Hopefully this is the right place - looking for some insight on what you all are doing for log source monitoring in Chronicle SIEM?
We use silent log alerting from Chronicle. You will get an email if a log type stops sending data to Chronicle.
How do you enable log alerting within Chronicle?
Chronicle support has to do it
Thanks!
I was trying to find the details about it and came across the new way to do it.
https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics
For the current way, IIRC, the data type has to be silent for several hours before you’re notified.
If you have integrated your Chronicle SIEM instance with GCP, you can use GCP Metrics for Forwarder and Feed Management notifications, e.g., silent log source, or else abnormal deviation from baseline.
and the official docs -
https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics
I also have some questions about this: log type is nice for single sources on a log source type, but what about Sysmon, for example? Losing sight of one host may warrant an alert (domain controllers), but that will never trigger on log type alone. Any way to do that?
Is there any other way to detect log source / log source type outages without BigQuery?
We don't have GCP integration within our Chronicle tenants, but we need to detect if a log source stops sending events.
I get that because of sliding windows a detection rule with YARA-L is not sufficient (https://medium.com/@thatsiemguy/silent-asset-detection-47ad34fdab55)
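One way to close the per-asset gap raised in this thread (a log type stays healthy while a single Sysmon host such as a domain controller goes quiet), as an added example that is not from any poster here nor from Chronicle itself: a small Python pass over exported events that tracks last-seen time per log type and per asset, with tighter thresholds for critical hosts. The record shape, the idea that events come from a BigQuery export or API query, and all threshold values are assumptions.

```python
"""Silent log source / silent asset detection over exported events (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape (log_type, hostname, ISO-8601 timestamp); in practice
# they would come from a BigQuery export or an API query of your SIEM, which is an assumption here.
SAMPLE_EVENTS = [
    ("WINDOWS_SYSMON", "dc01", "2024-05-01T10:55:00Z"),
    ("WINDOWS_SYSMON", "dc02", "2024-05-01T09:10:00Z"),
    ("WINDOWS_SYSMON", "ws-alice", "2024-05-01T07:30:00Z"),
    ("PAN_FIREWALL", "fw-edge", "2024-05-01T10:58:00Z"),
    ("OKTA", "okta-tenant", "2024-04-30T22:00:00Z"),
]

# Hypothetical policy: how long a source may stay quiet before it counts as silent.
DEFAULT_THRESHOLD = timedelta(hours=4)
# Tighter windows for critical hosts such as domain controllers (per asset, not per log type).
ASSET_THRESHOLDS = {"dc01": timedelta(minutes=30), "dc02": timedelta(minutes=30)}
# Per-log-type thresholds for tenant-wide feeds that are expected to be chatty.
LOGTYPE_THRESHOLDS = {"OKTA": timedelta(hours=1)}

def parse_ts(ts):
    """Parse a UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def last_seen(events):
    """Most recent event time per (log_type, hostname) and per log_type."""
    by_asset, by_type = {}, {}
    for log_type, host, ts in events:
        when = parse_ts(ts)
        by_asset[(log_type, host)] = max(when, by_asset.get((log_type, host), when))
        by_type[log_type] = max(when, by_type.get(log_type, when))
    return by_asset, by_type

def silent_sources(events, now_ts):
    """Flag log types and assets quiet longer than their threshold; returns sorted (scope, name, minutes)."""
    now = parse_ts(now_ts)
    by_asset, by_type = last_seen(events)
    findings = []
    for log_type, seen in by_type.items():
        if now - seen > LOGTYPE_THRESHOLDS.get(log_type, DEFAULT_THRESHOLD):
            findings.append(("logtype", log_type, int((now - seen).total_seconds() // 60)))
    for (log_type, host), seen in by_asset.items():
        threshold = ASSET_THRESHOLDS.get(host, LOGTYPE_THRESHOLDS.get(log_type, DEFAULT_THRESHOLD))
        if now - seen > threshold:
            findings.append(("asset", f"{log_type}/{host}", int((now - seen).total_seconds() // 60)))
    return sorted(findings)

if __name__ == "__main__":
    for finding in silent_sources(SAMPLE_EVENTS, "2024-05-01T11:00:00Z"):
        print(finding)
```

With the sample data, WINDOWS_SYSMON as a log type looks healthy because dc01 is still reporting, yet dc02 is flagged on its own 30-minute window while the workstation, under the 4-hour default, is not.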