Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New to Chronicle: Dashboarding - Tabular Summary of Detections
John Stoner
Principal Security Strategist, Google Cloud
September 14, 2023
Join the discussion
Interact with your peers, access best practices, documentation and more in the Google Cloud Security Community.
Explore the Community Explore the Community

"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.

In our last blog, we built our first dashboard tile in Chronicle to view the Top Talkers in our environment. If you aren’t familiar with building dashboards in Chronicle or just need a quick refresher, I’d suggest taking a moment to review before reading further because we will be building on top of what we covered last time. Don’t worry, I’ll wait…

The dashboard tile we are going to build today is going to provide us visibility into the severity of the detections that have been triggered over the past seven days. We are going to build from the dashboard that we created last time. Before we can add more tiles to it, we must get into edit mode, so click the three buttons in the top corner of the dashboard and select Edit dashboard.

To add a new tile, we can click Add in the top left corner of the dashboard in edit mode and select Visualization from the drop-down. Because we are building a tile about the detections in Chronicle, select the Rule Detections explore from the listing.

In the Edit Tile pop-up, start by naming our tile Detections By Severity - Past 7 Days. Because we want to gather detections for the past seven days, let’s start by identifying the date field to filter on. 

Using the text box called Find a Field on the left side of the pop-up, we can enter the string date to filter on date fields. The field that contains date and time when the detection occurred is called Detection Timestamp Date. 

To the right of each field, when we mouse over, a set of buttons appear that can be used for creating a pivot (more on that next time), an information button, and a filter by field button. We are going to click on the Filter by field button to the right of the field name.

When we click on the filter by field button, notice how this field is populated under the filter section, which you can see in the top center of the pop-up.  While we can easily work with other portions of the date like the month or quarter if we wanted to build some longer range dashboards, we are going to focus on returning detections for the past 7 days and we can use the drop-down and text boxes below each filtered field to set this criteria. Additional filters can be added in the same manner but for today, we are going to stick with just this one.

With our date range established, let’s select some fields to populate our tile. Notice in our field list, there are three different severity fields. Severity is a text value of Info, Low, Medium, High and Critical. Severity Visual is the same but with those little colored matchsticks next to each value. Security Int is the integer value for each severity value. 

Why would I want an integer when I’ve got text strings to describe the severity?

Great question. The benefit of having the integer value in a separate field is really to help us out when it comes to sorting our data for viewing. I won’t ask for a show of hands, but how many people have ever seen a dashboard that has severity sorted by alphabetical order and critical is first and medium is last?

In our tile, we are going to click on the Severity Int, Severity Visual and Count to populate our dataset. This time, we are not going to sort on Count, but we will sort on the Security Int field, so that our results are sorted from lowest to highest severity. If you want the highest severity to be top of the list, just click on the Security Int field a second time to reverse the sort order.

Now let’s turn toward our visualization. For this tile, we are going to stick with the default tabular view, but we really don’t want that integer value taking up space. With our sort in place, let’s click on the cog next to the Security Int field in the data section. In the drop-down menu, select the Hide this field from visualization option. This will remove this column from our tabular value. We could run our criteria again if we needed to test further, but we can click Save at this point and we will see our tile in our dashboard. After taking the time to build a tile, I always recommend saving your dashboard, even if you plan to build more tiles or modify your dashboard further.

Building tiles in dashboards can be very straightforward once key fields have been identified. I hope this example shows how you can quickly and easily build tiles that help surface information in dashboards to your security operations team.

New to Chronicle Series

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page