LinkedIn
Twitter
We are on a mission to drive the adoption for our Google SecOps Native Dashboard feature, and we want YOU, our amazing community, to lead the charge! Letโs unlock the full potential of this together! We also want you to empower your security operations with the new Native Dashboard, create insightful visualizations and gain better visibility using our out-of-the-box dashboards created by Google SecOps internal team!
This isn't just any contest; it's your chance to shine and help shape the future of SecOps visibility! Your vote matters so be sure to check out the details below on how you can help us determine a winner!
Duration: March 31st - April 30th
Announcement date: Winners will be announced Mid-May 2025
How to Participate
- Create a dashboard using the Google SecOps Native Dashboard feature.
- Leverage the provided out-of-the-box dashboard samples as a foundation or inspiration.
- Share a screenshot or short video (you may blur out sensitive confidential information) of their dashboard by responding to this post in the Google SecOps community. Please include a brief description of the dashboard's purpose and key visualizations.
- Use a specific hashtag (e.g., #SecOpsDashboardChallenge) to facilitate tracking.
To begin exploring dashboards in Google SecOps
- Log in to your Google SecOps portal.
- Navigate to "Dashboard & Report" in the left-hand menu.
- Select "Native Dashboard".
- Review the pre-built sample dashboards on the main dashboard pages for inspiration.
- Start building your own custom native dashboards.
Resources
- Native Dashboard Documentations
- Native Dashboards preview in Chronicle SIEM
- Native Dashboard Blog Posts
Judging Criteria
We will select three winners based on the following criteria:
- Most Creative Dashboard: This will reward innovative and visually appealing dashboards that showcase unique data visualizations or use cases.
- Most Liked Dashboard: This is where we need your help Community! The winner will be determined by the number of likes or reactions received, reflecting the community's favorite. Please vote for your favorite dashboards by clicking the like button for each dashboard you like the most.
- Most Innovative Dashboard: This will recognize dashboards that demonstrate novel problem-solving, automation, or integration capabilities within the SecOps environment.
Prize
All participants will receive a reward! The 1st place winner will receive 3 swag items, 2nd place will receive 2 swag items, and 3rd place will receive 1 swag item! Once the winner has been determined, we will contact you to ship your prize out!
Example Dashboards
Curated Public Dashboards examples:
๐ #SecOpsDashboardChallenge: Google Workspace Native Dashboard
I'm excited to share my submission for the Google Cloud SecOps Native Dashboard Challenge!
My entry focuses on Google Workspace, visualized natively using custom queries to support SecOps workflows.
๐ง Dashboard Overview:
The dashboard is structured into modular sectionsโ Google Workspace and Google Mail with clearly labeled headers and interactive buttons that act as hyperlinks to other native dashboards and admin tools (e.g., Google Admin Log Search, Email Investigation Tool, Google Vault). This enhances usability and integrates triage tools directly into the dashboard experience.
๐Widget Highlights:
Google Workspace Section
๐Login Status Over Time
- Visualizes successful and failed login trends.
- Helps surface authentication anomalies and brute-force patterns.
// User Login Events over time
metadata.event_type = "USER_LOGIN"
$action = security_result.action
$action != 0
$date = timestamp.get_date(metadata.event_timestamp.seconds)
match:
$action, $date
outcome:
$event_count = count(metadata.id)
order:
$date asc
๐คGoogle Workspace Admin Events
- Tracks sensitive admin operations like group modifications or 2FA changes.
- Bar chart sorted by event count for instant visibility into high-risk activities.
// Filter for Google Workspace Admin events
metadata.vendor_name = "Google Workspace"
metadata.product_name = "admin"
// Filter out events o low interest
metadata.event_type != "USER_UNCATEGORIZED"
metadata.event_type != "STATUS_UNCATEGORIZED"
metadata.event_type != "GENERIC_EVENT"
metadata.event_type != "USER_UNCATEGORIZED"
metadata.event_type != "EMAIL_UNCATEGORIZED"
// Extract event_type field
$event_type = metadata.event_type
//$event_type != "" // Ensure event_type is populated
match:
$event_type
outcome:
$event_count = count(metadata.id)
order:
$event_count desc
๐ฅUnique Users in Login Events
Real-time metric to gauge daily Unique Login population.
