google/chrome-enterprise-security-events Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

google/chrome-enterprise-security-events Dashboards

ChromeOS Data Controls

Widget	Description	Type
Rule Trigger Types	Displays and groups a list of trigger types by vendor. Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|Vendor.trigger_type=?triggertype \|rename(Vendor.trigger_type, as="Trigger Type") \|groupBy(["Trigger Type"])`	`Pie Chart`
Top Users Triggering Data Control Rules	Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \|rename(user.name, as= "Device User") \|top("Device User", as=count)`	`Table`
User - Rules Triggered	Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \|Vendor.triggered_rules=?triggeredrules \|rename(user.name, as= "Device User") \|rename(Vendor.triggered_rules, as="Triggered Rule") \|sankey(source="Device User", target="Triggered Rule")`	`Sankey`
Source - Destination	Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \| case{ Vendor.trigger_type="PRINTING" \| Vendor.destination := "PRINTING"; * } \| Vendor.source=?source \| Vendor.destination=?destination \|rename(Vendor.source, as="Source") \|rename(Vendor.destination, as="Destination") \|sankey(source="Source", target="Destination")`	`Sankey`
Rules Triggered	Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|user.name=?deviceuser \| Vendor.triggered_rules=?triggeredrules \| Vendor.trigger_type=?triggertype \| Vendor.result=?result \|rename(user.name, as= "Device User") \|rename(Vendor.triggered_rules, as="Triggered Rule") \|rename(Vendor.trigger_type, as="Trigger Type") \|rename(Vendor.result, as="Outcome") \|table(["@timestamp", "Device User", "Triggered Rule", "Trigger Type", "Outcome"])`	`Table`
Rules Triggered Chart	Hide Query Show Query logscale `#Vendor="google" \|event.action = "dataAccessControlEvent" \|Vendor.triggered_rules=?triggeredrules \|rename(Vendor.triggered_rules, as="Triggered Rule") \|groupBy(["Triggered Rule"])`	`Pie Chart`

ChromeOS Overview

Widget	Description	Type
Recent User Logons	Displays a list of Google Chrome logons including user name and device name. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_AFFILIATED_LOGIN" \|device.name=?device_name \| user.name=?device_user \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
Recent Non-Company User Logons	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \|event.reason="CHROMEOS_UNAFFILIATED_LOGIN" \|device.name=?device_name \|rename(device.name, as="Device Name") \|select(["@timestamp", "Device Name"])`	`Table`
Peripheral Connected	Hide Query Show Query logscale `#Vendor="google" \|Vendor.client_type="CHROME_OS_DEVICE" event.action="CHROMEOS_PERIPHERAL_ADDED" \|device.name=?device_name \| user.name=?device_user \|Vendor.event_detail=/vendor:\s(?<VendorName>.?),.product:\s(?<ProductDetail>.*?),/i \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User", "VendorName", "ProductDetail"])`	`Table`
Guest Account Logons	Displays a list of Chrome guest account logons by device. Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_GUEST_SESSION_LOGIN" \|device.name=?device_name \|timeChart(function=count())`	`Single Value`
Non-Company User Logons	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_UNAFFILIATED_LOGIN" \|device.name=?device_name \|timeChart(function=count())`	`Single Value`
Chrome Remote Desktop Usage		`Note`
Host Connection Started	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_CRD_HOST_STARTED" \|device.model.name=?device_name \| user.name=?device_user \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
USB Drive Usage		`Note`
User Logons	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \| event.reason="CHROMEOS_AFFILIATED_LOGIN" \| device.name=?device_name \| user.name=?device_user \|timeChart(function=count())`	`Single Value`
Client Connected	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_CRD_CLIENT_CONNECTED" \|device.name=?device_name \| user.name=?device_user \|rename(device.name, as="Device Name") \|rename(user.name, as="Device User") \|select(["@timestamp", "Device Name", "Device User"])`	`Table`
Recent Guest Account Logons	Hide Query Show Query logscale `#Vendor="google" \|event.action="CHROME_OS_LOGIN_EVENT" \|event.reason="CHROMEOS_GUEST_SESSION_LOGIN" \|device.name=?device_name \|rename(device.name, as="Device Name") \|select(["@timestamp", "Device Name"])`	`Table`
Logons		`Note`

Event Information

Widget	Description	Type
Events	Hide Query Show Query logscale #Vendor="google" \|Vendor.client_type = ?client_type \|event.action = ?event \|host.os.type = ?os_platform \|event.reason = ?reason \|rename(device.id, as="Device ID") \|rename(user.name, as="Device User") \|rename(Vendor.client_type, as="Client Type") \|rename(event.action, as="Event") \|rename(Vendor.content_name, as="Content Name") \|rename(Vendor.browser_version, as="Browser Version") \|rename(host.os.type, as="OS Platform") \|rename(host.os.version, as="OS Version") \|rename(Vendor.reason, as="Reason") \|rename(Vendor.reason, as="Result") \|rename(Vendor.trigger_type, as="Trigger Type") \|rename(Vendor.agents.crowdstrike.agentId, as="CrowdStrike Agent ID") \|rename(Vendor.agents.crowdstrike.customerId, as="CrowdStrike Customer ID") \|select([@timestamp, "Device ID", "Device User", "Client Type", "Event", "Content Name", "Browser Version", "OS Platform", "OS Version", "Reason", "Result", "Trigger Type", "CrowdStrike Agent ID", "CrowdStrike Customer ID"])	`Table`
Chrome Browser Crash Events	Hide Query Show Query logscale #Vendor="google" \|event.action = "browserCrashEvent" \| device.id=?device_id \| device.model.name=?device_name \| user.name=?device_user \| Vendor.browser_version=?{browser_version=} \| Vendor.browser_channel=?{browser_channel=} \|rename(device.id, as="Device ID") \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|rename(Vendor.browser_version, as="Browser Version") \|rename(Vendor.browser_channel, as="Browser Channel") \|select(["Device Name","Device ID", "Device User", "Profile User", "Browser Version", "Browser Channel"])	`Table`
Security Events by Reason Timechart	Hide Query Show Query logscale `#Vendor="google" \|event.reason=?reason \|timeChart(event.reason,limit=10)`	`Time Chart`
Security Events Timechart	Hide Query Show Query logscale `#Vendor="google" \|event.action=?event \|timeChart(event.action,limit=10)`	`Time Chart`

Extension Monitoring

Widget	Description	Type
Recent Blocklisted Extension Installations	Hide Query Show Query logscale #Vendor="google" \|event.action="browserExtensionInstallEvent" \|match(file="chrome_extensions_blocklist.csv", field="extension_id") \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|rename(device.id, as="Device ID") \|rename(user.name, as="Device User") \|rename(host.os.type, as="OS Platform") \|select(["Extension Name", "Extension ID", "@timestamp", "Device User", "Device ID", "OS Platform"])	`Table`
Least Installed Extensions over the last 30 Days	Hide Query Show Query logscale `#Vendor="google" \|event.action="browserExtensionInstallEvent" \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|groupby([Vendor.extension_id, Vendor.extension_name], function=count(as=Count)) \| sort(Count, order=asc) \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|select(["Extension Name", "Extension ID", "Count"])`	`Table`
Recent Extension Intallations	Hide Query Show Query logscale `#Vendor="google" \|event.action="browserExtensionInstallEvent" \|Vendor.extension_id=?extension_id \|Vendor.extension_name=?extension_name \|rename(Vendor.extension_id, as="Extension ID") \|rename(Vendor.extension_name, as="Extension Name") \|rename(device.id, as="Device ID") \|rename(Vendor.profile_user, as="Profile User") \|select(["@timestamp", "Device ID", "Profile User", "Extension Name", "Extension ID"])`	`Table`
Note for Extension Blocklist	Extension Blocklist can be added in the Files tab with the file name chrome_extensions_blocklist.csv and column header extension_id. The query is matching the unique ID of the extension from the Chrome web store. The ID can be found in the URL of the extension in the Chrome web store. Eg: kchfmpdcejfkipopnolndinkeoipnoia for User-Agent Switcher	`Note`

