"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.
We’ve spent the last few blogs building tiles in dashboards, and today we will continue this effort while introducing some new concepts that provide additional context to your data.
Previously, we built a tile called Top Talkers by Count using the combination of principal.ip and target.ip. We grouped our data on these two fields and counted the number of events to determine the IP addresses on that list. While that is one way to look at this data, perhaps we want to assess volume in a different way than event count. We could focus on fields like network.sent_bytes or network.received_bytes. Depending on the requirements or situation, either could work well, but in other circumstances we may just want the total byte count instead. For those familiar with the UDM schema, you may be thinking, do we have a place to store total bytes at the event level? No, total bytes are not stored at the event level. However, by defining a custom field, specifically a custom measure within a tile, you can create one.
Because we are identifying systems with the largest total byte count, we will be adding a new tile separate from our Top Talkers by Count tile. We’ve mentioned it before but to add a new tile to an existing dashboard, we will put the dashboard in edit mode and then click Add -> Visualization in the top left corner of the dashboard. Our tile is based on UDM events, so select the UDM events explore from the list. With that, we can start building our tile.
As with our other tiles in this dashboard, we are going to focus our data on the past 7 days. We are also going to limit our tile to just network connection events. If you are following along and building this tile in your environment, you can broaden these filters to fit your needs. To filter on network connection events, we can use the field metadata.event_type_enum_name and use the filter section to select the value(s) desired.
While we are at it, let’s add two additional filters to ensure that all network.received_bytes and network.sent_bytes are not null. We also selected the fields that we want to start with, including the principal.ip field, the byte counts and the event count. Because we are grouping on all three fields to create a count, we are only seeing a single IP address in this result set. That’ll change soon enough but because we are going to be using these byte fields, I wanted to make sure we show them for the moment.
There are three types of custom fields that can be created within a tile: custom dimension, custom measure and table calculation. A dimension is essentially a field, so what we want to do is create a custom dimension that adds together the values from network.received_bytes and network.sent_bytes.
When we select custom dimension, we get a pop-up to enter in the expression for our new dimension. As we type in the expression section, prompts for field names and other functions will be available to you. We need to make sure we provide a name for our custom dimension, in this case Total Bytes, and then we can click Save.
Once we click Save, notice the dimension is added under the section called Custom Fields on the field list. It also adds it to our data section as a new column. For the values to populate, you will need to click Run in the top right of the pop-up. When it runs, notice how our sent and received bytes add up to the total bytes. If we are satisfied that our custom dimension is working properly, we can remove the sent and received bytes from our data section because we no longer need these fields to be displayed. To remove columns, remember that we can click the cog next to the field name and select remove.
With just three columns, the IP address, the total bytes custom dimension and our event count, we click Run and get our results. The problem with our results is that we still have a number of IP addresses repeated in our result set, each with a different total byte value and then counts for each combination. This is because the custom dimension is being treated as a grouped field. It is a special field, but it is handled like any other field: we group by each field and then count the events for each unique combination of all of the fields. To generate a sum of the Total Bytes, we are going to use another custom field option: the custom measure.
The first thing we need to do is choose the field that we want to measure. The listing will provide all of the fields available in the field list including the custom dimension we already created. To make it easier to find your field, start typing the letters in the field name and you will get a filtered list. We need to provide a name for our custom measure and then we need to select the measurement type. The measurement types available to us will depend on the type of field we are measuring. Because this field is an integer, we can perform a number of numeric calculations including sum. If this were a string field, other options would exist. Once we have selected Sum, we can click Save.
Our new custom measure, Sum of Total Bytes, appears in our field list and also in the data section as a new column. We removed our custom dimension of Total Bytes because we don’t need to group by that value and then clicked Run. The output we see is dramatically different; there are three IP addresses that meet our criteria but now we have an event count and a sum of the total bytes for each over the past seven days. That’s looking pretty good, but let’s add one more thing to this. Let’s add a few table calculations on the values that are part of this table.
The third custom field available to us in a tile is called a table calculation. Like other custom field options, we can use an expression to build our own, but Chronicle dashboards have five prebuilt calculations that can be very handy, so we are going to use one of them today. In the image above, we have added a percent of column calculation to the UDM event count. This is why the field list on the left side shows a table calculation entry in green and the data section has a column in green as well. To add a table calculation, we select the cog next to the field that is being calculated and select calculations followed by the specific calculation you would like to use. If you want to define your own, you will need to add the table calculation to the field list first before applying it.
Now that we have our data set, let’s click on the visualization section and build the visualization for our tile. We are going to keep it simple here and stick with a tabular view. We need to make sure we provide a name for our tile, click Save and the tile will appear on our dashboard.
You may need to resize the tile or rearrange it and, most importantly, don’t forget to save the dashboard when you are done arranging the tiles. If anyone is shaking their head that we only have three IP addresses in our data set, just remember to use your filters to further tighten (or loosen) your data set as appropriate for your requirements, and if the goal of your tile is to create a Top N listing of some sort, use the Row limit in the data section to limit the number of rows returned to the tile.
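As an added illustration that is not part of the original post, the following Python models how the tile reduces a small, constructed set of UDM-like events: the event-type and not-null filters, the Total Bytes custom dimension, the difference between grouping on that dimension and summing it as a custom measure, a percent-of-column table calculation on the event count, and a Row limit. The field names mirror the UDM fields named above; the event values are constructed and the function names are my own.

```python
from collections import defaultdict

# Constructed sample events; keys mirror the UDM field names used in the post.
EVENTS = [
    {"metadata.event_type_enum_name": "NETWORK_CONNECTION", "principal.ip": "10.0.0.5",
     "network.sent_bytes": 100, "network.received_bytes": 400},
    {"metadata.event_type_enum_name": "NETWORK_CONNECTION", "principal.ip": "10.0.0.5",
     "network.sent_bytes": 100, "network.received_bytes": 400},
    {"metadata.event_type_enum_name": "NETWORK_CONNECTION", "principal.ip": "10.0.0.5",
     "network.sent_bytes": 50, "network.received_bytes": 50},
    {"metadata.event_type_enum_name": "NETWORK_CONNECTION", "principal.ip": "10.0.0.9",
     "network.sent_bytes": 700, "network.received_bytes": 300},
    {"metadata.event_type_enum_name": "NETWORK_CONNECTION", "principal.ip": "10.0.0.7",
     "network.sent_bytes": None, "network.received_bytes": 10},   # dropped: null sent_bytes
    {"metadata.event_type_enum_name": "USER_LOGIN", "principal.ip": "10.0.0.9",
     "network.sent_bytes": 5, "network.received_bytes": 5},       # dropped: not a network connection
]

def filtered(events):
    """The tile's filters: network connection events with both byte fields populated."""
    return [e for e in events
            if e["metadata.event_type_enum_name"] == "NETWORK_CONNECTION"
            and e["network.sent_bytes"] is not None
            and e["network.received_bytes"] is not None]

def total_bytes(e):
    """Custom dimension: Total Bytes = received + sent."""
    return e["network.received_bytes"] + e["network.sent_bytes"]

def group_by_dimension(events):
    """Grouping on principal.ip AND the Total Bytes dimension gives one row per distinct
    (ip, total) pair, which is why the same IP appears several times with different totals."""
    counts = defaultdict(int)
    for e in filtered(events):
        counts[(e["principal.ip"], total_bytes(e))] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def sum_measure(events, row_limit=None):
    """Custom measure Sum of Total Bytes per principal.ip, with the event count, a
    percent-of-column table calculation on the count, and an optional Row limit (Top N)."""
    agg = defaultdict(lambda: {"events": 0, "sum_total_bytes": 0})
    for e in filtered(events):
        agg[e["principal.ip"]]["events"] += 1
        agg[e["principal.ip"]]["sum_total_bytes"] += total_bytes(e)
    grand = sum(r["events"] for r in agg.values())
    rows = [{"principal.ip": ip, **r, "pct_of_events": round(100 * r["events"] / grand, 1)}
            for ip, r in agg.items()]
    rows.sort(key=lambda r: r["sum_total_bytes"], reverse=True)
    return rows[:row_limit] if row_limit else rows
```

Calling group_by_dimension(EVENTS) shows 10.0.0.5 twice (once per distinct total), while sum_measure(EVENTS) collapses it to a single row with the summed bytes and its share of the event count.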
I hope this was helpful and provides a good starting point to extend your dashboarding by adding in custom fields to your tiles!