New to Google SecOps: Using UDM Searches in Dashboards

jstoner
Staff

Last time, we introduced native dashboarding to Google Security Operations (SecOps) and created a new dashboard and pie chart by calculating a listing of the top ten event types generated in the past day. Today, we are going to continue building out our dashboard using UDM event data. Wait! Don’t turn the page! Just because we covered a UDM search last time, doesn’t mean I don’t have new stuff to show you, so stick with me…

The two charts we are going to add use network connection data. While we could edit the dashboard we created last time and add new charts like we did when we created the pie chart, I want to show you another way you can take a UDM search and add it to a dashboard.

In our search window, we can construct a search just as we’ve done thousands of times and run it to view the results.

ntc-dashboard2-01a.png

This search is a statistical search that uses a reference list to compare UDM network connection events to a listing of suspicious ASNs. It aggregates the events by IP, ASN, carrier and location and generates an event count. The top ten IP addresses and associated information are returned based on that event count.

metadata.event_type = "NETWORK_CONNECTION"
target.ip_geo_artifact.network.asn in %suspicious_asn
match:
  target.ip, target.ip_geo_artifact.network.asn, target.ip_geo_artifact.network.carrier_name, target.ip_geo_artifact.location.country_or_region
outcome:
  $event_count = count(metadata.event_type)
order:
  $event_count desc
limit: 10

At this point we have a statistical search output which hopefully looks familiar. At the top of the stats section is a sub-tab with Statistics and Visualize.

ntc-dashboard2-01.png


If we click on Visualize, the statistics view changes to a view similar to the one we saw when we created the dashboard chart last time. Notice we have a chart type drop-down, an Add to Dashboard button, and a settings section to the left of our result set.

ntc-dashboard2-02.png


If we just want to display a table in the dashboard, we can click Add to Dashboard and get a pop-up prompting us for the name of the chart. Once we name the chart and provide an optional description, we can modify the default time range of the chart and then add the chart to either a new or existing dashboard. In this case, we want to add the chart to the existing dashboard we created last time, so we can click on the drop-down, find our dashboard, select it and then click the Add to dashboards button at the bottom of the pop-up.

ntc-dashboard2-03.png

Once we’ve done that, our table is added to our dashboard. You will likely have to adjust the sizing of the charts, but once it is there, you have just added a UDM statistical search to a dashboard from the search portion of the UI!

ntc-dashboard2-04.png

Let’s take a look at another UDM chart. This time, we are going to display pairs of IP addresses ranked by the number of bytes sent. Notice that we are using YARA-L functions like strings.concat and net.ip_in_range_cidr together with the sum aggregation function to generate our results. It’s important to remember that the YARA-L functionality supported in search is also available when building dashboards, which is what we are highlighting here.

metadata.event_type = "NETWORK_CONNECTION"
$ip = strings.concat(principal.ip, "/", target.ip)
net.ip_in_range_cidr(principal.ip, "10.0.0.0/8")
NOT net.ip_in_range_cidr(target.ip, "::1")
match:
  $ip
outcome:
  $total_bytes_sent = sum(network.sent_bytes)
order:
  $total_bytes_sent desc
limit: 10

ntc-dashboard2-05.png
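Both statistical searches on this page (the suspicious-ASN count and the bytes-sent sum) share the same match/outcome/order/limit shape: filter events, group them by the match keys, compute one aggregate per group, sort descending and keep the top N. The Python model below is an added example, not code from the original post or from Google SecOps; it runs that shape offline over constructed UDM-style events so you can sanity-check the grouping and ordering a chart will show before you add it to a dashboard. The `run_stats` helper, the `SUSPICIOUS_ASN` set standing in for the `%suspicious_asn` reference list, and every event value are assumptions made up for the example.

```python
"""Offline model of the two UDM statistical searches, run over constructed events.

Each event is a flat dict keyed by the same dotted UDM field paths the searches
use. run_stats() mirrors the search structure: `where` is the filter section,
`match` returns the group key, `outcome` folds a group's events into one
aggregate, results are ordered by that aggregate descending, then truncated.
"""
import ipaddress
from collections import defaultdict

# Assumed stand-in for the %suspicious_asn reference list (values are made up).
SUSPICIOUS_ASN = {64500, 64501}

# Constructed sample events; field names follow the UDM paths used in the searches.
EVENTS = [
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.1.1.5",
     "target.ip": "203.0.113.10", "target.ip_geo_artifact.network.asn": 64500,
     "target.ip_geo_artifact.network.carrier_name": "ExampleNet",
     "target.ip_geo_artifact.location.country_or_region": "Exampleland",
     "network.sent_bytes": 1500},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.1.1.5",
     "target.ip": "203.0.113.10", "target.ip_geo_artifact.network.asn": 64500,
     "target.ip_geo_artifact.network.carrier_name": "ExampleNet",
     "target.ip_geo_artifact.location.country_or_region": "Exampleland",
     "network.sent_bytes": 2500},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.1.1.6",
     "target.ip": "203.0.113.10", "target.ip_geo_artifact.network.asn": 64500,
     "target.ip_geo_artifact.network.carrier_name": "ExampleNet",
     "target.ip_geo_artifact.location.country_or_region": "Exampleland",
     "network.sent_bytes": 100},
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.1.1.5",
     "target.ip": "198.51.100.7", "target.ip_geo_artifact.network.asn": 64501,
     "target.ip_geo_artifact.network.carrier_name": "OtherNet",
     "target.ip_geo_artifact.location.country_or_region": "Otherland",
     "network.sent_bytes": 4000},
    # ASN 64496 is not in the list, so these two never reach the first chart.
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "10.1.1.6",
     "target.ip": "192.0.2.9", "target.ip_geo_artifact.network.asn": 64496,
     "target.ip_geo_artifact.network.carrier_name": "CleanNet",
     "target.ip_geo_artifact.location.country_or_region": "Cleanland",
     "network.sent_bytes": 9000},
    # Principal outside 10.0.0.0/8, so the CIDR filter drops it from the second chart.
    {"metadata.event_type": "NETWORK_CONNECTION", "principal.ip": "192.168.1.20",
     "target.ip": "192.0.2.9", "target.ip_geo_artifact.network.asn": 64496,
     "target.ip_geo_artifact.network.carrier_name": "CleanNet",
     "target.ip_geo_artifact.location.country_or_region": "Cleanland",
     "network.sent_bytes": 7000},
    # Wrong event type: filtered out by both searches before any grouping.
    {"metadata.event_type": "PROCESS_LAUNCH", "principal.ip": "10.1.1.5"},
]


def ip_in_range_cidr(ip, cidr):
    """Model of net.ip_in_range_cidr: True if ip falls inside cidr.
    A v4 address is never inside a v6 network (and vice versa), which is why
    `NOT net.ip_in_range_cidr(target.ip, "::1")` keeps all the IPv4 targets."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def run_stats(events, where, match, outcome, limit=10):
    """Group filtered events by the match key, aggregate each group with
    outcome(), order by the aggregate descending (key ascending on ties so the
    result is deterministic) and apply the limit."""
    groups = defaultdict(list)
    for ev in events:
        if where(ev):
            groups[match(ev)].append(ev)
    rows = [(key, outcome(evs)) for key, evs in groups.items()]
    rows.sort(key=lambda r: (-r[1], str(r[0])))
    return rows[:limit]


def top_suspicious_asn_targets(events, limit=10):
    """First chart: connections to ASNs in the reference list, counted per
    (target.ip, asn, carrier, country) group."""
    return run_stats(
        events,
        where=lambda ev: ev["metadata.event_type"] == "NETWORK_CONNECTION"
        and ev.get("target.ip_geo_artifact.network.asn") in SUSPICIOUS_ASN,
        match=lambda ev: (ev["target.ip"],
                          ev["target.ip_geo_artifact.network.asn"],
                          ev["target.ip_geo_artifact.network.carrier_name"],
                          ev["target.ip_geo_artifact.location.country_or_region"]),
        outcome=len,  # $event_count = count(metadata.event_type)
        limit=limit,
    )


def top_ip_pairs_by_bytes(events, limit=10):
    """Second chart: internal principal -> target pairs ranked by bytes sent."""
    return run_stats(
        events,
        where=lambda ev: ev["metadata.event_type"] == "NETWORK_CONNECTION"
        and ip_in_range_cidr(ev["principal.ip"], "10.0.0.0/8")
        and not ip_in_range_cidr(ev["target.ip"], "::1"),
        # $ip = strings.concat(principal.ip, "/", target.ip)
        match=lambda ev: f'{ev["principal.ip"]}/{ev["target.ip"]}',
        outcome=lambda evs: sum(ev["network.sent_bytes"] for ev in evs),
        limit=limit,
    )


if __name__ == "__main__":
    for row in top_suspicious_asn_targets(EVENTS):
        print("suspicious asn:", row)
    for row in top_ip_pairs_by_bytes(EVENTS):
        print("bytes sent:", row)
```

Running the model with the constructed events shows why the grouping keys matter: the three connections to 203.0.113.10 collapse into one row with a count of 3 in the first chart, while in the second chart they split across two principal/target pairs because the match key includes the source address. Swapping the `limit` down to 3 truncates the second result set exactly as the `limit:` section of the search would.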

As in the previous example, we can select the Visualize sub-tab to convert our statistical results to another chart type, this time a bar chart, configure it and add it to our dashboard.

ntc-dashboard2-06.png

Once we’ve named it and arranged our charts on our existing dashboard, we now have the original pie chart, the table with suspicious ASNs and a bar chart of top IP pair talkers.

ntc-dashboard2-07.png


With native dashboarding in Google SecOps, we can now create UDM statistical searches and add them directly to dashboards, in addition to building charts from within the dashboard itself. We can also use reference lists in our charts, as we did with the suspicious ASN listing, and we can use YARA-L functions and outcome aggregate functions such as sum, not just count, over our data sets!
