This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Log not receiving - Notification

Posted on 04-08-2024 05:19 AM
Austin123
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

In Chronicle If I didn't log from a particular source within a timeframe of 30 minutes, will we be able to create a notification for that? Note: We are not using GCP currently.

0 7 540
Topic Labels
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Well the best approach is to set up the Cloud Monitoring Notification.

If you have SOAR, you may try creating some custom job. 
Else... You may try the sample code of this Dashboard and try tuning it as per your thresold. 

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

In order to have Chronicle you have to be using GCP in some capacity.  

However, I was thinking maybe you could setup a detection rule and use some kind of script that would run a test on that particular log source to validate its data is being sent on a regular basis.  

Posted on --/--/---- --:-- AM
dnehoda
Staff
Reply posted on --/--/---- --:-- AM

Whoever messaged me on LinkedIn - letโ€™s bring that back over here so the whole community can look at it.  

Could you please post the rule and the error.  Guessing the error is a tokenized error of some sort and we need to fix the format slightly.  Could be something as simple as the wrong type of quotes. 

 

Posted on --/--/---- --:-- AM
Austin123
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM
Seems not working, 
 
rule no_log_detection {
meta:
 author = "testing"
 description = "Detect when logs are not receive from particular source"
 severity = "High"

 events:
 $e.principal.hostname = $hostname
 $e.metadata.log_type = "WINEVTLOG" //example source

 match:
 $e over 30m

condition:
 !$e
}

Posted on --/--/---- --:-- AM
ankitsynx
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

I am working on a solution that will create a job to list feeds using feed management API and check their status and notify if any of them are failing using SOAR IDE. This will be limited to feeds status only, for log interruption from source and forwarders yet to figure it out.

Posted on --/--/---- --:-- AM
ankitsynx
Bronze 5
Bronze 5
In response to ankitsynx
Reply posted on --/--/---- --:-- AM

Update: My feed monitoring job was completed, this was successful for me and now I get email notifications delivered to my mailbox directly if a feed fails. This helped me nail down intermittently failing feeds which were never noticed before with cloud monitoring.

0 Likes

Posted on --/--/---- --:-- AM
Daxter1928
Bronze 1
Bronze 1
In response to ankitsynx
Reply posted on --/--/---- --:-- AM

Hello, can you sahre more about the configuration you did on SOAR?

0 Likes
Top Solution Authors
View all