When you search for an asset in Chronicle, for example using an IP address or a hostname, you are able to see all the activity associated with that asset. Sometimes there are multiple assets associated with the same IP address or hostname (for example, from overlapping RFC 1918 IP address assignments on different network segments).
The asset namespacing feature enables you to classify categories of assets sharing a common network environment, or namespace, and then conduct searches for those assets within the Chronicle user interface based on their namespace. For example, you could create namespaces for cloud networks, corp versus prod segmentation, merger and acquisition networks, and so on.
Namespace creation and assignment
All assets have a namespace that is either automatically defined or manually configured. Namespaces can be used to enhance your security data, enabling you to provide context to the environment of a device. If no namespace is provided in the logs, a default namespace is associated with the assets which is labeled untagged in the Chronicle UI. Logs ingested into Chronicle before namespace support are implicitly labeled as part of the default or untagged namespace.
You can configure namespaces using the following:
- Linux version of the Chronicle Forwarder.
- Some of the normalization parsers (for example, for GCP) can automatically populate namespace (for GCP, based on project and VPC identifiers).
Namespaces in the Chronicle UI
You will see the namespace attached to your assets throughout the Chronicle UI, in particular whenever there is a list of assets. This includes the Enterprise Insights page, any detection views, and within Raw Log Scan and Structured Search.
When searching your data from the search bar, the namespaces associated with each asset are displayed. Selecting an asset within a specific namespace, opens it in Asset view, showing the other activities associated with the same namespace. If you want to see the activity of a specific asset across all namespaces, you can select the last entry [all namespaces].
Any asset not associated with a namespace is assigned to the default namespace. However, the default namespace is not displayed in lists such as the one shown below for the Chronicle search bar.
In Asset view, the namespace is indicated in the title of the asset at the top of the page. If you select the drop down menu by clicking on the down arrow, you can select the other namespaces associated with the asset.
Asset view with namespaces
IP Address, Domain, and Hash views
Throughout the Chronicle user interface, namespaces are shown anywhere an asset is referenced (except for the default or untagged namespace), including within the IP address, Domain, and Hash views.
For example, in IP Address view (as shown below), namespaces are included in both the asset tab and in the prevalence graph.
IP Address view with namespaces