Chronicle Technical Training

Offered By: Google via Google Cloud Skills Boost

Tags

Cybersecurity Courses, Incident Response Courses, Data Collection Courses, Threat Detection Courses

Course Description

Overview

Learn the technical aspects of Chronicle you need to know, and how it can help you detect and respond to threats.

Syllabus

  • Foundations of Chronicle
    • Overview: What is Chronicle, and why is it useful?
    • Overview: Chronicle demo
    • Overview: Chronicle website
    • Overview: Chronicle help documentation
    • User Interface: Structured query search
    • User Interface: Raw log scan
    • User Interface: Chronicle Views (incl. IP view, Domain view, Hash view, Asset view)
    • User Interface: Enterprise Insights
    • User Interface: Dashboard Views
    • User Interface: Rules View, Rule Dashboard, Managed Analytics, Rule Editor
    • Other Fundamental Chronicle Concepts: UDM Overview
    • Other Fundamental Chronicle Concepts: UDM Help Center documentation
  • Collecting and Parsing Data
    • Getting Data: List of supported data / log sources
    • Getting Data: Methods of ingesting data into Chronicle
    • Getting Data: How-to guide for ingesting AWS logs into Chronicle
    • Getting Data: Feed Management API
    • Getting Data: How-to guide for troubleshooting Forwarder issues / monitoring Forwarder health
    • Getting Data: When to use the Ingest API vs. the Feed Management UI or Forwarder
    • Getting Data: How-to guide: Overview Ingest API with example configuration
    • Getting Data: Help Center on Ingestion API
    • Parsing data: Overview of writing parsers
    • Parsing data: Parser API overview
    • Parsing Data: Supported Default Parsers
    • Parsing data: When to use default parsers
    • Parsing Data: How-to: JSON parser example guide
    • Parsing Data: How-to: KeyValue example guide
    • Parsing data: How-to: GROK example guide
  • Access
    • Authentication: How to configure IdPs, using GCP as an example
    • Authentication: How-to guide for configuring Okta IdP
    • Authentication: How-to guide for configuring Azure IdP
    • Authentication: How-to guide for configuring Cloud Identity IdP
    • Authorization: Role Based Access Control overview
    • Authorization: Help Center: Role-Based Access Control (RBAC)
    • Authorization: Help Center: Roles and permissions
  • Building Rules to Find Threats
    • Rules overview
    • Help Center: Rules dashboard
    • Rules Engine overview
    • Help Center: Rules editor
    • Demo: Building a YARA-L Rule
    • YARA-L 2.0 language syntax
    • How to write a rule for a single / multi-event
    • How to write a rule for EntityGraph
    • How to Deploy a rule using the Detection API
    • Detection API overview
    • Rule Detections View (Finding detections of rule in the rule detection view UI)
    • Troubleshooting Rules: Community Help Forum
  • Investigating Threats
    • Ways to investigate a threat
    • Demoing the Chronicle search UI
    • Looker Help Center
    • Chronicle Search API
    • Accessing the Chronicle Data Lake
    • Chronicle Data Lake structure - reference (incl. Dataset & Tables, Schema, Retention)
    • What is BigQuery and how can you use it to hunt for and report threats?
    • Exercise Files
    • Reference: SQL functions
    • Reference: Understanding repeated fields/ Joining Data & Enums
  • Responding to Threats
    • How to respond to threats: best practices, and the recommendation to use a SOAR for systematic response
    • How-to guide for Siemplify integration
    • Siemplify documentation (e.g. APIs)
  • Quiz
    • Chronicle Technical Training Quiz
  • Your Next Steps
    • Course Badge
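As an added illustration of the pipeline the "Collecting and Parsing Data" and "Building Rules to Find Threats" modules cover (this is example code written for this page, not Chronicle's own parser configuration and not a YARA-L rule), the block below normalizes two constructed log formats (a JSON line and key=value lines) into a small UDM-like structure, then runs a single-event rule (a login from an IP on a reference list) and a multi-event rule (repeated failures followed by a success from the same IP within a time window) over the result. The field names metadata.event_type, principal.ip, target.user and security_result.action are assumptions loosely modelled on UDM; the sample log lines and the bad-IP list are constructed.

```python
"""Normalize constructed log lines into a small UDM-like event dict, then run a
single-event and a multi-event detection over them.

Illustration only (added for this page): Chronicle parsers and YARA-L rules have
their own syntax. The schema below (metadata.event_type, principal.ip,
target.user, security_result.action) is an assumption loosely modelled on UDM.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input (not real logs): one JSON line in the style of a
# cloud audit log, then key=value lines in the style of an appliance log.
SAMPLE_LOGS = [
    '{"ts": "2024-03-01T10:00:00Z", "event": "login", "result": "failure",'
    ' "src_ip": "203.0.113.7", "user": "alice"}',
    'time=2024-03-01T10:00:20Z action=login status=failure src=203.0.113.7 user=alice',
    'time=2024-03-01T10:00:40Z action=login status=failure src=203.0.113.7 user=alice',
    'time=2024-03-01T10:01:00Z action=login status=success src=203.0.113.7 user=alice',
    'time=2024-03-01T10:05:00Z action=login status=failure src=198.51.100.9 user=bob',
    'time=2024-03-01T10:06:00Z action=logout status=success src=203.0.113.7 user=alice',
]

# Constructed reference list standing in for a threat-intel IP list.
BAD_IPS = {"198.51.100.9"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Key=value parser: returns a flat dict, with quoted values unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def to_udm(line):
    """Pick a parser by shape and map vendor field names onto the shared schema.
    Returns None for events the schema does not cover (here: anything but login)."""
    if line.lstrip().startswith("{"):
        raw = json.loads(line)
        ts, action, result = raw["ts"], raw["event"], raw["result"]
        ip, user = raw["src_ip"], raw["user"]
    else:
        raw = parse_kv(line)
        ts, action, result = raw["time"], raw["action"], raw["status"]
        ip, user = raw["src"], raw["user"]
    if action != "login":
        return None
    return {
        "metadata": {
            # fromisoformat needs an explicit offset; 'Z' is rewritten to +00:00
            "event_timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_type": "USER_LOGIN",
        },
        "principal": {"ip": ip},
        "target": {"user": user},
        "security_result": {"action": "BLOCK" if result == "failure" else "ALLOW"},
    }


def normalize(lines):
    """Parse every line; drop lines the mapping does not produce an event for."""
    return [e for e in (to_udm(line) for line in lines) if e is not None]


def rule_login_from_listed_ip(events):
    """Single-event rule: any login event whose source IP is on the reference list."""
    return [
        (e["principal"]["ip"], e["target"]["user"])
        for e in events
        if e["metadata"]["event_type"] == "USER_LOGIN" and e["principal"]["ip"] in BAD_IPS
    ]


def rule_bruteforce_then_success(events, min_failures=3, window_s=300):
    """Multi-event rule: at least min_failures failed logins from one IP, followed
    by a successful login from the same IP within window_s seconds."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["metadata"]["event_timestamp"]):
        by_ip[e["principal"]["ip"]].append(e)
    detections = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["security_result"]["action"] != "ALLOW":
                continue
            t = e["metadata"]["event_timestamp"]
            failures = [
                f for f in evs[:i]
                if f["security_result"]["action"] == "BLOCK"
                and (t - f["metadata"]["event_timestamp"]).total_seconds() <= window_s
            ]
            if len(failures) >= min_failures:
                detections.append({"ip": ip, "user": e["target"]["user"], "failures": len(failures)})
    return detections


if __name__ == "__main__":
    udm = normalize(SAMPLE_LOGS)
    print(f"{len(udm)} login events normalized from {len(SAMPLE_LOGS)} lines")
    print("single-event hits:", rule_login_from_listed_ip(udm))
    print("multi-event detections:", rule_bruteforce_then_success(udm))
```

Chronicle's own parsers are written in a Logstash-like configuration syntax and its rules in YARA-L 2.0; the point this stand-in makes is that once vendor fields are mapped onto one schema, both the single-event and the multi-event rule are written once against that schema and apply to every source format feeding it.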
