Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
New to Chronicle: Formatting, Filtering and Sharing Dashboards
John Stoner
Principal Security Strategist, Google Cloud
November 9, 2023
Join the discussion
Interact with your peers, access best practices, documentation and more in the Google Cloud Security Community.
Explore the Community Explore the Community

"New to Chronicle" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Platforms with Chronicle. You can view the entire series here.

The past two months we’ve been building a dashboard in Chronicle one tile at a time. This will be our last dashboard focused blog for the moment, but we wanted to wrap up this arc by adding some additional context to our dashboard, as well as a filter and wrap up how we can share dashboards.

We are going to start with the dashboard and tiles that we have built previously. In case you are just joining us, or in case you want to build your own dashboard, the following blogs will get you to this point:

While we have these four tiles in our dashboard, adding elements that provide additional context, links and filters make this dashboard more than just a passive view of the data within Chronicle. To get started, we need to put our dashboard in edit mode. Once in edit mode, we can see the blue band across the top of the screen with the Add button in the top left corner of the screen. We are going to start by adding Text to our dashboard.

The text element provides the ability to add text and apply formatting to it, including different size headers, justification, bullets or numbering as well as links and font modifications, like bold, italics, underlines and color changes. For this example, we used these text elements as headers in the dashboards to separate the detection and network traffic tiles. We used the triangle in the lower right of the tile to resize it to fit and the dots in the top left of the text box, to move it around the dashboard, just like other tiles that have data in them.

The next element we are going to add is a markdown. The markdown provides a header, subheader and body within a single tile. If we were just going to add a header like we did with the text element, the markdown element might be sufficient for that purpose.  

Like the visualizations and text elements, we can select Markdown under the Add button in the top left corner of the dashboard editor. When we do, a pop-up opens prompting for a title, subtitle and body. There are a number of options available for the markdown, in fact, this link provides options for your consideration. In this example, we are going to place our Chronicle logo in the space between the two detection tiles.

Once we create our markdown, we need to click Save in the pop-up. We can then move the newly created markdown within our dashboard. The controls for all of these dashboard elements are the same and while a little trial and error may be needed to get tiles lined up exactly how you want them, it’s pretty easy to use.

Let’s add a few buttons to our dashboard. If a user is working in a dashboard and they want to pivot to another dashboard or any other hyperlink, they can do this easily with button elements. Buttons are added under the same Add menu item we used for other dashboard elements. Here we have added two buttons, one that opens the Main Dashboard in Chronicle and the other the Rule Detection dashboard. Notice how we enter a label, hyperlink and optionally a description. There are additional design elements available as well. Once we have configured our button, we can click Save and reposition the buttons as needed.

At this point, we are looking pretty good, but there is one more element that we need to add to our dashboard. The filter element provides a method to pass parameters through the dashboard to one or more tiles. Click on Filters - Add Filter at the top of the dashboard editor.

We are going to filter by time so we need to select the time field we are using in our tiles. In our example, we have two tiles using the UDM view and two tiles using the detection view. We selected the UDM view, but we could have selected the detection view and it would work either way. The key thing is to make sure that you are using the correct time fields to filter. In our earlier blogs, we set up filters in each tile with a specific time field. If we use those fields, then we won’t have any issues. We named our filter Time Range as this will be displayed next to the filter in the dashboard. Depending on the field being filtered on, we have a number of different control options. Advanced provides a robust set of date/time options to choose from. Let’s click on the subtab Tiles to Update.

This section is where we connect our Time Range filter to the appropriate tiles. When we created our filter, the two tiles that used the UDM view were already populated with the view and fields that we had previously configured. The two detection tiles did not have a specific field to filter on, but by clicking on each one and selecting the detection date field, we are able to connect each tile to the time range filter. If we didn’t want a tile to have a time boundary on it, we could just leave it blank. More on this in a little bit. Once we have set all of our tiles to the filter, we can click Add.

Notice at the top of the dashboard we now have a filter named Time Range with a configurable value. We can modify the time value and click on the refresh circle on the top right side of the dashboard and have our tiles recalculate based on the specified time range. Here is our finished dashboard using the time filter and returning data for the past seven days.

You may be thinking, what about those tiles that we created in the past that had seven day filters on them, does that factor into this time range filter? The answer is they do, but only if we do not specify a Field to Filter in the dashboard filter. Notice in our dashboard that the time range is set to September 2023. However, the time chart for Detections By Severity By Date has the past seven days of data displayed in the tile. The reason for this is because the tile was set for a seven day filter and we did not add the tile into the dashboard filter. Because of that it uses the time filters set in the tile itself.

With a completed dashboard, we can provide users the ability to download the content into a pdf or csv. We could schedule delivery of the dashboard in pdf via email. We could also export our dashboard. Exporting the dashboard will output a yaml file of the dashboard that can be imported into another Chronicle instance by selecting Add - Import Dashboard from the Personal or Shared dashboard sections. In fact, we posted the yaml file for this dashboard to our Github site. Help yourself to it, review the work that we’ve done over the past five blogs with the dashboard and adjust it to meet your own needs.

I hope this arc of dashboarding blogs helps you develop your own dashboards in Chronicle!

New to Chronicle Series

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page