Dashboard Widgets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Learn about the widgets that you can use on your Cortex XDR custom dashboards.

Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.

Widget Name

Description

Agent Content Version Breakdown

Displays the total number of registered Cortex XDR agents and the distribution of agents by content update version.

Agent Status Breakdown

Displays the total number of Cortex XDR by the agent status.

Agent Upgrade Failure Reasons

Displays the reasons for upgrade failures. Clickable links provide more details for each one.

Agent Upgrade Statuses

Displays the number of agents currently reporting each upgrade status category. Clickable links provide more details for each one.

Agent Version Breakdown

Displays the total number of registered Cortex XDR agents and the distribution of agents by agent version.

Failed Agent Upgrades over Time

Displays failed upgrade trends over time (last 24 hours, 7 days, or 30 days); agent status (connected, disconnected, connection lost, uninstalled); or agent groups scope.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Successful Agent Upgrades over Time

Displays successful upgrade trends over time (last 24 hours, 7 days, or 30 days); agent status (connected, disconnected, connection lost, uninstalled); or agent groups scope.

Widget Name

Description

Managed Assets vs Unmanaged Assets

Displays a detailed breakdown of your active managed and unmanaged assets.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 Days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Top 5 Notable Users

Displays the top 5 users with the highest User Score. Select a user to pivot to the User View.

Widget Name

Description

Accounts by Cloud Provider

Displays the number of accounts held in each cloud provider. Refreshes every two hours.

Assets by Cloud Provider

Displays the number of assets stored in each cloud provider. Refreshes every two hours.

Assets by Geo Region

Displays a breakdown of assets in each geographic region. Refreshes every two hours.

Assets by Region

Displays a breakdown of assets in each region. Refreshes every two hours.

Assets by Responsive Port Number

Displays the number of exposed cloud assets by port number. Refreshes every two hours.

Assets by Sub-Type

Displays a breakdown of cloud assets by sub-type. Refreshes every two hours.

Assets by Type

Displays a breakdown of cloud assets by type. Refreshes every two hours.

Compute Instances Over Time

Displays the number of times a virtual machine instance is used over time.

Select the time scope in the upper right to view the number of Compute Instances over the last 24 hours, 7 days, or 30 days.

Responsive Assets Over Time

Displays the number of exposed cloud assets over time.

Select the time scope in the upper right to view the number of exposed cloud assets over the last 24 hours, 7 days, or 30 days.

Widget Name

Description

Custom Widget

Displays visualization (such as chart, graph, or additional visualization types) for the results of an XQL Search.

See the XQL Language Reference guide for detailed information about creating an XQL Search Query.

(Requires a Cortex XDR Host Insights Add-on)

Widget Name

Description

CVEs By Severity

Provides a summary of the total number of existing CVEs in your network according to critical, high, medium, and low severity.

Click a severity to open a filtered view of the CVEs.

Top CVEs By Affected Endpoints

Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE.

Click a CVE to open a filtered view of all affected endpoints.

Top Vulnerable Applications

Displays the most vulnerable applications with the highest number of Critical, High, and Medium severity CVEs. Cortex XDR calculates the vulnerabilities for different application versions running on different operating systems.

Click an application to open a filtered view of all existing CVEs for the selected application.

Top Vulnerable Endpoints

Displays the most vulnerable endpoints with the highest number of critical, high, and medium CVEs.

Click a host to open a filtered view of all existing CVEs for the selected host.

Vulnerabilities On All Endpoints Over Time

Displays CVEs over time across your network.

Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 Days.

Hover over the graph to view the number of existing CVEs on a specific day.

Widget Name

Description

Incidents By Assignee

Displays the top 10 users that are assigned the highest number of incidents over the last 30 days. For each assignee, the widget displays the distribution of Aged and Total Open incidents. Aged incidents are older than one week which have remained unresolved.

Select an assignee to open the incidents table filtered to display incidents that are assigned to the selected assignee.

Incidents By MITRE ATT&CK

Display a breakdown of the number of incidents involved with each MITRE ATT&CK tactic and technique over the last 30 days, 7 days, 24 hours, or custom time range according to the incidents creation time.

Select a tactic or technique to pivot to the Incidents Table filtered according to the tactic/technique and creation time.

Incidents By Status

Provides a summary of the total current number of open incidents according to status. Click a status to open a filtered view of the incidents.

Incidents by Status Duration (Last 30 Days)

Displays the average, maximum, and minimum time that incidents stayed in a given status over the last 30 days.

