This article describes the Chronicle assets, their types and frequently asked questions about syncing these assets into Resolution Intelligence Cloud.
To enable asset sync, ensure that you have configured a Chronicle instance in your Resolution Intelligence Cloud's account.
What are Chronicle Assets?
Chronicle produces Events and Entities from the different log types ingested into your Chronicle instance. Entities provide context to network events, which typically do not surface everything that is known about the systems they involve. For example, while a PROCESS_LAUNCH event might be linked to the user (abc@foo.corp) who launched the shady.exe process, the PROCESS_LAUNCH event won't indicate that this user was a recently terminated employee on a highly sensitive project. This kind of context is normally what a security analyst has to gather through further research.
The entity data model enables you to ingest these types of entity relationships, providing richer and more focused IOC threat intelligence data. It also introduces and expands the Permission, Role, Vulnerability, and Resource messages to capture new context available from IAM, vulnerability management systems, and data protection systems.
An asset entity in Chronicle is created when a log line is parsed as an entity; a log line is parsed as either an entity or an event, never both. The default log sources that can provide asset entities are listed below.
- Microsoft Defender for Endpoint
- ServiceNow CMDB
Frequently Asked Questions
Why am I not seeing an asset entity in the Chronicle?
The Chronicle instance does not have a log source that provides asset entity information (such as the log types listed above).
What could be the reason for having entities before but not in the last few days / not having updated entity information?
- The log source that sends asset entity information is not sending logs.
- There could be an issue with parsing asset information from the log source that sends entity information.
How do I verify the entity information from Chronicle?
- In BigQuery, run the following query (replace chronicle-projectName with your Chronicle project; entity_type 1 selects asset entities):
  SELECT * FROM `chronicle-projectName.datalake.entity_graph` WHERE metadata.entity_type = 1 LIMIT 1000
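The two questions above (entities that stopped arriving, and verifying what Chronicle holds) can be answered with one query. The following BigQuery SQL is an added example, not part of the original article: it counts asset entities per source per day for the last 7 days, so a source whose daily count drops to zero stands out. It assumes the `chronicle-projectName` placeholder from the article, that metadata.entity_type = 1 denotes an asset as the article uses it, and that the columns metadata.vendor_name, metadata.product_name and metadata.collected_timestamp.seconds exist as in the UDM entity schema exported to BigQuery; check these against your own table's schema.

```sql
-- Added example: daily asset-entity counts per log source over the last 7 days.
-- A vendor/product pair that disappears from recent days points at either a
-- source that stopped sending logs or a parser that no longer yields entities.
-- Assumed column names (verify against your schema):
--   metadata.vendor_name, metadata.product_name  -> which log source produced the entity
--   metadata.collected_timestamp.seconds         -> when Chronicle collected it
--   metadata.entity_type = 1                     -> asset entities, as in the article
SELECT
  DATE(TIMESTAMP_SECONDS(metadata.collected_timestamp.seconds)) AS collected_day,
  metadata.vendor_name,
  metadata.product_name,
  COUNT(*) AS asset_entities
FROM `chronicle-projectName.datalake.entity_graph`   -- placeholder project from the article
WHERE metadata.entity_type = 1
  AND TIMESTAMP_SECONDS(metadata.collected_timestamp.seconds)
        >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
GROUP BY collected_day, metadata.vendor_name, metadata.product_name
ORDER BY metadata.vendor_name, metadata.product_name, collected_day DESC;
```

If a source such as Microsoft Defender for Endpoint or ServiceNow CMDB appears for earlier days but not for the most recent ones, check that source's log forwarding first, then its parser.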