
Hello,

I've recently started using Google SecOps, which allows me to create dashboards using YARA-L in the Preview Dashboards section. I created a dashboard with YARA-L, but I would like to know if there is a way to share or export it outside of my organization to other customers.

In the image I’ve attached, it mentions that dashboards can only be shared within the organization. I’m looking for information on how to share or export these dashboards across different tenants.


This capability recently reached public preview and at the moment, the ability to share or export outside of the organization is not in the public preview. As we get closer to general availability, these additional capabilities should be something that can be taken advantage of...


Hi @jstoner, Thanks for the information.

Just a small question, is there currently a marketplace where these native dashboards can be published, or is there a possibility that they might be available for sharing in the future?


We have additional initiatives planned around dashboards in 2025, the initial release to public preview is just the start. We have a marketplace that is currently playbooks and integrations. As we move into 2025 and beyond and make it possible to have additional functionality, I would imagine things like what you are suggesting may be possible.


Thanks for the update, @jstoner

I just wanted to check if it's possible to perform a group by on an aggregated field with multiple fields (more than two) in preview dashboards?

Additionally, are joins supported in preview dashboard queries? Specifically, can we join more than two product event types in a single query to retrieve the desired results?


I'd suggest for the first question to give it a try and see if it is performing how you would expect it and if not to open a ticket with any gaps you see in it. I did a quick test to group on a few different IP address fields and it returned results that aligned with search but I realize there may be other use cases, so I would try it and open a ticket if it does not meet what you are looking to achieve.


While you can do dashboard panels for entity graph, ingestion metrics, udm, rulesets, detections and ioc, at the moment, we are not allowing joins of those different datasets in dashboards.


Thank you for the update.
I'll check for other use cases and let you know.

For the joins query, I want to clarify if it's possible to join different event type logs (e.g., can we combine two logs with different event types, such as 'http' and 'conn') from the same dataset?


Hello @jstoner ,

Following up on the previous set of questions, I have a few more regarding the Preview Dashboard query:

1. Is there a possibility to use nested IF statements in the outcome or any other section, similar to the CASE statement in SQL?

2. Is it possible to generate filters by utilizing custom fields (fields formed by merging or applying operations on UDM fields)?

3. Can multiple aggregations be applied to a single field in the outcome section?
- For instance, if I set $count = count(metadata.id), can I subsequently utilize $count in another aggregation, such as $sum = sum($count), or is there an alternative method to accomplish this?

4. Is there a choice to pivot fields in the Preview Dashboards?



The dashboards leverage the same kind of syntax that statistical search uses which builds on top of a good chunk of YARA-L concepts from the rules engine. There are a few things that are different between rules and search/dashboards that we are working to close further.


Yes, you can use conditional logic in the outcome section, yes you can create custom fields using functions like strings.concat, yes you can use aggregation functions like count, count_distinct, sum, max, min and more in the outcome section on the same field.


I think I'd like to understand your definition of pivot. Is it dynamic like a gsheet or excel to drop fields and have things auto-recalculate? No. Can I use multiple dimensions in my search and use one for the X axis like time and another to separate event types for instance and make a time chart? Yes.


I recommend taking a look at the YARA-L syntax reference as well as the blog series New to Google SecOps or the videos for more examples of using different functions and building searches. I will be publishing some more content regarding these dashboards shortly.
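As an added illustration (not jstoner's code and not taken from Google's documentation), here is a statistical search query that puts the points above together: grouping on more than one field, a custom field built with strings.concat, nested conditional logic in the outcome section, and several aggregations over the same field. It assumes the standard UDM network fields; the byte thresholds and bucket labels are constructed for the example.

```yaral
// Added example, not from the thread. Filters come first, then the
// match (group by) and outcome sections, as in UDM statistical search.
metadata.event_type = "NETWORK_CONNECTION"
principal.ip = $src_ip
target.ip = $dst_ip
target.port = $dst_port
network.sent_bytes = $sent

match:
  // group by two fields at once: source address and destination port
  $src_ip, $dst_port

outcome:
  // custom field derived from UDM fields; strings.concat takes two
  // arguments, so it is nested to add the ":" separator
  $src_and_port = array_distinct(strings.concat(strings.concat($src_ip, ":"), $dst_port))

  // several aggregations over the same UDM field (network.sent_bytes)
  $total_sent = sum($sent)
  $max_sent = max($sent)
  $min_sent = min($sent)

  // other aggregations on the group
  $connections = count(metadata.id)
  $distinct_targets = count_distinct($dst_ip)

  // nested if() in the style of a SQL CASE; the thresholds are constructed.
  // It is wrapped in array_distinct so it can sit under a match section.
  $size_bucket = array_distinct(if($sent > 1000000, "large", if($sent > 10000, "medium", "small")))
```

Each row of the result is one (source IP, destination port) pair with the aggregated columns, so the same query can back a table panel or, with a time dimension added to the match section, a time chart.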


Thank you for your response @jstoner.

Apologies for the delayed update.

I have a quick question—can we use multiple conditional logic statements (such as multiple if-else) in the outcome section? For example, if I want to derive a value from another field, is that possible?

I have a "severity" field in my UDM with values 1, 2, and 3. I want to create a new field called "severity_level," where if the severity value is 1, it should be categorized as "Critical," if 2, as "High," and if 3, as "Low."

Is this achievable?



Hi @AashShah,

Does the below proof of concept help you to achieve your use case:

This is under the assumption that the UDM field you are referring to, which contains the 'severity', is 'security_result.risk_score', and that you want to match (aggregate) the results based on the UDM field 'principal.ip'.

security_result.risk_score = $severity
principal.ip = $IP

match:
  $IP

outcome:
  $Sev = array_distinct($severity)
  // use this variant if the UDM field holds a string value
  //$severity_level_field_string = array_distinct(if($severity = "1", "Critical", if($severity = "2", "High", if($severity = "3", "Low", "N/A"))))
  // use this variant if the UDM field holds an int / float; strings.concat coerces it to a string first
  $severity_level_field_non_string = array_distinct(if(strings.concat($severity, "") = "1", "Critical", if(strings.concat($severity, "") = "2", "High", if(strings.concat($severity, "") = "3", "Low", "N/A"))))

If the value within the UDM field you are calling is a string, use the variable in the outcome section with the value 'severity_level_field_string'; otherwise, if it is an int / float, utilise the outcome section with the value 'severity_level_field_non_string'.


Kind Regards,

Ayman

