Hi everyone,

Can someone please help me write a rule for the scenario below?

If any log source placed on-prem is not streaming to Chronicle SIEM in the last 24 hours, it should trigger an alert.

I read somewhere to use Cloud Monitoring for that, but how does that work? If my device is on-prem or on Azure and I have used a forwarder, how will Cloud Monitoring identify the not-reporting part? Can someone help me with this?

Hi @rahul7514,

Are you using the Google SecOps forwarder? Have you seen this documentation that explains how to create a Google Cloud Monitoring policy to detect silent Google SecOps forwarders? https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics#forwardermetricandfilters

You may also find the following blog posts helpful when thinking about monitoring your logging/data pipeline for issues:

https://www.googlecloudcommunity.com/gc/Community-Blog/Practical-Techniques-for-Monitoring-Your-Security-Data-Pipeline/ba-p/809060

https://medium.com/@thatsiemguy/chronicle-forwarder-telemetry-via-google-cloud-monitoring-39ccb32b3853
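Whatever backs the alert (a Cloud Monitoring policy on forwarder metrics or a scheduled query over ingestion telemetry), the check itself is the same: compare each expected source's newest event time against a 24-hour threshold, and treat a source with no telemetry at all as silent rather than simply absent. The Python below is an added example, not code from this thread or from Google; the source names, timestamps and telemetry shape are constructed.

```python
from datetime import datetime, timezone

# Constructed inventory of on-prem log sources that are expected to stream
# into the SIEM. Driving the check from an inventory (not from whatever
# happens to be reporting) is what lets a never-seen source be caught.
EXPECTED_SOURCES = ["dc01-windows-eventlog", "fw-edge-paloalto",
                    "proxy-squid", "ad-audit"]

# Constructed "newest event seen" telemetry keyed by source, in the shape a
# health export or ingestion-metric query might return it. "proxy-squid" is
# deliberately missing: it has never delivered a single event.
SAMPLE_LAST_SEEN = {
    "dc01-windows-eventlog": "2024-05-02T09:15:00Z",
    "fw-edge-paloalto": "2024-04-30T22:40:00Z",
    "ad-audit": "2024-05-02T11:59:00Z",
}


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-02T09:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_silent_sources(expected, last_seen, now_ts, max_silence_hours=24):
    """Return {source: hours_silent} for expected sources whose newest event is
    older than max_silence_hours. hours_silent is None for a source that has
    never reported, which a purely metric-driven check would otherwise miss."""
    now = parse_ts(now_ts)
    silent = {}
    for source in expected:
        ts = last_seen.get(source)
        if ts is None:
            silent[source] = None
            continue
        hours = (now - parse_ts(ts)).total_seconds() / 3600
        if hours > max_silence_hours:
            silent[source] = round(hours, 1)
    return silent


def format_alerts(silent):
    """One alert line per silent source, suitable for a notification body."""
    lines = []
    for source, hours in sorted(silent.items()):
        if hours is None:
            lines.append(f"ALERT {source}: no events ever received")
        else:
            lines.append(f"ALERT {source}: last event {hours}h ago")
    return lines


if __name__ == "__main__":
    silent = find_silent_sources(EXPECTED_SOURCES, SAMPLE_LAST_SEEN, "2024-05-02T12:00:00Z")
    print("\n".join(format_alerts(silent)))
```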