Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New to Chronicle: Dashboarding - Using Pivot to Create a Time Chart
John Stoner
Principal Security Strategist, Google Cloud
September 28, 2023
Join the discussion
Interact with your peers, access best practices, documentation and more in the Google Cloud Security Community.
Explore the Community Explore the Community

"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.

In security operations, there are numerous questions asked that draw on the same data sets, but need to be visualized in slightly different ways. In our last blog, we built a tabular view of detections by severity for the past seven days. While that answers one question, it’s entirely possible the next question is, how many critical severity detections occurred each day for the past seven days? And while you are at, can you help me visualize detection severities by day in something other than a tabular view? These kinds of questions are the type that we are going to cover today and to do this we are going to use the pivot capability to build a crosstab, quickly followed by a time chart. Previously, we created a new visualization from scratch, but the ability also exists within dashboards to duplicate a tile and then edit it. Let’s start there. As always, make sure that we are in edit mode for the dashboard, so click the three buttons in the top corner of the dashboard and select Edit dashboard. From there, we can mouse over the tile that we want to duplicate. When we do that, the three dots in the upper right corner of the tile will appear and we can click on it, followed by Duplicate tile.

With that, a new, identical tile is created. The only difference is that (Copy) is appended to the end of the tile name. If your dashboard has multiple tiles already on it, you may need to scroll to the bottom of the dashboard to find it. On the new tile, mouse over the upper right corner, click on the three dots and then click Edit.

At this point, we are going to be in the Edit Tile pop-up window. This is the same interface we used in previous blogs to create our tiles. Let’s start by changing the name of our tile to Detections By Severity By Date - Past 7 Days.

We don’t need to modify our filters this time, but we do need different fields to address our requirements. If we are going to visualize this data by severity and by date, we probably don’t need both the integer and visualization for severity. Let’s remove the visualization by clicking on the cog in the top right corner of the column and select Remove.

We also need to add a date so that we can group our detections by both severity and date. We have used the text box called Find a Field on the left side of the pop-up in the past, but we can also click on the In Use sub-tab and view the fields we are currently using in our tile. Notice how the Date field is not in gray but the Filter button is. This is because the field is not in the data section, but it is being used in the filter. Let’s go ahead and click on the field in the list and it will be added to the data section.

Once we have made those changes, we can click Run to see what our data set would look like. I’m going to be honest and say I don’t love it. If I am trying to inform leadership around the daily status of detections, providing them an integer value is probably not ideal, nor is a listing of dates side by side with each integer.

So we have a little more work to do. We can start by going back to our field list and adding the field Severity and removing Severity Int because Severity is a text value of Info, Low, Medium, High and Critical where Security Int is the integer value for each severity value. If we click Run, we see that our data now is populated with a descriptive term for severity and if we expand our Visualization section and select area chart, we can even get a nice visualization. 

The problem though is that each count value is grouped by the date of the detection and severity which could get a little confusing to read. Ideally, we want to have a count of each severity for each day, which is where a crosstab comes into play. For those unfamiliar with crosstabs, this is a table containing two or more variables. To do this, we are going to use the pivot function. 

The first question is what field should we pivot on? This is going to depend on how we want to visualize our data. When building a pivot we will have variables represented both horizontally and vertically in our result set so some thought needs to be put toward this.

To demonstrate this, let’s first pivot on the detection date. If we click on the cog next to the date field and select Pivot, we will see our severity values appear as rows in our data section while each value in the date range will appear as columns. Because we are limiting our results to seven days with our filter condition, we will have seven columns, one for each day. When we click Run, we will get a count for each severity per day. 

In a tabular view, this may look nice and may meet our needs. Unfortunately, if we are trying to visualize the number of detections by severity by day, this doesn’t tell the story we are trying to tell. As we look at the area chart, we can see there are a large number of low severity detections, but understanding how many happened each day is a bit difficult to discern here.  Notice the values on the X axis of the visualization align with the Severity column in the Data section. If we are looking to visualize our data by day (or any other time value) in an area (or line) chart, we want that field to be represented as rows and instead pivot on the other value, in this case Severity.

Wait! Does that mean I need to start over if I pivot on the wrong field(s)?

Not at all, we’ve used the cog next to the field in the data section to hide data and remove columns; we can also use it to pivot or in this case unpivot a specific field. By the way, pivot can also be selected for a specific field from the field list just like a filter.

If we pivot on the severity and click Run, notice that our severity values are now across the top of the data table and our area chart takes our dates and maps them across the X axis of the area chart. The counts for each severity for each day are laid out across the graph as a count of each severity for each day. Now we have a tile our leadership can quickly consume!

We can further refine our chart or criteria if we need to test further, but we can click Save at this point and we will see our tile rendered in our dashboard. Remember to save your dashboard, even if you plan to build more tiles or modify your dashboard further so you don’t lose your work.

Today we took our existing tile, duplicated it and modified it to provide a time series based view of our detection severity broken out by day. Pivot is a powerful tool that can be used in dashboards to provide crosstab output for any number of datasets. Remember these tips when building dashboards for your team in Chronicle!

New to Chronicle Series

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page