Open-sourced a feed health monitor for Google SecOps, looking for feedback

  • May 19, 2026
  • 1 reply
  • 23 views

Bartosz J

Hey all,

Long-time SIEM user here. Just open-sourced something and would love eyes on it.

The problem I keep running into is feed health. Feeds go silent, and nobody notices in time. SecOps shows feed state in the GUI (Active, Archived, Error), but a feed can remain Active even when no events are being ingested. Cloud Monitoring metrics are more reliable but have their own gaps. And manually putting it together every time - detect, restart, ticket, and notify the owner - is just too much work.

I read the existing threads here, plus David French's two-part series and thatsiemguy's forwarder telemetry walkthrough. All useful, and they confirmed a lot of us are struggling with the same thing. So, I built something to automate it.

What it does: a Cloud Run Job runs on a schedule and applies three independent checks per feed. First, Chronicle's feed state. Second, an ingestion anomaly check using the median and MAD, so that one quiet day doesn't drag the baseline. Third, a real UDM search to confirm events are actually ingested and parsed. If a check fails, the tool attempts an auto-restart. If that fails, it opens a single Jira ticket (deduped per outage), emails the owner, and has Gemini perform an initial investigation and recommend fixes, all attached to the ticket.

There's also a project-wide ingestion guardrail for the contract conversation ("alert me at 1 TB a day so we don't blow the license").

Sensitive IDs are redacted before anything goes to Vertex. Event content never leaves the project. YAML config, no agent framework, cheap to run.

Writeup: https://blueaisecurity.com/secops-feed-health
Repo (MIT, v1): https://github.com/blueaisecurity/secops-feed-health-monitoring

This is v1. Next on the list is per-feed owner routing, tougher restart logic with proper cooldowns, ticket lifecycle (auto-comment and auto-close on recovery), and a second backend besides Jira.

If you've solved this differently, I'd love to hear what worked. If you try it, issues and PRs welcome. If anyone from the SecOps team is reading, I'll make this obsolete the day the same capabilities ship natively.
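One way to implement the median/MAD ingestion check and the per-outage ticket dedup that the post describes, as an added Python example that is not code from the repo. The daily counts and feed ids are constructed, the `ACTIVE` state string, the 1.4826 MAD-to-sigma scaling, the `k = 3` cutoff, and the `feed:first_failure_ts` ticket-key shape are all assumptions for illustration; a mean/standard-deviation score is included only to show why one quiet day wrecks the classic baseline but not the median/MAD one.

```python
from statistics import median, mean, pstdev

# Constructed sample: seven days of daily event counts for one feed.
# Day 5 is a single quiet day (5 events), the case the post says must not
# drag the baseline down.
HISTORY = [1000, 1020, 980, 1010, 5, 995, 1005]

# Assumed tuning: 1.4826 rescales MAD to a standard-deviation equivalent for
# roughly normal data; k = 3 is the "scaled MADs below the median" cutoff.
MAD_SCALE = 1.4826
K = 3.0


def robust_z(history, today, floor=1.0):
    """Distance of today's count from the median, in scaled-MAD units.

    floor avoids a division by zero when every day in the history is identical
    (MAD == 0); any drop is then measured against one event instead.
    """
    med = median(history)
    mad = median(abs(c - med) for c in history)
    scale = max(MAD_SCALE * mad, floor)
    return (today - med) / scale


def mean_z(history, today):
    """Classic mean / standard-deviation z-score, shown only for contrast."""
    return (today - mean(history)) / pstdev(history)


def is_ingestion_anomaly(history, today, k=K):
    """True when today's volume is more than k scaled MADs below the median."""
    return robust_z(history, today) < -k


def evaluate_feed(feed_state, history, today, udm_hits):
    """The three independent checks from the post, each reported separately."""
    return {
        "state_ok": feed_state == "ACTIVE",                     # Chronicle feed state
        "volume_ok": not is_ingestion_anomaly(history, today),  # median/MAD check
        "udm_ok": udm_hits > 0,                                 # events really parsed into UDM
    }


class OutageTracker:
    """Keeps one ticket key per feed for the whole duration of an outage."""

    def __init__(self):
        self._open = {}  # feed_id -> ticket key (assumed shape "feed:first_failure_ts")

    def record_failure(self, feed_id, observed_at):
        """Return (ticket_key, is_new). Repeated failures reuse the open key."""
        if feed_id in self._open:
            return self._open[feed_id], False
        key = f"{feed_id}:{observed_at}"
        self._open[feed_id] = key
        return key, True

    def record_recovery(self, feed_id):
        """Close the outage; returns the key that was open, or None."""
        return self._open.pop(feed_id, None)


if __name__ == "__main__":
    today = 30  # constructed: a near-silent day
    print("robust z:", round(robust_z(HISTORY, today), 1))  # far below -3, flagged
    print("mean z:  ", round(mean_z(HISTORY, today), 1))    # inside -3, not flagged
    print(evaluate_feed("ACTIVE", HISTORY, today, udm_hits=0))
    tracker = OutageTracker()
    print(tracker.record_failure("feed-a", "2026-05-18T00:00:00Z"))
    print(tracker.record_failure("feed-a", "2026-05-18T01:00:00Z"))
```

Run as a script it prints the two scores side by side: the quiet day inflates the standard deviation enough that a near-silent day scores around -2.4 on the mean baseline and slips under a 3-sigma cutoff, while the median/MAD baseline scores it at roughly -65. The `state_ok` result can be true while `volume_ok` and `udm_ok` are both false, which is exactly the "Active but silent" case the post is built around.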

1 reply

GromeroSec
  • New Member
  • May 19, 2026

Amazing bro!! One of the very basic features that Google SecOps lacks, and something they get asked for time and time again. Thanks