Learn about the widgets that you can use on your Cortex XDR custom dashboards.
Cortex XDR provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.

Widget Name | Description |
---|---|
Agent Content Version Breakdown | Displays the total number of registered Cortex XDR agents and the distribution of agents by content update version. |
Agent Status Breakdown | Displays the total number of Cortex XDR agents, broken down by agent status. |
Agent Upgrade Failure Reasons | Displays the reasons for upgrade failures. Clickable links provide more details for each one. |
Agent Upgrade Statuses | Displays the number of agents currently reporting each upgrade status category. Clickable links provide more details for each one. |
Agent Version Breakdown | Displays the total number of registered Cortex XDR agents and the distribution of agents by agent version. |
Failed Agent Upgrades over Time | Displays failed upgrade trends over time (last 24 hours, 7 days, or 30 days), by agent status (connected, disconnected, connection lost, uninstalled), or by agent group scope. |
Number of Installed Agents | Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days. |
Operating System Type Distribution | Displays the total number of registered agents and their distribution according to operating system. |
Successful Agent Upgrades over Time | Displays successful upgrade trends over time (last 24 hours, 7 days, or 30 days), by agent status (connected, disconnected, connection lost, uninstalled), or by agent group scope. |

Widget Name | Description |
---|---|
Managed Assets vs Unmanaged Assets | Displays a detailed breakdown of your active managed and unmanaged assets. |
Number of Installed Agents | Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days. |
Operating System Type Distribution | Displays the total number of registered agents and their distribution according to operating system. |
Top 5 Notable Users | Displays the top 5 users with the highest User Score. Select a user to pivot to the User View. |

Widget Name | Description |
---|---|
Accounts by Cloud Provider | Displays the number of accounts held in each cloud provider. Refreshes every two hours. |
Assets by Cloud Provider | Displays the number of assets stored in each cloud provider. Refreshes every two hours. |
Assets by Geo Region | Displays a breakdown of assets in each geographic region. Refreshes every two hours. |
Assets by Region | Displays a breakdown of assets in each region. Refreshes every two hours. |
Assets by Responsive Port Number | Displays the number of exposed cloud assets by port number. Refreshes every two hours. |
Assets by Sub-Type | Displays a breakdown of cloud assets by sub-type. Refreshes every two hours. |
Assets by Type | Displays a breakdown of cloud assets by type. Refreshes every two hours. |
Compute Instances Over Time | Displays the number of times a virtual machine instance is used over time. Select the time scope in the upper right to view the number of Compute Instances over the last 24 hours, 7 days, or 30 days. |
Responsive Assets Over Time | Displays the number of exposed cloud assets over time. Select the time scope in the upper right to view the number of exposed cloud assets over the last 24 hours, 7 days, or 30 days. |

Widget Name | Description |
---|---|
Custom Widget | Displays a visualization (such as a chart, graph, or other visualization type) for the results of an XQL Search. See the XQL Language Reference guide for detailed information about creating an XQL Search query. |

(Requires a Cortex XDR Host Insights Add-on)


Widget Name | Description |
---|---|
CVEs By Severity | Provides a summary of the total number of existing CVEs in your network according to critical, high, medium, and low severity. Click a severity to open a filtered view of the CVEs. |
Top CVEs By Affected Endpoints | Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE. Click a CVE to open a filtered view of all affected endpoints. |
Top Vulnerable Applications | Displays the most vulnerable applications, that is, those with the highest number of Critical, High, and Medium severity CVEs. Cortex XDR calculates the vulnerabilities separately for different application versions running on different operating systems. Click an application to open a filtered view of all existing CVEs for the selected application. |
Top Vulnerable Endpoints | Displays the most vulnerable endpoints, that is, those with the highest number of critical, high, and medium CVEs. Click a host to open a filtered view of all existing CVEs for the selected host. |
Vulnerabilities On All Endpoints Over Time | Displays CVEs over time across your network. Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 days. Hover over the graph to view the number of existing CVEs on a specific day. |

Widget Name | Description |
---|---|
Incidents By Assignee | Displays the top 10 users assigned the highest number of incidents over the last 30 days. For each assignee, the widget displays the distribution of Aged and Total Open incidents. Aged incidents are incidents older than one week that remain unresolved. Select an assignee to open the incidents table filtered to the incidents assigned to that assignee. |
Incidents By MITRE ATT&CK | Displays a breakdown of the number of incidents involving each MITRE ATT&CK tactic and technique over the last 30 days, 7 days, 24 hours, or a custom time range, according to incident creation time. Select a tactic or technique to pivot to the Incidents table filtered by that tactic/technique and creation time. |
Incidents By Status | Provides a summary of the total current number of open incidents according to status. Click a status to open a filtered view of the incidents. |
Incidents by Status Duration (Last 30 Days) | Displays the average, maximum, and minimum time that incidents stayed in a given status over the last 30 days. Click the maximum or minimum time for a status to open the incident that produced that maximum or minimum. |
Incidents Status Board | Displays the last 30 days, 7 days, or 24 hours of the following information according to incident creation time: For further investigation, select each of the available breakdowns to pivot to the Incidents table sorted according to incident creation time and the selected breakdown. |
Incidents Over Time | Displays the following information over the past 14 days: For further investigation, select each of the bars to pivot to the Incidents table sorted according to creation date within the selected 24 hours. |
My Incidents | Displays all active incidents assigned to the logged-in user, sorted by creation date. You can also sort the list by age, severity, or score. |
My Incidents Over Time | Displays the daily number of new and resolved incidents assigned to the logged-in user for the past 14 days. |
My Open Incidents by Severity | Displays a breakdown of open incidents assigned to the logged-in user, grouped by severity, over the last 30 days. Click a severity level to open a list of incidents filtered by that severity level. |
My MTTR | Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR. Available date filters are 24 hours, 7 days, and 30 days. |
Newest Incidents | Displays the following details for the 5 most recent incidents: |
Overdue Incidents of top 5 Assignees | Displays the last 30 days, 7 days, or 24 hours of the following information according to incident creation time: For further investigation, select a user to pivot to the Incidents table filtered by incident creation time and assignee. |
Resolved Incidents by Assignee | Displays a breakdown of the top five users with the most resolved incidents assigned to them, according to incident creation time. For further investigation, select an assignee to pivot to the Incidents table filtered by assignee and incident resolution time. |
Resolved Incidents MTTR | Displays the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses: For further investigation, select a severity bar to pivot to the Incidents table filtered by incident creation time and severity. |

Widget Name | Description |
---|---|
Data Usage Breakdown | Displays a timeline of the consumption of Cortex XDR data in TB. Hover over the graph to see the amount at a specific time. |
Detection By Actions | Displays the top five actions performed on alerts or incidents. In the upper right corner: |
Detections By Category | Displays the top five categories of alerts or incidents. In the upper right corner: |
Detection By Source | Displays the top five sources of alerts or incidents. In the upper right corner: |
Open Incidents | Displays a timeline of aged versus open incidents, or of open alerts. Aged incidents and alerts are those older than one week that remain unresolved. Refine the data in the graph from the widget menu: you can select the time frame and detection type, and group the data by hour, day, or week. Hover over the graph to view additional details. |
Open Incidents by Assignee Over Time (Top 10) | Displays the top ten assignees with the highest number of assigned incidents over a selected time frame. Refine the data in the graph from the widget menu: you can select the time frame, group the data by hour, day, or week, and select specific assignees or unassigned incidents. |
Open Incidents by Severity | Displays the total open incidents over the last 30 days according to severity. Select a severity to open a filtered view of incidents of the selected severity. |
Response Action Breakdown | Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 days. |
Top Hosts (Top 10) | Displays the top ten hosts with the highest number of incidents, in order of severity, over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity. Click a host to open a filtered view of all open incidents for the selected host. |
Top Incidents (Top 10) | Displays the top ten current incidents with the highest number of alerts, according to severity, over the last 30 days, together with each incident's score. Alerts are color-coded: red for high and yellow for medium. Click a severity to open a filtered view of all open alerts for the selected incident. Top incidents can be sorted by score. |

Note: To view the widgets in the following table, you must have the Identity Threat Module add-on enabled.

Widget Name | Description |
---|---|
Hosts | Displays the number of hosts associated with identity threats tagged by Identity Analytics or the Identity Threat module. |
Identity Alerts and Insights | Displays the number of anomalies associated with identity threats tagged by Identity Analytics or the Identity Threat module. To see the list of alerts and insights, click the number. |
Score Trend Timeline | Displays the organizational risk score trend over time. The organizational risk score is calculated using the score and the number of users whose risk score is greater than 0. Each bubble indicates the number of alerts and incidents created per day. Bigger bubbles represent more alerts and incidents, and a possible risk. |
Top 5 Hosts at Risk | Displays the hosts that are most vulnerable to potential security threats. |
Top 5 Users at Risk | Displays the users that are most vulnerable to potential security threats. |
Top 10 Incidents | Displays the top 10 identity-related incidents ordered by score. |
Users | Displays the number of users associated with identity threats tagged by Identity Analytics or the Identity Threat module. |
Watchlist | Displays the users who are most vulnerable to potential security threats. |

Widget Name | Description |
---|---|
Actions | Pie chart displaying the number of network traffic actions that occurred over the last 24 hours. For example: block-url, drop-packet, and alert. |
Daily DNS Queries | Line graph displaying the number of DNS queries executed over the last 24 hours. |
Daily Threats | Area graph displaying the number of threats detected over the last 24 hours. |
DNS Response Codes | Pie chart displaying the number of DNS response codes over the last 24 hours. For example: Server Failure, Not Implemented, and No Error. |
From Zone | Bar graph displaying the amount of traffic over the last 24 hours from each type of network zone. For example: lan-tap, TAP, and internet. |
GB Sent and Received | Line graph displaying the GB sent and received over the last 24 hours. |
Geo Locations | World map displaying the amount of network traffic according to geographical area. |
HTTP Content Type | Pie chart displaying the amount of each HTTP content type seen on the network over the last 24 hours. For example: text/xml and application/ocsp-request. |
HTTP Method | Pie chart displaying how many HTTP method types were used on the network over the last 24 hours. For example: PCHE, CPID, and UHDJ. |
HTTP Response Codes | Pie chart displaying how many HTTP response codes were returned on the network over the last 24 hours. For example: 200, 404, and 301. |
HTTP User Agent | Bar chart displaying how many HTTP user agent types were used over the last 24 hours. For example: curl and Go-http-client. |
Recent Threats | Table displaying the data Cortex XDR collected on the threats detected over the last 24 hours. For example: Source IP, Severity, and threat ID. |
Transport Protocols | Pie chart displaying the number of transport protocol types used over the last 24 hours. For example: TCP, UDP, and ICMP. |
Threat Category | Pie chart displaying the number of threat category types detected over the last 24 hours. For example: dns-ddns, spyware, and brute-force. |
Threat Severity | Pie chart displaying the total number and breakdown of threat severity types detected over the last 24 hours. For example: Informational, Medium, and Critical. |
Threat Sources | Pie chart displaying the number of IP addresses from which threats were detected over the last 24 hours. For example: dns-ddns, spyware, and brute-force. |
Top App-IDs | Pie chart displaying the number of App-IDs that accessed the network over the last 24 hours. |
Top Geo Locations | Pie chart displaying the number of network accesses from specific geo locations. |
To Zone | Bar graph displaying the amount of traffic over the last 24 hours to each type of network zone. For example: lan-tap, TAP, and internet. |
URL Categories | Word cloud displaying the types of URLs that accessed the network over the last 24 hours. |
URL Risk | Pie chart displaying the number of unknown URLs over the last 24 hours. |
Zones | Bar graph displaying the amount of traffic over the last 24 hours for each type of network zone. For example: lan-tap, TAP, and internet. |

Widget Name | Description |
---|---|
Ingestion Rate | Displays the rate at which Cortex XDR consumes data ingested from a specific vendor or product over the past 24 hours, 7 days, or 30 days. All ingestion rates are measured in bytes per second. |
Daily Consumption | A breakdown comparing the product/vendor consumption against your allowed daily limit over the past 24 hours, displayed in UTC. The daily limit is calculated according to your license: Amount of TB / 30 days. Note: If the ingestion rate has exceeded your daily limit, Cortex XDR issues a notification through the Notification Center and by email. After 3 continuous days of exceeding the ingestion rate, Cortex XDR stops ingesting data that exceeds the daily limit. |
Detailed Ingestion | Breakdown of ingestion data per vendor or product over the past 30 days. Filter the following information for each source: |
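As an added illustration (not code from Cortex XDR or its documentation), the following Python models the daily-limit formula and the 3-continuous-day rule described for the Daily Consumption widget, run over a constructed series of per-day ingestion totals. The TB-to-bytes factor, treating the licensed TB as a 30-day quota, and the exact day on which excess data starts being dropped are assumptions.

```python
"""Model of the Daily Consumption limit check (added illustration, not Cortex XDR code).
Assumptions not stated on the page: the license quota is given in TB per 30-day period,
1 TB = 10**12 bytes, and excess data starts being dropped on the third consecutive day
over the limit."""
from dataclasses import dataclass, field
from typing import List, Optional

TB = 10**12                    # assumed decimal terabyte
LICENSE_PERIOD_DAYS = 30       # from the page: daily limit = licensed TB / 30 days
DAYS_OVER_BEFORE_THROTTLE = 3  # from the page: after 3 continuous days over the limit


def daily_limit_bytes(license_tb: float) -> float:
    """Daily ingestion limit in bytes, as the widget computes it."""
    return license_tb * TB / LICENSE_PERIOD_DAYS


@dataclass
class UsageReport:
    limit_bytes: float
    over_limit_days: List[int] = field(default_factory=list)  # 0-based day indices
    throttle_from_day: Optional[int] = None  # first day on which excess data is dropped


def evaluate_usage(license_tb: float, daily_bytes: List[float]) -> UsageReport:
    """Walk a series of per-day ingestion totals (UTC days, as in the widget) and
    report which days exceeded the limit and when the 3-day rule would trigger."""
    report = UsageReport(limit_bytes=daily_limit_bytes(license_tb))
    streak = 0
    for day, used in enumerate(daily_bytes):
        if used > report.limit_bytes:
            report.over_limit_days.append(day)
            streak += 1
            if streak >= DAYS_OVER_BEFORE_THROTTLE and report.throttle_from_day is None:
                report.throttle_from_day = day
        else:
            streak = 0  # a day within the limit resets the "continuous days" count
    return report


# Constructed sample: a 3 TB / 30-day license gives a 100 GB/day limit.
SAMPLE_LICENSE_TB = 3
SAMPLE_DAILY_BYTES = [80e9, 120e9, 90e9, 110e9, 130e9, 150e9, 95e9]

if __name__ == "__main__":
    r = evaluate_usage(SAMPLE_LICENSE_TB, SAMPLE_DAILY_BYTES)
    print(f"daily limit: {r.limit_bytes / 1e9:.0f} GB")
    print(f"days over limit: {r.over_limit_days}")
    print(f"excess dropped from day: {r.throttle_from_day}")
```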

Widget Name | Description |
---|---|
Free Text | Displays a text box in which you can enter free text. |
Header | Displays a title containing free text. For example: the name and description of a report or dashboard, customer name, tenant ID, or date. |

Widget Name | Description |
---|---|
XQL Query | Displays a visualization (such as a chart, graph, or other visualization type) for the results of an XQL query over the past 24 hours, 7 days, or 30 days. By default, the query runs every 24 hours. Click Update Now to rerun the query immediately. See the XQL Language Reference guide for detailed information about creating an XQL Search query. |