
Building a Unified IOC Search Dashboard Across All Data Sources in Google SecOps (Chronicle)

  • March 24, 2026
  • 1 reply
  • 37 views

Bartosz J

Hi Community,

Our team is looking to build a unified dashboard in Google SecOps (Chronicle) that enables analysts to search for Indicators of Compromise (IOCs) across all available data sources from a single interface.

Use Cases:

  • Username search: Enter a username and retrieve all events associated with that user across all ingested data sources within a configurable time range (e.g., last X days).
  • IP address search: Query an IP address and see all related network activity, authentication events, alerts, etc.
  • Hash value search: Look up a file hash and identify all occurrences across endpoint, proxy, and other relevant log sources.

Essentially, we're looking for a centralized IOC pivot dashboard that aggregates results from multiple log types and presents a consolidated view for faster investigation and threat hunting.


James_E
Staff
  • April 6, 2026

Your use cases resemble a UDM Search more than an actual dashboard. If you want to create a dashboard to look at IOCs, you can use the IOC dataset here. Some charts have the ability to “drilldown” to a UDM search based on the selected entity in the dashboard. That should get you started.
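The three pivots in the question (username, IP, hash across all sources for the last X days) map onto UDM searches that OR the indicator across every UDM field it can appear in, which is the search the reply points at. The helper below is an added example and is not code from the original post or from Google SecOps; it classifies a raw indicator, builds the OR'd UDM search string, and computes the "last X days" window. The field lists are a constructed, deliberately small subset of the Unified Data Model (assumption: you would extend them with the fields your own log sources populate), and the `nocase` modifier is the standard UDM search keyword for case-insensitive string comparison.

```python
"""Build UDM search queries for the three IOC pivots in the post.

Added example. The UDM field lists below are a constructed, deliberately
small subset of the Unified Data Model; extend them with the fields your
log sources actually populate.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# UDM fields to OR together for each indicator type (constructed subset).
IP_FIELDS = ["principal.ip", "target.ip", "src.ip", "observer.ip", "intermediary.ip"]
USER_FIELDS = [
    "principal.user.userid",
    "target.user.userid",
    "about.user.userid",
    "principal.user.email_addresses",
    "target.user.email_addresses",
]
HASH_FIELDS = {
    "md5": ["target.file.md5", "principal.process.file.md5", "target.process.file.md5"],
    "sha1": ["target.file.sha1", "principal.process.file.sha1", "target.process.file.sha1"],
    "sha256": ["target.file.sha256", "principal.process.file.sha256", "target.process.file.sha256"],
}
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def classify_ioc(value: str) -> str:
    """Return 'ip', 'md5', 'sha1', 'sha256' or 'user' for a raw indicator."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _HEX.match(v):
        by_len = {32: "md5", 40: "sha1", 64: "sha256"}
        if len(v) in by_len:
            return by_len[len(v)]
    return "user"                        # anything else is treated as a username


def _quote(value: str) -> str:
    """Escape a value for use inside a double-quoted UDM string literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_udm_query(value: str, kind: Optional[str] = None) -> str:
    """OR the indicator across every relevant UDM field.

    Hashes are lowercased (UDM stores them lowercase); usernames get the
    `nocase` modifier so 'JDoe' and 'jdoe' both match.
    """
    kind = kind or classify_ioc(value)
    v = value.strip()
    if kind == "ip":
        return " OR ".join(f"{f} = {_quote(v)}" for f in IP_FIELDS)
    if kind in HASH_FIELDS:
        return " OR ".join(f"{f} = {_quote(v.lower())}" for f in HASH_FIELDS[kind])
    if kind == "user":
        return " OR ".join(f"{f} = {_quote(v)} nocase" for f in USER_FIELDS)
    raise ValueError(f"unsupported indicator type: {kind}")


def build_pivot_query(iocs: list) -> str:
    """Combine several indicators into one search (any of them matching)."""
    return " OR ".join(f"({build_udm_query(i)})" for i in iocs)


def time_window(days: int, now: Optional[datetime] = None) -> tuple:
    """RFC 3339 start/end timestamps for 'last X days', in UTC."""
    end = now or datetime.now(timezone.utc)
    start = end - timedelta(days=days)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return start.strftime(fmt), end.strftime(fmt)


if __name__ == "__main__":
    # Constructed sample indicators: RFC 5737 test address, SHA-256 of an empty file.
    for ioc in ["jdoe", "192.0.2.10",
                "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]:
        print(classify_ioc(ioc), "->", build_udm_query(ioc))
    print(time_window(7))
```

Paste the generated string into the UDM Search box (or hand it to a dashboard chart's drilldown) and set the time picker to the window returned by `time_window`. Keeping the field lists in one place means that when a new log source populates, say, `target.user.email_addresses`, you add the field once and every username pivot picks it up.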