Events Streaming
Set up Opal to stream Events to your logging destination in near real-time.
Events Streaming allows administrators to set up a near real-time stream of Opal Events to a configured URL destination of their choice (e.g. a SIEM or logging sink). You can easily and flexibly integrate rich access data from Opal into your existing security logging stack for further auditing, notification, or detection purposes.
Configuration
Use the following steps to set up event streaming in Opal.
1. Add Event Streaming Connection
Go to Settings > Event Streaming and select + Event Streaming Connection.

2. Fill in connection details
- Provide a Name for the Event Stream Connection.
- Enter a URL webhook endpoint you would like Opal to send the Events payloads to.
- Select your Authorization Type.
- Click Add Connection.

Test message
Opal will send a test POST message to the end system to ensure that the endpoint can be reached before the Connection is allowed to be saved as successfully configured.
Authorization Types
1. API Key
Add a Key, Value pair via:
- Header (recommended)
- Query Parameter (not recommended for secrets)
2. HMAC
Verify that requests originated from Opal by checking signatures against a shared signing secret.
Opal adds an X-Opal-Signature HTTP header on each request sent. The signature is created by combining the signing secret with the body of the request sent, using a standard HMAC-SHA256 keyed hash.
A connection may have a maximum of 2 HMAC secrets to facilitate key rotation without any downtime. In this case, the value of X-Opal-Signature will be comma-delimited (e.g., X-Opal-Signature: <signature 1>, <signature 2>), with each signature corresponding to one of the HMAC secrets.
How to: Verify HMAC Signature
```javascript
const crypto = require('crypto')

// `request` is an Express-style request object: header() reads a request header,
// body holds the parsed JSON payload
const timestamp = request.header('X-Opal-Request-Timestamp')
const signingSecret = 'SIGNING_SECRET'
// Signature base string: version prefix, the request timestamp, and the request body
const sigBaseString = 'v0:' + timestamp + ':' + JSON.stringify(request.body)
const hmac = crypto.createHmac('sha256', signingSecret)
hmac.update(sigBaseString)
const actualSignature = hmac.digest('hex')
const expectedSignature = request.header('X-Opal-Signature')
console.log("Are equal?", actualSignature === expectedSignature)
```
Events payload
All Event Streaming payloads have the same structure. Fields that are bespoke to the event_type will be nested under the data field, as in the following example object.
```json
{
  "id": "cb8318b9-5719-4e5f-9740-a345650e22ca",
  "transaction_id": "491a0ece-5f7c-4227-957e-932977aca70b",
  "event_type": "EVENT_STREAM_CONNECTIONS_TESTED",
  "severity": "INFO",
  "timestamp": "2024-10-22T18:20:31.62251Z",
  "actor_email": "[email protected]",
  "actor_ip_address": "127.0.0.1",
  "actor_name": "Tester tester",
  "actor_user_id": "23b48b0e-db20-45ac-bb0c-7520e978d655",
  "actor_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
  "data": {
    "connection_type": "WEBHOOK",
    "message": "This is a test message to validate the event stream connection"
  }
}
```
Fields
| Name | Description |
|---|---|
| id | The unique identifier for this event |
| transaction_id | An identifier to group related events |
| event_type | The event that took place |
| severity | The severity level of the event. Possible values are INFO, WARNING, ALERT |
| timestamp | The time the event happened |
| actor_email | Email of the user that triggered the event |
| actor_ip_address | IP address of the user that triggered the event |
| actor_name | The name of the user that triggered the event |
| actor_user_id | The identifier of the user that triggered the event |
| actor_user_agent | The user agent of the user that triggered the event |
| data | Fields that are bespoke to the event_type |
Limitations
You can set up at most three connections.
Enable and disable connections
New Event Stream Connections are Enabled by default.
If you need to Disable the connection—e.g. you need to rotate an API Key or change query parameters—edit the connection, then disable the Connection Enabled toggle. This pauses streaming of events to the endpoint. If the connection is disabled for 7+ days, the next time it is re-enabled, it will stream from the latest events, instead of the time at which it was paused.
Errors and notifications
Errors and delivery failures
Admins can see a list of failed event deliveries from the last 30 days.

Notifications sent to admins
Notifications are sent to admins in the following cases:
- Messages for any connection failed to be delivered (daily notification)
- A connection has been auto-disabled by Opal due to an abnormally high failure rate (non-200 status codes, frequent timeouts, etc.)

Example end systems to receive events
Datadog
To configure your Event Stream to point directly to Datadog:
- Get the Logs API URL that corresponds to your Datadog Site.
- In Opal, go to event streaming (/settings#event-streaming) and create a new connection:
  - Name the connection.
  - URL should be the one copied in the previous step.
  - Select API Key and set the following values.
    - Key: DD-API-KEY
    - Value: <your Datadog API key>
  - Select Header.
  - [Optional] To include metadata, specify a second API Key for the Logs API's ddtags query string parameter.
  - Click Add Connection.
Sumologic
To configure your Event Stream to point directly to Sumologic:
- Generate an Access Key in Sumo Logic.
- Base64 encode the Access Key.
- In Sumo Logic, create an HTTP source for a hosted Collector. If a hosted Collector doesn't already exist, create a new hosted Collector.
- Copy the HTTP source URL.
- In Opal, go to event streaming (/settings#event-streaming) and create a new connection:
  - Name the connection.
  - URL should be the one copied in the previous step.
  - Select API Key and set the following values.
    - Key: Authorization
    - Value: Basic <base64 encoded Access Key from step 2>
  - Select Header.
  - Click Add Connection.