Chronicle SecOps Suite - Cloud Functions
The aim of this website is to provide information, links and resources that give Customers and Partners tools and utilities for their Chronicle SecOps environment.
Our security Partners and Customers have asked multiple times for notifications about silent servers, i.e. systems that have stopped ingesting logs into Chronicle. This is still not possible in Chronicle today: the silent-log notification available through Cloud Monitoring reports only the DATA_LABELS of the ingestion sources, not entity details such as hostnames or IP addresses.
As a Partner Engineer, I came up with the idea of building a way to easily get a list of systems that have not sent logs to Chronicle SIEM for a specified amount of time.
Here you'll find a Cloud Function that checks and returns an up-to-date list of servers that have not sent logs for a given number of seconds (the number of seconds is passed as a parameter when calling the function). The function is triggered by a plain HTTP request to its endpoint.
New version released! 31/may/2024
NEW! - Code cleanup and a new SQL parameter: chronicle_tla
This lets you select the target BigQuery instance by passing the chronicle_tla parameter in the URL. Because this value decides which dataset is queried, treat it as untrusted input: check it against the list of TLAs the function's service account is meant to reach before it is used in the query, since a dataset name cannot be bound as a query parameter the way sec_late and limit_count can.
Oreste Dimaggio - Global Partner Engineer - Security
1. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
2. Make sure that billing is enabled for your Google Cloud project.
3. Enable the Cloud Functions, Cloud Build, and Artifact Registry APIs.
4. Create a new service account and send its email address to your Chronicle Customer Engineer/Partner Engineer (Standalone/Non-BYOP), asking for read access to your BigQuery instances (there is one instance/TLA for each Chronicle tenant). This is the identity the function will run as, so grant it nothing beyond what the query needs.
5. Install the Google Cloud CLI.
6. To initialize the gcloud CLI, run the following command:
   gcloud init
7. If you already have the gcloud CLI installed, update it by running the following command:
   gcloud components update
8. Check the organization policy constraint constraints/iam.allowedPolicyMemberDomains (domain restricted sharing). When it is enforced it blocks granting the invoker role to allUsers, which the --allow-unauthenticated deployment below requires; either exempt the project from the constraint or deploy without --allow-unauthenticated and call the function with an identity token.
Download the function as a zip file and extract it.
Change to the directory that contains the Cloud Functions sample code:
cd chronicle-silent-entities-cf
To deploy the function with an HTTP trigger, run the following command in the directory that contains the sample code (set the desired region with the --region parameter before deploying):
gcloud functions deploy nodejs-chronicle-silent-entities-cf --gen2 --runtime=nodejs20 --region=REGION --source=. --entry-point=chronicleSilentEntities --trigger-http --allow-unauthenticated
Note that --allow-unauthenticated makes the endpoint reachable by anyone on the internet, and its response is a list of your hosts. Unless you need an anonymous endpoint, drop that flag, grant the invoker role only to the principal that will poll the function, and call it with an identity token. Also pass --service-account=SA_EMAIL so the function runs as the service account created above rather than the project's default compute service account.
When the function has been deployed, take note of the uri property or find it using the following command:
gcloud functions describe nodejs-chronicle-silent-entities-cf --gen2 --region=REGION --format="value(serviceConfig.uri)"
Visit this URI in your browser. You can pass the following parameters in the URL:
sec_late - Number of seconds since the last event
limit_count - Maximum number of hosts returned
chronicle_tla - Chronicle instance code (TLA)
orestedimaggio@bypo:~/source/chronicle-notifier$ cd chronicle-silent-entities-cf/
orestedimaggio@bypo:~/source/chronicle-notifier/chronicle-silent-entities-cf$ gcloud functions deploy nodejs-chronicle-silent-entities-cf --gen2 --runtime=nodejs20 --region=europe-west8 --source=. --entry-point=chronicleSilentEntities --trigger-http --allow-unauthenticated
Preparing function...done.
X Updating function (may take a while)...
[Build] Logs are available at [https://console.cloud.google.com/cloud-build/builds;region=europe-west8/47ffa593-ad32-48b9-8433-9776d72bde5a?project=654707583637]
[Service]
. [ArtifactRegistry]
. [Healthcheck]
. [Triggercheck]
Completed with warnings:
[WARNING] *** Improve build performance by generating and committing package-lock.json.
[INFO] A new revision will be deployed serving with 100% traffic.
You can view your function in the Cloud Console here: https://console.cloud.google.com/functions/details/europe-west8/nodejs-chronicle-silent-entities-cf?project=chronicle-orestedimaggio
buildConfig:
  build: projects/654707583637/locations/europe-west8/builds/47ffa593-ad32-48b9-8433-9776d72bde5a
  dockerRegistry: ARTIFACT_REGISTRY
  entryPoint: chronicleSilentEntities
  runtime: nodejs20
  source:
    storageSource:
      bucket: gcf-v2-sources-654707583637-europe-west8
      generation: '1700206955111880'
      object: nodejs-chronicle-silent-entities-cf/function-source.zip
  sourceProvenance:
    resolvedStorageSource:
      bucket: gcf-v2-sources-654707583637-europe-west8
      generation: '1700206955111880'
      object: nodejs-chronicle-silent-entities-cf/function-source.zip
environment: GEN_2
labels:
  deployment-tool: cli-gcloud
name: projects/chronicle-orestedimaggio/locations/europe-west8/functions/nodejs-chronicle-silent-entities-cf
serviceConfig:
  allTrafficOnLatestRevision: true
  availableCpu: '0.1666'
  availableMemory: 256M
  ingressSettings: ALLOW_ALL
  maxInstanceCount: 100
  maxInstanceRequestConcurrency: 1
  revision: nodejs-chronicle-silent-entities-cf-00007-bom
  service: projects/chronicle-orestedimaggio/locations/europe-west8/services/nodejs-chronicle-silent-entities-cf
  serviceAccountEmail: chronicle-bigquery@chronicle-orestedimaggio.iam.gserviceaccount.com
  timeoutSeconds: 60
  uri: https://nodejs-chronicle-silent-entities-cf-onmbsqrwka-oc.a.run.app
state: ACTIVE
updateTime: '2023-11-17T07:43:42.369032120Z'
url: https://europe-west8-chronicle-orestedimaggio.cloudfunctions.net/nodejs-chronicle-silent-entities-cf
HTTP parameters:
sec_late - Number of seconds since the last log line seen in the platform
limit_count - Maximum number of hosts returned
chronicle_tla - Chronicle instance code to query (if you don't know it, ask your Customer or Partner Engineer)
# curl -X POST https://europe-west8-chronicle-orestedimaggio.cloudfunctions.net/nodejs-chronicle-silent-entities-cf -d "sec_late=300&limit_count=100&chronicle_tla=something"
Both the cloudfunctions.net url and the run.app uri shown by gcloud functions describe reach the same gen2 function. If you deployed without --allow-unauthenticated, the caller must send an identity token (for example the one printed by gcloud auth print-identity-token) as a Bearer token in the Authorization header; the function answers 403 otherwise.
Output:
<host1>
<host2>
<host3>
<host4>
<host5>
....etc....
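The page does not show the function's source, so the following is an added example of the input handling a practitioner would want in front of the BigQuery query in a Node.js function of this shape, covering the chronicle_tla caveat in the release note and the three HTTP parameters above. It is not the project's code. The three parameter names (sec_late, limit_count, chronicle_tla) and the Express-style (req, res) entry point are the page's; the BigQuery project id, the dataset naming scheme, the table and column names, the format of a TLA and the allowlist contents are assumptions.

```javascript
// Added example (not the project's code): parameter validation and query
// construction for an HTTP-triggered Node.js function that lists hosts
// that have gone silent. Project id, dataset/table/column names and the
// TLA format below are assumptions, not taken from the page.

const TLA_PATTERN = /^[a-z0-9]{2,8}$/;      // assumed shape of an instance TLA
const MAX_SEC_LATE = 30 * 24 * 3600;        // refuse look-backs longer than 30 days
const MAX_LIMIT = 1000;                     // cap the size of the returned list
const BQ_PROJECT = 'chronicle-bq';          // assumed project holding the exports

// Parse a non-negative integer string and enforce [min, max]; the fallback
// applies when the parameter is absent. Anything that is not a plain run of
// digits (signs, floats, SQL fragments) is rejected rather than coerced.
function parseBoundedInt(value, name, min, max, fallback) {
  if (value === undefined || value === null || value === '') return fallback;
  const text = String(value);
  if (!/^\d{1,10}$/.test(text)) {
    throw new RangeError(`${name} must be a non-negative integer`);
  }
  const n = Number(text);
  if (n < min || n > max) {
    throw new RangeError(`${name} must be between ${min} and ${max}`);
  }
  return n;
}

// Validate the three HTTP parameters. chronicle_tla is matched against an
// allowlist because it lands in an identifier position (the dataset name),
// which BigQuery cannot bind as a query parameter.
function validateParams(raw, allowedTlas) {
  const secLate = parseBoundedInt(raw.sec_late, 'sec_late', 1, MAX_SEC_LATE, 300);
  const limitCount = parseBoundedInt(raw.limit_count, 'limit_count', 1, MAX_LIMIT, 100);
  const tla = String(raw.chronicle_tla ?? '').toLowerCase();
  if (!TLA_PATTERN.test(tla) || !allowedTlas.includes(tla)) {
    throw new RangeError('chronicle_tla is not a known Chronicle instance');
  }
  return { secLate, limitCount, tla };
}

// Build the options object you would hand to BigQuery.query(). The only
// interpolated value is the allowlisted TLA; the numbers are bound parameters.
function buildSilentEntitiesQuery({ secLate, limitCount, tla }) {
  const table = `\`${BQ_PROJECT}.${tla}_datalake.udm_events\``; // assumed naming
  const query = [
    'SELECT principal.hostname AS hostname,',
    '       MAX(metadata.event_timestamp) AS last_seen',
    `FROM ${table}`,
    'WHERE principal.hostname IS NOT NULL',
    'GROUP BY hostname',
    'HAVING last_seen < TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL @sec_late SECOND)',
    'ORDER BY last_seen',
    'LIMIT @limit_count',
  ].join('\n');
  return { query, params: { sec_late: secLate, limit_count: limitCount } };
}

// Express-style handler of the kind Cloud Functions gen2 invokes. runQuery is
// injected so the handler can be exercised without BigQuery; in deployment it
// would be (opts) => bigquery.query(opts).then(([rows]) => rows).
function makeSilentEntitiesHandler(allowedTlas, runQuery) {
  return async function silentEntitiesHandler(req, res) {
    let params;
    try {
      // Accept query-string (GET) or form/JSON body (POST) parameters.
      params = validateParams({ ...(req.query || {}), ...(req.body || {}) }, allowedTlas);
    } catch (err) {
      res.status(400).send(`bad request: ${err.message}`);
      return;
    }
    const rows = await runQuery(buildSilentEntitiesQuery(params));
    // One hostname per line, matching the output format shown above.
    res.status(200).send(rows.map((r) => r.hostname).join('\n') + '\n');
  };
}
```

In an index.js you would export makeSilentEntitiesHandler(['abc', 'xyz'], runQuery) under the name given to --entry-point. Rejecting with 400 before any query runs keeps a malformed or probing request from ever reaching BigQuery, and the bounded look-back and limit keep a single anonymous call from scanning the whole export.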