// Count of Unique User Login
$event.metadata.event_type = "USER_LOGIN"
outcome:
$Count = count_distinct($event.principal.user.userid)
๐งพ Admins by Activity
Tracks who is making changes which is useful for detecting ClickOps vs IaC and User vs Service Account.
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "admin"
$admin_user = principal.user.email_addresses
$admin_user != ""
match:
$admin_user
outcome:
$action_count = count(metadata.id)
order:
$action_count desc
limit: 10
๐Users Created by Whom
Help quickly track user creation events over time and identify anomalies.
// Who is creating users over time
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "admin"
metadata.event_type = "USER_CREATION"
$actor = principal.user.email_addresses
$actor != ""
$date = timestamp.get_date(metadata.event_timestamp.seconds)
match:
$date, $actor
outcome:
$user_creation_count = count(metadata.id)
order:
$date asc
๐บAdmin Activity (Non Corp IP)
- Tracks Admin activity from non Corp addresses to identify potential anomalies in near real-time.
// Admin Activity (Non Corp IP)
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "admin"
principal.user.email_addresses != /trusteduser/ // Filter out trusted email addresses or service accounts if any
$admin_ip = principal.asset.ip
$admin_ip != ""
$admin_ip != /123.123.123.123/. // Filter out your trusted subnets if any
match:
$admin_ip
outcome:
$action_count = count(metadata.id)
order:
$action_count desc
limit: 10
Google Mail Section
โ ๏ธUser Phishing Reports & Suspicious Labels
- Visualizes user-reported phishing attempts and supports investigation into potential emerging threats.
// Count phishing report events (User Phishing classification) by hour
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "admin"
metadata.vendor_name = "Google Workspace"
metadata.product_event_type = "SECURITY_CENTER_RULE_THRESHOLD_TRIGGER"
metadata.event_type = "GENERIC_EVENT"
$rule_name = security_result.rule_name
$rule_name = "User Phishing classification"
$event_date = timestamp.get_date(metadata.event_timestamp.seconds)
match:
$rule_name, $event_date
outcome:
$event_count = count(metadata.id)
order:
$event_date asc
โ๏ธEmail Trends: Delivery Errors, Labels, and Spam
- Several widgets show delivery issues, label breakdowns, and spam volumes across dates.
- One of my favorite widgets charts post-delivery actions (e.g., user-marked spam, Gmail classification changes), giving insight into detection accuracy and user interaction.
// Title: Suspicous Gmail Message Labels Over Time
// Description: Visualize email classifications (Spam, Phish, Error, etc.) over time.
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "gmail"
metadata.event_type = "EMAIL_TRANSACTION"
// Extract the label and date
$label = security_result.detection_fields.value
$date = timestamp.get_date(metadata.event_timestamp.seconds)
// Filter: Make sure both are populated
$label = / - /
$label != /Clean/
$label != /clean/
$label != /policy_holder/
$label != ""
$date != ""
match:
$label, $date
outcome:
$event_count = count(metadata.id)
order:
$date asc
๐Filtered Suspicious Emails and Link Domains
A table aggregates subject/sender/link domain combinations with counts to quickly pivot into threat hunting or playbook workflows.
// Suspicious Email by subject and sender (Filtered View)
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.product_name = "gmail"
metadata.event_type = "EMAIL_TRANSACTION"
$from = network.email.from
$subject = network.email.subject
$mail_id = network.email.mail_id
$mail_id != ""
$subject != ""
// Build your filters!
$from != ""
(
$from != /COMPANY_DOMAIN/ AND
$from != /TRUSTED SENDERS/ AND
)
// Suspicious words in subject - examples below, my list was longer.
