This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Indicators supported by Chronicle

Posted on 02-05-2024 02:42 AM
mountaincode2
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

In the following document:

https://cloud.google.com/chronicle/docs/investigation/investigate-alert

> To maximize graph capabilities, specify the important indicators in the outcome section. Here are the indicators supported by Chronicle: hostname, asset_id, etc.

But the list of indicators are basically Nouns in UDM. So why are they referred to as indicators?

Also, when it says "specify the important indicators" in the outcome section. Does it mean in the outcome section of the YARA-L rule? If yes, why is it required to specify these indicators in the outcome section. Also, in the YARA-L rule that follows in the documentation, the indicators are not specified in the YARA-L rule.

Can you please break it down.

Thank you.

 

Solved Solved
1 3 156
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Here is part one of a two part blog on using the alert graph https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Chronicle-Alert-Graph-Part-1/ba-p/7075...

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
mountaincode2
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

Can someone please help me here. Thanks!

Jump to Solution

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

This is a timely question as a part one of a two part blog is coming on-line later today around the alert graph. I will post that link once it is live, but it will be found in the Community Blog section of the site.

The listing of indicators are the fields within the nouns. The nouns that are supported are principal, target and src. So, the principal.hostname, target.hostname and src.hostname are supported in the alert graph but the observer.hostname, for example would not be.

For the alert to populate the graph, it uses that match variables and the outcome variables within a rule. So, the outcome section in the YARA-L rule needs to be populated for these details to fill in.

It's a fair point on the example. I have provided some updates around this page to revamp some of the information around indicators and can add the rule example to the list.

The rules within the our Github Community Rules provide numerous examples on how you could populate the alert graph with outcome variables.

Jump to Solution

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Here is part one of a two part blog on using the alert graph https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Chronicle-Alert-Graph-Part-1/ba-p/7075...

Jump to Solution
Top Solution Authors
View all