Dashboard Widgets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2023-10-30
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Learn about the widgets that you can use on your Cortex XSIAM custom dashboards.

Cortex XSIAM provides the following list of widgets to help you create dashboards and reports displaying summarized information about your endpoints.

Widget Name

Description

Agent Content Version Breakdown

Displays the total number of registered Cortex XSIAM agents and the distribution of agents by content update version.

Agent Status Breakdown

Displays the total number of Cortex XSIAM agents, broken down by agent status.

Agent Upgrade Failure Reasons

Displays the reasons for upgrade failures. Clickable links provide more details for each one.

Agent Upgrade Statuses

Displays the number of agents currently reporting each upgrade status category. Clickable links provide more details for each one.

Agent Version Breakdown

Displays the total number of registered Cortex XSIAM agents and the distribution of agents by agent version.

Failed Agent Upgrades over Time

Displays failed upgrade trends over time. You can scope the trend by time range (last 24 hours, 7 days, or 30 days), by agent status (connected, disconnected, connection lost, uninstalled), or by agent group.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Successful Agent Upgrades over Time

Displays successful upgrade trends over time. You can scope the trend by time range (last 24 hours, 7 days, or 30 days), by agent status (connected, disconnected, connection lost, uninstalled), or by agent group.

Widget Name

Description

Managed Assets vs Unmanaged Assets

Displays a detailed breakdown of your active managed and unmanaged assets.

Assets by Externally Detected Provider

Displays a breakdown of all externally detected providers of internet-exposed assets.

Number of Installed Agents

Displays a timeline of the number of agents installed on endpoints over the last 24 hours, 7 days, or 30 days.

Operating System Type Distribution

Displays the total number of registered agents and their distribution according to the operating system.

Top 5 Notable Users

Displays the top 5 users with the highest User Score. Select a user to pivot to the User View.

Total External Assets

Displays a breakdown of all internet-exposed assets.

Widget Name

Description

Accounts by Cloud Provider

Displays the number of accounts held in each cloud provider. Refreshes every two hours.

Assets by Cloud Provider

Displays the number of assets stored in each cloud provider. Refreshes every two hours.

Assets by Geo Region

Displays a breakdown of assets in each geographic region. Refreshes every two hours.

Assets by Region

Displays a breakdown of assets in each region. Refreshes every two hours.

Assets by Responsive Port Number

Displays the number of exposed cloud assets by port number. Refreshes every two hours.

Assets by Sub-Type

Displays a breakdown of cloud assets by sub-type. Refreshes every two hours.

Assets by Type

Displays a breakdown of cloud assets by type. Refreshes every two hours.

Compute Instances Over Time

Displays the number of times a virtual machine instance is used over time.

Select the time scope in the upper right to view the number of Compute Instances over the last 24 hours, 7 days, or 30 days.

Responsive Assets Over Time

Displays the number of exposed cloud assets over time.

Select the time scope in the upper right to view the number of exposed cloud assets over the last 24 hours, 7 days, or 30 days.

Widget Name

Description

Custom Widget

Displays a visualization (such as a chart, graph, or another visualization type) of the results of an XQL Search.

See the XQL Language Reference guide for detailed information about creating an XQL Search Query.

Widget Name

Description

CVEs By Severity

Provides a summary of the total number of existing CVEs in your network according to critical, high, medium, and low severity.

Click a severity to open a filtered view of the CVEs.

Top CVEs By Affected Endpoints

Displays the top Critical, High, and Medium severity CVEs currently existing in your network according to the total number of endpoints affected by each CVE.

Click a CVE to open a filtered view of all affected endpoints.

Top Vulnerable Applications

Displays the most vulnerable applications with the highest number of Critical, High, and Medium severity CVEs. Cortex XSIAM calculates the vulnerabilities for different application versions running on different operating systems.

Click an application to open a filtered view of all existing CVEs for the selected application.

Top Vulnerable Endpoints

Displays the most vulnerable endpoints, that is, those with the highest number of critical, high, and medium severity CVEs.

Click a host to open a filtered view of all existing CVEs for the selected host.

Vulnerabilities On All Endpoints Over Time

Displays CVEs over time across your network.

Select the time scope in the upper right to view the number of CVEs over the last 24 hours, 7 days, or 30 days.

Hover over the graph to view the number of existing CVEs on a specific day.

Widget Name

Description

Attack Surface Incidents By Status

Displays the breakdown of the attack surface incidents in the system by their status, at this moment in time.

Attack Surface Incidents Over Time

Displays the total count of new and resolved attack surface incidents per day.

Incidents By Assignee

Displays the top 10 users that are assigned the highest number of incidents over the last 30 days. For each assignee, the widget displays the distribution of Aged and Total Open incidents. Aged incidents are incidents older than one week that remain unresolved.

