New to Google SecOps: An Introduction to Native Dashboards

jstoner
Staff

If you’ve used Google SecOps for any period of time, you’ve likely built at least a chart, if not a full dashboard, with the Google SecOps dashboarding capability. When this capability was added to the platform, Looker was the dashboarding tool. A new dashboarding capability has recently been launched in public preview that lets users build their own dashboards using the same syntax that statistical search uses, so a query can be written once and its logic reused in both search and dashboards!

The first thing a user will see is a listing of the dashboards available to them. A set of curated dashboards is available to give users a jumpstart on their own dashboards. On the far right side of the page, users can pin dashboards, curated or user created, to the listing, and by clicking the three dots to the right of the pin, a dashboard can be duplicated.

[Screenshot: ntc-dashboard1-01.png]

Clicking on a dashboard will open the dashboard and return results based on the default filters that are applied. Notice in the main dashboard below, we are returning data for the past seven days. On the top right corner of the page is a refresh button and a full screen toggle.

[Screenshot: ntc-dashboard1-02.png]

Dashboards can be built for a number of different datasets within Google SecOps including UDM event data, UDM entity graph data, detections, IOCs, rule sets and ingestion metrics. Over the next few weeks, additional blogs will provide examples using these different datasets to illustrate how these dashboards can be constructed.

With that, let’s dive into building our first chart in a dashboard!

Let’s start by clicking the Create dashboard button in the top right corner of the dashboard listing. A pop-up will appear where we can name our dashboard and add a description. Because we are going to start from scratch, we will not select anything in the drop-down under the Start with Existing Dashboard heading, though if we wanted to use a dashboard available to us as a starting point, we could. Finally, we can choose to make this dashboard available to others within the organization by selecting Public. If we want to keep it to ourselves, we can click Private. Share settings can be changed after the dashboard has been created, so we will leave it private for now and then click Create.

[Screenshot: ntc-dashboard1-03.png]

The dashboard looks a little bare since we didn’t start with another dashboard. Notice that our dashboard name and description carry over into the top corner of the dashboard edit view. Below the name is an Add button that contains chart and button options. To the right of the Add button is the filter. By default, a global time filter is enabled for the past day. We will circle back to filters in a future blog; for now, let’s leave it as it is. Go ahead and select Chart under the Add button.

[Screenshot: ntc-dashboard1-04.png]

For those of you who have used the search interface in Google SecOps, this query interface will look very familiar. We can build our search or draw on our search history, saved searches, or searches that have been shared with us. That said, it is important to note that searches for dashboards need to be statistical searches, that is, they must have a match and/or outcome section in the search.

Another important section of this interface is the time range. Notice the drop-down that can be set to a relative or absolute time range. For this, we will leave it at a relative range of the Last 1 day.

[Screenshot: ntc-dashboard1-05.png]

For this first chart, we are going to generate a top ten list of the most frequently seen event types for the past day. To get this data set, we can query the UDM data and build a search that looks just like a UDM statistical search. We covered statistical searches a few months ago, but in case you would like a refresher, check out the blogs Introducing Statistical Search and Getting More From Statistical Searches or their associated videos here and here.

The short version of the query is that we are collecting the values in the metadata.event_type field and grouping (matching) on them and then counting the number of events with each event type. We are sorting them from greatest to least and displaying the first ten in the result set.

metadata.event_type = $event_type
match:
   $event_type
outcome:
   $event_count = count($event_type)
order:
   $event_count desc
limit: 10
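
As an added example that is not part of the original post, the following Python performs the pre-flight check the earlier requirement implies: it splits a search into its filter and its match/outcome/order/limit sections, flags a query with no match or outcome section (a plain event search, which a dashboard chart will not accept), and flags placeholders used in match or order that the query never defines. The section names and placeholder rules are taken from the query above; nothing else about the product's grammar is assumed, and the sample queries are constructed.

```python
import re

SECTION_RE = re.compile(r"^(match|outcome|order|limit)\s*:\s*(.*)$")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")

def parse_stats_search(text):
    """Split a UDM search into its filter lines and its match/outcome/order/limit sections."""
    sections = {"filter": []}
    current = "filter"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:  # a new section starts; keep anything written on the same line (e.g. "limit: 10")
            current = m.group(1)
            sections[current] = [m.group(2).strip()] if m.group(2).strip() else []
        else:
            sections[current].append(line)
    return sections

def check_dashboard_query(text):
    """Return (ok, problems): a chart query must be statistical and only use defined placeholders."""
    s = parse_stats_search(text)
    problems = []
    if "match" not in s and "outcome" not in s:
        problems.append("no match: or outcome: section, so this is not a statistical search")
    if not s["filter"]:
        problems.append("no filter expression before the first section")
    # Placeholders are defined by the filter ($event_type) or assigned in outcome: ($event_count)
    defined = set(VAR_RE.findall(" ".join(s["filter"])))
    for line in s.get("outcome", []):
        defined.update(VAR_RE.findall(line.split("=", 1)[0]))
    for sec in ("match", "order"):  # both may only reference placeholders defined above
        for var in VAR_RE.findall(" ".join(s.get(sec, []))):
            if var not in defined:
                problems.append(f"{sec}: references undefined placeholder {var}")
    return (not problems), problems

# Constructed samples: the blog's top-ten query, and a plain event search with no sections
TOP_EVENT_TYPES = """metadata.event_type = $event_type
match:
   $event_type
outcome:
   $event_count = count($event_type)
order:
   $event_count desc
limit: 10"""
EVENT_SEARCH = 'metadata.event_type = "NETWORK_CONNECTION"'
```

Running check_dashboard_query over a saved search before adding it as a chart tells you whether it is statistical and whether every placeholder in match and order is defined.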

When we run our query, we get our output in a tabular view. I skipped showing that and went straight to the Chart Type selector on the right side of the page to choose a Pie chart. The Chart Details on the left of the page require each chart to have a name before it can be added to the dashboard. Depending on the chart type, other fields may be required as well. For instance, the pie chart requires the field and the value the data uses, and you can select them from their respective drop-downs. Once you are happy with your chart, click Add to dashboard.

[Screenshot: ntc-dashboard1-06.png]

With that, our first chart is populated on our dashboard. While in edit mode, each chart has a few controls associated with it that I will briefly highlight. On the top left of the chart is a set of dots that can be grabbed to move the chart around the palette. On the opposite lower corner, there is a small right angle marker that is used to resize the chart. On the top right corner of each chart are options to view that chart in full screen mode, edit, refresh, duplicate and delete the chart.

[Screenshot: ntc-dashboard1-07.png]

With that, let’s bring this initial blog on the new dashboarding capabilities in Google SecOps to a close. In future blogs, we will continue to build out this dashboard and introduce additional capabilities. Also, as I mentioned earlier, this capability has just been introduced as a public preview, so be on the lookout for additional improvements! Keep an eye out for additional curated dashboards that can be leveraged for more use cases too!