Security Overview

Widget	Description	Type
Security Event Counts by OS Platform	Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|groupBy(host.os.type) \|rename(host.os.type,as="OS Platform")`	`Pie Chart`
Potential Credential Leak Websites	Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent)$/ \|event.reason="SOCIAL_ENGINEERING" \|url.original=?url \|rename(url.original, as="URL") \|top(["URL"],limit=10,rest=others,as="Count")`	`Table`
Unique Device IDs	Hide Query Show Query logscale `#Vendor="google" \|device.id=?device_id \|count("device.id", distinct=true, as="Count")`	`Single Value`
Security Events by Reason	Hide Query Show Query logscale `#Vendor="google" \|groupBy("event.reason")`	`Bar Chart`
Trigger Types		`Note`
Problematic Hostnames	Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent\|dangerousDownloadEvent)$/ \|url.original=?url \|rename(url.domain, as="Hostname") \|top(["Hostname"],limit=10,rest=others,as="Count")`	`Table`
Unique Trigger Types	Hide Query Show Query logscale `count(Vendor.trigger_type, distinct=true)`	`Single Value`
Unique Users with Security Events	Hide Query Show Query logscale `count(user.name, distinct=true)`	`Single Value`
Devices		`Note`
Top Security Event Results	Hide Query Show Query logscale `#Vendor="google" \|top(Vendor.result,limit=10,rest=others,as="Count") \|rename(Vendor.result,as="Result") \|select(["Result","Count"])`	`Table`
Security Events by Trigger Type	Displays a list of vendor security events by trigger type. Hide Query Show Query logscale `#Vendor="google" \|top(Vendor.trigger_type, as="Count") \|rename(Vendor.trigger_type,as="Trigger Type") \|select(["Trigger Type","Count"])`	`Table`
Users with Events	Hide Query Show Query logscale `#Vendor="google" \|top(user.name, as="Count") \|rename(user.name,as="Device User")`	`Table`
Websites		`Note`
Device User to Device Mapping	Hide Query Show Query logscale `#Vendor="google" \|user.name=?device_user \|device.id=?device_id \|rename(user.name, as="Device User") \|rename(device.id, as="Device ID") \|sankey(source="Device User", target="Device ID")`	`Sankey`
Device ID to Host Mapping	Hide Query Show Query logscale `#Vendor="google" \|device.id=?device_id \| device.model.name=?device_name \| user.name=?device_user \| Vendor.profile_user=?profile_user \|groupBy(["device.id", "device.model.name", "user.name", "Vendor.profile_user"]) \|rename(device.id, as="Device ID") \|rename(device.model.name, as="Device Name") \|rename(user.name, as="Device User") \|rename(Vendor.profile_user, as="Profile User") \|select(["Device Name","Device ID", "Device User", "Profile User"])`	`Table`
Security Events by Event Type	Hide Query Show Query logscale `#Vendor="google" \|event.action=?{event=*} \|top(event.action,limit=10,rest=others,as="Count") \|rename(event.action, as="Event Type") \|select(["Event Type","Count"])`	`Table`
Security Events by Chrome User	Hide Query Show Query logscale `#Vendor="google" \|Vendor.profile_user!="" \|Vendor.profile_user=?profile_user \|top(Vendor.profile_user,limit=10,rest=others,as="Count") \|rename(Vendor.profile_user,as="Profile User") \|select(["Profile User", "Count"])`	`Table`
Unique OSs with Security Events	Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|count(host.os.type, distinct=true, as="OS Platform")`	`Single Value`
Events by Chrome Browser Version	Hide Query Show Query logscale `#Vendor="google" \|groupBy(Vendor.browser_version)`	`Pie Chart`
User Events and Browser Summary		`Note`
Top OS Platforms with Security Events	Hide Query Show Query logscale `#Vendor="google" \|host.os.type=?os_platform \|top(host.os.type,limit=10,rest=others,as="Count") \|rename(host.os.type,as="OS Platform") \|select(["OS Platform","Count"])`	`Table`
Potential Malware Websites	Hide Query Show Query logscale `#Vendor="google" \|event.action=/^(badNavigationEvent\|passwordReuseEvent\|dangerousDownloadEvent)$/ \|event.reason="MALWARE" \|url.original=?url \|rename(url.original, as="URL") \|top(["URL"],limit=10,rest=others,as="Count")`	`Table`
Top Device Users with Events	Hide Query Show Query logscale `#Vendor="google" \|user.name=?device_user \|top(user.name,limit=10,rest=others,as="Count") \|rename(user.name,as="Device User") \|select(["Device User","Count"])`	`Table`
Operating System		`Note`

Enter search term