From 31480afa78fe5425bdc305e922fc2719caa55e3c Mon Sep 17 00:00:00 2001
From: Shourabh Payal
Date: Tue, 1 Aug 2023 11:33:25 +0000
Subject: [PATCH] add chronicle alert policy templates
---
 alerts/google-cloud-chronicle/README.md | 18 ++++++++++++
 ...e-combinations-except-few-logtypes.v1.json | 28 ++++++++++++++++++
 ...ent-forwarder-logtype-combinations.v1.json | 28 ++++++++++++++++++
 ...e-more-than-threshold-with-filters.v1.json | 29 +++++++++++++++++++
 alerts/google-cloud-chronicle/metadata.yaml | 17 +++++++++++
 .../silent-forwarder.v1.json | 27 +++++++++++++++++
 6 files changed, 147 insertions(+)
 create mode 100644 alerts/google-cloud-chronicle/README.md
 create mode 100644 alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations-except-few-logtypes.v1.json
 create mode 100644 alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations.v1.json
 create mode 100644 alerts/google-cloud-chronicle/forwarder-buffer-usage-more-than-threshold-with-filters.v1.json
 create mode 100644 alerts/google-cloud-chronicle/metadata.yaml
 create mode 100644 alerts/google-cloud-chronicle/silent-forwarder.v1.json
diff --git a/alerts/google-cloud-chronicle/README.md b/alerts/google-cloud-chronicle/README.md
new file mode 100644
index 0000000000..c47f6f1bf8
--- /dev/null
+++ b/alerts/google-cloud-chronicle/README.md
@@ -0,0 +1,18 @@
+# Alerts for Chronicle
+
+### Silent Forwarder
+
+This alert policy detects the absence of data for a chronicle collector with collector_id = 10479925-878c-11e7-9421-10604b7cb5c1 over a 1 hour window. These generally require further investigation and indicate an issue with the Chronicle collector.
+
+### All silent Chronicle forwarder and logtype combinations
+
+This alert policy fires an alert everytime a chronicle forwarder goes silent for a log type. Eg: If 4 forwarders are setup supplying 5 log types each, there would be 20 alerts firing (one for each combination). Similarly if a single chronicle forwarder goes down 5 alerts will be active.
+
+### All silent Chronicle forwarder and logtype combinations except few logtypes
+
+This alert policy similar to the above alert policy except it will not fire alerts for the excluded log types. In context of this template it won't fire alerts if Chronicle forwarders stop sending logs for BIND_DNS, CS_DETECTS or BRO_DNS.
+
+
+### Forwarder buffer usage threshold
+
+This alert policy sends out alerts when any Chronicle forwarder collecting logs from pcap has mean buffer usage above 1% for a 1 hour time window.
diff --git a/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations-except-few-logtypes.v1.json b/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations-except-few-logtypes.v1.json
new file mode 100644
index 0000000000..42eae030a8
--- /dev/null
+++ b/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations-except-few-logtypes.v1.json
@@ -0,0 +1,28 @@
+{
+ "displayName": "sample policy to detect all silent Chronicle forwarder and logtype combinations except few logtypes",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder and logtypes silent for 1 hour except few",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.collector_id",
+ "resource.label.log_type"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND resource.labels.log_type != one_of(\"BIND_DNS\", \"BRO_DNS\", \"CS_DETECTS\") AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}
\ No newline at end of file
diff --git a/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations.v1.json b/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations.v1.json
new file mode 100644
index 0000000000..bd481207bd
--- /dev/null
+++ b/alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations.v1.json
@@ -0,0 +1,28 @@
+{
+ "displayName": "sample policy to detect all silent Chronicle forwarder and logtype combinations",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder and logtypes silent for 1 hour",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.collector_id",
+ "resource.label.log_type"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}
\ No newline at end of file
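Review bot: The `one_of` exclusion in the `filter` line removes BIND_DNS, BRO_DNS and CS_DETECTS from silence detection, so a forwarder that stops shipping one of those feeds raises nothing here, and for a detection-source log type that is exactly the telemetry gap the README says these policies exist to surface. The three names read as sample values, but nothing in the policy marks them as such or tells the operator to review the list. None of the new policy files carries a `documentation` block either, so a responder paged by this absence condition sees only the displayName; add `"documentation": {"content": "Sample exclusion list - replace with log types that are expected to be intermittent and keep security-relevant feeds covered by a silence alert.", "mimeType": "text/markdown"}` to this policy, and an equivalent block describing the condition and first triage step to all-silent-forwarder-logtype-combinations.v1.json, forwarder-buffer-usage-more-than-threshold-with-filters.v1.json and silent-forwarder.v1.json.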
diff --git a/alerts/google-cloud-chronicle/forwarder-buffer-usage-more-than-threshold-with-filters.v1.json b/alerts/google-cloud-chronicle/forwarder-buffer-usage-more-than-threshold-with-filters.v1.json
new file mode 100644
index 0000000000..820b2f6cfb
--- /dev/null
+++ b/alerts/google-cloud-chronicle/forwarder-buffer-usage-more-than-threshold-with-filters.v1.json
@@ -0,0 +1,29 @@
+{
+ "displayName": "sample policy to detect forwarder mean buffer used is more than 1% over a 1 hour window for input type pcap and buffer type memory",
+ "conditions": [
+ {
+ "displayName": "forwarder mean buffer used is more than 1% over 1 hour window",
+ "conditionThreshold": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.project_id"
+ ],
+ "perSeriesAligner": "ALIGN_MEAN"
+ }
+ ],
+ "comparison": "COMPARISON_GT",
+ "duration": "0s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND metric.type = \"chronicle.googleapis.com/forwarder/buffer_used\" AND (metric.labels.input_type = \"pcap\" AND metric.labels.buffer_type = \"memory\")",
+ "thresholdValue": 0.01,
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}
\ No newline at end of file
diff --git a/alerts/google-cloud-chronicle/metadata.yaml b/alerts/google-cloud-chronicle/metadata.yaml
new file mode 100644
index 0000000000..75d5bada7d
--- /dev/null
+++ b/alerts/google-cloud-chronicle/metadata.yaml
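Review bot: The `groupByFields` in the buffer-usage condition keeps only `resource.label.project_id`, and with `REDUCE_MEAN` every forwarder's buffer_used series in the project is averaged into a single series before the `COMPARISON_GT` 0.01 check, so one forwarder at high buffer usage is diluted by idle ones and may never trigger. The README describes this policy as firing when "any Chronicle forwarder" exceeds 1%, which the aggregation as written does not deliver; adding `"resource.label.collector_id"` to `groupByFields` evaluates the threshold per forwarder, the same grouping the two combination policies in this commit already use. Also worth confirming that `chronicle.googleapis.com/forwarder/buffer_used` is reported as a ratio rather than a percentage, since `"thresholdValue": 0.01` only means 1% in the former case.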
@@ -0,0 +1,17 @@
+alert_policy_templates:
+-
+ id: silent-forwarder
+ description: "sample policy to detect a single silent Chronicle forwarder using collector_id filter"
+ version: 1
+-
+ id: forwarder-buffer-usage-more-than-threshold-with-filters
+ description: "sample policy to detect forwarder mean buffer used is more than 1% over a 1 hour window for input type pcap and buffer type memory"
+ version: 1
+-
+ id: all-silent-forwarder-logtype-combinations-except-few-logtypes
+ description: "sample policy to detect all silent Chronicle forwarder and logtype combinations except few logtypes"
+ version: 1
+-
+ id: all-silent-forwarder-logtype-combinations
+ description: "sample policy to detect all silent Chronicle forwarder and logtype combinations"
+ version: 1
\ No newline at end of file
diff --git a/alerts/google-cloud-chronicle/silent-forwarder.v1.json b/alerts/google-cloud-chronicle/silent-forwarder.v1.json
new file mode 100644
index 0000000000..986b37df2e
--- /dev/null
+++ b/alerts/google-cloud-chronicle/silent-forwarder.v1.json
@@ -0,0 +1,27 @@
+{
+ "displayName": "sample policy to detect a single silent Chronicle forwarder using collector_id filter",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder silent for 1 hour",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.project_id"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND resource.labels.collector_id = \"10479925-878c-11e7-9421-10604b7cb5c1\" AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}
\ No newline at end of file
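Review bot: The `filter` line pins the absence condition to the literal collector `10479925-878c-11e7-9421-10604b7cb5c1`, and neither the displayName nor the metadata.yaml description marks it as a sample value, so a template deployed unchanged into another project filters on a collector that does not exist there and the condition has nothing to watch while still reading as coverage. Make the placeholder nature explicit in the policy itself, e.g. `"displayName": "sample policy to detect a single silent Chronicle forwarder using collector_id filter (replace the sample collector_id)"`, or carry the instruction in a `documentation` block. The README added at the top of this commit repeats the same literal id in prose and would need the same caveat.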