Hi,
Has anyone got any experience with creating a YARA-L rule that detects when a log source drops ingesting? I was hoping for a possible quick win here instead of using a dashboard.
Thanks
YARA-L rule to detect ingestion drop
+6- Bronze 1
Hi,
I Think that is not possible because you cannot search for a nullable log. Maybe you can use the search API and create a custom cloud function to ingest the metric in the SIEM and create a related rule.
+10The awesome blog by Chris Martin has a great write-up on how you can achieve this with Cloud Monitoring in GCP: https://medium.com/@thatsiemguy/chronicle-forwarder-telemetry-via-google-cloud-monitoring-39ccb32b3853
As noted, a YARA-L rule is not the best spot to do this type of monitoring today.
-mike
+2- Bronze 1
Hi,
Use of YARA-L for ingestion monitoring is indeed not recommended as use of event missing (!$event) is not for this use case and can result on the rule being limited and then paused.
For monitoring purpose, as you should have your instance linked to a specific project on your GCP instance, metrics from SIEM module of Google SecOps will be usable on your project. You can leverage those metrics to create Alerting Policies (Monitoring > Alerting in GCP) for your use case (use of metric absense).
In addition to the great article from Chris, you can find official documentation on this topic here: https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics
+1- Bronze 1
As said by Mike, the best way to keep tabs on ingestion metrics is by using Monitoring directly on GCP.
+4- Bronze 2
Thanks for the feedback all. I already knew the answer but wanted to double check whether there was a way via YARA-L which i had missed.
Thanks.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.