Visualize Query Results - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-27
Last date published: 2023-03-27

To help you better understand your XQL query results and share your insights with others, Cortex XDR enables you to generate visualizations of your query data directly from the XQL Search page.

  1. In the Cortex XDR console, navigate to .

  2. Run an XQL query.

    For example, enter dataset = xdr_data | fields action_total_upload, _time | limit 10. The query returns the action_total_upload, a number field, and _time, a string field, for up to 10 results.

    While the query is running, you can always navigate away from the page and a notification is sent when the query completes. You can also Cancel the query or run a new query, where you have the option to Run only new query (cancel previous) or Run both queries.

  3. In the Query Results section, to visualize the results either:

    1. Navigate to Query Results > Chart Editor to manually build and view the graph using the selected visualization parameters.

      • Main

        • Graph Type—Type of visualization; Area, Bubble, Column, Funnel, Gauge, Line, Map, Pie, Scatter, Single Value, or Word Cloud.

        • Subtype and Layout—Depending on the selected type of graph, choose from the available display options.

        • Header—Title your graph.

        • Show Callouts—Display numeric values on graph.

      • Data

        • X-axis—Select a field with a string value.

        • Y-axis—Select a field with a numeric value.

      • Depending on the selected type of graph, customize the Color, Font, and Legend.

    2. Enter the visualization parameters in the XQL query section.

      You can express any chart preferences in XQL. This is helpful when you want to save your chart preferences in a query and generate a chart every time that you run it. To define the parameters, either:

      • Manually enter the parameters, for example, view graph type = column subtype = grouped header = "Test 1" xaxis = _time yaxis = _product,action_total_upload.

      • Select ADD TO QUERY to insert your chart preferences into the query itself.

  4. (Optional) Create a custom widget.

    To easily track your query results, you can create custom widgets based on the query results in the Widget Library. The custom widgets you create can be used in your custom dashboards and reports.

    Select Save to Widget Library to pivot to the Widget Library and generate a custom widget based on the query results.
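As an added example (not a query from the Cortex XDR guide), the following puts the whole procedure into a single saved query: an aggregation whose result has exactly one string field and one numeric field, followed by a view clause in the syntax shown in step 3, so the same chart is regenerated every time the query runs and can be saved to the Widget Library as-is. The field actor_process_image_name and the comp and sort stages are assumed to be standard xdr_data and XQL features; they do not appear on this page. The time range comes from the XQL Search timeframe selector, not from the query text.

```xql
// Added example, not part of the original guide.
// Sum bytes uploaded per process and chart the ten largest as a grouped column graph.
// Assumptions: actor_process_image_name exists in xdr_data (a string field),
// and comp / sort are the standard XQL aggregation and ordering stages.
dataset = xdr_data
| filter action_total_upload > 0
| comp sum(action_total_upload) as total_upload by actor_process_image_name
| sort desc total_upload
| limit 10
| view graph type = column subtype = grouped header = "Upload volume by process" xaxis = actor_process_image_name yaxis = total_upload
```

Keeping the chart parameters in the query rather than in the Chart Editor means the widget built from it in step 4 always renders the same way, and a reviewer reading the saved query can see both what is being counted and how it is presented.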