($subject = /password/ nocase or
$subject = /update/ nocase or
$subject = /verify/ nocase or
$subject = /security/ nocase or
$subject = /urgent/ nocase or
$subject = /Account/ nocase or
match:
$subject, $from
outcome:
$phish_subject_email_count = count_distinct($mail_id)
order:
$phish_subject_email_count desc
limit:
20
๐ฉTop Reported Email Domains
Give us a quick view of which email senders our Users are reporting the most so that we can take action.
// Gmail messages with specific user actions or reclassifications
metadata.vendor_name = "Google Workspace"
metadata.product_name = "gmail"
metadata.log_type = "WORKSPACE_ACTIVITY"
metadata.event_type = "EMAIL_TRANSACTION"
// Extract needed fields
$label = about.labels.value
$message_id = network.email.mail_id
$sender = network.email.from
// Ensure fields are populated
$label != ""
$message_id != ""
$sender != "" and $sender != /allowlist-senders/ //update this to your needs
// Match labels 69 o 70 and 71 based on description
(
$label = /69 - / or
$label = /70 - / //and
//$label = /71 - /
)
match:
$sender
outcome:
$unique_message_count = count_distinct($message_id)
order:
$unique_message_count desc
โ๏ธBehind the Scenes
- All visualizations are built using native Dashboards YARA-L queries.
- I plan to share a GitHub repo soon with my complete query set.
Please feel free to comment and suggest ideas!
Thanks
#SecOps Dashboard Challenge
Dashboard Name: MITRE Threat Matrix View
The MITRE Threat Matrix View dashboard is organized to provide comprehensive visibility into adversary behavior using the MITRE ATT&CK framework. Each tactic from the matrix is represented with two dedicated panels, offering both quantitative and contextual analysis of triggered detection rules.
Panel Breakdown:
Tactic:
Purpose: Displays the count and details of security rules that were triggered under the specific MITRE tactic.
Insight Provided: Helps analysts understand which detection rules are being actively engaged for a given tactic, highlighting areas of active threat activity or potential false positives.
Query:
detection.detection.rule_name = $rule_name
detection.detection.outcomes["mitre_attack_tactic"] = /Execution/ nocase
detection.detection.outcomes["mitre_attack_technique"] != ""
outcome:
$Rule_Count = count_distinct($rule_name)
Technique:
Purpose: Visualizes the distribution of triggered rules across the techniques under the given tactic.
Insight Provided: Offers a granular view into which specific techniques (e.g., Credential Dumping, Lateral Movement) are being observed most often, helping pinpoint attack patterns.
Query:
detection.detection.rule_name = $rule_name
detection.detection.outcomes["mitre_attack_tactic"] = /Execution/ nocase
detection.detection.outcomes["mitre_attack_technique"] != ""
detection.detection.outcomes["mitre_attack_technique"] = $technique
match:
$technique, $rule_name
outcome:
$Rule_Count = count_distinct($rule_name)
Dashboard Name: Overview Dashboard
Query:
Panel Name: Avg GB Ingested per Day
// Filter events to those from the "Ingestion API" component
ingestion.component="Ingestion API"
// Extract the date from the ingestion start time
$date = timestamp.get_date(ingestion.start_time)
// Calculate the total log volume in gigabytes (GB) for each date, rounded to 3 decimal places
outcome:
$number_days = count_distinct(timestamp.get_date(ingestion.start_time))
$log_volume = math.round(sum(ingestion.log_volume) / 1073741824,3)
$per_day = math.round($log_volume / $number_days,3)
// 1073741824 bytes = 1 GB
Panel Name: Total GB Ingested
// Filter events to those from the "Ingestion API" component
ingestion.component="Ingestion API"
// Calculate the total log volume in gigabytes (GB) for each date, rounded to 3 decimal places
