Chronicle is designed to work exclusively with the Google Chrome browser. If you do
not have Chrome installed, go to https://www.google.com/chrome/. We recommend
upgrading Chrome to the most current version.
Chronicle is integrated into your single sign-on solution (SSO). You can log in to
Chronicle using the credentials provided by your enterprise.
Enterprise Insights view displays the domains and assets most in need of investigation
within your enterprise. From Domain view, navigate to Enterprise Insights view by
clicking on the menu icon and selecting Enterprise Insights.
The Procedural Filtering menu is available on Enterprise Insights view. Hovering over
the header categories row displays the sorting control for each column, enabling you to
sort alphabetically or by time depending on the category.
Enterprise Insights
The indicator of compromise (IOC) domain matches list shows the domains that your security
infrastructure has flagged as suspicious and that have been seen recently within your
enterprise. You can adjust the dates under investigation using the date slider (between
1 and 25 days back).
The assets and users within your enterprise with current security alerts are listed here.
You can organize this information by Asset, Alert name, or User. These assets might
require further investigation. Clicking on a user opens User view.
Chronicle provides a set of default dashboards for analysis and reporting within the
Chronicle user interface. Reporting is available by converting a dashboard to a
shareable file (for example, PDF, Excel, CSV, etc.). These dashboards are built upon the
capabilities of Looker: https://cloud.google.com/looker and BigQuery:
https://cloud.google.com/bigquery (both Google Cloud products). Looker acts as a
visualization layer while BigQuery acts as a data layer.
Before you can access Dashboards in Chronicle, complete the following steps to access
your Chronicle account and navigate to the Dashboarding page:
1. Click the application menu icon in the upper right corner and select
the Dashboards option.
Note: If you are unable to view the Dashboards option in the menu, check with
your account manager to ensure the feature has been enabled for your account.
Application menu
Default Dashboards
The Context Aware Detections Risk dashboard provides insight into the current threat
status of assets and users in your enterprise. It is built using fields in the Rule
Detections Explore interface and retrieves data from the Chronicle rule_detections table in
BigQuery.
The severity and risk score values are variables defined in each rule. For an example,
see the multi-event rule with outcome section. In each panel, data is sorted by
severity first and then by risk score, to identify the users and assets most at risk.
The Data Ingestion and Health dashboard provides information about the type and
volume of data being ingested into your Chronicle account. This information should
remain relatively stable and predictable; a sudden drop in data ingestion can
indicate a problem either with the systems forwarding data from your enterprise or with
your Chronicle account.
The following Data Ingestion and Health dashboard shows visualizations that help you
understand the volume of ingested logs, ingestion errors, and other information.
You can view the following information in the Data Ingestion and Health dashboard:
• Ingestion Error Count. The total number of errors encountered during ingestion.
• Log Type Distribution by Events Count. A chart that shows the log types distribution
based on the number of events for each log type.
• Log Type Distribution by Throughput. A chart that shows the log types distribution based
on the throughput.
• Ingestion - Events by Status. A graph that shows the number of events based on their
status.
• Ingestion - Events by Log Type. A table that shows the number of events based on their
status and log type.
• Recently Ingested Events. A table that shows recently ingested events for each log type.
• Daily Log Information. A table that shows the numbers of logs for a day for each log
type.
• Event count vs Size. Graphs that compare event counts and size over a period of time.
• Ingestion Throughput. Graphs that show ingestion throughput over a period of time.
IOC Matches
The Indicator of Compromise (IOC) Matches dashboard provides visibility into the IOCs
currently present in your enterprise. It includes the following IOC charts:
IOC Matches
Main
The Main dashboard displays information about the status of the Chronicle data
ingestion system. It also includes a global map highlighting the geographic location of
the IOCs detected within your enterprise.
Main dashboard
Rule Detections
The Rule Detections dashboard provides insight into activity related to the detection
engine and the configured rules. Since your security analysts configure these rules to
search for specific threats, this information might be particularly relevant to your
organization.
Rule Detections
The User Sign in Overview dashboard provides insight into where your users are logging
into your enterprise from and what applications they are signing in to. This information
can be useful for tracking attempts by malicious actors to access your enterprise. For
example, you might find that a particular user has attempted to access your enterprise
from a country where you do not have an office or that a user in administration appears
to be repeatedly accessing an accounting application.
User Sign in Overview
The Chronicle default dashboards cannot be modified. However, you can make a copy
of any of the default dashboards and add it to either the Personal or Shared dashboards
sections. The copies can be modified, enabling you to customize these dashboards for
your enterprise as needed.
To copy a default dashboard, click the three-dot menu icon. The following options are
available:
• Copy to Personal
• Copy to Shared
Personal dashboards are visible only to you, based on your username. Shared
dashboards are visible to all members of your organization's Chronicle account.
Options - Copy to Personal or Shared
Once you have made a copy of a default dashboard, you can select it from the Personal
or Shared Dashboards section. Click the three dot menu in the upper right corner and
select Edit dashboard. You can then edit any of the dashboard elements by selecting
the three dot menu on the element and selecting Edit. This opens the Looker popup
window, enabling you to modify the element further.
See Example: Creating a New Dashboard for an example of how to create a new dashboard.
Creating a new dashboard is much like editing an existing dashboard.
Note: The Chronicle dashboards are built with Looker. For detailed information on all of
the features and capabilities of Looker dashboards, see the Looker documentation.
Edit dashboard
You can create a new dashboard either within the Personal or Shared Dashboards
sections. Personal dashboards are only visible within your own Chronicle account. The
shared dashboards are visible to all members of your team who also have access to
your Chronicle account.
Note: This feature is built on Looker. For detailed information on all of the features and
capabilities of Looker dashboards, see the Looker documentation.
The following example illustrates how to create a dashboard for monitoring the top 25
IOCs in your enterprise:
• IOC Matches
• Rule Detections
Choose an Explore
5. Select Ioc Matches (Ioc - Indicator of Compromise).
IOC Matches
6. For Dimensions, select Asset Hostname and Confidence Score from the left
navigation panel. You typically need to select at least two dimensions to create a
new visualization.
Set the Ioc Matches Confidence Score control from highest to lowest and set
the Row Limit to 25 as shown in the figure.
7. Select the Table icon and click Run to test the visualization against your
Chronicle data.
Dimensions
8. The following table is displayed with the Top 25 IOCs by Confidence against
Assets within your enterprise. Give the Explore a title (Top 25 IOCs in this
example) in the upper left corner of the pop-up window. Click Save to save the
Explore and return to the Dashboards window.
Top 25 IOCs
9. Give the new dashboard a name (Check First in this example). Click Save.
The Dashboards page is displayed with the added new dashboard.
New dashboard displaying the Top 25 IOCs
Investigate an asset
This page shows you how to investigate an asset.
To view data in this view, make sure you are ingesting and normalizing data from
devices on your network, such as EDR, firewall, web proxy, etc.
Chronicle allows you to investigate alerts from other security products. You can
investigate assets to determine whether any have been compromised, determine the
nature of the compromise, and begin remediating issues.
1. Enter the hostname, client IP address, or MAC address for the asset you want to
investigate:
• Hostname—Either short (for example, mattu) or fully qualified (for example,
mattu.ads.altostrat.com).
• Internal IP address—Internal IP address for the client (for example,
10.120.89.92). Both IPv4 and IPv6 are supported.
• MAC address—MAC address for any device within your enterprise (for example,
00:53:00:4a:56:07).
Note: If you enter an IP or MAC address, Chronicle automatically pivots to the machine
that is associated with that IP or MAC address at the specified search time.
2. Enter a timestamp for the asset (current UTC time and date are default).
3. Click Search.
Asset view
You can adjust the Asset view to hide benign activity and help highlight the data
relevant to an investigation. The following descriptions refer to the Asset view figure.
Asset view
When you search for an asset, activity is returned for a default time window of 2 hours.
Hovering over the header categories row displays the sorting control for each column,
enabling you to sort alphabetically or by time depending on the category. Adjust the
time window using the time slider or by scrolling the mouse wheel while the cursor is
over the Prevalence Graph. See also the Time Slider and Prevalence Graph.
2 DOMAINS sidebar list
Use this list to see the first lookup of each distinct domain within a given time window,
helping to hide noise caused by assets frequently connecting to domains.
Domains list
3 Time slider
The Time Slider lets you adjust the time period under examination. You can adjust the
slider to view between one minute and one day of events (you can also adjust this using
the scroll wheel of your mouse over the Prevalence Graph).
This section provides additional information about the asset, including the client IP and
MAC address associated with a given hostname for the specified time period. It also
provides information on when the asset was first observed in your enterprise and the
time data was last collected.
5 Prevalence graph
The Prevalence graph shows the maximum number of assets in the enterprise that
have recently connected to the displayed network domain. Large gray circles indicate
first connections to domains. Small gray circles indicate subsequent connections to the
same domain. Frequently accessed domains fall to the bottom of the graph while
infrequently accessed domains rise to the top. The red triangles displayed on the graph
are associated with security alerts at the time specified under the prevalence graph.
6 Asset insight blocks
The Asset Insight blocks highlight the domains and alerts that you might want to
investigate further. They provide additional context as to what might have triggered an
alert and can help you determine if a device is compromised. The Asset Insight blocks
are a reflection of the currently displayed events and vary depending on their threat
relevance.
Alerts from your existing security infrastructure. These alerts are labeled with a red
triangle in Chronicle and might warrant further investigation.
• Leverages WHOIS registration metadata to determine if the asset queried domains that
have been recently registered (in the past 30 days from the start of the search time
window).
• Recently registered domains typically have a higher threat relevance since they might
have been explicitly created to avoid existing security filters. Appears for the Fully
Qualified Domain Name (FQDN) at the current view's timestamp. For example:
• Examines your company's DNS data to determine whether an asset queried domains
that have never been visited before by anyone at your company. For example:
• A few other assets visited phishing.altostrat.com on May 10, 2018, but there is
no other activity for altostrat.com or any of its subdomains in your organization
before May 10, 2018.
• Proofpoint, Inc. publishes the Emerging Threats (ET) Intelligence Rep List composed of
suspicious IP addresses and domains.
• Domains are matched against the asset-to-indicator lists for the current time range.
• Cyber threat indicators compiled by DHS, including malicious IP addresses and the
sender addresses of phishing emails.
Alerts
The following figure shows third-party alerts that are correlated to the asset under
investigation. These alerts can come from popular security products (anti-virus,
intrusion detection, firewall, etc.). They provide you with additional context when
investigating an asset.
Alert interaction in Asset view
To open the Procedural Filtering menu, click the icon in the top-right corner of the
Chronicle user interface.
Procedural Filtering menu
The Procedural Filtering menu, shown in the following figure, enables you to further
filter information pertaining to an asset, including:
• Prevalence
• Event type
• Log source
You can use the Prevalence slider to filter out the high prevalence domains and focus
on the domains which fewer assets across your enterprise have accessed. The
minimum Prevalence value is 1, meaning you could focus on the domains which are
linked to a single asset within your enterprise. The maximum value varies depending on
the number of assets you have within your enterprise.
Hovering over an item brings up controls that enable you to include, exclude, or view
only the data relevant to that item. As shown in the following figure, you can set the
control to view only the top-level domains (TLDs) by clicking the O icon.
Procedural filtering on a single TLD.
The Procedural Filtering menu is also available from Enterprise Insights view.
You can use procedural filtering to view events from specific security vendors for an
asset in Asset view. For example, you can use the Log Source filter to focus on events
from a security vendor such as Tanium.
You can then view the Tanium events from the TIMELINE sidebar as shown in this
figure.
Filtering Zscaler events
You will see the namespace attached to your assets throughout the Chronicle UI,
especially whenever there is a list of assets, including the following:
• UDM Search
• Enterprise Insights
• Detection views
Note: The following sections illustrate some of the places that namespaces appear in the UI. They also
appear in many of the other views used for investigation.
Search bar
When using the search bar, the namespaces associated with each asset are displayed.
Selecting an asset within a specific namespace opens it in Asset view, showing the
other activities associated with the same namespace. If you want to see the activity of a
specific asset across all namespaces, you can select the last entry [all namespaces].
Any asset not associated with a namespace is assigned to the default namespace.
However, the default namespace is not displayed in lists such as the one shown below
for the Chronicle search bar.
Search bar
Asset view
In Asset view, the namespace is indicated in the title of the asset at the top of the page.
If you select the drop down menu by clicking on the down arrow, you can select the
other namespaces associated with the asset.
Throughout the Chronicle user interface, namespaces are shown anywhere an asset is
referenced (except for the default or untagged namespace), including within the IP
address, Domain, and Hash views.
For example, in IP Address view (as shown below), namespaces are included in both the
asset tab and in the prevalence graph.
Ingestion labels
To further narrow your search, you can use ingestion labels to set up separate feeds.
For a full list of supported ingestion labels, see Supported default parsers.
The following examples illustrate three different ways you can add a namespace to the
logs you ingest to your Chronicle account.
As shown in this example, the logs originating from WINEVTLOG include the namespace
tag FORWARDER. The logs originating from NIX_SYSTEM include the namespace
tag CORPORATE.
This sets an overall namespace for the log collector. If your environment contains a mix
of logs that belong to multiple namespaces and you are unable to segment these
machines (or this is by design), Google recommends creating multiple collectors for the
same log source, each filtering the logs into its respective namespace using regular
expressions.
You can also configure a namespace when you send your logs through
the unstructuredlogentries endpoint within the Chronicle ingestion API as shown in the
following example:
{
  "customer_id": "c8c65bfa-5f2c-42d4-9189-64bb7b939f2c",
  "log_type": "BIND_DNS",
  "namespace": "FORWARDER",
  "entries": [
    {
      "log_text": "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: query: altostrat.com IN A + (203.0.113.102)",
      "ts_epoch_microseconds": 1551188102187000
    },
    {
      "log_text": "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: query: examplepetstore.com IN A + (203.0.113.102)",
      "ts_rfc3339": "2019-02-26T13:37:04.523-08:00"
    },
    {
      "log_text": "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: query: www.example.com IN A + (203.0.113.102)"
    }
  ]
}
In this example, the namespace is a body parameter of the API POST call. Logs
from BIND_DNS forward their log data with the FORWARDER namespace tag.
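The following Python script is an added example, not Chronicle's client code: it assembles a request body in the shape shown above, attaches the namespace, and rejects malformed timestamps before anything is sent. The body field names are the ones in the JSON sample; the customer ID and log lines are the page's sample values; the rule that an entry carries at most one timestamp field is an assumption made here.

```python
"""Build and check an unstructuredlogentries request body that carries a namespace.

Added example; this is not Chronicle's client code. The field names
(customer_id, log_type, namespace, entries, log_text, ts_epoch_microseconds,
ts_rfc3339) are those shown in the page's JSON sample. The rule that an entry
carries at most one timestamp field is assumed here, not taken from the page.
"""
import json
import re
from datetime import datetime

# Shape of an RFC 3339 timestamp such as 2019-02-26T13:37:04.523-08:00.
# Fractional seconds limited to 3 or 6 digits so datetime.fromisoformat accepts them.
_RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3}|\.\d{6})?(Z|[+-]\d{2}:\d{2})$"
)


def valid_rfc3339(ts):
    """True if ts is well-formed RFC 3339 and denotes a real calendar date and time."""
    if not isinstance(ts, str) or not _RFC3339.match(ts):
        return False
    try:
        # Catches month/day out of range, e.g. a swapped "2019-26-02".
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def validate_entry(entry):
    """Return a list of problems in one entry; an empty list means the entry is fine."""
    problems = []
    text = entry.get("log_text")
    if not isinstance(text, str) or not text:
        problems.append("log_text missing or empty")
    if "ts_epoch_microseconds" in entry and "ts_rfc3339" in entry:
        problems.append("both ts_epoch_microseconds and ts_rfc3339 set (assumed: use one)")
    if "ts_epoch_microseconds" in entry:
        us = entry["ts_epoch_microseconds"]
        if not isinstance(us, int) or isinstance(us, bool) or us < 0:
            problems.append("ts_epoch_microseconds must be a non-negative integer")
    if "ts_rfc3339" in entry and not valid_rfc3339(entry["ts_rfc3339"]):
        problems.append("ts_rfc3339 is not a valid timestamp: %r" % (entry["ts_rfc3339"],))
    return problems


def build_request(customer_id, log_type, namespace, entries):
    """Validate all entries and return the request body as a dict with the namespace set."""
    errors = {i: validate_entry(e) for i, e in enumerate(entries) if validate_entry(e)}
    if errors:
        raise ValueError("invalid entries: %s" % errors)
    return {
        "customer_id": customer_id,
        "log_type": log_type,
        "namespace": namespace,  # applied to every entry in this batch
        "entries": list(entries),
    }


def to_json(body):
    """Serialize the body exactly as it would be posted."""
    return json.dumps(body, indent=2)


# Sample entries taken from the page's BIND_DNS example (constructed data).
SAMPLE_ENTRIES = [
    {"log_text": "26-Feb-2019 13:35:02.187 client 10.120.20.32#4238: query: "
                 "altostrat.com IN A + (203.0.113.102)",
     "ts_epoch_microseconds": 1551188102187000},
    {"log_text": "26-Feb-2019 13:37:04.523 client 10.50.100.33#1116: query: "
                 "examplepetstore.com IN A + (203.0.113.102)",
     "ts_rfc3339": "2019-02-26T13:37:04.523-08:00"},
    {"log_text": "26-Feb-2019 13:39:01.115 client 10.1.2.3#3333: query: "
                 "www.example.com IN A + (203.0.113.102)"},
]

if __name__ == "__main__":
    body = build_request("c8c65bfa-5f2c-42d4-9189-64bb7b939f2c", "BIND_DNS",
                         "FORWARDER", SAMPLE_ENTRIES)
    print(to_json(body))
    # A month/day swap such as "2019-26-02T..." is rejected before the batch is sent.
    bad = dict(SAMPLE_ENTRIES[1], ts_rfc3339="2019-26-02T13:37:04.523-08:00")
    print(validate_entry(bad))
```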
As stated in the Feed management user guide, Chronicle Feeds Management enables
you to set up and manage various log streams within your Chronicle tenant.
Investigate an IP address
Chronicle enables you to investigate specific IP addresses to determine if any are
present within your enterprise and what impact these outside systems might have had
on your assets. The Chronicle IP Address view is derived from the same security
information and data forwarded from your enterprise that you can examine using Asset
view. Make sure you are ingesting and normalizing data from devices on your network,
such as EDR, firewall, web proxy, etc.
From Asset view, you begin your investigation from within your enterprise and look
outward. From IP Address view, you begin your investigation from outside your
enterprise and look in.
IP Address context
IP Address view
1 Prevalence
Typically, less prevalent IP addresses, ones that fewer assets have connected to, might
represent a greater threat to your enterprise. Unlike the Prevalence graph in Asset view,
the graph in this figure shows high prevalence access at the top of the graph and low
prevalence access at the bottom.
When you hold the pointer over a bar in the Prevalence graph, the graph lists the assets
that accessed the IP address. Due to the high prevalence of DNS servers, they aren't
listed. If all of the assets are DNS servers, no assets are listed.
Adjust the slider to focus on events tied to a specific range of dates as shown in the
Prevalence graph.
3 IP Address insights
IP address insights provide you with more context about the IP address under
investigation. You can use them to determine whether an IP address is benign or
malicious. They also provide you with the ability to further investigate an indicator to
determine if there is a broader compromise.
4 VT Context
Click VT Context to view the VirusTotal information available for this IP address.
Investigate a domain
Chronicle enables you to investigate specific domains to determine if any are present
within your enterprise, and what impact these outside systems might have had on your
assets. Domain view is derived from the security information and data that you have
forwarded to Chronicle. Make sure you are ingesting and normalizing data from devices
on your network, such as EDR, firewall, web proxy, etc.
1. Enter the domain (ending with a known public suffix) or URL you need to investigate in
the search bar at the top of the user interface.
2. Click SEARCH. If the domain exists, it is listed under the DOMAINS heading. Click the
domain name link to pivot to Domain view. If the domain is present within your
enterprise, additional information is displayed in Domain view. If the domain is not
present, Domain view will be empty.
Domain context
Domain view
1 VT Context
Click VT Context to view the VirusTotal information available for this domain.
2 WHOIS
Chronicle displays the WHOIS information associated with the registered domain. This
information can be useful when assessing a domain's reputation.
3 Prevalence
When you hold the pointer over a bar in the Prevalence graph, the graph lists the assets
that accessed the domain. Due to the high prevalence of DNS servers, they aren't listed.
If all of the assets are DNS servers, no assets are listed.
4 Domain insights
Domain insights provide you with more context about domains under investigation. You
can use them to determine whether a domain is benign or malicious. They also let you
further investigate an indicator to determine if there is a broader compromise.
• Associated subdomains: All associated subdomains that have been seen in your
organization for a given Fully Qualified Domain Name. Many adversaries use the
same domain and subdomain for their attacks. For example:
• Search for sandbox.altostrat.com (Fully Qualified Domain Name)
• Sibling Domains: All sibling domains that have been seen in your organization for
a given Fully Qualified Domain Name at a given level. For example:
• Search for sandbox.altostrat.com
The Timeline tab lists all of the events for the domain. The Asset identifier column
shows the asset ID. In a small number of cases, Chronicle replaces the asset ID with the
IP address of the asset.
Investigate a user
Chronicle User view enables customers to better understand how users within an
enterprise are impacted by security events. By focusing on the behavior of individual
users, security administrators can search for activity indicating an account compromise
or other security concerns. Make sure you are ingesting and normalizing data from
devices on your network, such as EDR, firewall, web proxy, user context, and
authentication, etc.
To open User view in Chronicle, enter the username or email address of a user within
your enterprise in the Search field. If the user is present within your Chronicle account,
that user is displayed as a result. Click the username to pivot to User view.
You can also access User view from the Recent Alerts panel in Enterprise Insights view.
In addition to Assets, there is a column for Users impacted by alerts.
User view includes a user aliasing feature to ensure events associated with a single
user are not duplicated and are easier to search within your Chronicle account. For
example, if you have an employee named Dennis whose user identifier is dennis and
whose email is dennis@altostrat.com and you search for dennis in Chronicle, events for
both dennis and dennis@altostrat.com are returned.
User view includes many features and user interface controls to enable you to more
closely examine the user data within your enterprise. Some of these features are unique
to User view and some are shared with the other Chronicle event views (Domain View,
IP Address View, etc.).
1 User information
Displays information about the user stored within your enterprise IT systems (for
example, Active Directory, Workday, Okta, etc.).
2 Date selection
Use the left and right arrows to examine the events associated with the user over a one
calendar week interval (Saturday through Sunday). If no data is available in the currently
displayed time period, you are given First Seen and Last Seen options to shift the view
quickly to a relevant time period.
By default, User view centers the Gradient Heat Map at 12:00 UTC (noon). Using the X-
Axis Time Shift control, you can center the Heat Map up to 12 hours before or after
12:00. This enables you to focus on atypical time periods for the user. For example, you
could time shift the display to 0:00 UTC (midnight) to focus on user activity in the late
evening and early morning hours as shown in these figures.
User view Gradient Heat Map displays an aggregate view of user activity across the
time period you are investigating. Each square indicates an hour of the day (UTC) for a
logged user activity across the time period. This chart enables you to locate abnormal
or atypical user activity.
Clicking on a square shows the activity date and clicking on that date from the green
popover takes you to that hour of events in the Timeline.
The color of each square varies from black through shades of gray to white:
For example, a user is routinely active during normal work hours and never active late at
night or on weekends. However, this user has recently become active every day at 3AM.
The Gradient Heat Map enables you to quickly locate this type of atypical activity.
5 User alerts
User security alerts are captured by Chronicle and displayed here. You can click the
associated links to further investigate the alert.
7 Columns
The Timeline and Assets tabs are also available within User view. As with other
Chronicle views, the Timeline tab lists events chronologically and the Assets tab lists
the assets associated with the user alphabetically or numerically. The assets displayed
correspond to this specific user's activity within your enterprise and are limited by the
time period specified.
8 Procedural filtering
You can open the Procedural Filtering menu by clicking the Procedural Filtering icon in
User View and filter the user information based on a variety of characteristics. For
example, you could filter on Principal Location to examine the geographic location of
the user's login attempts. It might indicate that a user is logging in from unusual
locations.
Investigate a file
You can use Chronicle to search your data for a specific file based on its MD5, SHA-1, or
SHA-256 hash value. Make sure you are ingesting and normalizing data from devices on
your network, such as EDR data.
If additional information is available for a file hash found within a customer's Chronicle
account, this additional information is added to the associated UDM events
automatically. You can search for these UDM events manually using UDM Search or by
using rules.
To open Hash view directly, enter the hash value in the Chronicle search field and
click Search.
Hash view
Chronicle provides additional information about the file, including the following:
• Partner Engines Detecting—Other security vendors who have detected the file.
• Properties/Metadata—Known properties of the file.
• VT Submitted / ITW Filenames—Known malicious in-the-wild (ITW) malware
submitted to VirusTotal.
Navigate to Hash view from another view
You can also navigate to Hash view while investigating an asset in another view (for
example, Asset view) by completing the following steps:
1. Open an investigation view. For example, select an asset to view it within Asset
view.
2. In the TIMELINE to the left, scroll down to any event tied to a process or file
modification, such as Network Connection.
You can use Raw Log Scan to investigate artifacts that appear in logs, but are not
indexed, including:
• Usernames
• Filenames
• Registry keys
• Command-line arguments
To use Raw Log Scan, enter a search string in the search field on either the landing page
or the menu bar (for example, an MD5 hash). Enter at least 4 characters (including
wildcards). If Chronicle cannot find the search string, it opens the Raw Logs
Scan option. Specify the Start Time and End Time (the default is 1 week) and
click SEARCH.
You can also click the Log Sources drop-down menu and select one or more of the data
sources you are sending to Chronicle to search. The default setting is All.
Regular expressions
You can use regular expressions to search for and match sets of character strings
within your security data using Chronicle. Regular expressions enable you to narrow
your search down using fragments of information, as opposed to using (for example) a
complete domain name.
To run a search using regular expression syntax, enter your search in the Search field
with the regular expression, check the Run Query as Regex checkbox, and
click SEARCH. Your regular expression must be from 4 to 66 characters long.
The following table highlights some of the common regular expression syntaxes you
can use for your searches.
Any character: .
The following examples illustrate how you could use this syntax to search across your
data:
This section provides regular expression query strings you can use with Chronicle raw
log scan to find commonly monitored Windows events. These examples assume the
Windows log messages are in JSON format.
For more information about commonly monitored Windows Event IDs, see the Events to
Monitor topic in Microsoft documentation. The examples provided follow a similar
pattern, described in these use cases.
Use Case: Return events with an Event ID that is either 1150 or 1151, and with ThreatID 9092
These regular expression query strings identify common account management events
using the EventID attribute.
These regular expression query strings identify types of successful logon events using
the EventID and LogonType attributes.
These regular expression query strings identify types of failed logon events using the
EventID and LogonType attributes.
These regular expression query strings identify certain process and service events
using the EventID attribute.
These regular expression query strings identify different types of process and service
related events using the EventID attribute.
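The script below is an added example, not the query strings from the original page: it writes regex searches of the kind the use cases above describe and runs them over constructed JSON-formatted Windows events, checking each pattern against the 4 to 66 character limit stated above. Field names EventID, ThreatID and LogonType follow the attributes named on the page, the event IDs are standard Windows Security log IDs, and Python's re module stands in for the raw log scan engine.

```python
"""Regex query strings of the kind the raw log scan use cases describe, run over
constructed JSON-formatted Windows events.

Added example, not the page's own query strings. Field names EventID, ThreatID
and LogonType follow the attributes named on the page; event IDs are standard
Windows Security log IDs (4624 successful logon, 4625 failed logon, 4720/4726
account created/deleted, 4728/4732 member added to a global/local group).
The sample lines are constructed. Python's re is used here; the engine behind
Chronicle raw log scan is assumed to accept the same basic syntax.
"""
import re

# Chronicle raw log scan accepts regex searches of 4 to 66 characters (from the page).
MIN_LEN, MAX_LEN = 4, 66

# Constructed sample events, one JSON object per line, as a forwarder might send them.
SAMPLE_LOGS = [
    '{"EventID": 1150, "ThreatID": 9092, "Computer": "ws01.example.internal"}',
    '{"EventID": 1151, "ThreatID": 1001, "Computer": "ws02.example.internal"}',
    '{"EventID": "4624", "LogonType": "10", "TargetUserName": "alice"}',
    '{"EventID": "4624", "LogonType": "2", "TargetUserName": "bob"}',
    '{"EventID": "4625", "LogonType": "3", "TargetUserName": "carol"}',
    '{"EventID": 4720, "TargetUserName": "svc-new", "SubjectUserName": "admin"}',
]

# Each pattern tolerates numbers written bare or quoted ("?) and optional whitespace
# after the colon (\s*). Patterns that combine two attributes assume the first
# attribute precedes the second in the line, because .* only scans forward.
PATTERNS = {
    # Use case from the page: EventID 1150 or 1151 together with ThreatID 9092.
    "event_1150_1151_threatid_9092":
        r'"EventID":\s*"?(1150|1151)"?.*"ThreatID":\s*"?9092',
    # Successful logon (4624) that was remote interactive (LogonType 10).
    "successful_remote_logon": r'"EventID":\s*"?4624"?.*"LogonType":\s*"?10"?',
    # Failed logon (4625), any logon type.
    "failed_logon": r'"EventID":\s*"?4625"?',
    # Account management: account created/deleted, member added to a group.
    "account_management": r'"EventID":\s*"?(4720|4726|4728|4732)"?',
}


def pattern_length_ok(pattern):
    """True if the pattern fits the 4 to 66 character limit of raw log scan."""
    return MIN_LEN <= len(pattern) <= MAX_LEN


def scan(pattern, lines=SAMPLE_LOGS):
    """Return the indices of the lines matched by pattern (searched anywhere in the line)."""
    if not pattern_length_ok(pattern):
        raise ValueError("pattern length %d is outside %d-%d" % (len(pattern), MIN_LEN, MAX_LEN))
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def scan_all(lines=SAMPLE_LOGS):
    """Run every named pattern and map its name to the matching line indices."""
    return {name: scan(p, lines) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print("%s: %d chars, matches lines %s" % (name, len(PATTERNS[name]), hits))
```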
This section describes how to access and use Procedural Filtering when investigating an alert
using Chronicle for the following views:
1. In the screen's upper right corner is the application menu icon. Click the icon
to open the application dropdown menu. Select Enterprise Insights as shown in
the following figure.
Application menu
2. The Enterprise Insights view is displayed with IOC Domain Matches and Recent
Alerts. You can adjust the time range using the slider to display a greater range
of matches and alerts.
Enterprise Insights view
3. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure. From
Enterprise Insights, the Procedural Filtering menu enables you to further filter
information pertaining to the current alerts and IOCs within your enterprise.
Filtering options
The following Procedural Filtering options are available from Enterprise Insights:
• ALERT NAME CATEGORIES
• ALERT VENDOR SOURCE
• IOC CATEGORIES
• IOC CONFIDENCE SCORE
• IOC FEED
• IOC/ALERT SEVERITY
• TLD
1. To open User view, enter the username or email address of a user within your
enterprise in the search field.
Note: If the user is present within your Chronicle account, that user is displayed as a
result.
User view
5. Click the right arrow in the Detections column in the left navigation panel.
• EVENT TYPE
• LOG SOURCE
• OUTCOME
• PRINCIPAL LOCATION
• TARGET APPLICATION
Chronicle includes the following user interface elements to help you investigate any
issues that might be present within your enterprise:
Element: Description
Time slider: The time slider allows you to adjust the time period under examination. You can adjust the slider to view between one minute and one day of events. Available only in: Enterprise Insights, Asset view, IP Address view, Domain view, Hash view, User view, Rules Editor.
Prevalence: Prevalence measures the number of assets within your enterprise that have connected to a specific domain over th
Available only in: Asset view, IP Address view, Domain view, Hash view.
Reset: Displays the default view and includes All (there are exceptions).
Include: Includes the excluded items. Hovering over the icon provides a preview in green.
Exclude: Filters out the selected item. Hovering over the icon provides a preview in orange.
Exclude others: Filters out the other items except the selected item.
Wrap text: Wraps text to the next line when it gets to the right margin; otherwise the text is displayed on one line only.
Unwrap text: Unwrap text expands the text in one line only.
To access the Rule Detection view in Chronicle, complete the following steps:
1. In the screen's upper right corner is the application menu icon. Click the icon
to open the application dropdown menu. Select Enterprise Insights as shown in
the following figure.
Application Menu
2. Select View Rules. The Rules Dashboard view is displayed.
Rules dashboard
3. Click a rule name. The Rule Detections view is displayed.
Rule Detections view
4. Click the right arrow in the Detections column in the left navigation panel.
1. Enter the asset (ending with a known public suffix) or URL you need to
investigate in the search bar at the top of the user interface. Click SEARCH.
Filtering menu
The following Procedural Filtering options are available in Asset view:
• EVENT TYPE
• LOG SOURCE
• TLD
Filter options
Navigate Asset view
Prevalence
The time slider allows you to adjust the time period under examination. You can adjust
the slider to view between one minute and one day of events (you can also adjust this
using the scroll wheel of your mouse over the Prevalence Graph). Domains that more
assets have accessed are displayed as more prevalent in Asset view.
Timeline tab
Selecting an event in the Timeline tab also highlights the corresponding event in the
Gradient Heat Map in green. Alerts are indicated by a red triangle and red text.
Asset tab
Selecting an asset highlights it in green in the Asset tab and all activity involving that
asset is also highlighted in green on the Gradient Heat Map. You can pivot to Asset view
by clicking on first accessed or last accessed in the Assets tab.
When you search for an asset, activity is returned with a default time window of 2 hours.
Hovering over the header categories row displays the sorting control for each column,
enabling you to sort alphabetically or by time depending on the category. Adjust the
time window using the time slider or by scrolling the mouse wheel while the cursor is
over the Prevalence Graph.
Use this list to see the first lookup of each distinct domain within a given time window.
This helps to hide noise caused by assets frequently connecting to domains.
1. Enter the domain (ending with a known public suffix) or URL you need to
investigate in the search bar. Click SEARCH.
Search for a domain from the landing page
2. Select the domain from the DOMAINS drop-down menu.
Domain view
4. Click the icon in the top right corner of the Chronicle user interface.
The Procedural Filtering menu opens as shown in the following figure.
Procedural Filtering enables you to further filter information pertaining to an
asset, including by event type, log source, network connection status, and Top
Level Domain (TLD).
Filtering menu
The following Procedural Filtering options are available in Domain view:
• ASSETS
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD
Filter options
From Asset view, you begin your investigation from within your enterprise and look
outward. From IP Address view, you begin your investigation from outside your
enterprise and look in.
1. Enter the IP address you need to investigate in the search bar at the top of the
Chronicle user interface. Click SEARCH.
Filtering Menu
The following Procedural Filtering options are available in IP Address view:
• EVENT TYPE
• LOG SOURCE
• NETWORK CONNECTION STATUS
• TLD
Filter options
• Pivot to Hash view when viewing a process- or file-based event in Asset view
1. Enter the hash value in the Chronicle search field. Click SEARCH.
Search for hash from the landing page
2. Select the hash value from the HASHES drop-down menu.
Hash view
Navigate to Hash view from Asset view
You can also navigate to Hash view while investigating an asset in Asset view.
Asset view
3. From the TIMELINE tab to the left, scroll down to any event tied to a process or
file modification, such as PROCESS_LAUNCH.
Note: If you are not able to locate PROCESS_LAUNCH in the Event column, change the
start-date on the top left corner to a few days previous to the present date. Also, slide
the Time slider on the top right corner to 1 Day. Doing this will refresh the TIMELINE
panel and display the other required events.
Increase the time range to find events
4. Expand the file to view details and investigate.
Hash view
Filter options in Hash view
• ASSETS
• EVENT TYPE
• LOG SOURCE
• PID
• PROCESS NAME
Use Raw Log Scan to investigate artifacts that appear in logs but are not indexed,
including:
• Usernames
• Filenames
• Registry keys
• Command line arguments
• Raw HTTP request-related data
• Domain names based on regular expressions
• Asset names and addresses
1. Enter a search string in the search bar on either the landing page or the menu bar
at the top of the Chronicle user interface. Click SEARCH.
• Trend chart displays the rule with the greatest number of detections over the
past 3 weeks.
• Displays a graph of the activity associated with the rules. Hovering over a bar in
the chart displays the date and number of detections.
• Run frequency indicates the approximate frequency the rule will execute.
• Live Status (Enabled or Disabled).
• Rule severity as in the Rule metadata.
If you hover over a rule and click the menu icon to the right, you can open the Rule
Settings menu and manipulate the Live Rule, Run Frequency, and Notifications options.
• Live Rule monitors your incoming logs for threats until it is deleted or disabled.
• Alerting indicates an anomaly in the normal workflow of traffic within the
enterprise. You should investigate alerts as a possible breach of security.
• Run Frequency indicates the approximate frequency the rule will execute and
impacts the latency with which detections are discovered for each rule.
• YARA-L Retrohunt enables you to use the selected rule to search for detections
throughout existing data in Chronicle.
• Edit Rule enables you to edit existing rules and create new rules.
• View Rule Detections enables you to view detections generated by a live rule.
• Archive hides the rule and the security data related to that rule (and all of its
versions) without actually deleting the rule.
Clicking a rule name opens the Rule Detections view (see View Rule Detections for
more information).
Note: Any detections made with a version of a rule remain with it. If you switch to a different
version of a rule, the detections you view are associated with that version and that version only.
1. Select a rule.
2. Click the rule menu icon and select View Versions as shown below.
View Versions menu option
3. Rule versions view is displayed.
Rules Editor
1. Use the Search rules field to search for an existing rule. You can also scroll
through the rules using the scroll bar. Click any of the rules in the left panel to
view the rule in the rule display panel.
2. Select the rule you are interested in from the Rules List. The rule is displayed in
the rule editing window. By selecting a rule, you open the rule pop-up menu and
select the following options:
• Live Rule—Enable or disable the rule.
• Duplicate Rule—Make a copy of the rule, helpful if you want to make a similar
rule.
Multicolumn view
The Timeline tab is also available and lists the events detected by the rule. As
with the Timeline tab in other Chronicle views, you can select an event and open
the associated raw log or UDM event.
You can also manipulate what information is displayed on the Timeline tab by
clicking the Columns icon to open the multicolumn view options. Multicolumn
view enables you to select a variety of categories of log information to display,
including common types such as hostname and user and many more specific
categories provided by UDM.
Multicolumn view
7. Click RUN TEST to run the rule displayed in the rule editing window. Chronicle
begins to collect detections. This gives you a quick way to check if the rule is
working as expected. The detection information is displayed in the TEST RULE
RESULTS window. At any time you can click CANCEL TEST to stop this process.
Note: These test results are not saved and will not be viewable in the Rules Dashboard.
Test Rule Results
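As an added example of the kind of rule you would paste into the rule editing window and check with RUN TEST, here is a YARA-L 2.0 rule that flags PROCESS_LAUNCH events (the event type mentioned above for Hash view) whose executable runs from a user's temp directory. This is not a rule from the original guide; the rule name, the temp-directory path pattern and the severity value are assumptions for illustration, while the field names are standard UDM fields.

```yaral
rule process_launch_from_user_temp {
  meta:
    // Hypothetical metadata; "severity" is what the Rules Dashboard shows as rule severity.
    author = "added example"
    description = "PROCESS_LAUNCH where the executable lives in a user temp directory"
    severity = "Medium"

  events:
    // Only process-launch events from the UDM event stream.
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Assumed path pattern (constructed for this example): case-insensitive match on
    // a Windows user temp directory in the launched process's full path.
    re.regex($e.target.process.file.full_path, `(?i)\\users\\[^\\]+\\appdata\\local\\temp\\`)

    // Bind the host so the match section can group detections per asset.
    $e.principal.hostname = $hostname

  match:
    // One detection per host per hour; widening this window raises the detection
    // latency described under Run Frequency, narrowing it increases the detection count.
    $hostname over 1h

  condition:
    $e
}
```

Running RUN TEST on this rule populates TEST RULE RESULTS with the matching events from the selected time range; the results are discarded, so a rule that behaves as expected still has to be saved and enabled as a Live Rule to produce detections on incoming logs.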