
Silent Log Source Alerting

  • February 11, 2026

EP0

I was checking information about monitoring of silent log sources and came across a few previous posts and this official documentation:
Silent-host monitoring | Google Security Operations | Google Cloud Documentation
Use Cloud Monitoring for ingestion insights | Google Security Operations | Google Cloud Documentation

However, from what I’ve seen previously, it seems to mention individual “hosts” specifically. If I wanted to monitor and alert on a specific log type (e.g. ZSCALER_WEBPROXY) going silent, does this fall under a similar circumstance? And to that point, is there any way currently to alert (either through scheduled UDM search or YARA-L detection) for this activity?

It’s a complicated situation where we do not actually have access to Cloud Monitoring, so if there is a way to do this via SecOps that would be really helpful.

5 replies

kentphelps
Staff
  • February 20, 2026

Currently, all the different SHM solutions like Bindplane and Health Hub either directly or indirectly use Cloud Monitoring. You could talk with your sales team or support about filing a feature request around improving native monitoring within Google SecOps.


EP0
  • Author
  • Bronze 2
  • February 24, 2026

Thanks for the information! Not the answer I was hoping for but thought it was worth asking 


Asura
  • February 25, 2026

Hello @EP0,

As mentioned by kentphelps, sadly it is not yet possible to perform silent log monitoring directly in SecOps.

Personally, after a lot of testing in rules, we decided to leverage GCP Alert monitoring. It is working really well; if you are able to do it, I personally recommend it (unfortunately it is not yet possible to have a log in SecOps when the alert fires, but you can configure emails being sent).

If it is not an option for you, I can recommend leveraging the native dashboard.

On our side, I built a dashboard to monitor the health of our log sources, which is sent to us on a daily basis so we have the % change compared to our “normal” baseline (different ingestion state to see the log count and log volume per log source, per day).

To have your own “silent log” in a reasonable time:

  • You can do a per-hour view using the ingestion data source.
  • Fetch the output of your dashboard chart on a frequent basis, through the API.
  • Do the silent monitoring logic on your own, based on the amount of logs received each hour.

It will not be a perfect one-hour silent, but within a 2-hour delay you will get warned.
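
The last step of the procedure above (the silent-monitoring logic over hourly log counts), as an added example that is not part of the original post and not Google's code. The row shape `(log_type, hour_start, count)`, the function name `find_silent` and all sample values are assumptions; fetching the chart output through the API is not shown.

```python
from datetime import datetime, timedelta, timezone

def find_silent(rows, expected_types, now, silent_hours=2):
    """Return {log_type: last_hour_with_logs or None} for silent sources.

    rows: (log_type, hour_start, count) tuples, one per hourly bucket, in the
    shape an hourly ingestion chart export might have (assumed format).
    A source is silent when each of the last `silent_hours` completed hours
    has no logs. A missing bucket counts as zero, because a source that
    stopped sending produces no row at all rather than a row with count 0.
    """
    current_hour = now.replace(minute=0, second=0, microsecond=0)
    # Skip the still-filling current hour: it under-counts and would
    # raise false alarms right after the hour rolls over.
    window = [current_hour - timedelta(hours=i) for i in range(1, silent_hours + 1)]

    counts, last_seen = {}, {}
    for log_type, hour_start, count in rows:
        if count <= 0 or hour_start >= current_hour:
            continue
        counts[(log_type, hour_start)] = counts.get((log_type, hour_start), 0) + count
        if log_type not in last_seen or hour_start > last_seen[log_type]:
            last_seen[log_type] = hour_start

    silent = {}
    for log_type in expected_types:
        # Iterate the expected list, not the data: a source with no rows
        # at all must still be reported.
        if all(counts.get((log_type, h), 0) == 0 for h in window):
            silent[log_type] = last_seen.get(log_type)
    return silent


# Constructed sample data, not real ingestion output.
UTC = timezone.utc
NOW = datetime(2026, 2, 25, 12, 20, tzinfo=UTC)
H = lambda hour: datetime(2026, 2, 25, hour, tzinfo=UTC)
SAMPLE_ROWS = [
    ("ZSCALER_WEBPROXY", H(8), 51200), ("ZSCALER_WEBPROXY", H(9), 48900),
    # ZSCALER_WEBPROXY has no buckets after 09:00: it went silent.
    ("WINEVTLOG", H(9), 9100), ("WINEVTLOG", H(10), 8800),
    ("WINEVTLOG", H(11), 9300), ("WINEVTLOG", H(12), 140),  # partial hour
    ("OKTA", H(10), 310), ("OKTA", H(11), 0),  # one quiet hour only
]
EXPECTED = ["ZSCALER_WEBPROXY", "WINEVTLOG", "OKTA", "GCP_CLOUDAUDIT"]

if __name__ == "__main__":
    for log_type, seen in find_silent(SAMPLE_ROWS, EXPECTED, NOW).items():
        print(f"SILENT {log_type}: last logs in hour starting {seen}")
```

Comparing against a maintained list of expected log types is what catches a source that has disappeared from the chart entirely, since such a source never shows up as a zero row.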


EP0
  • Author
  • Bronze 2
  • February 27, 2026

Unfortunately this is with an MSSP client where we haven’t set up API access yet as well. I appreciate the suggestion!


Asura
  • February 28, 2026

Oh okay, then sorry I do not have other ideas.