Curated dashboard queries: Entities

This document is for Security Operations Center (SOC) managers and analysts who want to monitor threat landscapes and system health using curated dashboards, that is, predefined dashboards designed for visibility across various security use cases. It provides a collection of curated dashboards and their underlying queries for the Entities source type (queries against the entity graph, using the graph.* fields).

You can use these queries as-is in the query editor or as a baseline for custom widgets. For information on how to create and manage dashboards, see Manage dashboards.

Each entry below lists the dashboard name, its description, the chart name, and the query behind that chart.

Dashboard name: PCI - Alert Overview
Description: Provides a consolidated view of alerts and insights regarding security breaches and events affecting PCI standards.
Required: The PCI_Assets (Payment Card Industry Assets) reference list must be created to scope data; otherwise, charts don't load.
Chart name: Top PCI Assets by Risk
Query example:

graph.metadata.entity_type = "ASSET"
graph.entity.hostname in %PCI_Assets
$Hostname = graph.entity.hostname
$Risk_Score = graph.risk_score.risk_score

match:
  $Hostname, $Risk_Score

order:
  $Risk_Score desc

Dashboard name: Ransomware Spotlight Monitoring
Description: Provides a comprehensive view of ransomware-related detections across all security tools. Highlights recent events, affected devices, and detection sources to accelerate incident response.
Chart name: Recent Ransomware Intel Sources Events
Query example:

graph.metadata.threat[0].description = /ransom/ nocase
strings.coalesce(if(graph.entity.ip != "", graph.entity.ip, ""), if(graph.entity.url != "", graph.entity.url, ""), if($Hash != "", $Hash, "")) != ""

$IOC_Type = graph.metadata.entity_type
$Threat = graph.metadata.threat[0].description
$Hash = group(graph.entity.file.sha256,graph.entity.file.md5)
$IOC_Value = strings.coalesce(if(graph.entity.ip != "", graph.entity.ip, ""), if(graph.entity.url != "", graph.entity.url, ""), if($Hash != "", $Hash, ""))
$Date = timestamp.get_date(graph.metadata.collected_timestamp.seconds)

match:
  $Date, $Threat, $IOC_Value, $IOC_Type

outcome:
  $Count = count(graph.metadata.event_metadata.id)

order:
  $Count desc

Note: $IOC_Value resolves to the first non-empty value among the entity's IP address, URL, and file hash (SHA-256 or MD5, grouped into $Hash). The same coalesce expression is repeated as a filter condition so that entities with no usable indicator are dropped before matching.

Dashboard name: Threat Intelligence Overview
Description: Provides real-time and historical tracking of top threats, IOCs, and targeted systems. Monitors risk scores, severity, and indicator metrics to detect emerging infrastructure threats.
Chart name: IOCs with High Risk Score
Query example:

$IOC_Type = graph.metadata.entity_type
$Risk_Score = graph.metadata.threat.risk_score
$Date = timestamp.get_date(graph.metadata.collected_timestamp.seconds)
$Hash = group(graph.entity.file.sha256,graph.entity.file.md5)
$IOC_Value = strings.coalesce(if(graph.entity.ip != "", graph.entity.ip, ""), if(graph.entity.url != "", graph.entity.url, ""), if($Hash != "", $Hash, ""))
$IOC_Value != ""

match:
  $Date, $IOC_Type, $IOC_Value

outcome:
  $Total_Risk_Score = math.round(avg($Risk_Score), 2)
  $Count = count(graph.metadata.event_metadata.id)

order:
  $Total_Risk_Score desc

Note: Despite its name, $Total_Risk_Score is the average threat risk score per IOC (rounded to two decimal places), not a sum; the chart is ordered by that average.

Dashboard name: HIPAA Dashboard
Description: Monitors HIPAA compliance and security metrics in real-time. Provides visibility into PHI access and potential risks to ensure data confidentiality and integrity.
Chart name: Top Assets by Risk
Query example:

graph.metadata.entity_type = "ASSET"
graph.entity.hostname in %ePHI_assets.Hostname

$Hostname = graph.entity.hostname
$Risk_Score = graph.risk_score.risk_score

match:
  $Hostname, $Risk_Score

order:
  $Risk_Score desc

Note: This query scopes assets by the Hostname column of the ePHI_assets data table (the %table.column syntax), in contrast to the PCI query above, which scopes by the PCI_Assets reference list.
