Dashboard Widgets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2023-10-31
Last date published
2024-02-28
Category
Administrator Guide
Abstract

Learn about the widgets that you can use on your Cortex XDR custom dashboards.

Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.

Widget Name

Description

Agent Content Version Breakdown

Displays the total number of registered Cortex XDR agents and the distribution of agents by content update version.

Agent Status Breakdown

Displays the total number of Cortex XDR by the agent status.

Agent Upgrade Failure Reasons

Displays the reasons for upgrade failures. Clickable links provide more details for each one.

Agent Upgrade Statuses

Displays the number of agents currently reporting each upgrade status category. Clickable links provide more details for each one.

Agent Version Breakdown

Displays the total number of registered Cortex XDR agents and the distribution of agents by agent version.

Failed Agent Upgrades over Time

Displays failed upgrade trends over time (last 24 hours, 7 days, or 30 days); agent status (connected, disconnected, connection lost, uninstalled); or agent groups scope.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Successful Agent Upgrades over Time

Displays successful upgrade trends over time (last 24 hours, 7 days, or 30 days); agent status (connected, disconnected, connection lost, uninstalled); or agent groups scope.

Widget Name

Description

Managed Assets vs Unmanaged Assets

Displays a detailed breakdown of your active managed and unmanaged assets.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 Days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Top 5 Notable Users

Displays the top 5 users with the highest User Score. Select a user to pivot to the User View.

Widget Name

Description

Custom Widget

Displays visualization (such as chart, graph, or additional visualization types) for the results of an XQL Search.

See the XQL Language Reference guide for detailed information about creating an XQL Search Query.

(Requires a Cortex XDR Host Insights Add-on)

Widget Name

Description

CVEs By Severity

Provides a summary of the total number of existing CVEs in your network according to critical, high, medium, and low severity.

Click a severity to open a filtered view of the CVEs.

Top CVEs By Affected Endpoints

Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE.

Click a CVE to open a filtered view of all affected endpoints.

Top Vulnerable Applications

Displays the most vulnerable applications with the highest number of Critical, High, and Medium severity CVEs. Cortex XDR calculates the vulnerabilities for different application versions running on different operating systems.

Click an application to open a filtered view of all existing CVEs for the selected application.

Top Vulnerable Endpoints

Displays the most vulnerable endpoints with the highest number of critical, high, and medium CVEs.

Click a host to open a filtered view of all existing CVEs for the selected host.

Vulnerabilities On All Endpoints Over Time

Displays CVEs over time across your network.

Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 Days.

Hover over the graph to view the number of existing CVEs on a specific day.

Widget Name

Description

Incidents By Assignee

Displays the top 10 users that are assigned the highest number of incidents over the last 30 days. For each assignee, the widget displays the distribution of Aged and Total Open incidents. Aged incidents are older than one week which have remained unresolved.

Select an assignee to open the incidents table filtered to display incidents that are assigned to the selected assignee.

Incidents By MITRE ATT&CK

Display a breakdown of the number of incidents involved with each MITRE ATT&CK tactic and technique over the last 30 days, 7 days, 24 hours, or custom time range according to the incidents creation time.

Select a tactic or technique to pivot to the Incidents Table filtered according to the tactic/technique and creation time.

Incidents By Status

Provides a summary of the total current number of open incidents according to status. Click a status to open a filtered view of the incidents.

Incidents by Status Duration (Last 30 Days)

Displays the average, maximum, and minimum time that incidents stayed in a given status over the last 30 days.

You can click a maximum or minimum time for a status to open the incident related to the max/min time.

Incidents Status Board

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Total number of open incidents, how many are unassigned, and how many are overdue according to the incident severity.

  • Breakdown of open incidents according to the status New and Under Investigation.

  • Breakdown of resolved incidents according to resolved reason.

For further investigation, select each of the available breakdowns to pivot to the Incident table sorted according to the incident creation time and selected breakdown.

Incidents Over Time

Displays the following information over the past 14 days:

  • Number of new incidents created per day.

  • Number of resolved incidents per day.

For further investigation, select each of the bars to pivot to the Incident table sorted according to the creation date within the selected 24 hours.

My Incidents

Displays all active incidents assigned to the logged-in user, sorted according to the creation date. You can sort the list by age, severity or score.

