Dashboards overview

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated 2025-08-21 UTC.

This document explains how to use the Dashboards feature of Google Security Operations to build visualizations over different data sources. A dashboard is composed of charts, and each chart is populated by a YARA-L 2.0 query.

Before you begin

Ensure that your Google SecOps instance has the following enabled:

- [Configure a Google Cloud project](/chronicle/docs/onboard/configure-cloud-project) or migrate your Google SecOps instance to an [existing cloud project](/chronicle/docs/onboard/link-chronicle-cloud).
- Configure a [Google Cloud Identity provider](/chronicle/docs/onboard/configure-cloud-authentication) or a [third-party identity provider](/chronicle/docs/onboard/configure-authentication).
- [Configure feature access control using IAM](/chronicle/docs/onboard/configure-feature-access).

IAM permissions required

The following permissions are required to access dashboards:

| IAM permission | Purpose |
|---|---|
| `chronicle.nativeDashboards.list` | [View the list of all dashboards](/chronicle/docs/reports/manage-native-dashboards#view-dashboards). |
| `chronicle.nativeDashboards.get` | [View a dashboard](/chronicle/docs/reports/manage-native-dashboards#view-a-dashboard), [apply a dashboard filter](/chronicle/docs/reports/native-dashboards-filters#apply-filter), and [apply the global filter](/chronicle/docs/reports/native-dashboards-filters#apply-global-time-filter). |
| `chronicle.nativeDashboards.create` | [Create a new dashboard](/chronicle/docs/reports/manage-native-dashboards#new-dashboards). |
| `chronicle.nativeDashboards.duplicate` | [Make a copy of an existing dashboard](/chronicle/docs/reports/manage-native-dashboards#copy-dashboards). |
| `chronicle.nativeDashboards.update` | [Add and edit charts](/chronicle/docs/reports/manage-native-dashboard-charts), [add a filter](/chronicle/docs/reports/native-dashboards-filters#add-filter), [change dashboard access](/chronicle/docs/reports/manage-native-dashboards#change-dashboard-access), and [manage the global time filter](/chronicle/docs/reports/native-dashboards-filters#manage-global-time-filter). |
| `chronicle.nativeDashboards.delete` | [Delete a dashboard](/chronicle/docs/reports/manage-native-dashboards#delete-dashboards). |

Understand dashboards

Dashboards provide insights into security events, detections, and related data. This section lists the supported data sources and explains how data role-based access control (RBAC) affects visibility and data access within dashboards.

Data sources supported

Dashboards include the following data sources, each with its corresponding YARA-L prefix and query time interval. Note that events can be queried for 90 days, while most other sources can be queried for 365 days:

| Data source | Query time interval | YARA-L prefix | Schema |
|---|---|---|---|
| Events | 90 days | no prefix | [Fields](/chronicle/docs/reference/udm-field-list) |
| Entity graph | 365 days | `graph` | [Fields](/chronicle/docs/reference/udm-field-list#udm_entity_data_model) |
| Ingestion metrics | 365 days | `ingestion` | [Fields](/chronicle/docs/reference/ingestion-metrics-schema) |
| Rule sets | 365 days | `ruleset` | [Fields](/chronicle/docs/reference/yaral-functions-native-dashboards#rule_sets_fields) |
| Detections | 365 days | `detection` | [Fields](/chronicle/docs/reference/rest/v1alpha/Collection) |
| IOCs | 365 days | `ioc` | [Fields](/chronicle/docs/reference/yaral-functions-native-dashboards#ioc_fields) |
| Rules | No time limit | `rules` | [Fields](/chronicle/docs/reference/yaral-functions-native-dashboards#rule_fields) |
| Cases and alerts | 365 days | `case` | [Fields](/chronicle/docs/reference/soar-data-dashboard#cases-and-alerts) |
| Playbook | 365 days | `playbook` | [Fields](/chronicle/docs/reference/soar-data-dashboard#playbook) |
| Case history | 365 days | `case_history` | [Fields](/chronicle/docs/reference/soar-data-dashboard#case-history) |

Impact of data RBAC

Data role-based access control (RBAC) is a security model that uses individual user roles to restrict user access to data within an organization. Data RBAC lets administrators define scopes and assign them to users, ensuring that access is limited to only the data necessary for their job functions. All queries in dashboards follow data RBAC rules. Because every query is evaluated against the viewing user's scopes, two users opening the same shared dashboard can see different results in the same chart. For more information about access controls and scopes, see [Access controls and scopes in data RBAC](/chronicle/docs/administration/datarbac-overview#access-control-with-scopes-labels).

Events, entity graph, and IOC matches

The data returned from these sources is restricted to the user's assigned access scopes, so users only see results from data they are authorized to view. If a user has multiple scopes, queries include data from all assigned scopes. Data outside the user's accessible scopes does not appear in dashboard results.

Rules

Users can only see rules that are associated with their assigned scopes.

Detections and rule sets with detections

Detections are generated when incoming security data matches the criteria defined in a rule. Users can only see detections that originate from rules associated with their assigned scopes. Rule sets with detections are only visible to [global users](/chronicle/docs/administration/datarbac-overview#user-roles).

SOAR data sources

Cases and alerts, playbooks, and case history are only visible to [global users](/chronicle/docs/administration/datarbac-overview#user-roles).

Ingestion metrics

Ingestion components are services or pipelines that bring logs into the platform from source log feeds. Each ingestion component collects a specific set of log fields within its own ingestion metrics schema. These metrics are only visible to [global users](/chronicle/docs/administration/datarbac-overview#user-roles).

Advanced features and monitoring

To fine-tune detections and improve visibility, you can use advanced configurations such as YARA-L 2.0 queries and ingestion metrics in dashboards. This section describes how YARA-L 2.0 behaves in dashboards so that you can build charts that track detection efficiency and monitor data processing.

YARA-L 2.0 properties

YARA-L 2.0 has the following properties that are specific to its use in dashboards:

- Additional data sources, such as entity graph, ingestion metrics, rule sets, and detections, are available in dashboards. Some of these data sources are not yet available in YARA-L rules or in Unified Data Model (UDM) search.
- See [YARA-L 2.0 functions for Google Security Operations dashboards](/chronicle/docs/reference/sample-yaral-for-native-dashboard#yara-l-functions-native-dashboards) for the functions available in dashboard queries, including aggregate functions with statistical measures.
- A dashboard query must contain a `match` section, an `outcome` section, or both.
- The `events` section of a YARA-L rule is implied and does not need to be declared in dashboard queries.
- The `condition` section of a YARA-L rule is not available in dashboards.
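The following is an added example of a dashboard query written to the properties listed above; it is not taken from this page or from Google's sample library. It counts blocked login attempts per user over the global time range. The UDM field names (`metadata.event_type`, `security_result.action`, `principal.user.userid`, `principal.ip`, `metadata.id`) are standard UDM fields; the choice of event type and action value, the placeholder names, and the outcome variable names are this example's own assumptions.

```yaral
// Added example (not from the page): blocked logins per user, for an event-source chart.
// There is no "events:" header: in dashboards the events section is implied, so the
// event filters are written directly at the top of the query.
// "USER_LOGIN" and "BLOCK" are assumed values for this example; adjust to your log sources.
metadata.event_type = "USER_LOGIN"
security_result.action = "BLOCK"
$user = principal.user.userid

// "match" supplies the grouping key: one row (or bar) per user.
match:
  $user

// "outcome" supplies the aggregates for each group.
outcome:
  $blocked_logins = count(metadata.id)
  $distinct_source_ips = count_distinct(principal.ip)
```

Because `condition` is not available in dashboards, a threshold such as "only users with more than five blocked logins" cannot be expressed in the query itself; the chart shows the aggregate for every group the query matches within the selected time range. The same query also reads differently for different viewers: a scoped user only sees groups built from events inside their data RBAC scopes.

The next block, also an added example and not from the page, shows the only change needed to chart a non-event source: the field names carry the source's prefix from the table above. It uses the `ingestion` prefix to total ingested events per log type. The field names `ingestion.log_type` and `ingestion.total_event_count` are assumed from the ingestion metrics schema linked in the table; verify them against that reference before using the query.

```yaral
// Added example (not from the page): ingested event volume per log type, for an
// ingestion-metrics chart. Field names are assumptions; check the ingestion metrics schema.
// The "ingestion" prefix selects the ingestion metrics source instead of UDM events.
$log_type = ingestion.log_type

match:
  $log_type

outcome:
  $ingested_events = sum(ingestion.total_event_count)
```

Ingestion metrics are only visible to global users, so this chart renders empty for a scoped user even though the same dashboard's event-based charts still populate for them.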