We have Data RBAC configured to segregate visibility between regional SOC teams (per namespace). A scoped analyst group (GRP_SECOPS_SOC-AP) is restricted to namespaces IFAP and UNIFAP via a Data Access Scope using only the standard Namespace label (no custom labels).
IAM bindings on the group (all with the condition resource.name.endsWith("/soc-siem-ap")):
- Chronicle API Restricted Data Access
- Chronicle API Editor
- Chronicle Restricted Data Access Reader (no condition — base UI)
- Custom role with
chronicle.nativeDashboards.get/list,chronicle.dashboardCharts.get/list,chronicle.dashboardQueries.get/list
Problem: On a native dashboard panel using the Ingestion metrics data source, the following query returns no data for the scoped analyst, but returns data correctly for a global (unrestricted) admin:
ingestion.component = "Ingestion API"
$namespace = ingestion.namespace
match:
$namespace
outcome:
$Total_Log_Volume = math.round(sum(ingestion.log_volume) / (1000 * 1000 * 1000), 4)If we change the outcome to count(ingestion.log_count), the scoped analyst does see data (correctly filtered to IFAP/UNIFAP). Only the byte/volume metric (sum(ingestion.log_volume)) comes back empty under the scope.
Questions:
- Is
ingestion.log_volume(bandwidth/bytes) expected to not resolve under a Namespace-based Data RBAC scope, whilelog_countdoes? - If this is by design, what is the supported way to expose approximate ingestion volume (GB) to scoped users in a native dashboard?
- If not by design, what IAM permission or instance setting enables ingestion volume metrics for scoped users?
Instance region: US.
