Google Chronicle Training

Topics:

• What is SIEM? Evolution and challenges.
• What is SOAR? Benefits and use cases.
• The convergence of SIEM and SOAR.

Topics:

• Chronicle's unique architecture
• Key components: Ingestion, UDM, Detection Engine, Context Graph, SOAR.
• Value proposition: Speed, scale, context.

Topics:

• Why UDM? Normalization, correlation, and search efficiency.
• Key UDM event types and fields.
• Mapping raw logs to UDM.

Topics:

• Overview of the dashboard, search bar, and various views.
• Basic search syntax and filters.

Topics:

• Supported data sources in Chronicle.
• Overview of various ingestion methods: Google Cloud Storage, Pub/Sub, Chronicle
• Forwarder, API integrations.

• The Chronicle Forwarder: Role as a lightweight agent for on-premises data collection.
• Step-by-step guide to setting up new data sources using the Chronicle Forwarder.
• Understanding various collector types: Syslog, File, Windows Event Forwarding (WEF),
• Packet Capture (PCAP).
• Configuring the Chronicle Forwarder to ingest logs.
• Ensuring proper UDM mapping for events and logs

• Ingesting Google Cloud Platform (GCP) logs (e.g., Audit Logs, VPC Flow Logs) via Pub/Sub

• Understanding parser types and their role in transforming raw logs to UDM.
• Monitoring ingestion health and identifying parsing errors.
• Troubleshooting common ingestion issues (e.g., malformed logs, incorrect parser selection).

• Reviewing UDM mapping for ingested data.
• Introduction to enrichment data sources.

• What are Endpoint Agents? Role in collecting high-fidelity endpoint telemetry.
• Mandiant Agent / Google Cloud Endpoint Agent/ Blueconic: Overview of its
• Capabilities (process execution, network connections, file modifications, registry).
• Deployment and Management Considerations for Endpoint Agents.
• Value proposition for EDR-like visibility and advanced threat hunting within Chronicle.

• Overview of Chronicle Licensing: How ingestion volume and specific features impact
• Licensing.
• Single-Tenant Architecture Licensing:
• Typically based on the total daily ingestion volume (e.g., GB/day).
• Dedicated Chronicle instance for the organization.
• Predictable costs based on anticipated data growth.
• Multi-Tenant Architecture Licensing (e.g., MSSP Model):
• Chronicle can be deployed by Managed Security Service Providers (MSSPs)
• Considerations for data segregation, role-based access control (RBAC) across multiple clients, and reporting.
• Benefits for MSSPs: centralized platform, economies of scale.
• Key Licensing Considerations

• Leveraging UDM fields for precise searches.
• Using Boolean operators (AND, OR, NOT), wildcards (*), and regular expressions (re:) in search.
• Time range filters and their importance.
• Grouping and aggregating search results using group by

• Deep dive into event details: raw logs vs. UDM view.
• Understanding asset views: historical activity, associated events, and relationships.
• User views and their role in investigations.

• Detailed exploration of key UDM event types and their common fields (e.g.,network. direction, process.file.md5, principal.user.userid).
• Understanding the hierarchy and relationships within UDM.

• Visualizing relationships between entities (assets, users, domains, IPs, hashes).
• Navigating the Context Graph for lateral movement and attack path analysis.
• Utilizing the event timeline for chronological investigation and event correlation.

• Understanding alert severity and priority.
• Manual and automated case creation from detections.
• Integrating with external ticketing systems (conceptual).

• Using Chronicle's built-in and custom case management features.
• Adding notes, evidence, and assigning tasks within a case.
• Collaborative investigation workflows.

• Deep dive into YARA-L structure: rule, meta, strings, events, outcome.
• Understanding event variables and event aggregations.
• Using functions and operators in YARA-L (e.g., count_distinct, array_length, contains).

• Mapping MITRE ATT&CK techniques to YARA-L detection logic.
• Crafting rules for common attack patterns (e.g., brute force, data exfiltration, malware execution).

• Using the YARA-L rule testing environment.
• Interpreting test results and debugging rules.
• Strategies for effective rule validation.

• Leveraging reference lists for dynamic rule conditions.
• Using match and events sections for complex correlation.
• Implementing multi-stage detections.

• Managing rule versions and deployments (draft, active, disabled).
• Tuning rules to reduce false positives and improve efficacy.
• Understanding rule suppression and exclusion

• Overview of Google's curated detection sets.
• Extending and customizing curated detections.
• Best practices for naming conventions, documentation, and rule ownership.

• Overview of Mandiant Threat Intelligence and its capabilities.
• Introduction to VirusTotal and its role in threat analysis.

• How Mandiant Threat Intelligence feeds into Chronicle.
• Using VirusTotal integrations for enrichment and context

• Creating YARA-L rules based on Mandiant indicators and behaviors.
• Using VirusTotal data within investigations to assess file/URL reputation.
• Proactive threat hunting using TI.

• Creating and managing reference lists for dynamic rule conditions and enrichment.
• Use cases for IP blacklists, user whitelists, known good hashes.

• Building custom dashboards for security posture, threat trends, and operational metrics.
• Creating scheduled reports for compliance and management.
• Leveraging Chronicle's built-in reporting capabilities.

• Managing users and roles within Chronicle.
• Implementing least privilege principles.
• Integrating with identity providers (e.g., Google Workspace, Azure AD).

• What is Security Orchestration, Automation, and Response?
• Key SOAR capabilities: Orchestration, Automation, Case Management, Playbooks.
• Benefits: Reduced MTTR, improved analyst efficiency, consistent response

• The role of SOAR within the Chronicle platform.
• Case management interface and features.
• Understanding the playbook engine and its components

• Introduction to playbook design principles.
• Triggers, conditions, and actions.
• Types of playbook actions: enrichment, containment, notification

• Overview of out-of-the-box connectors for various security tools (EDR, Firewall, Threat Intel, Ticketing).
• Understanding the purpose of each connector

• Navigating the visual playbook editor.
• Adding steps, conditions, and loops.
• Using variables and expressions within playbooks.

• Alert Enrichment: Automating data collection from threat intelligence, asset management, and identity systems.
• Phishing Response: Automating email analysis, user notification, and email quarantine.
• Malware Containment: Automating endpoint isolation and file quarantine.
• User Account Compromise: Automating password resets and account disabling.

• Implementing complex conditional logic and branching.
• Error handling and retry mechanisms in playbooks.
• Sub-playbooks and modular playbook design.

• Leveraging Chronicle's API for custom integrations and data export.
• Integrating SOAR with external systems (e.g., CMDB, vulnerability scanners, ITSM).
• Using webhooks for triggering playbooks from external sources.

• Proactive threat hunting methodologies using Chronicle's capabilities.
• Developing repeatable threat hunting queries and playbooks.

• Strategies for phased deployment.
• Performance tuning and cost optimization.
• Data retention policies and compliance.