Security & Identity

Introducing new, faster search and investigative experience in Chronicle Security Operations

November 16, 2022
Spencer Lichtenstein

Product Manager, Chronicle Security Operations


In cybersecurity, speed matters. Whether a security analyst is trying to understand the details of an alert that was triggered by an indicator of compromise (IoC), or find additional context for a suspicious asset, speed is often the critical factor that will help thwart a cyberattack before threat actors are able to inflict damage. 

With speed in mind, we are pleased to announce the general availability of our new investigative experience in Chronicle Security Operations. We are continuing to deliver on our mission to bring the power of Google to security operations and are raising the bar for search and the investigative experience in the SOC. 

With this release, SecOps teams will be able to harness Chronicle’s lightning-fast search across any form of structured data. Additionally, the new investigation experience can provide greater flexibility to pivot and drill-down when conducting complex, open-ended threat investigations and surface insights quickly and easily.

Our Unified Data Model (UDM) schema, with its built-in flexibility that can effectively handle a wide variety of security related events, is at the heart of Chronicle’s powerful search. We have scaled this capability by optimizing query responses across structured data. Additionally, analysts can investigate large datasets and build complex queries with a new and intuitive user experience. With user personalization enhancements, analysts can quickly access saved searches and top queries in their environment to improve routine SOC workflows. 

With the new investigative experience, security teams can: 

Drive faster threat understanding with an interactive event results timeline that helps eliminate unnecessary long wait times by streaming results as they are processed to quickly begin threat analysis 

Use enhanced context and operationalize relevant data for threat analysis with one-click filter-to-query conversion

Personalize the analyst experience with saved search and search history functions for quicker analyst knowledge recall

Power threat investigation and hunting with a new, improved, highly performant UDM search 

Let’s look at an example of how to use the reimagined investigative experience and our new broader, faster search.

In our use case, a security analyst is investigating a curated detection alert for potentially suspicious behavior in a Windows environment. The alert also notes a low-prevalence domain contacted by host “win-dc-01” with IP “10.166.0.3”. To investigate further, the analyst opens the UDM Search page and constructs a query containing the host and IP information along with the destination domain the host was contacting (edge.microsoft.com). Over 70,000 events stream into the investigation interface, giving the analyst an immediate picture of the data surrounding the alert.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_Chronicle_Security_Operations.max-2000x2000.jpg

The new interactive events timeline provides a clear picture of event trends over time, with key statistics that can be easily filtered. With the new quick filters, the analyst can also filter out known-good hosts to focus on the pertinent information about the domain.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/cast1_gif1_udm.gif

Analyzing the value aggregations in the filter panel, which Chronicle generates automatically, lets the analyst identify the domain values of highest interest and quickly determine that approximately 800 events in the last week related to the edge.microsoft.com URL. Since Microsoft Edge is disallowed in the organization, there should not be any outbound traffic to this type of destination.
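The three investigative steps above (build a UDM search from the host, IP and destination; drop known-good hosts with a quick filter; read the per-domain value aggregation for the last week) can be reproduced offline to sanity-check what the UI shows, or to rerun the same pivot on an exported batch of events. The following is an added example and not Chronicle's own code: the field names (principal.hostname, principal.ip, target.hostname, metadata.event_timestamp) follow the public UDM schema, the search-string syntax (equality terms joined with AND) is assumed from the UDM search reference, the helper functions are hypothetical, and the events are constructed sample data rather than real telemetry.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "now" for the constructed data so the 7-day window is deterministic.
NOW = datetime(2022, 11, 16, tzinfo=timezone.utc)


def _event(days_ago, host, ip, domain):
    # Flattened UDM-style record; the dotted field names follow the public UDM schema.
    return {
        "metadata.event_timestamp": NOW - timedelta(days=days_ago),
        "principal.hostname": host,
        "principal.ip": ip,
        "target.hostname": domain,
    }


# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = (
    [_event(d % 7, "win-dc-01", "10.166.0.3", "edge.microsoft.com") for d in range(8)]
    + [_event(d % 7, "win-dc-01", "10.166.0.3", "login.microsoftonline.com") for d in range(3)]
    + [_event(10, "win-dc-01", "10.166.0.3", "edge.microsoft.com")]  # outside the 7-day window
    + [_event(1, "proxy-01", "10.166.0.9", "edge.microsoft.com")]    # known-good egress proxy
    + [_event(2, "ws-042", "10.166.0.57", "edge.microsoft.com")]     # another workstation
)


def build_udm_search(terms):
    """Render {field: value} as a UDM search string, e.g.
    principal.hostname = "win-dc-01" AND principal.ip = "10.166.0.3"
    (syntax assumed from the UDM search reference: equality terms joined with AND)."""
    return " AND ".join(f'{field} = "{value}"' for field, value in terms.items())


def run_search(events, terms, window_days=7):
    """Apply the same equality terms as a predicate over flattened events,
    restricted to the trailing window (the post's "last week")."""
    since = NOW - timedelta(days=window_days)
    return [
        e for e in events
        if e["metadata.event_timestamp"] >= since
        and all(e.get(field) == value for field, value in terms.items())
    ]


def exclude_known_good(events, known_good_hosts):
    """The quick-filter step: drop events from hosts the analyst has already vetted."""
    return [e for e in events if e["principal.hostname"] not in known_good_hosts]


def aggregate_values(events, field):
    """Filter-panel style value aggregation: event count per distinct field value."""
    return Counter(e[field] for e in events)


def investigate(events, terms, known_good_hosts, field="target.hostname"):
    """Search, filter out known-good hosts, then aggregate on `field`,
    most frequent value first."""
    hits = exclude_known_good(run_search(events, terms), known_good_hosts)
    return dict(aggregate_values(hits, field).most_common())


if __name__ == "__main__":
    terms = {"principal.hostname": "win-dc-01", "principal.ip": "10.166.0.3"}
    print(build_udm_search(terms))
    # Host-centric view: which domains did win-dc-01 talk to in the last week?
    print(investigate(SAMPLE_EVENTS, terms, known_good_hosts={"proxy-01"}))
    # Domain-centric pivot: which hosts, other than known-good ones, reach edge.microsoft.com?
    print(investigate(SAMPLE_EVENTS, {"target.hostname": "edge.microsoft.com"},
                      {"proxy-01"}, field="principal.hostname"))
```

The second call is the pivot the post describes: keep the domain fixed, exclude the known-good host, and aggregate on principal.hostname to see whether the disallowed destination is reached from a single machine or across the fleet. In the real product the search runs server-side over the full dataset; this script only mirrors the logic so the counts on a small export can be checked by hand.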

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/cast_2_gif2_udm.gif

As a final step before orchestrating a response in Chronicle SOAR’s case management, the analyst can save their search to quickly recall the steps they took in the future for related investigations.

https://storage.googleapis.com/gweb-cloudblog-publish/original_images/cast3_gif3_udm.gif

We have already seen our customers use these new capabilities in preview to build new use cases, accelerate existing threat hunting workflows, and drive faster threat response. We will continue our mission to bring Google speed, scale, and intelligence to the investigative experience, expediting “time to aha” for security analysts, and driving better, faster responses. 

Ready to put Chronicle to work in your Security Operations Center? Contact Google Cloud sales or your customer success manager (CSM). You can also learn more about all of these new capabilities in Google Chronicle in our product documentation.
