add chronicle alert policy templates

alerts/google-cloud-chronicle/README.md

@@ -0,0 +1,18 @@
+# Alerts for Chronicle
+
+### Silent Forwarder
+
+This alert policy detects the absence of data for a chronicle collector with collector_id = 10479925-878c-11e7-9421-10604b7cb5c1 over a 1 hour window. These generally require further investigation and indicate an issue with the Chronicle collector.
+
+### All silent Chronicle forwarder and logtype combinations
+
+This alert policy fires an alert everytime a chronicle forwarder goes silent for a log type. Eg: If 4 forwarders are setup supplying 5 log types each, there would be 20 alerts firing (one for each combination). Similarly if a single chronicle forwarder goes down 5 alerts will be active.
+
+### All silent Chronicle forwarder and logtype combinations except few logtypes
+
+This alert policy similar to the above alert policy except it will not fire alerts for the excluded log types. In context of this template it won't fire alerts if Chronicle forwarders stop sending logs for BIND_DNS, CS_DETECTS or BRO_DNS.
+
+
+### Forwarder buffer usage threshold
+
+This alert policy sends out alerts when any Chronicle forwarder collecting logs from pcap has mean buffer usage above 1% for a 1 hour time window.

alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations-except-few-logtypes.v1.json

@@ -0,0 +1,28 @@
+{
+ "displayName": "sample policy to detect all silent Chronicle forwarder and logtype combinations except few logtypes",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder and logtypes silent for 1 hour except few",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.collector_id",
+ "resource.label.log_type"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND resource.labels.log_type != one_of(\"BIND_DNS\", \"BRO_DNS\", \"CS_DETECTS\") AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}

alerts/google-cloud-chronicle/all-silent-forwarder-logtype-combinations.v1.json

@@ -0,0 +1,28 @@
+{
+ "displayName": "sample policy to detect all silent Chronicle forwarder and logtype combinations",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder and logtypes silent for 1 hour",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.collector_id",
+ "resource.label.log_type"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}

alerts/google-cloud-chronicle/forwarder-buffer-usage-more-than-threshold-with-filters.v1.json

@@ -0,0 +1,29 @@
+{
+ "displayName": "sample policy to detect forwarder mean buffer used is more than 1% over a 1 hour window for input type pcap and buffer type memory",
+ "conditions": [
+ {
+ "displayName": "forwarder mean buffer used is more than 1% over 1 hour window",
+ "conditionThreshold": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.project_id"
+ ],
+ "perSeriesAligner": "ALIGN_MEAN"
+ }
+ ],
+ "comparison": "COMPARISON_GT",
+ "duration": "0s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND metric.type = \"chronicle.googleapis.com/forwarder/buffer_used\" AND (metric.labels.input_type = \"pcap\" AND metric.labels.buffer_type = \"memory\")",
+ "thresholdValue": 0.01,
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}

alerts/google-cloud-chronicle/metadata.yaml

@@ -0,0 +1,17 @@
+alert_policy_templates:
+-
+ id: silent-forwarder
+ description: "sample policy to detect a single silent Chronicle forwarder using collector_id filter"
+ version: 1
+-
+ id: forwarder-buffer-usage-more-than-threshold-with-filters
+ description: "sample policy to detect forwarder mean buffer used is more than 1% over a 1 hour window for input type pcap and buffer type memory"
+ version: 1
+-
+ id: all-silent-forwarder-logtype-combinations-except-few-logtypes
+ description: "sample policy to detect all silent Chronicle forwarder and logtype combinations except few logtypes"
+ version: 1
+-
+ id: all-silent-forwarder-logtype-combinations
+ description: "sample policy to detect all silent Chronicle forwarder and logtype combinations"
+ version: 1

alerts/google-cloud-chronicle/silent-forwarder.v1.json

@@ -0,0 +1,27 @@
+{
+ "displayName": "sample policy to detect a single silent Chronicle forwarder using collector_id filter",
+ "conditions": [
+ {
+ "displayName": "chronicle forwarder silent for 1 hour",
+ "conditionAbsent": {
+ "aggregations": [
+ {
+ "alignmentPeriod": "3600s",
+ "crossSeriesReducer": "REDUCE_MEAN",
+ "groupByFields": [
+ "resource.label.project_id"
+ ],
+ "perSeriesAligner": "ALIGN_DELTA"
+ }
+ ],
+ "duration": "3600s",
+ "filter": "resource.type = \"chronicle.googleapis.com/Collector\" AND resource.labels.collector_id = \"10479925-878c-11e7-9421-10604b7cb5c1\" AND metric.type = \"chronicle.googleapis.com/ingestion/log/record_count\"",
+ "trigger": {
+ "count": 1
+ }
+ }
+ }
+ ],
+ "combiner": "OR",
+ "enabled": true
+}