Can someone please help me here. Thanks!

This is a timely question as a part one of a two part blog is coming on-line later today around the alert graph. I will post that link once it is live, but it will be found in the Community Blog section of the site.

The listing of indicators are the fields within the nouns. The nouns that are supported are principal, target and src. So, the principal.hostname, target.hostname and src.hostname are supported in the alert graph but the observer.hostname, for example would not be.

For the alert to populate the graph, it uses that match variables and the outcome variables within a rule. So, the outcome section in the YARA-L rule needs to be populated for these details to fill in.

It's a fair point on the example. I have provided some updates around this page to revamp some of the information around indicators and can add the rule example to the list.

The rules within the our Github Community Rules provide numerous examples on how you could populate the alert graph with outcome variables.

Here is part one of a two part blog on using the alert graph https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Chronicle-Alert-Graph-Part-1/ba-p/707582