Preview Dashboards overview
You can use the Preview Dashboards feature of Google Security Operations to build visualizations over different data sources. It is composed of different charts, which are populated using YARA-L 2.0.
Before you begin
Ensure that your Google SecOps instance has the following enabled:
Configure a Google Cloud project or migrate your Google SecOps instance to an existing cloud project.
Configure a Google Cloud Identity provider or third-party identity provider.
IAM permissions required for Preview Dashboards
IAM permission | Purpose |
---|---|
chronicle.nativeDashboards.create | To create a new Preview Dashboard. |
chronicle.nativeDashboards.delete | To delete a Preview Dashboard. |
chronicle.nativeDashboards.duplicate | To make a copy of a Preview Dashboard. |
chronicle.nativeDashboards.get | To view a Preview Dashboard. |
chronicle.nativeDashboards.list | To view the list of all Preview Dashboards. |
chronicle.nativeDashboards.update | To add and modify charts, update filters, and to change dashboard access. |
YARA-L 2.0 has the following unique properties when used in Preview Dashboards
Additional data sources, such as entity graph, ingestion metrics, rule sets, and detections are available in dashboards. Some of these data sources are not yet available in YARA-L rules and UDM search.
See YARA-L 2.0 functions for Google Security Operations Preview Dashboards and aggregate functions that include statistical measures.
A YARA-L 2.0 query must contain a match section, an outcome section, or both. The events section of a YARA-L rule is implied and does not need to be declared in queries.
The condition section of a YARA-L rule is not available for dashboards.
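As an added illustration (not taken from the Google SecOps documentation), the following dashboard query over the Events data source follows these rules: the leading filter lines are the implied events section, both a match and an outcome section are present, and no condition section is used. The UDM field names are standard; the trailing order and limit sections are assumed to be accepted by the dashboard query editor.

```yaral
// Added example, not from the Google SecOps docs.
// Events data source: no YARA-L prefix on the field names.
// These filter lines are the implied events section; no
// event variable ($e) and no condition section are declared.
metadata.event_type = "USER_LOGIN"
security_result.action = "BLOCK"

// One row per user account that had blocked logins.
match:
  principal.user.userid

// Aggregates feed the chart: blocked-login count per user and
// the number of distinct source hosts those attempts came from.
outcome:
  $blocked_logins = count(metadata.id)
  $source_hosts = count_distinct(principal.hostname)

// Assumed to be supported by the dashboard editor: surface the
// ten accounts with the most blocked logins for the chart.
order:
  $blocked_logins desc
limit:
  10
```

Charting $blocked_logins against $source_hosts makes a single account hit from many hosts stand out from a user who simply mistyped a password a few times.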
Data sources supported by Preview Dashboards
The following data sources are available in Preview Dashboards with the following YARA-L prefix.
Data source | Query time interval | YARA-L prefix | Schema |
---|---|---|---|
Events | 90 days | no prefix | Fields |
Entity graph | 365 days | graph | Fields |
Ingestion metrics | 365 days | ingestion | Fields |
Rule sets | 365 days | ruleset | Fields |
Detections | 365 days | detection | Fields |
IOCs | 365 days | ioc | Fields |
Impact of data RBAC for Preview Dashboards
Data role-based access control (data RBAC) is a security model that uses individual user roles to restrict user access to data within an organization. With data RBAC, administrators can define scopes and assign them to users to help ensure that users can access only the necessary data for their job functions. All the queries executed in Preview Dashboards are supported by data RBAC. For more information on access controls and scopes, see Access controls and scopes in data RBAC.
Events, entity graph, and IOC matches
The data returned from these sources aligns with the user's data access scopes. Users only see results from data within their assigned scopes. If a user has multiple scopes, queries run across the combined data of all authorized scopes. Data outside the user's accessible scopes doesn't appear in search results.
Detection and rulesets with detections
Detections are generated when incoming security data matches the criteria defined in a rule. Users can only see detections that originate from rules associated with their assigned scopes.
Ingestion metrics
Ingestion components are services or pipelines that ingest logs into the platform from source log feeds. Each ingestion component collects a different set of log fields into its own ingestion metrics schema. These metrics are only visible to global users.