My Incidents Over Time

Displays the daily number of new and resolved incidents assigned to the logged-in user for the past 14 days.

My Open Incidents by Severity

Displays a breakdown of open incidents assigned to the logged-in user, grouped by severity, over the last 30 days. Click a severity level to open a list of incidents filtered by that severity level.

My MTTR

Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR. Available date filters are 24 hours, 7 days, and 30 days.

Newest Incidents

Displays the following details for the 5 most recent incidents:

  • Starred

  • Severity

  • ID

  • Score

  • Description

  • Creation time

Overdue Incidents of top 5 Assignees

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Top 5 assignees, by assignee name, with the highest number of overdue incidents.

For further investigation, select a user to pivot to the Incident table filtered according to the incident creation time and assignee.

Resolved Incidents by Assignee

Displays a breakdown of the top five users with the most resolved incidents assigned to them according to the incident creation time.

For further investigation, select an assignee to pivot to the Incidents table filtered according to the assignee and the resolved incident resolution time.

Resolved Incidents MTTR

Displays either the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses:

  • Total Mean Time to Resolve (MTTR) of all incidents, according to severity, created during the selected timeframe and the average time it took to resolve the incidents compared to the defined Target MTTR.

For further investigation, select a severity bar to pivot to the Incident table filtered according to the incident creation time and severity.

Widget Name

Description

Data Usage Breakdown

Displays a timeline of the consumption of Cortex XDR data in TB. Hover over the graph to see the amount at a specific time.

Detection By Actions

Displays the top five actions performed on alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per action over the last 24 hours, 7 days, or 30 Days

Detections By Category

Displays the top five categories of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per category over the last 24 hours, 7 days, or 30 Days

Detection By Source

Displays the top five sources of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per source over the last 24 hours, 7 days, or 30 Days

Open Incidents

Displays a timeline of aged versus open incidents, or open alerts. Aged incidents and alerts are older than one week and remain unresolved.

Refine the data in the graph from the widget menu. You can select the timeframe, detection type, and group the data by hour, day, or week.

Hover over the graph to view additional details.

Open Incidents by Assignee Over Time (Top 10)

Displays the top ten assignees with the highest number of assigned incidents over a selected timeframe.

Refine the data in the graph from the widget menu. You can select the timeframe, group the data by hour, day, or week, and select specific assignees or unassigned incidents.

Open Incidents by Severity

Displays the total open incidents over the last 30 days according to severity.

Select a severity to open a filtered view of incidents by the selected severity.

Response Action Breakdown

Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 Days.

Top Hosts

Displays the top ten hosts with the highest number of incidents in order of severity over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity.

Click a host to open a filtered view of all open incidents for the selected host.

Top Incidents

Displays the top ten current incidents with the highest number of alerts according to severity over the last 30 days, and each incident's score. Alerts are color-coded; red for high and yellow for medium.

Click a severity to open a filtered view of all open alerts for the selected incident.

Top incidents can be sorted by score.

Widget Name

Description

Ingestion Rate

Displays the rate at which Cortex XDR consumes data ingested from a specific vendor or product over the past 24 hours, 7 days, or 30 days. All ingestion rates are measured by bytes per second.

Daily Consumption

A breakdown comparing the product/vendor consumption versus your allowed daily limit over the past 24 hours, displayed in UTC.

The Daily limit is calculated according to your license: Amount of TB / 30 days

Note

If the ingestion rate has exceeded your daily limit, Cortex XDR will issue a notification through the Notification Center and email. After 3 continuous days of exceeding the ingestion rate, Cortex XDR will stop ingesting data that exceeds the daily limit.

Detailed Ingestion

Breakdown of ingestion data per vendor or product over the past 30 days.

Filter the following information for each source:

  • Product/Vendor—Name of the selected product or vendor.

  • First Seen—Timestamp of when product/vendor were first ingested.

  • Last Seen—Timestamp of when product/vendor were last ingested.

  • Last Day Ingested—Amount of data ingested over the past 30 days.

  • Current Day Ingested—Amount of data ingested over the past 24 hours.

Widget Name

Description

Free Text

Displays a text box allowing to insert free text.

Header

Displays a title containing the free text. For example, name and description of a report or dashboard, customer name, tenant ID, or date.