Hello everyone,
I am trying to build a dashboard in Google SecOps that displays statistics about malicious IP addresses observed in firewall traffic and correlated against Mandiant Fusion IOC data.
The correlation works correctly in Log Search using a query similar to the following:
$e.metadata.log_type = "CHECKPOINT_FIREWALL"
$e.security_result.action = "ALLOW"
$origen = $e.principal.ip
$origen != ""
$gti.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$gti.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$gti.graph.metadata.source_type = "GLOBAL_CONTEXT"
$gti.graph.metadata.threat.verdict_info.confidence_score >= 90
$ip_ioc = $gti.graph.entity.ip
$origen = $ip_ioc
The query returns results successfully in Log Search.
However, when I try to use the same logic in a Dashboard/Report widget, no data is returned. I also tested simplified queries that only reference MANDIANT_FUSION_IOC graph entities (without any UDM event correlation), and they still return no results in Dashboards.
My questions are:
- Are Dashboard/Report queries allowed to access graph/GLOBAL_CONTEXT data sources such as MANDIANT_FUSION_IOC?
- Is there any limitation preventing dashboards from querying entity graph data directly?
Any guidance or documentation references would be greatly appreciated.
Thank you.
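The correlation the query above expresses (allowed CHECKPOINT_FIREWALL events whose source IP equals the IP of a high-confidence MANDIANT_FUSION_IOC graph entity), re-implemented offline in Python over constructed sample records, with a per-IP count as the statistic a dashboard widget would chart. This is an added example, not part of the original post and not Google SecOps code; the dataclass field names, the `correlate` helper and the sample IP addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Offline re-implementation of the firewall-event / IOC correlation.

Mirrors each predicate of the search query:
  $e.metadata.log_type = "CHECKPOINT_FIREWALL", $e.security_result.action = "ALLOW",
  $origen = $e.principal.ip, $origen != "", the four $gti.graph.* filters,
  and the join $origen = $ip_ioc.  Field names here are constructed, not UDM paths.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class FirewallEvent:
    log_type: str       # $e.metadata.log_type
    action: str         # $e.security_result.action
    principal_ip: str   # $e.principal.ip


@dataclass(frozen=True)
class IocEntity:
    product_name: str      # $gti.graph.metadata.product_name
    vendor_name: str       # $gti.graph.metadata.vendor_name
    source_type: str       # $gti.graph.metadata.source_type
    confidence_score: int  # $gti.graph.metadata.threat.verdict_info.confidence_score
    ip: str                # $gti.graph.entity.ip


def qualifying_iocs(iocs: Iterable[IocEntity], min_confidence: int = 90) -> Dict[str, IocEntity]:
    """Apply the $gti.graph.* filters and index the survivors by IP ($ip_ioc)."""
    return {
        ioc.ip: ioc
        for ioc in iocs
        if ioc.product_name == "MANDIANT_FUSION_IOC"
        and ioc.vendor_name == "MANDIANT_FUSION_IOC"
        and ioc.source_type == "GLOBAL_CONTEXT"
        and ioc.confidence_score >= min_confidence
    }


def correlate(events: Iterable[FirewallEvent], iocs: Iterable[IocEntity],
              min_confidence: int = 90) -> Counter:
    """Count allowed firewall events per source IP that matches a qualifying IOC."""
    ioc_by_ip = qualifying_iocs(iocs, min_confidence)
    hits: Counter = Counter()
    for event in events:
        # $e.metadata.log_type = "CHECKPOINT_FIREWALL" and action = "ALLOW"
        if event.log_type != "CHECKPOINT_FIREWALL" or event.action != "ALLOW":
            continue
        # $origen != ""  (events with no principal IP cannot join)
        if not event.principal_ip:
            continue
        # $origen = $ip_ioc  (the join against the entity graph)
        if event.principal_ip in ioc_by_ip:
            hits[event.principal_ip] += 1
    return hits


# Constructed sample data (RFC 5737 documentation addresses, not real IOCs).
SAMPLE_EVENTS = [
    FirewallEvent("CHECKPOINT_FIREWALL", "ALLOW", "192.0.2.10"),    # matches high-confidence IOC
    FirewallEvent("CHECKPOINT_FIREWALL", "ALLOW", "192.0.2.10"),    # second hit, same source
    FirewallEvent("CHECKPOINT_FIREWALL", "BLOCK", "192.0.2.10"),    # not ALLOW: excluded
    FirewallEvent("CHECKPOINT_FIREWALL", "ALLOW", "198.51.100.7"),  # IOC confidence below 90
    FirewallEvent("CHECKPOINT_FIREWALL", "ALLOW", "203.0.113.5"),   # no IOC at all
    FirewallEvent("OTHER_LOG_TYPE", "ALLOW", "192.0.2.10"),         # wrong log type
    FirewallEvent("CHECKPOINT_FIREWALL", "ALLOW", ""),              # empty principal.ip
]

SAMPLE_IOCS = [
    IocEntity("MANDIANT_FUSION_IOC", "MANDIANT_FUSION_IOC", "GLOBAL_CONTEXT", 95, "192.0.2.10"),
    IocEntity("MANDIANT_FUSION_IOC", "MANDIANT_FUSION_IOC", "GLOBAL_CONTEXT", 60, "198.51.100.7"),
    IocEntity("OTHER_FEED", "OTHER_VENDOR", "GLOBAL_CONTEXT", 99, "203.0.113.5"),  # wrong product/vendor
]


def sample_statistics() -> Dict[str, int]:
    """Run the correlation over the constructed sample and return {source_ip: hit_count}."""
    return dict(correlate(SAMPLE_EVENTS, SAMPLE_IOCS))


if __name__ == "__main__":
    for ip, count in sorted(sample_statistics().items()):
        print(f"{ip}\t{count}")
```

Running it prints one row per source IP that survived every filter, which is the shape of data a statistics widget would aggregate; adjusting `min_confidence` shows how the confidence threshold alone changes the result set.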
