
Extending the power of Chronicle with BigQuery and Looker

July 21, 2021
Rajesh Gwalani

Product Manager, Chronicle

Chronicle, Google Cloud’s security analytics platform, is built on Google’s infrastructure to help security teams run security operations at unprecedented speed and scale. Today, we’re excited to announce that we’re bringing more industry-leading Google technology to security teams by integrating Chronicle with Looker and BigQuery. Backed by this powerful toolset, security analysts can create brand new visual workflows that increase efficiency and improve outcomes in the Security Operations Center (SOC). 

New Looker visualizations in Chronicle

Chronicle’s new visualizations - powered by Looker, Google Cloud’s business intelligence (BI) and analytics platform - enable a multitude of new security use cases such as dashboarding, reporting, compliance, and data exploration. Out of the box, security teams can access brand new, Looker-driven embedded dashboards in five content categories at no additional cost to the Chronicle license:

Chronicle security overview - a set of overview visualizations that surface high level insights such as statistics and trends on ingested events, number of alerts, and a global threat map

Data ingestion and health - an overview of all security telemetry ingested into Chronicle, including data types and volume

IOC matches - a granular view into IOC matches detected in Chronicle, with views into IOC matches across IPs, domains, and assets

Rule detections - detailed insight into the top 10 triggered detection rules, the top users, IPs, and assets associated with rules, and more

User sign-in data - insights into sign-in data across the organization including sign-in status over time as well as top sign-ins by application and user

https://storage.googleapis.com/gweb-cloudblog-publish/images/Looker-based_dashboard.max-700x700.jpg

Example Looker-based dashboard displaying visualizations related to IOC matches in the Chronicle environment

Chronicle’s dashboards are easy to use and fully customizable so that you can access and display the security information that’s most important to your organization. In addition to out-of-the-box visualizations, it’s simple and straightforward to create your own dashboards from scratch based on a number of parameters. This flexible dashboarding framework powered by Looker allows all default and custom dashboards to be edited, saved, and shared for on-demand analysis and reporting.

In the example below, Windows security logs or EDR logs can be used to create powerful visualizations for ransomware detections including top hosts impacted by ransomware, number of alerts over time, fake process creations, and lateral movement activity.

https://storage.googleapis.com/gweb-cloudblog-publish/images/custom-built_Looker_dashboard.max-1000x1000.jpg

Example custom-built Looker dashboard for ransomware detections

Take security-driven data science to the next level with BigQuery

Chronicle also now integrates with BigQuery, making it easier than ever for analysts to leverage complex, massive security data sets to find problems faster and more easily. With this integration, Chronicle customers can export petabytes of security telemetry into BigQuery - Google Cloud’s serverless, highly scalable multi-cloud data warehouse - introducing endless possibilities for security-driven data science. For example, security teams can use BigQuery to join the security telemetry in Chronicle’s Unified Data Model (UDM) with a dataset of their choice or run custom analytics on top of UDM data, such as in Deloitte’s PACE analytics solution.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Data_from_Chronicles_Unified_Data_Model.max-2000x2000.jpg

Data from Chronicle’s Unified Data Model (UDM) can be sent to BigQuery for deep analysis and to create visualizations.
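The kind of join described above, as an added example that is not part of the original post or of Chronicle’s own documentation: it counts EDR ransomware alerts per host per hour and enriches each host with owner and criticality from a customer-maintained inventory table. The project name, the `datalake.udm_events` table and the UDM column names it reads (metadata.event_timestamp, principal.hostname, security_result[].rule_name and .severity) are assumptions about the exported schema, and `security_context.asset_inventory` is a constructed customer table.

```sql
-- Added example (not from the original post). Assumed: the Chronicle export
-- lands in `my-project.datalake.udm_events` using UDM field names; the
-- `asset_inventory` table is a constructed, customer-owned table with the
-- columns hostname, owner_team, criticality.
WITH ransomware_alerts AS (
  SELECT
    -- UDM stores the event time as an epoch-seconds struct; bucket it by hour
    TIMESTAMP_TRUNC(
      TIMESTAMP_SECONDS(e.metadata.event_timestamp.seconds), HOUR) AS alert_hour,
    e.principal.hostname AS hostname,
    sr.rule_name,        -- the EDR product's alert/rule name (assumed field)
    sr.severity
  FROM `my-project.datalake.udm_events` AS e,
       UNNEST(e.security_result) AS sr   -- one row per security_result entry
  WHERE LOWER(sr.rule_name) LIKE '%ransom%'
    -- restrict the scan to the last 7 days to keep the query cost bounded
    AND e.metadata.event_timestamp.seconds >=
        UNIX_SECONDS(TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY))
)
SELECT
  a.alert_hour,
  a.hostname,
  -- LEFT JOIN so hosts missing from the inventory still show up (NULL owner),
  -- which is itself a useful signal for an unmanaged asset
  inv.owner_team,
  inv.criticality,
  COUNTIF(a.severity = 'HIGH') AS high_severity_alerts,
  COUNT(*)                     AS alert_count
FROM ransomware_alerts AS a
LEFT JOIN `my-project.security_context.asset_inventory` AS inv
  ON LOWER(a.hostname) = LOWER(inv.hostname)
GROUP BY a.alert_hour, a.hostname, inv.owner_team, inv.criticality
ORDER BY a.alert_hour DESC, alert_count DESC;
```

The result set is the shape a "top hosts impacted by ransomware" and "alerts over time" dashboard tile would plot, and the same query can be saved as a Looker view or pointed at from any BigQuery-compatible tool.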

Each Chronicle tenant now includes a private, managed BigQuery data lake that features data export at regular intervals and 180 days of data retention included at no additional cost. In addition to Looker, customers can use any BigQuery-compatible tool - such as Google Data Studio, Grafana, Google Sheets, and Tableau - to create visualizations with Chronicle data.

Chronicle customers can get started today using the BigQuery data lake to build security visualizations in a tool of their choice, with embedded Looker-driven dashboards in Chronicle available to all customers in Preview mode. To learn more about Chronicle, complete the Contact Sales form.
