In Chronicle If I didn't log from a particular source within a timeframe of 30 minutes, will we be able to create a notification for that? Note: We are not using GCP currently.
Log not receiving - Notification
- Bronze 2
Well the best approach is to set up the Cloud Monitoring Notification.
If you have SOAR, you may try creating some custom job.
Else... You may try the sample code of this Dashboard and try tuning it as per your thresold.
+16In order to have Chronicle you have to be using GCP in some capacity.
However, I was thinking maybe you could setup a detection rule and use some kind of script that would run a test on that particular log source to validate its data is being sent on a regular basis.
+16Whoever messaged me on LinkedIn - letβs bring that back over here so the whole community can look at it.
Could you please post the rule and the error. Guessing the error is a tokenized error of some sort and we need to fix the format slightly. Could be something as simple as the wrong type of quotes.
+4- Bronze 3
Seems not working,
rule no_log_detection {
meta:
author = "testing"
description = "Detect when logs are not receive from particular source"
severity = "High"
events:
$e.principal.hostname = $hostname
$e.metadata.log_type = "WINEVTLOG" //example source
match:
$e over 30m
condition:
!$e
}
+5- Bronze 5
I am working on a solution that will create a job to list feeds using feed management API and check their status and notify if any of them are failing using SOAR IDE. This will be limited to feeds status only, for log interruption from source and forwarders yet to figure it out.
+5- Bronze 5
I am working on a solution that will create a job to list feeds using feed management API and check their status and notify if any of them are failing using SOAR IDE. This will be limited to feeds status only, for log interruption from source and forwarders yet to figure it out.
Update: My feed monitoring job was completed, this was successful for me and now I get email notifications delivered to my mailbox directly if a feed fails. This helped me nail down intermittently failing feeds which were never noticed before with cloud monitoring.
Update: My feed monitoring job was completed, this was successful for me and now I get email notifications delivered to my mailbox directly if a feed fails. This helped me nail down intermittently failing feeds which were never noticed before with cloud monitoring.
Hello, can you sahre more about the configuration you did on SOAR?
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.