Chrome Extensions for Chronicle SIEM

Chris Martin (@thatsiemguy)
6 min read · May 12, 2023


I use Chrome extensions to make my day-to-day work with Chronicle SecOps more efficient. In this post, I explain the essential Chrome extensions for Chronicle SecOps.

An example 3rd party Chrome Extension that enhances your Chronicle SIEM workflow

Here be Dragons

🐉 Please note that all extensions are third-party software and are used at your own risk.

  • Only install extensions from trusted sources, and prefer open-source extensions whose code you can review.
  • Read the extension’s description carefully before installing it.
  • Check the permissions it requests at install time. An extension granted “Read and change all your data on all websites” can read everything you see in the Chronicle console, including the session itself; an extension that needs no host access (Powered Suit and World Clocks below run locally in the browser) is a much smaller risk.
  • Make sure the extension has a good rating and reviews.
  • Keep your extensions up to date, and watch for ownership changes; an extension that changes hands can ship new code with the next auto-update.
  • Disable or uninstall extensions that you no longer use.
  • In a managed fleet, enforce this with Chrome’s ExtensionInstallAllowlist / ExtensionInstallBlocklist enterprise policies rather than relying on each analyst’s judgement.

With that said, here are the Chrome extensions I use with the Chronicle SecOps suite to improve my day-to-day usage.

ATT&CK Powered Suit

ATT&CK Powered Suit is a free, open-source Chrome extension that lets you instantly search for MITRE ATT&CK techniques, groups, software, and more.

When used with Chronicle SecOps, the Powered Suit extension enables you to quickly look up additional contextual information for vendor alerts, user-defined YARA-L alerts, or Chronicle Curated Analytics, such as MITRE ATT&CK Tactics and Techniques.

This can help you understand the intent behind an alert or detection, as well as provide insights into response and mitigation options.

Using Powered Suit to look up MITRE ATT&CK tags from a Curated Detection

You can search for free-form text, but more often I use it to search for Tactics and Techniques by ID.

Example of searching for Tactics and Techniques at once

The extension is created by the Center for Threat-Informed Defense and is released for free in service of their mission to advance the state of the art and the state of the practice in threat-informed defense globally.

The Center for Threat-Informed Defense does not collect or share any data about users or their usage of ATT&CK Powered Suit. Search queries and other features are performed locally in the browser.

💡 Note: if you’re managing a Case via Chronicle SOAR, MITRE ATT&CK mappings are a native decoration you can add as part of a Playbook.

Related Links

Better Previews

Links & Search Preview is a Chrome extension that allows you to preview links and search results on the same page, without opening new tabs.

To preview a link, simply hover over it and click on the “preview” tooltip that appears. To perform a search in preview mode, select the text you want to search for and click on the “search” tooltip button that appears.

When used with Chronicle SIEM this makes it easier to stay in one tab rather than opening several, e.g., within Alert Graph, under the Graph Summary, you can pivot to the contextual enrichment views to investigate further around a File Hash, a User or Asset Context, or a YARA-L Rule, all without leaving the alert.

An example 3rd party Chrome Extension that enhances your Chronicle SIEM workflow

Once installed you will see “Preview Link” as an entry on your right-click menu; clicking it opens the embedded preview, which can be resized or minimized.

Related Links

World Clocks

Displays the current time for user-configured time zones.

Chronicle SIEM stores all timestamps in UTC. This extension is useful in conjunction with Chronicle SecOps when you need to quickly correlate an event or detection back to the local time a user reported it in, or to confirm which offset (standard or daylight) applied on the day in question.
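The conversion the World Clocks extension does by eye can be scripted when you need a reproducible search window. The following is an added example (not code from the original post or from the extension): it takes a constructed Chronicle-style UTC timestamp and renders it in several zones, and, in the other direction, turns a user-reported local time into a UTC search window. It also handles the DST edge cases where a local time is ambiguous (the clock repeats at fall-back) or nonexistent (the clock skips at spring-forward) by covering both possible readings. The timestamp, zones and slack value are assumptions for the demonstration; it needs Python 3.9+ for `zoneinfo`.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed example input: a UTC event timestamp in the RFC 3339 "Z" form
# Chronicle uses. Not taken from a real tenant.
EVENT_TS_UTC = "2023-05-12T19:04:37Z"
UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(ts: str) -> datetime:
    """Parse a UTC "Z" timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, UTC_FMT).replace(tzinfo=timezone.utc)


def utc_to_zones(ts: str, zones: list[str]) -> dict[str, str]:
    """Render one UTC timestamp in each analyst/user zone, with the
    abbreviation (BST, JST, ...) that applied on that date."""
    utc = parse_utc(ts)
    return {z: utc.astimezone(ZoneInfo(z)).strftime("%Y-%m-%d %H:%M %Z") for z in zones}


def local_report_to_utc_window(local_ts: str, zone: str, slack_minutes: int = 30) -> tuple[str, str]:
    """Turn a user-reported local time ("around 15:00 my time") into a UTC
    (start, end) window to paste into a Chronicle search.

    Both PEP 495 fold values are evaluated, so:
    - an ambiguous local time (fall-back hour) yields a window spanning both readings;
    - a nonexistent local time (spring-forward gap) yields a window straddling the gap;
    - an unambiguous time yields a window of +/- slack_minutes around a single instant.
    """
    tz = ZoneInfo(zone)
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M")
    candidates = [naive.replace(tzinfo=tz, fold=f).astimezone(timezone.utc) for f in (0, 1)]
    start = min(candidates) - timedelta(minutes=slack_minutes)
    end = max(candidates) + timedelta(minutes=slack_minutes)
    return start.strftime(UTC_FMT), end.strftime(UTC_FMT)


if __name__ == "__main__":
    # The same instant as a London- or Tokyo-based user would have seen it.
    for zone, shown in utc_to_zones(EVENT_TS_UTC, ["UTC", "Europe/London", "Asia/Tokyo"]).items():
        print(f"{zone:15} {shown}")
    # A user in New York reports "about 15:00" on 12 May.
    print(local_report_to_utc_window("2023-05-12 15:00", "America/New_York"))
    # 01:30 on 5 Nov 2023 happened twice in New York; the window covers both.
    print(local_report_to_utc_window("2023-11-05 01:30", "America/New_York", slack_minutes=0))
```

The window, not a single converted instant, is what you want to feed into a search: a user’s recollection is rarely precise to the minute, and on a DST transition day the same wall-clock time can map to two different UTC instants an hour apart.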

To configure the time zones you wish to see, click the Edit button and adjust accordingly.

Bind to a keyboard shortcut and configure the time zones as needed

Related Links

Other Chrome Tips

There are several features in Chrome that are extremely useful that do not require Chrome Extensions. Everything listed below works on MS Edge as far as I’m aware.

Use Chrome Profiles per Tenant

If you manage multiple Chronicle SIEM instances, I recommend using a separate Chrome profile per tenant instead of signing a single Chrome profile into multiple identities. This has several advantages:

  • Each profile has its own cookies, saved passwords and extensions, so one tenant’s session is isolated from the others, and an extension you only trust for one tenant is not silently active in the rest.
  • You can choose a different colour scheme for each Chrome profile, which makes it obvious which tenant you are acting in.
  • You can use a desktop window manager to create a workspace per Chronicle SIEM instance.
  • Together this lets you manage multiple tenants simultaneously in a more efficient (and less error-prone) way.

Here are the steps to set up an additional Chrome profile (the exact wording varies a little between Chrome versions):

  • Open Chrome.
  • Click the profile icon (your avatar) at the top right of the toolbar.
  • Click “Add” under the list of other profiles.
  • Choose whether to sign the new profile in to a Google account or continue without one.
  • Enter a name for the new profile and pick a colour.
  • Click “Done.”
  • The new profile opens in its own window; switch between profiles via the same profile icon.

Binding Keyboard Shortcuts

The ability to bind a custom keyboard shortcut to a Chrome Extension is a little hidden away. Here are the steps:

  • Open Chrome.
  • In the address bar type chrome://extensions/ (or go straight to chrome://extensions/shortcuts and skip the next two steps).
  • Click the hamburger icon (the three horizontal lines) in the top left-hand corner.
  • Click “Keyboard shortcuts.”
  • Find the extension in question and assign a keyboard shortcut.

The hidden-away Chrome Extensions keyboard shortcuts UI

Chrome Site Search

I previously wrote about using the Chrome Site Search feature to enable quick searches, e.g., searching raw logs or opening contextual views. The value is that you can run several searches far more quickly from the address bar with keyboard shortcuts than by clicking through the UI with a mouse.

Chrome Side Panel?

The side panel feature in Chrome has the potential to be a valuable tool for SecOps workflows: showing extensions inline, a split-view browser, or easily created custom integrations would all make it a powerful tool for SecOps professionals. At present, though, I do not find a use for this feature personally.

Summary

I hope the above provides useful guidance and inspiration on how Chrome extensions can make small improvements to your day-to-day Chronicle SecOps usage.

I did not include the Chronicle Chrome Extension in here as this has not been updated in a long time, but I understand an updated version may be available in the near future.

The other major item missing from here would be Bard or ChatGPT. I’ll revisit this topic in a dedicated blog post of its own in the near future, specifically once the Bard roll-out means it is available in more geographies.

If you have an essential Chrome extension that should be added, please let me know.
