Curated dashboard queries: Entities

This document is for Security Operations Center (SOC) managers and analysts who want to monitor threat landscapes and system health using curated dashboards, which are predefined dashboards designed for visibility across various security use cases. It provides a collection of curated dashboards and their underlying queries for the SOAR cases source type.

You can use these queries in the query editor or as a baseline for custom widgets. For information on how to create and manage dashboards, see Manage dashboards.

Each entry below lists the dashboard name, its description, the chart (widget) name, and the query behind that chart.

Dashboard name: PCI - Alert Overview
Description: Provides a consolidated view of alerts and insights regarding security breaches and events affecting PCI standards. Required: The PCI_Assets (Payment Card Industry Assets) reference list must be created to scope data; otherwise, charts don't load.
Chart name: Top PCI Assets by Risk
Query example:

graph.metadata.entity_type = "ASSET"
graph.entity.hostname in %PCI_Assets

$Hostname = graph.entity.hostname
$Risk_Score = graph.risk_score.risk_score

match:
  $Hostname, $Risk_Score

order:
  $Risk_Score desc

Dashboard name: Ransomware Spotlight Monitoring
Description: Provides a comprehensive view of ransomware-related detections across all security tools. Highlights recent events, affected devices, and detection sources to accelerate incident response.
Chart name: Recent Ransomware Intel Sources Events
Query example:

graph.metadata.threat[0].description = /ransom/ nocase

$IOC_Type = graph.metadata.entity_type
$Threat = graph.metadata.threat[0].description
$Hash = group(graph.entity.file.sha256, graph.entity.file.md5)
$IOC_Value = strings.coalesce(if(graph.entity.ip != "", graph.entity.ip, ""), if(graph.entity.url != "", graph.entity.url, ""), if($Hash != "", $Hash, ""))
$IOC_Value != ""
$Date = timestamp.get_date(graph.metadata.collected_timestamp.seconds)

match:
  $Date, $Threat, $IOC_Value, $IOC_Type

outcome:
  $Count = count(graph.metadata.event_metadata.id)

order:
  $Count desc

Dashboard name: Threat Intelligence Overview
Description: Provides real-time and historical tracking of top threats, IOCs, and targeted systems. Monitors risk scores, severity, and indicator metrics to detect emerging infrastructure threats.
Chart name: IOCs with High Risk Score
Query example:

$IOC_Type = graph.metadata.entity_type
$Risk_Score = graph.metadata.threat.risk_score
$Date = timestamp.get_date(graph.metadata.collected_timestamp.seconds)
$Hash = group(graph.entity.file.sha256, graph.entity.file.md5)
$IOC_Value = strings.coalesce(if(graph.entity.ip != "", graph.entity.ip, ""), if(graph.entity.url != "", graph.entity.url, ""), if($Hash != "", $Hash, ""))
$IOC_Value != ""

match:
  $Date, $IOC_Type, $IOC_Value

outcome:
  $Total_Risk_Score = math.round(avg($Risk_Score), 2)
  $Count = count(graph.metadata.event_metadata.id)

order:
  $Total_Risk_Score desc

Dashboard name: HIPAA Dashboard
Description: Monitors HIPAA compliance and security metrics in real-time. Provides visibility into PHI access and potential risks to ensure data confidentiality and integrity.
Chart name: Top Assets by Risk
Query example:

graph.metadata.entity_type = "ASSET"
graph.entity.hostname in %ePHI_assets.Hostname

$Hostname = graph.entity.hostname
$Risk_Score = graph.risk_score.risk_score

match:
  $Hostname, $Risk_Score

order:
  $Risk_Score desc
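The two patterns these widgets rely on are reference-list scoping of ASSET entities (the PCI and HIPAA "Top Assets by Risk" charts) and the IP-then-URL-then-hash `strings.coalesce` chain followed by a `match`/`outcome` aggregation (the Ransomware and Threat Intelligence charts). The Python below is an added example, not Google SecOps code and not a query engine: it re-implements those semantics as an assumption over a handful of constructed entity records, so an analyst can sanity-check what rows a custom widget built on these queries should produce before pasting it into the query editor. The record field names (`hostname`, `asset_risk`, `threat_risk`, `collected`, `event_id`) and the `PCI_ASSETS` set standing in for `%PCI_Assets` are all constructed for this illustration.

```python
"""Offline emulation of the curated entity-dashboard query patterns above.

Added example, not Google SecOps code. Records, the reference list, and the
emulated semantics (coalesce, group, match/outcome, order) are assumptions
made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed reference list standing in for %PCI_Assets.
PCI_ASSETS = {"pos-term-01", "pay-gw-02"}

# Constructed entity-graph records (flattened subset of the graph.* fields the queries use).
ENTITIES = [
    {"entity_type": "ASSET", "hostname": "pos-term-01", "asset_risk": 87},
    {"entity_type": "ASSET", "hostname": "pay-gw-02", "asset_risk": 42},
    {"entity_type": "ASSET", "hostname": "dev-box-09", "asset_risk": 95},  # out of PCI scope
    {"entity_type": "IP_ADDRESS", "ip": "203.0.113.10", "threat_risk": 90,
     "collected": 1_717_000_000, "event_id": "e1"},
    {"entity_type": "IP_ADDRESS", "ip": "203.0.113.10", "threat_risk": 70,
     "collected": 1_717_000_500, "event_id": "e2"},
    {"entity_type": "URL", "url": "http://example.invalid/x", "threat_risk": 55,
     "collected": 1_717_000_000, "event_id": "e3"},
    {"entity_type": "FILE", "sha256": "a" * 64, "md5": "", "threat_risk": 85,
     "collected": 1_717_000_000, "event_id": "e4"},
    # No IP, URL or hash: the `$IOC_Value != ""` filter must drop this one.
    {"entity_type": "FILE", "sha256": "", "md5": "", "threat_risk": 99,
     "collected": 1_717_000_000, "event_id": "e5"},
]


def top_assets_by_risk(entities, scope):
    """Emulates the PCI/HIPAA 'Top Assets by Risk' charts: ASSET entities whose
    hostname is in the reference list, one row per (hostname, risk), highest first."""
    rows = {(e["hostname"], e["asset_risk"]) for e in entities
            if e.get("entity_type") == "ASSET" and e.get("hostname") in scope}
    return sorted(rows, key=lambda r: r[1], reverse=True)


def ioc_value(entity):
    """Emulates strings.coalesce(if(ip != "", ip, ""), if(url != "", url, ""),
    if($Hash != "", $Hash, "")): the first non-empty of IP, URL, hash.
    Assumption: group(sha256, md5) is reduced to whichever hash field is populated."""
    hash_value = entity.get("sha256") or entity.get("md5") or ""
    for candidate in (entity.get("ip", ""), entity.get("url", ""), hash_value):
        if candidate:
            return candidate
    return ""


def iocs_with_high_risk_score(entities):
    """Emulates 'IOCs with High Risk Score': drop rows with no IOC value, group by
    (date, IOC type, IOC value), average the risk score, count distinct event ids,
    and order by average risk descending."""
    buckets = defaultdict(list)
    for e in entities:
        value = ioc_value(e)
        if not value:  # $IOC_Value != ""
            continue
        # timestamp.get_date(collected_timestamp.seconds): calendar date in UTC.
        date = datetime.fromtimestamp(e["collected"], tz=timezone.utc).strftime("%Y-%m-%d")
        buckets[(date, e["entity_type"], value)].append(e)

    rows = []
    for (date, ioc_type, value), group in buckets.items():
        avg_risk = round(sum(g["threat_risk"] for g in group) / len(group), 2)
        rows.append({
            "date": date,
            "ioc_type": ioc_type,
            "ioc_value": value,
            "total_risk_score": avg_risk,                        # math.round(avg($Risk_Score), 2)
            "count": len({g["event_id"] for g in group}),        # count(event_metadata.id)
        })
    rows.sort(key=lambda r: r["total_risk_score"], reverse=True)
    return rows


if __name__ == "__main__":
    for hostname, risk in top_assets_by_risk(ENTITIES, PCI_ASSETS):
        print(f"{hostname:<12} risk={risk}")
    for row in iocs_with_high_risk_score(ENTITIES):
        print(row)
```

The point of the emulation is the two places a custom widget usually goes wrong: an asset that is not in the reference list (`dev-box-09`) never reaches the chart even though it carries the highest risk, and an entity with no IP, URL or hash (`e5`) is silently dropped by the `$IOC_Value != ""` filter rather than surfacing as an empty-valued row.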
