Google SecOps Silent Host Monitoring
Overview
Using Silent Host Monitoring for Google SecOps allows you to create alerts for changes in ingestion rates through Google Cloud Monitoring. Alerts are generated on a per-collector basis. If the ingestion rate drops below the threshold you define, such as when a collector stops collecting for any reason, you will receive an alert accordingly.
Bindplane Configuration
This article assumes you are already using a SecOps Standardization Processor in your workflow. To enable Silent Host Monitoring, the collector server's hostname must be sent in each log entry as an attribute. First, configure the 'Copy Field' processor. The first value it asks for is 'Copy From', which should be 'Resources'; the 'Resource field' should be 'host.name'.
The next value it asks for is 'Copy To', which should be 'Attributes'. The last value it asks for is 'Attributes Field', which should be 'chronicle_ingestion_label["ingestion_source"]'.
Google Cloud Monitoring Configuration
Setting the threshold is at your discretion. A very small threshold alerts you when the collector itself may be down. A larger threshold also lets you know when a source behind the collector may have stopped collecting.
The metric you will want to alert on is: 'Chronicle Collector' - 'Ingestion' - 'Total Ingestion Log Count'.
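The following is an added Python model of the two steps above, the Copy Field labelling and the per-source count threshold; it is not Bindplane or Cloud Monitoring code. The record layout, the `evaluate` helper and the host names are constructed for illustration.

```python
from collections import Counter
from typing import Iterable

# Attribute key the Copy Field processor writes, as given in the Bindplane section.
INGESTION_SOURCE_KEY = 'chronicle_ingestion_label["ingestion_source"]'

def copy_host_to_ingestion_source(record: dict) -> dict:
    """Mirror the Copy Field step: resource host.name -> attributes[INGESTION_SOURCE_KEY].
    Local model only; Bindplane's own processor is not reproduced here."""
    host = record.get("resource", {}).get("host.name")
    if host is None:
        return record  # nothing to copy; record stays unlabelled and is not counted per source
    labelled = dict(record)
    labelled["attributes"] = {**record.get("attributes", {}), INGESTION_SOURCE_KEY: host}
    return labelled

def count_per_source(records: Iterable[dict]) -> Counter:
    """Total log count per ingestion source, the quantity the alert threshold is compared against."""
    counts = Counter()
    for rec in records:
        src = rec.get("attributes", {}).get(INGESTION_SOURCE_KEY)
        if src is not None:
            counts[src] += 1
    return counts

def silent_sources(counts: Counter, expected_hosts: Iterable[str], threshold: int) -> dict:
    """Return {host: count} for each expected host whose count in the window is below threshold.
    A host that sent nothing has no series at all, so it is checked explicitly as zero."""
    return {h: counts.get(h, 0) for h in expected_hosts if counts.get(h, 0) < threshold}

# Constructed sample window: web-01 is healthy, web-02 is degraded, db-01 went completely silent.
SAMPLE_RECORDS = (
    [{"resource": {"host.name": "web-01"}, "body": "GET /"} for _ in range(120)]
    + [{"resource": {"host.name": "web-02"}, "body": "GET /"} for _ in range(3)]
    + [{"resource": {}, "body": "record with no host.name"}]
)
EXPECTED_HOSTS = ["web-01", "web-02", "db-01"]

def evaluate(threshold: int) -> dict:
    """Run the labelling step, then apply the threshold to the per-source counts."""
    labelled = [copy_host_to_ingestion_source(r) for r in SAMPLE_RECORDS]
    return silent_sources(count_per_source(labelled), EXPECTED_HOSTS, threshold)

if __name__ == "__main__":
    # A small threshold flags only the collector that is down; a larger one also flags the weak source.
    print("threshold=1  ->", evaluate(1))    # {'db-01': 0}
    print("threshold=10 ->", evaluate(10))   # {'web-02': 3, 'db-01': 0}
```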
Google already has a comprehensive page covering this located at this page.
Here are some basic reference images to aid in configuration: