Data ingestion to Chronicle overview

The following diagram illustrates how your security data can flow to Chronicle and how Chronicle handles that data and prepares it for analysis using the Chronicle user interface.

Flow and Processing of Customer Security Data to Chronicle

Chronicle processes customer security data as follows:

  1. An internal data forwarding service (such as Chronicle Forwarder) or a standard secure protocol (such as SFTP) sends raw security data directly to Chronicle. The security data is encrypted while in transit to Chronicle.
  2. Chronicle retrieves security data stored in a cloud service (such as Amazon S3 or Google Cloud). The data is encrypted while in transit to Chronicle.
  3. Chronicle logically segregates your security data and stores it within your account in encrypted form. The data is accessible only to you and to a limited number of Google personnel, as necessary to support, develop, and maintain the product.
  4. Chronicle parses and validates the raw security data, making it easier to process and display.
  5. Chronicle indexes the data to make it easier to search.
  6. After it is validated and parsed, Chronicle checks the security data against third-party feeds (such as the DHS threat feed) and Chronicle's internal threat analytics tools and systems.
  7. Chronicle stores parsed and indexed data in an encrypted form within each account.
  8. You log in to your account to search and review your security data.
  9. Chronicle searches for matches between your security data and the VirusTotal malware database. In a Chronicle event view, such as Asset view, click VT Context to display information from VirusTotal. Your security data is never shared with VirusTotal.