
Looking for some insight on the log source monitoring in Chronicle SIEM?

  • August 27, 2023
  • 11 replies
  • 42 views


Hopefully this is the right place - looking for some insight on what you all are doing for log source monitoring in Chronicle SIEM?

11 replies

  • New Member
  • August 27, 2023

We use silent log alerting from Chronicle. You will get an email if a log type stops sending data to Chronicle.


JaredBloomberg

How do you enable log alerting within Chronicle?


  • New Member
  • August 27, 2023

Chronicle support has to do it


JaredBloomberg

Thanks!


  • New Member
  • August 27, 2023

I was trying to find the details about it and came across the new way to do it.
https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics


  • New Member
  • August 27, 2023

For the current way, IIRC, the data type has to be silent for several hours before you’re notified.


cmmartin_google
Staff

If you have integrated your Chronicle SIEM instance with GCP, you can use GCP Metrics for Forwarder and Feed Management notifications, e.g., silent log source, or else abnormal deviation from baseline.


  • New Member
  • September 11, 2023

I also have some questions about this: log type is nice for single sources on a log source type, but what about Sysmon, for example? Losing sight of one host may warrant an alert (domain controllers), but it will never trigger on log type alone. Any way to do that?


maxjunker
  • Bronze 4
  • February 19, 2024

Is there any other way to detect log source / log source type outages without BigQuery?
We don't have GCP integration within our Chronicle tenants, but we need to detect if a log source stops sending events.
I get that because of sliding windows a detection rule with YARA-L is not sufficient (https://medium.com/@thatsiemguy/silent-asset-detection-47ad34fdab55).
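The Sysmon question earlier in the thread (one dead domain controller is invisible at log-type granularity) and the sliding-window objection in the post above come down to the same requirement: a last-seen timestamp per (log type, host), compared against a per-source threshold, plus an inventory of what is supposed to be reporting so that a host which went quiet before the query window even started still gets flagged. The script below is an added example written for this page; it is not code from the thread, from Google, or from the linked article. It runs offline over constructed sample records and assumes you can export rows of (log_type, hostname, event_time) by whatever path your tenant supports. The log type names, host names, thresholds, CRITICAL_HOSTS and EXPECTED inventory are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records: (log_type, hostname, event_time in UTC).
# Assumption: you can export rows like this (API, search export, forwarder
# side logs); the poster has no BigQuery, so the export should stay small.
NOW = datetime(2024, 2, 19, 12, 0, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    ("WINDOWS_SYSMON", "dc01", NOW - timedelta(minutes=5)),
    ("WINDOWS_SYSMON", "dc02", NOW - timedelta(hours=3)),     # one DC went quiet
    ("WINDOWS_SYSMON", "ws-042", NOW - timedelta(minutes=12)),
    ("WINDOWS_SYSMON", "ws-043", NOW - timedelta(minutes=2)),
    ("PAN_FIREWALL", "fw-edge-1", NOW - timedelta(hours=7)),
    ("PAN_FIREWALL", "fw-edge-1", NOW - timedelta(hours=6)),  # whole type silent
    ("OKTA", "okta-tenant", NOW - timedelta(minutes=1)),
]

# Assumed silence thresholds per log type; tune to each source's real cadence.
THRESHOLDS = {
    "WINDOWS_SYSMON": timedelta(minutes=30),
    "PAN_FIREWALL": timedelta(minutes=15),
}
DEFAULT_THRESHOLD = timedelta(hours=4)

# Assumed: hosts whose silence matters on its own (domain controllers).
CRITICAL_HOSTS = {"dc01", "dc02", "dc03"}

# Assumed asset inventory: (log_type, host) pairs that should be reporting.
# A host that stopped before the export window began never appears in the
# records at all, which is exactly what a window-bounded rule cannot see.
EXPECTED = {(lt, host) for lt, host, _ in SAMPLE_RECORDS} | {("WINDOWS_SYSMON", "dc03")}


def last_seen(records):
    """Latest event_time per (log_type, host), one O(n) pass."""
    seen = {}
    for log_type, host, ts in records:
        key = (log_type, host)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_log_types(records, now, thresholds=THRESHOLDS, default=DEFAULT_THRESHOLD):
    """Log-type granularity: a type is silent only if *no* host sent within
    its threshold. This is all that per-log-type silent alerting can see,
    and why a single dead domain controller never trips it."""
    latest = {}
    for (log_type, _host), ts in last_seen(records).items():
        if log_type not in latest or ts > latest[log_type]:
            latest[log_type] = ts
    return sorted(
        (log_type, now - ts)
        for log_type, ts in latest.items()
        if now - ts > thresholds.get(log_type, default)
    )


def silent_assets(records, now, expected=None, thresholds=THRESHOLDS,
                  default=DEFAULT_THRESHOLD, critical=CRITICAL_HOSTS):
    """Per-host granularity. Returns (log_type, host, silent_for, is_critical),
    critical hosts first, then longest silence. silent_for is None for an
    expected pair that has no record in the window at all."""
    seen = last_seen(records)
    out = []
    for (log_type, host), ts in seen.items():
        gap = now - ts
        if gap > thresholds.get(log_type, default):
            out.append((log_type, host, gap, host in critical))
    for log_type, host in (expected or set()) - set(seen):
        out.append((log_type, host, None, host in critical))
    out.sort(key=lambda r: (not r[3],
                            -(r[2].total_seconds() if r[2] is not None else float("inf"))))
    return out


if __name__ == "__main__":
    for log_type, gap in silent_log_types(SAMPLE_RECORDS, NOW):
        print(f"LOG TYPE SILENT  {log_type:<16} {gap}")
    for log_type, host, gap, crit in silent_assets(SAMPLE_RECORDS, NOW, EXPECTED):
        label = "CRITICAL" if crit else "host    "
        print(f"{label} silent  {log_type:<16} {host:<12} {gap or 'never seen in window'}")
```

Run on the sample data, the log-type pass reports only PAN_FIREWALL, while the per-host pass reports dc03 (in the inventory, never seen), dc02 (three hours quiet) and fw-edge-1. Dropping the EXPECTED inventory makes dc03 disappear from the output entirely, which is the sliding-window problem in miniature: whatever you schedule this from, the inventory has to come from outside the event stream.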