google/chrome-enterprise-security-events Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 7 minutes

google/chrome-enterprise-security-events Dashboards

ChromeOS Data Controls

Widget	Description	Type
Rule Trigger Types	Displays and groups a list of trigger types by vendor. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|Vendor.trigger_type=?triggertype \|rename(Vendor.trigger_type, as="Trigger Type") \|groupBy(["Trigger Type"])`	`Pie Chart`
Top Users Triggering Data Control Rules	Displays a list of top Chrome users triggering data control rules by username. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \|rename(user.name, as= "Device User") \|top("Device User", as=count)`	`Table`
User - Rules Triggered	Displays a flow chart of device users who have triggered rules. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \|Vendor.triggered_rules=?triggeredrules \|rename(user.name, as= "Device User") \|rename(Vendor.triggered_rules, as="Triggered Rule") \|sankey(source="Device User", target="Triggered Rule")`	`Sankey`
Source - Destination	Displays a flowchart of events from source to destination. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \| case{ Vendor.trigger_type="PRINTING" \| Vendor.destination := "PRINTING"; * } \| Vendor.source=?source \| Vendor.destination=?destination \|rename(Vendor.source, as="Source") \|rename(Vendor.destination, as="Destination") \|sankey(source="Source", target="Destination")`	`Sankey`
Rules Triggered	Displays a table of triggered rules and associated data (timestamp, device user, triggered rule, etc.) Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \| Vendor.triggered_rules=?triggeredrules \| Vendor.trigger_type=?triggertype \| Vendor.result=?result \|rename(user.name, as= "Device User") \|rename(Vendor.triggered_rules, as="Triggered Rule") \|rename(Vendor.trigger_type, as="Trigger Type") \|rename(Vendor.result, as="Outcome") \|table(["@timestamp", "Device User", "Triggered Rule", "Trigger Type", "Outcome"])`	`Table`
Rules Triggered Chart	Displays a chart of triggered rules via data access control events by vendor. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|Vendor.triggered_rules=?triggeredrules \|rename(Vendor.triggered_rules, as="Triggered Rule") \|groupBy(["Triggered Rule"])`	`Pie Chart`

ChromeOS Overview

Widget	Description	Type
Recent User Logons	Displays a list of Google Chrome logons including user name and device name. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_AFFILIATED_LOGIN" \|device.name=?device_name \| user.name=?device_user \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
Recent Non-Company User Logons	Displays a table of recent non-company Chrome logins with timestamp and device name. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \|event.reason="CHROMEOS_UNAFFILIATED_LOGIN" \|device.name=?device_name \|rename(device.name, as="Device Name") \|select(["@timestamp", "Device Name"])`	`Table`
Peripheral Connected	Displays a table of connected peripherals and associated data (timestamp, device name, device user, etc.) Hide Query Show Query logscale `#Vendor="google" \|Vendor.client_type="CHROME_OS_DEVICE" event.action="CHROMEOS_PERIPHERAL_ADDED" \|device.name=?device_name \| user.name=?device_user \|Vendor.event_detail=/vendor:\s(?<VendorName>.?),.product:\s(?<ProductDetail>.*?),/i \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User", "VendorName", "ProductDetail"])`	`Table`
Guest Account Logons	Displays a list of Chrome guest account logons by device. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_GUEST_SESSION_LOGIN" \|device.name=?device_name \|timeChart(function=count())`	`Single Value`
Non-Company User Logons	Displays a list of non-company user Chrome logons. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_UNAFFILIATED_LOGIN" \|device.name=?device_name \|timeChart(function=count())`	`Single Value`
Chrome Remote Desktop Usage	Displays a note regarding Google Chrome remote desktop usage.	`Note`
Host Connection Started	Displays a table of host connections started and related data (timestamp, device name, and device user). Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_CRD_HOST_STARTED" \|device.model.name=?device_name \| user.name=?device_user \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
USB Drive Usage		`Note`
User Logons	Displays the number of Chrome user logons. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_AFFILIATED_LOGIN" \| device.name=?device_name \| user.name=?device_user \|timeChart(function=count())`	`Single Value`
Client Connected	Displays a table of connected clients and associated data (timestamp, device name, device user). Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_CRD_CLIENT_CONNECTED" \|device.name=?device_name \| user.name=?device_user \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
Recent Guest Account Logons	Displays a table of recent Chrome guest account logons with timestamp and device name data. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \|event.reason="CHROMEOS_GUEST_SESSION_LOGIN" \|device.name=?device_name \|rename(device.name, as="Device Name") \|select(["@timestamp", "Device Name"])`	`Table`
Logons		`Note`