outcome:
$log_volume = math.round(sum(ingestion.log_volume) / 1073741824,3)
// 1073741824 bytes = 1 GB
Panel Name: Ingestion Metrics by Date & Logs
$log_type = ingestion.log_type AND $log_type != ""
ingestion.component = "Ingestion API"
ingestion.log_type != "" AND ingestion.log_type != "FORWARDER_HEARTBEAT"
$date = timestamp.get_date(ingestion.start_time) AND ingestion.start_time != 0
match:
$date, $log_type
outcome:
$thoughput = math.round(sum(ingestion.log_volume) / (1000 * 1000 * 1000), 1)
Query:
Panel Name: Detections
detection.detection.rule_name = /.*/
outcome:
$detections = count(detection.id)
Panel Name: Rule Detection by Severity
$severity = detection.detection.rule_labels["severity"]
$severity != ""
match:
$severity
Panel Name: Rules Detection by Severity Over Time
$severity = detection.detection.rule_labels["severity"]
$severity != ""
$detection_time = timestamp.get_date(detection.detection_time.seconds)
match:
$severity, $detection_time
outcome:
$count = count_distinct(detection.id)
order:
$detection_time
outcome:
$count = count_distinct(detection.id)
Query:
Panel Name: Rule detection over time
$date = timestamp.get_date(detection.detection_time.seconds)
match:
$date
outcome:
$total=count_distinct(detection.id)
order:
$date
Panel Name: Top 10 Rule Names by Detections
$rulename = detection.detection.rule_name
match:
$rulename
outcome:
$detection_count = count_distinct(detection.id)
order:
$detection_count desc
limit:
10
Query:
Panel Name: Top 10 IOC Matches
ioc.category != ""
ioc.category = $category
match:
$category
outcome:
$ioc_matches = count(ioc.category)
order:
$ioc_matches desc
Panel Name: IOC type
ioc.ioc_type = $ioc_type
match:
$ioc_type
outcome:
$ioc_matches = count(ioc.ioc_type)
order:
$ioc_matches desc
Panel Name: IOC IPs
ioc.ioc_value != ""
ioc.ioc_value = $ioc_value_ip
ioc.ioc_type = "IOC_TYPE_IP"
match:
$ioc_value_ip
outcome:
$ioc_matches = count(ioc.ioc_value)
order:
$ioc_matches desc
Panel Name: IOC DOMAIN
ioc.ioc_value != ""
ioc.ioc_value = $ioc_value_domain
ioc.ioc_type = "IOC_TYPE_DOMAIN"
match:
$ioc_value_domain
outcome:
$ioc_matches = count(ioc.ioc_value)
order:
$ioc_matches desc
Panel Name: IOC Matches By Category
ioc.ioc_type = $ioc_type
ioc.category = $ioc_category
match:
$ioc_category, $ioc_type
outcome:
$ioc_matches = count(ioc.category)
order:
$ioc_matches desc
Panel Name: IOC Matches By Domain
ioc.ioc_value = $ioc_value_domain
ioc.ioc_type = "IOC_TYPE_DOMAIN"
ioc.category = $ioc_category
ioc.severity = $ioc_severity
match:
$ioc_value_domain, $ioc_category, $ioc_severity
Thanks.
#SecOps Dashboard Challenge
I have created a GCP Dashboard that shows:
- Access denied events by account for finding config errors and other anomalies.
- Failed Logins by Application to detect auth anomaly trends by Application.
- GCP resources that we ingest logs for so that we know what we have in the system.
- GCP Projects over time that are encountering failures to find anomalies.
// Title: Top Resources Triggering Access Denied Events
// Description: Counts access denied events grouped by resource name and type to highlight frequent targets.
// Filter for GCP Audit logs
metadata.log_type = "GCP_CLOUDAUDIT"
// Focus only on BLOCK actions
$action = security_result.action
$action = "BLOCK"
// Extract fields
$resource_name = target.resource.name
$resource_name != ""
$resource_type = target.resource.resource_type
$resource_type != 0
// Extract event date (optional for time series)
$date = timestamp.get_date(metadata.event_timestamp.seconds)
$date != ""
// Group by resource name and resource type
match:
$resource_name, $resource_type, $date
outcome:
$denied_count = count(metadata.id)
order:
$denied_count desc
limit: 50
