Data source UUIDs - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2026-04-10
Category
Administrator Guide

Data source UUIDs

This table lists the Cribl catalog for the specific collectors supported. If a dedicated collector does not exist, use the generic UUID collector.

Note

Any data source can be ingested using the generic UUID collector with the correct vendor and product fields. However, while parsing and modeling rules can be applied to any source, out-of-the-box (OOTB) analytics are only available for data sources using dedicated UUIDs.

Vendor

Product

UUID

Datasets

Collection Method

Your specific vendor name, when it is not listed below (Generic)

Your specific product name, when it is not listed below (Generic)

af01292940d7426594d3d3e55ae17ee0

Note

Do not use this generic UUID when your data source is listed in this table.

<Vendor>_<Product>_raw

Amazon

AWS audit logs

c19f87b6262f48259b3d5d2a2c691802

aws_s3_raw

These AWS logs are collected via Amazon S3. To ensure collector compatibility, see Ingest audit logs from AWS CloudTrail.

AWS EKS

fb8a9d4922cb4095b76d71e921d2d999

amazon_eks_raw

These AWS logs are collected via Amazon CloudWatch. To ensure collector compatibility, see Ingest logs from Amazon CloudWatch.

AWS flow logs

667083aa68544eee8b67cdd2d4cc327b

amazon_aws_raw

These logs are collected via Amazon S3. To ensure collector compatibility, see Ingest network flow logs from Amazon S3.

AWS generic logs

0498f8a24de04b3e85102e742f6783f8

amazon_aws_raw

These logs are collected via Amazon S3. To ensure collector compatibility, see Ingest generic logs from Amazon S3.

AWS prompt logs

a53edad7ef0c46ffb5037fb2e21520cb

amazon_aws_raw

For setup details, see Prompt log collection in AWS.

AWS Route 53 logs

d57ae82c1e2a4d138fc34084d159b09e

amazon_route53_raw

These logs are collected via Amazon S3. To ensure collector compatibility, see Ingest Network Route 53 Logs from Amazon S3.

Box

Box

3ef05d14ae9349f8bbd48c8a4797334a

  • Events (admin_logs): box_admin_logs_raw

  • Box Shield Alerts: box_shield_alerts_raw

  • Users: box_users_raw

  • Groups: box_groups_raw

The BOX_DIRECTORIES connector queries the following Box API endpoints:

  • Users

    • Endpoint: https://api.box.com/2.0/users

    • Purpose: To fetch the list of users in Box enterprise.

  • Groups

    • Endpoint: https://api.box.com/2.0/groups

    • Purpose: To fetch the list of groups in Box enterprise.

For setup details, see Ingest Logs and Data from Box.

CrowdStrike

Falcon incident

230b2b0233bf4327806af72e6e5769f3

crowdstrike_falcon_incident_raw

Currently not supported by Cribl

CrowdStrike Streaming API

Base URL: https://api.crowdstrike.com (or `api.us-2.crowdstrike.com`, `api.eu-1.crowdstrike.com`, etc.)

GET /sensors/entities/datafeed/v2

For setup details, see Ingest alerts and metadata from CrowdStrike APIs.

Hosts

8b673ac8e2f34b4a8dc14c22f0e6063b

crowdstrike_hosts_raw

CrowdStrike Devices API

GET /devices/queries/devices-scroll/v1

POST /devices/entities/devices/v2

For setup details, see Ingest alerts and metadata from CrowdStrike APIs.

Dropbox

Directory

e8d2c52bc9594621924fab0507264586

  • dropbox_members_devices_raw

  • dropbox_users_raw

  • dropbox_groups_raw

Base URL: https://api.dropboxapi.com

  • Users (dropbox_users_raw)

    • Endpoint: /2/team/members/list_v2

  • Groups (dropbox_groups_raw)

    • Endpoint: /2/team/groups/list

  • Devices (dropbox_member_devices_raw)

    • Endpoint: /2/team/devices/list_members_devices

For setup details, see Ingest Logs and Data from Dropbox.

Events

a6322b2fd9e545e0a4223ba754c48fb9

dropbox_events_raw

Base URL: https://api.dropboxapi.com

Endpoint: /2/team_log/get_events

For setup details, see Ingest Logs and Data from Dropbox.

Google

Cloud Logging (audit logs/flow logs)

00a8322c85e14beabfa7ad5f3d62db73

google_cloud_logging_raw

For setup details, see Ingest Logs and Data from a GCP Pub/Sub.

Google

Gmail

8607490288d1407ba82b5c5ad9dc64a0

google_gmail_raw

GET https://gmail.googleapis.com/gmail/v1/users/{userId}/messages

For setup details, see Ingest Logs and Data from Google Workspace.

Google

Workspace alerts

4f263650cd29475c81f2ff953cf19827

google_workspace_alerts_raw

Description: Ingests security and system alerts from the Google Workspace Alert Center.

  • API Details

    • API Name: Google Alert Center API

    • Version: `v1beta1`

    • Base URL: `https://alertcenter.googleapis.com`

    • Endpoint: `/v1beta1/alerts`

    • Method: `GET` (List)

    • OAuth Scope: `https://www.googleapis.com/auth/apps.alerts`

  • Request Parameters

    • filter: Used for incremental ingestion based on `createTime`.

    • Format: `createTime >= "[TIMESTAMP_START]" AND createTime < "[TIMESTAMP_END]"`

    • orderBy: `createTime asc`

    • pageToken: Used for pagination.

  • Data Mapping

    • Source: The full JSON response object from the `alerts` list.

    • Destination: Each alert object is ingested as a single record.

For setup details, see Ingest Logs and Data from Google Workspace.

Google

Workspace ChromeOS devices

e82ae276e6b9442fa80920a03d2a38d6

google_workspace_chrome_raw

GET https://admin.googleapis.com/admin/directory/v1/customer/{customer}/devices/chromeos

For setup details, see Ingest Logs and Data from Google Workspace.

Google

Workspace groups

689ae8ef14e848e3855b81e91d8af9bc

google_workspace_enterprise_groups_raw

GET https://admin.googleapis.com/admin/directory/v1/groups

For setup details, see Ingest Logs and Data from Google Workspace.

Google

Workspace rules

2621aaf3334a4147ae727afe84db31a9

google_workspace_rules_raw

GET https://gmail.googleapis.com/gmail/v1/users/{userId}/settings/filters

For setup details, see Ingest Logs and Data from Google Workspace.

Google

Workspace users

359ecd845fa54caab6ddb4b7c7a2764d

google_workspace_user_acounts_raw

GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}

For setup details, see Ingest Logs and Data from Google Workspace.

Microsoft

Azure

fce13a1d51294f84bae4a37851503060

msft_azure_raw

Azure Event Hubs SDK (AMQP): For setup details, see Ingest Logs from Microsoft Azure Event Hub.

Microsoft

Azure AD

c00d6d52e5b141a8baa8db9d9345423d

msft_azure_ad_raw

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Azure AD audit

0e076d5abe864bf78e8145ea9e0d749e

msft_azure_ad_audit_raw

Microsoft Graph API: GET /v1.0/auditLogs/directoryaudits

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Azure AD sign-ins

f56dcfdf6bca43e793a4b6e9290e7b12

msft_azure_ad_raw

Microsoft Graph API: GET /v1.0/auditLogs/signIns

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Defender

ce9e8cf36e0742c38aa89787a256855f

msft_defender_raw

Azure Event Hubs SDK (AMQP): For setup details, see Ingest raw EDR events from Microsoft Defender for Endpoint.

Note

To enable analytics, contact Customer Support.

Microsoft

DHCP

b55819e8959c49728d5d98a6d87eafb6

msft_dhcp_raw

File Collection: C:\Windows\System32\dhcp\DhcpSrvLog-*.log

For setup details, see Ingest logs from Windows DHCP using Elasticsearch Filebeat.

Microsoft

Graph security alerts

5619f2f691fc46c4b202587fdaa031c3

msft_graph_security_alerts_raw

Microsoft Graph API: /v1.0/security/alerts_v2

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 Azure AD

e1f109f886ea42fbb96be6ec0cc597a9

msft_o365_azure_ad_raw

The Base URLs for the APIs are (depending on the environment):

Worldwide: `https://manage.office.com`

GCC: `https://manage-gcc.office.com`

GCC High: `https://manage.office365.us`

DoD: `https://manage.protection.apps.mil`

Endpoints:

Start Subscription: /api/v1.0/{tenantID}/activity/feed/subscriptions/start?contentType={type}

List Available Content: /api/v1.0/{tenantID}/activity/feed/subscriptions/content?contentType={type}

Fetch Content Blob: Dynamic URI returned from the “List Available Content” call.

Content Types: `audit.exchange`, `audit.sharepoint`, `audit.general`, `audit.azureactivedirectory`, `dlp.all`.

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 DLP

8f052782739d4b8389644cca23b994ac

msft_o365_dlp_raw

See Office 365 Azure AD.

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 domains

cae29fd87b554bd9a5694afb225e8dc9

msft_o365_domains_raw

Microsoft Graph API: GET /v1.0/domains

Microsoft

Office 365 Exchange Online

dee8e85ce7db4573a8bc21b807e1d73a

msft_o365_exchange_online_raw

See Office 365 Azure AD.

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 General

c7655e83805b4a058e66043a6715156c

msft_o365_general_raw

See Office 365 Azure AD.

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 SharePoint Online

3a37f519e9094a3f8c4185fa572cd111

msft_o365_sharepoint_online_raw

See Office 365 Azure AD.

For setup details, see Ingest Logs from Microsoft Office 365.

Microsoft

Office 365 contacts (email)

de1b694a6c8341958bc08c4b7c140874

msft_o365_contacts_raw

Microsoft Graph API: GET /v1.0/users/{id}/mailFolders/inbox/messageRules

For setup details, see Ingest logs and data from Microsoft 365.

Microsoft

Office 365 devices (email)

de229685f708413fad46289657ea09de

msft_o365_devices_raw

Microsoft Graph API: GET /v1.0/users/{id}/registeredDevices

For setup details, see Ingest logs and data from Microsoft 365.

Microsoft

Office 365 groups (email)

0b0499ac0d984145b201c6d674771dbf

msft_o365_groups_raw

Microsoft Graph API: GET /v1.0/groups

For setup details, see Ingest logs and data from Microsoft 365.

Microsoft

Office 365 mailboxes (email)

9855a03559ce4263b568671e695d1fa8

msft_o365_mailboxes_raw

The base URL for the APIs depends on the environment: https://graph.microsoft.com (or https://graph.microsoft.us for FedRAMP)

Incoming Messages: GET /v1.0/users/{id}/messages

Outgoing Messages: GET /v1.0/users/{id}/mailFolders/sentitems/messages/delta

For setup details, see Ingest logs and data from Microsoft 365.

Microsoft

Office 365 rules (email)

6b925df8923d4038bf78998d1ffde77c

msft_o365_rules_raw

Microsoft Graph API: /users/{id}/mailFolders/inbox/messageRules

For setup details, see Ingest logs and data from Microsoft 365.

Microsoft

Office 365 users (email)

dcfb7a412e654efd868de0b8cf81766a

msft_o365_users_raw

Microsoft Graph API: GET /v1.0/users

For setup details, see Ingest logs and data from Microsoft 365.

Okta

SSO

5faf4c1fdb8443d9920d6a54815432c1

okta_sso_raw

Okta System Log API

Base URL: https://{your-okta-domain}.okta.com

GET /api/v1/logs

For setup details, see Ingest Logs and Data from Okta.

OneLogin

Events

22b23a3f9f1e49998645b683d5dc3a6f

onelogin_events_raw

Base URL: https://<subdomain>.onelogin.com

Endpoint: /api/1/events

For setup details, see Ingest Logs and Data from OneLogin.

OneLogin

88cfbd3e7b974d999b10edac83995b8a

  • onelogin_users_raw

  • onelogin_groups_raw

  • onelogin_apps_raw

Base URL: https://<subdomain>.onelogin.com

Endpoints:

  • Users: /api/1/users

  • Groups: /api/1/groups

  • Apps: /api/2/apps

For setup details, see Ingest Logs and Data from OneLogin.

PingID

PingOne

924951a8394b4605b1725f943292ab4f

pingid_pingone_raw

PingOne API:

Base URL: https://admin-api.pingone.com

Endpoint: /v3/reports/{account_id}/poll-subscriptions/{subscription_id}/events

For setup details, see Ingest Authentication Logs and Data from PingOne.

Proofpoint

TAP

3eefce0f791e4391a3643b8cf860a361

proofpoint_tap_raw

API Base URL: https://tap-api-v2.proofpoint.com

Resource Path: `/v2/siem/all`

For setup details, see Ingest Logs from Proofpoint Targeted Attack Protection.

Salesforce

Salesforce logs

ab109687acd24978aabcb7ad8b5742e3

  • salesforce_login_raw

  • salesforce_audit_raw

  • salesforce_eventlogfile_raw

The data schema for salesforce_eventlogfile_raw is dynamic and not hardcoded in the data collector's source code.

Here's how it works:

Dynamic Field Discovery: The collector calls the Salesforce describe endpoint (/services/data/v56.0/sobjects/EventLogFile/describe) to retrieve the list of all available fields for the EventLogFile object.

Query Construction: It constructs a SOQL query selecting all the discovered fields, for example SELECT Id, LogFile, LogDate, ... FROM EventLogFile.

CSV to JSON: The downloaded log files are in CSV format. The collector converts each CSV row into a JSON object where the keys are the CSV headers (which correspond to the fields discovered in the Dynamic Field Discovery explained above).

For setup details, see Ingest logs and data from Salesforce.com.
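The three steps above (field discovery, SOQL construction, CSV-to-JSON conversion) as an added worked example; this is not the collector's own code. The describe response and the Login event log CSV are constructed samples, and the failed-login check at the end is an assumed downstream use of the converted records.

```python
import csv
import io
import json

# Constructed sample: a trimmed response from the EventLogFile describe
# endpoint (/services/data/v56.0/sobjects/EventLogFile/describe). Only the
# "fields" list matters here; a real response carries many more keys.
DESCRIBE_RESPONSE = {
    "name": "EventLogFile",
    "fields": [
        {"name": "Id", "type": "id"},
        {"name": "EventType", "type": "picklist"},
        {"name": "LogDate", "type": "datetime"},
        {"name": "LogFile", "type": "base64"},
        {"name": "LogFileLength", "type": "double"},
    ],
}

# Constructed sample: the body of one downloaded Login event log file (CSV).
# The header row supplies the JSON keys; the quoted user agent containing a
# comma shows why a real CSV parser is needed rather than str.split(",").
LOGIN_CSV = (
    '"EVENT_TYPE","TIMESTAMP","USER_ID","LOGIN_STATUS","USER_AGENT"\n'
    '"Login","20240306123000.000","005000000000001","LOGIN_NO_ERROR","Mozilla/5.0 (X11, Linux)"\n'
    '"Login","20240306123100.000","005000000000002","LOGIN_ERROR_INVALID_PASSWORD","curl/8.0"\n'
)


def build_soql(describe):
    """Step 2: select every field the describe call reported, in API order."""
    names = [f["name"] for f in describe["fields"]]
    return "SELECT " + ", ".join(names) + " FROM EventLogFile"


def csv_to_records(body):
    """Step 3: one dict per CSV row, keyed by the header cells."""
    reader = csv.DictReader(io.StringIO(body))
    return [dict(row) for row in reader]


def failed_logins(records):
    """Assumed downstream check: user IDs whose login did not succeed."""
    return [r["USER_ID"] for r in records if r["LOGIN_STATUS"] != "LOGIN_NO_ERROR"]


if __name__ == "__main__":
    print(build_soql(DESCRIBE_RESPONSE))
    records = csv_to_records(LOGIN_CSV)
    print(json.dumps(records[0], indent=2))
    print("failed logins:", failed_logins(records))
```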

Salesforce snapshots

addbf31a6372491e88d45934dff5b5b0

The data fetched by this data collector is written to datasets based on the Salesforce object being retrieved. The data collector dynamically sets the Product field in the response to the name of the Salesforce object. Following the standard naming convention <vendor>_<product>_raw (where the vendor is salesforce), the data is written to the following datasets (corresponding to the objects defined in consts.go):

  • salesforce_ConnectedApplication_raw

  • salesforce_PermissionSet_raw

  • salesforce_Profile_raw

  • salesforce_GroupMember_raw

  • salesforce_Group_raw

  • salesforce_User_raw

  • salesforce_UserRole_raw

  • salesforce_TenantSecurityLogin_raw

  • salesforce_UserAccountTeamMember_raw

  • salesforce_TenantSecurityUserPerm_raw

Authentication:

Path: /services/oauth2/token

Purpose: Used for obtaining and refreshing access tokens.

Data Query:

Path: /services/data/v56.0/queryAll

Purpose: Used to execute SOQL queries to fetch records for the snapshot objects, such as User, Profile, and Group.

Object Description:

Path: /services/data/v56.0/sobjects/{object}/describe

Purpose: Used to dynamically retrieve the list of fields for a specific object before querying it.

All endpoints are relative to the base URL: https://{domain}.my.salesforce.com.

For setup details, see Ingest logs and data from Salesforce.com.

SentinelOne

Deep Visibility

b9fa55e6fa564c709358425ce0f61517

sentinelone_deep_visibility_raw

For setup details, see Ingest raw EDR events from SentinelOne DeepVisibility.

Note

To enable analytics, contact Customer Support.

ServiceNow

CMDB

8b3e767247e44471a95e563378d0b9be

servicenow_cmdb_<table name>_raw

ServiceNow Table API

Base URL: https://{instance}.service-now.com

GET /api/now/table/{table_name}

For setup details, see Ingest Data from ServiceNow CMDB.

Workday

Workday

00d4e740702d4eb2939a87c2318513dd

workday_workday_raw

Workday Report-as-a-Service (RaaS)

Endpoint: Configurable Report URL

For setup details, see Ingest Report Data from Workday.