Select an assignee to open the incidents table filtered to display incidents that are assigned to the selected assignee.

Incidents By MITRE ATT&CK

Displays a breakdown of the number of incidents involving each MITRE ATT&CK tactic and technique over the last 30 days, 7 days, 24 hours, or a custom time range, according to the incident creation time.

Select a tactic or technique to pivot to the Incidents Table filtered according to the tactic/technique and creation time.

Incidents By Status

Provides a summary of the total current number of open incidents according to status. Click a status to open a filtered view of the incidents.

Incidents by Status Duration (Last 30 Days)

Displays the average, maximum, and minimum time that incidents stayed in a given status over the last 30 days.

Click the maximum or minimum time for a status to open the incident that corresponds to that value.

Incidents Status Board

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Total number of open incidents, how many are unassigned, and how many are overdue according to the incident severity.

  • Breakdown of open incidents according to the status New and Under Investigation.

  • Breakdown of resolved incidents according to resolved reason.

For further investigation, select each of the available breakdowns to pivot to the Incident table sorted according to the incident creation time and selected breakdown.

Incidents Over Time

Displays the following information over the past 14 days:

  • Number of new incidents created per day.

  • Number of resolved incidents per day.

For further investigation, select each of the bars to pivot to the Incident table sorted according to the creation date within the selected 24 hours.

My Incidents

Displays all active incidents assigned to the logged-in user, sorted according to the creation date. You can sort the list by age, severity, or score.

My Incidents Over Time

Displays the daily number of new and resolved incidents assigned to the logged-in user for the past 14 days.

My Open Incidents by Severity

Displays a breakdown of open incidents assigned to the logged-in user, grouped by severity, over the last 30 days. Click a severity level to open a list of incidents filtered by that severity level.

My MTTR

Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR. Available date filters are 24 hours, 7 days, and 30 days.

Newest Incidents

Displays the following details for the 5 most recent incidents:

  • Starred

  • Severity

  • ID

  • Score

  • Description

  • Creation time

Overdue Incidents of top 5 Assignees

Displays the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time:

  • Top 5 assignees, by assignee name, with the highest number of overdue incidents.

For further investigation, select a user to pivot to the Incident table filtered according to the incident creation time and assignee.

Resolved Incidents by Assignee

Displays a breakdown of the top five users with the most resolved incidents assigned to them according to the incident creation time.

For further investigation, select an assignee to pivot to the Incidents table filtered according to the assignee and the resolved incident resolution time.

Resolved Incidents MTTR

Displays either the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses:

  • Total Mean Time to Resolve (MTTR) of all incidents created during the selected time frame, broken down by severity, and the average time it took to resolve them compared to the defined Target MTTR.

For further investigation, select a severity bar to pivot to the Incident table filtered according to the incident creation time and severity.

Widget Name

Description

Active Indicator Volumes by Feed

Displays which feeds contribute the largest number of indicators over the last 24 hours, 7 days, or 30 days. Active indicators are grouped by calculation time and by source. To view the data in this widget, you must have the View Integration Threat Intel permission.

Active Indicators by Type

Displays the breakdown of active indicators by type over the last 24 hours, 7 days or 30 days. Click a section of the chart to view the Indicator screen filtered by that type. To view the data in this widget, you must have the View Integration Threat Intel permission.

Active Indicators by Verdict

Displays the breakdown of active indicators by verdict over the last 24 hours, 7 days, or 30 days. Click a section of the chart to view the Indicator screen filtered by that verdict. To view the data in this widget, you must have the View Integration Threat Intel permission.

Widget Name

Description

Data Usage Breakdown

Displays a timeline of the consumption of Cortex XSIAM data in TB. Hover over the graph to see the amount at a specific time.

Detection By Actions

Displays the top five actions performed on alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select the time range to view the number of alerts/incidents per action over the last 24 hours, 7 days, or 30 days

Detections By Category

Displays the top five categories of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select the time range to view the number of alerts/incidents per category over the last 24 hours, 7 days, or 30 days

Detection By Source

Displays the top five sources of alerts or incidents. In the upper right corner:

  • Toggle between alerts and incidents

  • Select the time range to view the number of alerts/incidents per source over the last 24 hours, 7 days, or 30 days

MITRE ATT&CK Framework Coverage

Displays a MITRE matrix detailing the available coverage for each tactic and technique in Cortex XSIAM. By default, covered methods are displayed. Click on a tactic or technique for details about the available protection and detection methods.

Note

  • This widget displays a static overview of the available protection and detection methods. It does not reflect the methods that are currently active on the system.

  • The protection numbers represent modules, which are a grouping of several protections.

MITRE Coverage Report

Displays information about MITRE ATT&CK coverage in Cortex XSIAM. The widget includes the number of techniques covered, and the number of protection modules and detection rules available for each tactic. This widget is suitable for reports.

