope_alert_settings.value, "feedname", null)
+ hostname = lookup(netskope_alert_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(netskope_alert_settings.value, "authentication", null) != null ? [netskope_alert_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "netskope_alert_v2_settings" {
+ for_each = lookup(each.value, "netskope_alert_v2_settings", null) != null ? [each.value.netskope_alert_v2_settings] : []
+ content {
+ content_category = lookup(netskope_alert_v2_settings.value, "content_category", null)
+ content_types = lookup(netskope_alert_v2_settings.value, "content_types", null)
+ hostname = lookup(netskope_alert_v2_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(netskope_alert_v2_settings.value, "authentication", null) != null ? [netskope_alert_v2_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "office365_settings" {
+ for_each = lookup(each.value, "office365_settings", null) != null ? [each.value.office365_settings] : []
+ content {
+ auth_endpoint = lookup(office365_settings.value, "auth_endpoint", null)
+ hostname = lookup(office365_settings.value, "hostname", null)
+ tenant_id = lookup(office365_settings.value, "tenant_id", null)
+ content_type = lookup(office365_settings.value, "content_type", null)
+ dynamic "authentication" {
+ for_each = lookup(office365_settings.value, "authentication", null) != null ? [office365_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "okta_settings" {
+ for_each = lookup(each.value, "okta_settings", null) != null ? [each.value.okta_settings] : []
+ content {
+ hostname = lookup(okta_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(okta_settings.value, "authentication", null) != null ? [okta_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "okta_user_context_settings" {
+ for_each = lookup(each.value, "okta_user_context_settings", null) != null ? [each.value.okta_user_context_settings] : []
+ content {
+ hostname = lookup(okta_user_context_settings.value, "hostname", null)
+ manager_id_reference_field = lookup(okta_user_context_settings.value, "manager_id_reference_field", null)
+ dynamic "authentication" {
+ for_each = lookup(okta_user_context_settings.value, "authentication", null) != null ? [okta_user_context_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "pan_ioc_settings" {
+ for_each = lookup(each.value, "pan_ioc_settings", null) != null ? [each.value.pan_ioc_settings] : []
+ content {
+ feed = lookup(pan_ioc_settings.value, "feed", null)
+ feed_id = lookup(pan_ioc_settings.value, "feed_id", null)
+ dynamic "authentication" {
+ for_each = lookup(pan_ioc_settings.value, "authentication", null) != null ? [pan_ioc_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "pan_prisma_cloud_settings" {
+ for_each = lookup(each.value, "pan_prisma_cloud_settings", null) != null ? [each.value.pan_prisma_cloud_settings] : []
+ content {
+ hostname = lookup(pan_prisma_cloud_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(pan_prisma_cloud_settings.value, "authentication", null) != null ? [pan_prisma_cloud_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ password = lookup(authentication.value, "password", null)
+ }
+ }
+ }
+ }
+
+ dynamic "proofpoint_mail_settings" {
+ for_each = lookup(each.value, "proofpoint_mail_settings", null) != null ? [each.value.proofpoint_mail_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(proofpoint_mail_settings.value, "authentication", null) != null ? [proofpoint_mail_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "proofpoint_on_demand_settings" {
+ for_each = lookup(each.value, "proofpoint_on_demand_settings", null) != null ? [each.value.proofpoint_on_demand_settings] : []
+ content {
+ cluster_id = lookup(proofpoint_on_demand_settings.value, "cluster_id", null)
+ dynamic "authentication" {
+ for_each = lookup(proofpoint_on_demand_settings.value, "authentication", null) != null ? [proofpoint_on_demand_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "pubsub_settings" {
+ for_each = lookup(each.value, "pubsub_settings", null) != null ? [each.value.pubsub_settings] : []
+ content {
+ google_service_account_email = lookup(pubsub_settings.value, "google_service_account_email", null)
+ }
+ }
+
+ dynamic "qualys_scan_settings" {
+ for_each = lookup(each.value, "qualys_scan_settings", null) != null ? [each.value.qualys_scan_settings] : []
+ content {
+ api_type = lookup(qualys_scan_settings.value, "api_type", null)
+ hostname = lookup(qualys_scan_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(qualys_scan_settings.value, "authentication", null) != null ? [qualys_scan_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "qualys_vm_settings" {
+ for_each = lookup(each.value, "qualys_vm_settings", null) != null ? [each.value.qualys_vm_settings] : []
+ content {
+ hostname = lookup(qualys_vm_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(qualys_vm_settings.value, "authentication", null) != null ? [qualys_vm_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "rapid7_insight_settings" {
+ for_each = lookup(each.value, "rapid7_insight_settings", null) != null ? [each.value.rapid7_insight_settings] : []
+ content {
+ endpoint = lookup(rapid7_insight_settings.value, "endpoint", null)
+ hostname = lookup(rapid7_insight_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(rapid7_insight_settings.value, "authentication", null) != null ? [rapid7_insight_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "recorded_future_ioc_settings" {
+ for_each = lookup(each.value, "recorded_future_ioc_settings", null) != null ? [each.value.recorded_future_ioc_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(recorded_future_ioc_settings.value, "authentication", null) != null ? [recorded_future_ioc_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "rh_isac_ioc_settings" {
+ for_each = lookup(each.value, "rh_isac_ioc_settings", null) != null ? [each.value.rh_isac_ioc_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(rh_isac_ioc_settings.value, "authentication", null) != null ? [rh_isac_ioc_settings.value.authentication] : []
+ content {
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ }
+ }
+ }
+ }
+
+ dynamic "salesforce_settings" {
+ for_each = lookup(each.value, "salesforce_settings", null) != null ? [each.value.salesforce_settings] : []
+ content {
+ hostname = lookup(salesforce_settings.value, "hostname", null)
+ dynamic "oauth_jwt_credentials" {
+ for_each = lookup(salesforce_settings.value, "oauth_jwt_credentials", null) != null ? [salesforce_settings.value.oauth_jwt_credentials] : []
+ content {
+ token_endpoint = lookup(oauth_jwt_credentials.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(oauth_jwt_credentials.value, "claims", null) != null ? [oauth_jwt_credentials.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ dynamic "rs_credentials" {
+ for_each = lookup(oauth_jwt_credentials.value, "rs_credentials", null) != null ? [oauth_jwt_credentials.value.rs_credentials] : []
+ content {
+ private_key = lookup(rs_credentials.value, "private_key", null)
+ }
+ }
+ }
+ }
+ dynamic "oauth_password_grant_auth" {
+ for_each = lookup(salesforce_settings.value, "oauth_password_grant_auth", null) != null ? [salesforce_settings.value.oauth_password_grant_auth] : []
+ content {
+ token_endpoint = lookup(oauth_password_grant_auth.value, "token_endpoint", null)
+ client_id = lookup(oauth_password_grant_auth.value, "client_id", null)
+ client_secret = lookup(oauth_password_grant_auth.value, "client_secret", null)
+ user = lookup(oauth_password_grant_auth.value, "user", null)
+ password = lookup(oauth_password_grant_auth.value, "password", null)
+ }
+ }
+ }
+ }
+
+ dynamic "sentinelone_alert_settings" {
+ for_each = lookup(each.value, "sentinelone_alert_settings", null) != null ? [each.value.sentinelone_alert_settings] : []
+ content {
+ hostname = lookup(sentinelone_alert_settings.value, "hostname", null)
+ initial_start_time = lookup(sentinelone_alert_settings.value, "initial_start_time", null)
+ is_alert_api_subscribed = lookup(sentinelone_alert_settings.value, "is_alert_api_subscribed", null)
+ dynamic "authentication" {
+ for_each = lookup(sentinelone_alert_settings.value, "authentication", null) != null ? [sentinelone_alert_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "service_now_cmdb_settings" {
+ for_each = lookup(each.value, "service_now_cmdb_settings", null) != null ? [each.value.service_now_cmdb_settings] : []
+ content {
+ feedname = lookup(service_now_cmdb_settings.value, "feedname", null)
+ hostname = lookup(service_now_cmdb_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(service_now_cmdb_settings.value, "authentication", null) != null ? [service_now_cmdb_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "sftp_settings" {
+ for_each = lookup(each.value, "sftp_settings", null) != null ? [each.value.sftp_settings] : []
+ content {
+ uri = lookup(sftp_settings.value, "uri", null)
+ source_deletion_option = lookup(sftp_settings.value, "source_deletion_option", null)
+ source_type = lookup(sftp_settings.value, "source_type", null)
+ dynamic "authentication" {
+ for_each = lookup(sftp_settings.value, "authentication", null) != null ? [sftp_settings.value.authentication] : []
+ content {
+ username = lookup(authentication.value, "username", null)
+ password = lookup(authentication.value, "password", null)
+ private_key = lookup(authentication.value, "private_key", null)
+ private_key_passphrase = lookup(authentication.value, "private_key_passphrase", null)
+ }
+ }
+ }
+ }
+
+ dynamic "symantec_event_export_settings" {
+ for_each = lookup(each.value, "symantec_event_export_settings", null) != null ? [each.value.symantec_event_export_settings] : []
+ content {
+ dynamic "authentication" {
+ for_each = lookup(symantec_event_export_settings.value, "authentication", null) != null ? [symantec_event_export_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ refresh_token = lookup(authentication.value, "refresh_token", null)
+ }
+ }
+ }
+ }
+
+ dynamic "thinkst_canary_settings" {
+ for_each = lookup(each.value, "thinkst_canary_settings", null) != null ? [each.value.thinkst_canary_settings] : []
+ content {
+ hostname = lookup(thinkst_canary_settings.value, "hostname", null)
+ dynamic "authentication" {
+ for_each = lookup(thinkst_canary_settings.value, "authentication", null) != null ? [thinkst_canary_settings.value.authentication] : []
+ content {
+ dynamic "header_key_values" {
+ for_each = lookup(authentication.value, "header_key_values", [])
+ content {
+ key = lookup(header_key_values.value, "key", null)
+ value = lookup(header_key_values.value, "value", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "threat_connect_ioc_settings" {
+ for_each = lookup(each.value, "threat_connect_ioc_settings", null) != null ? [each.value.threat_connect_ioc_settings] : []
+ content {
+ hostname = lookup(threat_connect_ioc_settings.value, "hostname", null)
+ owners = lookup(threat_connect_ioc_settings.value, "owners", null)
+ dynamic "authentication" {
+ for_each = lookup(threat_connect_ioc_settings.value, "authentication", null) != null ? [threat_connect_ioc_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "threat_connect_ioc_v3_settings" {
+ for_each = lookup(each.value, "threat_connect_ioc_v3_settings", null) != null ? [each.value.threat_connect_ioc_v3_settings] : []
+ content {
+ hostname = lookup(threat_connect_ioc_v3_settings.value, "hostname", null)
+ owners = lookup(threat_connect_ioc_v3_settings.value, "owners", null)
+ fields = lookup(threat_connect_ioc_v3_settings.value, "fields", null)
+ schedule = lookup(threat_connect_ioc_v3_settings.value, "schedule", null)
+ tql_query = lookup(threat_connect_ioc_v3_settings.value, "tql_query", null)
+ dynamic "authentication" {
+ for_each = lookup(threat_connect_ioc_v3_settings.value, "authentication", null) != null ? [threat_connect_ioc_v3_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ }
+ }
+ }
+ }
+
+ dynamic "trellix_hx_alerts_settings" {
+ for_each = lookup(each.value, "trellix_hx_alerts_settings", null) != null ? [each.value.trellix_hx_alerts_settings] : []
+ content {
+ endpoint = lookup(trellix_hx_alerts_settings.value, "endpoint", null)
+ dynamic "authentication" {
+ for_each = lookup(trellix_hx_alerts_settings.value, "authentication", null) != null ? [trellix_hx_alerts_settings.value.authentication] : []
+ content {
+ dynamic "msso" {
+ for_each = lookup(authentication.value, "msso", null) != null ? [authentication.value.msso] : []
+ content {
+ api_endpoint = lookup(msso.value, "api_endpoint", null)
+ username = lookup(msso.value, "username", null)
+ password = lookup(msso.value, "password", null)
+ }
+ }
+ dynamic "trellix_iam" {
+ for_each = lookup(authentication.value, "trellix_iam", null) != null ? [authentication.value.trellix_iam] : []
+ content {
+ client_id = lookup(trellix_iam.value, "client_id", null)
+ client_secret = lookup(trellix_iam.value, "client_secret", null)
+ scope = lookup(trellix_iam.value, "scope", null)
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "trellix_hx_bulk_acqs_settings" {
+ for_each = lookup(each.value, "trellix_hx_bulk_acqs_settings", null) != null ? [each.value.trellix_hx_bulk_acqs_settings] : []
+ content {
+ endpoint = trellix_hx_bulk_acqs_settings.value.endpoint
+ dynamic "authentication" {
+ for_each = lookup(trellix_hx_bulk_acqs_settings.value, "authentication", null) != null ? [trellix_hx_bulk_acqs_settings.value.authentication] : []
+ content {
+ dynamic "msso" {
+ for_each = lookup(authentication.value, "msso", null) != null ? [authentication.value.msso] : []
+ content {
+ api_endpoint = msso.value.api_endpoint
+ username = msso.value.username
+ password = msso.value.password
+ }
+ }
+ dynamic "trellix_iam" {
+ for_each = lookup(authentication.value, "trellix_iam", null) != null ? [authentication.value.trellix_iam] : []
+ content {
+ client_id = trellix_iam.value.client_id
+ client_secret = trellix_iam.value.client_secret
+ scope = trellix_iam.value.scope
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "trellix_hx_hosts_settings" {
+ for_each = lookup(each.value, "trellix_hx_hosts_settings", null) != null ? [each.value.trellix_hx_hosts_settings] : []
+ content {
+ endpoint = trellix_hx_hosts_settings.value.endpoint
+ dynamic "authentication" {
+ for_each = lookup(trellix_hx_hosts_settings.value, "authentication", null) != null ? [trellix_hx_hosts_settings.value.authentication] : []
+ content {
+ dynamic "msso" {
+ for_each = lookup(authentication.value, "msso", null) != null ? [authentication.value.msso] : []
+ content {
+ api_endpoint = msso.value.api_endpoint
+ username = msso.value.username
+ password = msso.value.password
+ }
+ }
+ dynamic "trellix_iam" {
+ for_each = lookup(authentication.value, "trellix_iam", null) != null ? [authentication.value.trellix_iam] : []
+ content {
+ client_id = trellix_iam.value.client_id
+ client_secret = trellix_iam.value.client_secret
+ scope = trellix_iam.value.scope
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "webhook_settings" {
+ for_each = lookup(each.value, "webhook_settings", null) != null ? [each.value.webhook_settings] : []
+ content {
+ }
+ }
+
+ dynamic "workday_settings" {
+ for_each = lookup(each.value, "workday_settings", null) != null ? [each.value.workday_settings] : []
+ content {
+ hostname = lookup(workday_settings.value, "hostname", null)
+ tenant_id = lookup(workday_settings.value, "tenant_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workday_settings.value, "authentication", null) != null ? [workday_settings.value.authentication] : []
+ content {
+ user = lookup(authentication.value, "user", null)
+ secret = lookup(authentication.value, "secret", null)
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ client_id = lookup(authentication.value, "client_id", null)
+ client_secret = lookup(authentication.value, "client_secret", null)
+ refresh_token = lookup(authentication.value, "refresh_token", null)
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_activity_settings" {
+ for_each = lookup(each.value, "workspace_activity_settings", null) != null ? [each.value.workspace_activity_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_activity_settings.value, "workspace_customer_id", null)
+ applications = lookup(workspace_activity_settings.value, "applications", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_activity_settings.value, "authentication", null) != null ? [workspace_activity_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_alerts_settings" {
+ for_each = lookup(each.value, "workspace_alerts_settings", null) != null ? [each.value.workspace_alerts_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_alerts_settings.value, "workspace_customer_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_alerts_settings.value, "authentication", null) != null ? [workspace_alerts_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_chrome_os_settings" {
+ for_each = lookup(each.value, "workspace_chrome_os_settings", null) != null ? [each.value.workspace_chrome_os_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_chrome_os_settings.value, "workspace_customer_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_chrome_os_settings.value, "authentication", null) != null ? [workspace_chrome_os_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_groups_settings" {
+ for_each = lookup(each.value, "workspace_groups_settings", null) != null ? [each.value.workspace_groups_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_groups_settings.value, "workspace_customer_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_groups_settings.value, "authentication", null) != null ? [workspace_groups_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_mobile_settings" {
+ for_each = lookup(each.value, "workspace_mobile_settings", null) != null ? [each.value.workspace_mobile_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_mobile_settings.value, "workspace_customer_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_mobile_settings.value, "authentication", null) != null ? [workspace_mobile_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_privileges_settings" {
+ for_each = lookup(each.value, "workspace_privileges_settings", null) != null ? [each.value.workspace_privileges_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_privileges_settings.value, "workspace_customer_id", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_privileges_settings.value, "authentication", null) != null ? [workspace_privileges_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "workspace_users_settings" {
+ for_each = lookup(each.value, "workspace_users_settings", null) != null ? [each.value.workspace_users_settings] : []
+ content {
+ workspace_customer_id = lookup(workspace_users_settings.value, "workspace_customer_id", null)
+ projection_type = lookup(workspace_users_settings.value, "projection_type", null)
+ dynamic "authentication" {
+ for_each = lookup(workspace_users_settings.value, "authentication", null) != null ? [workspace_users_settings.value.authentication] : []
+ content {
+ token_endpoint = lookup(authentication.value, "token_endpoint", null)
+ dynamic "claims" {
+ for_each = lookup(authentication.value, "claims", null) != null ? [authentication.value.claims] : []
+ content {
+ audience = lookup(claims.value, "audience", null)
+ issuer = lookup(claims.value, "issuer", null)
+ subject = lookup(claims.value, "subject", null)
+ }
+ }
+ rs_credentials {
+ private_key = try(data.google_secret_manager_regional_secret_version.secops_secrets[each.key].secret_data, lookup(authentication.value.rs_credentials, "private_key", null))
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/secops-feeds/outputs.tf b/modules/secops-feeds/outputs.tf
new file mode 100644
index 0000000..793c7e6
--- /dev/null
+++ b/modules/secops-feeds/outputs.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "feeds_id" {
+ description = "A map of Chronicle feeds to create."
+ value = {
+ for key, value in google_chronicle_feed.feeds : key => element(split("/", value.id), length(split("/", value.id)) - 1)
+ }
+}
\ No newline at end of file
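Review bot: The `description` of output `feeds_id` is the same text as the `feeds` input variable ("A map of Chronicle feeds to create."), but the value is a map from each feed key to the last `/`-separated segment of that feed's `id`. A description such as `description = "Map of feed key to Chronicle feed ID (last path segment of the resource id)."` would tell module consumers what they actually receive. The expression splits `value.id` twice; `key => reverse(split("/", value.id))[0]` gives the same element with one split. The file also ends without a trailing newline.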
diff --git a/modules/secops-feeds/variables.tf b/modules/secops-feeds/variables.tf
new file mode 100644
index 0000000..9ba7d3e
--- /dev/null
+++ b/modules/secops-feeds/variables.tf
@@ -0,0 +1,826 @@
+/**
+ * Copyright 2026 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "feeds" {
+ description = "A map of Chronicle feeds to create."
+ type = map(object({
+ display_name = string
+ log_type = string
+ enabled = optional(bool, true)
+ asset_namespace = optional(string)
+ labels = optional(map(string))
+
+ secret_manager_config = optional(object({
+ region = string
+ secret_name = string
+ version = optional(string)
+ }))
+
+ amazon_s3_settings = optional(object({
+ s3_uri = string
+ source_deletion_option = string
+ source_type = string
+ authentication = optional(object({
+ region = string
+ access_key_id = optional(string)
+ secret_access_key = optional(string)
+ client_id = optional(string)
+ client_secret = optional(string)
+ refresh_uri = optional(string)
+ }))
+ }))
+
+ amazon_s3_v2_settings = optional(object({
+ s3_uri = string
+ source_deletion_option = optional(string)
+ max_lookback_days = optional(number)
+ authentication = object({
+ access_key_secret_auth = optional(object({
+ access_key_id = string
+ secret_access_key = string
+ }))
+ aws_iam_role_auth = optional(object({
+ aws_iam_role_arn = optional(string)
+ subject_id = optional(string)
+ }))
+ })
+ }))
+
+ amazon_sqs_settings = optional(object({
+ account_number = optional(string)
+ queue = optional(string)
+ region = optional(string)
+ source_deletion_option = optional(string)
+ authentication = optional(object({
+ additional_s3_access_key_secret_auth = optional(object({
+ access_key_id = optional(string)
+ secret_access_key = optional(string)
+ }))
+ sqs_access_key_secret_auth = optional(object({
+ access_key_id = optional(string)
+ secret_access_key = optional(string)
+ }))
+ }))
+ }))
+
+ amazon_sqs_v2_settings = optional(object({
+ queue = string
+ s3_uri = string
+ source_deletion_option = optional(string)
+ max_lookback_days = optional(number)
+ authentication = object({
+ aws_iam_role_auth = object({
+ aws_iam_role_arn = optional(string)
+ subject_id = optional(string)
+ })
+ sqs_v2_access_key_secret_auth = object({
+ access_key_id = optional(string)
+ secret_access_key = optional(string)
+ })
+ })
+ }))
+
+ anomali_settings = optional(object({
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ aws_ec2_hosts_settings = optional(object({
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ aws_ec2_instances_settings = optional(object({
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ aws_ec2_vpcs_settings = optional(object({
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ aws_iam_settings = optional(object({
+ api_type = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ azure_ad_audit_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ azure_ad_context_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ retrieve_devices = optional(bool)
+ retrieve_groups = optional(bool)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ azure_ad_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ azure_blob_store_settings = optional(object({
+ azure_uri = optional(string)
+ source_deletion_option = optional(string)
+ source_type = optional(string)
+ authentication = optional(object({
+ sas_token = optional(string)
+ shared_key = optional(string)
+ }))
+ }))
+
+ azure_blob_store_v2_settings = optional(object({
+ azure_uri = string
+ source_deletion_option = optional(string)
+ max_lookback_days = optional(number)
+ authentication = object({
+ access_key = string
+ sas_token = string
+ azure_v2_workload_identity_federation = object({
+ client_id = string
+ subject_id = string
+ tenant_id = string
+ })
+ })
+ }))
+
+ azure_event_hub_settings = optional(object({
+ consumer_group = string
+ event_hub_connection_string = string
+ name = string
+ azure_sas_token = optional(string)
+ azure_storage_connection_string = optional(string)
+ azure_storage_container = optional(string)
+ }))
+
+ azure_mdm_intune_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ cloud_passage_settings = optional(object({
+ event_types = optional(list(string))
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ cortex_xdr_settings = optional(object({
+ endpoint = optional(string)
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ crowdstrike_alerts_settings = optional(object({
+ hostname = string
+ ingestion_type = optional(string)
+ authentication = object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ token_endpoint = optional(string)
+ })
+ }))
+
+ crowdstrike_detects_settings = optional(object({
+ hostname = optional(string)
+ ingestion_type = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ token_endpoint = optional(string)
+ }))
+ }))
+
+ dummy_log_type_settings = optional(object({
+ api_endpoint = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ duo_auth_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ duo_user_context_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ fox_it_stix_settings = optional(object({
+ collection = optional(string)
+ poll_service_uri = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ ssl = optional(object({
+ encoded_private_key = optional(string)
+ ssl_certificate = optional(string)
+ }))
+ }))
+
+ gcs_settings = optional(object({
+ bucket_uri = optional(string)
+ source_deletion_option = optional(string)
+ source_type = optional(string)
+ }))
+
+ gcs_v2_settings = optional(object({
+ bucket_uri = string
+ source_deletion_option = optional(string)
+ max_lookback_days = optional(number)
+ }))
+
+ google_cloud_identity_device_users_settings = optional(object({
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ google_cloud_identity_devices_settings = optional(object({
+ api_version = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ google_cloud_storage_event_driven_settings = optional(object({
+ bucket_uri = string
+ pubsub_subscription = string
+ max_lookback_days = optional(number)
+ source_deletion_option = optional(string)
+ }))
+
+ http_settings = optional(object({
+ uri = optional(string)
+ source_deletion_option = optional(string)
+ source_type = optional(string)
+ }))
+
+ https_push_amazon_kinesis_firehose_settings = optional(object({
+ split_delimiter = optional(string)
+ }))
+
+ https_push_google_cloud_pubsub_settings = optional(object({
+ split_delimiter = optional(string)
+ }))
+
+ https_push_webhook_settings = optional(object({
+ split_delimiter = optional(string)
+ }))
+
+ imperva_waf_settings = optional(object({
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ mandiant_ioc_settings = optional(object({
+ start_time = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ microsoft_graph_alert_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ microsoft_security_center_alert_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ subscription_id = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ mimecast_mail_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ mimecast_mail_v2_settings = optional(object({
+ auth_credentials = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ netskope_alert_settings = optional(object({
+ content_type = optional(string)
+ feedname = optional(string)
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ netskope_alert_v2_settings = optional(object({
+ content_category = optional(string)
+ content_types = optional(list(string))
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ office365_settings = optional(object({
+ auth_endpoint = optional(string)
+ hostname = optional(string)
+ tenant_id = optional(string)
+ content_type = optional(string)
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ }))
+ }))
+
+ okta_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ okta_user_context_settings = optional(object({
+ hostname = optional(string)
+ manager_id_reference_field = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ pan_ioc_settings = optional(object({
+ feed = optional(string)
+ feed_id = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ pan_prisma_cloud_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ password = optional(string)
+ }))
+ }))
+
+ proofpoint_mail_settings = optional(object({
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ proofpoint_on_demand_settings = optional(object({
+ cluster_id = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ pubsub_settings = optional(object({
+ google_service_account_email = optional(string)
+ }))
+
+ qualys_scan_settings = optional(object({
+ api_type = optional(string)
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ qualys_vm_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ rapid7_insight_settings = optional(object({
+ endpoint = optional(string)
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ recorded_future_ioc_settings = optional(object({
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ rh_isac_ioc_settings = optional(object({
+ authentication = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ token_endpoint = optional(string)
+ }))
+ }))
+
+ salesforce_settings = optional(object({
+ hostname = optional(string)
+ oauth_jwt_credentials = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ oauth_password_grant_auth = optional(object({
+ token_endpoint = optional(string)
+ client_id = optional(string)
+ client_secret = optional(string)
+ user = optional(string)
+ password = optional(string)
+ }))
+ }))
+
+ sentinelone_alert_settings = optional(object({
+ hostname = optional(string)
+ initial_start_time = optional(string)
+ is_alert_api_subscribed = optional(bool)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ service_now_cmdb_settings = optional(object({
+ feedname = optional(string)
+ hostname = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ sftp_settings = optional(object({
+ uri = optional(string)
+ source_deletion_option = optional(string)
+ source_type = optional(string)
+ authentication = optional(object({
+ username = optional(string)
+ password = optional(string)
+ private_key = optional(string)
+ private_key_passphrase = optional(string)
+ }))
+ }))
+
+ symantec_event_export_settings = optional(object({
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ client_id = optional(string)
+ client_secret = optional(string)
+ refresh_token = optional(string)
+ }))
+ }))
+
+ thinkst_canary_settings = optional(object({
+ hostname = optional(string)
+ authentication = optional(object({
+ header_key_values = optional(list(object({
+ key = optional(string)
+ value = optional(string)
+ })))
+ }))
+ }))
+
+ threat_connect_ioc_settings = optional(object({
+ hostname = optional(string)
+ owners = optional(list(string))
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ threat_connect_ioc_v3_settings = optional(object({
+ hostname = optional(string)
+ owners = optional(list(string))
+ fields = optional(list(string))
+ schedule = optional(string)
+ tql_query = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ }))
+ }))
+
+ trellix_hx_alerts_settings = optional(object({
+ endpoint = optional(string)
+ authentication = optional(object({
+ msso = optional(object({
+ api_endpoint = optional(string)
+ username = optional(string)
+ password = optional(string)
+ }))
+ trellix_iam = optional(object({
+ client_id = optional(string)
+ client_secret = optional(string)
+ scope = optional(string)
+ }))
+ }))
+ }))
+
+ trellix_hx_bulk_acqs_settings = optional(object({
+ endpoint = string
+ authentication = optional(object({
+ msso = optional(object({
+ api_endpoint = string
+ username = string
+ password = string
+ }))
+ trellix_iam = optional(object({
+ client_id = string
+ client_secret = string
+ scope = string
+ }))
+ }))
+ }))
+
+ trellix_hx_hosts_settings = optional(object({
+ endpoint = string
+ authentication = optional(object({
+ msso = optional(object({
+ api_endpoint = string
+ username = string
+ password = string
+ }))
+ trellix_iam = optional(object({
+ client_id = string
+ client_secret = string
+ scope = string
+ }))
+ }))
+ }))
+
+ webhook_settings = optional(object({
+ }))
+
+ workday_settings = optional(object({
+ hostname = optional(string)
+ tenant_id = optional(string)
+ authentication = optional(object({
+ user = optional(string)
+ secret = optional(string)
+ token_endpoint = optional(string)
+ client_id = optional(string)
+ client_secret = optional(string)
+ refresh_token = optional(string)
+ }))
+ }))
+
+ workspace_activity_settings = optional(object({
+ workspace_customer_id = optional(string)
+ applications = optional(list(string))
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_alerts_settings = optional(object({
+ workspace_customer_id = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_chrome_os_settings = optional(object({
+ workspace_customer_id = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_groups_settings = optional(object({
+ workspace_customer_id = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_mobile_settings = optional(object({
+ workspace_customer_id = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_privileges_settings = optional(object({
+ workspace_customer_id = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+
+ workspace_users_settings = optional(object({
+ workspace_customer_id = optional(string)
+ projection_type = optional(string)
+ authentication = optional(object({
+ token_endpoint = optional(string)
+ claims = optional(object({
+ audience = optional(string)
+ issuer = optional(string)
+ subject = optional(string)
+ }))
+ rs_credentials = optional(object({
+ private_key = optional(string)
+ }))
+ }))
+ }))
+ }))
+ default = {}
+}
+
+variable "secops_config" {
+ description = "SecOps configuration."
+ type = object({
+ customer_id = string
+ project = string
+ region = string
+ })
+}
diff --git a/modules/secops-feeds/versions.tf b/modules/secops-feeds/versions.tf
new file mode 100644
index 0000000..e4f408a
--- /dev/null
+++ b/modules/secops-feeds/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.3.0"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 7.0.0, < 8.0.0"
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 7.0.0, < 8.0.0"
+ }
+ }
+}
diff --git a/tests/blueprints/bindplane-gke/basic.yaml b/tests/blueprints/bindplane-gke/basic.yaml
index 2c0e727..fcb41f0 100644
--- a/tests/blueprints/bindplane-gke/basic.yaml
+++ b/tests/blueprints/bindplane-gke/basic.yaml
@@ -59,7 +59,7 @@ values:
values:
- null
verify: false
- version: 1.33.2
+ version: 1.34.0
wait: true
wait_for_jobs: false
module.addresses.google_compute_address.internal["ingress"]:
diff --git a/tests/blueprints/secops-instance/basic.tfvars b/tests/blueprints/secops-instance/basic.tfvars
index 5b028b0..5ff1398 100644
--- a/tests/blueprints/secops-instance/basic.tfvars
+++ b/tests/blueprints/secops-instance/basic.tfvars
@@ -45,9 +45,7 @@ third_party_integration_config = {
customer_id = "CXXXXXXXX"
}
okta = {
- auth_header_key_values = {
- "Authorization" : "XXXXXXXXXXXXX"
- }
+ api_key = "XXXXXXXXXXXXX"
hostname = "xxxxx.okta.com"
manager_id_reference_field = "managerId"
}
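Review bot: The Okta credential in this fixture is now a bare `api_key` string under `okta`, and nothing in the hunk shows whether the variable that receives it is declared with `sensitive = true`; the declaration of `third_party_integration_config` is outside this hunk. If it is not, the key is printed in plan output and CI logs, so I would confirm the variable is marked sensitive, or that the key is read from a secret store rather than passed through tfvars. The same check applies to the `secret`, `password`, `private_key` and `client_secret` fields of the secops-feeds settings type earlier in this diff, where no `sensitive` attribute is visible between the end of the type and the closing `default = {}`. Marking a variable sensitive only masks it in output; the value is still written to Terraform state, so access to the state backend needs to be restricted accordingly.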
diff --git a/tests/blueprints/secops-instance/basic.yaml b/tests/blueprints/secops-instance/basic.yaml
index 4df2b0f..0adfd8f 100644
--- a/tests/blueprints/secops-instance/basic.yaml
+++ b/tests/blueprints/secops-instance/basic.yaml
@@ -159,2121 +159,314 @@ values:
public_key_data: null
public_key_type: TYPE_X509_PEM_FILE
service_account_id: workspace-integration@test-project.iam.gserviceaccount.com
- module.project.google_org_policy_policy.default["iam.disableServiceAccountKeyCreation"]:
- dry_run_spec: []
- name: projects/test-project/policies/iam.disableServiceAccountKeyCreation
- parent: projects/test-project
- spec:
- - inherit_from_parent: null
- reset: null
- rules:
- - allow_all: null
- condition: []
- deny_all: null
- enforce: 'FALSE'
- parameters: null
- values: []
- timeouts: null
- module.project.google_project.project[0]:
- auto_create_network: false
- billing_account: 12345-ABCDEF-12345
- deletion_policy: DELETE
- effective_labels:
- goog-terraform-provisioned: 'true'
- folder_id: '2345678901'
- labels: null
- name: test-project
- org_id: null
- project_id: test-project
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- module.project.google_project_iam_binding.authoritative["roles/chronicle.viewer"]:
- condition: []
- members:
- - group:gcp-secops-admins@example.com
- project: test-project
- role: roles/chronicle.viewer
- module.project.google_project_iam_custom_role.roles["SecOpsDetectionEngineer"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.conversations.update
- - chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
- - chronicle.curatedRuleSetCategories.get
- - chronicle.curatedRuleSetCategories.list
- - chronicle.curatedRuleSetDeployments.batchUpdate
- - chronicle.curatedRuleSetDeployments.get
- - chronicle.curatedRuleSetDeployments.list
- - chronicle.curatedRuleSetDeployments.update
- - chronicle.curatedRuleSets.countCuratedRuleSetDetections
- - chronicle.curatedRuleSets.get
- - chronicle.curatedRuleSets.list
- - chronicle.curatedRules.get
- - chronicle.curatedRules.list
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.create
- - chronicle.dashboards.delete
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessLabels.update
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataAccessScopes.update
- - chronicle.dataTableOperationErrors.get
- - chronicle.dataTableRows.asyncBulkCreate
- - chronicle.dataTableRows.asyncBulkReplace
- - chronicle.dataTableRows.asyncBulkUpdate
- - chronicle.dataTableRows.bulkCreate
- - chronicle.dataTableRows.bulkReplace
- - chronicle.dataTableRows.bulkUpdate
- - chronicle.dataTableRows.create
- - chronicle.dataTableRows.delete
- - chronicle.dataTableRows.get
- - chronicle.dataTableRows.list
- - chronicle.dataTableRows.update
- - chronicle.dataTables.bulkCreateDataTableAsync
- - chronicle.dataTables.create
- - chronicle.dataTables.delete
- - chronicle.dataTables.get
- - chronicle.dataTables.list
- - chronicle.dataTables.update
- - chronicle.enrichmentControls.create
- - chronicle.enrichmentControls.delete
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.create
- - chronicle.entities.delete
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.featuredContentRules.list
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.findingsRefinementDeployments.get
- - chronicle.findingsRefinementDeployments.list
- - chronicle.findingsRefinementDeployments.update
- - chronicle.findingsRefinements.computeActivity
- - chronicle.findingsRefinements.computeAllActivities
- - chronicle.findingsRefinements.create
- - chronicle.findingsRefinements.get
- - chronicle.findingsRefinements.list
- - chronicle.findingsRefinements.test
- - chronicle.findingsRefinements.update
- - chronicle.globalDataAccessScopes.permit
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.update
- - chronicle.instances.verifyNonce
- - chronicle.iocMatches.get
- - chronicle.iocMatches.list
- - chronicle.iocState.get
- - chronicle.iocState.update
- - chronicle.iocs.batchGet
- - chronicle.iocs.findFirstAndLastSeen
- - chronicle.iocs.get
- - chronicle.iocs.searchCuratedDetectionsForIoc
- - chronicle.legacies.legacyBatchGetCollections
- - chronicle.legacies.legacyFetchAlertsView
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacyGetAlert
- - chronicle.legacies.legacyGetCuratedRulesTrends
- - chronicle.legacies.legacyGetDetection
- - chronicle.legacies.legacyGetEventForDetection
- - chronicle.legacies.legacyGetRuleCounts
- - chronicle.legacies.legacyGetRulesTrends
- - chronicle.legacies.legacyRunTestRule
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCuratedDetections
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchDetections
- - chronicle.legacies.legacySearchDomainsRecentlyRegistered
- - chronicle.legacies.legacySearchDomainsTimingStats
- - chronicle.legacies.legacySearchEnterpriseWideAlerts
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchFindings
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchRuleDetectionCountBuckets
- - chronicle.legacies.legacySearchRuleDetectionEvents
- - chronicle.legacies.legacySearchRuleResults
- - chronicle.legacies.legacySearchRulesAlerts
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.legacies.legacyStreamDetectionAlerts
- - chronicle.legacies.legacyTestRuleStreaming
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.messages.update
- - chronicle.nativeDashboards.create
- - chronicle.nativeDashboards.delete
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.nativeDashboards.update
- - chronicle.operations.cancel
- - chronicle.operations.delete
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.preferenceSets.get
- - chronicle.preferenceSets.update
- - chronicle.referenceLists.create
- - chronicle.referenceLists.get
- - chronicle.referenceLists.list
- - chronicle.referenceLists.update
- - chronicle.referenceLists.verifyReferenceList
- - chronicle.retrohunts.create
- - chronicle.retrohunts.get
- - chronicle.retrohunts.list
- - chronicle.riskConfigs.get
- - chronicle.riskConfigs.update
- - chronicle.ruleDeployments.get
- - chronicle.ruleDeployments.list
- - chronicle.ruleDeployments.update
- - chronicle.ruleExecutionErrors.list
- - chronicle.rules.create
- - chronicle.rules.delete
- - chronicle.rules.get
- - chronicle.rules.list
- - chronicle.rules.listRevisions
- - chronicle.rules.update
- - chronicle.rules.verifyRuleText
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.searchQueries.update
- - chronicle.threatCollections.fetchIocMatchMetadata
- - chronicle.threatCollections.fetchRuleMetadata
- - chronicle.threatCollections.get
- - chronicle.threatCollections.list
- - chronicle.watchlists.create
- - chronicle.watchlists.delete
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - chronicle.watchlists.update
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsDetectionEngineer
- stage: GA
- title: Custom role SecOpsDetectionEngineer
- module.project.google_project_iam_custom_role.roles["SecOpsIngestionAPI"]:
- description: Terraform-managed.
- permissions:
- - chronicle.entities.import
- - chronicle.events.import
- - chronicle.logs.import
- project: test-project
- role_id: SecOpsIngestionAPI
- stage: GA
- title: Custom role SecOpsIngestionAPI
- module.project.google_project_iam_custom_role.roles["SecOpsOnboardingEngineer"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.collectors.create
- - chronicle.collectors.delete
- - chronicle.collectors.get
- - chronicle.collectors.list
- - chronicle.collectors.update
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.conversations.update
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.create
- - chronicle.dashboards.delete
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessLabels.update
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataAccessScopes.update
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.extensionValidationReports.get
- - chronicle.extensionValidationReports.list
- - chronicle.feedPacks.get
- - chronicle.feedPacks.list
- - chronicle.feedServiceAccounts.fetch
- - chronicle.feedSourceTypeSchemas.list
- - chronicle.feeds.create
- - chronicle.feeds.delete
- - chronicle.feeds.disable
- - chronicle.feeds.enable
- - chronicle.feeds.generateSecret
- - chronicle.feeds.get
- - chronicle.feeds.list
- - chronicle.feeds.update
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.forwarders.create
- - chronicle.forwarders.delete
- - chronicle.forwarders.generate
- - chronicle.forwarders.get
- - chronicle.forwarders.list
- - chronicle.forwarders.update
- - chronicle.globalDataAccessScopes.permit
- - chronicle.ingestionLogLabels.get
- - chronicle.ingestionLogLabels.list
- - chronicle.ingestionLogNamespaces.get
- - chronicle.ingestionLogNamespaces.list
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.update
- - chronicle.instances.verifyNonce
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.logTypeSchemas.list
- - chronicle.logTypeSettings.get
- - chronicle.logTypeSettings.list
- - chronicle.logTypeSettings.update
- - chronicle.logTypes.create
- - chronicle.logTypes.get
- - chronicle.logTypes.list
- - chronicle.logTypes.update
- - chronicle.logs.get
- - chronicle.logs.list
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.messages.update
- - chronicle.nativeDashboards.create
- - chronicle.nativeDashboards.delete
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.nativeDashboards.update
- - chronicle.operations.cancel
- - chronicle.operations.delete
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.parserExtensions.activate
- - chronicle.parserExtensions.create
- - chronicle.parserExtensions.delete
- - chronicle.parserExtensions.generateKeyValueMappings
- - chronicle.parserExtensions.get
- - chronicle.parserExtensions.legacySubmitParserExtension
- - chronicle.parserExtensions.list
- - chronicle.parserExtensions.removeSyslog
- - chronicle.parsers.activate
- - chronicle.parsers.activateReleaseCandidate
- - chronicle.parsers.copyPrebuiltParser
- - chronicle.parsers.create
- - chronicle.parsers.deactivate
- - chronicle.parsers.delete
- - chronicle.parsers.generateEventTypesSuggestions
- - chronicle.parsers.get
- - chronicle.parsers.list
- - chronicle.parsers.runParser
- - chronicle.parsingErrors.list
- - chronicle.preferenceSets.get
- - chronicle.preferenceSets.update
- - chronicle.riskConfigs.get
- - chronicle.riskConfigs.update
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.searchQueries.update
- - chronicle.validationErrors.list
- - chronicle.validationReports.get
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - chronicle.watchlists.update
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsOnboardingEngineer
- stage: GA
- title: Custom role SecOpsOnboardingEngineer
- module.project.google_project_iam_custom_role.roles["SecOpsSOCAnalyst"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.conversations.update
- - chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
- - chronicle.curatedRuleSetCategories.get
- - chronicle.curatedRuleSetCategories.list
- - chronicle.curatedRuleSetDeployments.batchUpdate
- - chronicle.curatedRuleSetDeployments.get
- - chronicle.curatedRuleSetDeployments.list
- - chronicle.curatedRuleSetDeployments.update
- - chronicle.curatedRuleSets.countCuratedRuleSetDetections
- - chronicle.curatedRuleSets.get
- - chronicle.curatedRuleSets.list
- - chronicle.curatedRules.get
- - chronicle.curatedRules.list
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessLabels.update
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataAccessScopes.update
- - chronicle.dataTableOperationErrors.get
- - chronicle.dataTableRows.asyncBulkCreate
- - chronicle.dataTableRows.asyncBulkReplace
- - chronicle.dataTableRows.asyncBulkUpdate
- - chronicle.dataTableRows.bulkCreate
- - chronicle.dataTableRows.bulkReplace
- - chronicle.dataTableRows.bulkUpdate
- - chronicle.dataTableRows.get
- - chronicle.dataTableRows.list
- - chronicle.dataTableRows.update
- - chronicle.dataTables.bulkCreateDataTableAsync
- - chronicle.dataTables.get
- - chronicle.dataTables.list
- - chronicle.dataTables.update
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.featuredContentRules.list
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.findingsRefinementDeployments.get
- - chronicle.findingsRefinementDeployments.list
- - chronicle.findingsRefinementDeployments.update
- - chronicle.findingsRefinements.computeActivity
- - chronicle.findingsRefinements.computeAllActivities
- - chronicle.findingsRefinements.get
- - chronicle.findingsRefinements.list
- - chronicle.findingsRefinements.test
- - chronicle.findingsRefinements.update
- - chronicle.globalDataAccessScopes.permit
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.update
- - chronicle.instances.verifyNonce
- - chronicle.iocMatches.get
- - chronicle.iocMatches.list
- - chronicle.iocState.get
- - chronicle.iocState.update
- - chronicle.iocs.batchGet
- - chronicle.iocs.findFirstAndLastSeen
- - chronicle.iocs.get
- - chronicle.iocs.searchCuratedDetectionsForIoc
- - chronicle.legacies.legacyBatchGetCollections
- - chronicle.legacies.legacyFetchAlertsView
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacyGetAlert
- - chronicle.legacies.legacyGetCuratedRulesTrends
- - chronicle.legacies.legacyGetDetection
- - chronicle.legacies.legacyGetEventForDetection
- - chronicle.legacies.legacyGetRuleCounts
- - chronicle.legacies.legacyGetRulesTrends
- - chronicle.legacies.legacyRunTestRule
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCuratedDetections
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchDetections
- - chronicle.legacies.legacySearchDomainsRecentlyRegistered
- - chronicle.legacies.legacySearchDomainsTimingStats
- - chronicle.legacies.legacySearchEnterpriseWideAlerts
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchFindings
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchRuleDetectionCountBuckets
- - chronicle.legacies.legacySearchRuleDetectionEvents
- - chronicle.legacies.legacySearchRuleResults
- - chronicle.legacies.legacySearchRulesAlerts
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.legacies.legacyStreamDetectionAlerts
- - chronicle.legacies.legacyTestRuleStreaming
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.messages.update
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.nativeDashboards.update
- - chronicle.operations.cancel
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.preferenceSets.get
- - chronicle.preferenceSets.update
- - chronicle.referenceLists.get
- - chronicle.referenceLists.list
- - chronicle.referenceLists.update
- - chronicle.referenceLists.verifyReferenceList
- - chronicle.retrohunts.get
- - chronicle.retrohunts.list
- - chronicle.riskConfigs.get
- - chronicle.riskConfigs.update
- - chronicle.ruleDeployments.get
- - chronicle.ruleDeployments.list
- - chronicle.ruleDeployments.update
- - chronicle.ruleExecutionErrors.list
- - chronicle.rules.get
- - chronicle.rules.list
- - chronicle.rules.listRevisions
- - chronicle.rules.update
- - chronicle.rules.verifyRuleText
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.searchQueries.update
- - chronicle.threatCollections.fetchIocMatchMetadata
- - chronicle.threatCollections.fetchRuleMetadata
- - chronicle.threatCollections.get
- - chronicle.threatCollections.list
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - chronicle.watchlists.update
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsSOCAnalyst
- stage: GA
- title: Custom role SecOpsSOCAnalyst
- module.project.google_project_iam_custom_role.roles["SecOpsScopedDetectionEngineer"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.conversations.update
- - chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
- - chronicle.curatedRuleSetCategories.get
- - chronicle.curatedRuleSetCategories.list
- - chronicle.curatedRuleSetDeployments.batchUpdate
- - chronicle.curatedRuleSetDeployments.get
- - chronicle.curatedRuleSetDeployments.list
- - chronicle.curatedRuleSetDeployments.update
- - chronicle.curatedRuleSets.countCuratedRuleSetDetections
- - chronicle.curatedRuleSets.get
- - chronicle.curatedRuleSets.list
- - chronicle.curatedRules.get
- - chronicle.curatedRules.list
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.create
- - chronicle.dashboards.delete
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessLabels.update
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataAccessScopes.update
- - chronicle.dataTableOperationErrors.get
- - chronicle.dataTableRows.asyncBulkCreate
- - chronicle.dataTableRows.asyncBulkReplace
- - chronicle.dataTableRows.asyncBulkUpdate
- - chronicle.dataTableRows.bulkCreate
- - chronicle.dataTableRows.bulkReplace
- - chronicle.dataTableRows.bulkUpdate
- - chronicle.dataTableRows.create
- - chronicle.dataTableRows.delete
- - chronicle.dataTableRows.get
- - chronicle.dataTableRows.list
- - chronicle.dataTableRows.update
- - chronicle.dataTables.bulkCreateDataTableAsync
- - chronicle.dataTables.create
- - chronicle.dataTables.delete
- - chronicle.dataTables.get
- - chronicle.dataTables.list
- - chronicle.dataTables.update
- - chronicle.enrichmentControls.create
- - chronicle.enrichmentControls.delete
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.create
- - chronicle.entities.delete
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.featuredContentRules.list
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.findingsRefinementDeployments.get
- - chronicle.findingsRefinementDeployments.list
- - chronicle.findingsRefinementDeployments.update
- - chronicle.findingsRefinements.computeActivity
- - chronicle.findingsRefinements.computeAllActivities
- - chronicle.findingsRefinements.create
- - chronicle.findingsRefinements.get
- - chronicle.findingsRefinements.list
- - chronicle.findingsRefinements.test
- - chronicle.findingsRefinements.update
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.update
- - chronicle.instances.verifyNonce
- - chronicle.iocMatches.get
- - chronicle.iocMatches.list
- - chronicle.iocState.get
- - chronicle.iocState.update
- - chronicle.iocs.batchGet
- - chronicle.iocs.findFirstAndLastSeen
- - chronicle.iocs.get
- - chronicle.iocs.searchCuratedDetectionsForIoc
- - chronicle.legacies.legacyBatchGetCollections
- - chronicle.legacies.legacyFetchAlertsView
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacyGetAlert
- - chronicle.legacies.legacyGetCuratedRulesTrends
- - chronicle.legacies.legacyGetDetection
- - chronicle.legacies.legacyGetEventForDetection
- - chronicle.legacies.legacyGetRuleCounts
- - chronicle.legacies.legacyGetRulesTrends
- - chronicle.legacies.legacyRunTestRule
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCuratedDetections
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchDetections
- - chronicle.legacies.legacySearchDomainsRecentlyRegistered
- - chronicle.legacies.legacySearchDomainsTimingStats
- - chronicle.legacies.legacySearchEnterpriseWideAlerts
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchFindings
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchRuleDetectionCountBuckets
- - chronicle.legacies.legacySearchRuleDetectionEvents
- - chronicle.legacies.legacySearchRuleResults
- - chronicle.legacies.legacySearchRulesAlerts
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.legacies.legacyStreamDetectionAlerts
- - chronicle.legacies.legacyTestRuleStreaming
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.messages.update
- - chronicle.nativeDashboards.create
- - chronicle.nativeDashboards.delete
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.nativeDashboards.update
- - chronicle.operations.cancel
- - chronicle.operations.delete
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.preferenceSets.get
- - chronicle.preferenceSets.update
- - chronicle.referenceLists.create
- - chronicle.referenceLists.get
- - chronicle.referenceLists.list
- - chronicle.referenceLists.update
- - chronicle.referenceLists.verifyReferenceList
- - chronicle.retrohunts.create
- - chronicle.retrohunts.get
- - chronicle.retrohunts.list
- - chronicle.riskConfigs.get
- - chronicle.riskConfigs.update
- - chronicle.ruleDeployments.get
- - chronicle.ruleDeployments.list
- - chronicle.ruleDeployments.update
- - chronicle.ruleExecutionErrors.list
- - chronicle.rules.create
- - chronicle.rules.delete
- - chronicle.rules.get
- - chronicle.rules.list
- - chronicle.rules.listRevisions
- - chronicle.rules.update
- - chronicle.rules.verifyRuleText
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.searchQueries.update
- - chronicle.threatCollections.fetchIocMatchMetadata
- - chronicle.threatCollections.fetchRuleMetadata
- - chronicle.threatCollections.get
- - chronicle.threatCollections.list
- - chronicle.watchlists.create
- - chronicle.watchlists.delete
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - chronicle.watchlists.update
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsScopedDetectionEngineer
- stage: GA
- title: Custom role SecOpsScopedDetectionEngineer
- module.project.google_project_iam_custom_role.roles["SecOpsScopedOnboardingEngineer"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.collectors.create
- - chronicle.collectors.delete
- - chronicle.collectors.get
- - chronicle.collectors.list
- - chronicle.collectors.update
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.conversations.update
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.create
- - chronicle.dashboards.delete
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessLabels.update
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataAccessScopes.update
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.extensionValidationReports.get
- - chronicle.extensionValidationReports.list
- - chronicle.feedPacks.get
- - chronicle.feedPacks.list
- - chronicle.feedServiceAccounts.fetch
- - chronicle.feedSourceTypeSchemas.list
- - chronicle.feeds.create
- - chronicle.feeds.delete
- - chronicle.feeds.disable
- - chronicle.feeds.enable
- - chronicle.feeds.generateSecret
- - chronicle.feeds.get
- - chronicle.feeds.list
- - chronicle.feeds.update
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.forwarders.create
- - chronicle.forwarders.delete
- - chronicle.forwarders.generate
- - chronicle.forwarders.get
- - chronicle.forwarders.list
- - chronicle.forwarders.update
- - chronicle.ingestionLogLabels.get
- - chronicle.ingestionLogLabels.list
- - chronicle.ingestionLogNamespaces.get
- - chronicle.ingestionLogNamespaces.list
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.update
- - chronicle.instances.verifyNonce
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.logTypeSchemas.list
- - chronicle.logTypeSettings.get
- - chronicle.logTypeSettings.list
- - chronicle.logTypeSettings.update
- - chronicle.logTypes.create
- - chronicle.logTypes.get
- - chronicle.logTypes.list
- - chronicle.logTypes.update
- - chronicle.logs.get
- - chronicle.logs.list
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.messages.update
- - chronicle.nativeDashboards.create
- - chronicle.nativeDashboards.delete
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.nativeDashboards.update
- - chronicle.operations.cancel
- - chronicle.operations.delete
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.parserExtensions.activate
- - chronicle.parserExtensions.create
- - chronicle.parserExtensions.delete
- - chronicle.parserExtensions.generateKeyValueMappings
- - chronicle.parserExtensions.get
- - chronicle.parserExtensions.legacySubmitParserExtension
- - chronicle.parserExtensions.list
- - chronicle.parserExtensions.removeSyslog
- - chronicle.parsers.activate
- - chronicle.parsers.activateReleaseCandidate
- - chronicle.parsers.copyPrebuiltParser
- - chronicle.parsers.create
- - chronicle.parsers.deactivate
- - chronicle.parsers.delete
- - chronicle.parsers.generateEventTypesSuggestions
- - chronicle.parsers.get
- - chronicle.parsers.list
- - chronicle.parsers.runParser
- - chronicle.parsingErrors.list
- - chronicle.preferenceSets.get
- - chronicle.preferenceSets.update
- - chronicle.riskConfigs.get
- - chronicle.riskConfigs.update
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.searchQueries.update
- - chronicle.validationErrors.list
- - chronicle.validationReports.get
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - chronicle.watchlists.update
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsScopedOnboardingEngineer
- stage: GA
- title: Custom role SecOpsScopedOnboardingEngineer
- module.project.google_project_iam_custom_role.roles["SecOpsScopedSOCAnalyst"]:
- description: Terraform-managed.
- permissions:
- - chronicle.ais.createFeedback
- - chronicle.ais.translateUdmQuery
- - chronicle.ais.translateYlRule
- - chronicle.conversations.get
- - chronicle.conversations.list
- - chronicle.curatedRuleSetCategories.countAllCuratedRuleSetDetections
- - chronicle.curatedRuleSetCategories.get
- - chronicle.curatedRuleSetCategories.list
- - chronicle.curatedRuleSetDeployments.batchUpdate
- - chronicle.curatedRuleSetDeployments.get
- - chronicle.curatedRuleSetDeployments.list
- - chronicle.curatedRuleSets.countCuratedRuleSetDetections
- - chronicle.curatedRuleSets.get
- - chronicle.curatedRuleSets.list
- - chronicle.curatedRules.get
- - chronicle.curatedRules.list
- - chronicle.dashboardCharts.get
- - chronicle.dashboardCharts.list
- - chronicle.dashboardQueries.execute
- - chronicle.dashboardQueries.get
- - chronicle.dashboardQueries.list
- - chronicle.dashboards.copy
- - chronicle.dashboards.edit
- - chronicle.dashboards.get
- - chronicle.dashboards.list
- - chronicle.dashboards.schedule
- - chronicle.dataAccessLabels.get
- - chronicle.dataAccessLabels.list
- - chronicle.dataAccessScopes.get
- - chronicle.dataAccessScopes.list
- - chronicle.dataAccessScopes.permit
- - chronicle.dataTableOperationErrors.get
- - chronicle.dataTableRows.asyncBulkCreate
- - chronicle.dataTableRows.asyncBulkReplace
- - chronicle.dataTableRows.asyncBulkUpdate
- - chronicle.dataTableRows.bulkCreate
- - chronicle.dataTableRows.bulkReplace
- - chronicle.dataTableRows.bulkUpdate
- - chronicle.dataTableRows.get
- - chronicle.dataTableRows.list
- - chronicle.dataTables.bulkCreateDataTableAsync
- - chronicle.dataTables.get
- - chronicle.dataTables.list
- - chronicle.enrichmentControls.get
- - chronicle.enrichmentControls.list
- - chronicle.entities.batchCreate
- - chronicle.entities.batchDelete
- - chronicle.entities.batchValidate
- - chronicle.entities.find
- - chronicle.entities.findRelatedEntities
- - chronicle.entities.get
- - chronicle.entities.import
- - chronicle.entities.list
- - chronicle.entities.modifyEntityRiskScore
- - chronicle.entities.queryEntityRiskScoreModifications
- - chronicle.entities.searchEntities
- - chronicle.entities.summarize
- - chronicle.entities.summarizeFromQuery
- - chronicle.events.batchGet
- - chronicle.events.findUdmFieldValues
- - chronicle.events.get
- - chronicle.events.import
- - chronicle.events.queryProductSourceStats
- - chronicle.events.searchRawLogs
- - chronicle.events.udmSearch
- - chronicle.events.validateQuery
- - chronicle.featuredContentRules.list
- - chronicle.findingsGraphs.exploreNode
- - chronicle.findingsGraphs.initializeGraph
- - chronicle.findingsRefinementDeployments.get
- - chronicle.findingsRefinementDeployments.list
- - chronicle.findingsRefinements.computeActivity
- - chronicle.findingsRefinements.computeAllActivities
- - chronicle.findingsRefinements.get
- - chronicle.findingsRefinements.list
- - chronicle.findingsRefinements.test
- - chronicle.instances.generateCollectionAgentAuth
- - chronicle.instances.generateSoarAuthJwt
- - chronicle.instances.generateWorkspaceConnectionToken
- - chronicle.instances.get
- - chronicle.instances.graduatePocInstance
- - chronicle.instances.logTypeClassifier
- - chronicle.instances.report
- - chronicle.instances.verifyNonce
- - chronicle.iocMatches.get
- - chronicle.iocMatches.list
- - chronicle.iocState.get
- - chronicle.iocs.batchGet
- - chronicle.iocs.findFirstAndLastSeen
- - chronicle.iocs.get
- - chronicle.iocs.searchCuratedDetectionsForIoc
- - chronicle.legacies.legacyBatchGetCollections
- - chronicle.legacies.legacyFetchAlertsView
- - chronicle.legacies.legacyFetchUdmSearchCsv
- - chronicle.legacies.legacyFetchUdmSearchView
- - chronicle.legacies.legacyFindAssetEvents
- - chronicle.legacies.legacyFindRawLogs
- - chronicle.legacies.legacyFindUdmEvents
- - chronicle.legacies.legacyGetAlert
- - chronicle.legacies.legacyGetCuratedRulesTrends
- - chronicle.legacies.legacyGetDetection
- - chronicle.legacies.legacyGetEventForDetection
- - chronicle.legacies.legacyGetRuleCounts
- - chronicle.legacies.legacyGetRulesTrends
- - chronicle.legacies.legacyRunTestRule
- - chronicle.legacies.legacySearchArtifactEvents
- - chronicle.legacies.legacySearchArtifactIoCDetails
- - chronicle.legacies.legacySearchAssetEvents
- - chronicle.legacies.legacySearchCuratedDetections
- - chronicle.legacies.legacySearchCustomerStats
- - chronicle.legacies.legacySearchDetections
- - chronicle.legacies.legacySearchDomainsRecentlyRegistered
- - chronicle.legacies.legacySearchDomainsTimingStats
- - chronicle.legacies.legacySearchEnterpriseWideAlerts
- - chronicle.legacies.legacySearchEnterpriseWideIoCs
- - chronicle.legacies.legacySearchFindings
- - chronicle.legacies.legacySearchIngestionStats
- - chronicle.legacies.legacySearchIoCInsights
- - chronicle.legacies.legacySearchRawLogs
- - chronicle.legacies.legacySearchRuleDetectionCountBuckets
- - chronicle.legacies.legacySearchRuleDetectionEvents
- - chronicle.legacies.legacySearchRuleResults
- - chronicle.legacies.legacySearchRulesAlerts
- - chronicle.legacies.legacySearchUserEvents
- - chronicle.legacies.legacyStreamDetectionAlerts
- - chronicle.legacies.legacyTestRuleStreaming
- - chronicle.messages.get
- - chronicle.messages.list
- - chronicle.nativeDashboards.duplicate
- - chronicle.nativeDashboards.get
- - chronicle.nativeDashboards.list
- - chronicle.operations.cancel
- - chronicle.operations.get
- - chronicle.operations.list
- - chronicle.operations.streamSearch
- - chronicle.operations.wait
- - chronicle.preferenceSets.get
- - chronicle.referenceLists.get
- - chronicle.referenceLists.list
- - chronicle.referenceLists.verifyReferenceList
- - chronicle.retrohunts.get
- - chronicle.retrohunts.list
- - chronicle.riskConfigs.get
- - chronicle.ruleDeployments.get
- - chronicle.ruleDeployments.list
- - chronicle.ruleExecutionErrors.list
- - chronicle.rules.get
- - chronicle.rules.list
- - chronicle.rules.listRevisions
- - chronicle.rules.verifyRuleText
- - chronicle.searchQueries.get
- - chronicle.searchQueries.list
- - chronicle.threatCollections.fetchIocMatchMetadata
- - chronicle.threatCollections.fetchRuleMetadata
- - chronicle.threatCollections.get
- - chronicle.threatCollections.list
- - chronicle.watchlists.get
- - chronicle.watchlists.list
- - resourcemanager.projects.get
- project: test-project
- role_id: SecOpsScopedSOCAnalyst
- stage: GA
- title: Custom role SecOpsScopedSOCAnalyst
- module.project.google_project_iam_member.bindings["iam-bpa:user:bruzzechesse@google.com-roles/chronicle.editor"]:
- condition: []
- member: user:bruzzechesse@google.com
- project: test-project
- role: roles/chronicle.editor
- module.project.google_project_iam_member.bindings["user:bruzzechesse@google.com"]:
- condition:
- - description: datarbac
- expression: resource.name.endsWith('/gscope')
- title: datarbac
- member: user:bruzzechesse@google.com
- project: test-project
- role: roles/chronicle.restrictedDataAccess
- module.project.google_project_iam_member.service_agents["compute-system"]:
- condition: []
- project: test-project
- role: roles/compute.serviceAgent
- module.project.google_project_iam_member.service_agents["gcf-admin-robot"]:
- condition: []
- project: test-project
- role: roles/cloudfunctions.serviceAgent
- module.project.google_project_iam_member.service_agents["pubsub"]:
- condition: []
- project: test-project
- role: roles/pubsub.serviceAgent
- module.project.google_project_service.project_services["admin.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: admin.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["alertcenter.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: alertcenter.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["apikeys.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: apikeys.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["cloudfunctions.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: cloudfunctions.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["compute.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: compute.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["iap.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: iap.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["pubsub.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: pubsub.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["secretmanager.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: secretmanager.googleapis.com
- timeouts: null
- module.project.google_project_service.project_services["stackdriver.googleapis.com"]:
- disable_dependent_services: false
- disable_on_destroy: false
- project: test-project
- service: stackdriver.googleapis.com
- timeouts: null
- module.project.google_project_service_identity.default["apikeys.googleapis.com"]:
- project: test-project
- service: apikeys.googleapis.com
- timeouts: null
- module.project.google_project_service_identity.default["cloudfunctions.googleapis.com"]:
- project: test-project
- service: cloudfunctions.googleapis.com
- timeouts: null
- module.project.google_project_service_identity.default["iap.googleapis.com"]:
- project: test-project
- service: iap.googleapis.com
- timeouts: null
- module.project.google_project_service_identity.default["pubsub.googleapis.com"]:
- project: test-project
- service: pubsub.googleapis.com
- timeouts: null
- module.project.google_project_service_identity.default["secretmanager.googleapis.com"]:
- project: test-project
- service: secretmanager.googleapis.com
- timeouts: null
- module.secops-data-rbac.google_chronicle_data_access_label.labels["google"]:
- data_access_label_id: google
- description: Google logs
- instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
- location: europe
- project: test-project
- timeouts: null
- udm_query: principal.hostname="google.com"
- module.secops-data-rbac.google_chronicle_data_access_scope.scopes["google"]:
- allow_all: false
- allowed_data_access_labels:
- - asset_namespace: null
- data_access_label: google
- ingestion_label: []
- log_type: null
- data_access_scope_id: gscope
- denied_data_access_labels: []
- description: Google logs
- instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
- location: europe
- project: test-project
- timeouts: null
- module.secops-rules.google_chronicle_reference_list.default["test_2"]:
- description: Private CIDR ranges
- entries:
- - value: 10.0.0.0/8
- - value: 172.16.0.0/12
- - value: 192.168.0.0/16
- - value: 127.0.0.1/32
- - value: ::1/128
- - value: fc00::/7
- - value: fe80::/10
+ module.azure_ad_feeds[0].google_chronicle_feed.feeds["azure-ad"]:
+ details:
+ - amazon_kinesis_firehose_settings: []
+ amazon_s3_settings: []
+ amazon_s3_v2_settings: []
+ amazon_sqs_settings: []
+ amazon_sqs_v2_settings: []
+ anomali_settings: []
+ asset_namespace: null
+ aws_ec2_hosts_settings: []
+ aws_ec2_instances_settings: []
+ aws_ec2_vpcs_settings: []
+ aws_iam_settings: []
+ azure_ad_audit_settings: []
+ azure_ad_context_settings: []
+ azure_ad_settings:
+ - auth_endpoint: login.microsoftonline.com
+ authentication:
+ - client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
+ client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
+ hostname: graph.microsoft.com/v1.0/auditLogs/signIns
+ tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
+ azure_blob_store_settings: []
+ azure_blob_store_v2_settings: []
+ azure_event_hub_settings: []
+ azure_mdm_intune_settings: []
+ cloud_passage_settings: []
+ cortex_xdr_settings: []
+ crowdstrike_alerts_settings: []
+ crowdstrike_detects_settings: []
+ dummy_log_type_settings: []
+ duo_auth_settings: []
+ duo_user_context_settings: []
+ feed_source_type: API
+ fox_it_stix_settings: []
+ gcs_settings: []
+ gcs_v2_settings: []
+ google_cloud_identity_device_users_settings: []
+ google_cloud_identity_devices_settings: []
+ google_cloud_storage_event_driven_settings: []
+ http_settings: []
+ https_push_amazon_kinesis_firehose_settings: []
+ https_push_google_cloud_pubsub_settings: []
+ https_push_webhook_settings: []
+ imperva_waf_settings: []
+ labels: null
+ log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD
+ mandiant_ioc_settings: []
+ microsoft_graph_alert_settings: []
+ microsoft_security_center_alert_settings: []
+ mimecast_mail_settings: []
+ mimecast_mail_v2_settings: []
+ netskope_alert_settings: []
+ netskope_alert_v2_settings: []
+ office365_settings: []
+ okta_settings: []
+ okta_user_context_settings: []
+ pan_ioc_settings: []
+ pan_prisma_cloud_settings: []
+ proofpoint_mail_settings: []
+ proofpoint_on_demand_settings: []
+ pubsub_settings: []
+ qualys_scan_settings: []
+ qualys_vm_settings: []
+ rapid7_insight_settings: []
+ recorded_future_ioc_settings: []
+ rh_isac_ioc_settings: []
+ salesforce_settings: []
+ sentinelone_alert_settings: []
+ service_now_cmdb_settings: []
+ sftp_settings: []
+ symantec_event_export_settings: []
+ thinkst_canary_settings: []
+ threat_connect_ioc_settings: []
+ threat_connect_ioc_v3_settings: []
+ trellix_hx_alerts_settings: []
+ trellix_hx_bulk_acqs_settings: []
+ trellix_hx_hosts_settings: []
+ webhook_settings: []
+ workday_settings: []
+ workspace_activity_settings: []
+ workspace_alerts_settings: []
+ workspace_chrome_os_settings: []
+ workspace_groups_settings: []
+ workspace_mobile_settings: []
+ workspace_privileges_settings: []
+ workspace_users_settings: []
+ display_name: Azure AD
+ enabled: null
+ failure_details: []
instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
location: europe
project: test-project
- reference_list_id: test_2
- scope_info: []
- syntax_type: REFERENCE_LIST_SYNTAX_TYPE_CIDR
timeouts: null
- module.secops-rules.google_chronicle_rule.default["network_traffic_to_specific_country"]:
- deletion_policy: FORCE
+ module.azure_ad_feeds[0].google_chronicle_feed.feeds["azure-ad-audit"]:
+ details:
+ - amazon_kinesis_firehose_settings: []
+ amazon_s3_settings: []
+ amazon_s3_v2_settings: []
+ amazon_sqs_settings: []
+ amazon_sqs_v2_settings: []
+ anomali_settings: []
+ asset_namespace: null
+ aws_ec2_hosts_settings: []
+ aws_ec2_instances_settings: []
+ aws_ec2_vpcs_settings: []
+ aws_iam_settings: []
+ azure_ad_audit_settings:
+ - auth_endpoint: login.microsoftonline.com
+ authentication:
+ - client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
+ client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
+ hostname: graph.microsoft.com/v1.0/auditLogs/directoryAudits
+ tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
+ azure_ad_context_settings: []
+ azure_ad_settings: []
+ azure_blob_store_settings: []
+ azure_blob_store_v2_settings: []
+ azure_event_hub_settings: []
+ azure_mdm_intune_settings: []
+ cloud_passage_settings: []
+ cortex_xdr_settings: []
+ crowdstrike_alerts_settings: []
+ crowdstrike_detects_settings: []
+ dummy_log_type_settings: []
+ duo_auth_settings: []
+ duo_user_context_settings: []
+ feed_source_type: API
+ fox_it_stix_settings: []
+ gcs_settings: []
+ gcs_v2_settings: []
+ google_cloud_identity_device_users_settings: []
+ google_cloud_identity_devices_settings: []
+ google_cloud_storage_event_driven_settings: []
+ http_settings: []
+ https_push_amazon_kinesis_firehose_settings: []
+ https_push_google_cloud_pubsub_settings: []
+ https_push_webhook_settings: []
+ imperva_waf_settings: []
+ labels: null
+ log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD_AUDIT
+ mandiant_ioc_settings: []
+ microsoft_graph_alert_settings: []
+ microsoft_security_center_alert_settings: []
+ mimecast_mail_settings: []
+ mimecast_mail_v2_settings: []
+ netskope_alert_settings: []
+ netskope_alert_v2_settings: []
+ office365_settings: []
+ okta_settings: []
+ okta_user_context_settings: []
+ pan_ioc_settings: []
+ pan_prisma_cloud_settings: []
+ proofpoint_mail_settings: []
+ proofpoint_on_demand_settings: []
+ pubsub_settings: []
+ qualys_scan_settings: []
+ qualys_vm_settings: []
+ rapid7_insight_settings: []
+ recorded_future_ioc_settings: []
+ rh_isac_ioc_settings: []
+ salesforce_settings: []
+ sentinelone_alert_settings: []
+ service_now_cmdb_settings: []
+ sftp_settings: []
+ symantec_event_export_settings: []
+ thinkst_canary_settings: []
+ threat_connect_ioc_settings: []
+ threat_connect_ioc_v3_settings: []
+ trellix_hx_alerts_settings: []
+ trellix_hx_bulk_acqs_settings: []
+ trellix_hx_hosts_settings: []
+ webhook_settings: []
+ workday_settings: []
+ workspace_activity_settings: []
+ workspace_alerts_settings: []
+ workspace_chrome_os_settings: []
+ workspace_groups_settings: []
+ workspace_mobile_settings: []
+ workspace_privileges_settings: []
+ workspace_users_settings: []
+ display_name: Azure AD Audit
+ enabled: null
+ failure_details: []
instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
location: europe
project: test-project
- scope: null
- text: "rule network_traffic_to_specific_country {\n\n meta:\n author = \"\
- Google Cloud Security\"\n description = \"Identify network traffic based\
- \ on target country\"\n type = \"alert\"\n tags = \"geoip enrichment\"\
- \n data_source = \"microsoft windows events\"\n severity = \"Low\"\n \
- \ priority = \"Low\"\n\n events:\n $network.metadata.event_type = \"NETWORK_CONNECTION\"\
- \n //Specify a country of interest to monitor or add additional countries\
- \ using an or statement\n $network.target.ip_geo_artifact.location.country_or_region\
- \ = \"France\" nocase\n $network.target.ip = $ip\n\n match:\n $ip over\
- \ 30m\n\n outcome:\n $risk_score = max(35)\n $event_count = count_distinct($network.metadata.id)\n\
- \n // added to populate alert graph with additional context\n $principal_ip\
- \ = array_distinct($network.principal.ip)\n\n // Commented out target.ip\
- \ because it is already represented in graph as match variable. If match changes,\
- \ can uncomment to add to results\n //$target_ip = array_distinct($network.target.ip)\n\
- \ $principal_process_pid = array_distinct($network.principal.process.pid)\n\
- \ $principal_process_command_line = array_distinct($network.principal.process.command_line)\n\
- \ $principal_process_file_sha256 = array_distinct($network.principal.process.file.sha256)\n\
- \ $principal_process_file_full_path = array_distinct($network.principal.process.file.full_path)\n\
- \ $principal_process_product_specfic_process_id = array_distinct($network.principal.process.product_specific_process_id)\n\
- \ $principal_process_parent_process_product_specfic_process_id = array_distinct($network.principal.process.parent_process.product_specific_process_id)\n\
- \ $target_process_pid = array_distinct($network.target.process.pid)\n \
- \ $target_process_command_line = array_distinct($network.target.process.command_line)\n\
- \ $target_process_file_sha256 = array_distinct($network.target.process.file.sha256)\n\
- \ $target_process_file_full_path = array_distinct($network.target.process.file.full_path)\n\
- \ $target_process_product_specfic_process_id = array_distinct($network.target.process.product_specific_process_id)\n\
- \ $target_process_parent_process_product_specfic_process_id = array_distinct($network.target.process.parent_process.product_specific_process_id)\n\
- \ $principal_user_userid = array_distinct($network.principal.user.userid)\n\
- \ $target_user_userid = array_distinct($network.target.user.userid)\n\n \
- \ condition:\n $network\n}\n"
timeouts: null
- module.secops-rules.google_chronicle_rule_deployment.default["network_traffic_to_specific_country"]:
- alerting: true
- archived: false
- enabled: true
+ module.azure_ad_feeds[0].google_chronicle_feed.feeds["azure-ad-context"]:
+ details:
+ - amazon_kinesis_firehose_settings: []
+ amazon_s3_settings: []
+ amazon_s3_v2_settings: []
+ amazon_sqs_settings: []
+ amazon_sqs_v2_settings: []
+ anomali_settings: []
+ asset_namespace: null
+ aws_ec2_hosts_settings: []
+ aws_ec2_instances_settings: []
+ aws_ec2_vpcs_settings: []
+ aws_iam_settings: []
+ azure_ad_audit_settings: []
+ azure_ad_context_settings:
+ - auth_endpoint: login.microsoftonline.com
+ authentication:
+ - client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
+ client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
+ hostname: graph.microsoft.com/beta
+ retrieve_devices: null
+ retrieve_groups: null
+ tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
+ azure_ad_settings: []
+ azure_blob_store_settings: []
+ azure_blob_store_v2_settings: []
+ azure_event_hub_settings: []
+ azure_mdm_intune_settings: []
+ cloud_passage_settings: []
+ cortex_xdr_settings: []
+ crowdstrike_alerts_settings: []
+ crowdstrike_detects_settings: []
+ dummy_log_type_settings: []
+ duo_auth_settings: []
+ duo_user_context_settings: []
+ feed_source_type: API
+ fox_it_stix_settings: []
+ gcs_settings: []
+ gcs_v2_settings: []
+ google_cloud_identity_device_users_settings: []
+ google_cloud_identity_devices_settings: []
+ google_cloud_storage_event_driven_settings: []
+ http_settings: []
+ https_push_amazon_kinesis_firehose_settings: []
+ https_push_google_cloud_pubsub_settings: []
+ https_push_webhook_settings: []
+ imperva_waf_settings: []
+ labels: null
+ log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD_CONTEXT
+ mandiant_ioc_settings: []
+ microsoft_graph_alert_settings: []
+ microsoft_security_center_alert_settings: []
+ mimecast_mail_settings: []
+ mimecast_mail_v2_settings: []
+ netskope_alert_settings: []
+ netskope_alert_v2_settings: []
+ office365_settings: []
+ okta_settings: []
+ okta_user_context_settings: []
+ pan_ioc_settings: []
+ pan_prisma_cloud_settings: []
+ proofpoint_mail_settings: []
+ proofpoint_on_demand_settings: []
+ pubsub_settings: []
+ qualys_scan_settings: []
+ qualys_vm_settings: []
+ rapid7_insight_settings: []
+ recorded_future_ioc_settings: []
+ rh_isac_ioc_settings: []
+ salesforce_settings: []
+ sentinelone_alert_settings: []
+ service_now_cmdb_settings: []
+ sftp_settings: []
+ symantec_event_export_settings: []
+ thinkst_canary_settings: []
+ threat_connect_ioc_settings: []
+ threat_connect_ioc_v3_settings: []
+ trellix_hx_alerts_settings: []
+ trellix_hx_bulk_acqs_settings: []
+ trellix_hx_hosts_settings: []
+ webhook_settings: []
+ workday_settings: []
+ workspace_activity_settings: []
+ workspace_alerts_settings: []
+ workspace_chrome_os_settings: []
+ workspace_groups_settings: []
+ workspace_mobile_settings: []
+ workspace_privileges_settings: []
+ workspace_users_settings: []
+ display_name: Azure AD Context
+ enabled: null
+ failure_details: []
instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
location: europe
project: test-project
- run_frequency: LIVE
- timeouts: null
- module.secops-tenant-secrets.google_secret_manager_secret.default["secops-feeds-api-key"]:
- annotations: null
- deletion_protection: false
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- project: test-project
- replication:
- - auto:
- - customer_managed_encryption: []
- user_managed: []
- rotation: []
- secret_id: secops-feeds-api-key
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
timeouts: null
- topics: []
- ttl: null
- version_aliases: null
- version_destroy_ttl: null
- module.secops-tenant-secrets.google_secret_manager_secret.default["secops-workspace-ing-sa-key"]:
- annotations: null
- deletion_protection: false
- effective_labels:
- goog-terraform-provisioned: 'true'
- labels: null
- project: test-project
- replication:
- - auto:
- - customer_managed_encryption: []
- user_managed: []
- rotation: []
- secret_id: secops-workspace-ing-sa-key
- tags: null
- terraform_labels:
- goog-terraform-provisioned: 'true'
- timeouts: null
- topics: []
- ttl: null
- version_aliases: null
- version_destroy_ttl: null
- module.secops-tenant-secrets.google_secret_manager_secret_version.default["secops-feeds-api-key/latest"]:
- deletion_policy: DELETE
- enabled: true
- is_secret_data_base64: false
- secret_data_wo: null
- secret_data_wo_version: 0
- timeouts: null
- module.secops-tenant-secrets.google_secret_manager_secret_version.default["secops-workspace-ing-sa-key/latest"]:
- deletion_policy: DELETE
- enabled: true
- is_secret_data_base64: false
- secret_data_wo: null
- secret_data_wo_version: 0
- timeouts: null
- module.secops_data_tables.google_chronicle_data_table.default["sample_data_table_domains"]:
- column_info:
- - column_index: 0
- column_type: STRING
- key_column: null
- mapped_column_path: null
- original_column: rank
- repeated_values: null
- - column_index: 1
- column_type: STRING
- key_column: null
- mapped_column_path: null
- original_column: domain
- repeated_values: null
- data_table_id: sample_data_table_domains
- deletion_policy: DEFAULT
- description: Sample Data Table for domains
- instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
- location: europe
- project: test-project
- row_time_to_live: null
- scope_info: []
- timeouts: null
- module.secops_data_tables.google_chronicle_data_table_row.default["sample_data_table_domains_0"]:
- data_table_id: sample_data_table_domains
- instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
- location: europe
- project: test-project
- row_time_to_live: null
- timeouts: null
- values:
- - '1'
- - google.com
- module.secops_data_tables.google_chronicle_data_table_row.default["sample_data_table_domains_1"]:
- data_table_id: sample_data_table_domains
- instance: xxxxxxx-xxxxx-xxxxxx-xxxxxxx
- location: europe
- project: test-project
- row_time_to_live: null
- timeouts: null
- values:
- - '2'
- - www.google.com
- module.workspace-integration-sa[0].google_service_account.service_account[0]:
- account_id: workspace-integration
- create_ignore_already_exists: null
- description: null
- disabled: false
- display_name: Terraform-managed.
- email: workspace-integration@test-project.iam.gserviceaccount.com
- member: serviceAccount:workspace-integration@test-project.iam.gserviceaccount.com
- project: test-project
- timeouts: null
- restful_operation.webhook_feeds_secret["okta"]:
- body: null
- delete_body: null
- delete_header: null
- delete_method: null
- delete_path: null
- delete_query: null
- ephemeral_body: null
- header: null
- id_builder: null
- method: POST
- operation_header: null
- operation_query: null
- output_attrs: null
- poll: null
- poll_delete: null
- precheck: null
- precheck_delete: null
- query: null
- restful_resource.azure_ad_feeds["azure-ad"]:
- body:
- details:
- azure_ad_settings:
- auth_endpoint: login.microsoftonline.com
- authentication:
- client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
- client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
- hostname: graph.microsoft.com/v1.0/auditLogs/signIns
- tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
- feed_source_type: API
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD
- display_name: azure-ad
- name: azure-ad
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="azure-ad")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.azure_ad_feeds["azure-ad-audit"]:
- body:
- details:
- azure_ad_audit_settings:
- auth_endpoint: login.microsoftonline.com
- authentication:
- client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
- client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
- hostname: graph.microsoft.com/v1.0/auditLogs/directoryAudits
- tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
- feed_source_type: API
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD_AUDIT
- display_name: azure-ad-audit
- name: azure-ad-audit
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="azure-ad-audit")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.azure_ad_feeds["azure-ad-context"]:
- body:
- details:
- azure_ad_context_settings:
- auth_endpoint: login.microsoftonline.com
- authentication:
- client_id: xxxxxxx-xxxxx-xxxxx-xxxxxxx
- client_secret: xxxxxxxxxxxxxxxxxxxxxxxxx
- hostname: graph.microsoft.com/beta
- retrieve_devices: true
- retrieve_groups: true
- tenant_id: xxxxxx-xxxxx-xxxxx-xxxxxxx
- feed_source_type: API
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/AZURE_AD_CONTEXT
- display_name: azure-ad-context
- name: azure-ad-context
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="azure-ad-context")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.okta_ad_feeds["okta"]:
- body:
- details:
- feed_source_type: API
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/OKTA
- okta_settings:
- authentication:
- header_key_values:
- - key: Authorization
- value: XXXXXXXXXXXXX
- hostname: xxxxx.okta.com
- display_name: okta
- name: okta
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="okta")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.okta_ad_feeds["okta-user-context"]:
- body:
- details:
- feed_source_type: API
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/OKTA_USER_CONTEXT
- okta_user_context_settings:
- authentication:
- header_key_values:
- - key: Authorization
- value: XXXXXXXXXXXXX
- hostname: xxxxx.okta.com
- manager_id_reference_field: managerId
- display_name: okta-user-context
- name: okta-user-context
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="okta-user-context")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.webhook_feeds["okta"]:
- body:
- details:
- feed_source_type: HTTPS_PUSH_WEBHOOK
- httpsPushWebhookSettings: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/okta
- display_name: webhook-okta
- name: okta
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="okta")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-activity"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_ACTIVITY
- workspace_activity_settings:
- applications:
- - access_transparency
- - admin
- - calendar
- - chat
- - drive
- - gcp
- - gplus
- - groups
- - groups_enterprise
- - jamboard
- - login
- - meet
- - mobile
- - rules
- - saml
- - token
- - user_accounts
- - context_aware_access
- - chrome
- - data_studio
- - keep
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: CXXXXXXXX
- display_name: ws-activity
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-activity")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-alerts"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_ALERTS
- workspace_alerts_settings:
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: XXXXXXXX
- display_name: ws-alerts
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-alerts")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-chrome"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_CHROMEOS
- workspace_chrome_os_settings:
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: CXXXXXXXX
- display_name: ws-chrome
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-chrome")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-group"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_GROUPS
- workspace_groups_settings:
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: CXXXXXXXX
- display_name: ws-group
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-group")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-mobile"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_MOBILE
- workspace_mobile_settings:
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: CXXXXXXXX
- display_name: ws-mobile
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-mobile")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
- restful_resource.workspace_feeds["ws-users"]:
- body:
- details:
- asset_namespace: ''
- feed_source_type: API
- labels: {}
- log_type: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/logTypes/WORKSPACE_USERS
- workspace_users_settings:
- authentication:
- claims:
- audience: https://oauth2.googleapis.com/token
- issuer: workspace-integration@test-project.iam.gserviceaccount.com
- subject: secops-feed@example.com
- rs_credentials: {}
- token_endpoint: https://oauth2.googleapis.com/token
- workspace_customer_id: CXXXXXXXX
- display_name: ws-users
- check_existance: false
- create_header: null
- create_method: POST
- create_query: null
- create_selector: null
- delete_body: null
- delete_body_raw: null
- delete_header: null
- delete_method: DELETE
- delete_path: $query_unescape(body.name)
- delete_query: null
- ephemeral_body: null
- force_new_attrs: null
- header: null
- merge_patch_disabled: null
- output_attrs: null
- path: projects/test-project/locations/europe/instances/xxxxxxx-xxxxx-xxxxxx-xxxxxxx/feeds
- poll_create: null
- poll_delete: null
- poll_update: null
- precheck_create: null
- precheck_delete: null
- precheck_update: null
- query: null
- read_header: null
- read_path: null
- read_query: null
- read_response_template: null
- read_selector: feeds.#(displayName=="ws-users")
- update_body_patches: null
- update_header: null
- update_method: null
- update_path: null
- update_query: null
- write_only_attrs:
- - details
-
-counts:
- google_apikeys_key: 1
- google_chronicle_data_access_label: 1
- google_chronicle_data_access_scope: 1
- google_chronicle_data_table: 1
- google_chronicle_data_table_row: 2
- google_chronicle_reference_list: 1
- google_chronicle_rule: 1
- google_chronicle_rule_deployment: 1
- google_monitoring_alert_policy: 3
- google_monitoring_notification_channel: 1
- google_org_policy_policy: 1
- google_project: 1
- google_project_iam_binding: 1
- google_project_iam_custom_role: 7
- google_project_iam_member: 5
- google_project_service: 9
- google_project_service_identity: 5
- google_secret_manager_secret: 2
- google_secret_manager_secret_version: 2
- google_service_account: 1
- google_service_account_key: 1
- modules: 6
- resources: 61
- restful_operation: 1
- restful_resource: 12
-
-outputs:
- project_id: test-project
-
+ module.okta_feeds[0].google_chronicle_feed.feeds["okta"]:
+ details:
+ - amazon_kinesis_firehose_settings: []
+ amazon_s3_settings: []
+ amazon_s3_v2_settings: []
+ amazon_sqs_settings: []
+ amazon_sqs_v2_settings: []
+ anomali_settings: []
+ asset_namespace: null
+ aws_ec2_hosts_settings: []
+ aws_ec2_instances_settings: []
+ aws_ec2_vpcs_settings: []
+ aws_iam_settings: []
+ azure_ad_audit_settings: []
+ azure_ad_context_settings: []
+ azure_ad_settings: []
+ azure_blob_store_settings: []
+ azure_blob_store_v2_settings: []
+ azure_event_hub_settings: []
+ azure_mdm_intune_settings: []
+ cloud_passage_settings: []
+ cortex_xdr_settings: []
+ crowdstrike_alerts_settings: []
+ crowdstrike_detects_settings: []
+ dummy_log_type_settings: []
+ duo_auth_settings: []
+ duo_user_context_settings: []
\ No newline at end of file
diff --git a/tests/modules/secops_feeds/examples/basic.yaml b/tests/modules/secops_feeds/examples/basic.yaml
new file mode 100644
index 0000000..25e5a29
--- /dev/null
+++ b/tests/modules/secops_feeds/examples/basic.yaml
@@ -0,0 +1,116 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.secops.google_chronicle_feed.feeds["azure-ad"]:
+ details:
+ - amazon_kinesis_firehose_settings: []
+ amazon_s3_settings: []
+ amazon_s3_v2_settings: []
+ amazon_sqs_settings: []
+ amazon_sqs_v2_settings: []
+ anomali_settings: []
+ asset_namespace: null
+ aws_ec2_hosts_settings: []
+ aws_ec2_instances_settings: []
+ aws_ec2_vpcs_settings: []
+ aws_iam_settings: []
+ azure_ad_audit_settings: []
+ azure_ad_context_settings: []
+ azure_ad_settings:
+ - auth_endpoint: login.microsoftonline.com
+ authentication:
+ - client_id: xxxxxxxxxxxxxxxx
+ client_secret: xxxxxxxxxxxxxxxx
+ hostname: graph.microsoft.com/v1.0/auditLogs/signIns
+ tenant_id: xxxxxxxxxxxxxxxx
+ azure_blob_store_settings: []
+ azure_blob_store_v2_settings: []
+ azure_event_hub_settings: []
+ azure_mdm_intune_settings: []
+ cloud_passage_settings: []
+ cortex_xdr_settings: []
+ crowdstrike_alerts_settings: []
+ crowdstrike_detects_settings: []
+ dummy_log_type_settings: []
+ duo_auth_settings: []
+ duo_user_context_settings: []
+ feed_source_type: API
+ fox_it_stix_settings: []
+ gcs_settings: []
+ gcs_v2_settings: []
+ google_cloud_identity_device_users_settings: []
+ google_cloud_identity_devices_settings: []
+ google_cloud_storage_event_driven_settings: []
+ http_settings: []
+ https_push_amazon_kinesis_firehose_settings: []
+ https_push_google_cloud_pubsub_settings: []
+ https_push_webhook_settings: []
+ imperva_waf_settings: []
+ labels: null
+ log_type: projects/project-id/locations/europe/instances/xxxxxxxxxxxxx/logTypes/AZURE_AD
+ mandiant_ioc_settings: []
+ microsoft_graph_alert_settings: []
+ microsoft_security_center_alert_settings: []
+ mimecast_mail_settings: []
+ mimecast_mail_v2_settings: []
+ netskope_alert_settings: []
+ netskope_alert_v2_settings: []
+ office365_settings: []
+ okta_settings: []
+ okta_user_context_settings: []
+ pan_ioc_settings: []
+ pan_prisma_cloud_settings: []
+ proofpoint_mail_settings: []
+ proofpoint_on_demand_settings: []
+ pubsub_settings: []
+ qualys_scan_settings: []
+ qualys_vm_settings: []
+ rapid7_insight_settings: []
+ recorded_future_ioc_settings: []
+ rh_isac_ioc_settings: []
+ salesforce_settings: []
+ sentinelone_alert_settings: []
+ service_now_cmdb_settings: []
+ sftp_settings: []
+ symantec_event_export_settings: []
+ thinkst_canary_settings: []
+ threat_connect_ioc_settings: []
+ threat_connect_ioc_v3_settings: []
+ trellix_hx_alerts_settings: []
+ trellix_hx_bulk_acqs_settings: []
+ trellix_hx_hosts_settings: []
+ webhook_settings: []
+ workday_settings: []
+ workspace_activity_settings: []
+ workspace_alerts_settings: []
+ workspace_chrome_os_settings: []
+ workspace_groups_settings: []
+ workspace_mobile_settings: []
+ workspace_privileges_settings: []
+ workspace_users_settings: []
+ display_name: Azure AD
+ enabled: null
+ failure_details: []
+ instance: xxxxxxxxxxxxx
+ location: europe
+ project: project-id
+ timeouts: null
+
+counts:
+ google_chronicle_feed: 1
+ modules: 1
+ resources: 1
+
+outputs: {}
\ No newline at end of file
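Review bot: The expected values under `azure_ad_settings` → `authentication` list `client_secret` beside `client_id` as an ordinary planned attribute of `google_chronicle_feed`, so the Azure AD application secret presumably ends up in plan output and Terraform state wherever this module is applied. The module code is outside this hunk, so please confirm that the variable feeding this field is declared `sensitive = true` and that the README tells users to source it from a secret store and to keep state in an access-restricted backend. A short comment above `values:`, for example `# client_id/client_secret/tenant_id are placeholders, never commit real feed credentials to fixtures`, would make the intent explicit for whoever regenerates this file. The fixture also asserts only the `azure-ad` feed (`resources: 1`) and ends without a trailing newline, so a second example covering a header-token feed such as Okta would pin the other authentication shape.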