+4Hi Team,
I have configured a Silent Log Alert based on the log type (Palo Alto Firewall). Currently, the firewall is ingesting logs from 10 different devices. I need assistance in setting up an alert that will trigger if even a single device stops sending logs.
Please let me know how if this can be achieved.
Thank you!
Best answer by rajukg11
There are no metrics available for device level monitoring. If you have access to BigQuery then you can run this (example that you will customize for your needs):
SELECT principal.hostname as device, MAX(metadata.event_timestamp.seconds) as maxtime, count(*)
FROM `datalake.events` as events
WHERE DATE(hour_time_bucket) > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
AND metadata.vendor_name = "Microsoft"
group by 1
having count(*) > 1000
and (unix_seconds(current_timestamp()) - maxtime ) > 60*60
ORDER BY device
LIMIT 100;
+6There are no metrics available for device level monitoring. If you have access to BigQuery then you can run this (example that you will customize for your needs):
SELECT principal.hostname as device, MAX(metadata.event_timestamp.seconds) as maxtime, count(*)
FROM `datalake.events` as events
WHERE DATE(hour_time_bucket) > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)
AND metadata.vendor_name = "Microsoft"
group by 1
having count(*) > 1000
and (unix_seconds(current_timestamp()) - maxtime ) > 60*60
ORDER BY device
LIMIT 100;
+4Hi Raju,
Can this be achieved by Writing YARA L rules?
Can it be done using Sliding window
https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#sliding_window
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.