You can click a maximum or minimum time for a status to open the incident related to the max/min time.

Incidents Status Board

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Total number of open incidents, how many are unassigned, and how many are overdue according to the incident severity.

  • Breakdown of open incidents according to the status New and Under Investigation.

  • Breakdown of resolved incidents according to resolved reason.

For further investigation, select each of the available breakdowns to pivot to the Incident table sorted according to the incident creation time and selected breakdown.

Incidents Over Time

Displays the following information over the past 14 days:

  • Number of new incidents created per day.

  • Number of resolved incidents per day.

For further investigation, select each of the bars to pivot to the Incident table sorted according to the creation date within the selected 24 hours.

My Incidents

Displays all active incidents assigned to the logged-in user, sorted according to the creation date. You can sort the list by age, severity or score.

My Incidents Over Time

Displays the daily number of new and resolved incidents assigned to the logged-in user for the past 14 days.

My Open Incidents by Severity

Displays a breakdown of open incidents assigned to the logged-in user, grouped by severity, over the last 30 days. Click a severity level to open a list of incidents filtered by that severity level.

My MTTR

Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR. Available date filters are 24 hours, 7 days, and 30 days.

Newest Incidents

Displays the following details for the 5 most recent incidents:

  • Starred

  • Severity

  • ID

  • Score

  • Description

  • Creation time

Overdue Incidents of top 5 Assignees

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Top 5 assignees, by assignee name, with the highest number of overdue incidents.

For further investigation, select a user to pivot to the Incident table filtered according to the incident creation time and assignee.

Resolved Incidents by Assignee

Displays a breakdown of the top five users with the most resolved incidents assigned to them according to the incident creation time.

For further investigation, select an assignee to pivot to the Incidents table filtered according to the assignee and the resolved incident resolution time.

Resolved Incidents MTTR

Displays either the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses:

  • Total Mean Time to Resolve (MTTR) of all incidents, according to severity, created during the selected time frame and the average time it took to resolve the incidents compared to the defined Target MTTR.

For further investigation, select a severity bar to pivot to the Incident table filtered according to the incident creation time and severity.

Widget Name

Description

Data Usage Breakdown

Displays a timeline of the consumption of Cortex XDR data in TB. Hover over the graph to see the amount at a specific time.

Detection By Actions

Displays the top five actions performed on alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per action over the last 24 hours, 7 days, or 30 Days

Detections By Category

Displays the top five categories of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per category over the last 24 hours, 7 days, or 30 Days

Detection By Source

Displays the top five sources of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select to view the number of alert/incidents per source over the last 24 hours, 7 days, or 30 Days

Open Incidents

Displays a timeline of aged versus open incidents, or open alerts. Aged incidents and alerts are older than one week and remain unresolved.

Refine the data in the graph from the widget menu. You can select the time frame, detection type, and group the data by hour, day, or week.

Hover over the graph to view additional details.

Open Incidents by Assignee Over Time (Top 10)

Displays the top ten assignees with the highest number of assigned incidents over a selected time frame.

Refine the data in the graph from the widget menu. You can select the time frame, group the data by hour, day, or week, and select specific assignees or unassigned incidents.

Open Incidents by Severity

Displays the total open incidents over the last 30 days according to severity.

Select a severity to open a filtered view of incidents by the selected severity.

Response Action Breakdown

Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 Days.

Top Hosts (Top 10)

Displays the top ten hosts with the highest number of incidents in order of severity over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity.

Click a host to open a filtered view of all open incidents for the selected host.

Top Incidents (Top 10)

Displays the top ten current incidents with the highest number of alerts according to severity over the last 30 days, and each incident's score. Alerts are color-coded; red for high and yellow for medium.

Click a severity to open a filtered view of all open alerts for the selected incident.

Top incidents can be sorted by score.

Widget Name

Description

Hosts

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of hosts associated with identity threats tagged by Identity Analytics or the Identity Threat module.

Identity Alerts and Insights

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of anomalies associated with identity threats tagged by Identity Analytics or the Identity Threat module. To see the list of alerts and insights, click the number.

Score Trend Timeline

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the organizational risk score trend over time. The organizational risk score is calculated using the score and the number of users whose risk score is greater than 0. Each bubble indicates the number of alerts and incidents created per day. Bigger bubbles represent more alerts and incidents, and a possible risk.

Top 5 Hosts at Risk

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the hosts that are most vulnerable to potential security threats.

Top 5 Users at Risk

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the users that are most vulnerable to potential security threats.

