Solved

Building a Unified IOC Search Dashboard Across All Data Sources in Google SecOps (Chronicle)

  • March 24, 2026
  • 2 replies
  • 63 views

Bartosz J

Hi Community,

Our team is looking to build a unified dashboard in Google SecOps (Chronicle) that enables analysts to search for Indicators of Compromise (IOCs) across all available data sources from a single interface.

Use Cases:

  • Username search: Enter a username and retrieve all events associated with that user across all ingested data sources within a configurable time range (e.g., last X days).
  • IP address search: Query an IP address and see all related network activity, authentication events, alerts, etc.
  • Hash value search: Look up a file hash and identify all occurrences across endpoint, proxy, and other relevant log sources.

Essentially, we're looking for a centralized IOC pivot dashboard that aggregates results from multiple log types and presents a consolidated view for faster investigation and threat hunting.

Best answer by SoarAndy


2 replies

SoarAndy
  • Staff
  • Answer
  • March 27, 2026

I personally am finding it hard to know what to suggest:

  • Dashboard filters work on one key location, but IP/hash/username are stored in 3 different keys. You could have 3 visuals representing 3 entity types.
  • But dashboards are not designed to list 100,000 entries (SIEM search is for that), and so it doesn’t work as a starting point, as it has no search (again, SIEM search does).
  • If you pivot from the “known enrichments”, these are not guaranteed to have Event traffic, so you would end up with lots of empty queries.

I would suggest using a saved search with a parameter, ${ioc}, that would do well with Group, but this isn’t a dashboard interface with interlinked visuals.


Other people might have better ideas, so I’ll defer to them.
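
To make the point about the three entity types living in three different key locations concrete, here is an added Python example (it is not code from the thread, from the poster or from Google). It classifies a single IOC string as an IP, a hash (by digest length) or a user identity, and expands it into a UDM search that ORs the common fields for that entity type; it also emits the per-type templates with the ${ioc} placeholder the reply suggests for a saved search. The UDM field lists are a starting set chosen for this example, not a spec: which of them are populated depends on the parsers and log sources in a given tenant, and the quoting around the ${ioc} placeholder is an assumption to check against the saved-search documentation.

```python
"""Expand one IOC into a Google SecOps (Chronicle) UDM search.

Added example, not from the thread. Field names are common UDM keys for
each entity type; verify which ones your parsers actually populate.
"""
import ipaddress
import re

# Where each entity type is typically stored. An IP, a hash and a user
# name live in different keys, which is why one dashboard filter cannot
# serve all three IOC types and a per-type query is needed instead.
IP_FIELDS = ["principal.ip", "target.ip", "src.ip", "intermediary.ip"]
USER_FIELDS = [
    "principal.user.userid",
    "target.user.userid",
    "about.user.userid",
    "principal.user.email_addresses",
    "target.user.email_addresses",
]
HASH_FIELDS = {
    algo: [
        f"principal.process.file.{algo}",
        f"target.process.file.{algo}",
        f"principal.file.{algo}",
        f"target.file.{algo}",
    ]
    for algo in ("md5", "sha1", "sha256")
}
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_ioc(value: str) -> str:
    """Return 'ip', 'md5', 'sha1', 'sha256' or 'user' for an IOC string."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HEX_DIGEST_LENGTHS:
        return HEX_DIGEST_LENGTHS[len(v)]
    return "user"  # anything else is treated as a user identifier


def fields_for(kind: str) -> list:
    """UDM fields to search for a given entity type."""
    if kind == "ip":
        return IP_FIELDS
    if kind in HASH_FIELDS:
        return HASH_FIELDS[kind]
    return USER_FIELDS


def udm_literal(value: str) -> str:
    """Quote a value as a UDM string literal, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def udm_query(kind: str, literal: str) -> str:
    """OR the per-type fields against one already-quoted literal."""
    suffix = " nocase" if kind == "user" else ""  # user names vary in case
    clauses = [f"{field} = {literal}{suffix}" for field in fields_for(kind)]
    return "(" + " or ".join(clauses) + ")"


def build_udm_query(value: str) -> str:
    """Classify the IOC and build the search for its entity type."""
    kind = classify_ioc(value)
    v = value.strip()
    if kind in HASH_FIELDS:
        v = v.lower()  # UDM hash values are normally lowercase hex
    return udm_query(kind, udm_literal(v))


def saved_search_template(kind: str) -> str:
    """Per-type template using the ${ioc} placeholder from the reply.

    Assumption: the placeholder is quoted like a literal; confirm against
    the saved-search documentation for your tenant.
    """
    return udm_query(kind, '"${ioc}"')


if __name__ == "__main__":
    # Constructed sample IOCs, one per entity type.
    for ioc in ("10.0.0.5", "D41D8CD98F00B204E9800998ECF8427E", "jdoe"):
        print(classify_ioc(ioc), "->", build_udm_query(ioc))
    for kind in ("ip", "sha256", "user"):
        print(kind, "template ->", saved_search_template(kind))
```

Paste the generated query into UDM search with the time range set in the UI, or keep the three templates as three saved searches; that matches the reply's suggestion of one visual or search per entity type rather than a single cross-type filter.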


Bartosz J
  • Author
  • Bronze 1
  • March 31, 2026

Thank you, this is a great answer!