
I’m currently leveraging the curated dashboard "Data Ingestion and Health" to get insight into our daily ingestion volume. I modified a few queries there to make it suitable for our case.

It occurred to me to leverage some of this data and create a simple daily/weekly alert to check whether we have exceeded our daily ingestion allowance.

Example:

events:
$event.ingestion.component = "Ingestion API"
//$Log_Type = $event.ingestion.log_type
//$Log_Type != ""
$date = timestamp.get_date($event.ingestion.end_time)

match:
$event,$date over 24h

outcome:
$Total_Size_Bytes = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_volume, 0))
$Total_Logs = sum(if($event.ingestion.component = "Ingestion API", $event.ingestion.log_count, 0))

condition:
$Total_Size_Bytes >= [removed by moderator]

It turns out that the YARA-L rule editor complains that the field "ingestion" does not exist:

parsing: getting field descriptors: accessing field "udm.ingestion": field "ingestion" does not exist, valid fields are: "metadata", "additional", "principal", "src", "target", "intermediary", "observer", "about", "security_result", "network", "extensions", "extracted"
line: 12
column: 4-29

Are these tables and data not exposed to us to use beyond the Dashboards?

I’m aware there are other ways to do so, like using Cloud Monitoring etc. I thought this could be a simple way to avoid using a different platform, having to integrate outside of our SOAR, and having to maintain another piece.

Any help or insight will be greatly appreciated.

Thanks!
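The logic the rule above tries to express (filter on the ingestion component, bucket by the calendar date of end_time, sum bytes and log count, compare against an allowance) is shown here as an added Python example over constructed rows. It is not Google SecOps code and not the posted rule: the row shape (component, log_type, end_time, log_volume, log_count), the UTC calendar-day bucketing, the decimal-GB unit and the 80 GB allowance are all assumptions for illustration. It also contrasts the calendar-day sum with a sliding 24-hour window, since the two can disagree at a day boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GB = 10**9  # decimal gigabytes (assumption; switch to 2**30 if your allowance is in GiB)

# Constructed sample rows (not real SecOps ingestion statistics) in the shape
# the posted rule reads: component, log_type, end_time, log_volume (bytes), log_count.
SAMPLE_ROWS = [
    {"component": "Ingestion API", "log_type": "WINEVTLOG",    "end_time": "2024-05-01T09:00:00Z", "log_volume": 40 * GB, "log_count": 80_000_000},
    {"component": "Forwarder",     "log_type": "PAN_FIREWALL", "end_time": "2024-05-01T12:00:00Z", "log_volume": 25 * GB, "log_count": 50_000_000},
    {"component": "Ingestion API", "log_type": "OKTA",         "end_time": "2024-05-01T20:00:00Z", "log_volume": 30 * GB, "log_count": 60_000_000},
    {"component": "Ingestion API", "log_type": "WINEVTLOG",    "end_time": "2024-05-02T01:00:00Z", "log_volume": 10 * GB, "log_count": 20_000_000},
    {"component": "Ingestion API", "log_type": "OKTA",         "end_time": "2024-05-02T23:30:00Z", "log_volume": 50 * GB, "log_count": 100_000_000},
    {"component": "Ingestion API", "log_type": "WINEVTLOG",    "end_time": "2024-05-03T02:00:00Z", "log_volume": 90 * GB, "log_count": 180_000_000},
]


def parse_end_time(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def daily_totals(rows, component="Ingestion API"):
    """Sum bytes and log count per UTC calendar date for one component.

    Mirrors the rule: filter on component, key on the date of end_time
    (the rule's timestamp.get_date), sum log_volume and log_count.
    """
    totals = defaultdict(lambda: {"bytes": 0, "logs": 0})
    for row in rows:
        if row["component"] != component:
            continue
        day = parse_end_time(row["end_time"]).date()
        totals[day]["bytes"] += row["log_volume"]
        totals[day]["logs"] += row["log_count"]
    return dict(totals)


def sliding_24h_bytes(rows, as_of: datetime, component="Ingestion API") -> int:
    """Bytes for the component in the half-open window (as_of - 24h, as_of].

    A sliding window can straddle a day boundary, so it may reach the
    allowance on a day where neither calendar-day total does.
    """
    start = as_of - timedelta(hours=24)
    return sum(
        row["log_volume"]
        for row in rows
        if row["component"] == component and start < parse_end_time(row["end_time"]) <= as_of
    )


def over_allowance(daily, allowance_bytes: int):
    """Return sorted [(date, bytes)] for days at or above the allowance,
    matching the rule's condition Total_Size_Bytes >= allowance."""
    return sorted((d, t["bytes"]) for d, t in daily.items() if t["bytes"] >= allowance_bytes)


def weekly_totals(daily):
    """Roll calendar-day totals up to (ISO year, ISO week) for a weekly check."""
    weeks = defaultdict(int)
    for d, t in daily.items():
        iso = d.isocalendar()
        weeks[(iso[0], iso[1])] += t["bytes"]
    return dict(weeks)


if __name__ == "__main__":
    allowance = 80 * GB  # hypothetical daily allowance
    daily = daily_totals(SAMPLE_ROWS)
    for day, t in sorted(daily.items()):
        print(day, f"{t['bytes'] / GB:.1f} GB", t["logs"], "logs")
    print("over allowance:", over_allowance(daily, allowance))
    print("weekly:", weekly_totals(daily))
    as_of = parse_end_time("2024-05-02T02:00:00Z")
    print("sliding 24h as of", as_of.isoformat(), f"{sliding_24h_bytes(SAMPLE_ROWS, as_of) / GB:.1f} GB")
```

On the constructed rows, only 2024-05-03 (90 GB) trips the 80 GB calendar-day check, while the sliding window ending at 2024-05-02T02:00Z already sums to 80 GB across the day boundary. Whichever source you end up pulling the ingestion statistics from, decide up front which of the two semantics the alert should have.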

Our colleague Chris has published a blog post that details license utilization and includes examples. A downloadable JSON file is also available. Please review this resource to see if it assists with your current situation.
Link: https://medium.com/@thatsiemguy/monitoring-your-google-secops-license-utilization-revisited-ef2d067a9c16

JSON file: https://github.com/goog-cmmartin/thatsiemguy/blob/main/dashboards/native_dashboards/secops_license_utilisation/%5BGUS%5D%20SecOps%20_%20License%20Utilisation.json


Thanks, Jay, for the pointer here; this will definitely help. I did create my own dashboard and got a clear picture of my daily ingestion volumes, but this will definitely complement it further with a lot more granular information as well. Yet I was looking for a proactive approach: alerting.


I guess my question is more about how I could use the ingestion table to create a detection rule. It seems to me that the “ingestion table” is not exposed for creating a detection rule.


Are there plans for such? Or am I missing something?


Thanks,