[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[],[],null,["# Silent-host monitoring\n======================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains the methods of how Google Security Operations *silent-host monitoring* (*SHM*) lets you identify hosts in your environment that have gone silent.\n\nA *silent* host can signal potential collector stoppages.\n\nUse a detection rule for SHM\n----------------------------\n\nWe recommend that you configure a detection rule for SHM.\n\nThis method monitors UDM fields (such as `hostname`, `ip`, or `mac`) and triggers an alert when expected values have not been received within a specified time period.\n| **Note:** This method uses *event time* , not ingestion time. Detection rule limits apply. For more information, see [Detection limits](/chronicle/docs/detection/detection-limits).\n\n### Example detection rules for SHM\n\nThis section contains example detection rules for SHM, which you can use or adapt for your specific needs. For example, you can modify the time period, use other fields (such as `ip`), or split up the rule in other ways.\n\n#### Detect silent hosts by hostname\n\nThe following example detects silent hosts by `hostname`:\n\n- Scans 20-minute windows.\n- Tracks hosts using `ip`, `hostname`, and `mac`.\n- Alerts if no events have been received for a host in the last 10 minutes, but not *silent* in the last 20 minutes.\n\n rule shm_using_hostname {\n meta:\n\n events:\n $event.metadata.event_timestamp.seconds \u003e timestamp.current_seconds() - 1200\n // $identifier_hash = hash.sha256(strings.concat($event.principal.ip[0], $event.principal.hostname, $event.principal.mac[0]))\n $silent_hostname = $event.principal.hostname\n match:\n $silent_hostname over 10m\n outcome:\n $max_event_time = max($event.metadata.event_timestamp.seconds)\n $max_diff = timestamp.current_seconds() - $max_event_time\n condition:\n $event and $max_diff \u003e 600\n }\n\n#### Detect silent collectors using ingestion labels\n\nThe following example detection rule for SHM:\n\n- Scans 20-minute windows.\n- Identifies silence using the `ingestion_source` ingestion label.\n- Identifies values from a specified timezone (in this example, Asia/Calcutta) that have been *silent* for the last 10 minutes, but *not* silent in the last 20 minutes.\n\n rule shm_using_ingestion_label {\n meta:\n\n events:\n $event.metadata.event_timestamp.seconds \u003e timestamp.current_seconds() - 1200\n $event.metadata.ingestion_labels.key = \"ingestion_source\"\n $silent_ingestion_source = $event.metadata.ingestion_labels.value\n match:\n $silent_ingestion_source over 20m\n outcome:\n $max_time_seconds = max($event.metadata.event_timestamp.seconds)\n $max_diff_seconds = timestamp.current_seconds() - $max_time_seconds\n $max_timestamp = timestamp.get_timestamp($max_time_seconds, \"SECOND\", \"Asia/Calcutta\")\n $current_timestamp = timestamp.get_timestamp(timestamp.current_seconds(), \"SECOND\", \"Asia/Calcutta\")\n condition:\n $event and $max_diff_seconds \u003e 600\n }\n\nUse Google Cloud Monitoring with ingestion labels for SHM\n---------------------------------------------------------\n\nThis method uses Google Cloud Monitoring to monitor log ingestion rates based on ingestion labels for SHM.\n| **Note:** Ingestion labels identify the parser that normalizes raw log data to structured UDM format. Essentially, any method that you use to send data to Google SecOps supports ingestion labels (such as Bindplane) and is compatible.\n\nThis section describes how to set up this method using [Bindplane](https://bindplane.com/docs/getting-started/quickstart-guide), which includes the following steps:\n\n1. [Configure Bindplane for SHM with Google Cloud Monitoring](#bp-shm)\n2. [Configure the Google Cloud Monitoring threshold for SHM](#google-cloud-monitoring-threshold-shm)\n\nAfter you set up a logs pipeline that applies ingestion labels for SHM, you can set up Google Cloud Monitoring alerts per collector---for when the ingestion rate falls below a specified threshold. You can configure the alerts to go to a variety of places outside of Google SecOps and integrate the alerts into a workflow.\n\nBenefits of this method:\n\n- Monitors ingestion time, not event time.\n- Leverages Cloud Monitoring's advanced alerting capabilities.\n\nDownsides of this method:\n\n- Requires a separate configuration outside of Google SecOps.\n- Limited by the number of [ingestion labels](/chronicle/docs/reference/ingestion-metrics-schema#ingestion_api_schema).\n\n### Configure Bindplane for SHM with Google Cloud Monitoring\n\nThe prerequisites to configure Bindplane for SHM with Google Cloud Monitoring are as follows:\n\n- A deployed [Bindplane server](https://bindplane.com/docs/getting-started/quickstart-guide) that is configured with a [**Google SecOps Standardization** *processor*](https://bindplane.com/docs/resources/processors/google-secops-standardization).\n- The Google SecOps Standardization processor is configured to add a supported `log_type` and an ingestion label (for example, `ingestion_source`).\n\nTo configure Bindplane for SHM with Google Cloud Monitoring, complete the following steps:\n\n1. Send the hostname of the collector server as an attribute in each log entry.\n2. On the **Log** tab, select **Processors** \\\u003e **Add Processors** \\\u003e **Copy Field**.\n3. Configure the **Copy Field** processor:\n - Enter a short description for the resource.\n - Choose the `Logs` telemetry type.\n - Set the `Copy From` field to `Resources`.\n - Set the `Resource field` field to `host.name`.\n - Set the `Copy To field` field to `Attributes`.\n - Set the `Attributes Field` field, for example, to `chronicle_ingestion_label[\"ingestion_source\"]`.\n\n### Configure the Google Cloud Monitoring threshold for SHM\n\nDefine a threshold based on your expected ingestion rate. Lower thresholds detect collector outages; higher thresholds detect upstream log gaps.\n\nAfter you configure the Google Cloud Monitoring threshold for SHM, we recommend that you monitor the **Chronicle Collector** \\\u003e **Ingestion** \\\u003e **Total Ingestion Log Count** metric. For detailed sample-setup instructions, go to [Set up a sample policy to detect silent Google SecOps collection agents](/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics#detect-collect-agents).\n\nUse a Google SecOps dashboard for SHM\n-------------------------------------\n\nUse a Google SecOps dashboard to view daily counts for monitoring hosts that have gone silent.\n\nThis method is great for high-level daily overviews, but this method does not support alerts, and the results have a latency of up to 6 hours.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
