Dashboards overview

Chronicle SIEM dashboards can be used to view and analyze the data in Chronicle SIEM, including security telemetry, ingestion metrics, detections, alerts, and IOCs. These dashboards are built upon the capabilities of Looker.

Chronicle SIEM provides you with multiple default dashboards, described in this document. You can also create custom dashboards.

Default dashboards

To navigate to the Dashboards page, click Dashboards in the left navigation.

Default dashboards contain predefined visualizations of the data stored within your Chronicle SIEM instance. These dashboards are designed for a specific use case, such as understanding the state of the Chronicle SIEM data ingestion system or monitoring the threat status in your enterprise.

Each default dashboard includes a time range filter that lets you view data for a specific time period. This can be helpful when troubleshooting issues or identifying trends. For example, you can use the filter to view data for the past week or over a specific time range.

Default dashboards cannot be modified. You can make a copy of a default dashboard, and then modify the new dashboard to support a specific use case.

Chronicle SIEM provides the following default dashboards:

Main dashboard

The Main dashboard displays information about the status of the Chronicle SIEM data ingestion system. It also includes a global map highlighting the geographic location of the IOCs detected within your enterprise.

You can view the following visualizations in the Main dashboard:

  • Ingested Events: the total number of events ingested.
  • Throughput: the volume of data that is ingested for a specific time.
  • Alerts: the total number of alerts occurred.
  • Events Over Time: a column chart that displays the events that occurred over a period of time.
  • Global Threat Map - IOC IP Matches: the location from which IOC matching events occurred.

Cloud Detection and Response Overview dashboard

The Cloud Detection and Response dashboard helps you monitor the security status of your cloud environment and investigate potential threats. The dashboard shows visualizations that help you understand the volume of data sources, rule sets, alerts, and other information.

The Time filter lets you to filter the data by time period.

The GCP Log Type filter lets you to filter the data by Google Cloud log type.

You can view the following visualizations in the Cloud Detection and Response Overview dashboard:

  • CDIR Rulesets Enabled: displays the percentage of Chronicle SIEM rule sets enabled for your cloud environment from the total rule sets provided by GCTI for Chronicle SIEM users. GCTI provides multiple prepackaged curated rules. You can enable or disable these rule sets.

  • GCP Data Sources Covered: displays the percentage of data sources covered, out of the total Google Cloud data sources available. For example, if you can ingest data by using 40 log types but you send data for only 20, the tile displays 50%.

  • CDIR alerts: displays the number of alerts raised from the rules within your GCTI rulesets or Cloud threats. You can use the Time filter to set the number of days for which this data is displayed.

  • Recent Alerts: displays recent alerts with their severity and risk score. You can sort the table using the Event Timestamp Time column and navigate to each alert for more information. It provides the number of aggregated security findings enhanced by Security Command Center. These security findings are generated by GCTI curated detection rule sets and categorized by finding type. You can use the Time filter to set the number of days for which this data is displayed.

  • Alerts by Severity Over Time: displays the total alerts by severity, trending over time. You can use the Time filter to set the number of days for which this data is displayed.

  • Detection Coverage: provides information about Chronicle SIEM rule sets and their status, total detections, and the date of the most recent detection. You can use the Time filter to set the number of days for which this data is displayed.

  • Cloud Data Coverage: provides information about all available Google Cloud services, parsers that cover each service, first seen event, last seen event, and the total throughput.

For more information about CDIR rule sets, see Overview of Cloud Threats Category.

The table is followed by graphs of all Google Cloud services with their associated data that show their ingestion trend over the following time intervals:

  • Last 24 hours
  • Last 30 days
  • Last six months

Context Aware Detections - Risk dashboard

The Context Aware Detections - Risk dashboard provides insight into the current threat status of assets and users in your enterprise. It is built using fields in the Rule Detections explore interface.

The severity and risk score values are variables defined in each rule. For an example, see Outcome section syntax. In each panel, data is sorted based on severity, and then risk score to identify users and assets most at risk.

You can view the following visualizations in the Context Aware Detections - Risk dashboard:

  • Assets and Devices at Risk: lists the top 10 assets based on the severity that you set the rule in the Meta > Severity. See Meta section syntax. The severity levels are Super High, Critical, High, Large, Medium, and Low. If the hostname value is not present in the record, then it displays the IP address.
  • Users at Risk: lists the top 10 users based on severity. The severity levels are Super High, Critical, High, Large, Medium, and Low. If the username value is not present in the record, then it displays the email ID.
  • Aggregate Risk: for each date, displays the total aggregated risk score.
  • Detection Results: displays details about the detections returned by detection engine rules. The table includes the rule name, detection ID, risk score, and severity.