Top 10 Incidents

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the top 10 identity related incidents ordered by score.

Users

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of users associated with identity threats tagged by Identity Analytics or the Identity Threat module.

Watchlist

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the users who are most vulnerable to potential security threats.

Widget Name

Description

Actions

Pie chart displaying the number of network traffic actions that occurred over the last 24 hours. For example; block-url, drop-packet, and alert.

Daily DNS Queries

Line graph displaying the number of DNS queries executed over the last 24 hours.

Daily Threats

Area graph displaying the number of threats detected over that last 24 hours.

DNS Response Codes

Pie chard displaying the number of DNS response codes over the last 24 hours. For example; Server Failure, Not Implemented, and No Error.

From Zone

Bar graph displaying the amount of traffic over the last 24 hours from each type of network zone. For example; lan-tap, TAP, and internet.

GB Sent and Received

Line graph displaying the GB sent and received over the last 24 hours.

Geo Locations

World map displaying the amount of network traffic according to geographical area.

HTTP Content Type

Pie chart displaying the amount of a HTTP content type running over the network over the last 24 hours. For example; text/xml and application/ocsp-request.

HTTP Method

Pie chart displaying the how many HTTP method types were running over the network over the last 24 hours. For example; PCHE, CPID, and UHDJ.

HTTP Response Codes

Pie chart displaying the how many HTTP response codes were returned over the network over the last 24 hours. For example; 200, 404, and 301.

HTTP User Agent

Bar chart displaying how many HTTP user agent types were used over the last 24 hours. For example; curl and Go-http-client.

Recent Threats

Table displaying Cortex XDR collected data of the threats detected over the last 24 hours. For example; Source IP, Severity, and ID of the threat.

Transport Protocols

Pie chart displaying the amount of transport protocol types used over the last 24 hours. For example; TCP, UDP, and ICMP.

Threat Category

Pie chart displaying the number of threat category types detected over the last 24 hours. For example; dns-ddns, spyware, and brute-force.

Threat Severity

Pie chart displaying the total number and breakdown of threat severity types detected over the last 24 hours. For example; Informational, Medium, and Critical.

Threat Sources

Pie chart displaying the number of IP addresses from which the threats were detected over the last 24 hours. For example; dns-ddns, spyware, and brute-force.

Top App-IDs

Pie chart displaying the number of App-IDs that accessed the network over the last 24 hours

Top Geo Locations

Pie chart displaying the number of network accesses from specific Geo locations.

To Zone

Bar graph displaying the amount of traffic over the last 24 hours to each type of network zone. For example; lan-tap, TAP, and internet.

URL Categories

Word Cloud graph displaying type of URLs that accessed the network over the last 24 hours.

URL Risk

Pie chart displaying the number of unknown URLs over the last 24 hours.

Zones

Bar graph displaying the amount of traffic over the last 24 hours of each type of network zone. For example; lan-tap, TAP, and internet.

Widget Name

Description

Ingestion Rate

Displays the rate at which Cortex XDR consumes data ingested from a specific vendor or product over the past 24 hours, 7 days, or 30 days. All ingestion rates are measured by bytes per second.

Daily Consumption

A breakdown comparing the product/vendor consumption versus your allowed daily limit over the past 24 hours, displayed in UTC.

The Daily limit is calculated according to your license: Amount of TB / 30 days

Note

If the ingestion rate has exceeded your daily limit, Cortex XDR will issue a notification through the Notification Center and email. After 3 continuous days of exceeding the ingestion rate, Cortex XDR will stop ingesting data that exceeds the daily limit.

Detailed Ingestion

Breakdown of ingestion data per vendor or product over the past 30 days.

Filter the following information for each source:

  • Product/Vendor—Name of the selected product or vendor.

  • First Seen—Timestamp of when product/vendor were first ingested.

  • Last Seen—Timestamp of when product/vendor were last ingested.

  • Last Day Ingested—Amount of data ingested over the past 30 days.

  • Current Day Ingested—Amount of data ingested over the past 24 hours.

Widget Name

Description

Free Text

Displays a text box allowing to insert free text.

Header

Displays a title containing the free text. For example, name and description of a report or dashboard, customer name, tenant ID, or date.

Widget Name

Description

XQL Query

Displays visualization (such as chart, graph, or additional visualization types) for the results of an query over the past 24 hours, 7 days, or 30 days. By default, the query runs every 24 hours . Update Now to rerun the query immediately.XQL Search

See the XQL Language Reference guide for detailed information about creating an XQL query.