Use context-enriched data in UDM Search

To support security analysts during an investigation, Chronicle ingests contextual data from different sources, normalizes the ingested data, and provides additional context about artifacts in a customer environment. This document provides examples of how analysts can use contextually enriched data in UDM Search.

For more information about data enrichment, see How Chronicle enriches event and entity data.

The following example finds PROCESS_MODULE_LOAD events in which the loaded module is a PE executable that imports kernel32.dll.

metadata.event_type = "PROCESS_MODULE_LOAD" AND
target.file.file_type = "FILE_TYPE_PE_EXE" AND
target.file.pe_file.imports.library = "kernel32.dll"

Chronicle enriches events containing external IP addresses with geolocation data. This provides additional context during an investigation. This document explains how you can use geolocation-enriched fields when performing investigative searches.

Geolocation-enriched UDM fields can be accessed through UDM search as shown in the following examples.

Search by country name (country_or_region)

target.ip_geo_artifact.location.country_or_region = "Netherlands" OR
principal.ip_geo_artifact.location.country_or_region = "Netherlands"

Search by state

target.ip_geo_artifact.location.state = "North Holland" OR
principal.ip_geo_artifact.location.state = "North Holland"

Search by longitude and latitude

principal.location.region_latitude = 52.520588 AND principal.location.region_longitude = 4.788474

Search by unauthorized target geographies

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.location.country_or_region = "Cuba" OR
    target.ip_geo_artifact.location.country_or_region = "Iran" OR
    target.ip_geo_artifact.location.country_or_region = "North Korea" OR
    target.ip_geo_artifact.location.country_or_region = "Russia" OR
    target.ip_geo_artifact.location.country_or_region = "Syria"
)

Search by Autonomous System Number (ASN)

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.asn = 33915
)

Search by organization name

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.organization_name = "google"
)

Search by carrier name

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.carrier_name = "google llc"
)

Search by DNS domain

metadata.event_type = "NETWORK_CONNECTION" AND
(
    target.ip_geo_artifact.network.dns_domain = "lightower.net"
)
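To make the field paths concrete, the following is an added Python example (not Chronicle code) that evaluates the kernel32.dll query and the geolocation queries above against a handful of constructed sample events. It assumes an enriched UDM event can be represented as nested dicts whose keys follow the dotted UDM field paths (for example target.ip_geo_artifact.location.country_or_region), with repeated fields as lists; the events, IP addresses and the 64496 ASN are constructed documentation-range samples, not real telemetry.

```python
"""Evaluate UDM-style search filters over constructed, enriched sample events.

Added example, not Chronicle code. Assumption: an enriched UDM event is a
nested dict keyed by the dotted UDM field path, with repeated fields as lists.
"""
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Filter = Callable[[Event], bool]

# Constructed sample events (documentation-range IPs and ASN, not real data).
SAMPLE_EVENTS: List[Event] = [
    {   # 0: external connection, enriched with geolocation and network data
        "metadata": {"event_type": "NETWORK_CONNECTION"},
        "principal": {"ip": ["10.0.0.5"]},
        "target": {
            "ip": ["203.0.113.10"],
            "ip_geo_artifact": {
                "location": {"country_or_region": "Netherlands", "state": "North Holland"},
                "network": {"asn": 33915, "organization_name": "google",
                            "carrier_name": "google llc", "dns_domain": "lightower.net"},
            },
        },
    },
    {   # 1: external connection to a country on the page's unauthorized list
        "metadata": {"event_type": "NETWORK_CONNECTION"},
        "target": {
            "ip": ["198.51.100.7"],
            "ip_geo_artifact": {"location": {"country_or_region": "Iran"},
                                "network": {"asn": 64496}},
        },
    },
    {   # 2: internal-only connection; no external IP, so no geo enrichment present
        "metadata": {"event_type": "NETWORK_CONNECTION"},
        "target": {"ip": ["10.0.0.9"]},
    },
    {   # 3: module load of a PE executable that imports kernel32.dll
        "metadata": {"event_type": "PROCESS_MODULE_LOAD"},
        "target": {"file": {"file_type": "FILE_TYPE_PE_EXE",
                            "pe_file": {"imports": [{"library": "kernel32.dll"},
                                                    {"library": "user32.dll"}]}}},
    },
]


def get_values(node: Any, parts: List[str]) -> List[Any]:
    """Resolve a dotted path, fanning out across repeated (list) fields.
    Missing fields yield an empty list rather than an error."""
    if not parts:
        return [node]
    if isinstance(node, list):
        return [v for item in node for v in get_values(item, parts)]
    if isinstance(node, dict) and parts[0] in node:
        return get_values(node[parts[0]], parts[1:])
    return []


def eq(path: str, value: Any) -> Filter:
    """Predicate for `path = value`; true if any value at the path matches."""
    parts = path.split(".")
    return lambda event: value in get_values(event, parts)


def all_of(*filters: Filter) -> Filter:  # UDM AND
    return lambda event: all(f(event) for f in filters)


def any_of(*filters: Filter) -> Filter:  # UDM OR
    return lambda event: any(f(event) for f in filters)


# The page's queries, expressed with the helpers above.
KERNEL32_IMPORT = all_of(
    eq("metadata.event_type", "PROCESS_MODULE_LOAD"),
    eq("target.file.file_type", "FILE_TYPE_PE_EXE"),
    eq("target.file.pe_file.imports.library", "kernel32.dll"),
)
NETHERLANDS = any_of(
    eq("target.ip_geo_artifact.location.country_or_region", "Netherlands"),
    eq("principal.ip_geo_artifact.location.country_or_region", "Netherlands"),
)
UNAUTHORIZED_GEOS = all_of(
    eq("metadata.event_type", "NETWORK_CONNECTION"),
    any_of(*(eq("target.ip_geo_artifact.location.country_or_region", c)
             for c in ("Cuba", "Iran", "North Korea", "Russia", "Syria"))),
)
ASN_33915 = all_of(eq("metadata.event_type", "NETWORK_CONNECTION"),
                   eq("target.ip_geo_artifact.network.asn", 33915))


def search(filt: Filter, events: List[Event] = SAMPLE_EVENTS) -> List[int]:
    """Return the indices of events matching the filter."""
    return [i for i, e in enumerate(events) if filt(e)]


if __name__ == "__main__":
    for name, f in [("kernel32 import", KERNEL32_IMPORT), ("Netherlands", NETHERLANDS),
                    ("unauthorized geos", UNAUTHORIZED_GEOS), ("ASN 33915", ASN_33915)]:
        print(f"{name}: matched events {search(f)}")
```

Note the internal-only event (index 2): because it carries no external IP, no ip_geo_artifact is attached, so none of the geolocation filters can match it. Country, ASN and organization filters only ever see connections that reached an external address, which is worth remembering when reading an empty result set.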

View geolocation-enriched fields in the UDM grid

Geolocation-enriched fields are displayed in UDM grid views including those in UDM Search, Detection View, User View, and Event Viewer.

Geolocation-enriched data in the UDM event viewer

What's next

For information about how to use enriched data with other Chronicle features, see the following: