SIEM (Security Information and Event Management) is an application that collects, aggregates, and analyzes log data to monitor critical activities within an organization.
Chronicle is a cloud-based SIEM platform built on Google’s core infrastructure. It allows enterprises to securely retain, analyze, and search massive amounts of security and network telemetry.
In Chronicle, security analysts can search for events using the search field. Procedural Filtering allows users to apply filters to refine search results further, such as including or excluding specific event types or log sources. Additionally, Chronicle supports YARA-L, a specialized language used to create rules for searching through ingested log data.
There are two primary search modes in Chronicle:
- Unified Data Model (UDM) Search: The default search mode in Chronicle, UDM Search queries data that has been ingested, parsed, and normalized, making searches faster due to the indexed and structured data.
- Raw Log Search: This mode searches through unparsed, raw logs. While more flexible in terms of data points you can query (e.g., usernames, filenames, hashes), it is slower than UDM Search. Regular expressions can also be used to match specific patterns.
You are a security analyst at a financial services company. An alert is raised indicating that an employee received a phishing email. Upon reviewing the alert, you identify a suspicious domain in the email body: signin.office365x24.com. Your task is to investigate whether other employees received similar emails, whether anyone visited the domain, and determine any further threats. You will use Chronicle to investigate this domain.
- Access threat intelligence reports on the domain.
- Identify which assets accessed the domain.
- Evaluate the HTTP events associated with the domain.
- Determine which assets submitted login information to the domain.
- Identify any additional related domains.
- Access your Chronicle account.
-
In the search bar, type
signin.office365x24.comand click Search. UnderDOMAINS, selectsignin.office365x24.comto view the results. The following are key points from the legacy view, VirusTotal (VT) integration, and the IP address40.100.174.34:-
Image 1: Legacy View
-
Image 2: VT View
-
Image 3: IP Address
40.100.174.34
-
| Observe | Description | Note |
|---|---|---|
| VT Context | Provides VirusTotal information about the domain. | Chronicle identified that 7 security vendors flagged this domain as malicious. |
| WHOIS | Summarizes information about the domain, including owner contact details and registration data. | Useful for determining the origin of malicious websites. The domain was first seen 7 months ago, as of February 10th, 2024. |
| Prevalence | Displays the historical access pattern of the domain. | The domain was accessed on July 9th, 2023, and February 10th, 2024. |
| Resolved IP | Provides IP addresses associated with the domain. | Two IP addresses map to signin.office365x24.com: 104.215.148.63 & 40.100.174.34. |
| Sibling Domains | Displays related domains under the same parent domain. | One sibling domain found: login.office365x24.com. |
| ET Intelligence Rep List | Includes threat intelligence details from ProofPoint's Emerging Threats (ET) Intelligence Rep List. | Category: Drop site for logs or stolen credentials. Confidence: 22/127, Severity: Medium, Active from: 2018-12-31 T00:00:00Z, Active until: 2019-01-08 T00:00:00Z. More info can be found here. |
| Timeline | Details the events and interactions with the domain. | Reveals HTTP requests, including GET and POST methods. |
| ASSETS | Lists assets that accessed the domain. | 6 assets accessed the domain. |
- According to the ET Intelligence Rep List,
signin.office365x24.comis categorized as a "Drop site for logs or stolen credentials." - The following assets accessed the domain:
ashton-davidson-pcbruce-monroe-pccoral-alvarez-pcemil-palmer-pcjude-reyes-pcroger-spence-pc
- The IP address
40.100.174.34is linked to bothsignin.office365x24.comandsignin.accounts-google.com. - Several
POSTrequests were made tosignin.office365x24.com, targeting URLs likehttp://signin.office365x24.com/login.php.