Quickstart conducting a search

This document describes how to conduct searches when investigating alerts and potential security issues using Chronicle.

Before you begin

Chronicle is designed to work exclusively with the Google Chrome browser. If you do not have Chrome installed, go to https://www.google.com/chrome/. We recommend upgrading Chrome to the most current version.

Chronicle is integrated into your single sign-on solution (SSO). You can log in to Chronicle using the credentials provided by your enterprise.

  1. Launch the Google Chrome browser.

  2. Ensure you have access to your corporate account.

  3. To access the Chronicle interface, navigate to https://customername.backstory.chronicle.security, where customername is your organization-specific identifier.

    Figure: Chronicle landing page

Accessing Chronicle Enterprise Insights

Complete the following steps to access your Chronicle account and navigate to Enterprise Insights view:

  1. In the upper right corner is the application menu icon. Selecting it opens the application dropdown menu, as shown in the following figure.

    Figure: Application menu on the landing page

  2. Select Enterprise Insights as shown in the following figure. Enterprise Insights view shows IOC matches and recent alerts. Adjust the time range using the slider to display a greater range of matches and alerts.

    Figure: Enterprise Insights page

Searching for IOC matches in Domain view

Enterprise Insights view includes the following sections:

  • IOC Domain Matches

  • Recent Alerts

The Domain column in the IOC Domain Matches section contains a list of suspect domains. Clicking on a domain in this column opens Domain view, as shown in the following figure, providing detailed information about this domain.

Figure: Domain view

Searching using User view

To navigate to User view, complete the following steps:

  1. From Enterprise Insights view, the Recent Alerts section contains a column listing users who have triggered an alert within the time frame displayed in the Enterprise Insights header. This time frame is adjustable using the time slider bar. You might have to increase the time range using the slider for matches and alerts to appear.
  2. Clicking the user name in this column displays details about the user's activity, which may be needed to investigate the threat further.

Searching using Asset view

To navigate to Asset view, complete the following steps:

  1. From Enterprise Insights view, the Recent Alerts section contains a list of assets that have triggered an alert within the time frame displayed in the Enterprise Insights header. This time frame is adjustable using the time slider bar. You might have to increase the time range using the slider for matches and alerts to appear.
  2. Click on the asset you want to explore further. Chronicle pivots to Asset view as shown in the following figure.

    Figure: Asset view

  3. The bubbles in the main window indicate the prevalence of the asset. The graph is arranged so events occurring less often are at the top. These low-prevalence events are considered more likely to be suspicious. To zoom in to the events requiring further investigation, use the time range slider in the upper right.

  4. Narrow the search further using Procedural Filtering. If the Procedural Filtering dropdown menu is not already open, click the filtering icon near the upper right corner. At the top of the dropdown menu, use the prevalence slider to filter out normal events and target more suspicious events.

Using the Chronicle Search field

Initiate a search directly from the Chronicle home page, as shown in the following figure.

Figure: Chronicle Search field

On this page, you can enter the following search terms:

  • Hostname displays Domain view (for example, plato.example.com)

  • Domain displays Domain view (for example, altostrat.com)

  • IP address displays IP Address view (for example, 192.168.254.15)

  • URL displays Domain view (for example, https://new.altostrat.com)

  • Username displays Asset view (for example, betty-decaro-pc)

  • File hash displays Hash view (for example, e0d123e5f316bef78bfdf5a888837577)

You do not have to specify which type of search term you are entering; Chronicle determines it for you. The results are shown in the appropriate investigative view. For example, typing a username in the search field displays Asset view.
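The term-type inference described above, reproduced as an added example that is not Chronicle's own code. The heuristics (hash lengths, the IP and URL checks, and treating a dotted name with three or more labels as a hostname and two labels as a domain) are assumptions chosen to match the six example terms on this page; Chronicle's actual detection logic is not documented here.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed heuristics for illustration only; Chronicle's real inference is not documented on this page.
_HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")  # MD5, SHA-1, SHA-256
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")       # one DNS label


def _is_ip(term: str) -> bool:
    """True for a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(term)
        return True
    except ValueError:
        return False


def _is_dns_name(term: str) -> bool:
    """True for a dotted name made of valid DNS labels (at least two labels)."""
    labels = term.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def classify_search_term(term: str) -> tuple:
    """Return (term_type, view) for a Chronicle Search field entry, using the view mapping on this page."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    # Check the hash first: a bare hex string would otherwise also pass the DNS-label test.
    if _HASH_RE.match(term):
        return ("file hash", "Hash view")
    if _is_ip(term):
        return ("IP address", "IP Address view")
    parsed = urlparse(term)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return ("URL", "Domain view")
    if _is_dns_name(term):
        # Assumption: three or more labels (plato.example.com) is a host, two labels (altostrat.com) a domain.
        kind = "hostname" if term.rstrip(".").count(".") >= 2 else "domain"
        return (kind, "Domain view")
    # Anything else (no dots, not an address or hash) is treated as a username, which maps to Asset view.
    return ("username", "Asset view")


if __name__ == "__main__":
    for example in ("plato.example.com", "altostrat.com", "192.168.254.15",
                    "https://new.altostrat.com", "betty-decaro-pc",
                    "e0d123e5f316bef78bfdf5a888837577"):
        print(f"{example:40} -> {classify_search_term(example)}")
```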

Searching raw logs

You have the option of searching the indexed database or searching raw logs. Searching raw logs is a more comprehensive search, but takes longer than an indexed search.

To further pinpoint your search, you can use regular expressions, make the search entry case sensitive, or select log sources. You can also select the timeline you want using the Start and End time fields.

To conduct a raw log search, complete the following steps:

  1. Type in your search term, and then select Raw Log Scan in the dropdown menu, as shown in the following figure.

    Figure: Dropdown menu showing the Raw Log Scan option

  2. After setting your raw search criteria, click the Search button.

  3. From Raw Log Scan view, you can further analyze your log data.
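The four raw-search criteria named above (regular expression, case sensitivity, log source selection, and Start/End time) applied to a handful of constructed log lines, as an added example that is not Chronicle's code. The `<timestamp> <source> <message>` line layout, the sample lines, and the function name are assumptions made for this example; they show why a case-insensitive default matters for domain indicators, since DNS names are case-insensitive and appear in mixed case in logs.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real data), laid out as "<ISO timestamp> <log_source> <message>".
SAMPLE_LOGS = [
    "2021-03-01T09:15:00Z dns query altostrat.com from 10.0.0.7",
    "2021-03-01T09:17:30Z proxy GET https://new.altostrat.com/login user=bdecaro",
    "2021-03-01T11:02:10Z dns query Altostrat.COM from 10.0.0.9",
    "2021-03-02T08:00:00Z edr hash e0d123e5f316bef78bfdf5a888837577 on betty-decaro-pc",
    "2021-03-02T08:05:00Z proxy GET http://example.org/ user=plato",
]


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def raw_log_scan(lines, pattern, *, regex=False, case_sensitive=False,
                 log_sources=None, start=None, end=None):
    """Return the raw lines whose message matches, subject to the page's four narrowing criteria.

    pattern        literal text, or a regular expression when regex=True
    case_sensitive False by default, so 'Altostrat.COM' still matches 'altostrat.com'
    log_sources    optional set of source names to restrict the scan to
    start / end    optional ISO timestamps bounding the scan window (inclusive)
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    needle = re.compile(pattern if regex else re.escape(pattern), flags)
    lower = _parse_ts(start) if start else None
    upper = _parse_ts(end) if end else None
    hits = []
    for line in lines:
        ts_text, source, message = line.split(" ", 2)
        ts = _parse_ts(ts_text)
        if lower and ts < lower or upper and ts > upper:
            continue
        if log_sources and source not in log_sources:
            continue
        if needle.search(message):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in raw_log_scan(SAMPLE_LOGS, r"(^|[\s.])altostrat\.com\b", regex=True):
        print(hit)
```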