"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.
Today we are going to explore how we can use saved searches to be more efficient with the common questions that come up during a day in security operations. Below is a view of the search interface. We’ll start by acknowledging the obvious change: the layout of the interface itself. Notice how the menu items are now on the left side of the screen. This brings together in a single tab all of the security operations functions that a SIEM and a SOAR traditionally performed separately!
On the search screen itself, search syntax is still entered at the top of the screen, but on the lower portion of the screen, we have lists with your search history, your saved searches and searches that have been shared with you. These lists provide rapid access to searches that are used on a regular basis by you or the organization as a whole.
The far right column contains a set of searches that are shared with you, that is, the logged-on user. Notice that many of these have a Chronicle logo next to them and the word "shared." Shared searches with the Chronicle logo are the ones we provide as a starting point, but searches unique to your organization can also be saved and shared.
The middle column lists searches that you have saved. The second search from the top of the list is named "Investigative Search - Zeek." We are going to use this to highlight how saved searches can be parameterized and reused. Before we click on it, notice that the search has a title, a description, and the time it was last updated and by whom. The purple values under the description indicate that this is a parameterized search.
When we select our search, notice that we get a pop-up that prompts for values for the protocol, and two IP addresses.
We can start by entering the IP addresses that we are interested in seeing communication between. Notice that the protocol prompt presents a drop-down list to choose from. This is because the field network.application_protocol is an enumerated field in UDM. Enumerated fields have a fixed set of values, so what we see in the drop-down list are the only values that can exist in this field. Once we provide our parameters for the search, we can click Load Search.
When we load our search, the search syntax is populated and our parameters replace the variables that we saw in purple in the prompt. We can adjust our time range as desired and click Search to execute. Our result set replaces the three lists of searches at the bottom of the screen. Just like any other search, we can add additional columns, use the quick filters on the left side of the screen, or apply in-line filters to our existing data set to narrow our results further.
As we analyze our results, we notice that there are a number of SMB communications between these two systems over the past 24 hours. When we review the values in the field target.file.full_path, we can see that a number of events contain a folder called "Policies", which might indicate that group policy objects are being shared on a regular basis between these two servers.
We could filter this out by adding criteria directly into our search or through the inline filters. However, if we wanted to modify our saved search to always exclude the Policies folder, we could. Let’s modify our saved search.
To create or modify a saved search from the results screen, we can click on History - Open Search Manager or the three dots on the far right side of the screen next to the Search button and select Search Manager.
Within the search manager, we can filter by word and by the type of search, that is, Chronicle defined, authored by you, or shared with you. The middle portion of the pop-up is the search criteria. We will add the additional condition target.file.full_path != /\\Policies\\/ which excludes any event whose target.file.full_path contains a folder named Policies. We could tighten or loosen our criteria further by adding additional strings to our regular expression or by using the nocase modifier, but for today this is sufficient.
Notice on the right side of the screen are the variables that are used in the search. $protocol, $first_ip and $second_ip each have a prompt on the right. Providing prompts is considered a best practice, particularly if these searches are being shared with others within the organization. Also notice that we are using grouped fields for the IP addresses. This allows us to search multiple IP address fields for this pair of addresses. There is a tradeoff to using grouped fields: because we are searching many fields for the IP address, our coverage will be better, but the amount of data that needs to be searched to find our results will be larger as well, because the grouped IP field searches across 11 distinct IP address fields in UDM. For a quick refresher on grouped fields, there’s a blog for that!
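To make the two mechanics above concrete, the parameter prompts with their substitution into the query, and the Policies exclusion regex, here is an added Python model of the saved search. It is not Chronicle code: the query template, the enumerated protocol subset and the sample paths are constructed assumptions, and only the field names, variables and exclusion come from the walkthrough.

```python
"""Model of the parameterized 'Investigative Search' described above (added example)."""
import ipaddress
import re
from string import Template

# Assumed subset of the enumerated values of network.application_protocol.
APPLICATION_PROTOCOLS = {"SMB", "HTTP", "HTTPS", "DNS", "SSH"}

# Assumed UDM query template. `ip` stands for the grouped IP field; the last
# clause is the exclusion added in the walkthrough (\\ matches one backslash).
SEARCH_TEMPLATE = Template(
    'network.application_protocol = "$protocol" AND '
    'ip = "$first_ip" AND ip = "$second_ip" AND '
    r'target.file.full_path != /\\Policies\\/'
)

def render_search(protocol: str, first_ip: str, second_ip: str) -> str:
    """Validate prompt values like the enumerated drop-down does, then substitute."""
    if protocol not in APPLICATION_PROTOCOLS:
        raise ValueError(f"{protocol!r} is not an enumerated application protocol")
    # Only literal IP addresses are accepted, so a prompt value can never
    # change the shape of the query it is substituted into.
    for value in (first_ip, second_ip):
        ipaddress.ip_address(value)  # raises ValueError on anything else
    return SEARCH_TEMPLATE.substitute(
        protocol=protocol, first_ip=first_ip, second_ip=second_ip
    )

# Python equivalent of the UDM regex /\\Policies\\/: backslash, Policies, backslash.
POLICIES_FOLDER = re.compile(r"\\Policies\\")

def excluded_by_policies_filter(full_path: str) -> bool:
    """True when the != clause would drop this event (a folder named Policies)."""
    return POLICIES_FOLDER.search(full_path) is not None

# Constructed sample values of target.file.full_path, not real telemetry.
SAMPLE_PATHS = [
    r"\\dc01\SYSVOL\corp.example\Policies\{GUID}\gpt.ini",  # GPO share, excluded
    r"\\dc01\SYSVOL\corp.example\scripts\logon.bat",       # kept
    r"\\fs01\share\Policies.docx",                          # file, not folder: kept
]

def apply_exclusion(paths: list[str]) -> list[str]:
    """Return the paths that survive the Policies exclusion."""
    return [p for p in paths if not excluded_by_policies_filter(p)]
```

The third sample path shows why the regex anchors on the surrounding backslashes: a file merely named Policies is not a folder and stays in the result set.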
Finally, on the left side of the screen, we can hover over our saved search and three dots will appear. We can click on those three dots and either delete our saved search or share it across our organization. Once we are happy with our modifications, click Save Edits to save our search. The Save Edits button changes to a Load Search button as soon as the modification has been saved, and when we click Load Search we get a prompt for our parameterized fields. Once we enter them, our search appears with our additional criteria added to it.
Now, when we run our search, we get results of SMB traffic between these IP address pairs but without those policy files. If we want to save our search without those parameterized values, we can click on the three dots to the right of the search button and click Save Search. The search manager pop-up will appear and the new saved search can be named and tuned further if desired.
I hope this provides a good introduction to the saved searches functionality within Chronicle. Saved searches can be parameterized or static, and they can be shared across an organization or kept for yourself. Existing searches can be saved and used as baselines for future saved searches. And don’t forget, we can always take an existing saved search and modify it before running it!