Skip to main content

Reference list dashboard

  • June 10, 2025
  • 2 replies
  • 88 views
R
Forum|alt.badge.img+8

Hello Community 
While we cannot use data tables in native dashboards , i have a question 
i want to develop a dashboard using multiple reference lists ( because reference list cannot be multi collumn ) where i want the results to combine results from list1 and list2 into my visualization
for exemple : 
string in %list1 ( exemple :username) 
string in %list2 (exemple : userid )

and in the dashboard must contain results from list1 and list2 , each username with his userid

Thanks 

    2 replies

    TomAtGoogle
    Staff
    Forum|alt.badge.img+5
    • TomAtGoogle
    • Staff
    • June 12, 2025

    Unfortunately I have bad news.

    Currently, there is no direct way to use reference lists within the existing SecOps Native Dashboards, which utilize Looker Embedded. Users have reported encountering errors such as "metadata unavailable for reference list" or "invalid arguments" when attempting to call reference lists directly in these dashboards.

    However, the ability to call reference lists is available in the new preview dashboard capabilities. This feature is currently in private preview, and access requires contacting your Google Cloud account team.

    Workarounds for Current Native Dashboards:

    If you need to incorporate data from reference lists into your current native dashboards, consider the following workarounds:

    • Directly paste into filters: You can copy a tab-separated list from your reference list (e.g., from Excel after stripping quotes) and paste it directly into a filter within the dashboard. The system will assume the correct data type.
    • Utilize detection rules: Create a simple detection rule that uses the reference list. Then, build your dashboard around the detection events generated by this rule.
    • Ingest as a custom CSV feed: Ingest your reference list data into a custom CSV feed. This allows the data to be available for querying and visualization within the dashboard environment.

    While direct integration of reference lists into the current native dashboards is not supported, the new preview dashboard capabilities are designed to include this functionality.

    Below are a couple of links where this has been mentioned previously.

    https://www.googlecloudcommunity.com/gc/SIEM-Forum/Reference-Lists-and-Visualizations/m-p/755640
    https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Reference-List-in-chronicle-custom-dashboard/m-p/824187 

     

    jstoner
    Staff
    Forum|alt.badge.img+22
    • jstoner
    • Staff
    • June 12, 2025

    Alright, I think with some of our pace of innovation and terminology changing over time, there may be some confusion here. Native dashboards, currently in public preview does not today support data tables, but this capability is under development and is forthcoming.

    Native dashboarding does not rely on Looker at all and uses the same YARA-L constructs as statistical search and the ability to use reference lists with dashboard charts does exist. In fact below is an example of that. The downside to this approach is that you have to columns of values that you are comparing versus the row match capability that data tables will provide (and contain more flexibility), but again it is forthcoming. The column approach, if it meets your requirements is a good approach in the meantime.

    Hope this helps!

     

    metadata.event_type = "USER_LOGIN"
    target.user.userid = $userid
    target.user.user_display_name = $username
    target.user.userid in %userid_list_admins 
    target.user.user_display_name in %user_name_list_admins 
    match:
      $userid, $username
    outcome:
      $event_count = count($userid)
    order:
      $event_count desc
    limit: 10
      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.