Chronicle FAQs

What is Chronicle?

Chronicle is a cloud service, built as a specialised layer on top of core Google infrastructure designed for enterprises to privately retain, analyse, and search the massive amounts of security and network telemetry they generate. Chronicle normalises, indexes, correlates, and analyses the data to provide instant analysis and context or risky activity.

What data can Chronicle ingest?

Chronicle can ingest numerous security telemetry types through a variety of methods including: Forwarder – a lightweight software component, deployed in the customer’s network, that supports Syslog, packet capture, and existing log management / SIEM data repositories. Ingestion API’s – API’s that enable logs to be sent directly to the Chronicle platform, eliminating the need for additional hardware or software in customer environments. Third-party integrations – Integration with third-party cloud APIs to facilitate ingestion of logs, including sources like Office 365 and Azure AD. Chronicle has forwarders for both Linux and Windows, details can be found here:

• https://cloud.google.com/chronicle/docs/install/forwarder-linux & system requirements here:
• https://cloud.google.com/chronicle/docs/install/forwarder-linux#system_requirements

An architectural overview of the data ingestion flow to Chronicle can be found here:

• https://cloud.google.com/chronicle/docs/dataingestion-flow

How does Chronicle deliver results?

The analytical capabilities of Chronicle are delivered to security professionals as a simple, browser-based application. Many of these capabilities are also accessible programmatically via API’s. At its core, the purpose of Chronicle is to ingest all security telemetry allowing analysts to quickly gain visibility of potential threats. This allows an analyst to quickly determine what it is, what it’s doing, whether it matters, and how best to respond.

How long does it take to implement Google Chronicle?

From initial design workshop and set up to successfully ingesting logs it would be approximately 2 weeks. Cyberseer then ensure logs are being parsed correctly, finalise any rule customisations and configure required alerting. Therefore, Chronicle would be at initial operating capability in approximately 4 weeks.

What deployment architecture would I need to run Chronicle’s security analytics platform?

The architecture for the solution will involve Google Cloud’s Platform, Chronicle SaaS for log storage, dash-boarding, alerting and searching. A log collector/forwarder will be configured for on premise data sources which will forward to the Chronicle SaaS tenant. Other log sources which are in the cloud will have collectors configured or cloud to cloud connectors depending on the technology.

What is Cyberseer’s Managed Service for Google Chronicle?

Cyberseer integrated ASPECT with Chronicle to provide customers high fidelity alert monitoring and prioritisation. ASPECT – Cyberseer’s fully automated, anonymised 24×7 alert enrichment and escalation platform processes the output generated by all Cyberseer’s selected detection technologies and enforces a standardised, efficient workflow, each time, and every time, to identify and deliver priority alerts to our skilled, experienced analysts. Cyberseer ASPECT will pull alerts raised from within Chronicle and enrich the data. Potential priority alerts will be raised to tier 3 analysts who will then triage the alerts. Incidents will be raised and incidents where mitigation steps have been predefined and pre-agreed will be actioned by Cyberseer. Cyberseer’s automation allows our analysts to spend their time understanding our customers environment, defining use cases with relevant data sources, and carrying out proactive threat hunting.

Does the Cyberseer SOC service include any threat intelligence or threat feeds?

Yes, Google Chronicle utilises threat feeds from VirusTotal, Uppercase, ET, Avast and DHS. Other third-party threat feeds can also be incorporated into the Chronicle platform if you have them. Cyberseer offer an additional service with our partner Digital Shadows to provide additional detection use cases including brand reputation, data leakage, spoofing, credential leakage that can be integrated into Chronicle and the MDR service.

How does Cyberseer ensure its service remains fit for purpose evolving in line with changing attacker TTPs?

Cyberseer work closely with the customer to understand the wider digital strategy to assess and quantify further risk and build visibility using the MITRE ATT&CK framework and the associated TTP’s. We continually provide TTP insights in this framework as your environment develops.

How does Cyberseer reduce the number of false positives raised to the customer

Human expertise. Our team of highly skilled experienced tier 3 analysts own this process. They focus on tuning rules to reduce the number of false positives they receive from the deployed detection technology. From there experience and exposure to a diverse customer base they can quickly reduce the false positives you receive from the service. Cyberseer’s automation platform ASPECT provides enrichment of alerts and supports our Analysts to make quick decisions. Continuous improvement of your data sources against TTPs will be managed in the weekly meeting minutes to support higher alert efficacy.

Does Cyberseer perform proactive threat hunting?

Cyberseer actively look for TTP’s that attackers use. This enables us to detect attacks including zero-day behaviour. If we deem a search can be automated by creating rules that yield low false positives, then those would be implemented into the customers systems so that the system can alert quickly when that technique occurs in the future.

Is Google Chronicle easy to scale?

The license for Chronicle is based on the number of users. The addition of new technologies can easily be ingested into the service without the requirement for additional storage cost. This allows you to scale out as you grow without worrying about logging costs. Cyberseer can work with you to incorporate these technologies or advise on complementary technologies and if appropriate add these into the service. It is worth noting that whilst Chronicle commercially offer a solution to ingest everything, not all data is made equal. The Cyberseer SOC will consult with you on use cases against TTPs and advise on the need for the most valuable additional data sources. Importantly we want to partner with you and keep an ongoing understanding of your strategy over the service term.

How does Google Chronicle baseline ‘normal’ system behaviour access across our estate?

How long does the tuning take?

Chronicle normalises the data rather than baselining the system behaviour. We then apply rules and threat hunting to this normalised data. Chronicle uses a feature called prevalence which would highlight activity not usually seen, for example how many times has this IP address been seen in your network. This process starts as soon as logs are correctly ingested. From our experience, 2 weeks after the initial operating capability is signed off is when we start seeing value from this feature set.

Can a log repository be provided to support forensic investigations and meet PCI compliance? (12 months retention of logs)?

Yes, and yes, Chronicle is PCI compliant. 12 months hot data retention is the minimum available with Chronicle.

Can the log repository be accessed for our own investigations?

Yes

What are the network bandwidth requirements for Google Chronicle?

Chronicle do not stipulate a minimum requirement for the forwarder. It would be very much based on the events per second and volume of logs. To reduce bandwidth the forwarder does compress packets before it leaves the edge / network.

Where does my data reside?

Data resides in GCP datacenters in the EU. Data will be stored by Chronicle for a year. No customer data will be stored by Cyberseer.

Does Chronicle work with the XDR approach?

Google Chronicle can work within the new XDR approach. Chronicle can take endpoint and log data and provide deep contextualisation and the latest threat intelligence, looking beyond the endpoint. Associating files, links, and other assets to an indicator of compromise can cut down on response time and aid in vulnerability management. Additionally, Chronicle’s ability to use modern YARA-L language, search petabytes in less than a second, visualise data, and mapped to the MITRE ATT&CK framework makes it a leading cloud security solution.

What benefits does Google Chronicle offer?