Usage of Webhooks in SIEM

Hi All,

We are utilizing Webhooks to ingest alerts from various sources into SIEM and it's working fine.

Can we also utilize it to ingest raw logs in JSON format into SIEM? With regard to alerts, there will be only 20-30 events per day, but in the case of raw logs, the volume is high. Is it recommended to use webhooks for the same?

1 ACCEPTED SOLUTION

Webhooks should scale just fine for high volume log sources. It'll max out at 900k requests per minute with a max of 4 MB per request. Your current utilization should be visible from the Chronicle API management quota page in your cloud console as 'Feed Import Push Logs requests per minute': https://console.cloud.google.com/apis/api/chronicle.googleapis.com/quotas

The Webhooks can work for almost all log types, but depending on where your logs are now and what options are available on the log source, it may be easier to ingest via one of the other ingest methods: https://cloud.google.com/chronicle/docs/secops/secops-ingestion


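A worked illustration of the sizing point in the answer, added here as an example that is not from the thread or from any Google SDK: it packs JSON events into requests that respect the 4 MB per-request cap the answer quotes and projects the resulting requests per minute against the 900k quota, so the capacity planning can be done before pointing a high-volume source at the webhook. The compact JSON-array payload shape and the 20k events/s sample rate are assumptions; the code never calls the Chronicle endpoint.

```python
import json
from typing import List

# Limits quoted in the accepted answer for Chronicle webhook (push) ingestion.
MAX_REQUEST_BYTES = 4 * 1024 * 1024   # 4 MB per request
MAX_REQUESTS_PER_MINUTE = 900_000


def batch_events(events: List[dict], max_bytes: int = MAX_REQUEST_BYTES) -> List[List[dict]]:
    """Greedily pack JSON events, in order, into batches whose serialised form
    (a compact JSON array; assumed payload shape) stays within max_bytes.
    A single oversize event raises instead of silently poisoning a batch."""
    batches: List[List[dict]] = []
    current: List[dict] = []
    size = 2                                        # the enclosing "[" and "]"
    for ev in events:
        body = json.dumps(ev, separators=(",", ":")).encode("utf-8")
        if len(body) + 2 > max_bytes:
            raise ValueError(f"event of {len(body)} bytes exceeds {max_bytes}-byte request cap")
        extra = len(body) + (1 if current else 0)   # +1 for the "," separator
        if size + extra > max_bytes:                # would overflow: flush first
            batches.append(current)
            current, size, extra = [], 2, len(body)
        current.append(ev)
        size += extra
    if current:
        batches.append(current)
    return batches


def estimate_requests_per_minute(events_per_second: float, avg_event_bytes: int,
                                 max_bytes: int = MAX_REQUEST_BYTES) -> float:
    """Requests per minute needed when every request is packed up to max_bytes."""
    per_request = max(1, (max_bytes - 2) // (avg_event_bytes + 1))
    return events_per_second * 60 / per_request


def within_quota(requests_per_minute: float, quota: int = MAX_REQUESTS_PER_MINUTE) -> bool:
    """True if the projected rate stays at or under the per-minute quota."""
    return requests_per_minute <= quota


if __name__ == "__main__":
    # Constructed sample: 20k events/s of ~500-byte JSON, e.g. a busy firewall feed.
    one_per_req = estimate_requests_per_minute(20_000, 500, max_bytes=503)  # no batching
    packed = estimate_requests_per_minute(20_000, 500)                      # filled to 4 MB
    print(f"one event per request: {one_per_req:,.0f} rpm, in quota: {within_quota(one_per_req)}")
    print(f"packed to 4 MB:        {packed:,.0f} rpm, in quota: {within_quota(packed)}")
```

Sending one event per request at that rate would exceed the 900k/min quota, while filling requests toward the 4 MB cap brings the same volume down to a few hundred requests per minute.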