Google Chronicle Backstory

Overview


Use the Google Chronicle Backstory integration to retrieve asset alerts or IOC Domain matches as incidents, and to fetch the list of assets that accessed a given indicator. This integration also provides reputation and threat enrichment for indicators observed in the enterprise.

Configure Google Chronicle Backstory on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Google Chronicle Backstory.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • User's Service Account JSON
    • Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these categories are treated as "malicious" when executing reputation commands.
    • Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these categories are treated as "suspicious" when executing reputation commands.
    • Specify the severity of indicator that should be treated as "malicious" irrespective of its category. For example, to treat all indicators with High severity as malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. Applies to reputation commands only.
    • Specify the severity of indicator that should be treated as "suspicious" irrespective of its category. For example, to treat all indicators with Medium severity as suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. Applies to reputation commands only.
    • Specify the numeric "confidence score" threshold for "malicious". An indicator whose confidence score is equal to or above this threshold is treated as malicious. The value must be greater than the suspicious threshold. Applies to reputation commands only.
    • Specify the numeric "confidence score" threshold for "suspicious". An indicator whose confidence score is equal to or above this threshold is treated as suspicious. The value must be smaller than the malicious threshold. Applies to reputation commands only.
    • Select the confidence score level for "malicious". An indicator whose confidence score level is equal to or above the configured level is treated as malicious. The level configured here must have higher precedence than the suspicious level. Applies to reputation commands only. Confidence score level precedence: UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Select the confidence score level for "suspicious". An indicator whose confidence score level is equal to or above the configured level is treated as suspicious. The level configured here must have lower precedence than the malicious level. Applies to reputation commands only. Confidence score level precedence: UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Fetches incidents
    • First fetch time interval. The time range to consider for the initial data fetch (<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year).
    • How many incidents to fetch each time
    • Backstory Alert Type (Select the type of data to consider for fetch incidents).
    • Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (Default: No Selection).
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


The fetch-incidents feature pulls events from Google Chronicle and converts them into actionable incidents for further investigation. Demisto calls this function every minute to import new incidents; enable it with the "Fetches incidents" parameter in the integration configuration.

Two data sources can be configured: asset alerts (gcb-list-alerts) or IOC domain matches (gcb-list-iocs).

Configuration Parameters for Fetch-incidents

Name | Initial Value
First fetch time interval. The time range to consider for the initial data fetch (<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year). | 3 days
How many incidents to fetch each time. | 10
Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified'. Only applicable for asset alerts. | No Selection (default)
Backstory Alert Type (Select the type of data to consider for fetch incidents). Options: IOC Domain matches, Assets with alerts. | IOC Domain matches

Incident field mapping - Asset Alerts

Name | Initial Value
name | <AlertName> for <Asset>
rawJSON | Single Raw JSON
details | Single Raw JSON
severity | Severity of Alert

Incident field mapping - IOC Domain matches

Name | Initial Value
name | IOC Domain Match: <Artifact>
rawJSON | Single Raw JSON
details | Single Raw JSON
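The fetch-incidents configuration and the two incident field mappings above, worked through as an added example: it converts the "First fetch time interval" parameter into an RFC 3339 start_time, and builds incident dicts from gcb-list-alerts and gcb-list-iocs results. This is illustration code, not the integration's own implementation; the numeric severities 1/2/3 for Low/Medium/High follow Demisto's incident severity scale and are an assumption here, and the sample inputs are constructed from the context examples on this page.

```python
# Added illustration of the fetch-incidents assembly documented above; not the
# integration's own code. Severity numbers 1/2/3 for Low/Medium/High follow
# Demisto's incident severity scale and are an assumption for this example.
import json
from datetime import datetime, timedelta

UNIT_DAYS = {"day": 1, "days": 1, "week": 7, "weeks": 7,
             "month": 30, "months": 30, "year": 365, "years": 365}  # months/years approximated
SEVERITY_MAP = {"Low": 1, "Medium": 2, "High": 3}
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"

def first_fetch_start_time(interval, now):
    """Turn the 'First fetch time interval' parameter (<number> <unit>, e.g. '3 days')
    into an RFC 3339 start_time relative to `now` (a UTC datetime or RFC 3339 string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, RFC3339)
    number, unit = interval.strip().split()
    n, unit = int(number), unit.lower()
    if unit in ("hour", "hours"):
        delta = timedelta(hours=n)
    elif unit in UNIT_DAYS:
        delta = timedelta(days=n * UNIT_DAYS[unit])
    else:
        raise ValueError("unsupported unit: " + unit)
    return (now - delta).strftime(RFC3339)

def alerts_to_incidents(alerts, severity_filter=None, max_fetch=10):
    """Asset alerts -> incidents named '<AlertName> for <Asset>' with rawJSON, details
    and severity, honouring the severity filter and the per-fetch limit."""
    incidents = []
    for asset in alerts:
        for info in asset.get("AlertInfo", []):
            if severity_filter and info.get("Severity") not in severity_filter:
                continue
            raw = dict(info, AssetName=asset.get("AssetName"))
            incidents.append({
                "name": "{} for {}".format(info.get("Name"), asset.get("AssetName")),
                "rawJSON": json.dumps(raw),
                "details": json.dumps(raw),
                "severity": SEVERITY_MAP.get(info.get("Severity"), 0),
            })
    return incidents[:max_fetch]

def iocs_to_incidents(iocs, max_fetch=10):
    """IOC domain matches -> incidents named 'IOC Domain Match: <Artifact>'."""
    return [{"name": "IOC Domain Match: " + ioc.get("Artifact", ""),
             "rawJSON": json.dumps(ioc), "details": json.dumps(ioc)}
            for ioc in iocs][:max_fetch]

# Constructed from the gcb-list-alerts and gcb-list-iocs context examples on this page.
SAMPLE_ALERTS = [{"AssetName": "rosie-hayes-pc", "AlertCounts": 1, "AlertInfo": [
    {"Timestamp": "2020-02-14T03:02:36Z", "SourceProduct": "Internal Alert",
     "Name": "Authentication failure [32038]", "Severity": "Medium"}]}]
SAMPLE_IOCS = [{"Artifact": "anx.tb.ask.com", "IocIngestTime": "2020-02-06T22:00:00Z",
                "FirstAccessedTime": "2018-10-03T02:12:51Z",
                "LastAccessedTime": "2020-02-14T05:59:27Z"}]

if __name__ == "__main__":
    print(first_fetch_start_time("3 days", "2020-02-14T06:00:00Z"))  # 2020-02-11T06:00:00Z
    print(alerts_to_incidents(SAMPLE_ALERTS)[0]["name"])
    print(iocs_to_incidents(SAMPLE_IOCS)[0]["name"])
```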

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. gcb-list-iocs
  2. gcb-assets
  3. ip
  4. domain
  5. gcb-ioc-details
  6. gcb-list-alerts

1. gcb-list-iocs


Lists the IOC Domain matches within your enterprise for the specified time interval. An indicator of compromise (IOC) domain match is a domain that your security infrastructure has flagged as suspicious and that has also been seen recently within your enterprise.

Base Command

gcb-list-iocs

Input

Argument Name | Description | Required
preset_time_range | Fetches IOC Domain matches in the specified time interval. If configured, overrides the start_time argument. | Optional
start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than the current time. | Optional
page_size | The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000. | Optional

Context Output

Path | Type | Description
Domain.Name | String | The domain name of the artifact.
GoogleChronicleBackstory.Iocs.Artifact | String | The indicator artifact.
GoogleChronicleBackstory.Iocs.IocIngestTime | Date | Time (UTC) the IOC was first seen by Chronicle.
GoogleChronicleBackstory.Iocs.FirstAccessedTime | Date | Time (UTC) the artifact was first seen within your enterprise.
GoogleChronicleBackstory.Iocs.LastAccessedTime | Date | Time (UTC) the artifact was most recently seen within your enterprise.
GoogleChronicleBackstory.Iocs.Sources.Category | String | Source category; represents the behavior of the artifact.
GoogleChronicleBackstory.Iocs.Sources.IntRawConfidenceScore | Number | The numeric confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.NormalizedConfidenceScore | String | The normalized confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.RawSeverity | String | The severity of the IOC as reported by the source.
GoogleChronicleBackstory.Iocs.Sources.Source | String | The source that reported the IOC.
Command Example

!gcb-list-iocs page_size=1 preset_time_range="Last 1 day"

Context Example

{
  "GoogleChronicleBackstory.Iocs": [
    {
      "FirstAccessedTime": "2018-10-03T02:12:51Z",
      "Sources": [
        {
          "Category": "Spyware Reporting Server",
          "RawSeverity": "Medium",
          "NormalizedConfidenceScore": "Low",
          "IntRawConfidenceScore": 0,
          "Source": "ET Intelligence Rep List"
        }
      ],
      "LastAccessedTime": "2020-02-14T05:59:27Z",
      "Artifact": "anx.tb.ask.com",
      "IocIngestTime": "2020-02-06T22:00:00Z"
    }
  ],
  "Domain": [
    {
      "Name": "anx.tb.ask.com"
    }
  ]
}
Human Readable Output

IOC Domain Matches

Domain | Category | Source | Confidence | Severity | IOC ingest time | First seen | Last seen
anx.tb.ask.com | Spyware Reporting Server | ET Intelligence Rep List | Low | Medium | 7 days ago | a year ago | 3 hours ago

2. gcb-assets


Returns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.

Base Command

gcb-assets

Input

Argument Name | Description | Required
artifact_value | The artifact indicator associated with assets. The artifact type can be one of the following: IP, Domain, MD5, SHA1, or SHA256. | Required
preset_time_range | Fetches assets that accessed the artifact during the specified interval. If configured, overrides the start_time and end_time arguments. | Optional
start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than the current time. | Optional
end_time | The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the current UTC time. | Optional
page_size | The maximum number of assets to return. You can specify between 1 and 10000. The default is 10000. | Optional

Context Output

Path | Type | Description
GoogleChronicleBackstory.Asset.HostName | String | The hostname of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.IpAddress | String | The IP address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.MacAddress | String | The MAC address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.ProductId | String | The Product ID of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.AccessedDomain | String | The domain artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedIP | String | The IP address artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedMD5 | String | The MD5 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA1 | String | The SHA1 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA256 | String | The SHA256 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.FirstAccessedTime | Date | The time when the asset first accessed the artifact.
GoogleChronicleBackstory.Asset.LastAccessedTime | Date | The time when the asset last accessed the artifact.
Host.Hostname | String | The hostname of the asset that accessed the artifact.
Host.ID | String | The Product ID of the asset that accessed the artifact.
Host.IP | String | The IP address of the asset that accessed the artifact.
Host.MACAddress | String | The MAC address of the asset that accessed the artifact.
Command Example

!gcb-assets artifact_value=bing.com preset_time_range="Last 1 day"

Context Example

{
  "GoogleChronicleBackstory.Asset": [
    {
      "FirstAccessedTime": "2018-10-18T04:38:44Z",
      "AccessedDomain": "bing.com",
      "HostName": "james-anderson-laptop",
      "LastAccessedTime": "2020-02-14T07:13:33Z"
    },
    {
      "FirstAccessedTime": "2018-10-18T02:01:51Z",
      "AccessedDomain": "bing.com",
      "HostName": "roger-buchmann-pc",
      "LastAccessedTime": "2020-02-13T22:25:27Z"
    }
  ],
  "Host": [
    {
      "Hostname": "james-anderson-laptop"
    },
    {
      "Hostname": "roger-buchmann-pc"
    }
  ]
}
Human Readable Output

Assets related to artifact - bing.com

Host Name | Host IP | Host MAC | First Accessed Time | Last Accessed Time
james-anderson-laptop | - | - | 2018-10-18T04:38:44Z | 2020-02-14T07:13:33Z
roger-buchmann-pc | - | - | 2018-10-18T02:01:51Z | 2020-02-13T22:25:27Z

3. ip


Checks the reputation of an IP address.

Base Command

ip

Input

Argument Name | Description | Required
ip | The IP address to check. | Optional

Context Output

Path | Type | Description
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The vendor used to calculate the score.
DBotScore.Score | Number | The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad).
IP.Address | String | The IP address of the artifact.
IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision.
IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision.
GoogleChronicleBackstory.IP.IoCQueried | String | The artifact that was queried.
GoogleChronicleBackstory.IP.Sources.Address.IpAddress | String | The IP address of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.Domain | String | The domain name of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.Port | Number | The port number of the artifact.
GoogleChronicleBackstory.IP.Sources.Category | String | The behavior of the artifact.
GoogleChronicleBackstory.IP.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IP.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IP.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IP.Sources.Severity | String | Impact of the artifact on the enterprise.
Command Example

!ip ip=23.20.239.12

Context Example

{
  "IP": {
    "Address": "23.20.239.12"
  },
  "DBotScore": {
    "Vendor": "Google Chronicle Backstory",
    "Indicator": "23.20.239.12",
    "Score": 0,
    "Type": "ip"
  },
  "GoogleChronicleBackstory.IP": {
    "Sources": [
      {
        "Category": "Known CnC for Mobile specific Family",
        "FirstAccessedTime": "2018-12-05T00:00:00Z",
        "Severity": "High",
        "ConfidenceScore": 70,
        "Address": [
          {
            "IpAddress": "23.20.239.12",
            "Port": [
              80
            ]
          }
        ],
        "LastAccessedTime": "2019-04-10T00:00:00Z"
      },
      {
        "Category": "Blocked",
        "FirstAccessedTime": "1970-01-01T00:00:00Z",
        "Severity": "High",
        "ConfidenceScore": "High",
        "Address": [
          {
            "Domain": "mytemplatewebsite.com",
            "Port": ""
          },
          {
            "IpAddress": "23.20.239.12",
            "Port": ""
          }
        ],
        "LastAccessedTime": "2020-02-16T08:56:06Z"
      }
    ],
    "IoCQueried": "23.20.239.12"
  }
}
Human Readable Output

IP: 23.20.239.12 found with Reputation: Unknown

Reputation Parameters

Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time
- | 23.20.239.12 | Known CnC for Mobile specific Family | 70 | High | 2018-12-05T00:00:00Z | 2019-04-10T00:00:00Z
mytemplatewebsite.com | 23.20.239.12 | Blocked | High | High | 1970-01-01T00:00:00Z | 2020-02-16T08:56:06Z

4. domain


Checks the reputation of a domain.

Base Command

domain

Input

Argument Name | Description | Required
domain | The domain name to check. | Optional

Context Output

Path | Type | Description
DBotScore.Indicator | String | The indicator that was tested.
DBotScore.Type | String | The indicator type.
DBotScore.Vendor | String | The vendor used to calculate the score.
DBotScore.Score | Number | The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad).
Domain.Name | String | The domain name of the artifact.
Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision.
Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision.
GoogleChronicleBackstory.Domain.IoCQueried | String | The domain that was queried.
GoogleChronicleBackstory.Domain.Sources.Address.IpAddress | String | The IP address of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.Domain | String | The domain name of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.Port | Number | The port number of the artifact.
GoogleChronicleBackstory.Domain.Sources.Category | String | The behavior of the artifact.
GoogleChronicleBackstory.Domain.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.Domain.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.Domain.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.Domain.Sources.Severity | String | Impact of the artifact on the enterprise.
Command Example

!domain domain=bing.com

Context Example

{
  "GoogleChronicleBackstory.Domain": {
    "Sources": [
      {
        "Category": "Observed serving executables",
        "FirstAccessedTime": "2013-08-06T00:00:00Z",
        "Severity": "Low",
        "ConfidenceScore": 67,
        "Address": [
          {
            "Domain": "bing.com",
            "Port": [
              80
            ]
          }
        ],
        "LastAccessedTime": "2020-01-14T00:00:00Z"
      }
    ],
    "IoCQueried": "bing.com"
  },
  "Domain": {
    "Name": "bing.com"
  },
  "DBotScore": {
    "Vendor": "Google Chronicle Backstory",
    "Indicator": "bing.com",
    "Score": 0,
    "Type": "domain"
  }
}
Human Readable Output

Domain: bing.com found with Reputation: Unknown

Reputation Parameters

Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time
bing.com | - | Observed serving executables | 67 | Low | 2013-08-06T00:00:00Z | 2020-01-14T00:00:00Z

5. gcb-ioc-details


Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

Base Command

gcb-ioc-details

Input

Argument Name | Description | Required
artifact_value | The artifact indicator value. The supported artifact types are IP and domain. | Required

Context Output

Path | Type | Description
Domain.Name | String | The domain name of the artifact.
IP.Address | String | The IP address of the artifact.
GoogleChronicleBackstory.IocDetails.IoCQueried | String | The artifact entered by the user.
GoogleChronicleBackstory.IocDetails.Sources.Address.IpAddress | String | The IP address of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.Domain | String | The domain name of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.Port | Number | The port number of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Category | String | The behavior of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IocDetails.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IocDetails.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IocDetails.Sources.Severity | String | Impact of the artifact on the enterprise.
Command Example

!gcb-ioc-details artifact_value=23.20.239.12

Context Example

{
  "IP": {
    "Address": "23.20.239.12"
  },
  "GoogleChronicleBackstory.IocDetails": {
    "Sources": [
      {
        "Category": "Known CnC for Mobile specific Family",
        "FirstAccessedTime": "2018-12-05T00:00:00Z",
        "Severity": "High",
        "ConfidenceScore": 70,
        "Address": [
          {
            "IpAddress": "23.20.239.12",
            "Port": [
              80
            ]
          }
        ],
        "LastAccessedTime": "2019-04-10T00:00:00Z"
      },
      {
        "Category": "Blocked",
        "FirstAccessedTime": "1970-01-01T00:00:00Z",
        "Severity": "High",
        "ConfidenceScore": "High",
        "Address": [
          {
            "Domain": "mytemplatewebsite.com",
            "Port": ""
          },
          {
            "IpAddress": "23.20.239.12",
            "Port": ""
          }
        ],
        "LastAccessedTime": "2020-02-16T08:56:06Z"
      }
    ],
    "IoCQueried": "23.20.239.12"
  }
}
Human Readable Output

IoC Details

Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time
- | 23.20.239.12 | Known CnC for Mobile specific Family | 70 | High | 2018-12-05T00:00:00Z | 2019-04-10T00:00:00Z
mytemplatewebsite.com | 23.20.239.12 | Blocked | High | High | 1970-01-01T00:00:00Z | 2020-02-16T08:56:06Z

6. gcb-list-alerts


Lists all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.

Base Command

gcb-list-alerts

Input

Argument Name | Description | Required
preset_time_range | Fetches alerts for the specified time range. If configured, overrides the start_time and end_time arguments. | Optional
start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than the current time. | Optional
end_time | The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the current UTC time. | Optional
page_size | The maximum number of alerts to return. You can specify between 1 and 10000. The default is 10000. | Optional
severity | The severity by which to filter the returned alerts. If not supplied, all alerts are fetched. The possible values are "High", "Medium", "Low", or "Unspecified". | Optional

Context Output

Path | Type | Description
GoogleChronicleBackstory.Alert.AssetName | String | The asset identifier. It can be an IP address, MAC address, hostname or Product ID.
GoogleChronicleBackstory.Alert.AlertInfo.Name | String | The name of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.Severity | String | The severity of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.SourceProduct | String | The source of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.Timestamp | String | The time of the alert in Backstory.
GoogleChronicleBackstory.Alert.AlertCounts | Number | The total number of alerts.
Command Example

!gcb-list-alerts page_size=1 preset_time_range="Last 1 day"

Context Example

{
  "GoogleChronicleBackstory.Alert": [
    {
      "AssetName": "rosie-hayes-pc",
      "AlertInfo": [
        {
          "Timestamp": "2020-02-14T03:02:36Z",
          "SourceProduct": "Internal Alert",
          "Name": "Authentication failure [32038]",
          "Severity": "Medium"
        }
      ],
      "AlertCounts": 1
    }
  ]
}
Human Readable Output

Security Alert(s)

Alerts | Asset | Alert Names | First Seen | Last Seen | Severities | Sources
1 | rosie-hayes-pc | Authentication failure [32038] | 6 hours ago | 6 hours ago | Medium | Internal Alert