Log not receiving - Notification

In Chronicle, if I don't receive logs from a particular source within a timeframe of 30 minutes, will we be able to create a notification for that? Note: We are not using GCP currently.


Well, the best approach is to set up a Cloud Monitoring notification.

If you have SOAR, you may try creating a custom job.
Else... you may try the sample code of this dashboard and try tuning it as per your threshold.

In order to have Chronicle you have to be using GCP in some capacity.

However, I was thinking maybe you could set up a detection rule and use some kind of script that would run a test on that particular log source to validate that its data is being sent on a regular basis.
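As an added illustration of that scripted check (not code from this thread or from Chronicle), here is the core logic such a job would run on a schedule: it takes the latest ingestion record per source, compares it with the 30-minute threshold from the question, and also flags expected sources that have sent nothing at all. The record field names and the source list are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the most recent ingestion records per source, the kind
# of data a scheduled job would pull from its SIEM (field names are assumed).
SAMPLE_EVENTS = [
    {"log_type": "WINEVTLOG", "hostname": "dc01", "ts": "2024-05-01T10:05:00Z"},
    {"log_type": "WINEVTLOG", "hostname": "dc02", "ts": "2024-05-01T09:10:00Z"},
    {"log_type": "PAN_FIREWALL", "hostname": "fw01", "ts": "2024-05-01T09:58:00Z"},
]

# Sources expected to report (assumed list). A source missing entirely from the
# records must be flagged too: silence produces no event that a rule could see.
EXPECTED_SOURCES = {
    ("WINEVTLOG", "dc01"),
    ("WINEVTLOG", "dc02"),
    ("WINEVTLOG", "dc03"),
    ("PAN_FIREWALL", "fw01"),
}


def parse_ts(ts: str) -> datetime:
    """Parse the UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Most recent timestamp observed for each (log_type, hostname)."""
    seen = {}
    for ev in events:
        key = (ev["log_type"], ev["hostname"])
        ts = parse_ts(ev["ts"])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_sources(events, expected, now, max_silence=timedelta(minutes=30)):
    """Return {(log_type, hostname): minutes_silent} for every expected source
    with nothing newer than max_silence; a value of None means never seen."""
    seen = last_seen(events)
    silent = {}
    for src in expected:
        if src not in seen:
            silent[src] = None
        elif now - seen[src] > max_silence:
            silent[src] = int((now - seen[src]).total_seconds() // 60)
    return silent


if __name__ == "__main__":
    now = parse_ts("2024-05-01T10:30:00Z")
    for src, mins in sorted(silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, now).items()):
        state = "never seen" if mins is None else f"silent for {mins} min"
        print(f"ALERT {src[0]}/{src[1]}: {state}")
```

Whatever raises the alert (e-mail, ticket, SOAR job) then consumes the returned dict; the threshold is deliberately a parameter so it can be tuned per source.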

Whoever messaged me on LinkedIn - let's bring that back over here so the whole community can look at it.

Could you please post the rule and the error. Guessing the error is a tokenized error of some sort and we need to fix the format slightly. Could be something as simple as the wrong type of quotes.

Seems it's not working:

rule no_log_detection {
  meta:
    author = "testing"
    description = "Detect when logs are not received from a particular source"
    severity = "High"

  events:
    $e.metadata.log_type = "WINEVTLOG" // example source
    $e.principal.hostname = $hostname   // binds the match placeholder

  match:
    // the match section takes the placeholder bound above, not the event variable
    $hostname over 30m

  condition:
    // non-existence check: true only when no matching $e falls in the window;
    // with no other event in the rule, a silent source leaves $hostname unbound,
    // so there is nothing to group on and the rule has no event to fire from
    !$e
}