New To Google SecOps: Filtering Dashboards

jstoner
Staff

In our past few blogs, we’ve looked at creating a new dashboard in Google Security Operations (SecOps), adding visualizations from search and building a time chart for detections. Today, we are going to apply filters to our dashboard.

We are going to take a look at the dashboard that we previously used to build the Top Ten Event Types, Network Traffic to Suspicious ASNs and Top Talkers - Sent Bytes charts. All of these charts happen to be based on the events data set. While we could mix different datasets within a single dashboard, this may create confusion when applying filters to these charts. Today we are going to use a single dataset. In general, as you are building your dashboards, make sure that your charts and filters within a dashboard align for the audience they are intended for.

If you recall, when we created our charts, we set a relative or absolute time for each chart. These timeframes are important to bound individual charts, but oftentimes we want to take a more holistic view of the data by having a global time filter. By default, this filter is enabled and set to the past 1 day.

[Screenshot: ntc-dashboard-04-01.png]

However, while the filter is enabled, it isn’t associated with any charts, so using it won’t actually change the time ranges on the charts until you apply it to specific charts. In edit mode, click the filter to the right of the Add button to manage the filters in the dashboard.

[Screenshot: ntc-dashboard-04-02.png]

Notice that our global time filter is already set to Enabled. In case you come across this and it isn’t enabled, just click the toggle button!

The time filter contains a drop-down list used to associate the filter with the charts it should apply to, as well as the ability to set a default time value, either relative or absolute. While we do not need to apply the time filter to every chart in a dashboard, we should think about how to convey that to the others using this dashboard.

[Screenshot: ntc-dashboard-04-03.png]

In this example, we are going to apply a time filter to our Top Talkers - Sent Bytes and Top Ten Event Types charts. Previously, these had relative time ranges of seven days and one day, respectively. While we are at it, let’s make our default time range 3 days for our time filter. Once we have completed the modifications to our filters, click Done and close the pop-up.

[Screenshot: ntc-dashboard-04-04.png]

Now when I load my dashboard, I can see on the right side of the page my time range is for the past 3 days. Notice how each chart has its own time range displayed. The two that we associated with the global time filter have date ranges in the past three days, while the Network Traffic to Suspicious ASNs has a time range back to November. It is still using the relative 90 days that we specified when building the chart.

[Screenshot: ntc-dashboard-04-05.png]

Users can change the time range when viewing the dashboard by clicking on the time selector in the right corner of the dashboard and then modifying the filter in the pop-up and clicking Apply.

[Screenshot: ntc-dashboard-04-06.png]

Notice that when I change the time filter to 1 day, the charts for Top Talkers - Sent Bytes and Top Ten Event Types change, but the chart for Network Traffic to Suspicious ASNs hasn’t changed at all.

[Screenshot: ntc-dashboard-04-07.png]

Let’s add a filter for the field principal.ip. Again, make sure you are in edit mode and click the filter button. The Manage filters pop-up will appear. We can click on the plus sign and select the field we want to filter on from our list. We can change the filter name, but for simplicity’s sake, let’s not change the name today. Like the global time filter, we need to specify which charts this filter applies to. For now, we are going to associate this filter only with the Top Talkers - Sent Bytes chart. Finally, we have the option of setting default values for the filter. The operators available depend on the type of the field we are filtering on.

[Screenshot: ntc-dashboard-04-08.png]

Now that we have our filter, we can view our dashboard. To apply a field filter to our dashboard, we click on the filter on the left side of the dashboard. Remember, for the time filter, we clicked on the time on the right side of the dashboard. We can see that this field is applicable to a chart, and we can use the operators and text box to input criteria. We can add additional logic around the principal.ip field here, and we can remove the filter by clicking on the trash can as well. Once we are happy with our logic, we can click Apply.

[Screenshot: ntc-dashboard-04-09.png]

Notice that the filter at the top of the dashboard has now changed and is showing a pill with the filter in it. Additionally, the Top Talkers - Sent Bytes chart has a small filter icon next to it with the number two in parentheses. Finally, the result set in the chart is showing IP pairs where the first value is 10.128.0.22, which is the principal.ip address.

[Screenshot: ntc-dashboard-04-10.png]

In fact, if we click on the filter icon in the title bar of the chart, we will see which filters are applied. Here we can see that both the Global Time Filter and the principal.ip filter have been applied. This is a good example of why a descriptive name for that principal.ip filter is worth considering.

[Screenshot: ntc-dashboard-04-11.png]

Other charts in the same dashboard, like the Top Ten Event Types chart, did not have an additional filter applied to them. So with just the Global Time Filter applied, we see a value of one next to the filter icon in this chart.

[Screenshot: ntc-dashboard-04-12.png]

This brings us to my final thoughts on filters today. Because we have a good deal of flexibility to selectively deploy filters across one or many charts, using the description field when building the charts can be very helpful for a user to understand which filters are associated with each chart. In this example, when we click on the ℹ button next to the chart title, we get a tooltip with our chart description in it. Not only do we have a short explanation of the chart, but we also have guidance explaining that the time filter is the only filter available to us for this chart. Using the description field helps inform the user of the dashboard what they can, and perhaps cannot, do with the chart within the dashboard.

I hope this blog provides you with some handy tips you can use as you start to apply filters to your dashboards!