Solved

Alert no ingestion from feeds

  • January 30, 2026
  • 3 replies
  • 26 views

Bernaldo

Hi,

I’m trying to create an alert that indicates when there’s a lack of logs from a feed source.


Basically my idea was:

rule DEV_FEED_LACK_OF_DATA {
  meta:
    author =
    description =
    severity = "Critical"

  events:
    $e.metadata.log_type = "Office_365"
    $Type = $e.metadata.log_type

  match:
    $Type over 4h

  outcome:
    $risk_score = 90

  condition:
    !$e
}

But following the docs I have that:

https://docs.cloud.google.com/chronicle/docs/yara-l/condition-syntax#requirements_for_non-existence_queries

For a non-existence query to compile, it must satisfy the following requirements:

  • At least one UDM event must have a bounded condition (that is, at least one UDM event must exist).
  • If a placeholder has an unbounded condition, it must be associated with at least one bounded UDM event.
  • If an entity has an unbounded condition, it must be associated with at least one bounded UDM event.

So from my basic idea I suppose I have to get another event with the same $TYPE that exists, to do in the condition something like $e and !$e1

Does anyone have an idea of how to solve this issue?


Best regards

Best answer by hzmndt

Sharing a preview feature, “health hub”, to monitor the ingestion status:

https://docs.cloud.google.com/chronicle/docs/reports/data-health-monitoring-and-troubleshooting-dashboard

 

For proactive alerting, you still need to use Cloud Monitoring today:

https://docs.cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics

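The Cloud Monitoring route the accepted answer (and Eoved's reply) points to, as an added example that is not code from this thread or from Google: a small Python helper that builds a metric-absence alert policy for one log type, using the 4h window from the YARA-L attempt in the question. It assumes the ingestion metric `chronicle.googleapis.com/ingestion/log/record_count` and its `log_type` label as described in the linked ingestion-notifications doc, and uses placeholder project and notification-channel IDs.

```python
"""Build a Cloud Monitoring alert-policy body that fires when one Google SecOps
log type stops ingesting. Constructed example, not code from this thread."""
import json

# ASSUMPTION: ingestion metric and its log_type label as described in the
# ingestion-notifications doc linked above; confirm them in Metrics Explorer.
INGESTION_METRIC = "chronicle.googleapis.com/ingestion/log/record_count"


def absence_filter(log_type: str) -> str:
    """Monitoring filter selecting the record_count series of one log type."""
    # Escape backslashes and quotes so a label value cannot break the filter.
    value = log_type.replace("\\", "\\\\").replace('"', '\\"')
    return f'metric.type="{INGESTION_METRIC}" AND metric.label.log_type="{value}"'


def build_absence_policy(log_type: str, absence_hours: float,
                         notification_channels=()) -> dict:
    """AlertPolicy body with a conditionAbsent: it fires when no record_count
    points for `log_type` arrive for `absence_hours` (the question's 4h)."""
    if absence_hours <= 0:
        raise ValueError("absence window must be positive")
    duration_s = int(absence_hours * 3600)
    return {
        "displayName": f"No ingestion for {log_type} ({absence_hours:g}h)",
        "combiner": "OR",
        "conditions": [{
            "displayName": f"{log_type} record_count absent",
            "conditionAbsent": {
                "filter": absence_filter(log_type),
                "duration": f"{duration_s}s",
                # Sum points per 5-minute bucket so a sparse feed still counts.
                "aggregations": [{"alignmentPeriod": "300s",
                                  "perSeriesAligner": "ALIGN_SUM"}],
            },
        }],
        "notificationChannels": list(notification_channels),
        "documentation": {
            "content": f"No {log_type} records reached Google SecOps for "
                       f"{absence_hours:g}h. Check the feed and collector.",
            "mimeType": "text/markdown"},
    }


if __name__ == "__main__":
    # Placeholder IDs; write the JSON to a file and apply it with:
    #   gcloud alpha monitoring policies create --policy-from-file=policy.json
    channel = "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"
    print(json.dumps(build_absence_policy("Office_365", 4, [channel]), indent=2))
```

One policy per log type keeps the alert specific; for many feeds, loop over the log types you expect to be continuous and create a policy for each.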
3 replies

Eoved
  • Bronze 2
  • January 30, 2026

Hello,

The way to create alerts for “no ingestion” from feeds is by using Cloud Monitoring in GCP.

It’s also recommended because it provides a more advanced way to identify spikes in your logs.

References:

https://docs.cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics

In addition, you can review the following reference, it’s similar to the approach we’re aiming for:

https://security.googlecloudcommunity.com/community-blog-42/the-coming-flood-how-to-detect-and-alert-on-log-ingestion-spikes-using-google-security-operations-5940


hzmndt
Staff
  • Staff
  • Answer
  • January 30, 2026


Bernaldo
  • Author
  • Bronze 1
  • February 3, 2026


Thanks for the explanation