YARA-L rule to detect ingestion drop

Hi,

Has anyone got any experience with creating a YARA-L rule that detects when a log source stops ingesting? I was hoping for a possible quick win here instead of using a dashboard.

Thanks


Hi,

I think that is not possible, because you cannot search for a nullable log. Maybe you can use the search API and create a custom cloud function to ingest the metric into the SIEM and create a related rule.

The awesome blog by Chris Martin has a great write-up on how you can achieve this with Cloud Monitoring in GCP: https://medium.com/@thatsiemguy/chronicle-forwarder-telemetry-via-google-cloud-monitoring-39ccb32b38...

As noted, a YARA-L rule is not the best spot to do this type of monitoring today.

-mike

Hi,

Use of YARA-L for ingestion monitoring is indeed not recommended, as the event-missing construct (!$event) is not intended for this use case and can result in the rule being limited and then paused.

For monitoring purposes, as you should have your instance linked to a specific project on your GCP instance, metrics from the SIEM module of Google SecOps will be usable in your project. You can leverage those metrics to create Alerting Policies (Monitoring > Alerting in GCP) for your use case (using metric absence).

In addition to the great article from Chris, you can find official documentation on this topic here: https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics

As said by Mike, the best way to keep tabs on ingestion metrics is by using Monitoring directly on GCP.
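As an added example (not from this thread, the linked article or Google's documentation), this is the shape of a Cloud Monitoring alerting policy using a metric-absence condition, in the file format accepted by `gcloud alpha monitoring policies create --policy-from-file=policy.yaml`. The metric type, the `log_type` label value, the project id and the notification channel id are assumptions/placeholders; confirm the exact Chronicle metric name and labels in Metrics Explorer before using it.

```yaml
# Added example: alert when a Google SecOps log source stops ingesting.
# Assumptions: metric type and label name are taken from the SecOps
# ingestion health metrics; replace the placeholders for your project.
displayName: "SecOps ingestion drop - WINDOWS_DNS"
combiner: OR
conditions:
  - displayName: "No WINDOWS_DNS records ingested for 30 minutes"
    # conditionAbsent fires when the filtered series has no data points
    # for the whole 'duration' window, which is what a YARA-L rule cannot do.
    conditionAbsent:
      filter: >
        metric.type="chronicle.googleapis.com/ingestion/log/record_count"
        metric.label.log_type="WINDOWS_DNS"
      aggregations:
        - alignmentPeriod: 300s        # 5-minute buckets
          perSeriesAligner: ALIGN_SUM
          crossSeriesReducer: REDUCE_SUM
          groupByFields:
            - metric.label.log_type
      duration: 1800s                  # absence window: 30 minutes
      trigger:
        count: 1
# Policy-level notification target (placeholder ids).
notificationChannels:
  - projects/PROJECT_ID/notificationChannels/CHANNEL_ID
alertStrategy:
  autoClose: 86400s                    # auto-close once data returns for a day
documentation:
  mimeType: text/markdown
  content: >
    Ingestion for log type WINDOWS_DNS has produced no records for 30 minutes.
    Check the forwarder/feed for this source before assuming a quiet period.
```

Tune `duration` to the expected cadence of the source: a noisy DNS feed can use 30 minutes, while a source that legitimately goes quiet overnight needs a longer window or a per-source policy.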

Thanks for the feedback all. I already knew the answer but wanted to double check whether there was a way via YARA-L which I had missed.

Thanks.