Review an alert using Chronicle

This guide shows how to investigate an alert using Chronicle.

What is an alert?

An alert is an Indicator of Compromise (IOC), flagged by Chronicle, indicating an anomaly in the normal workflow of traffic within the enterprise. You should investigate alerts as a possible breach of security.

How do alerts get to Chronicle?

Chronicle taps into various external sources within the security community using industry-wide databases updated continuously. Chronicle also has a feature-rich programming language, YARA-L, so you can craft your own custom rules.

For more information on YARA-L, see the Overview of the YARA-L 2.0 language. For more information on rules, see Manage Rules Using Rules Editor.

Before you begin

You can perform these steps from your company's Chronicle instance or from the Chronicle demo environment.

Chronicle is designed to work exclusively with the Google Chrome or Mozilla Firefox browsers.

Google recommends upgrading your browser to the most current version. You can download the latest version of Chrome from https://www.google.com/chrome/.

Chronicle is integrated into your single sign-on solution (SSO). You can log in to Chronicle using the credentials provided by your enterprise.

  1. Launch Chrome or Firefox.

  2. Ensure you have access to your corporate account.

  3. To access the Chronicle application, where customer_subdomain is your customer-specific identifier, navigate to: https://customer_subdomain.backstory.chronicle.security.

    Chronicle Landing Page Chronicle Landing Page

View Alerts and IOC Matches

In the navigation bar, select Detection > Alerts and IOCs.

The Alerts and IOC Matches tabs are displayed. You may have to adjust the time range using the calendar control in the top right for matches and alerts to appear.

Pivot to Asset view

Next, drill down to a particular asset that may have been compromised.

  1. From the IOC Matches tab, click on a domain to open Domain view.

  2. Select the Timeline tab.

  3. To pivot to Asset view, select an event by clicking on its time. Asset view shows details of the selected asset around the timeline of the alert trigger, as shown in the following figure.

    Asset View Asset view

    The bubbles in the main window represent the prevalence of the asset. The graph is arranged so events occurring less often are at the top. These low-prevalence events are considered suspicious. Use the Time slider in the upper right to zoom in to events requiring investigation.

  4. If the Procedural Filtering menu is not visible, open it by clicking the Filter icon Filter icon (near the upper right corner).

  5. At the top of the menu, adjust the Prevalence slider to filter out common events. Using the Time and Prevalence sliders, to identify suspicious events.

  6. Open the alert from the Timeline sidebar list. In the left panel, select the Timeline tab which display events occurring around the alert. The triggering event is highlighted in green.

Investigate what triggered the alert

There are several ways to gain more insight into the triggering event.

  • In the middle panel, an orange dialog box may appear above a small orange triangle indicating the location, in time, of the alert. If the dialog box is not displayed, hovering over the triangle causes it to appear. The dialog contains the date, time, and description of the alert.

  • The left panel in Asset view shows the Timeline tab. If the event is labeled Rule Alert, it will also mention a description of the alert.

  • Hovering over the Rule Alert event causes an Expand icon Expand Event Icon to appear on the right side of the event. Clicking on this icon will open a new window with more details about the event in UDM format, as shown in the following figure.

    Event Details Event Details