Integration with Google SecOps (Chronicle) SIEM

I am using the API search-post endpoint to fetch audit logs and identities for ingestion in Google SecOps (SIEM). This post helped me set up the audit log part.

But the identity information cannot be parsed by Google SecOps. My contact at Google sent me a snippet of the JSON with XML in it that they expect when getting identity information from you:

  1. Do you recognise the format in the image, and which endpoint can produce it?
  2. Which endpoint/filter would you recommend using when fetching up-to-date identity information? I have noticed that in addition to the Search endpoint there is also list identities.
  3. Do you have any other recommendations or best practices when integrating ISC with Google SecOps or other SIEM?

Hi, looking at the image, I feel you just need identity attribute details rather than which sources and access the identity has. So, you can just use list identities.
I also observed that the screenshot says previousIdentity. If you are looking for an identity history snapshot then you have to use this endpoint: Get latest snapshot of identity.

Hi, thanks for your prompt answer. Both the endpoints you mentioned will give me back JSON though. Is there some old version of the API that includes XML in the body, maybe?

No, there is no API which will give the response in XML. You have to write a script to convert it to XML.