Data Ingestion and Health dashboard

The Data Ingestion and Health dashboard provides information about the type, volume, and health of data being ingested into your Chronicle SIEM tenant. You can use this dashboard to monitor for anomalies in your environment. The following image

This dashboard shows visualizations that help you understand the volume of ingested logs, ingestion errors, and other information.

You can view the following visualizations in the Data Ingestion and Health dashboard:

  • Ingested Events Count: the total number of events ingested.
  • Ingestion Error Count: the total number of errors encountered during ingestion.
  • Log Type Distribution by Events Count: displays the log types distribution based on the number of events for each log type.
  • Log Type Distribution by Throughput: displays the log types distribution based on the throughput.
  • Ingestion - Events by Status: displays the number of events based on their status.
  • Ingestion - Events by Log Type: displays the number of events based on their status and log type.
  • Recently Ingested Events: displays recently ingested events for each log type.
  • Daily Log Information: displays the numbers of logs for a day for each log type.
  • Event count vs Size: compares event count and size over a period of time.
  • Ingestion Throughput: displays ingestion throughput over a period of time.

IOC Matches dashboard

The Indicator of Compromise (IOC) Matches dashboard provides visibility into the IOCs present in your enterprise.

You can view the following visualizations in the IOC Matches dashboard:

  • IOC Matches Over Time by Category: displays the number of IOC matches based on their category.
  • Top 10 Domains IOC indicators: lists the top 10 domain IOC indicators along with the count.
  • Top 10 IP IOC Indicators: lists the top 10 IP address IOC indicators along with the count.
  • Top 10 Assets by IOC Matches: lists the top 10 assets by IOC matches along with the count.
  • Top 10 IOC matches by Category, Type, and Count: lists the top 10 IOC matches by category, type, and along with the count.
  • Top 10 IOC Values: lists the top 10 IOC values along with the count.
  • Top 10 Rarely Seen Values: lists the top 10 rarely occurring IOC matches along with the count.

Rule Detections dashboard

The Rule Detections dashboard provides insight into the detections returned by detection engine rules. To receive detections, you must enable rules. For more information, see Running a rule against live data.

You can view the following visualizations in the Rule Detections dashboard:

  • Rule Detections Over Time: displays the number of rule detections over a period of time.
  • Rule Detections by Severity: displays the severity of the rule detections.
  • Rule Detections by Severity Over Time: displays the daily count of detections by severity over time.
  • Top 10 Rule Names by Detections: lists the top 10 rules returning the largest number of detections.
  • Rule Detections by Name Over Time: displays the rules that returned detections each day and the number of detections returned.
  • Top 10 Users by Rule Detections: lists the top 10 user identifiers which appeared in events that triggered detections.
  • Top 10 Asset Names by Rule Detections: lists the top 10 asset names which appeared in events that triggered detections, such as hostname.
  • Top 10 IPs by Rule Detections: lists the top 10 IP addresses which appeared in events that triggered detections.

User Sign In Overview dashboard

The User Sign in Overview dashboard provides insight into users logging into your enterprise. This information can be useful for tracking attempts by malicious actors to access your enterprise.

For example, you might find that a particular user has attempted to access your enterprise from a country where you don't have an office or that an specific user appears to repeatedly access an accounting application.

You can view the following visualizations in the User Sign In Overview dashboard:

  • Number of Successful Sign Ins: the total number of successful sign ins.
  • Number of Failed Sign Ins: the total number of failed sign ins.
  • Sign Ins By Status: displays the split of successful and failed sign-ins.
  • Sign Ins by Status Over Time: displays the split of successful and failed sign-ins over the time range.
  • Top 10 Applications By Sign Ins: displays the split of top 10 frequent applications based on the number of sign ins.
  • Sign Ins By Application: lists the count of sign in status for each application. The count of each application is populated based on the log data that you define in the security_result.action field. See Event enumerated types.
  • Top 10 Countries by Sign Ins: displays the count of top 10 countries where users signed in from.
  • Sign Ins by Country: displays the count of all countries where users signed in from.
  • Top 10 Sign Ins By IP: displays the top 10 IP addresses where users signed in from.
  • Sign In Location Map: displays the locations of IP addresses where users signed in from.
  • Top 10 Users by Sign In Status: displays the count of sign in status for each user. The count of each application is populated based on the log data that you define in the security_result.action field. See Event enumerated types.

What's next