Number of Detection Rules Per Tactic

Displays the number of detection rules that are available for each MITRE tactic, broken down by detection type.

Open Attack Surface Incidents by Severity

Displays the breakdown of open attack surface incidents by severity at this point in time.

Open Incidents

Displays a timeline of aged versus open incidents, or open alerts. Aged incidents and alerts are older than one week and remain unresolved.

Refine the data in the graph from the widget menu. You can select the time frame, detection type, and group the data by hour, day, or week.

Hover over the graph to view additional details.

Open Incidents by Assignee Over Time (Top 10)

Displays the top ten assignees with the highest number of assigned incidents over a selected time frame.

Refine the data in the graph from the widget menu. You can select the time frame, group the data by hour, day, or week, and select specific assignees or unassigned incidents.

Open Incidents by Severity

Displays the total open incidents over the last 30 days according to severity.

Select a severity to open a filtered view of incidents by the selected severity.

Response Action Breakdown

Displays the top response actions taken in the Action Center over the last 24 hours, 7 days, or 30 days.

Top Hosts

Displays the top ten hosts with the highest number of incidents in order of severity over the last 30 days. Incidents are color-coded: red for high severity and yellow for medium severity.

Click a host to open a filtered view of all open incidents for the selected host.

Top Incidents

Displays the top ten current incidents with the highest number of alerts according to severity over the last 30 days, and each incident's score. Alerts are color-coded: red for high and yellow for medium.

Click a severity to open a filtered view of all open alerts for the selected incident.

Top incidents can be sorted by score.

Widget Name

Description

Applications Crashing

Displays applications that crashed during the selected time frame, the number of crashes per app, and the number of hosts on which the app crashed. This widget is supported for Windows agents only.

Average CPU Consumption (Top 30 Processes)

Displays the average CPU consumption for the 30 processes with the highest average consumption.

Average Memory Consumption (Top 30 Processes)

Displays the average memory consumption for the 30 processes with the highest average consumption.

Current Internet Connectivity Status

Displays the current internet connectivity status for all endpoints.

Hard Reboots

Displays the total number of hard reboots that occurred in the selected time frame.

Max CPU Consumption (Top 10 Hosts)

Displays the maximum percentage of CPU consumption for the top 10 hosts.

Max Memory Consumption (Top 10 Hosts)

Displays the maximum percentage of memory consumption for the top 10 hosts.

Widget Name

Description

Average Runtime per Playbook

Displays a breakdown of the average runtime of Playbooks over the last 24 hours, 7 days or 30 days. To view the data in this widget, you must have the permission to view Playbooks.

Average Runtime per Automation

Displays a breakdown of the average script execution duration per Automation, grouped by script name, over the last 24 hours, 7 days, or 30 days. To view the data in this widget, you must have the permission to view Scripts.

Command Executions by Type

Displays a breakdown of command executions by Incident type over the last 24 hours, 7 days or 30 days. To view the data in this widget, you must have the permission to view Integrations.

Command Executions Per Integration Category

Displays a breakdown of command executions per Integration category over the last 24 hours, 7 days or 30 days. To view the data in this widget, you must have the permission to view Integrations.

Hosts

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of hosts associated with identity threats tagged by Identity Analytics or the Identity Threat module.

Identity Alerts and Insights

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of anomalies associated with identity threats tagged by Identity Analytics or the Identity Threat module. To see the list of alerts and insights, click the number.

Playbook Runs

Displays a breakdown of Playbook executions grouped by Playbook names over the last 24 hours, 7 days or 30 days. To view the data in this widget, you must have the permission to view Playbooks.

Score Trend Timeline

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the organizational risk score trend over time. The organizational risk score is calculated using the score and the number of users whose risk score is greater than 0. Each bubble indicates the number of alerts and incidents created per day. Bigger bubbles represent more alerts and incidents, and a possible risk.

Task Executions

Displays a breakdown of Task executions by command execution type over the last 24 hours, 7 days or 30 days.

Top 5 Hosts at Risk

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the hosts that are most vulnerable to potential security threats.

Top 5 Users at Risk

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the users that are most vulnerable to potential security threats.

Top 10 Incidents

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the top 10 identity related incidents ordered by score.

Users

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the number of users associated with identity threats tagged by Identity Analytics or the Identity Threat module.

Watchlist

Note

To view this widget, you must have the Identity Threat Module add-on enabled.

Displays the users who are most vulnerable to potential security threats.

Widget Name

Description

Actions

Pie chart displaying the number of network traffic actions that occurred over the last 24 hours. For example: block-url, drop-packet, and alert.

Daily DNS Queries

Line graph displaying the number of DNS queries executed over the last 24 hours.

Daily Threats

Area graph displaying the number of threats detected over the last 24 hours.

