Welcome to the Corelight Dashboards for Chronicle. These dashboards are designed to provide you with valuable insights and visualizations for your Corelight data. Whether you're a security analyst, network administrator, or IT professional, these dashboards can help you monitor and analyze network traffic effectively.
For more information on the Block structure and customization, refer to Looker Marketplace Documentation
- This block works with Chronicle datasets in Google BigQuery.
- The BigQuery Export feature needs to be enabled for your Chronicle tenant. (Reach out to your Chronicle representative to set this up.)
- The connection with Chronicle dataset needs to be created in Looker, refer to Connecting with DB
-
To create a connection to the chronicle, First, open the Looker instance and navigate to the Home page.
-
Now select the main menu. Then click on Admin and go to the connection page.
-
Now click on the Add connection to create a new connection.
-
Enter the name of the connection as you prefer (Ex: corelight-chronicle) and select Google BigQuery Standard SQL in the Dialect. Now several new fields will appear.
-
Enter the Billing Project ID field (Ex here: chronicle-crds) , where Chronicle data is present.
-
Enter the relevant dataset name (Ex: datalake).
-
To configure authentication, select the service account method and upload your service account file.
-
In Optional settings, Set both the timestamps (Database timestamp and query timestamp) as UTC (the time fields shown in dashboards will be affected accordingly).
-
Click on the Connect button (
) to complete the connection setup. Looker is now connected to the Google Chronicle database!
-
Go to this corelight/block-corelight-chronicle github repository and fork the main repository.
-
Go to Looker Instance and Turn on “Development Mode”.
-
Select Projects from the Develop menu.
-
From the LookML Projects page, select New LookML Project to open the New Project page.
-
From the LookML Projects page, select New LookML Project to open the New Project page.
-
On the New Project page, specify the options for the project:
a. Project Name: corelight-dashboards
b. Starting Point: Choose a Blank Project.
c. Select Create Project. Looker creates the project and opens it in the Looker IDE.
-
Select the Settings icon from the navigation bar, and open the Configure Git page by selecting the Configure Git button.
-
In Looker's Configure Git section, paste the HTTPS URL for the forked Corelight Looker dashboard git repository in the Repository URL field, then select Continue.
-
In the Repository URL paste the repo URL which you have forked in Step-1
- Enter GitHub username and Personal Access Token, then click “Test and Finalize Setup”.
-
Note: Make sure the Personal Access Token (PAT) you created from your github repository has Read/Write permissions of the repository.
-
After successful connection head over to the Project settings page and change the production branch from master to main and click on save the configuration by scrolling below.
-
Now, you should be able to see the code from the main branch. If not do the following:
a. In the ‘Git Actions’ tab from the left side, click on the “Pull from…” option.
b. Select the “Pull From Production” option and click on the Confirm button.
-
In the ‘File Browser’ tab from the left side, click on ‘manifest.lkml’ and update the value of the following constant if required and then click “Save Changes”.
a. CONNECTION_NAME: The name of the connection you created to connect with the chronicle.b. CHRONICLE_URL: The base URL of your Chronicle tenant (i.e., https://{your_tenant}.backstory.chronicle.security)
-
After saving the changes, click on "Validate LookML" on the top right corner and then click on "Commit changes" and Push the latest changes to the repository.
-
After the above steps, In the Git Actions, click on the “Deploy to Production” or you can press “Deploy to Production” from the top right corner.
-
On the Homepage of your Looker instance, navigate to the “LookML dashboards” tab under the “Folders” tab to access and view all the created dashboards.
For any future enhancements into Looker Dashboards make sure the repo you forked in Step-1 of Get the Block from the GitHub Repository section is in sync with this corelight/block-corelight-chronicle github repository.
To sync this changes in forked repository from the main repository, make sure to follow the steps below:
-
In the event of any additional changes required for the Dashboards in the future, the main repository will be updated. Once you have created a fork of your repository, you can synchronize it by selecting the "Sync fork" option located at the top of your repo.
-
After clicking "Sync fork" you'll see an option to either "Discard commit" or "Update branch" Select "Update branch" and your branch will be updated with the latest changes from the main branch.
- Note: If you don’t see the "Update Branch" option and instead see "Open Pull Request," click the "Discard commits'' button. This will discard all your local commits while keeping your changes in your Looker code. After clicking "Discard commits," you will have the latest code changes from the main repository.
-
After completing the steps above, go to your Looker instance and refresh the window. You will then see the option to pull the latest code from production by clicking the "Pull from Production" button in the top right corner. This will update your repo with the latest code from the main branch.
-
If in some case Pull from Production doesn’t permits head over to git actions and click on Pull from... option which will open a popup which shows "Pull from Production" and confirm it.
-
After Pulling the code from Production, Deploy the latest code changes to Production by pressing the "Deploy to Production" button from the top right corner.
Now your code will be upgraded to the latest code and it will be in sync with the main repository corelight/block-corelight-chronicle.
- For guidance on fully utilizing and analyzing dashboards in Looker, refer to Looker Guide Documentation