SIEM Dashboard Creation: To Case History

Question

Hi everyone,I'm working on building a dashboard in Google SecOps where I want to implement a user-based filter. The idea is: when filters a specific username, the dashboard should dynamically display:That user’s login detailsPrevious cases/incidents the user was involved inLast login region(Any other relevant user metadata)I'm looking for suggestions or best practices on how to structure this kind of dashboard, particularly:What data sources should be connected or joined?How to design the filter to retrieve and reflect all these details for a selected user?Any recommended tools or integrations within GCP that simplify this?Thanks in advance for any guidance or examples!

Eoved · Answer

Hi,If I were you, I'd start building that user-based dashboard in Google SecOps by prioritizing the ingestion of your Identity Provider (IdP) logs (like Entra ID, Okta, Google Workspace, etc.). These are absolutely crucial, as they contain the most accurate and immediate user login details.Fortunately, Google SecOps gives you a fantastic head start. There's already a"User Sign-In Overview"dashboard that provides much of the functionality you're looking for. Here’s what I’d recommend:Duplicatethe existing "User Sign-In Overview" dashboard. This allows you to customize it without affecting the original.Add a Dashboard Filterto the duplicated version. Configure the filter to use a common user identifier likeprincipal.user.userid,target.user.userid, orprincipal.user.email_addresses.This step is key—it will let you select a specific user and have the entire dashboard dynamically update with their information.I think if you start from this, you'll be on the right track!

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded