Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New To Chronicle: Building Our First Dashboard Tile
John Stoner
Principal Security Strategist, Google Cloud
August 29, 2023
Join the discussion
Interact with your peers, access best practices, documentation and more in the Google Cloud Security Community.
Explore the Community Explore the Community

Throughout the New To Chronicle series, we’ve talked about rules, searches, entities, threat indicators and other capabilities that an analyst can use as part of their daily work. One thing we have not touched on to date is visualizing data through dashboarding. Today, we are going to start exploring capabilities available to you within the dashboarding that Chronicle provides.

Chronicle leverages Google’s Looker service for dashboarding and has built the integration such that a number of the Chronicle datasets can be tapped into to visualize data. What do I mean by that? Well, parsed UDM events, entity data, detections, ingestion metrics and more are available for use with dashboards. In fact, if you aren’t entirely sure where to start, there are a set of dashboards to get you going including:

  • Context Aware Detections - Risk - insight into the current threat status of assets and users using rule detections data

  • Data Ingestion and Health - information about the type and volume of data being ingested into Chronicle

  • IOC Matches - visibility into IOCs including matches over time by category and top domain and IP indicators

  • Main - displays information about the status of data ingestion and geo location of IOCs detected

  • Rule Detections - insight into activity related to the detection engine and configured rules

  • User Sign In Overview - visibility into where your users are logging into your enterprise from and what applications they are signing into

These default dashboards serve as a starting point and can be copied and modified to suit. Alternatively, new dashboards can be created starting with a blank canvas. Today we are going to start from scratch and build a tile for our new dashboard.

To create a new dashboard, select Add - Create New in the dashboard section of Chronicle. Alternatively, if another user has a Chronicle dashboard they have already created, we could import that dashboard into our instance. Once the dashboard is created, you can add visualizations, text, markdown or buttons. Because we want to visualize our data, let’s select Visualization. This will generate a pop-up that will be used to build a tile that will sit within our dashboard.

We need to decide what dataset will be used for our visualization. Today, we are going to build a tile using our UDM data, so let’s select UDM Events.

Let’s start by naming our tile Top Talkers by Count - Principal -> Target IP. On the left side of the pop-up screen, we can see a listing of UDM fields, nested under their top level name, as well as a section for grouped fields and a measure at the bottom of the list called Count. 

Editorial note: I realize that in the image below you can’t see the Grouped Fields or the Count, but if you look in your instance, you will see it!

We can click on fields in the dataset to add them into the Data section to explore our data, but if we know what we are looking for, we can start by building a filter. Because the UDM data is the same as what we work with in search and rules, we may already have a good idea of what we want in our tile. Let’s filter on the field metadata.event_type.enum_name. 

Readers of this blog are likely familiar with metadata.event_type because we use this as a starting point in nearly every rule or search we build. While metadata.event_type is available in our dataset for dashboarding, that field stores an integer value of the event type. Rather than having to remember the integer, we have an additional field available to us,  metadata.event_type.enum_name, that contains the descriptive terms we use all the time. To add a field to the filter list, we can click the button that looks like an upside down triangle next to the field. It’s important to note that filter, pivot, information and other buttons are hidden until you hover over the field. In the filter section, we now have two filters; metadata.event_type.enum_name which is equal to NETWORK_CONNECTION and a default UDM metadata.event_timestamp filter that is set by default for the past 24 hours. This can be modified, so let’s set it for the past 7 days.

With our filters in place, let’s use the Find a Field filter and add .ip to it. This will result in only fields matching our filter to be shown in the list. Scrolling down, we can click on the principal.ip and the target.ip to add them to the Data section. We can clear our filter and scroll to the bottom of the list and click on Count. Notice that all three fields appear as headers in the Data section. Let’s click the Run button in the top right corner to view our data set.

Notice how our visualization is populated along with our data. That’s progress, but not quite what we had in mind. For starters, there are far too many results to visualize our top talkers. At the top right corner of the Data section, we have a row limit of 500. If we only want to visualize the top 10 results, and we already have our data sorted from highest to lowest, we can change that row limit to 10 and just get the top 10 results. That will help our visualization a good deal.

In our target.ip field, we have values of 8.8.8.8 and 9.9.9.9 listed. Both of these IP addresses are associated with DNS and for our purposes, we are going to filter them out. While we could go back into the UDM event list, we are already using these fields, so let’s click on the In Use sub-tab, find the target.ip field and click the filter button to add another filter. From there, we can change the drop-down from is equal to to is not equal to and add the values 8.8.8.8 and 9.9.9.9 into our filter list. With those changes, let’s click Run to refresh our results.

This looks better. Notice the yellow band that says Row limit reached. Don’t worry about this. The query underlying it runs to completion and then has a limit condition on it that just returns the number of rows that is in the text box we modified earlier. As long as you have the data ordered correctly, you will get your top talkers by event count.

If you are happy with your tile, you can save it. I’m pretty happy with what we have but because the target.ip is getting cut off with a column chart, I am going to change it to a bar chart and then click Save in the top right corner of the pop-up.

At this point, our tile will appear on our dashboard. We can grab the bottom right corner to change the height and width of the tile on the dashboard right. Additional controls to move the tile on the dashboard are in the top left corner, in the form of 6 dots and other tile controls are in the top right corner under the three dots. All of these controls are hidden until we click on the tile. Once you are happy with positioning, go ahead and make sure the dashboard is named and click Save.

With that, we have just created a dashboard and added our first tile in Chronicle. We will continue to add additional tiles periodically to highlight other views that can be created within the dashboards. If you haven’t tried building dashboards in Chronicle, hopefully this provides a springboard to get you started!

New to Chronicle Series

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page