Example of using Google Data Studio to build LimaCharlie dashboards.
The idea behind this garage project is to create beautiful dashboards and/or nice widgets that can be embedded into customers' websites or SOC content management systems.
An example of how the code can be embedded can be found here, together with a minimalistic web page template.
This approach also gives you granular control over which users are authorised to access the dashboard, and lets you schedule periodic reports that land automatically in users' mailboxes.
With a bit more (slightly more advanced) coding, it is also possible to create alerts based on Google BigQuery.
We leverage LimaCharlie webhook outputs, Google Cloud (Cloud Functions, Cloud Logging and BigQuery) and Google Data Studio.
If you are not familiar with Google Cloud Functions, I created a basic one here. Once authenticated in Google Cloud Platform, create a new Node.js Cloud Function following that example.
STEP 1 ► Create a new Google Cloud project
STEP 2 ► Create a new Google Cloud function
You can use the small piece of Node.js code shared in the repo mentioned above:
With the cloud function deployed you are ready to go to the next step:
STEP 3 ► Now that you have a Cloud Function set, open the TRIGGER tab, which shows you the Trigger URL:
This is the URL to pass to app.limacharlie.io as the destination of a new Output:
STEP 4 ► Create a new LimaCharlie Output:
- Add Output → choose Detection as the Output Stream
- choose Webhook as the Output Destination
- in the field Output Destination, paste the Trigger URL of your Google Cloud Function:
For this experiment I enabled the following options:
- Wrap JSON Event with Event Type
- Flatten JSON to a single level
As soon as you save the new output, every detection that fires in the related LimaCharlie org will trigger the Google Cloud Function. Keep in mind that if the function allows unauthenticated invocations (which it must, since LimaCharlie calls it without a Google identity), anyone who learns the Trigger URL can POST arbitrary records into your pipeline: treat the URL as a secret and validate the payload in the function.
You can test the output by looking at the Output Samples directly in the web UI:
IMPORTANT: Now check that your detection data is landing in Google Cloud Logging. Open the Logs Explorer under Operations → Logging and query it with the Logging query language (free-text terms or field filters; it is not SQL).
A basic query from the Logs Explorer can be the term "author",
or whatever terms you expect to find in your Detections Output (in this example we hunt for "powershell" activity):
If events are not flowing, do not proceed to the next steps until they do.
STEP 5 ► Create a Sink:
Navigate to Logs Router and click CREATE SINK:
The sink creation wizard is intuitive, but make sure to choose the following configuration across its steps:
Step | Field | Option |
---|---|---|
Sink destination | Select sink service | BigQuery dataset |
Sink destination | Select BigQuery dataset | Create a new BigQuery dataset |
Choose logs to include in sink | Build inclusion filter | The Logging query you validated in the Logs Explorer |
Once the sink is created, every new log entry that matches the inclusion filter is written to the new BigQuery dataset automatically. Note that sinks only route entries logged after they are created; earlier detections are not backfilled:
CONGRATULATIONS: LimaCharlie is now connected to BigQuery!
You can now leverage the full power of BigQuery on your LimaCharlie detections:
HINT: To test the environment, you can simulate attacks with LimaCharlie leveraging our Atomic Red Team integration (https://www.youtube.com/watch?v=oL6D30IeZ7c):
STEP 6 ► Create a new Data Studio project:
Now that we have our BigQuery dataset and table as part of our Google Cloud project, we can easily connect it to Google Data Studio as the data source that "gives life" to the components of our dashboards and reports:
When the Connect to data window appears, select the BigQuery option and follow the swim-lane (Project → Dataset → Table → Configuration) until you reach the desired data source.
The option Use timestamp as a date range dimension is recommended but not mandatory:
We can create a new report, insert the desired components in our preferred layout and then, with the focus on the element we want to connect to our data, add a new data source to it:
Add your favourite search criteria control:
Finally select ADD; from then on the component in your dashboard shows the data with the options and style you want to apply!
Schedule report delivery via email, or simply manage access to the dashboard link:
STEP 7 ► Have fun!