Investigate an alert

Alerts are tied to data identified as a threat by your security systems. Investigating alerts gives you context about the alert and related entities.

When you click an alert, you are directed to a page that contains alert details organized into the following three tabs:

  • Overview: provides a summary of important details about the alert, including alert status and detection window.
  • Graph: visualizes alerts that are generated from a YARA-L rule. It provides a graph of the alert's relationship to other entities. When an alert is triggered, entities associated with the alert are displayed on the graph and on the left side of the screen, each with its own card. The alert graph uses the following entities in a UDM event: principal, target, src, observer, intermediary, and about.
  • Alert history: lists all the changes that have happened to this alert, including when the status of an alert has changed or a note has been added.

Below the graph that visualizes the relationships between the entities and the alert are the following three subtabs that provide more context about the alert:

  • Events: contains details about the events related to the alert.
  • Entities: contains details about each entity associated with the alert.
  • Alert context: provides additional context about the alert.

Before you begin

To populate the alert graph, you need to create a YARA-L rule that generates alerts. The quality of the alert graph is tied to the context that is built into the YARA-L rule. The outcome section of a rule provides context to the detections triggered by the rule.

We recommend adding the following UDM nouns to the outcome section, because they are used in the alert graph: principal, target, src, observer, intermediary, and about. For these UDM nouns, the following fields are used in the alert graph:

  • artifact.ip
  • asset.asset_id
  • asset.hostname
  • asset.ip
  • asset.mac
  • asset.product_object_id
  • asset_id
  • domain.name
  • file.md5
  • file.sha1
  • file.sha256
  • hostname
  • ip
  • mac
  • process.file.md5
  • process.file.sha1
  • process.file.sha256
  • resource.name
  • url
  • user.email_addresses
  • user.employee_id
  • user.product_object_id
  • user.userid
  • user.windows_sid

The values in the preceding list of UDM fields also link to UDM search from the Alert context subtab. For more information, see View context about the alert.

In the following YARA-L rule, an alert is generated when a significant number of Google Cloud service APIs have been disabled within a short time frame (1 hour).

rule gcp_multiple_service_apis_disabled {

  meta:
    author = "Google Cloud Security"
    description = "Detect when multiple Google Cloud Service APIs are disabled in a short period of time."
    severity = "High"
    priority = "High"

  events:
    $gcp.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $gcp.metadata.log_type = "GCP_CLOUDAUDIT"
    $gcp.metadata.product_event_type = "google.api.serviceusage.v1.ServiceUsage.DisableService"
    $gcp.security_result.action = "ALLOW"
    $gcp.target.application = "serviceusage.googleapis.com"
    $gcp.principal.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    $risk_score = max(75)
    $network_http_user_agent = array_distinct($gcp.network.http.user_agent)
    $principal_ip = array_distinct($gcp.principal.ip)
    $principal_user_id = array_distinct($gcp.principal.user.userid)
    $principal_user_display_name = array_distinct($gcp.principal.user.user_display_name)
    $target_resource_name = array_distinct($gcp.target.resource.name)
    $dc_target_resource_name = count_distinct($gcp.target.resource.name)

  condition:
    $gcp and $dc_target_resource_name > 5
}

After an alert is generated, you can navigate to the Alert graph page to obtain more context about the alert and to further investigate it.

You can access the Graph from the Alerts and IOCs page or the UDM Search page.

Access the Alert graph from Alerts and IOCs

The Alerts and Indicators of Compromise (IOC) page enables you to filter and view all the alerts and IOCs that are currently affecting your enterprise. To learn more about this page and how to view IOC matches, visit View Alerts and IOCs.

To view more information about an alert from the Alerts and IOCs page, complete the following steps:

  1. From the navigation bar, click Detections > Alerts and IOCs.
  2. Find the alert you want to investigate in the alerts table.
  3. In that alert's row, click the text in the name column to open Alert graph.

Access the Alert graph from UDM Search

To view more information about an alert from the UDM Search page, complete the following steps:

  1. At the top of the navigation bar, select Search.
  2. Load a search with Search Manager or create a new search. Learn more about conducting a search in UDM in UDM Search. Three tabs are displayed: Overview, Entity, and Alerts. Click Alerts.
  3. Click the alert you want to investigate. The Alert viewer is displayed.
  4. Click View details to open Alert view.
  5. Click the Graph tab to display Alert graph.

View details about an alert

In Alert view, the Overview tab displays the following information with regards to the alert:

  • Alert Details: Alert status, creation date, severity, priority, and risk score.
  • Detection Summary: Detection rule that generated the alert. You can view other alerts from the same detection rule.
  • Events: Events associated with this alert.

In addition to viewing important information, you can adjust the alert status.

Change the alert status

  1. Click Change alert status in the upper-right corner.
  2. In the window that appears, update the severity and priority levels accordingly.
  3. Click Save.

Close the alert

  1. Click Close alert.
  2. In the window that appears, you have the option to leave a note to add more context about why you closed the alert.
  3. Enter your information and press Save.

View entity relationships

The Graph shows you how different alerts and entities are connected. This feature gives you a visual, interactive graph that you can use to expand relationship information about existing entities to surface unknown relationships. You can also expand your search by increasing the time range and expanding past point-in-time alerts for richer alert paths.

You can also expand your search by clicking the + icon in the upper-right side of any node. Doing this displays all the nodes related to that entity.

Graph icons

Different entities are represented by different icons.

  • User: a person or other entity that requests access to and uses information from your network. Examples: janedoe, cloudysanfrancisco@gmail.com
  • Resource: a generic term for entities that have their own unique resource name. Examples: BigQuery table, database, and project.
  • IP address
  • File
  • Domain name
  • URL
  • Unknown entity type: an entity type not recognized by Chronicle's software.
  • Asset: anything that produces value for your organization. This can include hostnames, MAC addresses, and internal IP addresses. Examples: 10.120.89.92 (internal IP address), 00:53:00:4a:56:07 (MAC address)

If two or more alerts come from the same rule, they are grouped together in a group icon. Indicators that represent the same entity are consolidated into one icon.

When you click Alert graph, the graph shows all results 12 hours before and after the alert. If there are no entities for the alert, only the original alert appears on the graph.

The main alert is highlighted in a red circle. Alerts are connected to entities with a solid line and other alerts with a dotted line. If you hold the pointer over an edge (the line connecting two nodes), it shows you the outcome variable or match variable that connects it to a node on the graph.

On the left-hand side, there are cards for each node that include details about associated rules, detection windows, severity and priority status, and more.

Directly above the graph is a button labeled Graph options. When you click Graph options, two options appear: Non-alerting detections and Risk score. Both are toggled on by default and can be toggled on or off based on your preference.

To move the nodes, drag them around the graph. When you release a node, it is pinned where you left it until you click Refresh.

Add and remove nodes

If you click a node, a table appears at the bottom of the screen. You can do the following actions on each node:

Alert

  • See related entities, alerts, and events
  • See outcomes and matches from the alert
  • Remove any subgraph
  • Add or remove related entities and alerts from the graph by checking boxes in the On Graph column

Entity

  • See all related alerts
  • Remove any subgraph
  • Add or remove related alerts from the graph by checking or unchecking boxes in the On Graph column

Group

  • See all the entities or alerts that make up that group
  • Ungroup individual nodes by clicking On Graph on the table at the bottom of the page.

To add or remove the risk score from the nodes, check or uncheck the Risk Score box above the table.

Expand the alert graph

To see more related nodes, click the + icon at the bottom of the alert. The entities and alerts related to the icon you selected pop up. Each new alert has a card on the side with more details.

Reset the graph

If you want to clear the graph, adjust the time range in the right-hand window. The maximum range is 90 days. Updating the time range clears the graph of any additional nodes and resets it to its original state.

To move the nodes back to the default position, click refresh.

View context about the alert

The Alert context section contains a list of values that provide additional context about the alert.

The alert context has a Type column that tells you which part of the rule (outcome or match) generated the value for the alert that you selected. The next column is called Variable; these variable names are the names of the match and outcome variables defined in the rule. Finally, the far right column is UDM Field. Variables that have a UDM field listed are also linked in the Values column.

In addition to the UDM fields listed in the Before you begin section, the following UDM fields are also linked to the UDM search page:

  • file.full_path
  • process.command_line
  • process.file.full_path
  • process.parent_process.product_specific_process_id
  • process.pid
  • process.product_specific_process_id
  • resource.product_object_id

The specific UDM nouns that are associated with these fields are principal, target, src, observer, intermediary, and about. If you click a value, a UDM search is triggered, passing the value along with the time range of the past day.

In the example YARA-L rule featured in the Before you begin section, the following UDM fields will be linked to the UDM search page:

  • principal.ip
  • principal.user.userid
  • principal.user.user_display_name
  • target.resource.name
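The two field lists above (Before you begin and View context about the alert) decide whether an outcome variable is drawn on the alert graph and whether it is clickable in the Alert context subtab. The following checker is an added example, not Chronicle code: it transcribes those lists into Python and classifies each assignment in a rule's outcome section; the rule text it runs on is constructed, and only outcome lines of the form `$var = func($event.field)` are recognized.

```python
import re

# Transcribed from this page: nouns whose fields the graph and Alert context use.
GRAPH_NOUNS = {"principal", "target", "src", "observer", "intermediary", "about"}
GRAPH_FIELDS = {  # drawn on the alert graph and linked to UDM search
    "artifact.ip", "asset.asset_id", "asset.hostname", "asset.ip", "asset.mac",
    "asset.product_object_id", "asset_id", "domain.name", "file.md5", "file.sha1",
    "file.sha256", "hostname", "ip", "mac", "process.file.md5", "process.file.sha1",
    "process.file.sha256", "resource.name", "url", "user.email_addresses",
    "user.employee_id", "user.product_object_id", "user.userid", "user.windows_sid"}
CONTEXT_ONLY_FIELDS = {  # linked from the Alert context subtab only
    "file.full_path", "process.command_line", "process.file.full_path",
    "process.parent_process.product_specific_process_id", "process.pid",
    "process.product_specific_process_id", "resource.product_object_id"}
# "$principal_ip = array_distinct($gcp.principal.ip)" -> ("principal_ip", "principal.ip")
OUTCOME_RE = re.compile(r"^\s*\$(\w+)\s*=\s*\w+\(\s*\$\w+\.([\w.]+)\s*\)")

def classify_outcomes(rule_text):
    """Map each outcome variable to (udm_field, on_graph, linked_in_context)."""
    result, in_outcome = {}, False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):          # section header: events:, match:, outcome:, ...
            in_outcome = stripped == "outcome:"
        elif in_outcome and stripped and not stripped.startswith("}"):
            m = OUTCOME_RE.match(stripped)
            if m:
                var, field = m.groups()
                noun, _, rest = field.partition(".")
                on_graph = noun in GRAPH_NOUNS and rest in GRAPH_FIELDS
                in_context = on_graph or (noun in GRAPH_NOUNS and rest in CONTEXT_ONLY_FIELDS)
                result[var] = (field, on_graph, in_context)
            else:                           # e.g. $risk_score = max(75): no UDM field
                result[stripped.split("=")[0].strip().lstrip("$")] = (None, False, False)
    return result

def unplotted_outcomes(rule_text):
    """Outcome variables that will not appear on the alert graph."""
    return sorted(v for v, (_, on_graph, _) in classify_outcomes(rule_text).items() if not on_graph)

SAMPLE_RULE = """rule constructed_example {
  outcome:
    $risk_score = max(60)
    $principal_host = array_distinct($e.principal.hostname)
    $principal_sid = array_distinct($e.principal.user.windows_sid)
    $target_ip = array_distinct($e.target.ip)
    $target_cmd = array_distinct($e.target.process.command_line)
    $user_agent = array_distinct($e.network.http.user_agent)
  condition:
    $e
}"""
```

Running `unplotted_outcomes(SAMPLE_RULE)` on the constructed rule reports `risk_score`, `target_cmd` and `user_agent`: the command line is clickable in Alert context but not drawn on the graph, and the user agent is neither, because `network` is not one of the six graph nouns.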

View alert history

The Alert History tab allows you to see a full history of all of the actions that have taken place for this alert. This includes:

  • When the alert first appeared
  • Any notes people on your team have left about this alert
  • If the severity has changed
  • If priority has been changed
  • If the alert has been closed

Alerts from Chronicle SOAR

Alerts from Chronicle SOAR include additional information about the Chronicle SOAR case. These alerts also provide a link to open the case in Chronicle SOAR. For more information, see the Chronicle SOAR cases overview.

Alert for Chronicle SOAR case