Skip to main content

Create dashboards in Chronicle SIEM with additional fields

  • January 22, 2025
  • 6 replies
  • 94 views
A
Forum|alt.badge.img+1

We have built a custom parser and mapped some of our fields to additional fields. Parser is active in SecOps.  Below are the additional fields mapping. Our requirement is to create a tile in SIEM with the  fields dns_host_addr, dns_name, dns_response_time. All these fields have to be included in the table view. Please let us know the steps to create a tabular view with all of these fields. 

mutate {
replace => {
"dns_host_addr" => "%{msg.dns_host_addr}"
}
on_error => "DNS_Host_address_replace_error"
}

if ![DNS_Host_address_replace_error] {
mutate {
replace => {
"additional_dnshostaddr" => ""
}
}
mutate {
replace => {
"additional_dnshostaddr.key" => "dns_host_addr"
"additional_dnshostaddr.value.string_value" => "%{dns_host_addr}"
}
on_error => "dns_host_addr_key_value_failed"
}
mutate {
merge => {
"event.idm.read_only_udm.additional.fields" => "additional_dnshostaddr"
}
on_error => "DNS_Host_address_merge_error"
}
}
mutate {
replace => {
"dns_resp_time" => "%{msg.dns_response_time}"
}
on_error => "DNS_Response_time_replace_error"
}

if ![DNS_Response_time_replace_error] {
mutate {
replace => {
"additional_dnsresptime" => ""
}
}
mutate {
replace => {
"additional_dnsresptime.key" => "dns_response_time"
"additional_dnsresptime.value.string_value" => "%{dns_resp_time}"
}
on_error => "dns_resp_time_key_value_replace_failed"
}
mutate {
merge => {
"event.idm.read_only_udm.additional.fields" => "additional_dnsresptime"
}
on_error => "dns_resp_time_merge_error"
}
}
mutate {
replace => {
"dns_name" => "%{msg.dns_name}"
}
on_error => "DNS_Name_replace_error"
}

if ![DNS_Name_replace_error] {
mutate {
replace => {
"additional_dnsname" => ""
}
}
mutate {
replace => {
"additional_dnsname.key" => "dns_name"
"additional_dnsname.value.string_value" => "%{dns_name}"
}
on_error => "dns_name_key_value_replace_failed"
}
mutate {
merge => {
"event.idm.read_only_udm.additional.fields" => "additional_dnsname"
}
on_error => "dns_name_merge_failed"
}
}

6 replies

rajukg11
Staff
Forum|alt.badge.img+6
  • rajukg11
  • Staff
  • January 22, 2025

Are you using the Native Dashboards (new feature that is in Preview)?  

If so, in your query you can create a field like this:

$code = additional.fields["additional_dnsname"]
    A
    Forum|alt.badge.img+1
    • Arthy
    • Author
    • New Member
    • January 23, 2025

    Are you using the Native Dashboards (new feature that is in Preview)?  

    If so, in your query you can create a field like this:

    $code = additional.fields["additional_dnsname"]

    We are not using Native dashboards. To get the native dashboard view, We have created a role in GCP with the below permissions and attached it our project.

    chronicle.analytics.list
    chronicle.nativeDashboards.create
    chronicle.nativeDashboards.delete
    chronicle.nativeDashboards.duplicate
    chronicle.nativeDashboards.get
    chronicle.nativeDashboards.list
    chronicle.nativeDashboards.update
    chronicle.operations.cancel

    Even after that we didn't get the native dashboard view.  Is native dashboard the only solution to solve this issue ? Please let us know how to proceed forward to address this issue.

    rajukg11
    Staff
    Forum|alt.badge.img+6
    • rajukg11
    • Staff
    • January 23, 2025

    Native dashboards is in preview.  You will see that option in the Dashboards section within Chronicle UI if it is enabled for your tenant.  If not, please request your account team to enable it for you.  I am not sure how I can display the additional field.key as a column header in the Looker dashboard.  I will take a look into this.

    AymanC
    Forum|alt.badge.img+13
    • AymanCBronze 5
    • Bronze 5
    • January 23, 2025

    Hi @Arthy,

    One way to solve this use case, is by utilising a table calculation, with the below example formula:

    if(${events__additional__fields.key} = "dns_response_time", ${events__additional__fields.value__string_value}, "")

     

    This will output another column with the data in additional.fields.value based on a key being a certain value, otherwise the row will contain "" (null). You would create a separate table calculation for each additional.fields.key and value pair you want to display.

    Hope this helps!

    Kind Regards,

    Ayman

    rajukg11
    Staff
    Forum|alt.badge.img+6
    • rajukg11
    • Staff
    • January 23, 2025

    Even though Ayman's solution gives you the results in separate column headers, unfortunately, it still gives you 2 different rows one for each additional field assuming you are selecting 2 different additional fields.  There is no way to see both in the same row.   This is not an issue with the Native dashboards which is in Public Preview so we can easily turn this on in your tenant.

    AymanC
    Forum|alt.badge.img+13
    • AymanCBronze 5
    • Bronze 5
    • January 24, 2025

    Even though Ayman's solution gives you the results in separate column headers, unfortunately, it still gives you 2 different rows one for each additional field assuming you are selecting 2 different additional fields.  There is no way to see both in the same row.   This is not an issue with the Native dashboards which is in Public Preview so we can easily turn this on in your tenant.


    I believe it would be possible to use 'Concat' combined with if statements to output these 3 values into one column if required. If the row output is showing two rows, but because the newly created Measure is blank, you can add a filter to filter out events where that custom measure is blank.

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.