Dashboards overview

Google Security Operations SIEM dashboards can be used to view and analyze the data in Google Security Operations SIEM, including security telemetry, ingestion metrics, detections, alerts, and IOCs. These dashboards are built upon the capabilities of Looker.

Google Security Operations SIEM provides you with multiple default dashboards, described in this document. You can also create custom dashboards.

Default dashboards

To navigate to the Dashboards page, click Dashboards in the left navigation.

Default dashboards contain predefined visualizations of the data stored within your Google Security Operations SIEM instance. These dashboards are designed for a specific use case, such as understanding the state of the Google Security Operations SIEM data ingestion system or monitoring the threat status in your enterprise.

Each default dashboard includes a time range filter that lets you view data for a specific time period. This can be helpful when troubleshooting issues or identifying trends. For example, you can use the filter to view data for the past week or over a specific time range.

Default dashboards cannot be modified. You can make a copy of a default dashboard, and then modify the new dashboard to support a specific use case.

Google Security Operations SIEM provides the following default dashboards:

Main dashboard

The Main dashboard displays information about the status of the Google Security Operations SIEM data ingestion system. It also includes a global map highlighting the geographic location of the IOCs detected within your enterprise.

You can view the following visualizations in the Main dashboard:

  • Ingested Events: the total number of events ingested.
  • Throughput: the volume of data ingested over the selected time period.
  • Alerts: the total number of alerts that occurred.
  • Events Over Time: a column chart of the events that occurred over the selected time period.
  • Global Threat Map - IOC IP Matches: the geographic locations from which IOC-matching events occurred.

Preview Dashboard

You can use the preview dashboards feature of Google Security Operations to build visualizations over different data sources. A Google Security Operations dashboard is composed of different charts, which are populated using YARA-L 2.0.

Data Sources for Google Security Operations preview dashboards

The following data sources are available in preview dashboards with the following YARA-L prefix.

YARA-L 2.0 syntax for Google Security Operations preview dashboards

YARA-L 2.0 has the following unique properties when used in preview dashboards:

  • Additional data sources, such as entity graph, ingestion metrics, rule sets, and detections are available in dashboards. These data sources are not yet available in YARA-L rules and UDM search.

  • Google Security Operations preview dashboards use YARA-L syntax, not UDM search syntax. For more information, see YARA-L 2.0 functions for Google Security Operations preview dashboards and aggregate functions that include statistical measures. A UDM search expression (for example, principal.hostname = "john") does not work in a preview dashboard chart query.

  • The events section of a YARA-L rule is implied and does not need to be declared in queries.

  • The condition section of a YARA-L rule is not used for dashboards.

Getting started with Google Security Operations preview dashboards

Create a new dashboard

To create a new dashboard, do the following:

  1. On the Preview dashboards page, click Create dashboard. The Create dashboard window appears.

  2. Enter a name and description for your dashboard.

  3. In the Start with Existing Dashboard list, select Blank dashboard. You can also start by copying an existing dashboard.

  4. Set the access for your dashboard to either private or shared. Private dashboards are only visible to you whereas shared dashboards are visible to all users within your organization.

  5. Click Create to create a new dashboard.

Add a chart

A dashboard is composed of charts that are populated with data using YARA-L. To add a chart to your dashboard, do the following:

  1. On the Editing dashboard page, click Add chart.

  2. In the Search section, enter a YARA-L query to explore and transform your data. The following YARA-L query retrieves the dates and severity levels of detections, filtering out those with unknown severity, and counts the distinct detections for each date. The detections are sorted by date in ascending order.

    // Bucket each detection by the calendar date on which it was created.
    $date = timestamp.get_date(detection.created_time.seconds)
    $severity = detection.detection.severity
    // Drop detections whose severity was never set.
    $severity != "UNKNOWN_SEVERITY"
    match:
        $date, $severity
    outcome:
        // One row per (date, severity) pair: the number of distinct detection IDs.
        $detection_count = count_distinct(detection.id)
    order:
        $date asc
    
  3. Select either an absolute or a relative time range for the query.

  4. After you have entered the query, click Run Search. The results are displayed in a tabular format, which is the default chart type.

  5. In the Chart details, enter a name for the chart.

  6. To turn the data from your tabulated search results into a bar graph, select Chart type > Bar graph.

  7. In the Data settings, enter a data type and field value for the X-axis and Y-axis. To build on the example YARA-L rule, you can enter the following values:

    • X-axis field: date
    • Y-axis field: detection_count

  8. In the Axis label, enter a label for the X-axis and the Y-axis.

  9. In the Grouping, select Grouped.

  10. In the Series, set the field for grouping to severity. This changes the chart to be grouped by severity.

  11. Review the results and then click Add to dashboard.
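To see exactly which rows the chart query above produces, and to cross-check a chart against detections exported from the API, the following Python replicates the query's semantics: bucket by calendar date and severity, drop UNKNOWN_SEVERITY, count distinct detection IDs per bucket, and sort by date. This is an added example, not code from the Google Security Operations product or documentation. The detection records are constructed sample data, the date is computed in UTC (an assumption about the default time zone of timestamp.get_date), and rows within one date are additionally sorted by severity for determinism, which the YARA-L query does not promise.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample detections (not real Chronicle output). Each record carries
# the three fields the dashboard query reads: detection.created_time.seconds,
# detection.detection.severity and detection.id. "de_2" appears twice on purpose
# to show that count_distinct counts it once.
SAMPLE_DETECTIONS = [
    {"id": "de_1", "created_time_seconds": 1700000000, "severity": "HIGH"},
    {"id": "de_2", "created_time_seconds": 1700001000, "severity": "HIGH"},
    {"id": "de_2", "created_time_seconds": 1700001000, "severity": "HIGH"},
    {"id": "de_3", "created_time_seconds": 1700002000, "severity": "MEDIUM"},
    {"id": "de_4", "created_time_seconds": 1700005000, "severity": "UNKNOWN_SEVERITY"},
    {"id": "de_5", "created_time_seconds": 1700086400, "severity": "LOW"},
    {"id": "de_6", "created_time_seconds": 1700090000, "severity": "HIGH"},
]


def get_date(unix_seconds):
    """Equivalent of timestamp.get_date: YYYY-MM-DD string (UTC assumed)."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%d")


def chart_rows(detections):
    """Return [(date, severity, detection_count)] as the chart query would.

    match: $date, $severity  -> group key
    outcome: count_distinct(detection.id) -> len(set of ids)
    order: $date asc -> sorted by date (severity used as a tie-break here)
    """
    buckets = defaultdict(set)
    for d in detections:
        if d["severity"] == "UNKNOWN_SEVERITY":   # $severity != "UNKNOWN_SEVERITY"
            continue
        buckets[(get_date(d["created_time_seconds"]), d["severity"])].add(d["id"])
    rows = [(date, sev, len(ids)) for (date, sev), ids in buckets.items()]
    return sorted(rows, key=lambda r: (r[0], r[1]))


def series_by_severity(rows):
    """Pivot the rows into the shape of a grouped bar chart: {severity: {date: count}}."""
    series = defaultdict(dict)
    for date, sev, count in rows:
        series[sev][date] = count
    return dict(series)


if __name__ == "__main__":
    for row in chart_rows(SAMPLE_DETECTIONS):
        print(row)
    print(series_by_severity(chart_rows(SAMPLE_DETECTIONS)))
```

If the dashboard shows a different count from this script on the same exported detections, the usual causes are the chart's own time range (the query only sees detections inside it) and the time zone used when bucketing by date.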

Add a filter

A filter narrows the data shown by a specific field. It affects only the charts whose query uses that field.

To add a filter, do the following:

  1. On the main dashboard page, click the pencil icon to edit the dashboard.

  2. On the Editing dashboard page, click the filter icon to add a filter.

  3. On the Manage filters window, click the plus icon to configure a new filter.

  4. In the Field to filter field, enter a field based on which you want to filter the data. For example, detection.collection_elements.references.event.principal.hostname

  5. In the Filter name field, enter a name for the filter.

  6. In the Apply to field, select a chart on which the filter needs to be applied.

  7. Optional: Set a default value for the filter.

  8. Click Done to add the filter and close the Manage filters window.

Apply the filter

To apply a filter to the chart, do the following:

  1. In the dashboard view, click the filter icon to view the dashboard filters.

  2. On the Dashboard filters window, select the filter you created.

  3. Enter a value for the field on which you want to filter.

  4. Click Apply. The chart on which the filter is applied is updated to reflect the filtered results.

Add a global time filter

You can apply a global time filter to select the time range over which data is viewed across all charts. The global time filter is available by default for all charts and handles time across all data sources. Other time filters (for example, a filter on the metadata.event_timestamp field) only narrow the data within the time range already selected in the individual chart. A global time filter, when applied, takes precedence over the time period selected in the individual chart.

To add a global time filter, do the following:

  1. On the main dashboard page, click the pencil icon to edit the dashboard.

  2. On the Editing dashboard page, click the filter icon to add a filter.

  3. On the Manage filters window, select Global time filter from the filters list.

  4. Click the toggle to ensure that the global time filter is enabled.

  5. In the Apply to field, select the charts on which the global time filter needs to be applied.

  6. In the Set default values field, set a time range over which data is viewed in either absolute or relative terms.

  7. Click Done to add the filter and close the Manage filters window.

Cloud Detection and Response Overview dashboard

The Cloud Detection and Response dashboard helps you monitor the security status of your cloud environment and investigate potential threats. The dashboard shows visualizations that help you understand the volume of data sources, rule sets, alerts, and other information.

The Time filter lets you filter the data by time period.

The GCP Log Type filter lets you filter the data by Google Cloud log type.

You can view the following visualizations in the Cloud Detection and Response Overview dashboard:

  • CDIR Rulesets Enabled: displays the percentage of Google Security Operations SIEM rule sets enabled for your cloud environment, out of the total rule sets provided by GCTI for Google Security Operations SIEM users. GCTI provides multiple prepackaged curated rule sets, each of which you can enable or disable.

  • GCP Data Sources Covered: displays the percentage of data sources covered, out of the total Google Cloud data sources available. For example, if you can ingest data by using 40 log types but you send data for only 20, the tile displays 50%.

  • CDIR alerts: displays the number of alerts raised by the rules in your GCTI rule sets for Cloud threats. You can use the Time filter to set the number of days for which this data is displayed.

  • Recent Alerts: displays recent alerts with their severity and risk score. You can sort the table by the Event Timestamp Time column and navigate to each alert for more information. The table also shows the number of aggregated security findings from Security Command Center; these findings are generated by GCTI curated detection rule sets and are categorized by finding type. You can use the Time filter to set the number of days for which this data is displayed.

  • Alerts by Severity Over Time: displays the total alerts by severity, trending over time. You can use the Time filter to set the number of days for which this data is displayed.

  • Detection Coverage: provides information about Google Security Operations SIEM rule sets and their status, total detections, and the date of the most recent detection. You can use the Time filter to set the number of days for which this data is displayed.

  • Cloud Data Coverage: provides information about all available Google Cloud services, parsers that cover each service, first seen event, last seen event, and the total throughput.

For more information about CDIR rule sets, see Overview of Cloud Threats Category.

The table is followed by graphs of all Google Cloud services with their associated data that show their ingestion trend over the following time intervals:

  • Last 24 hours
  • Last 30 days
  • Last six months

Context Aware Detections - Risk dashboard

The Context Aware Detections - Risk dashboard provides insight into the current threat status of assets and users in your enterprise. It is built using fields in the Rule Detections explore interface.

The severity and risk score values are variables defined in each rule. For an example, see Outcome section syntax. In each panel, data is sorted based on severity, and then risk score to identify users and assets most at risk.

You can view the following visualizations in the Context Aware Detections - Risk dashboard:

  • Assets and Devices at Risk: lists the top 10 assets, ranked by the severity that you set in the rule's Meta > Severity field. See Meta section syntax. The severity levels are Super High, Critical, High, Large, Medium, and Low. If the hostname value is not present in the record, the IP address is displayed instead.
  • Users at Risk: lists the top 10 users, ranked by severity. The severity levels are Super High, Critical, High, Large, Medium, and Low. If the username value is not present in the record, the email ID is displayed instead.
  • Aggregate Risk: for each date, displays the total aggregated risk score.
  • Detection Results: displays details about the detections returned by detection engine rules. The table includes the rule name, detection ID, risk score, and severity.
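The ranking the panels above describe (sort by severity, then by risk score, fall back from hostname to IP address, sum risk per date) is easy to reproduce from exported detections when you want to check why a particular asset appears at the top. The following Python is an added example, not code from the Google Security Operations product. The detection records are constructed sample data; the severity order is the one the page lists (Super High first); and reducing each asset to its single worst detection before ranking is an assumption about how the panel aggregates, not something the page states.

```python
from collections import defaultdict

# Severity labels as listed on the page, highest first. Lower index = more severe.
SEVERITY_ORDER = ["Super High", "Critical", "High", "Large", "Medium", "Low"]
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample detections (not real Chronicle output). Each record holds the
# asset identifiers, the rule's severity and risk_score outcome, and the detection date.
SAMPLE_DETECTIONS = [
    {"hostname": "web-01", "ip": "10.0.0.5", "severity": "High",     "risk_score": 60, "date": "2023-11-14"},
    {"hostname": "",       "ip": "10.0.0.9", "severity": "Critical", "risk_score": 40, "date": "2023-11-14"},
    {"hostname": "web-01", "ip": "10.0.0.5", "severity": "Medium",   "risk_score": 90, "date": "2023-11-15"},
    {"hostname": "db-02",  "ip": "10.0.0.7", "severity": "High",     "risk_score": 80, "date": "2023-11-15"},
    {"hostname": "db-02",  "ip": "10.0.0.7", "severity": "Low",      "risk_score": 10, "date": "2023-11-14"},
]


def asset_label(detection):
    """Hostname if present, otherwise the IP address, as the panel displays it."""
    return detection["hostname"] or detection["ip"]


def sort_key(detection):
    """Most severe first, then highest risk score first (the panel's sort order)."""
    return (SEVERITY_RANK[detection["severity"]], -detection["risk_score"])


def top_assets_at_risk(detections, n=10):
    """Return up to n (asset, severity, risk_score) tuples, worst asset first.

    Assumption: each asset is represented by its single worst detection, so an
    asset with many low-severity hits does not outrank one critical hit.
    """
    worst = {}
    for d in detections:
        label = asset_label(d)
        if label not in worst or sort_key(d) < sort_key(worst[label]):
            worst[label] = d
    ranked = sorted(worst.values(), key=sort_key)
    return [(asset_label(d), d["severity"], d["risk_score"]) for d in ranked[:n]]


def aggregate_risk_by_date(detections):
    """Total risk score per date, as the Aggregate Risk panel plots it."""
    totals = defaultdict(int)
    for d in detections:
        totals[d["date"]] += d["risk_score"]
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    for row in top_assets_at_risk(SAMPLE_DETECTIONS):
        print(row)
    print(aggregate_risk_by_date(SAMPLE_DETECTIONS))
```

Note that the asset at 10.0.0.9 ranks first despite the lowest risk score, because severity is compared before risk score; risk score only breaks ties within one severity level.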

Data Ingestion and Health dashboard

The Data Ingestion and Health dashboard provides information about the type, volume, and health of data being ingested into your Google Security Operations SIEM tenant. You can use this dashboard to monitor for anomalies in your environment.

This dashboard provides visualizations that help you understand the volume of ingested logs, ingestion errors, and other relevant information. The data on the dashboard is refreshed every 15 minutes, so you might need to wait up to 15 minutes to see the latest information.

You can view the following visualizations in the Data Ingestion and Health dashboard:

  • Ingested Events Count: the total number of events ingested.
  • Ingestion Error Count: the total number of errors encountered during ingestion.
  • Log Type Distribution by Events Count: displays the log types distribution based on the number of events for each log type.
  • Log Type Distribution by Throughput: displays the log types distribution based on the throughput.
  • Ingestion - Events by Status: displays the number of events based on their status.
  • Ingestion - Events by Log Type: displays the number of events based on their status and log type.
  • Recently Ingested Events: displays recently ingested events for each log type.
  • Daily Log Information: displays the number of logs per day for each log type.
  • Event count vs Size: compares event count and size over a period of time.
  • Ingestion Throughput: displays ingestion throughput over a period of time.

IOC Matches dashboard

The Indicator of Compromise (IOC) Matches dashboard provides visibility into the IOCs present in your enterprise.

You can view the following visualizations in the IOC Matches dashboard:

  • IOC Matches Over Time by Category: displays the number of IOC matches based on their category.
  • Top 10 Domains IOC indicators: lists the top 10 domain IOC indicators along with the count.
  • Top 10 IP IOC Indicators: lists the top 10 IP address IOC indicators along with the count.
  • Top 10 Assets by IOC Matches: lists the top 10 assets by IOC matches along with the count.
  • Top 10 IOC matches by Category, Type, and Count: lists the top 10 IOC matches by category and type, along with the count.
  • Top 10 IOC Values: lists the top 10 IOC values along with the count.
  • Top 10 Rarely Seen Values: lists the top 10 rarely occurring IOC matches along with the count.

Rule Detections dashboard

The Rule Detections dashboard provides insight into the detections returned by detection engine rules. To receive detections, you must enable rules. For more information, see Running a rule against live data.

You can view the following visualizations in the Rule Detections dashboard:

  • Rule Detections Over Time: displays the number of rule detections over a period of time.
  • Rule Detections by Severity: displays the severity of the rule detections.
  • Rule Detections by Severity Over Time: displays the daily count of detections by severity over time.
  • Top 10 Rule Names by Detections: lists the top 10 rules returning the largest number of detections.
  • Rule Detections by Name Over Time: displays the rules that returned detections each day and the number of detections returned.
  • Top 10 Users by Rule Detections: lists the top 10 user identifiers which appeared in events that triggered detections.
  • Top 10 Asset Names by Rule Detections: lists the top 10 asset names which appeared in events that triggered detections, such as hostname.
  • Top 10 IPs by Rule Detections: lists the top 10 IP addresses which appeared in events that triggered detections.

User Sign In Overview dashboard

The User Sign In Overview dashboard provides insight into users signing in to your enterprise. This information can be useful for tracking attempts by malicious actors to access your enterprise.

For example, you might find that a particular user has attempted to access your enterprise from a country where you don't have an office, or that a specific user repeatedly accesses an accounting application.

You can view the following visualizations in the User Sign In Overview dashboard:

  • Number of Successful Sign Ins: the total number of successful sign ins.
  • Number of Failed Sign Ins: the total number of failed sign ins.
  • Sign Ins By Status: displays the split of successful and failed sign-ins.
  • Sign Ins by Status Over Time: displays the split of successful and failed sign-ins over the time range.
  • Top 10 Applications By Sign Ins: displays the 10 applications with the most sign ins, split by application.
  • Sign Ins By Application: lists the count of each sign in status for each application. The counts are derived from the value your parser writes to the security_result.action field. See Event enumerated types.
  • Top 10 Countries by Sign Ins: displays the count of top 10 countries where users signed in from.
  • Sign Ins by Country: displays the count of all countries where users signed in from.
  • Top 10 Sign Ins By IP: displays the top 10 IP addresses where users signed in from.
  • Sign In Location Map: displays the locations of IP addresses where users signed in from.
  • Top 10 Users by Sign In Status: displays the count of each sign in status for each user. The counts are derived from the value your parser writes to the security_result.action field. See Event enumerated types.
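Because the status split in this dashboard comes from whatever your parser puts in security_result.action, a parser that leaves the field unset or uses an unexpected value silently drops those sign ins from the successful and failed counts. The following Python is an added example, not code from the Google Security Operations product, that classifies constructed UDM-style login events the way a practitioner would when validating a parser before trusting the dashboard. The mapping of ALLOW to a successful sign in and BLOCK to a failed one, and the decision to count an event as failed if any of its security_result entries is BLOCK, are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed UDM-style USER_LOGIN events (not real Chronicle data). Only the fields
# the dashboard tiles read are included. The last event has no security_result.action
# set, which is the parser defect this example is meant to surface.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "Okta",  "ip": "198.51.100.7", "country": "US", "actions": ["ALLOW"]},
    {"user": "alice", "app": "Okta",  "ip": "198.51.100.7", "country": "US", "actions": ["ALLOW"]},
    {"user": "bob",   "app": "VPN",   "ip": "203.0.113.9",  "country": "BR", "actions": ["BLOCK"]},
    {"user": "bob",   "app": "VPN",   "ip": "203.0.113.9",  "country": "BR", "actions": ["BLOCK"]},
    {"user": "bob",   "app": "VPN",   "ip": "203.0.113.9",  "country": "BR", "actions": ["ALLOW", "BLOCK"]},
    {"user": "carol", "app": "Okta",  "ip": "192.0.2.44",   "country": "US", "actions": []},
]


def sign_in_status(event):
    """Map security_result.action values to the dashboard's status.

    Assumption: BLOCK anywhere in the repeated security_result field means a failed
    sign in; otherwise ALLOW means successful; anything else is unknown and is not
    counted in either tile.
    """
    actions = set(event["actions"])
    if "BLOCK" in actions:
        return "failed"
    if "ALLOW" in actions:
        return "successful"
    return "unknown"


def sign_ins_by_status(events):
    """Counts behind 'Number of Successful/Failed Sign Ins' plus the uncounted remainder."""
    return dict(Counter(sign_in_status(e) for e in events))


def status_by_key(events, key):
    """Per-application or per-user status counts, e.g. key='app' or key='user'."""
    table = defaultdict(Counter)
    for e in events:
        table[e[key]][sign_in_status(e)] += 1
    return {k: dict(v) for k, v in table.items()}


def top_by_key(events, key, n=10):
    """Top n values of a field by total sign ins (countries, IPs, applications)."""
    return Counter(e[key] for e in events).most_common(n)


def unclassified_events(events):
    """Events the dashboard would not count as successful or failed: a parser check."""
    return [e for e in events if sign_in_status(e) == "unknown"]


if __name__ == "__main__":
    print(sign_ins_by_status(SAMPLE_EVENTS))
    print(status_by_key(SAMPLE_EVENTS, "app"))
    print(top_by_key(SAMPLE_EVENTS, "country"))
    print("unclassified:", unclassified_events(SAMPLE_EVENTS))
```

Run this against a sample of events from each login source you ingest; a non-empty unclassified list means the parser, not the dashboard, is where the fix belongs.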