DNS Response Codes

Pie chart displaying the number of DNS response codes returned over the last 24 hours. For example: Server Failure, Not Implemented, and No Error.

From Zone

Bar graph displaying the amount of traffic over the last 24 hours from each type of network zone. For example: lan-tap, TAP, and internet.

GB Sent and Received

Line graph displaying the GB sent and received over the last 24 hours.

Geo Locations

World map displaying the amount of network traffic according to geographical area.

HTTP Content Type

Pie chart displaying the amount of each HTTP content type seen on the network over the last 24 hours. For example: text/xml and application/ocsp-request.

HTTP Method

Pie chart displaying how many HTTP method types were seen on the network over the last 24 hours. For example: PCHE, CPID, and UHDJ.

HTTP Response Codes

Pie chart displaying how many HTTP response codes were returned over the network over the last 24 hours. For example: 200, 404, and 301.

HTTP User Agent

Bar chart displaying how many HTTP user agent types were used over the last 24 hours. For example: curl and Go-http-client.

Recent Threats

Table displaying the data Cortex XDR collected about the threats detected over the last 24 hours. For example: Source IP, Severity, and ID of the threat.

Transport Protocols

Pie chart displaying the amount of transport protocol types used over the last 24 hours. For example: TCP, UDP, and ICMP.

Threat Category

Pie chart displaying the number of threat category types detected over the last 24 hours. For example: dns-ddns, spyware, and brute-force.

Threat Severity

Pie chart displaying the total number and breakdown of threat severity types detected over the last 24 hours. For example: Informational, Medium, and Critical.

Threat Sources

Pie chart displaying the number of IP addresses from which the threats were detected over the last 24 hours. For example: dns-ddns, spyware, and brute-force.

Top App-IDs

Pie chart displaying the number of App-IDs that accessed the network over the last 24 hours.

Top Geo Locations

Pie chart displaying the number of network accesses from specific Geo locations.

To Zone

Bar graph displaying the amount of traffic over the last 24 hours to each type of network zone. For example: lan-tap, TAP, and internet.

URL Categories

Word cloud displaying the types of URLs accessed over the network over the last 24 hours.

URL Risk

Pie chart displaying the number of unknown URLs over the last 24 hours.

Zones

Bar graph displaying the amount of traffic over the last 24 hours for each type of network zone. For example: lan-tap, TAP, and internet.

Widget Name

Description

Connected Data Sources

Displays the connectivity status of the data sources that are contributing to a specific data source type on your system.

Note

When a data source type shows an active status, it does not imply that all detectors associated with the data source are active. For more information about the requirements to activate a data source type, see MITRE ATT&CK Framework Coverage Dashboard.

Ingestion Rate

Displays the rate at which Cortex XSIAM consumes data ingested from a specific vendor or product over the past 24 hours, 7 days, or 30 days. All ingestion rates are measured by bytes per second.

Daily Consumption

A breakdown comparing the product/vendor consumption versus your allowed daily limit over the past 24 hours, displayed in UTC.

The daily limit is calculated from your license as the licensed amount of TB divided by 30 days.

Note

If the ingestion rate has exceeded your daily limit, Cortex XSIAM will issue a notification through the Notification Center and email. After 3 continuous days of exceeding the ingestion rate, Cortex XSIAM will stop ingesting data that exceeds the daily limit.

Detailed Ingestion

Breakdown of ingestion data per vendor or product over the past 30 days.

Filter the following information for each source:

  • Product/Vendor—Name of the selected product or vendor.

  • First Seen—Timestamp of when data from the product/vendor was first ingested.

  • Last Seen—Timestamp of when data from the product/vendor was last ingested.

  • Last Day Ingested—Amount of data ingested over the past 30 days.

  • Current Day Ingested—Amount of data ingested over the past 24 hours.

Widget Name

Description

My Tasks

Displays all active Playbook and To-Do tasks assigned to the logged-in user, sorted by alert ID and then by task ID. Click the task to view the alert and the task details in the Work Plan.

Return on Investment

Displays the amount saved in dollars based on actions carried out by all users in XSIAM across all incidents.

Tasks By Assignee

Displays the top 10 users that are assigned the highest number of tasks over the last 30 days. For each assignee, the widget displays the distribution of Aged and Total Open tasks. Aged tasks are incomplete tasks older than one week.

Widget Name

Description

Free Text

Displays a text box into which you can insert free text.

Header

Displays a title containing the free text. For example, name and description of a report or dashboard, customer name, tenant ID, or date.

Widget Name

Description

XQL Query

Displays a visualization (such as a chart, graph, or another visualization type) of the results of an XQL Search query over the past 24 hours, 7 days, or 30 days. By default, the query runs every 24 hours. Click Update Now to rerun the query immediately.

See the XQL Language Reference guide for detailed information about creating an XQL query.