Chronicle SIEM alerts detection delay.

Hi everyone, 

Yesterday I noticed that there could be a problem with our SIEM. I'll give you an example:

In curated detections, there is a rule to catch the command 

cmd  /c "echo hello_chronicle_world!"

I've activated this rule to make some tests and noticed something weird. 

[attached screenshot: AThebrand_0-1697785217698.png]

As you can see in the picture above there are four different timestamps:

metadata.event_timestamp: this should be the timestamp at which the event was generated on the host
metadata.ingested_timestamp: this should be the timestamp at which the event was ingested into Chronicle
Detected at: this should be the timestamp at which the detection rule detected the event
Created: finally, this should be the timestamp at which the alert was created

If I'm right, why is there so much delay? The time between event creation and ingestion is minimal, but there is a one-hour delay between ingestion and detection and then another hour from detection to alert generation.

I don't know if it could be related, but the log type is WINDOWS_SYSMON and all the logs of this type reach Chronicle through the Chronicle forwarder for Linux.

I also want to point out that, to be sure the problem was not related to curated detections, I created a custom rule that matches the same things. The result is the same.

Thank you in advance.


In my analysis of instances of delayed ingestion | parsing | detection | alerting, I've also seen some delays.

Some delays are simple, e.g. if your detection logic ran every hour and the logs were ingested right after it ran. In this simple example the detection would occur almost an hour after ingest. But this is not your example; I think you ran your detection logic right after you created the event... maybe repeatedly until you got your result (alert).

I've seen some delays in Chronicle ingest/parsing compared to another SIEM we're running in parallel... in some instances I've observed the Chronicle logs are delayed... by 8 minutes in one example. We're working with our Google team to find out why.

 

Update: we found more info about log delays related to an EDR. The EDR is cloud-based and its logs are pushed to a cloud bucket. The bucket is then polled on a cadence, and the hop to the bucket and then to SIEM ingest, together with the cadence time, adds to log delays when compared to another SIEM we used.
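One way to turn the four timestamps from the original post into a per-stage breakdown, and to test the reply's point about scheduled rule runs, is to compute the host-to-ingest, ingest-to-detection and detection-to-alert delays separately and then check whether a detection-stage lag lines up with the rule's next run boundary. The script below is an added example, not Chronicle's code or anything posted in the thread. The field names mirror the four timestamps shown in the alert view; the detection records, the hourly epoch-aligned schedule and the 5-minute "slow" threshold are constructed assumptions for illustration.

```python
"""Break a SIEM detection's end-to-end delay into stages and check whether
the rule's run schedule accounts for the detection-stage lag.

Added example; not Chronicle's code. Field names mirror the four timestamps
visible in the alert view. The records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median


@dataclass(frozen=True)
class Detection:
    rule: str
    event_ts: datetime      # metadata.event_timestamp: generated on the host
    ingested_ts: datetime   # metadata.ingested_timestamp: received by the SIEM
    detected_ts: datetime   # "Detected at": the rule matched the event
    created_ts: datetime    # "Created": the alert was raised


STAGES = ("ingest", "detect", "alert")
HOURLY = timedelta(hours=1)   # assumed rule cadence for the schedule check


def parse_ts(text: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2023-10-20T07:00:10Z as UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def make(rule, event, ingested, detected, created) -> Detection:
    return Detection(rule, *map(parse_ts, (event, ingested, detected, created)))


# Constructed sample, not real exports. The first record mirrors the pattern in
# the post: near-instant ingest, about an hour to detect, another hour to alert.
SAMPLE = [
    make("hello_chronicle_world", "2023-10-20T07:00:10Z", "2023-10-20T07:00:15Z",
         "2023-10-20T08:00:20Z", "2023-10-20T09:00:30Z"),
    make("hello_chronicle_world", "2023-10-20T07:05:00Z", "2023-10-20T07:05:03Z",
         "2023-10-20T07:06:00Z", "2023-10-20T07:06:05Z"),
    make("hello_chronicle_world", "2023-10-20T07:10:00Z", "2023-10-20T07:10:04Z",
         "2023-10-20T08:00:30Z", "2023-10-20T08:00:35Z"),
]


def stage_latencies(d: Detection) -> dict:
    """Delay attributable to each hop: host->SIEM, SIEM->rule match, match->alert."""
    return {
        "ingest": d.ingested_ts - d.event_ts,
        "detect": d.detected_ts - d.ingested_ts,
        "alert": d.created_ts - d.detected_ts,
    }


def slowest_stage(d: Detection) -> str:
    lat = stage_latencies(d)
    return max(STAGES, key=lambda s: lat[s])


def next_scheduled_run(ts: datetime, interval: timedelta) -> datetime:
    """First run boundary strictly after ts for a rule that runs every
    `interval`, aligned to the Unix epoch (an hourly rule runs on the hour)."""
    step = interval.total_seconds()
    return datetime.fromtimestamp((ts.timestamp() // step + 1) * step, tz=timezone.utc)


def schedule_explains_detect_lag(d: Detection, interval: timedelta,
                                 tolerance: timedelta = timedelta(minutes=2)) -> bool:
    """True if the event was just waiting for the rule's next scheduled run,
    i.e. the detection time sits within `tolerance` of that run boundary."""
    expected = next_scheduled_run(d.ingested_ts, interval)
    return abs(d.detected_ts - expected) <= tolerance


def unexplained_stages(d: Detection, interval: timedelta,
                       threshold: timedelta = timedelta(minutes=5)) -> list:
    """Stages slower than `threshold` that the run schedule does not account for."""
    lat = stage_latencies(d)
    slow = [s for s in STAGES if lat[s] > threshold]
    if "detect" in slow and schedule_explains_detect_lag(d, interval):
        slow.remove("detect")
    return slow


def summarize(detections) -> dict:
    """Median latency per stage, in seconds, across many detections."""
    return {s: median(stage_latencies(d)[s].total_seconds() for d in detections)
            for s in STAGES}


if __name__ == "__main__":
    for d in SAMPLE:
        lat = {s: int(v.total_seconds()) for s, v in stage_latencies(d).items()}
        print(d.rule, lat, "slowest:", slowest_stage(d),
              "unexplained:", unexplained_stages(d, HOURLY))
    print("median seconds per stage:", summarize(SAMPLE))
```

For the first record the detection-stage hour is consistent with an hourly rule picking the event up at its next run, but the second hour, between "Detected at" and "Created", is not covered by any schedule and is the one worth raising with support. Running the same breakdown over a day of detections, rather than a single test alert, separates a one-off from a systematic lag in a specific stage.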