Hello all,
I am working with the dashboards, the aim is to provide a "ROI" view on the product (SIEM in particular). The huge wall I am hitting at the moment is about generating a simple count of all the alerts generated and the IoC matched. The very same you can find in the "Alerts & IoC" page, but summarized in a dashboard with other info... should be a piece of cake, right??
First step: find the right data model. The only "Explores" that have some fields seem to be "Rule Detections" and "IoC Matches" respectively. But:
For the alerts, the only actual field I can relate to the alerts is "Alert Name". All the rest seems to be related to just detections. And when I try a run over 1 hr, I get a list of rules that are not even active as alerts... Quite unsatisfactory.
For the IoC, it is even more puzzling. There is a quite useful "Ccount" measure, just that the numbers are totally different when you compare the same time range in the "IoC Matches" page.
Is there anyone who had more luck?
And in general, is there some reference about all the different fields/measures/dimensions that you can find in the Explorer modules? Apart from the names, there is almost no other info to tell what they are and how they work (or at least, I could not find it in the documentation).
Thanks everybody,
A