This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

Dashboard for Alerts and IoC and general fields references

Posted on 03-13-2025 10:36 AM
Tonio
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello all,

I am working with the dashboards, the aim is to provide a "ROI" view on the product (SIEM in particular). The huge wall I am hitting at the moment is about generating a simple count of all the alerts generated and the IoC matched. The very same you can find in the "Alerts & IoC" page, but summarized in a dashboard with other info... should be a piece of cake, right?? 

First step: find the right data model. The only "Explores" that have some fields seems to be "Rule Detections" and "IoC Matches" respectively. But:

For the alerts, the only actual field I can relate to the alerts is "Alert Name". All the rest seems to be related to just detections. And when I try a run over 1 hr, I got a list of rules, that are not even active as alerts... Quite unsatisfactory.

For the IoC, even more puzzling. There is a quite useful "Ccount" measure, just that the numbers are totally different when you compare the same time range in the "IoC Matches" page.

 

Is there anyone who had more luck?

And in general, is there some reference about all the different fields/measures/dimensions that you can find in the Explorer modules? Apart from the names, there is almost no other info to tell them what they are and how they work (or at least, i could not find them in the documentation).

 

Thanks everybody,

 

A

 

 

0 3 484
Topic Labels
0 Likes
Reply
3 REPLIES 3

Posted on --/--/---- --:-- AM
cyberdarren
Staff
Reply posted on --/--/---- --:-- AM

For Rule Detections, filter by the detection.alert_type = 2. "2" is the enum value for "ALERTING". This will filter your dashboard by alerting rule detections.

For IOC Matches, the documentation here states a the differences in the date matching between Alerts & IOC and the dashboards schema: https://cloud.google.com/chronicle/docs/reports/dashboards-overview#ioc. You may have to play around with the time bucket filter in the IoC schema.

Reply

Posted on --/--/---- --:-- AM
asahaa
Bronze 1
Bronze 1
In response to cyberdarren
Reply posted on --/--/---- --:-- AM

Hi @cyberdarren ,

What is the key-value to filter out the open or closed alerts in the dashboard. Like is it detections.alert_state .. if yes then what are the values for open or closed respectively? Or is some other fields responsible for it

0 Likes
Reply

Posted on --/--/---- --:-- AM
Tonio
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hi Cyberdarren!

Thanks for the advice! About the alerts, I tested it out and the results are closer now,  but still quite different numbers (5.1k against 132 k).

Here I am attaching the 2 results and the tile configuration:

Tonio_2-1742490465509.pngTonio_3-1742490472353.pngTonio_1-1742490452472.png

I also opened a ticket with the support, the latest update says that the "Alerts" widget in the Main Dashboard is part of a legacy component, which may no longer align fully with the current system behavior. Not sure if this will be fixed somehow.

A

 

 

 

 

0 Likes
Reply
Top Solution Authors
View all