Question

Is there a way to create detection for SIEM parsing error?

  • November 4, 2025
  • 5 replies
  • 37 views


We occasionally see parsing errors for some log types in the Data Ingestion dashboard. However, as the dashboard is not regularly monitored and doesn’t show our custom parsers, I would like to check if there is a way to create some detection for the parsing errors so that we can act immediately.

5 replies

_K_O
  • Bronze 5
  • November 4, 2025

What type of errors are you seeing? Do you have logs for them, etc.? My guess is that it would be possible via a detection and / or a scheduled task since you can see it on a dashboard.


  • Author
  • New Member
  • November 5, 2025

So these are the ingestion errors I see in the default “Data Ingestion and Health” dashboard. However, I don’t see related events in the Chronicle audit logs. As it is a default dashboard, I’m unable to view its filter or logic.


_K_O
  • Bronze 5
  • November 5, 2025

For the default dashboards, you can click on “View Details” which will show you the logic for the graphs / tables:

Is this what you’re looking for?


_K_O
  • Bronze 5
  • November 5, 2025

There was also this thread from earlier this year which may help: 


  • Author
  • New Member
  • November 5, 2025

Nice, thank you. I was looking at the legacy dashboard. The new one does have the ability to view the query as you showed. However, I’m unable to run that query in UDM or YARA-L.
What I’m looking for is to create a detection to alert on parsing errors.
Looks like the API for list.errors is no longer there in https://cloud.google.com/chronicle/docs/administration/cli-user-guide
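Added example (not code from this thread, from Google SecOps, or from the dashboard): the alerting logic a scheduled task of the kind _K_O suggests would need once it can read the per-log-type ingestion metrics behind the dashboard, written in Python. It assumes those metrics can be exported as rows with the constructed fields log_type, parser, events and parse_errors (assumed names for illustration, not the dashboard's real schema; the sample rows are constructed). It shows the two things a detection on parser errors has to get right: a combined count-and-rate threshold so a few malformed lines in a high-volume default feed stay quiet while custom parsers, which the dashboard does not surface, alert on any error, and a cooldown so the same broken parser does not page on every run.

```python
"""Scheduled-task style check that turns parse-error counts into alerts.

Added example: field names and sample rows are constructed for illustration
and are not the real schema of the Data Ingestion and Health dashboard.
"""
from dataclasses import dataclass

# Constructed sample rows for one polling interval (assumed field names).
SAMPLE_METRICS = [
    {"log_type": "WINDOWS_SYSMON", "parser": "default", "events": 120_000, "parse_errors": 12},
    {"log_type": "OKTA", "parser": "default", "events": 5_000, "parse_errors": 0},
    {"log_type": "CUSTOM_APPGW", "parser": "custom", "events": 800, "parse_errors": 790},
    {"log_type": "CUSTOM_VPN", "parser": "custom", "events": 3, "parse_errors": 3},
]


@dataclass(frozen=True)
class Finding:
    log_type: str
    parser: str
    events: int
    parse_errors: int
    error_rate: float
    reason: str


def error_rate(row):
    """Fraction of received events that failed to parse; 0.0 when nothing arrived."""
    events = row["events"]
    return row["parse_errors"] / events if events else 0.0


def evaluate(rows, min_errors=10, max_error_rate=0.05):
    """Return one Finding per log type whose parse errors deserve an alert.

    Default parsers are flagged only when both an absolute count and a rate
    threshold are exceeded, so a handful of malformed lines in a busy feed
    stays quiet. Custom parsers are flagged on any error: a broken custom
    parser usually fails on every line and is otherwise invisible.
    """
    findings = []
    for row in rows:
        rate = error_rate(row)
        errs = row["parse_errors"]
        if row["parser"] == "custom" and errs > 0:
            reason = f"custom parser produced {errs} parse errors ({rate:.1%})"
        elif errs >= min_errors and rate > max_error_rate:
            reason = f"{errs} parse errors ({rate:.1%}) exceed thresholds"
        else:
            continue
        findings.append(Finding(row["log_type"], row["parser"], row["events"], errs, rate, reason))
    # Worst offenders first so the alert body leads with what matters.
    return sorted(findings, key=lambda f: (f.error_rate, f.parse_errors), reverse=True)


def should_alert(state, finding, now, cooldown_seconds=3600):
    """Suppress repeat alerts for the same (log_type, parser) inside the cooldown.

    `state` maps dedup keys to the epoch time of the last alert and is meant
    to be persisted between scheduled runs.
    """
    key = (finding.log_type, finding.parser)
    last = state.get(key)
    if last is not None and now - last < cooldown_seconds:
        return False
    state[key] = now
    return True


def build_alerts(rows, state, now):
    """Evaluate one interval and return the alert lines that pass the cooldown."""
    return [
        f"[parser-error] {f.log_type} ({f.parser}): {f.reason}"
        for f in evaluate(rows)
        if should_alert(state, f, now)
    ]


if __name__ == "__main__":
    import time

    state = {}
    now = time.time()
    for line in build_alerts(SAMPLE_METRICS, state, now):
        print(line)
    # A second run a minute later is silent for the same log types.
    print(build_alerts(SAMPLE_METRICS, state, now + 60))
```

Wire the output of build_alerts to whatever the scheduled task can reach (a webhook, a ticket, or an ingestion path the SIEM already accepts), and persist `state` between runs so the cooldown survives restarts. The thresholds are deliberately conservative defaults; tune min_errors and max_error_rate per environment after watching a few days of normal error volume.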