Chronicle Assets Sync

To enable assets sync, ensure that you have configured a Chronicle instance in your Resolution Intelligence Cloud's account.

What are Chronicle Assets

We get Events and Entities from Chronicle when we ingest different log types for our Chronicle instance. Entities provide context to network events which typically do not surface all the information known about the systems they connect to. For example, while a PROCESS_LAUNCH event might be linked to a user (abc@foo.corp) who launched the shady.exe process, the PROCESS_LAUNCH event won't indicate that the user (abc@foo.corp) was a recently-terminated employee on a highly-sensitive project. This context would normally only be provided by further research conducted by a security analyst.

The entity data model enables you to ingest these types of entity relationships, providing richer and more focused IOC threat intelligence data. It also introduces and expands the Permission, Role, Vulnerability, and Resource messages to capture new context available from IAM, vulnerability management systems, and data protection systems.

An asset entity in Chronicle is created when a log line is parsed as an entity, a log line can be parsed as an entity or event, not both. Below are the default log sources which can give assets entities.

• Microsoft Defender for Endpoint

• ServiceNow CMDB

Frequently Asked Questions

Why I am not seeing an asset entity in Chronicle?

Because we don't have the right log sources that can provide asset entity information. [Like above mentioned log types]

What could be the reason have entities before but not from the last few days / not having updated entity information

• The log source which sends asset entity information is not sending logs

• Could be an issue with parsing asset information from the log source [that sends entity info]

How do I verify If I am getting entity information Chronicle

• On Big query: SELECT  FROM `chronicle-projecName.datalake.entity_graph` WHERE metadata.entity_type =1  LIMIT 1000