Questions on Chronicle Asset Prevalence

As per https://cloud.google.com/chronicle/docs/investigation/investigate-asset#:~:text=Prevalence%20measure....


Prevalence measures the number of assets within your enterprise connected to a specific domain over the past seven days. More assets connecting to a domain means that the domain has greater prevalence within your enterprise. High prevalence domains, such as google.com, are unlikely to require investigation.


I have a few questions on prevalence:

  1. Is it unique assets?
  2. How do you define assets (i.e. asset ID as per Chronicle, user, IP address, etc.)?
  3. Is it calculated per day for the last 7 days and the maximum of that taken, or calculated over the overall 7 days?


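The distinction behind question 3 (unique assets over the whole seven-day window versus a per-day count with the maximum taken) is easiest to see on data. The following is an added example, not code from this thread and not Chronicle's implementation or data model: the event tuples, hostnames, domains and the window end are all constructed, and the field shape only loosely mirrors UDM's principal.hostname / target.domain. It computes both readings over the same sample log and shows where they diverge, and finishes with the low-prevalence domains an analyst would look at first.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample "network connection" events: (event time, asset hostname,
# contacted domain). Made-up data for illustration, not Chronicle output.
SAMPLE_EVENTS = [
    # One asset hitting the same domain twice on one day (must count once).
    ("2024-03-01T09:05:00Z", "laptop-01", "google.com"),
    # A domain touched by a different single asset on each of three days:
    # 3 unique assets over the window, but never more than 1 on any day.
    ("2024-03-01T10:00:00Z", "laptop-01", "updates.example.com"),
    ("2024-03-02T10:00:00Z", "laptop-02", "updates.example.com"),
    ("2024-03-03T10:00:00Z", "laptop-03", "updates.example.com"),
    # A domain seen from one asset only, twice within a few minutes.
    ("2024-03-06T02:13:00Z", "laptop-04", "rare.example.net"),
    ("2024-03-06T02:20:00Z", "laptop-04", "rare.example.net"),
    # An event older than the seven-day window; must be ignored entirely.
    ("2024-02-20T12:00:00Z", "laptop-01", "old.example.org"),
]
# Five assets contacting google.com on every day of the window.
for _day in range(1, 8):
    for _n in range(1, 6):
        SAMPLE_EVENTS.append((f"2024-03-0{_day}T09:00:00Z", f"laptop-0{_n}", "google.com"))

# Constructed window end; the window is the seven days ending here.
WINDOW_END = datetime(2024, 3, 7, 23, 59, 59, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse the constructed ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_window(events, end, days):
    """Yield (time, host, domain) for events inside (end - days, end]."""
    start = end - timedelta(days=days)
    for ts, host, domain in events:
        t = parse_ts(ts)
        if start < t <= end:
            yield t, host, domain


def prevalence_over_window(events, domain, end=WINDOW_END, days=7) -> int:
    """Reading A: distinct assets that contacted `domain` anywhere in the window."""
    return len({host for _, host, d in _in_window(events, end, days) if d == domain})


def prevalence_daily_max(events, domain, end=WINDOW_END, days=7) -> int:
    """Reading B: distinct assets per calendar day, then the busiest day's count."""
    per_day = defaultdict(set)
    for t, host, d in _in_window(events, end, days):
        if d == domain:
            per_day[t.date()].add(host)
    return max((len(hosts) for hosts in per_day.values()), default=0)


def low_prevalence_domains(events, max_assets=1, end=WINDOW_END, days=7) -> dict:
    """Domains contacted by at most `max_assets` distinct assets in the window.

    These are the triage candidates; a domain like google.com that every asset
    talks to is the one that does not need investigating.
    """
    assets_by_domain = defaultdict(set)
    for _, host, d in _in_window(events, end, days):
        assets_by_domain[d].add(host)
    return {d: len(a) for d, a in sorted(assets_by_domain.items()) if len(a) <= max_assets}


if __name__ == "__main__":
    for dom in ("google.com", "updates.example.com", "rare.example.net", "old.example.org"):
        print(f"{dom:22} window={prevalence_over_window(SAMPLE_EVENTS, dom)} "
              f"daily_max={prevalence_daily_max(SAMPLE_EVENTS, dom)}")
    print("low prevalence:", low_prevalence_domains(SAMPLE_EVENTS))
```

updates.example.com is the case that separates the two readings: three distinct assets over the week, but a per-day maximum of one. Which number you get matters for any detection that weights on prevalence, so it is worth confirming against the actual product before relying on a threshold.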

Good afternoon, 

An asset is classed as an endpoint such as a laptop / server / VM etc. Chronicle will correlate all logs relating to that asset from EDR, DHCP, Windows events, firewall, network and give a view of the activity over a period of time. 

Each day is calculated as per your search query; the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through whatever days / time ranges you would like. 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low-prevalence domains from intelligence feeds and VirusTotal. 

Happy to show you this in the software if you would like. 

Each day is calculated as per your search query; the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through whatever days / time ranges you would like. 

Does it mean that prevalence would be calculated for each day based on the search criteria and the maximum would be shown? 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low-prevalence domains from intelligence feeds and VirusTotal. 

What role does prevalence play in this? @darrenswift 

Hi Strider, 

In short, yes to your first question: each time you search an asset this is calculated, or if you click through from an IOC or detection rule to an asset you get the same. 

The second part is probably easier explained here: https://chroniclesec.medium.com/powering-security-operations-with-context-aware-detections-alert-pri... 

This is part of our wider initiatives on how to add contextual elements to an alert which an analyst would normally have to add manually, risk score this and thus prioritise an analyst's focus on high-fidelity alerts. Prevalence can be related here, as it is another weighting factor to consider during a detection. 

I hope this helps 

So the document states 7 days (https://cloud.google.com/chronicle/docs/investigation/investigate-asset#:~:text=Prevalence%20measure...) but it seems to be based on the search range... I am a bit confused.

Is it possible to bring in our own prevalence score? @darrenswift