Skip to main content

Questions on Chronicle Asset Prevalence

  • March 10, 2022
  • 4 replies
  • 25 views
S
Forum|alt.badge.img+1

As per https://cloud.google.com/chronicle/docs/investigation/investigate-asset#:~:text=Prevalence%20measures%20the%20number%20of,are%20unlikely%20to%20require%20investigation.

 

Prevalence measures the number of assets within your enterprise connected to a specific domain over the past seven days. More assets connecting to a domain means that the domain has greater prevalence within your enterprise. High prevalence domains, such as google.com, are unlikely to require investigation.

 

I have few questions on prevalence:

  1. Is it unique assets?
  2. How do you define assets(ie asset id as per chronicle, user, IP address, etc.)?
  3. Is it calculated per day for last 7 day and maximum of that or calculated on overall 7 days?

 

4 replies

darrenswift
Staff
Forum|alt.badge.img+3
  • darrenswift
  • Staff
  • March 11, 2022

Good afternoon, 

An asset is classed as an end point such as a laptop / server / vm etc, Chronicle will correlate all logs relating to that asset from EDR, DHCP, Windows events, Firewall, network and give a view of the activity over a period of time. 

Each day is calculated as per your search query, the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through what days / time ranges you would like. 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low prevalence domains from intelligence feeds and Virus Total. 

Happy to show you this in the software if you would like. 

N
S
Forum|alt.badge.img+1
  • strider
  • Author
  • New Member
  • March 14, 2022

Good afternoon, 

An asset is classed as an end point such as a laptop / server / vm etc, Chronicle will correlate all logs relating to that asset from EDR, DHCP, Windows events, Firewall, network and give a view of the activity over a period of time. 

Each day is calculated as per your search query, the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through what days / time ranges you would like. 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low prevalence domains from intelligence feeds and Virus Total. 

Happy to show you this in the software if you would like. 


Each day is calculated as per your search query, the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through what days / time ranges you would like. 

Does it mean that prevalence would be calculated for each day based on search criteria and maximum would be shown? 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low prevalence domains from intelligence feeds and Virus Total. 

What role does prevalence play in this?  @darrenswift 

darrenswift
Staff
Forum|alt.badge.img+3
  • darrenswift
  • Staff
  • March 16, 2022

Each day is calculated as per your search query, the maximum range displayed in the prevalence chart in the UI is 1 day of activity, however you can filter and search through what days / time ranges you would like. 

Does it mean that prevalence would be calculated for each day based on search criteria and maximum would be shown? 

Prevalence is important as it allows Chronicle to use detection rules, reference prevalence and sequence events together, i.e. if A + B + C happen then alert and assign a risk score of X. Chronicle also builds in context cards about the low prevalence domains from intelligence feeds and Virus Total. 

What role does prevalence play in this?  @darrenswift 


Hi Strider, 

In short yes to your first question, each time you search an asset this is calculated, or if you click through from an IOC, detection rule to an asset you get the same. 

The second part is probably easier explained here: https://chroniclesec.medium.com/powering-security-operations-with-context-aware-detections-alert-prioritization-and-risk-scoring-a75389904917 

This is part of our wider initiatives on how to add contextual elements to an alert which an analyst would normally have to do manually, risk score this and thus prioritise an analysts focus on high fidelity alerts. Prevalence can be related here, as it is another weighting factor to consider during a detection. 

I hope this helps 

S
Forum|alt.badge.img+1
  • strider
  • Author
  • New Member
  • March 23, 2022

Hi Strider, 

In short yes to your first question, each time you search an asset this is calculated, or if you click through from an IOC, detection rule to an asset you get the same. 

The second part is probably easier explained here: https://chroniclesec.medium.com/powering-security-operations-with-context-aware-detections-alert-prioritization-and-risk-scoring-a75389904917 

This is part of our wider initiatives on how to add contextual elements to an alert which an analyst would normally have to do manually, risk score this and thus prioritise an analysts focus on high fidelity alerts. Prevalence can be related here, as it is another weighting factor to consider during a detection. 

I hope this helps 


So the document states 7 days (https://cloud.google.com/chronicle/docs/investigation/investigate-asset#:~:text=Prevalence%20measures%20the%20number%20of,are%20unlikely%20to%20require%20investigation) but it seems to be based on search range...I am bit confused.

Is it possible to bring in our own prevalence score? @darrenswift 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.