Using Chronicle dashboards
Chronicle provides a set of default dashboards for analysis and reporting within the Chronicle user interface. Reporting is available by exporting a dashboard to a shareable file (for example, PDF, Excel, or CSV). These dashboards are built on the capabilities of Looker (https://cloud.google.com/looker) and BigQuery (https://cloud.google.com/bigquery), both Google Cloud products. Looker acts as the visualization layer while BigQuery acts as the data layer.
Before you begin
Before you can access Dashboards in Chronicle, complete the following steps:
Launch the Google Chrome browser.
If you do not have Chrome installed, go to https://www.google.com/chrome/.
Ensure you have access to your corporate account.
Complete the following steps to access your Chronicle account and navigate to the Dashboarding page:
Navigate to your company's Chronicle account.
Your screen should resemble the following figure.
Chronicle landing page
Accessing the Chronicle Dashboards
Complete the following step to navigate to the Dashboards page:
Click the application menu icon in the upper right corner and select the Dashboards option.
Note: If you are unable to view the Dashboards option in the menu, check with your account manager to ensure the feature has been enabled for your account.
Chronicle provides a set of default dashboards. These provide various visualizations of the data stored within your Chronicle account. These dashboards help you to understand the state of the Chronicle data ingestion system, along with the current threat status for your enterprise. All of the default dashboards include a time control.
Context Aware Detections - Risk dashboard
The Context Aware Detections Risk dashboard provides insight into the current threat status of assets and users in your enterprise. It is built using fields in the Rule Detections Explore interface and retrieves data from the Chronicle rule_detections table in BigQuery.
The severity and risk score values are variables defined in each rule. For an example, see the multi-event rule with outcome section. In each panel, data is sorted by severity first, and then by risk score, to identify the users and assets most at risk.
Context Aware Detections
Assets and Devices at Risk panel: Lists the top 10 assets based on the severity. The Severity levels are Super High, High, Large, Medium, and Low. If the hostname value is not present in the record, the IP Address is displayed.
Users at Risk panel: Lists the top 10 users based on the severity. The Severity levels are Super High, High, Large, Medium, and Low. If the user name value is not present in the record, the email is displayed.
Aggregate Risk panel: For each date, the total risk score is aggregated and displayed as an area graph.
Detection Results panel: Provides the details of various detections of the corresponding rule along with score and severity.
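The ordering the Assets and Devices at Risk and Users at Risk panels apply (severity first, then risk score, hostname falling back to IP address and user name falling back to email) can be reproduced outside the dashboard. The following Python is an added example, not code from the Chronicle documentation or product; the detection records are constructed here with assumed field names (hostname, ip, user, email, severity, risk_score) and do not reflect the schema of the rule_detections table. Keeping only each entity's single worst detection before ranking is a design choice of this example, not something the page states about the panels.

```python
"""Rank assets and users at risk the way the Context Aware Detections Risk
dashboard panels describe: by severity first, then by risk score, top 10.

Added example, not part of the Chronicle documentation. Field names and the
sample detections below are assumptions; the real rule_detections table has
its own schema, which this example does not reproduce.
"""

# Severity labels as named on the page, highest first.
SEVERITY_ORDER = ["Super High", "High", "Large", "Medium", "Low"]
SEVERITY_RANK = {label: i for i, label in enumerate(SEVERITY_ORDER)}

# Constructed detections (not real data). hostname/ip/user/email may be None.
DETECTIONS = [
    {"hostname": "fs01", "ip": "10.0.0.5", "user": "alice",
     "email": "alice@example.com", "severity": "High", "risk_score": 70},
    {"hostname": None, "ip": "10.0.0.9", "user": None,
     "email": "svc-backup@example.com", "severity": "Super High", "risk_score": 40},
    {"hostname": "web02", "ip": "10.0.1.2", "user": "bob",
     "email": "bob@example.com", "severity": "High", "risk_score": 85},
    {"hostname": "fs01", "ip": "10.0.0.5", "user": "alice",
     "email": "alice@example.com", "severity": "Medium", "risk_score": 95},
    {"hostname": "db01", "ip": "10.0.2.7", "user": "carol",
     "email": "carol@example.com", "severity": "Low", "risk_score": 99},
    # A label the page does not list; a rule author can define any value.
    {"hostname": "lap-17", "ip": "10.0.3.4", "user": "dave",
     "email": "dave@example.com", "severity": "Critical", "risk_score": 10},
]


def display_name(record, primary, fallback):
    """Return record[primary], or record[fallback] when primary is missing,
    mirroring the hostname->IP and user name->email fallback on the panels."""
    return record.get(primary) or record.get(fallback) or "<unknown>"


def rank_at_risk(detections, primary, fallback, top_n=10):
    """Return [(name, severity, risk_score)] sorted by severity, then score.

    Each entity keeps its single worst detection (highest severity, then
    highest risk score) so an entity with many low-severity hits does not
    crowd out one with a single critical hit. Severity labels not in
    SEVERITY_ORDER sort last instead of raising.
    """
    worst = {}
    for rec in detections:
        name = display_name(rec, primary, fallback)
        # Lower tuple sorts first: lower severity rank, then higher score.
        key = (SEVERITY_RANK.get(rec["severity"], len(SEVERITY_ORDER)),
               -rec["risk_score"])
        if name not in worst or key < worst[name][0]:
            worst[name] = (key, rec["severity"], rec["risk_score"])
    ranked = sorted(worst.items(), key=lambda kv: kv[1][0])
    return [(name, sev, score) for name, (_, sev, score) in ranked[:top_n]]


def assets_at_risk(detections, top_n=10):
    """Assets and Devices at Risk panel: hostname, falling back to IP."""
    return rank_at_risk(detections, "hostname", "ip", top_n)


def users_at_risk(detections, top_n=10):
    """Users at Risk panel: user name, falling back to email."""
    return rank_at_risk(detections, "user", "email", top_n)


if __name__ == "__main__":
    for row in assets_at_risk(DETECTIONS):
        print("asset", *row)
    for row in users_at_risk(DETECTIONS):
        print("user ", *row)
```

Note that a Medium detection with risk score 95 ranks below a High detection with risk score 70: severity is the primary key and risk score only breaks ties within a severity level, which is why a rule's severity assignment matters more for panel placement than its score.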
Data Ingestion and Health
The Data Ingestion and Health dashboard provides information about the type and volume of data being ingested into your Chronicle account. For most sources this volume is relatively stable and predictable, so a sudden drop in data ingestion can indicate a problem either with the systems forwarding data from your enterprise or with your Chronicle account. A silent source is also a detection gap: rules and IOC matching cannot fire on events that never arrived.
The following Data Ingestion and Health dashboard shows visualizations that help you understand the volume of ingested logs, ingestion errors, and other information.
You can view the following information in the Data Ingestion and Health dashboard:
- Ingested Events Count. The total number of events ingested.
- Ingestion Error Count. The total number of errors encountered during ingestion.
- Log Type Distribution by Events Count. A chart that shows the log types distribution based on the number of events for each log type.
- Log Type Distribution by Throughput. A chart that shows the log types distribution based on the throughput.
- Ingestion - Events by Status. A graph that shows the number of events based on their status.
- Ingestion - Events by Log Type. A table that shows the number of events based on their status and log type.
- Recently Ingested Events. A table that shows recently ingested events for each log type.
- Daily Log Information. A table that shows the numbers of logs for a day for each log type.
- Event count vs Size. Graphs that compare event counts and size over a period of time.
- Ingestion Throughput. Graphs that show ingestion throughput over a period of time.
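The dashboard leaves spotting a "sudden drop" to the eye. The following Python is an added example, not code from the Chronicle documentation or product, showing how the per-log-type daily counts the Daily Log Information table presents could be checked automatically. The daily counts are constructed sample data; the log type names are illustrative labels, and the thresholds are assumptions to tune for your own sources.

```python
"""Flag log types whose ingestion volume has dropped sharply.

Added example, not part of the Chronicle documentation. For each log type
it compares the most recent day's event count with the median of the
preceding days and reports any log type that fell below a threshold
fraction of that baseline, or that went silent entirely.
"""
from collections import defaultdict
from statistics import median

# Constructed sample of daily event counts per log type (not real data).
# Each tuple: (day, log_type, ingested_events)
SAMPLE_DAILY_COUNTS = [
    ("2024-03-01", "WINDOWS_AD", 120_000),
    ("2024-03-02", "WINDOWS_AD", 118_500),
    ("2024-03-03", "WINDOWS_AD", 121_200),
    ("2024-03-04", "WINDOWS_AD", 119_800),
    ("2024-03-05", "WINDOWS_AD", 3_400),       # forwarder partially down
    ("2024-03-01", "GCP_CLOUDAUDIT", 40_000),
    ("2024-03-02", "GCP_CLOUDAUDIT", 41_000),
    ("2024-03-03", "GCP_CLOUDAUDIT", 39_500),
    ("2024-03-04", "GCP_CLOUDAUDIT", 40_200),
    ("2024-03-05", "GCP_CLOUDAUDIT", 40_900),  # healthy
    ("2024-03-01", "CS_EDR", 9_000),
    ("2024-03-02", "CS_EDR", 9_100),
    ("2024-03-03", "CS_EDR", 8_900),
    ("2024-03-04", "CS_EDR", 9_050),
    # CS_EDR has no row for 2024-03-05: the source stopped sending.
]


def daily_series(rows):
    """Return {log_type: {day: count}} from (day, log_type, count) rows."""
    series = defaultdict(dict)
    for day, log_type, count in rows:
        series[log_type][day] = series[log_type].get(day, 0) + count
    return series


def detect_ingestion_drops(rows, drop_ratio=0.5, min_baseline_days=3):
    """Return {log_type: (latest_count, baseline_median, reason)} for log
    types whose latest-day count is below drop_ratio * baseline.

    The latest day is the most recent day seen across all log types, so a
    source with no row for that day is reported with a count of 0 rather
    than being skipped. The median is used as the baseline so one spiky
    day does not distort it.
    """
    series = daily_series(rows)
    all_days = sorted({day for day, _, _ in rows})
    if len(all_days) < min_baseline_days + 1:
        raise ValueError("not enough days to form a baseline")
    latest_day = all_days[-1]
    baseline_days = all_days[:-1]

    drops = {}
    for log_type, by_day in sorted(series.items()):
        baseline_counts = [by_day[d] for d in baseline_days if d in by_day]
        if len(baseline_counts) < min_baseline_days:
            continue  # source too new to judge; avoid a false alarm
        baseline = median(baseline_counts)
        latest = by_day.get(latest_day, 0)
        if latest == 0:
            drops[log_type] = (latest, baseline, "no events on latest day")
        elif latest < drop_ratio * baseline:
            drops[log_type] = (latest, baseline,
                               f"below {drop_ratio:.0%} of baseline")
    return drops


if __name__ == "__main__":
    for lt, (latest, base, why) in detect_ingestion_drops(SAMPLE_DAILY_COUNTS).items():
        print(f"{lt}: latest={latest} baseline={base:.0f} ({why})")
```

The check uses the most recent day across all sources as the reference day on purpose: a per-source "last seen" day would never notice a source that has gone completely quiet, which is exactly the failure the dashboard paragraph warns about.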
Indicator of Compromise (IOC) Matches
The Indicator of Compromise (IOC) Matches dashboard provides visibility into the IOCs currently present in your enterprise. It includes the following IOC charts:
- IOC Matches Over Time by Category
- Top 10 Domains IOC indicators
- Top 10 IP IOC Indicators
- Top 10 Assets by IOC Matches
Main
The Main dashboard displays information about the status of the Chronicle data ingestion system. It also includes a global map highlighting the geographic location of the IOCs detected within your enterprise.
Note: The mapping feature is unavailable in some regions of the world.
Rule Detections
The Rule Detections dashboard provides insight into activity related to the detection engine and the configured rules. Since your security analysts configure these rules to search for specific threats, this information might be particularly relevant to your organization.
User Sign In Overview
The User Sign In Overview dashboard provides insight into where your users are signing in to your enterprise from and which applications they are signing in to. This information can be useful for tracking attempts by malicious actors to access your enterprise. For example, you might find that a particular user has attempted to access your enterprise from a country where you do not have an office, or that a user in administration appears to be repeatedly accessing an accounting application.
User Sign in Overview
Copying a Default Dashboard
The Chronicle default dashboards cannot be modified. However, you can make a copy of any of the default dashboards and add it to either the Personal or Shared dashboards sections. The copies can be modified, enabling you to customize these dashboards for your enterprise as needed.
To copy a default dashboard, click the three-dot menu icon. The following options are available:
- Copy to Personal
- Copy to Shared
Personal dashboards are visible only to you, based on your username. Shared dashboards are visible to all members of your organization's Chronicle account, so anything you copy to Shared is readable by every user of that account.
Options - Copy to Personal or Shared
Once you have made a copy of a default dashboard, you can select it from the Personal or Shared Dashboards section. Click the three-dot menu in the upper right corner and select Edit dashboard. You can then edit any of the dashboard elements by selecting the three-dot menu on the element and selecting Edit. This opens the Looker popup window, enabling you to modify the element further.
See Example: Creating a New Dashboard for an example of how to create a new dashboard. Creating a new dashboard is much like editing an existing dashboard.
Note: The Chronicle dashboards are built with Looker. For detailed information on all of the features and capabilities of Looker dashboards, see the Looker documentation.
Example: Creating a New Dashboard
You can create a new dashboard in either the Personal or Shared Dashboards section. Personal dashboards are visible only to you. Shared dashboards are visible to all members of your team who also have access to your Chronicle account.
Note: This feature is built on Looker. For detailed information on all of the features and capabilities of Looker dashboards, see the Looker documentation.
The following example illustrates how to create a dashboard for monitoring the top 25 IOCs in your enterprise:
Click NEW to create a new dashboard.
Click Edit Dashboard.
Click Add Tile. The options available in the following steps mirror what is also available from a Looker account.
Choose an Explore from the following list. Explores are the classes of data within your Chronicle account you can use to create a data visualization for your new dashboard.
- Ingestion Stats
- IOC Matches
- Rule Detections
Choose an Explore
Select Ioc Matches (Ioc - Indicator of Compromise).
For Dimensions, select Asset Hostname and Confidence Score from the left navigation panel. You typically need to select at least two dimensions to create a new visualization.
Sort the Ioc Matches Confidence Score column from highest to lowest and set the Row Limit to 25 as shown in the figure.
Select the Table icon and click Run to test the visualization against your Chronicle data.
The following table is displayed with the Top 25 IOCs by Confidence against Assets within your enterprise. Give the Explore a title (Top 25 IOCs in this example) in the upper left corner of the pop-up window. Click Save to save the Explore and return to the Dashboards window.
Top 25 IOCs
Give the new dashboard a name (Check First in this example). Click Save. The Dashboards page is displayed with the added new dashboard.
New dashboard displaying the Top 25 IOCs
For additional functionality, you can use the BigQuery export feature in conjunction with your own Looker account.