Investigate an alert
Alerts are tied to data identified as a threat by your security systems. Investigating alerts gives you context about the alert and related entities.
When you click an alert, a page opens with three tabs: Overview, Alert graph, and Alert history.
- Overview gives a summary of important details about the alert, including alert status and detection window.
- Alert graph is an interactive graph that gives you a visual representation of the alert's relationship to other entities.
- Alert history lists all the changes that have happened to this alert, including when the alert status was changed or a note was added.
Before you begin
Before you start, you need to set up rules in the Rules tab. To maximize graph capabilities, specify the important indicators in the outcome section. Here are the indicators supported by Chronicle:
hostname
asset_id
ip
mac
asset.product_object_id
asset.hostname
asset.asset_id
asset.ip
asset.mac
user.userid
user.product_object_id
user.windows_sid
user.email_addresses
file.md5
file.sha1
file.sha256
process.file.md5
process.file.sha1
process.file.sha256
artifact.ip
domain.name
resource.name
To create new rules or edit existing ones, follow the steps outlined in Manage rules using Rules Editor.
The following rule only searches for results that include the host name and a risk score:
rule OutcomeRuleSingleEvent {
  meta:
    author = "noone@google.com"

  events:
    $u.metadata.event_type = "FILE_COPY"
    $u.principal.file.size = $file_size
    $u.principal.hostname = $hostname

  outcome:
    $suspicious_host = $hostname
    $risk_score = if($file_size > 1024, 50, 20)

  condition:
    $u
}
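The rule above exposes a single indicator (the host name). The following rule, an added example and not part of the original page, extends the same idea to a multi-event rule whose outcome section populates several of the supported indicator fields (hostname, user.userid, process.file.sha256, and ip) so that the Alert graph can link the alert to user, file, IP, and asset entities. The event type, threshold, and variable names are assumptions chosen for illustration.

```yaral
rule OutcomeRuleMultipleIndicators {
  meta:
    author = "noone@google.com"
    description = "Added example: process launches on one host, with several graph indicators in the outcome section"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Placeholders bound to indicator fields that the Alert graph understands.
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $userid
    $e.target.process.file.sha256 = $sha256
    // Ignore events that carry no hash; an empty outcome value creates no useful node.
    $e.target.process.file.sha256 != ""

  match:
    // Group all matching events per host over a one-hour window.
    $hostname over 1h

  outcome:
    // With a match section, outcome values must be aggregated.
    // Assumed scoring: launches by the root account rank higher.
    $risk_score = max(if($e.principal.user.userid = "root", 80, 30))
    $suspicious_host = $hostname
    $suspicious_user = array_distinct($userid)
    $file_hash = array_distinct($sha256)
    $source_ip = array_distinct($e.principal.ip)

  condition:
    $e
}
```

Each outcome variable that is derived from one of the supported indicator fields appears under the Alert Context tab with Type set to Outcome, and the match variable ($hostname) appears with Type set to Match.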
Under the graph are three tabs: Events, Entities, and Alert Context. Each tab lets you learn more about the related topic:
- Events contains details about events related to the alert
- Entities contains details about each entity
- Alert Context has a Type column that tells you which part of the rule generated the node you selected: Outcome or Match.
To learn more about the outcome section of rules, read YARA-L 2.0.
Navigate to the Alert graph
You can access the Alert graph from the Alerts and IOCs page or the UDM Search page.
Access the Alert graph from Alerts and IOCs
The Alerts and Indicators of Compromise (IOC) page enables you to filter and view all the alerts and IOCs that are currently affecting your enterprise. To learn more about this page and how to view IOC matches, visit View Alerts and IOCs.
To view more information about an alert from the Alerts and IOCs page, complete the following steps:
- From the navigation bar, click Detections > Alerts and IOCs.
- Find the alert you want to investigate in the alerts table.
- In that alert's row, click the text in the name column to open Alert graph.
Access the Alert graph from UDM Search
- At the top of the navigation bar, select Search.
- Load a search with Search Manager or create a new search. Learn more about conducting a search in UDM in UDM Search.
- Three tabs are displayed: Overview, Entity, and Alerts. Click Alerts.
- Click the alert you want to investigate. The Alert viewer is displayed.
- Click View details to open Alert view.
- Click the Graph tab to display Alert graph.
View details about an alert
In Alert view, the Overview tab displays the following information about the alert:
- Alert Details: Alert status, creation date, severity, priority, and risk score.
- Detection Summary: Detection rule that generated the alert. You can view other alerts from the same detection rule.
- Events: Events associated with this alert.
In addition to viewing important information, you can adjust the alert status.
Change the alert status
- Click Change alert status in the upper right-hand corner.
- In the window that appears, update the severity and priority levels accordingly.
- Click Save.
Close the alert
- Click Close alert.
- In the window that appears, you have the option to leave a note to add more context about why you closed the alert.
- Enter your information and press Save.
View entity relationships
The Alert Graph shows you how different alerts and entities are connected. This feature gives you a visual, interactive graph that you can use to expand relationship information about existing entities to surface unknown relationships. You can also expand your search by increasing the time range and expanding past point-in-time alerts for richer alert paths.
You can also expand your search by clicking the + icon in the upper right-hand corner of any node. Doing this displays all the nodes related to that entity.
Icons in alert graph
Different entities are represented by different icons.
| Icon | Entity the icon represents | Explanation |
| --- | --- | --- |
| | User | A user is a person or other entity that requests access to and uses information from your network. Examples: janedoe, cloudysanfrancisco@gmail.com |
| database | Resource | Resources are a generic term for entities that have their own unique resource name. Examples: BigQuery table, database, and project. |
| | IP Address | |
| description | File | |
| | Domain name | |
| | URL | |
| device_unknown | Unknown entity type | An entity type not recognized by Chronicle's software. |
| memory | Asset | An asset is anything that produces value for your organization. This can include hostnames, MAC addresses, and internal IP addresses. Examples: 10.120.89.92 (internal IP address), 00:53:00:4a:56:07 (MAC address) |
If two or more alerts come from the same rule, they are grouped together in a group icon. Indicators that represent the same entity are consolidated into one icon.
To learn more about each of these icons, review the following documents:
- Investigate a user
- Resource-oriented design
- Investigate an asset
- Investigate a Domain
- Investigate a file
- Investigate an IP address
Navigate the alert graph
When you click Alert graph, the graph shows all results 12 hours before and after the alert. If there are no entities for the alert, only the original alert appears on the graph.
The main alert is highlighted in a red circle. Alerts are connected to entities with a solid line and other alerts with a dotted line. If you hold the pointer over an edge (the line connecting two nodes), it shows you the outcome variable or match variable that connects it to a node on the graph.
On the left-hand side, there are cards for each node that include details about associated rules, detection windows, severity and priority status, and more.
Directly above the graph is a button labeled Graph options. When you click Graph options, two options appear: Non-alerting detections and Risk score. Both are toggled on by default and can be toggled on or off based on your preference.
To move the nodes, drag them around the graph. When you release a node, it stays pinned where you left it until you click Refresh.
Add and remove nodes
If you click a node, a table appears at the bottom of the screen. You can do the following actions on each node:
Alert
- See related entities, alerts, and events
- See outcomes and matches from the alert
- Remove any subgraph
- Add or remove related entities and alerts from the graph by checking boxes in the On Graph column
Entity
- See all related alerts
- Remove any subgraph
- Add or remove related alerts from the graph by checking or unchecking boxes in the On Graph column
Group
- See all the entities or alerts that make up that group
- Ungroup individual nodes by clicking On Graph on the table at the bottom of the page.
To add or remove the risk score from the nodes, check or uncheck the Risk Score box above the table.
Expand the alert graph
To see more related nodes, click the + icon at the bottom of the alert. The entities and alerts related to the icon you selected pop up. Each new alert has a card on the side with more details.
Reset the graph
If you want to clear the graph, adjust the time range in the right-hand pane. The maximum range is 90 days. Updating the time range removes any nodes you added and resets the graph to its original state.
To move the nodes back to their default positions, click Refresh.
View alert history
The Alert History tab allows you to see a full history of all of the actions that have taken place for this alert. This includes:
- When the alert first appeared
- Any notes people on your team have left about this alert
- If the severity has changed
- If priority has been changed
- If the alert has been closed
Alerts from Chronicle SOAR
Alerts from Chronicle SOAR include additional information about the Chronicle SOAR case. These alerts also provide a link to open the case in Chronicle SOAR. For more information, see the Chronicle SOAR cases overview.
Alert for Chronicle SOAR case