Has anyone created a dashboard to track asset (server) status? When I search for a server, for example, I get Entity Information with a Last Seen value. Is there a way to get a dashboard of all entities and their last seen status? This way I can know if any server or asset has stopped sending logs.
Hi @ISOL
Does the below satisfy your requirements? To use this, please import the below code into your 'SIEM Dashboards' components within your Google Chronicle instance. It is worth noting that Looker Embedded (which is what is used in the SIEM Dashboards) has a maximum row limit of 5,000.
lookml:
- dashboard: entity_tracker
  description: ""
  elements:
  - col: 0
    column_limit: 50
    conditional_formatting_include_nulls: false
    conditional_formatting_include_totals: false
    defaults_version: 1
    dynamic_fields:
    - _kind_hint: measure
      _type_hint: number
      category: table_calculation
      expression: diff_hours(${entity_graph.metric__last_seen_max_date}, now())
      label: Time Last Seen
      table_calculation: time_last_seen
      value_format: null
      value_format_name: null
    enable_conditional_formatting: false
    explore: entity_graph_connector
    fields:
    - entity_graph.entity__hostname
    - entity_graph.metric__first_seen_max_date
    - entity_graph.metric__last_seen_max_date
    filters:
      entity_graph.time_filter: 24 years
    header_font_size: 12
    header_text_alignment: left
    height: 18
    hide_row_totals: false
    hide_totals: false
    limit: 500
    limit_displayed_rows: false
    model: scn
    name: Entity First Seen -> Last Seen -> Last Seen Time since now()
    row: 0
    rows_font_size: 12
    show_row_numbers: true
    show_view_names: false
    size_to_fit: true
    sorts:
    - entity_graph.metric__first_seen_max_date desc
    table_theme: white
    title: Entity First Seen -> Last Seen -> Last Seen Time since now()
    transpose: false
    truncate_text: true
    type: looker_grid
    width: 23
  layout: newspaper
  title: Entity Tracker
  metadata:
    exported_at: "2024-10-04T07:03:05-07:00"
    file_fingerprint: "1667063027957888623318369620402778155636"
    looker_version: 24.12.51
    version: "1"
Kind Regards,
Ayman C
Thank you so much Ayman! I was able to import, but all the entities have the same first and last seen (1970-01-01).
Hi @ISOL
Within your instance, when looking at an entity, can you find one with a last seen which is not equivalent to 1970-01-01? Have you also tried sorting the column within the dashboard, or filtering out results that are 1970-01-01?
Kind Regards,
Ayman
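The dashboard above computes diff_hours(last_seen, now()) per hostname, and the follow-up shows what happens when the entity graph has no real timestamp: every row reads 1970-01-01, which is the Unix epoch, i.e. an unset value rather than a host that has been silent for decades. The script below is an added example, not code from this thread or from Google Chronicle. It applies the same "hours since last seen" calculation outside Looker (so it is not limited to 5,000 rows), flags hosts quiet for longer than a threshold, and reports epoch-zero timestamps as "no data" instead of "stale". The CSV layout (hostname,first_seen,last_seen) and the sample rows are constructed assumptions; adapt the parser to whatever export you pull from your instance.

```python
"""Stale-asset check over a Chronicle-style entity export.

Added example, not code from the thread or from Google Chronicle. It
mirrors the dashboard's table calculation diff_hours(last_seen, now())
and treats a last_seen of 1970-01-01 (Unix epoch, an unset timestamp)
as "no data" rather than as a host that went silent 50+ years ago.
The CSV columns and sample rows below are assumptions, not a real export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data). Timestamps are UTC, RFC 3339.
SAMPLE_EXPORT = """hostname,first_seen,last_seen
web-01,2024-09-01T08:00:00Z,2024-10-04T13:30:00Z
db-02,2024-08-15T00:00:00Z,2024-10-01T02:00:00Z
legacy-fs,1970-01-01T00:00:00Z,1970-01-01T00:00:00Z
vpn-gw,2024-09-20T10:00:00Z,2024-10-04T13:55:00Z
"""

# Unix epoch: what an unset timestamp renders as in the dashboard.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an RFC 3339 timestamp ('...Z' or with an offset) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_since(last_seen, now):
    """Plain-Python equivalent of the dashboard's diff_hours(last_seen, now())."""
    return (now - last_seen).total_seconds() / 3600.0


def classify(hostname, first_seen, last_seen, now, stale_after):
    """Return (hostname, status, hours); status is 'no_data', 'stale' or 'ok'."""
    if last_seen <= EPOCH:
        # Epoch zero is a placeholder for "no timestamp", not an observation,
        # so it must not be counted as a very stale host.
        return hostname, "no_data", None
    hours = hours_since(last_seen, now)
    threshold_hours = stale_after.total_seconds() / 3600.0
    status = "stale" if hours > threshold_hours else "ok"
    return hostname, status, round(hours, 2)


def stale_assets(export_text, now, stale_after=timedelta(hours=24)):
    """Parse the export and return one (hostname, status, hours) row per entity.

    Rows are ordered stale, then no_data, then ok, with the longest-silent
    hosts first, so the sources that stopped sending logs sit at the top.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        rows.append(classify(rec["hostname"], parse_ts(rec["first_seen"]),
                             parse_ts(rec["last_seen"]), now, stale_after))
    order = {"stale": 0, "no_data": 1, "ok": 2}
    rows.sort(key=lambda r: (order[r[1]], -(r[2] or 0)))
    return rows


if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible; use datetime.now(timezone.utc) live.
    fixed_now = parse_ts("2024-10-04T14:03:05Z")
    for hostname, status, hours in stale_assets(SAMPLE_EXPORT, fixed_now):
        shown = "" if hours is None else f"{hours:8.2f} h"
        print(f"{hostname:12} {status:8} {shown}")
```

With the constructed rows and the fixed clock, db-02 is reported stale at just over 84 hours, legacy-fs as no_data, and web-01 and vpn-gw as ok. Once you confirm which entities in your instance carry genuine Last Seen values, the same "no_data" bucket is the list of hosts whose timestamps never populated, which is a separate problem from hosts that stopped logging.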