Event Information

Widget	Description	Type
Events	Displays a table of events and their associated data (timestamp, device ID, device user, client type, etc.) Hide Query Show Query logscale #Vendor="google" \|Vendor.client_type = ?client_type \|event.action = ?event \|host.os.type = ?os_platform \|event.reason = ?reason \|rename(device.id, as="Device ID") \|rename(user.name, as="Device User") \|rename(Vendor.client_type, as="Client Type") \|rename(event.action, as="Event") \|rename(Vendor.content_name, as="Content Name") \|rename(Vendor.browser_version, as="Browser Version") \|rename(host.os.type, as="OS Platform") \|rename(host.os.version, as="OS Version") \|rename(Vendor.reason, as="Reason") \|rename(Vendor.reason, as="Result") \|rename(Vendor.trigger_type, as="Trigger Type") \|rename(Vendor.agents.crowdstrike.agentId, as="CrowdStrike Agent ID") \|rename(Vendor.agents.crowdstrike.customerId, as="CrowdStrike Customer ID") \|select([@timestamp, "Device ID", "Device User", "Client Type", "Event", "Content Name", "Browser Version", "OS Platform", "OS Version", "Reason", "Result", "Trigger Type", "CrowdStrike Agent ID", "CrowdStrike Customer ID"])	`Table`
Chrome Browser Crash Events	Displays a table of Chrome browser crash events and associated data (device ID, device user, browser version, etc.) Hide Query Show Query logscale #Vendor="google" \|event.action = "browserCrashEvent" \| device.id=?device_id \| device.model.name=?device_name \| user.name=?device_user \| Vendor.browser_version=?{browser_version=} \| Vendor.browser_channel=?{browser_channel=} \|rename(device.id, as="Device ID") \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|rename(Vendor.browser_version, as="Browser Version") \|rename(Vendor.browser_channel, as="Browser Channel") \|select(["Device Name","Device ID", "Device User", "Profile User", "Browser Version", "Browser Channel"])	`Table`
Security Events by Reason Timechart	Displays a chart of severity events by reason and limits results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|event.reason=?reason \|timeChart(event.reason,limit=10)`	`Time Chart`
Security Events Timechart	Displays a chart of Google security events and limits results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|event.action=?event \|timeChart(event.action,limit=10)`	`Time Chart`

Extension Monitoring

Widget	Description	Type
Recent Block Listed Extension Installations	Displays a table of recent block listed extension installations and associated data (extension ID, extension name, device ID, device user, etc.) Hide Query Show Query logscale #Vendor="google" \|event.action="browserExtensionInstallEvent" \|match(file="chrome_extensions_blocklist.csv", field="extension_id") \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|rename(device.id, as="Device ID") \|rename(user.name, as="Device User") \|rename(host.os.type, as="OS Platform") \|select(["Extension Name", "Extension ID", "@timestamp", "Device User", "Device ID", "OS Platform"])	`Table`
Least Installed Extensions over the last 30 Days	Displays a table of a users least installed extensions over the last 30 days. Hide Query Show Query logscale `#Vendor="google" \|event.action="browserExtensionInstallEvent" \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|groupby([Vendor.extension_id, Vendor.extension_name], function=count(as=Count)) \| sort(Count, order=asc) \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|select(["Extension Name", "Extension ID", "Count"])`	`Table`
Recent Extension Intallations	Displays a list of recent Chrome browser extensions installed, organized by device ID and user profile. Hide Query Show Query logscale `#Vendor="google" \|event.action="browserExtensionInstallEvent" \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|rename(device.id, as="Device ID") \|rename(Vendor.profile_user, as="Profile User") \|select(["@timestamp", "Device ID", "Profile User", "Extension Name", "Extension ID"])`	`Table`
Note for Extension Blocklist	Extension Blocklist can be added in the Files tab with the file name chrome_extensions_blocklist.csv and column header extension_id. The query is matching the unique ID of the extension from the Chrome web store. The ID can be found in the URL of the extension in the Chrome web store. Eg: kchfmpdcejfkipopnolndinkeoipnoia for User-Agent Switcher	`Note`

