
Log in to Chronicle

Chronicle is designed to work exclusively with the Google Chrome browser. If you do
not have Chrome installed, go to https://www.google.com/chrome/. We recommend
upgrading Chrome to the most current version.

Chronicle is integrated into your single sign-on solution (SSO). You can log in to
Chronicle using the credentials provided by your enterprise.

1. Launch the Google Chrome browser.
2. Ensure you have access to your corporate account.
3. To access the Chronicle application, navigate to
https://customer_subdomain.backstory.chronicle.security, where customer_subdomain is your
customer-specific identifier.

Chronicle Landing Page

Begin your investigation by entering the domain, email, username, hostname, IP
address, file hash, or URL you want to investigate. You can also click the date and time
function, to the left, to focus your search on a specific date and time by navigating
through the pop-up calendar and clock setting. The times and dates of all recorded
events have been converted to UTC for consistency across all of your security data.

View Alerts and IOCs with Enterprise Insights

This documentation describes how to use Enterprise Insights view.
To view data in this view, make sure you can ingest and normalize data from:

• Threat intelligence feeds, which populate the IOC domain matches
• Alerts from third-party devices, such as firewalls, IDSs, etc., which populate
the Alerts pane

Note: You can navigate to the Alerts and IOCs page using the link provided at the top of the Enterprise
Insights page.

Enterprise Insights view displays the domains and assets most in need of investigation
within your enterprise. From Domain view, navigate to Enterprise Insights view by
clicking on the menu icon and selecting Enterprise Insights.

The Procedural Filtering menu is available on Enterprise Insights view. Hovering over
the header categories row displays the sorting control for each column, enabling you to
sort alphabetically or by time depending on the category.

Enterprise Insights

IOC domain matches

The indicator of compromise (IOC) domain matches lists the domains that your security
infrastructure has flagged as suspicious and have been seen recently within your
enterprise. You can adjust the dates under investigation using the date slider (between
1 and 25 days back).

Domains are sorted by the following:

1. IOC INGEST TIME—Time the domain was first received by Chronicle.
2. FIRST SEEN—Time the domain was first seen within your enterprise.
3. LAST SEEN—Time the domain was most recently seen within your enterprise.

Assets with recent alerts

The assets and users within your enterprise with current security alerts are listed here.
You can organize this information by Asset, Alert name, or User. These assets might
require further investigation. Clicking on a user opens User view.

Clicking on an asset opens Asset view.

Using Chronicle dashboards

Overview

Chronicle provides a set of default dashboards for analysis and reporting within the
Chronicle user interface. Reporting is available by converting a dashboard to a
shareable file (for example, PDF, Excel, CSV, etc.). These dashboards are built upon the
capabilities of Looker: https://cloud.google.com/looker and BigQuery:
https://cloud.google.com/bigquery (both Google Cloud products). Looker acts as a
visualization layer while BigQuery acts as a data layer.

Before you begin

Before you can access Dashboards in Chronicle, complete the following steps:

1. Launch the Google Chrome browser.
If you do not have Chrome installed, go to https://www.google.com/chrome/.
2. Ensure you have access to your corporate account.

Access Chronicle

Complete the following steps to access your Chronicle account and navigate to the
Dashboarding page:

1. Navigate to your company's Chronicle account:
https://<your-company>.backstory.chronicle.security
2. Your screen should resemble the following figure.

Chronicle landing page

Accessing the Chronicle Dashboards

Complete the following step to navigate to the Dashboards page:

1. Click the application menu icon in the upper right corner and select
the Dashboards option.
Note: If you are unable to view the Dashboards option in the menu, check with
your account manager to ensure the feature has been enabled for your account.

Application menu

Default Dashboards

Chronicle provides a set of default dashboards. These provide various visualizations of
the data stored within your Chronicle account. These dashboards help you to
understand the state of the Chronicle data ingestion system, along with the current
threat status for your enterprise. All of the default dashboards include a time control.

Context Aware Detections - Risk dashboard

The Context Aware Detections Risk dashboard provides insight into the current threat
status of assets and users in your enterprise. It is built using fields in the Rule
Detections Explore interface and retrieves data from the Chronicle rule_detections table in
BigQuery.

The severity and risk score values are variables defined in each rule. For an example,
see multi-event rule with outcome section. In each panel, data is sorted based on
severity first, and then risk score to identify users and assets most at risk.

Context Aware Detections

• Assets and Devices at Risk panel: Lists the top 10 assets based on the severity.
The Severity levels are Super High, High, Large, Medium, and Low. If the
hostname value is not present in the record, the IP Address is displayed.
• Users at Risk panel: Lists the top 10 users based on the severity. The Severity
levels are Super High, High, Large, Medium, and Low. If the user name value is
not present in the record, the email is displayed.
• Aggregate Risk panel: For each date, the total risk score is aggregated and
displayed as an area graph.
• Detection Results panel: Provides the details of various detections of the
corresponding rule along with score and severity.

Data Ingestion and Health

The Data Ingestion and Health dashboard provides information about the type and
volume of data being ingested into your Chronicle account. This information must
remain relatively stable and predictable. However, a sudden drop in data ingestion can
indicate a problem either with the systems forwarding data from your enterprise or with
your Chronicle account.

The following Data Ingestion and Health dashboard shows visualizations that help you
understand the volume of ingested logs, ingestion errors, and other information.
You can view the following information in the Data Ingestion and Health dashboard:

• Ingested Events Count. The total number of events ingested.

• Ingestion Error Count. The total number of errors encountered during ingestion.

• Log Type Distribution by Events Count. A chart that shows the log types distribution
based on the number of events for each log type.

• Log Type Distribution by Throughput. A chart that shows the log types distribution based
on the throughput.

• Ingestion - Events by Status. A graph that shows the number of events based on their
status.

• Ingestion - Events by Log Type. A table that shows the number of events based on their
status and log type.

• Recently Ingested Events. A table that shows recently ingested events for each log type.

• Daily Log Information. A table that shows the numbers of logs for a day for each log
type.
• Event count vs Size. Graphs that compare event counts and size over a period of time.

• Ingestion Throughput. Graphs that show ingestion throughput over a period of time.

IOC Matches

The Indicator of Compromise (IOC) Matches dashboard provides visibility into the IOCs
currently present in your enterprise. It includes the following IOC charts:

• IOC Matches Over Time by Category

• Top 10 Domains IOC indicators

• Top 10 IP IOC Indicators

• Top 10 Assets by IOC Matches

IOC Matches

Main

The Main dashboard displays information about the status of the Chronicle data
ingestion system. It also includes a global map highlighting the geographic location of
the IOCs detected within your enterprise.

Note: The mapping feature is unavailable in some regions of the world.

Main dashboard

Rule Detections

The Rule Detections dashboard provides insight into activity related to the detection
engine and the configured rules. Since your security analysts configure these rules to
search for specific threats, this information might be particularly relevant to your
organization.
Rule Detections

User Sign In Overview

The User Sign in Overview dashboard provides insight into where your users are logging
into your enterprise from and what applications they are signing in to. This information
can be useful for tracking attempts by malicious actors to access your enterprise. For
example, you might find that a particular user has attempted to access your enterprise
from a country where you do not have an office or that a user in administration appears
to be repeatedly accessing an accounting application.
User Sign in Overview

Copying a Default Dashboard

The Chronicle default dashboards cannot be modified. However, you can make a copy
of any of the default dashboards and add it to either the Personal or Shared dashboards
sections. The copies can be modified, enabling you to customize these dashboards for
your enterprise as needed.

To copy a default dashboard, click the three-dot menu icon. The following options are
available:

• Copy to Personal

• Copy to Shared

The personal dashboards are visible only to you, based on your username. The shared
dashboards are visible to all members of your organization's Chronicle account.

Options - Copy to Personal or Shared

Once you have made a copy of a default dashboard, you can select it from the Personal
or Shared Dashboards section. Click the three dot menu in the upper right corner and
select Edit dashboard. You can then edit any of the dashboard elements by selecting
the three dot menu on the element and selecting Edit. This opens the Looker popup
window, enabling you to modify the element further.

See Example: Creating a New Dashboard for an example of how to create a new dashboard.
Creating a new dashboard is much like editing an existing dashboard.

Note: The Chronicle dashboards are built with Looker. For detailed information on all of
the features and capabilities of Looker dashboards, see the Looker documentation.
Edit dashboard

Example: Creating a New Dashboard

You can create a new dashboard either within the Personal or Shared Dashboards
sections. Personal dashboards are only visible within your own Chronicle account. The
shared dashboards are visible to all members of your team who also have access to
your Chronicle account.

Note: This feature is built on Looker. For detailed information on all of the features and
capabilities of Looker dashboards, see the Looker documentation.

The following example illustrates how to create a dashboard for monitoring the top 25
IOCs in your enterprise:

1. Click NEW to create a new dashboard.
2. Click Edit Dashboard.
3. Click Add Tile. The options available in the following steps mirror what is also
available from a Looker account.
4. Choose an Explore from the following list. Explores are the classes of data within
your Chronicle account you can use to create a data visualization for your new
dashboard.
• Ingestion Stats
• IOC Matches
• Rule Detections

Choose an Explore

5. Select Ioc Matches (Ioc - Indicator of Compromise).

IOC Matches

6. For Dimensions, select Asset Hostname and Confidence Score from the left
navigation panel. You typically need to select at least two dimensions to create a
new visualization.
Set the Ioc Matches Confidence Score control from highest to lowest and set
the Row Limit to 25 as shown in the figure.
7. Select the Table icon and click Run to test the visualization against your
Chronicle data.

Dimensions

8. The following table is displayed with the Top 25 IOCs by Confidence against
Assets within your enterprise. Give the Explore a title (Top 25 IOCs in this
example) in the upper left corner of the pop-up window. Click Save to save the
Explore and return to the Dashboards window.

Top 25 IOCs

9. Give the new dashboard a name (Check First in this example). Click Save.
The Dashboards page is displayed with the added new dashboard.

New dashboard displaying the Top 25 IOCs

Investigate an asset

This page shows you how to investigate an asset.

To view data in this view, make sure you are ingesting and normalizing data from
devices on your network, such as EDR, firewall, web proxy, etc.

Chronicle allows you to investigate alerts from other security products. You can
investigate assets to determine whether any have been compromised, determine the
nature of the compromise, and begin remediating issues.

To investigate an asset in Chronicle:

1. Enter the hostname, client IP address, or MAC address for the asset you want to
investigate:
• Hostname—Either short (for example, mattu) or fully qualified (for example,
mattu.ads.altostrat.com).
• Internal IP address—Internal IP address for the client (for example,
10.120.89.92). Both IPv4 and IPv6 are supported.
• MAC address—MAC address for any device within your enterprise (for example,
00:53:00:4a:56:07).

Note: If you enter an IP or MAC address, Chronicle automatically pivots to the machine
that is associated with that IP or MAC address at the specified search time.

2. Enter a timestamp for the asset (current UTC time and date are default).
3. Click Search.

Asset view

You can adjust the Asset view to hide benign activity and help highlight the data
relevant to an investigation. The following descriptions refer to the Asset view figure.

Asset view

1 TIMELINE sidebar list

When you search for an asset, activity returns a default time window of 2 hours.
Hovering over the header categories row displays the sorting control for each column,
enabling you to sort alphabetically or by time depending on the category. Adjust the
time window using the time slider or by scrolling the mouse wheel while the cursor is
over the Prevalence Graph. See also the Time Slider and Prevalence Graph.

2 DOMAINS sidebar list

Use this list to see the first lookup of each distinct domain within a given time window,
helping to hide noise caused by assets frequently connecting to domains.

Domains list

3 Time slider

The Time Slider lets you adjust the time period under examination. You can adjust the
slider to view between one minute and one day of events (you can also adjust this using
the scroll wheel of your mouse over the Prevalence Graph).

4 Asset information section

This section provides additional information about the asset, including the client IP and
MAC address associated with a given hostname for the specified time period. It also
provides information on when the asset was first observed in your enterprise and the
time data was last collected.

5 Prevalence graph

The Prevalence graph shows the maximum number of assets in the enterprise that
have recently connected to the displayed network domain. Large gray circles indicate
first connections to domains. Small gray circles indicate subsequent connections to the
same domain. Frequently accessed domains fall to the bottom of the graph while
infrequently accessed domains rise to the top. The red triangles displayed on the graph
are associated with security alerts at the time specified under the prevalence graph.

6 Asset insight blocks

The Asset Insight blocks highlight the domains and alerts that you might want to
investigate further. They provide additional context as to what might have triggered an
alert and can help you determine if a device is compromised. The Asset Insight blocks
are a reflection of the currently displayed events and vary depending on their threat
relevance.

Forwarded alerts block

Alerts from your existing security infrastructure. These alerts are labeled with a red
triangle in Chronicle and might warrant further investigation.

Newly registered domains block

• Leverages WHOIS registration metadata to determine if the asset queried domains that
have been recently registered (in the past 30 days from the start of the search time
window).

• Recently registered domains typically have a higher threat relevance since they might
have been explicitly created to avoid existing security filters. Appears for the Fully
Qualified Domain Name (FQDN) at the current view's timestamp. For example:

• John's asset connected to bar.example.com on May 29, 2018.

• example.com was registered on May 4, 2018.

• bar.example.com appears as a newly registered domain when you investigate
John's asset on May 29, 2018.

Domains new to the enterprise block

• Examines your company's DNS data to determine whether an asset queried domains
that have never been visited before by anyone at your company. For example:

• Jane's asset connected to bad.altostrat.com on May 25, 2018.

• A few other assets visited phishing.altostrat.com on May 10, 2018, but there is
no other activity for altostrat.com or any of its subdomains in your organization
before May 10, 2018.

• bad.altostrat.com is displayed under the Domains New to the Enterprise insights
block when investigating Jane's asset on May 25, 2018.

Low prevalence domains block

• Summary of the domains a particular asset queried having low prevalence.

• Insight for a Fully Qualified Domain Name is based on the prevalence of its Top Private
Domain (TPD) where prevalence is less than or equal to 10. The TPD takes into account
the public suffix list. For example:

• Mike's asset connected to test.sandbox.altostrat.com on May 26, 2018.

• Since sandbox.altostrat.com has a prevalence of 5, test.sandbox.altostrat.com is
displayed under the Low Prevalence Domain insight block.
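The three insight checks above (newly registered domains, domains new to the enterprise, low prevalence domains) can be reproduced over your own DNS data. The following Python block is an added example, not Chronicle's implementation: it runs the checks over a constructed lookup set that mirrors the John, Jane and Mike scenarios, a constructed WHOIS table, a tiny stand-in for the public suffix list, and the seven-day prevalence definition given under Filtering the data later in this section. Asset names, dates and the public-suffix subset are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical, not Chronicle output): DNS lookups as
# (asset, fqdn, ISO date), mirroring the John/Jane/Mike scenarios in the text,
# plus a high-prevalence domain queried by a dozen workstations.
DNS_LOOKUPS = [
    ("john-laptop", "bar.example.com", "2018-05-29"),
    ("jane-laptop", "bad.altostrat.com", "2018-05-25"),
    ("asset-a", "phishing.altostrat.com", "2018-05-10"),
    ("asset-b", "phishing.altostrat.com", "2018-05-10"),
    ("mike-laptop", "test.sandbox.altostrat.com", "2018-05-26"),
    ("mike-laptop", "www.google.com", "2018-05-26"),
    ("asset-c", "www.altostrat.com", "2018-05-22"),
    ("asset-d", "www.altostrat.com", "2018-05-23"),
    ("asset-e", "mail.altostrat.com", "2018-05-24"),
] + [("ws-%02d" % i, "www.google.com", "2018-05-25") for i in range(12)]

# Constructed WHOIS creation dates, keyed by registered (top private) domain.
WHOIS_REGISTERED = {"example.com": "2018-05-04", "altostrat.com": "2009-03-17",
                    "google.com": "1997-09-15"}

# Tiny stand-in for the public suffix list (publicsuffix.org has thousands of rules).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def _d(text):
    return date.fromisoformat(text)


def top_private_domain(fqdn):
    """Registrable domain: one label below the longest public suffix that matches."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def _queried_on(asset, as_of):
    """FQDNs the asset looked up on the given day (ISO date string)."""
    return sorted({f for a, f, t in DNS_LOOKUPS if a == asset and t == as_of})


def newly_registered_domains(asset, as_of, lookback_days=30):
    """Queried FQDNs whose top private domain was registered in the lookback window."""
    day = _d(as_of)
    hits = []
    for fqdn in _queried_on(asset, as_of):
        tpd = top_private_domain(fqdn)
        registered = WHOIS_REGISTERED.get(tpd)
        if registered and day - timedelta(days=lookback_days) <= _d(registered) <= day:
            hits.append((fqdn, tpd, registered))
    return hits


def domains_new_to_enterprise(asset, as_of):
    """Queried FQDNs that no asset in the enterprise had looked up on an earlier day."""
    seen_before = {f for _, f, t in DNS_LOOKUPS if _d(t) < _d(as_of)}
    return [f for f in _queried_on(asset, as_of) if f not in seen_before]


def prevalence(tpd, as_of, window_days=7):
    """Distinct assets that queried any name under tpd in the window ending on as_of."""
    day = _d(as_of)
    start = day - timedelta(days=window_days)
    return len({a for a, f, t in DNS_LOOKUPS
                if top_private_domain(f) == tpd and start <= _d(t) <= day})


def low_prevalence_domains(asset, as_of, threshold=10):
    """Queried FQDNs whose top private domain has prevalence <= threshold."""
    hits = []
    for fqdn in _queried_on(asset, as_of):
        tpd = top_private_domain(fqdn)
        p = prevalence(tpd, as_of)
        if p <= threshold:
            hits.append((fqdn, tpd, p))
    return hits


if __name__ == "__main__":
    print("John, 2018-05-29:", newly_registered_domains("john-laptop", "2018-05-29"))
    print("Jane, 2018-05-25:", domains_new_to_enterprise("jane-laptop", "2018-05-25"))
    print("Mike, 2018-05-26:", low_prevalence_domains("mike-laptop", "2018-05-26"))
```

With the constructed data, John's bar.example.com is flagged as newly registered (example.com created 25 days before the search), Jane's bad.altostrat.com is new to the enterprise even though phishing.altostrat.com had been seen earlier, and Mike's test.sandbox.altostrat.com is low prevalence because only five assets touched altostrat.com in the preceding week, while www.google.com (thirteen assets) is not.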

ET Intelligence Rep List block

• Proofpoint, Inc. publishes the Emerging Threats (ET) Intelligence Rep List composed of
suspicious IP addresses and domains.

• Domains are matched against the asset-to-indicator lists for the current time range.

US DHS AIS block

• United States (US) Department of Homeland Security (DHS) Automated Indicator
Sharing (AIS).

• Cyber threat indicators compiled by DHS, including malicious IP addresses and the
sender addresses of phishing emails.

Alerts

The following figure shows third-party alerts that are correlated to the asset under
investigation. These alerts can come from popular security products (anti-virus,
intrusion detection, firewall, etc.). They provide you with additional context when
investigating an asset.
Alert interaction in Asset view

Filtering the data

To open the Procedural Filtering menu, click the icon in the top-right corner of the
Chronicle user interface.
Procedural Filtering menu

The Procedural Filtering menu, shown in the following figure, enables you to further
filter information pertaining to an asset, including:

• Prevalence

• Event type

• Log source

• Network connection status

• Top Level Domain (TLD)

Prevalence measures the number of assets within your enterprise connected to a
specific domain over the past seven days. More assets connecting to a domain means
that the domain has greater prevalence within your enterprise. High prevalence
domains, such as google.com, are unlikely to require investigation.

You can use the Prevalence slider to filter out the high prevalence domains and focus
on the domains which fewer assets across your enterprise have accessed. The
minimum Prevalence value is 1, meaning you could focus on the domains which are
linked to a single asset within your enterprise. The maximum value varies depending on
the number of assets you have within your enterprise.

Hovering over an item brings up controls that enable you to include, exclude, or view
only the data relevant to that item. As shown in the following figure, you can set the
control to view only the top-level domains (TLDs) by clicking the O icon.
Procedural filtering on a single TLD.

The Procedural Filtering menu is also available from Enterprise Insights view.

Viewing security vendor data in the timeline

You can use procedural filtering to view events from specific security vendors for an
asset in Asset view. For example, you can use the Log Source filter to focus on events
from a security vendor such as Tanium.

You can then view the Tanium events from the TIMELINE sidebar as shown in this
figure.
Filtering Zscaler events

You will see the namespace attached to your assets throughout the Chronicle UI,
especially whenever there is a list of assets, including the following:

• UDM Search

• Raw Log Scan

• Enterprise Insights

• Detection views

Note: The following sections illustrate some of the places that namespaces appear in the UI. They also
appear in many of the other views used for investigation.
Search bar

When using the search bar, the namespaces associated with each asset are displayed.
Selecting an asset within a specific namespace opens it in Asset view, showing the
other activities associated with the same namespace. If you want to see the activity of a
specific asset across all namespaces, you can select the last entry [all namespaces].

Any asset not associated with a namespace is assigned to the default namespace.
However, the default namespace is not displayed in lists such as the one shown below
for the Chronicle search bar.
Search bar

Asset view

In Asset view, the namespace is indicated in the title of the asset at the top of the page.
If you select the drop down menu by clicking on the down arrow, you can select the
other namespaces associated with the asset.

Asset view with namespaces


IP Address, Domain, and Hash views

Throughout the Chronicle user interface, namespaces are shown anywhere an asset is
referenced (except for the default or untagged namespace), including within the IP
address, Domain, and Hash views.

For example, in IP Address view (as shown below), namespaces are included in both the
asset tab and in the prevalence graph.

IP Address view with namespaces

Ingestion labels

To further narrow your search, you can use ingestion labels to set up separate feeds.
For a full list of supported ingestion labels, see Supported default parsers.

Examples: three ways to add a namespace to logs

The following examples illustrate three different ways you can add a namespace to the
logs you ingest to your Chronicle account.

Assign a namespace using the Chronicle Forwarder.

You can configure a namespace by adding it to the Chronicle Forwarder configuration
file as a forwarder-specific namespace or a collector-specific namespace. The
following example forwarder configuration illustrates both types:

metadata:
  namespace: FORWARDER
collectors:
  - syslog:
      common:
        metadata:
          namespace: CORPORATE
        batch_n_bytes: 1048576
        batch_n_seconds: 10
        data_hint: null
        data_type: NIX_SYSTEM
        enabled: true
      tcp_address: 0.0.0.0:30000
      connection_timeout_sec: 60
  - syslog:
      common:
        batch_n_bytes: 1048576
        batch_n_seconds: 10
        data_hint: null
        data_type: WINEVTLOG
        enabled: true
      tcp_address: 0.0.0.0:30001
      connection_timeout_sec: 60

As shown in this example, the logs originating from WINEVTLOG include the namespace
tag FORWARDER. The logs originating from NIX_SYSTEM include the namespace
tag CORPORATE.

This sets an overall namespace for the log collector. If your environment contains a mix
of logs that belong to multiple namespaces and you are unable to segment these
machines (or this is by design), Google recommends creating multiple collectors for the
same log source, each filtering logs into its respective namespace using regular
expressions.

Assign a namespace using the Ingestion API

You can also configure a namespace when you send your logs through
the unstructuredlogentries endpoint within the Chronicle ingestion API, as shown in the
following example:

{
  "customer_id": "c8c65bfa-5f2c-42d4-9189-64bb7b939f2c",
  "log_type": "BIND_DNS",
  "namespace": "FORWARDER",
  "entries": [
    {
      "log_text": "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: query: altostrat.com IN A + (203.0.113.102)",
      "ts_epoch_microseconds": 1551188102187000
    },
    {
      "log_text": "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: query: examplepetstore.com IN A + (203.0.113.102)",
      "ts_rfc3339": "2019-02-26T13:37:04.523-08:00"
    },
    {
      "log_text": "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: query: www.example.com IN A + (203.0.113.102)"
    }
  ]
}

In this example, the namespace is a body parameter of the API POST call. Logs
from BIND_DNS forward their log data with the FORWARDER namespace tag.
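As an added illustration, not Chronicle's own code and not the forwarder's configuration syntax, the following Python script covers both the per-collector regular-expression routing recommended in the forwarder section and the unstructuredlogentries request body shown above: it routes each raw line to a namespace by regex, groups the lines into one request body per namespace, and validates each body (UUID customer_id, required fields, at most one timestamp per entry, RFC 3339 timestamps that actually parse) before it would be sent. The routing rules, the LAB namespace and the grouping are assumptions; the customer_id and log lines are taken from the example above, with the second timestamp written as a valid date. Sending the body (endpoint host and credentials) is outside the snippet.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three BIND entries from the request body above, with the
# second timestamp written as a valid RFC 3339 date (month 02, not 26).
SAMPLE_ENTRIES = [
    {"log_text": "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: "
                 "query: altostrat.com IN A + (203.0.113.102)",
     "ts_epoch_microseconds": 1551188102187000},
    {"log_text": "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: "
                 "query: examplepetstore.com IN A + (203.0.113.102)",
     "ts_rfc3339": "2019-02-26T13:37:04.523-08:00"},
    {"log_text": "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: "
                 "query: www.example.com IN A + (203.0.113.102)"},
]

# Hypothetical routing table: the first regex that matches a raw line decides its
# namespace; lines matching nothing fall back to the forwarder-wide default.
NAMESPACE_RULES = [
    (re.compile(r"\bclient 10\.120\."), "CORPORATE"),
    (re.compile(r"\bclient 10\.50\."), "LAB"),
]
DEFAULT_NAMESPACE = "FORWARDER"

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
RFC3339_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})$")


def parse_rfc3339(text):
    """Parse an RFC 3339 timestamp into an aware datetime; raise ValueError if invalid."""
    match = RFC3339_RE.match(text)
    if not match:
        raise ValueError(f"not an RFC 3339 timestamp: {text!r}")
    day, clock, frac, tz = match.groups()
    frac = (frac or ".0").ljust(7, "0")          # normalise to six fractional digits
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{day}T{clock}{frac}{tz}")  # rejects month 26 etc.


def epoch_micros_to_rfc3339(micros):
    """Render a ts_epoch_microseconds value as the equivalent UTC RFC 3339 string."""
    base = datetime.fromtimestamp(micros // 10**6, tz=timezone.utc)
    return (base + timedelta(microseconds=micros % 10**6)).isoformat()


def namespace_for(log_text):
    for pattern, namespace in NAMESPACE_RULES:
        if pattern.search(log_text):
            return namespace
    return DEFAULT_NAMESPACE


def validate_batch(body):
    """Return a list of problems with a request body; an empty list means well-formed."""
    problems = []
    if not UUID_RE.match(str(body.get("customer_id", ""))):
        problems.append("customer_id is not a UUID")
    if not body.get("log_type"):
        problems.append("log_type is required")
    if "namespace" in body and not body["namespace"]:
        problems.append("namespace must be non-empty when present")
    for i, entry in enumerate(body.get("entries", [])):
        if not entry.get("log_text"):
            problems.append(f"entries[{i}]: log_text is required")
        if "ts_epoch_microseconds" in entry and "ts_rfc3339" in entry:
            problems.append(f"entries[{i}]: give only one timestamp field")
        if "ts_epoch_microseconds" in entry and not isinstance(entry["ts_epoch_microseconds"], int):
            problems.append(f"entries[{i}]: ts_epoch_microseconds must be an integer")
        if "ts_rfc3339" in entry:
            try:
                parse_rfc3339(entry["ts_rfc3339"])
            except ValueError as exc:
                problems.append(f"entries[{i}]: {exc}")
    return problems


def build_batches(customer_id, log_type, entries):
    """Route entries by regex and return one validated request body per namespace."""
    bodies = {}
    for entry in entries:
        namespace = namespace_for(entry["log_text"])
        body = bodies.setdefault(namespace, {"customer_id": customer_id, "log_type": log_type,
                                             "namespace": namespace, "entries": []})
        body["entries"].append(entry)
    for namespace, body in bodies.items():
        problems = validate_batch(body)
        if problems:
            raise ValueError(f"{namespace}: " + "; ".join(problems))
    return bodies


if __name__ == "__main__":
    for namespace, body in build_batches("c8c65bfa-5f2c-42d4-9189-64bb7b939f2c",
                                         "BIND_DNS", SAMPLE_ENTRIES).items():
        print(f"--- POST body for namespace {namespace} ---")
        print(json.dumps(body, indent=2))
```

Run stand-alone, the script prints three request bodies (CORPORATE, LAB and the FORWARDER default). Feeding it the original page's timestamp 2019-26-02T13:37:04.523-08:00 instead makes validate_batch report the entry, which is the point of validating client-side: a rejected batch is lost telemetry, and a silently accepted bad timestamp lands events at the wrong point on the investigation timeline.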

Assign a namespace using Chronicle Feeds Management

As stated in the Feed management user guide, Chronicle Feeds Management enables
you to set up and manage various log streams within your Chronicle tenant.

In the following example, Office 365 logs will be ingested with
the FORWARDER namespace tag:

Figure 1: Feed Management configuration with the FORWARDER namespace tag

Investigate an IP address

Chronicle enables you to investigate specific IP addresses to determine if any are
present within your enterprise and what impact these outside systems might have had
on your assets. The Chronicle IP Address view is derived from the same security
information and data forwarded from your enterprise that you can examine using Asset
view. Make sure you are ingesting and normalizing data from devices on your network,
such as EDR, firewall, web proxy, etc.

From Asset view, you begin your investigation from within your enterprise and look
outward. From IP Address view, you begin your investigation from outside your
enterprise and look in.

To access IP Address view in Chronicle, complete the following steps:


1. Enter the IP address you need to investigate in the search bar at the top of the Chronicle
user interface.

2. Click SEARCH. You are taken to IP Address view.

IP Address context

IP Address view

1 Prevalence

Chronicle provides a graphical representation of the historical prevalence of a given IP
address. This graph can be used to determine whether the IP address has been
accessed from within the enterprise before, and can provide an indication of whether
the IP address is associated with a particular campaign targeting the enterprise.

Typically, less prevalent IP addresses, ones that fewer assets have connected to, might
represent a greater threat to your enterprise. Unlike the Prevalence graph in Asset view,
the graph in this figure shows high prevalence access at the top of the graph and low
prevalence access at the bottom.

When you hold the pointer over a bar in the Prevalence graph, the graph lists the assets
that accessed the IP address. Due to the high prevalence of DNS servers, they aren't
listed. If all of the assets are DNS servers, no assets are listed.

2 Slider for Prevalence graph

Adjust the slider to focus on events tied to a specific range of dates as shown in the
Prevalence graph.

3 IP Address insights

IP address insights provide you with more context about the IP address under
investigation. You can use them to determine whether an IP address is benign or
malicious. They also provide you with the ability to further investigate an indicator to
determine if there is a broader compromise.

• ET Intelligence Rep List: Checks against ProofPoint's Emerging Threats (ET)
Intelligence Rep List. Lists known threats tied to specific IP addresses and
domains.
• ESET Threat Intelligence: Checks against ESET's threat intelligence service.

4 VT Context

Click VT Context to view the VirusTotal information available for this IP address.

Investigate a domain

Chronicle enables you to investigate specific domains to determine if any are present
within your enterprise, and what impact these outside systems might have had on your
assets. Domain view is derived from the security information and data that you have
forwarded to Chronicle. Make sure you are ingesting and normalizing data from devices
on your network, such as EDR, firewall, web proxy, etc.

To access Domain view in Chronicle, complete the following steps:

1. Enter the domain (ending with a known public suffix) or URL you need to investigate in
the search bar at the top of the user interface.

2. Click SEARCH. If the domain exists, it is listed under the DOMAINS heading. Click the
domain name link to pivot to Domain view. If the domain is present within your
enterprise, additional information is displayed in Domain view. If the domain is not
present, Domain view will be empty.

Domain context

Domain view

1 VT Context

Click VT Context to view the VirusTotal information available for this domain.

2 WHOIS

Chronicle displays the WHOIS information associated with the registered domain. This
information can be useful when assessing a domain's reputation.

3 Prevalence

Chronicle provides a graphical representation of the historical prevalence of a given
FQDN and its TLD. This graph can be used to determine whether the domain has been
accessed from within the enterprise before, and can provide an indication of whether
the domain is associated with a particular campaign targeting the enterprise. Typically,
less prevalent domains, ones that fewer assets have connected to, might represent a
greater threat to your enterprise.

When you hold the pointer over a bar in the Prevalence graph, the graph lists the assets
that accessed the domain. Due to the high prevalence of DNS servers, they aren't listed.
If all of the assets are DNS servers, no assets are listed.

4 Domain insights

Domain insights provide you with more context about domains under investigation. You
can use them to determine whether a domain is benign or malicious. They also let you
further investigate an indicator to determine if there is a broader compromise.

The domain insights displayed vary depending on the availability of information
associated with the domain within your Chronicle account, but might include the
following:

• ET Intelligence Rep List: Checks against ProofPoint's Emerging Threats (ET)
Intelligence Rep List and lists known threats tied to specific IP addresses and
domains.
• ESET Threat Intelligence: Checks against ESET's threat intelligence service.
• Resolved IPs: All resolved IP addresses that have been seen in your organization
for a given Fully Qualified Domain Name. For example:
• Search for test.altostrat.com (Fully Qualified Domain Name)

• 2 resolved IPs (198.51.100.81 and 203.0.113.81) are displayed

• Associated subdomains: All associated subdomains that have been seen in your
organization for a given Fully Qualified Domain Name. Many adversaries use the
same domain and subdomain for their attacks. For example:
• Search for sandbox.altostrat.com (Fully Qualified Domain Name)

• 2 subdomains (test.sandbox.altostrat.com and staging.sandbox.altostrat.com)
are displayed

• Sibling Domains: All sibling domains that have been seen in your organization for
a given Fully Qualified Domain Name at a given level. For example:
• Search for sandbox.altostrat.com

• 1 sibling domain (foo.altostrat.com) is displayed


Timeline

The Timeline tab lists all of the events for the domain. The Asset identifier column
shows the asset ID. In a small number of cases, Chronicle replaces the asset ID with the
IP address of the asset.

Investigate a user

Chronicle User view enables customers to better understand how users within an
enterprise are impacted by security events. By focusing on the behavior of individual
users, security administrators can search for activity indicating an account compromise
or other security concerns. Make sure you are ingesting and normalizing data from
devices on your network, such as EDR, firewall, web proxy, user context, and
authentication, etc.

Search for a user

To open User view in Chronicle, enter the username or email address of a user within
your enterprise in the Search field. If the user is present within your Chronicle account,
that user is displayed as a result. Click the username to pivot to User view.

You can also access User view from the Recent Alerts panel in Enterprise Insights view.
In addition to Assets, there is a column for Users impacted by alerts.

Analyze user activity with User view


User view aliasing

User view includes a user aliasing feature to ensure events associated with a single
user are not duplicated and are easier to search within your Chronicle account. For
example, if you have an employee named Dennis whose user identifier is dennis and
whose email is dennis@altostrat.com and you search for dennis in Chronicle, events for
both dennis and dennis@altostrat.com are returned.

User view features

User view includes many features and user interface controls to enable you to more
closely examine the user data within your enterprise. Some of these features are unique
to User view and some are shared with the other Chronicle event views (Domain View,
IP Address View, etc.).

Chronicle User view features

1 User information

Displays information about the user stored within your enterprise IT systems (for
example, Active Directory, Workday, Okta, etc.).
2 Date selection

Use the left and right arrows to examine the events associated with the user over a one
calendar week interval (Saturday through Sunday). If no data is available in the currently
displayed time period, you are given First Seen and Last Seen options to shift the view
quickly to a relevant time period.

3 X-axis time shift

By default, User view centers the Gradient Heat Map at 12:00 UTC (noon). Using the X-
Axis Time Shift control, you can center the Heat Map up to 12 hours before or after
12:00. This enables you to focus on atypical time periods for the user. For example, you
could time shift the display to 0:00 UTC (midnight) to focus on user activity in the late
evening and early morning hours as shown in these figures.

Setting X-Axis time shift to +12

X-Axis time shift set to +12


4 Gradient heat map

User view Gradient Heat Map displays an aggregate view of user activity across the
time period you are investigating. Each square indicates an hour of the day (UTC) for a
logged user activity across the time period. This chart enables you to locate abnormal
or atypical user activity.

Clicking on a square shows the activity date and clicking on that date from the green
popover takes you to that hour of events in the Timeline.

The color of each square varies from black through shades of gray to white:

• Black squares indicate no user activity.
• White squares indicate frequent user activity.
• Dark gray to light gray squares indicate increasing levels of activity, with dark
shades of gray representing less activity and light shades of gray representing
more.

For example, a user is routinely active during normal work hours and never active late at
night or on weekends. However, this user has recently become active every day at 3AM.
The Gradient Heat Map enables you to quickly locate this type of atypical activity.

5 User alerts

User security alerts are captured by Chronicle and displayed here. You can click the
associated links to further investigate the alert.

6 Timeline and assets

The Timeline and Assets tabs are also available within User view. As with other
Chronicle views, the Timeline tab lists events chronologically and the Assets tab lists
the assets associated with the user alphabetically or numerically. The assets displayed
correspond to this specific user's activity within your enterprise and are limited to the
time period specified.

Use these tabs as follows:

• Timeline tab—Selecting an event in the Timeline tab also highlights the
corresponding event in the Gradient Heat Map in green. Alerts are indicated by a
red triangle and red text.
• Assets tab—Selecting an asset highlights it in green in the Assets tab and all
activity involving that asset is also highlighted in green in the Gradient Heat Map.
You can pivot to Asset view by clicking the first accessed or last accessed time in
the Assets tab.

7 Columns

Customize the columns displayed in the Timeline tab.

8 Procedural filtering

You can open the Procedural Filtering menu by clicking the Procedural Filtering icon in
User View and filter the user information based on a variety of characteristics. For
example, you could filter on Principal Location to examine the geographic location of
the user's login attempts. It might indicate that a user is logging in from unusual
locations.

Procedural filtering on principal location

Investigate a file
bookmark_border
You can use Chronicle to search your data for a specific file based on its MD5, SHA-1, or
SHA-256 hash value. Make sure you are ingesting and normalizing data from devices on
your network, such as EDR data.

If additional information is available for a file hash found within a customer's Chronicle
account, this additional information is added to the associated UDM events
automatically. You can search for these UDM events manually using UDM Search or by
using rules.

To view a file hash, you can:

• View a file in Hash view directly
• Navigate to Hash view from another view

View a file in Hash view directly

To open Hash view directly, enter the hash value in the Chronicle search field and
click Search.

Hash view

Chronicle provides additional information about the file, including the following:
• Partner Engines Detecting—Other security vendors who have detected the file.
• Properties/Metadata—Known properties of the file.
• VT Submitted / ITW Filenames—Filenames under which the file has been
submitted to VirusTotal or observed in the wild (ITW).
Navigate to Hash view from another view

You can also navigate to Hash view while investigating an asset in another view (for
example, Asset view) by completing the following steps:

1. Open an investigation view. For example, select an asset to view it within Asset
view.
2. In the TIMELINE to the left, scroll down to any event tied to a process or file
modification, such as Network Connection.

Selecting an Event in Asset view


3. Open the Raw Log/UDM viewer by clicking the open icon in the TIMELINE.
4. You can open Hash view for the file by clicking the hash value (for example,
principal.process.file.md5) within the displayed UDM event.

Search raw logs using Raw Log Scan


bookmark_border
When you conduct a search, Chronicle first examines the security data that has been
ingested, parsed, and normalized. If the information you are searching for is not found
in the normalized data, you can use Raw Log Scan to examine the raw unparsed logs.
You can also use regular expressions to more closely examine the raw logs.

You can use Raw Log Scan to investigate artifacts that appear in logs, but are not
indexed, including:

• Usernames
• Filenames
• Registry keys
• Command-line arguments
• Raw HTTP request-related data
• Domain names based on regular expressions
• Asset namespaces and addresses

Raw log scan

To use Raw Log Scan, enter a search string in the search field on either the landing page
or the menu bar (for example, an MD5 hash). Enter at least 4 characters (including
wildcards). If Chronicle cannot find the search string, it opens the Raw Logs
Scan option. Specify the Start Time and End Time (the default is 1 week) and
click SEARCH.

Raw Log Scan from the landing page


Events associated with the search string are displayed. You can open the associated
raw log by clicking the arrow button.

You can also click the Log Sources drop-down menu and select one or more of the data
sources you are sending to Chronicle to search. The default setting is All.

Regular expressions

You can use regular expressions to search for and match sets of character strings
within your security data using Chronicle. Regular expressions enable you to narrow
your search down using fragments of information, as opposed to using (for example) a
complete domain name.

To run a search using regular expression syntax, enter your search in the Search field
with the regular expression, check the Run Query as Regex checkbox, and
click SEARCH. Your regular expression must be from 4 to 66 characters long.

Raw Log Scan run as a regular expression

Chronicle's regular expression infrastructure is based on Google RE2, an open-source
regular expression engine. Chronicle uses the same regular expression syntax.
See the RE2 documentation for more information.

The following table highlights some of the common regular expression syntaxes you
can use for your searches.

Description Syntax

Any single character .

Exactly x repetitions of the preceding item (for example, .{3} is any three characters) {x}

Character class (any one of x, y, or z) [xyz]

Negated character class (any character except x, y, or z) [^xyz]

Alphanumeric (0-9A-Za-z) [[:alnum:]]

Alphabetic (A-Za-z) [[:alpha:]]

Digits (0-9) [[:digit:]]

Lower case (a-z) [[:lower:]]

Upper case (A-Z) [[:upper:]]

Word characters (0-9A-Za-z_) [[:word:]]

Hex digit (0-9A-Fa-f) [[:xdigit:]]

The following examples illustrate how you could use this syntax to search across your
data:

• goo.le\.com—match google.com, goodle.com, goo-le.com, etc. (the dot stands for
exactly one character, so goooogle.com does not match)

• goo\w{3}\.com—match google.com, goodle.com, goojle.com, etc.

• [[:digit:]]\.[[:alpha:]]—match 34323.system, 23458.office, 897.net, etc. (a digit
immediately followed by a dot and a letter, anywhere in the string)

Sample regular expressions to search for Windows logs

This section provides regular expression query strings you can use with Chronicle raw
log scan to find commonly monitored Windows events. These examples assume the
Windows log messages are in JSON format.

For more information about commonly monitored Windows Event IDs, see the Events to
Monitor topic in Microsoft documentation. The examples provided follow a similar
pattern, described in these use cases.

Use Case: Return events with the EventID 1150

Regex String: \"EventID\"\:\s*1150

Values Matched: "EventID":1150

Use Case: Return events with an Event ID that is either 1150 or 1151

Regex String: (?:\"EventID\"\:\s*)(?:1150|1151)

Values Matched: "EventID":1150 and "EventID":1151

Use Case: Return events with an Event ID that is either 1150 or 1151, and with ThreadID 9092

Regex String: (?:\"EventID\"\:\s*)(?:1150|1151).*(?:\"ThreadID\"\:\s*9092)

Values Matched: "EventID":1150 <...any number of characters...> "ThreadID":9092
and
"EventID":1151 <...any number of characters...> "ThreadID":9092

Find account management events

These regular expression query strings identify common account management events
using the EventID attribute.

Type of Event Regular Expression

User Account Created EventID\"\:\s*4720

User Account Enabled EventID\"\:\s*4722

User Account Disabled EventID\"\:\s*4725

User Account Deleted EventID\"\:\s*4726

User Rights Modification EventID\"\:\s*470[345]

Member Added to Security Enabled Global Group EventID\"\:\s*4728

Member Removed from Security Enabled Global Group EventID\"\:\s*4729

Security Enabled Global Group was Deleted EventID\"\:\s*4730

These are the standard Windows Security audit Event IDs. Event IDs 4703, 4704, and
4705 cover a user right being adjusted, assigned, and removed respectively, so the
User Rights Modification pattern accepts any of the three.

Find logon success events

These regular expression query strings identify types of successful logon events using
the EventID and LogonType attributes.

Type of Event Regular Expression

Logon Success EventID\"\:\s*4624

Logon Success - Interactive (LogonType=2) EventID\"\:\s*4624.*?LogonType\"\:\s*\"2\"

Logon Success - Batch Login (LogonType=4) EventID\"\:\s*4624.*?LogonType\"\:\s*\"4\"

Logon Success - Service Login (LogonType=5) EventID\"\:\s*4624.*?LogonType\"\:\s*\"5\"

Logon Success - RemoteInteractive Login (LogonType=10) EventID\"\:\s*4624.*?LogonType\"\:\s*\"10\"

Logon Success - Interactive, Batch, Service, or RemoteInteractive (?:EventID\"\:\s*4624.*?LogonType\"\:\s*\")(?:2|4|5|10)\"


Find logon failure events

These regular expression query strings identify types of failed logon events using the
EventID and LogonType attributes.

Type of Event Regular Expression

Logon Failure EventID\"\:\s*4625

Logon Failure - Interactive (LogonType=2) EventID\"\:\s*4625.*?LogonType\"\:\s*\"2\"

Logon Failure - Batch Login (LogonType=4) EventID\"\:\s*4625.*?LogonType\"\:\s*\"4\"

Logon Failure - Service Login (LogonType=5) EventID\"\:\s*4625.*?LogonType\"\:\s*\"5\"

Logon Failure - RemoteInteractive Login (LogonType=10) EventID\"\:\s*4625.*?LogonType\"\:\s*\"10\"

Logon Failure - Interactive, Batch, Service, or RemoteInteractive (?:EventID\"\:\s*4625.*?LogonType\"\:\s*\")(?:2|4|5|10)\"

Find process, service and task events

These regular expression query strings identify certain process and service events
using the EventID attribute.

Type of Event Regular Expression

Process Start EventID\"\:\s*4688

Process Exit EventID\"\:\s*4689

Service Installed EventID\"\:\s*4697

New Service Created EventID\"\:\s*7045

Scheduled Task Created EventID\"\:\s*4698

Find events related to object access

These regular expression query strings identify audit-log and object access events
using the EventID attribute.

Type of Event Regular Expression

Audit Log Cleared EventID\"\:\s*1102

Object Access Attempted EventID\"\:\s*4663


Share Accessed EventID\"\:\s*5140
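Because Chronicle's Raw Log Scan uses RE2, the query strings above can be tested offline before you run them against a week of raw logs: Go's regexp package implements RE2 syntax, so a pattern that compiles and matches there behaves the same way in Raw Log Scan. The following program is an added example covering both the regular expression syntax table and the Windows event patterns; it is not Chronicle's code. The log lines are constructed JSON events with the fields trimmed to what the patterns use, and the last line deliberately puts LogonType before EventID to show that these patterns depend on field order.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RawLogs is a constructed set of Windows Security events serialized as JSON
// (not real logs, fields trimmed to those the patterns use). The last line
// deliberately has LogonType before EventID to show the ordering caveat.
var RawLogs = []string{
	`{"EventID":4624,"LogonType":"10","TargetUserName":"dennis","IpAddress":"203.0.113.5"}`,
	`{"EventID": 4624,"LogonType":"2","TargetUserName":"alice","IpAddress":"-"}`,
	`{"EventID":4625,"LogonType":"3","TargetUserName":"svc-backup","IpAddress":"198.51.100.7"}`,
	`{"EventID":4720,"TargetUserName":"tmp-admin","SubjectUserName":"dennis"}`,
	`{"EventID":1150,"ThreadID":9092,"Channel":"Application"}`,
	`{"LogonType":"10","EventID":4624,"TargetUserName":"bob"}`,
}

// Patterns are raw-log-scan strings from the text, compiled unchanged: Go's
// regexp package implements RE2 syntax, the same engine Chronicle uses.
var Patterns = map[string]*regexp.Regexp{
	"logon_success":          regexp.MustCompile(`EventID\"\:\s*4624`),
	"logon_success_rdp":      regexp.MustCompile(`EventID\"\:\s*4624.*?LogonType\"\:\s*\"10\"`),
	"logon_success_2_4_5_10": regexp.MustCompile(`(?:EventID\"\:\s*4624.*?LogonType\"\:\s*\")(?:2|4|5|10)\"`),
	"logon_failure":          regexp.MustCompile(`EventID\"\:\s*4625`),
	"user_created":           regexp.MustCompile(`EventID\"\:\s*4720`),
	"event_1150_thread_9092": regexp.MustCompile(`(?:\"EventID\"\:\s*)(?:1150|1151).*(?:\"ThreadID\"\:\s*9092)`),
}

// ScanRawLogs returns, per pattern name, the indices of the lines it matches,
// which is what Raw Log Scan with "Run Query as Regex" does over your raw logs.
func ScanRawLogs(logs []string, pats map[string]*regexp.Regexp) map[string][]int {
	hits := make(map[string][]int)
	for name, re := range pats {
		for i, line := range logs {
			if re.MatchString(line) {
				hits[name] = append(hits[name], i)
			}
		}
	}
	return hits
}

// SyntaxExamples runs the class and quantifier examples from the regular
// expression table against constructed strings and returns which matched.
// "." is exactly one character, so goo.le\.com matches goodle.com but not
// goooogle.com; \w{3} needs exactly three word characters before the dot.
func SyntaxExamples() map[string][]string {
	cases := []struct {
		pattern string
		inputs  []string
	}{
		{`goo.le\.com`, []string{"google.com", "goodle.com", "goooogle.com"}},
		{`goo\w{3}\.com`, []string{"google.com", "goojle.com", "goole.com"}},
		{`[[:digit:]]\.[[:alpha:]]`, []string{"34323.system", "897.net", "abc.def"}},
	}
	out := make(map[string][]string)
	for _, c := range cases {
		re := regexp.MustCompile(c.pattern)
		for _, in := range c.inputs {
			if re.MatchString(in) {
				out[c.pattern] = append(out[c.pattern], in)
			}
		}
	}
	return out
}

func main() {
	hits := ScanRawLogs(RawLogs, Patterns)
	names := make([]string, 0, len(hits))
	for n := range hits {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-24s lines %v\n", n, hits[n])
	}
	fmt.Println(SyntaxExamples())
}
```

Two caveats fall out of the run. The `EventID ... .*? ... LogonType` patterns only match when EventID is serialized before LogonType, so the last sample line is missed by `logon_success_rdp` although it is a type 10 logon; check your forwarder's field order before trusting a negative result. The patterns also assume LogonType is a quoted string (`"10"`); the closing `\"` is what stops `\"1\"` from matching `"10"`, and if your source emits the value as a bare number the quoted form will match nothing.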

Overview of procedural filtering


bookmark_border
Procedural Filtering enables you to further filter information pertaining to an asset,
including by event type, log source, network connection status, and Top Level Domain
(TLD). The Procedural Filtering menu options change depending on the Chronicle view
and the breadth and types of security data currently displayed in the UI.

The following sections describe how to access and use Procedural Filtering when
investigating an alert in each Chronicle view.

Filter data in Enterprise Insights


bookmark_border
Complete the following steps to navigate to Enterprise Insights view:

1. Click the application menu icon in the upper right corner of the screen to
open the application dropdown menu. Select Enterprise Insights as shown in
the following figure.

Application menu
2. The Enterprise Insights view is displayed with IOC Domain Matches and Recent
Alerts. You can adjust the time range using the slider to display a greater range
of matches and alerts.
Enterprise Insights view
3. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure. From
Enterprise Insights, the Procedural Filtering menu enables you to further filter
information pertaining to the current alerts and IOCs within your enterprise.

Filtering options
The following Procedural Filtering options are available from Enterprise Insights:
• ALERT NAME CATEGORIES
• ALERT VENDOR SOURCE
• IOC CATEGORIES
• IOC CONFIDENCE SCORE
• IOC FEED
• IOC/ALERT SEVERITY
• TLD

Filter data in User view


bookmark_border
Chronicle User view enables you to better understand how users within an enterprise
might be impacted by security events. By focusing on the behavior of individual users,
security administrators can search for activity indicating an account compromise or
other security concern.

1. To open User view, enter the username or email address of a user within your
enterprise in the search field.
Note: If the user is present within your Chronicle account, that user is displayed as a
result.

Search for a user from the landing page


2. Click SEARCH to pivot to User view.
3. Select the user from the USERS dropdown menu.

Autodetected user menu


4. User view is displayed.

User view
5. Click the right arrow in the Detections column in the left navigation panel.

Raw Log details pop-up window


6. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Filtering menu
The following Procedural Filtering options are available in User view:
• AUTH TYPE
• EVENT TYPE
• LOG SOURCE
• OUTCOME
• PRINCIPAL LOCATION
• TARGET APPLICATION

Summary of Visual elements in the view

Chronicle includes the following user interface elements to help you investigate any
issues that might be present within your enterprise:

Element Description

Time slider The time slider allows you to adjust the time period under examination. You can adjust the slider to view between one minute and one day of events. Available only in: Enterprise Insights, Asset view, IP Address view, Domain view, Hash view, User view, Rules Editor.

Prevalence Prevalence measures the number of assets within your enterprise that have connected to a specific domain over the past seven days. Available only in: Asset view, IP Address view, Domain view, Hash view.

Right Navigation Panel

Element Description

Expand all Expands all the collapsed items.

Collapse all Collapses all the expanded items.

Reset Displays the default view and includes All (there are exceptions).

Show all Includes all the items.

Hide all Excludes all the items.

Include Includes the excluded items. Hovering over the icon provides a preview in green.

Exclude Filters out the selected item. Hovering over the icon provides a preview in orange.

Exclude others Filters out all items except the selected item.

Left Navigation Panel

Element Description

Expand all Expands all the collapsed items.

Collapse all Collapses all the expanded items.

Wrap text Wraps text to the next line when it reaches the right margin; otherwise the text is displayed on one line only.

Unwrap text Displays the text on one line only.

Actions Download as CSV - Download the information in CSV format.

Search rows Provides an option to enter a keyword to search each row.

Filter data in Rule Detections view


bookmark_border
Rule Detections view displays the metadata attached to the rule and a graph showing
the number of detections found by the rule over recent days.

To access the Rule Detection view in Chronicle, complete the following steps:

1. Click the application menu icon in the upper right corner of the screen to
open the application dropdown menu. Select Enterprise Insights as shown in
the following figure.
Application Menu
2. Select View Rules. The Rules Dashboard view is displayed.

Rules dashboard
3. Click a rule name. The Rule Detections view is displayed.
Rule Detections view
4. Click the right arrow in the Detections column in the left navigation panel.

Raw log details pop-up window


5. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Procedural filtering menu
The following Procedural Filtering options are displayed in the Rule Detection
view (this list does not include all the filtering options):
• METADATA.EVENT_TYPE
• METADATA.PRODUCT_NAME
• NETWORK.APPLICATION_PROTOCOL
• NETWORK.DNS.QUESTIONS.CLASS
• NETWORK.DNS.ANSWERS.DATA
• NETWORK.DNS.ANSWERS.NAME
• NETWORK.DNS.ANSWERS.TTL
• NETWORK.DNS.ANSWERS.TYPE
• NETWORK.DNS.QUESTIONS.NAME
• NETWORK.DNS.QUESTIONS.TYPE

Filter data in Asset view


bookmark_border
Asset view enables you to investigate assets within your enterprise and whether or not
they have interacted with suspicious domains. You can adjust Asset view to hide benign
activity and help highlight the data relevant to an investigation.

Complete the following steps to navigate to Asset view page:

1. Enter the asset (ending with a known public suffix) or URL you need to
investigate in the search bar at the top of the user interface. Click SEARCH.

Search for an asset from the landing page


2. Select the asset from the ASSETS drop-down menu.

Chronicle search autodetect menu


3. Asset view is displayed.
Asset view
4. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Procedural Filtering enables you to further filter information pertaining to an
asset, including by event type, log source, network connection status, and Top
Level Domain (TLD).

Filtering menu
The following Procedural Filtering options are available in Asset view:
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD

Filter options
Navigate Asset view
Prevalence

Prevalence measures the number of assets within your enterprise connected to a
specific domain over the past seven days. More assets connecting to a domain means
that the domain has greater prevalence within your enterprise. High prevalence
domains, such as google.com, are unlikely to require investigation. You can use the
Prevalence slider to filter out the high prevalence domains and focus on the domains
which fewer assets across your enterprise have accessed. The minimum Prevalence
value is 1, meaning you could focus on the domains which are linked to a single asset
within your enterprise. The maximum value varies depending on the number of assets
you have within your enterprise.

Chronicle provides a graphical representation of the historical prevalence of a given
FQDN and its TLD. This graph can be used to determine whether the domain has been
accessed from within the enterprise before, and can provide an indication of whether
the domain is associated with a particular campaign targeting the enterprise. Typically,
less prevalent domains, ones that fewer assets have connected to, might represent a
greater threat to your enterprise.
Time slider

The time slider allows you to adjust the time period under examination. You can adjust
the slider to view between one minute and one day of events (you can also adjust this
using the scroll wheel of your mouse over the Prevalence Graph). Domains that more
assets have accessed are displayed as more prevalent in Asset view.

Timeline tab

Selecting an event in the Timeline tab also highlights the corresponding event in the
Gradient Heat Map in green. Alerts are indicated by a red triangle and red text.

Asset tab

Selecting an asset highlights it in green in the Asset tab and all activity involving that
asset is also highlighted in green on the Gradient Heat Map. You can pivot to Asset view
by clicking on first accessed or last accessed in the Assets tab.

TIMELINE Sidebar List

When you search for an asset, activity is returned with a default time window of 2 hours.
Hovering over the header categories row displays the sorting control for each column,
enabling you to sort alphabetically or by time depending on the category. Adjust the
time window using the time slider or by scrolling the mouse wheel while the cursor is
over the Prevalence Graph.

DOMAINS sidebar list

Use this list to see the first lookup of each distinct domain within a given time window.
This helps to hide noise caused by assets frequently connecting to domains.
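Prevalence and the DOMAINS sidebar's first-lookup list are both aggregations over the same connection events, and reproducing them in code is the usual starting point for a rare-domain hunt outside the UI. The Go program below is an added example that is not Chronicle's implementation: it counts distinct assets per domain over a seven-day window, applies a prevalence ceiling the way the slider does, and reports the first lookup of each domain. The connection records are constructed data and the window size is the page's seven days passed in as a parameter.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Connection is one normalized network or DNS event: which asset reached which
// domain, and when. Timestamps are UTC.
type Connection struct {
	Asset  string
	Domain string
	At     time.Time
}

// SampleConnections is constructed data (not real logs): 20 hosts reach
// www.google.com, three reach cdn.example.net, one host reaches
// update.altostrat.com twice, and one event is older than the window.
func SampleConnections(now time.Time) []Connection {
	var cs []Connection
	for i := 0; i < 20; i++ {
		cs = append(cs, Connection{fmt.Sprintf("host-%02d", i), "www.google.com", now.Add(-1 * time.Hour)})
	}
	for i := 0; i < 3; i++ {
		cs = append(cs, Connection{fmt.Sprintf("host-%02d", i), "cdn.example.net", now.Add(-26 * time.Hour)})
	}
	cs = append(cs,
		Connection{"host-07", "update.altostrat.com", now.Add(-48 * time.Hour)},
		Connection{"host-07", "update.altostrat.com", now.Add(-47 * time.Hour)},
		Connection{"host-02", "old.example.org", now.Add(-10 * 24 * time.Hour)},
	)
	return cs
}

// Prevalence counts, per domain, the distinct assets that connected to it in
// the window ending at now (the UI uses the past seven days). Repeated
// connections from the same asset count once.
func Prevalence(conns []Connection, now time.Time, window time.Duration) map[string]int {
	assets := make(map[string]map[string]struct{})
	cutoff := now.Add(-window)
	for _, c := range conns {
		if c.At.Before(cutoff) || c.At.After(now) {
			continue
		}
		if assets[c.Domain] == nil {
			assets[c.Domain] = make(map[string]struct{})
		}
		assets[c.Domain][c.Asset] = struct{}{}
	}
	prev := make(map[string]int, len(assets))
	for d, set := range assets {
		prev[d] = len(set)
	}
	return prev
}

// LowPrevalence is the Prevalence slider in code: keep domains reached by at
// most limit assets, ordered rarest first so a single-asset domain tops the list.
func LowPrevalence(prev map[string]int, limit int) []string {
	var out []string
	for d, n := range prev {
		if n <= limit {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if prev[out[i]] != prev[out[j]] {
			return prev[out[i]] < prev[out[j]]
		}
		return out[i] < out[j]
	})
	return out
}

// FirstLookups returns the earliest event per domain inside [start, end), the
// DOMAINS sidebar's "first lookup of each distinct domain", which collapses a
// chatty asset's repeated lookups into one row.
func FirstLookups(conns []Connection, start, end time.Time) map[string]time.Time {
	first := make(map[string]time.Time)
	for _, c := range conns {
		if c.At.Before(start) || !c.At.Before(end) {
			continue
		}
		if t, ok := first[c.Domain]; !ok || c.At.Before(t) {
			first[c.Domain] = c.At
		}
	}
	return first
}

func main() {
	now := time.Date(2023, time.March, 12, 0, 0, 0, 0, time.UTC)
	prev := Prevalence(SampleConnections(now), now, 7*24*time.Hour)
	fmt.Println("prevalence:", prev)
	fmt.Println("reached by <= 3 assets:", LowPrevalence(prev, 3))
	fmt.Println("first lookups:", FirstLookups(SampleConnections(now), now.AddDate(0, 0, -7), now))
}
```

Prevalence is a count of distinct assets, not of events, which is why host-07's two connections to update.altostrat.com yield a prevalence of 1; a noisy beacon from a single host stays at the bottom of the list where you want it.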

Summary of Visual elements in the view

Chronicle includes the following user interface elements to help you investigate any
issues that might be present within your enterprise:

Element Description

Time slider The time slider allows you to adjust the time period under examination. You can adjust the slider to view between one minute and one day of events. Available only in: Enterprise Insights, Asset view, IP Address view, Domain view, Hash view, User view, Rules Editor.

Prevalence Prevalence measures the number of assets within your enterprise that have connected to a specific domain over the past seven days. Available only in: Asset view, IP Address view, Domain view, Hash view.

Right Navigation Panel

Element Description

Expand all Expands all the collapsed items.

Collapse all Collapses all the expanded items.

Reset Displays the default view and includes All (there are exceptions).

Show all Includes all the items.

Hide all Excludes all the items.

Include Includes the excluded items. Hovering over the icon provides a preview in green.

Exclude Filters out the selected item. Hovering over the icon provides a preview in orange.

Exclude others Filters out all items except the selected item.

Left Navigation Panel

Element Description

Expand all Expands all the collapsed items.

Collapse all Collapses all the expanded items.

Wrap text Wraps text to the next line when it reaches the right margin; otherwise the text is displayed on one line only.

Unwrap text Displays the text on one line only.

Actions Download as CSV - Download the information in CSV format.

Search rows Provides an option to enter a keyword to search each row.

Filter data in Domain view


bookmark_border
Domain view enables you to investigate whether or not specific domains are present
within your enterprise and what impact they might have had on your assets.

To access Domain view in Chronicle, complete the following steps:

1. Enter the domain (ending with a known public suffix) or URL you need to
investigate in the search bar. Click SEARCH.
Search for a domain from the landing page
2. Select the domain from the DOMAINS drop-down menu.

Chronicle search autodetect menu


3. Domain view is displayed.

Domain view
4. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Procedural Filtering enables you to further filter information pertaining to the
domain, including by asset, event type, log source, network connection status, and
Top Level Domain (TLD).
Filtering menu
The following Procedural Filtering options are available in Domain view:
• ASSETS
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD

Filter options

Filter data in IP Address view


bookmark_border
IP Address view enables you to investigate whether or not specific IP addresses are
present within your enterprise and what impact they might have had on your assets.

Chronicle enables you to investigate specific IP addresses to determine if any are
present within your enterprise and what impact these outside systems might have had
on your assets. IP Address view is derived from the same security information and data
that you have forwarded to Chronicle from your enterprise and can also examine using
Asset view.

From Asset view, you begin your investigation from within your enterprise and look
outward. From IP Address view, you begin your investigation from outside your
enterprise and look in.

To access IP Address view in Chronicle, complete the following steps:

1. Enter the IP address you need to investigate in the search bar at the top of the
Chronicle user interface. Click SEARCH.

Search for an IP Address from the landing page


2. Select the IP address from the DESTINATION IPS drop-down menu.

Chronicle search autodetect menu


3. IP Address view is displayed.
IP Address view
4. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Procedural Filtering enables you to further filter information pertaining to the IP
address, including by event type, log source, network connection status, and Top
Level Domain (TLD).

Filtering Menu
The following Procedural Filtering options are available in IP Address view:
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD
Filter options

Filter data in Hash view


bookmark_border
Hash view enables you to search and investigate files based on their hash value.

Open Hash view

You can open Hash view in the following ways:

• Search for the file hash directly
• Pivot to Hash view when viewing a process- or file-based event in Asset view

Search for the file hash directly

To open Hash view directly:

1. Enter the hash value in the Chronicle search field. Click SEARCH.
Search for hash from the landing page
2. Select the hash value from the HASHES drop-down menu.

Chronicle search autodetect menu


3. Hash view is displayed.

Hash view
Navigate to Hash view from Asset view

You can also navigate to Hash view while investigating an asset in Asset view.

1. Search for an asset and view it in Asset view.


Search for asset from the landing page
2. Asset view is displayed.

Asset view
3. From the TIMELINE tab to the left, scroll down to any event tied to a process or
file modification, such as PROCESS_LAUNCH.
Note: If you are not able to locate PROCESS_LAUNCH in the Event column, change the
start-date on the top left corner to a few days previous to the present date. Also, slide
the Time slider on the top right corner to 1 Day. Doing this will refresh the TIMELINE
panel and display the other required events.
Increase the time range to find events
4. Expand the file to view details and investigate.

Find a process or file-related event


5. You can open Hash view for the file by clicking the hash value in Asset view.

Hash value link in Asset view


6. Hash view is displayed.

Hash view
Filter options in Hash view

The following Procedural Filtering options are available in Hash view:

• ASSETS
• EVENT TYPE
• LOG SOURCE
• PID
• PROCESS NAME

Hash view filtering options

Filter data in Raw Log Scan view


bookmark_border
Raw Log Scan enables you to examine your raw unparsed logs. When you execute a
search, Chronicle first examines the security data that has been both ingested and
parsed. If the information you are searching for is not found, you can use Raw Log Scan
to examine your raw unparsed logs. You can also use regular expressions to more
closely examine the raw logs.

Use Raw Log Scan to investigate artifacts that appear in logs but are not indexed,
including:

• Usernames
• Filenames
• Registry keys
• Command line arguments
• Raw HTTP request-related data
• Domain names based on regular expressions
• Asset names and addresses

To use Raw Log Scan in Chronicle, complete the following steps:

1. Enter a search string in the search bar on either the landing page or the menu bar
at the top of the Chronicle user interface. Click SEARCH.

Search for text value from the landing page


2. Select Raw Log Scan from the dropdown menu.
Chronicle search autodetect menu
3. Chronicle opens the Raw Log Scan options.

Raw Log Scan search options menu


4. Specify the Start Time and End Time (the default is 1 week) and click SEARCH.
5. Raw Log Scan view is displayed, as shown below.
Raw Log Scan view
You can use regular expressions to search for and match sets of character
strings within your security data using Chronicle. Regular expressions enable you
to narrow your search down using fragments of information, as opposed to using
a complete domain name, for example.
The following Procedural Filtering options are available in the Raw Log Scan
view:
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD
Raw Log Scan view filtering options

Viewing rules in Rules Dashboard


bookmark_border
To open the Rules Dashboard in Chronicle, select Rules from the application menu icon. The
Rules Dashboard displays all of the rules you currently have stored within your Chronicle
account and includes the following features:

• Trend chart displays the rule with the greatest number of detections over the
past 3 weeks.
• Displays a graph of the activity associated with the rules. Hovering over a bar in
the chart displays the date and number of detections.
• Run frequency indicates the approximate frequency the rule will execute.
• Live Status (Enabled or Disabled).
• Rule severity as in the Rule metadata.

If you hover over a rule and click the menu icon to the right, you can open the Rule
Settings menu and manipulate the Live Rule, Run Frequency, and Notifications options.
• Live Rule monitors your incoming logs for threats until it is deleted or disabled.
• Alerting indicates an anomaly in the normal workflow of traffic within the
enterprise. You should investigate alerts as a possible breach of security.
• Run Frequency indicates the approximate frequency the rule will execute and
impacts the latency with which detections are discovered for each rule.
• YARA-L Retrohunt enables you to use the selected rule to search for detections
throughout existing data in Chronicle.
• Edit Rule enables you to edit existing rules and create new rules.
• View Rule Detections enables you to view detections generated by a live rule.
• Archive hides the rule and the security data related to that rule (and all of its
versions) without actually deleting the rule.

Clicking a rule name opens the Rule Detections view (see View Rule Detections for
more information).

Rules Dashboard to view the status of rules

Running a rule against historical data


bookmark_border
When you create and enable a new rule, the rule begins searching for detections in
the events received by your Chronicle account in real time. A retrohunt enables you
to use the selected rule to search for detections throughout the data already stored
in Chronicle. To start a retrohunt, complete the following steps:

1. Navigate to the Rules Dashboard.


2. Click the Rules option icon for a rule and select YARA-L Retrohunt.

YARA-L Retrohunt option


3. In the YARA-L Retrohunt pop-up window, select the start time and end time for
your search. The default is one week. The window shows the available date
and time range. Click RUN when ready.

YARA-L Retrohunt pop-up window


4. You can view the progress of the retrohunt run from the Rule Detections view for
the rule. If you cancel a retrohunt in progress, you can still view any detections it
made while running.
5. If you have completed multiple retrohunts, you can view the results of past
retrohunt runs by clicking the date range link as shown in the following figure.
The results of each run are displayed in the Timeline and Detections graph in
Rule Detections view.

YARA-L retrohunt runs

View previous versions of a rule

You can create multiple versions of a rule. This enables you to experiment with your rule
logic for a more nuanced examination of your event data.

Note: Any detections made with a version of a rule remain with it. If you switch to a different
version of a rule, the detections you view are associated with that version and that version only.

To view the versions of a rule, navigate to the Rules Editor:

1. Select a rule.
2. Click the rule menu icon and select View Versions as shown below.
View Versions menu option
3. Rule versions view is displayed.

Viewing rule versions


From this view, you can select any of the previous versions of the rule, as shown
in this figure. Each rule version is labeled with the time at which it was created.
4. This view provides you with a number of options:
• SAVE AS NEW—Saves the currently displayed version of the rule as a new
and separate rule.
• VIEW DETECTIONS—Display the detections stored with this version of the
rule. Note: These detections might not be current depending on the age of
the rule version.
• RUN TEST—Test the current version of the rule in real time, enabling you
to determine the effectiveness of this version of the rule.
Note: Detections found through the test are not saved.
5. When you have finished examining the versions of the selected rule, click EXIT to
return to the Rules Editor.

Manage rules using Rules Editor

The Rules Editor enables you to edit existing rules and create new rules.

Rules Editor

1. Use the Search rules field to search for an existing rule. You can also scroll
through the rules using the scroll bar. Click any of the rules in the left panel to
view the rule in the rule display panel.
2. Select the rule you are interested in from the Rules List. The rule is displayed in
the rule editing window. Selecting a rule also opens the rule pop-up menu, which
offers the following options:
• Live Rule—Enable or disable the rule.

• Duplicate Rule—Make a copy of the rule, helpful if you want to make a similar
rule.

• View Rule Detections—Open the Rule Detections window to display the
detections captured by this rule.
3. Use the Rule Editing window to edit existing rules and to create new rules. The
Rule Editing window includes an automatic completion feature to enable you to
view the correct YARA-L syntax available for each section of the rule. Whenever
composing or editing a rule, Chronicle recommends walking through the
automatic recommendations to ensure your completed rule uses the correct
syntax. More details about the YARA-L syntax and best practices can be
found here.
4. Click New in the Rules Editor to open the Rules Editor window, which is
automatically populated with the default rule template shown in the following figure.
Chronicle automatically generates a unique name for the rule. Write your new
rule in YARA-L. When you have finished, click SAVE NEW RULE. Chronicle checks
the syntax of your rule. If the rule is valid, it is saved and automatically enabled. If
the syntax is invalid, Chronicle returns an error. To discard the new rule, click DISCARD.
Note: After you have saved a rule, you cannot delete it from the Rules Editor or the Rules
Dashboard.
Note: For multi-event rules correlating more than one event with a match section size of
over one hour, the rule's run frequency (when executing as a Live Rule) is automatically
set to 1 hour.

New Rule Template


5. To view information on the current detections associated with a rule, click the
rule in the rules list and click View Rule Detections to open Rule Detections view.
The Rule Detections view displays the metadata attached to the rule and a graph
showing the number of detections found by the rule over recent days.
6. Click Edit Rule to return to the Rules Editor.
Rule Detections

Multicolumn view

The Timeline tab is also available and lists the events detected by the rule. As
with the Timeline tab in other Chronicle views, you can select an event and open
the associated raw log or UDM event.
You can also manipulate what information is displayed on the Timeline tab by
clicking the Columns icon to open the multicolumn view options. Multicolumn
view enables you to select a variety of categories of log information to display,
including common types such as hostname and user and many more specific
categories provided by UDM.
Multicolumn view
7. Click RUN TEST to run the rule displayed in the rule editing window. Chronicle
begins to collect detections. This gives you a quick way to check if the rule is
working as expected. The detection information is displayed in the TEST RULE
RESULTS window. At any time you can click CANCEL TEST to stop this process.
Note: These test results are not saved and will not be viewable in the Rules Dashboard.
Test Rule Results
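As an added example (not part of the Chronicle documentation), here is a multi-event rule in YARA-L 2.0 syntax of the kind step 4 describes, correlating two event variables on a shared match variable. The UDM field names are standard Chronicle fields; the rule name, description and the attempt threshold are constructed for illustration.

```yaral
rule blocked_logins_then_success_example {
  meta:
    // Metadata surfaced in the Rules Dashboard (constructed values).
    author = "example"
    description = "Constructed example: repeated blocked logins followed by an allowed login for the same user"
    severity = "Medium"

  events:
    // First event variable: login attempts that were blocked.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.target.user.userid = $user

    // Second event variable: a login for the same user that was allowed.
    $ok.metadata.event_type = "USER_LOGIN"
    $ok.security_result.action = "ALLOW"
    $ok.target.user.userid = $user

    // Require the blocked attempts to precede the allowed login.
    $fail.metadata.event_timestamp.seconds < $ok.metadata.event_timestamp.seconds

  match:
    // Group events per user over a one-hour window. A window larger than 1h
    // is what the note above means by a match section size of over one hour.
    $user over 1h

  condition:
    // At least five blocked attempts and at least one allowed login.
    #fail >= 5 and $ok
}
```

Use RUN TEST (step 7) to see what this rule would have detected before enabling it as a Live Rule.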
