This guide shows how to investigate an alert using Chronicle.
What is an alert?
An alert is an Indicator of Compromise (IOC), flagged by Chronicle, indicating an anomaly in the normal workflow of traffic within the enterprise. You should investigate alerts as a possible breach of security.
How do alerts get to Chronicle?
Chronicle taps into various external sources within the security community using industry-wide databases updated continuously. Chronicle also has a feature-rich programming language, so you can craft your own custom rules.
Before you begin
You can perform these steps from your company's Chronicle instance or from the Chronicle demo environment.
Chronicle is designed to work exclusively with the Google Chrome browser. If you do not have Chrome installed, go to https://www.google.com/chrome/. We recommend upgrading Chrome to the most current version.
Chronicle is integrated into your single sign-on solution (SSO). You can log in to Chronicle using the credentials provided by your enterprise.
Launch the Google Chrome browser.
Ensure you have access to your corporate account.
To access the Chronicle interface, navigate to https://customername.backstory.chronicle.security, where customername is your organization-specific identifier.
Chronicle Landing Page
Search for a domain
In the landing page search field, enter the domain of a company. In this example, we use google.com.
Figure: Chronicle landing page
Click Search, and then select google.com in the Domains dropdown menu to open Domain view.
The panel on the left shows all assets that have accessed this domain in the timeframe displayed. The panel on the right displays a histogram of all assets linking to this domain.
View Enterprise Insights
Select the Application menu icon (in the upper right, between the Search button and the Timeline slider) to open the Application dropdown menu as shown in the following figure.
Select Enterprise Insights to open Enterprise Insights view. Here, IOC matches and recent alerts are displayed. You may have to increase the time range using the slider for matches and alerts to appear.
Pivot to Asset view
Next, drill down to a particular asset that may have been compromised.
Click on an asset in Enterprise Insights view to open Asset view. Asset view shows details of the selected asset around the timeline of the alert trigger, as shown in the following figure.
The bubbles in the main window represent the prevalence of the asset. The graph is arranged so events occurring less often are at the top. These low-prevalence events are considered suspicious. Use the Time slider in the upper right to zoom in to events requiring investigation.
If the Procedural Filtering menu is not visible, open it by clicking the Filter icon (near the upper right corner).
At the top of the menu, adjust the Prevalence slider to filter out common events. Use the Time and Prevalence sliders together to identify suspicious events.
Open the alert from the Timeline sidebar list. In the left panel, select the Timeline tab, which displays events occurring around the alert. The triggering event is highlighted in green.
Investigate what triggered the alert
There are several ways to gain more insight into the triggering event.
In the middle panel, an orange dialog box may appear above a small orange triangle indicating the location, in time, of the alert. If the dialog box is not displayed, hovering over the triangle causes it to appear. The dialog contains the date, time, and description of the alert.
The left panel in Asset view shows the Timeline tab. If the event is labeled Rule Alert, it also includes a description of the alert.
Hovering over the Rule Alert event causes an Expand icon to appear on the right side of the event. Clicking on this icon will open a new window with more details about the event in UDM format, as shown in the following figure.
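The Rule Alert events described above come from custom rules written in Chronicle's rule language, mentioned earlier as the way to craft your own detections. The following is an added example of such a rule, not code from this guide or from Chronicle's own rule set; it is written in YARA-L 2.0 syntax and assumes the UDM fields shown (metadata.event_type, target.hostname, principal.hostname). The domain name is a constructed placeholder.

```yara-l
// Added example: flag any asset that connects to a watched domain.
// When this rule matches, the event appears as a Rule Alert in the
// Timeline tab of Asset view, with the meta.description text attached.
rule watched_domain_access {
  meta:
    author = "security-operations"
    description = "Asset connected to a watched domain"
    severity = "MEDIUM"

  events:
    // Match network events where the destination host is the watched
    // domain. The domain below is a constructed placeholder.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.hostname = "watched-domain.example"

    // Bind the originating asset so the match groups by asset, which is
    // what you pivot on in Asset view.
    $e.principal.hostname = $asset

  match:
    // One alert per asset per hour, rather than one per connection.
    $asset over 1h

  condition:
    $e
}
```

A rule like this fires on every matching asset, so pairing it with the Prevalence slider in Asset view is what separates a first-time connection from routine traffic.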