You can send macOS Security data to Google SecOps by creating an ingestion feed that uses a webhook.
- Administrator access to your organization's Google Security Operations instance.
- A Google Cloud project configured for your Google SecOps instance, with the Chronicle API enabled for the project. For more information, see Configure a Google Cloud project for Google SecOps in the Google Security Operations documentation.
- A connection between Google Cloud services and your Google SecOps instance. For more information, see Link a Google Security Operations instance to Google Cloud services in the Google Security Operations documentation.
Batches of data sent through webhook feeds may experience ingestion delays if the request size or QPS limits are set too low. When calling the HTTPS push endpoint, the maximum request size is 4 MB, and the maximum QPS is 15K.
- For step-by-step instructions to create the feed, see Set up an ingestion feed in Google SecOps using a webhook in the Google Security Operations documentation.

  Note: When setting up a feed for telemetry data, Jamf recommends choosing from the Log Type pop-up menu.

- For step-by-step instructions to create an API key for the feed, see Create an API key for a webhook feed in the Google Security Operations documentation.
When the feed is created, make sure you copy these values for use with an action configuration in the macOS Security portal:
- Secret key
- Feed endpoint URL
- API key
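The request-size and QPS limits above, and the three values copied from the feed, are what a client pushing events to the webhook endpoint has to respect. The following Python is an added example, not Jamf or Google code: it splits a stream of JSON events into request bodies that stay under the 4 MB limit, paces requests under the QPS limit, and posts each batch to the feed endpoint. The placeholder endpoint URL, API key and secret are constructed values to be replaced with the ones copied from the feed page, and the way the key and secret are passed (as `key` and `secret` query parameters) is an assumption to confirm against the Google SecOps documentation.

```python
import json
import time
import urllib.parse
import urllib.request

# Limits stated for the Google SecOps HTTPS push endpoint.
MAX_REQUEST_BYTES = 4 * 1024 * 1024  # 4 MB per request
MAX_QPS = 15_000                     # 15K requests per second

# Constructed placeholders: replace with the values copied from the feed page.
FEED_ENDPOINT_URL = "https://FEED-ENDPOINT-URL-PLACEHOLDER"
API_KEY = "API-KEY-PLACEHOLDER"
SECRET_KEY = "SECRET-KEY-PLACEHOLDER"


def serialized_size(batch):
    """Byte length of a batch once encoded as a compact JSON array."""
    return len(json.dumps(batch, separators=(",", ":")).encode("utf-8"))


def batch_events(events, max_bytes=MAX_REQUEST_BYTES):
    """Group JSON-serialisable events into batches whose JSON-array body
    stays at or below max_bytes. A single event that cannot fit on its own
    is rejected rather than silently truncated or dropped."""
    batches, current = [], []
    current_size = 2  # the enclosing "[" and "]"
    for event in events:
        size = len(json.dumps(event, separators=(",", ":")).encode("utf-8"))
        if size + 2 > max_bytes:
            raise ValueError("single event exceeds the per-request size limit")
        separator = 1 if current else 0  # comma between array elements
        if current_size + separator + size > max_bytes:
            batches.append(current)
            current, current_size, separator = [], 2, 0
        current.append(event)
        current_size += separator + size
    if current:
        batches.append(current)
    return batches


def min_request_interval(qps=MAX_QPS):
    """Minimum spacing between requests, in seconds, to stay under qps."""
    return 1.0 / qps


def push_url(endpoint=FEED_ENDPOINT_URL, api_key=API_KEY, secret=SECRET_KEY):
    """Assumption: the webhook takes the API key and secret as query
    parameters named key and secret. Verify against the feed documentation."""
    query = urllib.parse.urlencode({"key": api_key, "secret": secret})
    return f"{endpoint}?{query}"


def send_batch(batch, url):
    """POST one batch as a JSON array; returns the HTTP status code."""
    body = json.dumps(batch, separators=(",", ":")).encode("utf-8")
    request = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.status


def push_events(events, url=None):
    """Batch, pace and send all events; returns the number of requests made."""
    url = url or push_url()
    interval = min_request_interval()
    sent = 0
    for batch in batch_events(events):
        started = time.monotonic()
        send_batch(batch, url)
        sent += 1
        # Sleep off whatever remains of the per-request interval.
        time.sleep(max(0.0, interval - (time.monotonic() - started)))
    return sent


if __name__ == "__main__":
    # Constructed sample events; shows the batching without sending anything.
    sample = [{"event": "process_exec", "host": f"mac-{i}", "seq": i} for i in range(5000)]
    batches = batch_events(sample, max_bytes=64 * 1024)
    print(f"{len(sample)} events -> {len(batches)} requests; "
          f"largest body {max(serialized_size(b) for b in batches)} bytes")
```

The size check is done on the compact serialisation that is actually sent, so a batch never exceeds the limit by the few bytes that pretty-printing or commas would add; an oversized single event raises instead of being split, because the endpoint cannot reassemble it.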