Quickstart investigating an alert

This guide shows how to investigate an alert using Chronicle.

Background

What is an alert?

An alert is an Indicator of Compromise (IOC) flagged by Chronicle that indicates an anomaly in the normal flow of traffic within the enterprise. Investigate each alert as a possible security breach.

How do alerts get to Chronicle?

Chronicle draws on various external sources within the security community, using industry-wide databases that are updated continuously. Chronicle also provides a feature-rich rules language, so you can write your own custom detection rules.

Before you begin

You can perform these steps from your company's Chronicle instance or from the Chronicle demo environment.

Chronicle is designed to work exclusively with the Google Chrome browser. If you do not have Chrome installed, go to https://www.google.com/chrome/. We recommend upgrading Chrome to the most current version.

Chronicle is integrated into your single sign-on solution (SSO). You can log in to Chronicle using the credentials provided by your enterprise.

  1. Launch the Google Chrome browser.

  2. Ensure you have access to your corporate account.

  3. To access the Chronicle interface, navigate to https://customername.backstory.chronicle.security, where customername is your organization-specific identifier.

    [Figure: Chronicle landing page]

Search for a domain

  1. In the landing page search field, enter the domain of a company. In this example, we use google.com.

    [Figure: Chronicle landing page]

  2. Click Search, and then select google.com in the Domains dropdown menu to open Domain view.

    The panel on the left shows all assets that have accessed this domain in the timeframe displayed. The panel on the right displays a histogram of all assets linking to this domain.

    [Figure: Domain view]

View Enterprise Insights

  1. Select the Application menu icon (in the upper right, between the Search button and the Timeline slider) to open the Application dropdown menu, as shown in the following figure.

    [Figure: Application menu]

  2. Select Enterprise Insights to open Enterprise Insights view. Here, IOC matches and recent alerts are displayed. You may have to increase the time range using the slider for matches and alerts to appear.

    [Figure: Enterprise Insights]

Pivot to Asset view

Next, drill down to a particular asset that may have been compromised.

  1. Click on an asset in Enterprise Insights view to open Asset view. Asset view shows details of the selected asset around the timeline of the alert trigger, as shown in the following figure.

    [Figure: Asset view]

    The bubbles in the main window represent prevalence for the asset. The graph is arranged so that events that occur less often are at the top; these low-prevalence events are considered suspicious. Use the Time slider in the upper right to zoom in to the events that require investigation.

  2. If the Procedural Filtering menu is not visible, open it by clicking the Filter icon (near the upper right corner).

  3. At the top of the menu, adjust the Prevalence slider to filter out common events. Use the Time and Prevalence sliders together to identify suspicious events.

  4. Open the alert from the Timeline sidebar list. In the left panel, select the Timeline tab, which displays the events occurring around the alert. The triggering event is highlighted in green.
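The Time and Prevalence sliders above implement a simple triage idea: a domain contacted by only a few assets in the enterprise is less common, and therefore more worth a look, than one every asset talks to. The following Python is an added example, not Chronicle's code, that reproduces that idea over a constructed event log so you can see what the sliders are computing. It assumes prevalence means "number of distinct assets that contacted the domain within the window" (the page does not state Chronicle's exact formula), and all asset names, domains and timestamps are constructed for illustration.

```python
"""Prevalence-based triage over constructed network events (added example).

Prevalence here = number of distinct assets that contacted a domain within
the analysis window (assumption; the exact Chronicle formula is not stated).
Low-prevalence events surface first, mirroring the Asset view ordering.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, asset, domain contacted).
# The .example domains are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", "host-01", "google.com"),
    ("2021-03-01T09:01:00", "host-02", "google.com"),
    ("2021-03-01T09:02:00", "host-03", "google.com"),
    ("2021-03-01T09:03:00", "host-04", "google.com"),
    ("2021-03-01T09:10:00", "host-01", "updates.vendor.example"),
    ("2021-03-01T09:11:00", "host-02", "updates.vendor.example"),
    ("2021-03-01T09:12:00", "host-03", "updates.vendor.example"),
    ("2021-03-01T09:30:00", "host-02", "unusual-host.example"),
    ("2021-03-01T09:31:00", "host-02", "google.com"),
    ("2021-03-02T10:00:00", "host-04", "stale-host.example"),  # outside window
]

# Analysis window (the Time slider) and the alert we are pivoting around.
WINDOW_START = datetime(2021, 3, 1, 8, 0, 0)
WINDOW_END = datetime(2021, 3, 1, 12, 0, 0)
ALERT_TIME = datetime(2021, 3, 1, 9, 30, 0)
ALERT_RADIUS = timedelta(minutes=15)


def parse_events(rows):
    """Convert (iso_timestamp, asset, domain) rows into events with datetime objects."""
    return [(datetime.fromisoformat(ts), asset, domain) for ts, asset, domain in rows]


EVENTS = parse_events(SAMPLE_EVENTS)


def domain_prevalence(events, window_start, window_end):
    """Map each domain to the number of distinct assets that contacted it in the window."""
    assets_by_domain = defaultdict(set)
    for ts, asset, domain in events:
        if window_start <= ts <= window_end:
            assets_by_domain[domain].add(asset)
    return {domain: len(assets) for domain, assets in assets_by_domain.items()}


def low_prevalence_events(events, window_start, window_end, max_prevalence):
    """Events in the window whose domain has prevalence <= max_prevalence, rarest first.

    This is the equivalent of dragging the Prevalence slider down to hide common events.
    """
    prevalence = domain_prevalence(events, window_start, window_end)
    hits = [
        (ts, asset, domain, prevalence[domain])
        for ts, asset, domain in events
        if window_start <= ts <= window_end and prevalence[domain] <= max_prevalence
    ]
    return sorted(hits, key=lambda e: (e[3], e[0]))


def asset_timeline(events, asset, alert_time, radius, window_start, window_end):
    """Events for one asset within +/- radius of the alert time, annotated with prevalence.

    Prevalence is computed over the wider window, not just the zoomed-in slice, so a
    domain is not made to look rare merely because the slice is short. Rarest first.
    """
    prevalence = domain_prevalence(events, window_start, window_end)
    lo, hi = alert_time - radius, alert_time + radius
    rows = [
        (ts, domain, prevalence.get(domain, 0))
        for ts, a, domain in events
        if a == asset and lo <= ts <= hi
    ]
    return sorted(rows, key=lambda r: (r[2], r[0]))


if __name__ == "__main__":
    print("Prevalence by domain:", domain_prevalence(EVENTS, WINDOW_START, WINDOW_END))
    print("Rare events (prevalence <= 1):")
    for ts, asset, domain, p in low_prevalence_events(EVENTS, WINDOW_START, WINDOW_END, 1):
        print(f"  {ts.isoformat()}  {asset}  {domain}  prevalence={p}")
    print("host-02 timeline around the alert:")
    for ts, domain, p in asset_timeline(EVENTS, "host-02", ALERT_TIME, ALERT_RADIUS,
                                        WINDOW_START, WINDOW_END):
        print(f"  {ts.isoformat()}  {domain}  prevalence={p}")
```

Running the script lists unusual-host.example as the only event at prevalence 1 and places it at the top of host-02's timeline, ahead of the google.com lookup one minute later; the event on 2021-03-02 is ignored because it falls outside the window, which is exactly the effect of narrowing the Time slider.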

Investigate what triggered the alert

There are several ways to gain more insight into the triggering event.

  • In the middle panel, an orange dialog box may appear above a small orange triangle that marks the alert's position in time. If the dialog box is not displayed, hover over the triangle to make it appear. The dialog contains the date, time, and description of the alert.

  • The left panel in Asset view shows the Timeline tab. If the event is labeled Rule Alert, the entry also includes a description of the alert.

  • Hovering over the Rule Alert event causes an Expand icon to appear on the right side of the event. Clicking this icon opens a new window with more details about the event in UDM format, as shown in the following figure.

    [Figure: Event details]