
Verify log data ingestion using test rules

Chronicle Rules include test rule sets that help verify that the data each policy depends on is arriving and is in the format the rules expect.

These rule sets are under the Managed Detection Testing category. Each rule set validates that data received from the test device is in the format expected by the rules for the corresponding policy.

Rule set name                      Description
GCP Managed Detection Testing      Verifies that data is successfully ingested from devices supported by the Cloud Threats category.
Windows Managed Detection Testing  Verifies that data is successfully ingested from devices supported by the Windows Threats category.

Managed detection testing

Follow the steps in this document to test and verify that incoming data is ingested correctly and is in the correct format.

Verify data ingestion for Windows Threats category

The Windows Echo Test Rule verifies that Windows logging is working correctly for Chronicle Rules. The test uses the Windows Command Prompt to run the echo command with an expected, unique string. The rule can only match that string if the device's process-creation events record the full command line and those events are forwarded to Chronicle, so if the test does not fire, check command-line auditing and log forwarding on the device before suspecting the rule.

Running the test is straightforward: any user who can open the Windows Command Prompt can run it.

Step 1. Enable the test rules

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Enable both Status and Alerting for the Windows Managed Detection Testing rules.

Step 2. Send test data from a Windows device

To trigger the Windows Echo Test Rule, perform the following steps:

  1. Access any Windows device that is forwarding logs to Chronicle.
  2. Open a new Windows Command Prompt window as any user.
  3. Enter the following case-insensitive command, and then press Enter:

    cmd.exe /c "echo hello_chronicle_world!"

  4. Close the Command Prompt window.

Step 3. Verify that an alert was triggered in Chronicle

Verify that the command triggered the tst_Windows_Echo rule in Chronicle. This indicates that Windows logging is sending data as expected. To verify the alert in Chronicle, perform the following steps:

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Click Dashboard.
  4. Verify that the tst_Windows_Echo rule has been triggered in the detection list.

Step 4. Disable the test rules

When you are finished, disable the Windows Managed Detection Testing rules.

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Disable both Status and Alerting for the Windows Managed Detection Testing rules.

Verify data ingestion for Cloud Threats category

These rules help verify whether Cloud Audit Logs and Cloud DNS log data are being ingested as expected for Chronicle Rules.

The following sections describe how to send test data using the:

  • Cloud Audit Metadata test rule: To trigger this rule, add a unique, expected custom metadata key to any Compute Engine VM whose Cloud Audit Logs are sent to Chronicle.

  • Cloud DNS test rule: To trigger this rule, perform a DNS lookup of the domain chronicle.security from any VM that has internet access and whose Cloud DNS logs are sent to Chronicle. Cloud DNS query logging is enabled per VPC network through a DNS server policy, and only queries that go through the VM's default resolver (the metadata server) are logged, so do not point the lookup at an external resolver such as 8.8.8.8.

Step 1. Enable the test rules

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Enable both Status and Alerting for the GCP Managed Detection Testing rules.

Step 2. Send Cloud Audit Metadata test data

To trigger the test, complete the following steps:

  1. Choose a project within your organization.
  2. Go to Compute Engine, and then choose a VM within the project.
  3. On the VM details page, click Edit, and then add the following item under Custom metadata:

    • Click Add Item.
    • Enter the following key and value:
      Key: GCTI_ALERT_VALIDATION_TEST_KEY
      Value: works
    • Click Save.

Step 3. Send Cloud DNS test data

Perform the following steps as a user in the chosen project whose IAM role grants access to a Compute Engine VM.

To trigger the test, complete the following steps:

  1. Choose a project within your organization.
  2. Go to Compute Engine, then choose a VM within the project.

    • If it is a Linux VM, make sure you have SSH access.
    • If it is a Windows VM, make sure you have RDP access.

  3. Click SSH (Linux) or RDP (Windows) to access the VM.

  4. Send test data using one of the following steps:

    • Linux VM: After accessing the VM via SSH, run one of the following commands:

      nslookup chronicle.security
      host chronicle.security

      If the command is not found, install the DNS utilities on the VM using one of the following commands:

      • sudo apt-get install dnsutils (for Debian/Ubuntu VMs)
      • sudo dnf install bind-utils (for RHEL/Fedora VMs)
      • sudo yum install bind-utils (for older RHEL/CentOS VMs)

      Run the lookup without specifying a DNS server, so that the query goes through the VM's default resolver and is captured by Cloud DNS logging.
    • Windows VM: After accessing the VM via RDP, open any installed browser and browse to https://chronicle.security, or run nslookup chronicle.security from a Command Prompt.
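The two Cloud tests above (Steps 2 and 3) can be driven from Cloud Shell with gcloud instead of the console, and the same script checks that the resulting entries actually reached Cloud Logging before you look for the alerts in Chronicle, which separates a GCP logging problem from a Chronicle ingestion problem. This is an added example, not part of the Chronicle documentation or product. It assumes that the PROJECT, ZONE and INSTANCE variables identify your VM, that GCLOUD can override the gcloud binary (used here for dry runs), and that the audit and DNS entries carry their standard Cloud Logging field names (protoPayload.methodName, resource.type="dns_query", jsonPayload.queryName); the queried name and metadata key are the ones the page specifies.

```shell
#!/usr/bin/env bash
# Added example (not Chronicle's own tooling): run the Cloud Audit Metadata and
# Cloud DNS tests with gcloud and confirm the entries exist in Cloud Logging.
# Assumed environment: PROJECT, ZONE, INSTANCE name the target VM; GCLOUD
# optionally overrides the gcloud binary (e.g. GCLOUD=echo for a dry run).
set -u

META_KEY="GCTI_ALERT_VALIDATION_TEST_KEY"   # key the test rule expects
META_VALUE="works"
TEST_FQDN="chronicle.security"              # name the DNS test rule expects

gc() { "${GCLOUD:-gcloud}" "$@"; }

# Step 2: add the metadata item; this produces a compute.instances.setMetadata audit log entry.
add_test_metadata() {
  gc compute instances add-metadata "$INSTANCE" --project "$PROJECT" --zone "$ZONE" \
    --metadata "${META_KEY}=${META_VALUE}"
}

# Cleanup: remove the test key once the alert has fired so it does not linger on the VM.
remove_test_metadata() {
  gc compute instances remove-metadata "$INSTANCE" --project "$PROJECT" --zone "$ZONE" \
    --keys "$META_KEY"
}

# Step 3 (Linux VM): resolve the name through the VM's default resolver. No DNS server is
# given on purpose, so the query goes to the metadata server and is seen by Cloud DNS logging.
# getent needs no extra package; nslookup is the fallback from the page.
send_test_dns_query() {
  gc compute ssh "$INSTANCE" --project "$PROJECT" --zone "$ZONE" \
    --command "getent hosts ${TEST_FQDN} || nslookup ${TEST_FQDN}"
}

# Cloud Logging filters for the two expected entries (assumed standard field names).
audit_log_filter() {
  printf 'protoPayload.methodName:"compute.instances.setMetadata" AND protoPayload.resourceName:"instances/%s"' "$INSTANCE"
}
dns_log_filter() {
  printf 'resource.type="dns_query" AND jsonPayload.queryName="%s."' "$TEST_FQDN"
}

# Poll Cloud Logging until at least one entry matches the filter, or give up after $2 tries.
wait_for_log() {
  local filter="$1" tries="${2:-12}" n=0
  while [ "$n" -lt "$tries" ]; do
    if [ -n "$(gc logging read "$filter" --project "$PROJECT" --freshness=15m --limit=1 --format='value(timestamp)')" ]; then
      return 0
    fi
    n=$((n + 1))
    sleep 10
  done
  return 1
}

main() {
  add_test_metadata
  send_test_dns_query
  if wait_for_log "$(audit_log_filter)"; then
    echo "setMetadata audit entry found in Cloud Logging"
  else
    echo "no audit entry: check Cloud Audit Logs before suspecting Chronicle ingestion"
  fi
  if wait_for_log "$(dns_log_filter)"; then
    echo "Cloud DNS query entry found in Cloud Logging"
  else
    echo "no DNS entry: confirm logging is enabled on the VPC's DNS server policy"
  fi
  remove_test_metadata
}

# Only act when explicitly asked, so the functions can be sourced or dry-run safely.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `PROJECT=my-project ZONE=us-central1-a INSTANCE=my-vm ./cloud_ingest_test.sh run` from Cloud Shell; `GCLOUD=echo` prints the gcloud invocations instead of executing them. If both entries appear in Cloud Logging but the tst_GCP_Cloud_Audit_Metadata or tst_GCP_Cloud_DNS_Test_Rule detections never show up in Chronicle, the gap is between Cloud Logging and Chronicle, not in GCP logging itself.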

Step 4. Verify that alerts were triggered in Chronicle

After performing the tasks in the previous step, verify that both the GCP Cloud Audit and GCP Cloud DNS test rules are triggered. This indicates that both Cloud Audit logging and Cloud DNS logging are working correctly.

Follow these steps to verify the alerts:

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Click Dashboard.
  4. Check that the tst_GCP_Cloud_Audit_Metadata rule has been triggered in the detection list.

  5. Check that the tst_GCP_Cloud_DNS_Test_Rule rule has been triggered in the detection list.

Step 5. Disable the test rules

When you are finished, disable the GCP Managed Detection Testing rules.

  1. Log in to Chronicle.
  2. Open the Chronicle Rules page.
  3. Disable both Status and Alerting for the GCP Managed Detection Testing rules.