Learn the technical aspects of Chronicle you need to know and how it can help you detect and respond to threats.
Overview
Syllabus
- Foundations of Chronicle
  - Overview: What is Chronicle, and why is it useful?
  - Overview: Chronicle demo
  - Overview: Chronicle website
  - Overview: Chronicle help documentation
  - User Interface: Structured query search
  - User Interface: Raw log scan
  - User Interface: Chronicle Views (incl. IP view, Domain view, Hash view, Asset view)
  - User Interface: Enterprise Insights
  - User Interface: Dashboard Views
  - User Interface: Rules Views, Rule Dashboard, Managed Analytics, Rule Editor
  - Other Fundamental Chronicle Concepts: UDM Overview
  - Other Fundamental Chronicle Concepts: UDM Help Center Documentation
- Collecting and Parsing Data
  - Getting Data: List of supported data / log sources
  - Getting Data: Methods of ingesting data into Chronicle
  - Getting Data: How-to guide for ingesting AWS logs into Chronicle
  - Getting Data: Feed Management API
  - Getting Data: How-to guide for troubleshooting Forwarder issues / monitoring Forwarder health
  - Getting Data: When to use the Ingest API vs. the Feed Management UI or Forwarder
  - Getting Data: How-to guide: Overview of the Ingest API with example configuration
  - Getting Data: Help Center on the Ingestion API
  - Parsing Data: Overview of writing parsers
  - Parsing Data: Parser API overview
  - Parsing Data: Supported default parsers
  - Parsing Data: When to use default parsers
  - Parsing Data: How-to: JSON parser example guide
  - Parsing Data: How-to: KeyValue parser example guide
  - Parsing Data: How-to: GROK parser example guide
- Access
  - Authentication: How to configure IdPs, using GCP as an example
  - Authentication: How-to guide for configuring Okta IdP
  - Authentication: How-to guide for configuring Azure IdP
  - Authentication: How-to guide for configuring Cloud Identity IdP
  - Authorization: Role-Based Access Control overview
  - Authorization: Help Center: Role-Based Access Control (RBAC)
  - Authorization: Help Center: Roles and permissions
- Building Rules to Find Threats
  - Rules overview
  - Help Center: Rules dashboard
  - Rules Engine overview
  - Help Center: Rules editor
  - Demo: Building a YARA-L rule
  - YARA-L 2.0 language syntax
  - How to write a single-event / multi-event rule
  - How to write a rule for EntityGraph
  - How to deploy a rule using the Detection API
  - Detection API overview
  - Rule Detections View (finding a rule's detections in the Rule Detections view UI)
  - Troubleshooting Rules: Community Help Forum
- Investigating Threats
  - Ways to investigate a threat
  - Demoing the Chronicle search UI
  - Looker Help Center
  - Chronicle Search API
  - Accessing the Chronicle Data Lake
  - Chronicle Data Lake structure - reference (incl. Datasets & Tables, Schema, Retention)
  - What is BigQuery, and how can you use it to hunt for and report threats?
  - Exercise files
  - Reference: SQL functions
  - Reference: Understanding repeated fields / joining data & enums
- Responding to Threats
  - How to respond to threats, best practices, and the recommendation to use a SOAR for systematic responses
  - How-to guide for Siemplify integration
  - Siemplify documentation (e.g. APIs)
- Quiz
  - Chronicle Technical Training Quiz
- Your Next Steps
  - Course Badge