Security Overview

Widget	Description	Type
Security Event Counts by OS Platform	Displays a pie chart of security event counts by OS platform. Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|groupBy(host.os.type) \|rename(host.os.type,as="OS Platform")`	`Pie Chart`
Potential Credential Leak Websites	Displays a table of URLs via Chrome that may have credential leaks, including bad navigation events or password reuse events and limits results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent)$/ \|event.reason="SOCIAL_ENGINEERING" \|url.original=?url \|rename(url.original, as="URL") \|top(["URL"],limit=10,rest=others,as="Count")`	`Table`
Unique Device IDs	Displays the number of unique device IDs. Hide Query Show Query logscale `#Vendor="google" \|device.id=?device_id \|count("device.id", distinct=true, as="Count")`	`Single Value`
Security Events by Reason	Displays a chart of Google security events by reason. Hide Query Show Query logscale `#Vendor="google" \|groupBy("event.reason")`	`Bar Chart`
Trigger Types		`Note`
Problematic Hostnames	Displays a table of problematic host names and limits results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent\|dangerousDownloadEvent)$/ \|url.original=?url \|rename(url.domain, as="Hostname") \|top(["Hostname"],limit=10,rest=others,as="Count")`	`Table`
Unique Trigger Types	Displays a list of unique trigger types by vendor. Hide Query Show Query logscale `count(Vendor.trigger_type, distinct=true)`	`Single Value`
Unique Users with Security Events	Displays a list of unique users with security events. Hide Query Show Query logscale `count(user.name, distinct=true)`	`Single Value`
Devices		`Note`
Top Security Event Results	Displays a table of the top 10 Google security events. Hide Query Show Query logscale `#Vendor="google" \|top(Vendor.result,limit=10,rest=others,as="Count") \|rename(Vendor.result,as="Result") \|select(["Result","Count"])`	`Table`
Security Events by Trigger Type	Displays a list of vendor security events by trigger type. Hide Query Show Query logscale `#Vendor="google" \|top(Vendor.trigger_type, as="Count") \|rename(Vendor.trigger_type,as="Trigger Type") \|select(["Trigger Type","Count"])`	`Table`
Users with Events	Displays a table of events by device user. Hide Query Show Query logscale `#Vendor="google" \|top(user.name, as="Count") \|rename(user.name,as="Device User")`	`Table`
Websites		`Note`
Device User to Device Mapping	Displays a flow chart of device users to devices using Google data. Hide Query Show Query logscale `#Vendor="google" \|user.name=?device_user \|device.id=?device_id \|rename(user.name, as="Device User") \|rename(device.id, as="Device ID") \|sankey(source="Device User", target="Device ID")`	`Sankey`
Device ID to Host Mapping	Displays a table of device data such as device name, device ID, Device user, etc. Hide Query Show Query logscale `#Vendor="google" \|device.id=?device_id \| device.model.name=?device_name \| user.name=?device_user \| Vendor.profile_user=?profile_user \|groupBy(["device.id", "device.model.name", "user.name", "Vendor.profile_user"]) \|rename(device.id, as="Device ID") \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|rename(Vendor.profile_user, as="Profile User") \|select(["Device Name","Device ID", "Device User", "Profile User"])`	`Table`
Security Events by Event Type	Displays a table of the top 10 Google security events by event type. Hide Query Show Query logscale `#Vendor="google" \|event.action=?{event=*} \|top(event.action,limit=10,rest=others,as="Count") \|rename(event.action, as="Event Type") \|select(["Event Type","Count"])`	`Table`
Security Events by Chrome User	Displays a list of security events by Chrome user profile and limits the results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|Vendor.profile_user!="" \|Vendor.profile_user=?profile_user \|top(Vendor.profile_user,limit=10,rest=others,as="Count") \|rename(Vendor.profile_user,as="Profile User") \|select(["Profile User", "Count"])`	`Table`
Unique OSs with Security Events	Displays unique OSs with security events. Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|count(host.os.type, distinct=true, as="OS Platform")`	`Single Value`
Events by Chrome Browser Version	Displays a pie chart of Google Chrome browser versions. Hide Query Show Query logscale `#Vendor="google" \|groupBy(Vendor.browser_version)`	`Pie Chart`
User Events and Browser Summary		`Note`
Top OS Platforms with Security Events	Displays a table of the top 10 OS platforms with security events. Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|top(host.os.type,limit=10,rest=others,as="Count") \|rename(host.os.type,as="OS Platform") \|select(["OS Platform","Count"])`	`Table`
Potential Malware Websites	Displays a table of potential malware websites by URL and limits results to the first 10 entries. Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent\|dangerousDownloadEvent)$/ \|event.reason="MALWARE" \|url.original=?url \|rename(url.original, as="URL") \|top(["URL"],limit=10,rest=others,as="Count")`	`Table`
Top Device Users with Events	Displays a table of the top 10 device users and their events. Hide Query Show Query logscale `#Vendor="google" \|user.name=?device_user \|top(user.name,limit=10,rest=others,as="Count") \|rename(user.name,as="Device User") \|select(["Device User","Count"])`	`Table`
Operating System		`Note`

Enter search term