Throughout the New To Chronicle series, we’ve talked about rules, searches, entities, threat indicators and other capabilities that an analyst can use as part of their daily work. One thing we have not touched on to date is visualizing data through dashboarding. Today, we are going to start exploring capabilities available to you within the dashboarding that Chronicle provides.
Chronicle leverages Google’s Looker service for dashboarding and has built the integration such that a number of the Chronicle datasets can be tapped into to visualize data. What do I mean by that? Well, parsed UDM events, entity data, detections, ingestion metrics and more are available for use with dashboards. In fact, if you aren’t entirely sure where to start, there are a set of dashboards to get you going including:
Context Aware Detections - Risk - insight into the current threat status of assets and users using rule detections data
Data Ingestion and Health - information about the type and volume of data being ingested into Chronicle
IOC Matches - visibility into IOCs including matches over time by category and top domain and IP indicators
Main - displays information about the status of data ingestion and geo location of IOCs detected
Rule Detections - insight into activity related to the detection engine and configured rules
User Sign In Overview - visibility into where your users are logging into your enterprise from and what applications they are signing into
These default dashboards serve as a starting point and can be copied and modified to suit. Alternatively, new dashboards can be created starting with a blank canvas. Today we are going to start from scratch and build a tile for our new dashboard.
To create a new dashboard, select Add - Create New in the dashboard section of Chronicle. Alternatively, if another user has a Chronicle dashboard they have already created, we could import that dashboard into our instance. Once the dashboard is created, you can add visualizations, text, markdown or buttons. Because we want to visualize our data, let’s select Visualization. This will generate a pop-up that will be used to build a tile that will sit within our dashboard.
We need to decide what dataset will be used for our visualization. Today, we are going to build a tile using our UDM data, so let’s select UDM Events.
Let’s start by naming our tile Top Talkers by Count - Principal -> Target IP. On the left side of the pop-up screen, we can see a listing of UDM fields, nested under their top level name, as well as a section for grouped fields and a measure at the bottom of the list called Count.
Editorial note: I realize that in the image below you can’t see the Grouped Fields or the Count, but if you look in your instance, you will see it!
We can click on fields in the dataset to add them into the Data section to explore our data, but if we know what we are looking for, we can start by building a filter. Because the UDM data is the same as what we work with in search and rules, we may already have a good idea of what we want in our tile. Let’s filter on the field metadata.event_type.enum_name.
Readers of this blog are likely familiar with metadata.event_type because we use this as a starting point in nearly every rule or search we build. While metadata.event_type is available in our dataset for dashboarding, that field stores an integer value of the event type. Rather than having to remember the integer, we have an additional field available to us, metadata.event_type.enum_name, that contains the descriptive terms we use all the time. To add a field to the filter list, we can click the button that looks like an upside down triangle next to the field. It’s important to note that the filter, pivot, information and other buttons are hidden until you hover over the field. In the filter section, we now have two filters: metadata.event_type.enum_name, which is equal to NETWORK_CONNECTION, and a default UDM metadata.event_timestamp filter set to the past 24 hours. This can be modified, so let’s set it for the past 7 days.
With our filters in place, let’s use the Find a Field filter and add .ip to it. This will result in only fields matching our filter being shown in the list. Scrolling down, we can click on principal.ip and target.ip to add them to the Data section. We can clear our filter, scroll to the bottom of the list and click on Count. Notice that all three fields appear as headers in the Data section. Let’s click the Run button in the top right corner to view our data set.
Notice how our visualization is populated along with our data. That’s progress, but not quite what we had in mind. For starters, there are far too many results to visualize our top talkers. At the top right corner of the Data section, we have a row limit of 500. If we only want to visualize the top 10 results, and we already have our data sorted from highest to lowest, we can change that row limit to 10 and just get the top 10 results. That will help our visualization a good deal.
In our target.ip field, we have values of 220.127.116.11 and 18.104.22.168 listed. Both of these IP addresses are associated with DNS and for our purposes, we are going to filter them out. While we could go back into the UDM event list, we are already using these fields, so let’s click on the In Use sub-tab, find the target.ip field and click the filter button to add another filter. From there, we can change the drop-down from is equal to to is not equal to and add the values 22.214.171.124 and 126.96.36.199 into our filter list. With those changes, let’s click Run to refresh our results.
This looks better. Notice the yellow band that says Row limit reached. Don’t worry about this. The query underlying the tile runs to completion and then applies a limit condition that returns only the number of rows set in the text box we modified earlier. As long as you have the data ordered correctly, you will get your top talkers by event count.
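To make the tile’s logic concrete, here is an added Python example (not code from Chronicle or Looker) that applies the same steps to a handful of constructed UDM-shaped events: keep NETWORK_CONNECTION events from the last 7 days, drop the excluded target IPs, group by principal.ip and target.ip, count, sort from highest to lowest, and only then apply the row limit. The DNS resolver addresses in EXCLUDED_TARGET_IPS, the NOW reference time and the sample events are all assumptions for the demo; UDM ip fields are repeated, so an event with several IPs contributes one count per principal/target pair.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 7-day window is deterministic (assumption for the demo).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
# Constructed placeholder resolver IPs to exclude, standing in for the DNS targets in the post.
EXCLUDED_TARGET_IPS = frozenset({"192.0.2.53", "198.51.100.53"})

def _ts(days_ago):
    return (NOW - timedelta(days=days_ago)).isoformat()

# Constructed sample: (event type, days ago, principal.ip, target.ip, how many copies).
SPEC = [
    ("NETWORK_CONNECTION", 1, "10.0.0.5", "203.0.113.9", 6),
    ("NETWORK_CONNECTION", 2, "10.0.0.7", "203.0.113.9", 4),
    ("NETWORK_CONNECTION", 3, "10.0.0.5", "203.0.113.40", 3),
    ("NETWORK_CONNECTION", 1, "10.0.0.5", "192.0.2.53", 9),   # DNS target, filtered out
    ("NETWORK_CONNECTION", 10, "10.0.0.9", "203.0.113.9", 7),  # older than 7 days
    ("USER_LOGIN", 1, "10.0.0.5", "203.0.113.9", 5),           # wrong event type
]
# The Looker dataset exposes the enum name as metadata.event_type.enum_name;
# in UDM JSON the same name is the value of metadata.event_type.
SAMPLE_UDM_EVENTS = [
    {"metadata": {"event_type": et, "event_timestamp": _ts(d)},
     "principal": {"ip": [p]}, "target": {"ip": [t]}}
    for et, d, p, t, n in SPEC for _ in range(n)
]

def top_talkers(events, now=NOW, days=7, excluded_targets=EXCLUDED_TARGET_IPS, row_limit=10):
    """Return [((principal_ip, target_ip), count), ...] ordered by count descending.
    The row limit is applied after ordering, which is why Looker's
    'Row limit reached' banner is harmless once the data is sorted."""
    window_start = now - timedelta(days=days)
    counts = Counter()
    for ev in events:
        md = ev["metadata"]
        if md["event_type"] != "NETWORK_CONNECTION":
            continue
        if datetime.fromisoformat(md["event_timestamp"]) < window_start:
            continue
        for p in ev.get("principal", {}).get("ip", []):
            for t in ev.get("target", {}).get("ip", []):
                if t not in excluded_targets:
                    counts[(p, t)] += 1
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:row_limit]

if __name__ == "__main__":
    for (src, dst), n in top_talkers(SAMPLE_UDM_EVENTS):
        print(f"{src:>12} -> {dst:<14} {n}")
```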
If you are happy with your tile, you can save it. I’m pretty happy with what we have but because the target.ip is getting cut off with a column chart, I am going to change it to a bar chart and then click Save in the top right corner of the pop-up.
At this point, our tile will appear on our dashboard. We can grab the bottom right corner to change the height and width of the tile on the dashboard. Additional controls to move the tile around the dashboard are in the top left corner, in the form of six dots, and other tile controls are in the top right corner under the three dots. All of these controls are hidden until we click on the tile. Once you are happy with the positioning, go ahead and make sure the dashboard is named and click Save.
With that, we have just created a dashboard and added our first tile in Chronicle. We will continue to add additional tiles periodically to highlight other views that can be created within the dashboards. If you haven’t tried building dashboards in Chronicle, hopefully this provides a springboard to get you started!