Comprehensive and Detailed Explanation
The correct solution is Option D. This approach correctly uses the integrated Google Cloud-native tools for both monitoring and alerting.
Google Security Operations (SecOps) automatically streams all ingestion metrics to Google Cloud Monitoring. This includes metrics for throughput (e.g., chronicle.googleapis.com/ingestion/event_count, chronicle.googleapis.com/ingestion/byte_count), parsing errors (e.g., chronicle.googleapis.com/ingestion/parse_error_count), and the health of collection agents (e.g., chronicle.googleapis.com/ingestion/last_seen_timestamp).
Receive a notification (15 minutes): The Data Ingestion and Health dashboard (Option A) is for visualization, and its "reports" are scheduled summaries, not real-time alerts. The only way to get a 15-minute notification is to use Cloud Monitoring. An alerting policy can be configured to trigger when a "metric absence" is detected for a specific collection agent's last_seen_timestamp, fulfilling the "silent source" requirement.
Visualize metrics: Cloud Monitoring also provides a powerful dashboarding service. A Cloud Monitoring dashboard can be built to graph all the necessary metrics—throughput, parsing errors, and agent status—in one place.
Option C is incorrect because it suggests using the Bindplane Observability Pipeline, which is a separate product. Option B is incorrect as Risk Analytics is for threat detection (UEBA), not platform health.
Exact Extract from Google Security Operations Documents:
Use Cloud Monitoring for ingestion insights: Google SecOps uses Cloud Monitoring to send the ingestion notifications. Use this feature for ingestion notifications and ingestion volume viewing.
Set up a sample policy to detect silent Google SecOps collection agents:
In the Google Cloud console, select Monitoring.
Click Create Policy.
On the Select a metric page, select Chronicle Collector > Ingestion > Total ingested log count.
In the Transform data section, set the Time series group by to collector_id.
Click Next.
Select Metric absence and set the Trigger absence time (e.g., 15 minutes).
In the Notifications and name section, select a notification channel.
You can also create custom dashboards in Cloud Monitoring to visualize any of the exported metrics, such as Total ingested log size or Total record count (for parsing).
[References:, Google Cloud Documentation: Google Security Operations > Documentation > Ingestion > Use Cloud Monitoring for ingestion insights, Google Cloud Documentation: Google Security Operations > Documentation > Ingestion > Silent-host monitoring > Use Google Cloud Monitoring with ingestion labels for SHM, , ]
Submit