Predefined Dashboards - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Administrator Guide
Abstract

Cortex XSIAM comes with predefined dashboards for common reports that enable you to monitor the status of your deployment.

Cortex XSIAM provides predefined dashboards that display widgets tailored to the dashboard type. To access your default dashboard, select Dashboards & Reports > Dashboard. From the dashboard header, a drop-down menu lists the available Predefined and Custom dashboards. The available dashboards depend on your license type.

You can rename and customize a predefined dashboard in the Dashboard Builder. For more information, see Build a Custom Dashboard.

The Agent Management dashboard displays at-a-glance information about the endpoints and agents in your deployment.


The dashboard includes the following Dashboard Widgets:

  • Agent Status Breakdown

  • Agent Content Version Breakdown (Top 5)

  • Agent Version Breakdown (Top 5)

  • Operating Type Distribution

  • Top Hosts (Top 10 | Last 30 days)

Note

This dashboard is a part of the unified asset inventory and is only available when the toggle is set to the Unified Inventory view on the Asset Inventory page.

When customizing a dashboard in the Dashboard Manager, Unified Asset Inventory widgets should not be mixed with widgets from the existing inventory.

The Asset Inventory dashboard provides a detailed breakdown of assets categorized by account, type, location, and other parameters. Click on data points to access the corresponding filtered data source on the Unified Asset Inventory page.

Note

Attack Surface Management requires the Attack Surface Management add-on.

The Attack Surface Management dashboard displays an overview of assets that are exposed to the Internet and a breakdown of incidents related to attack surface exposure.


The dashboard comprises the following Dashboard Widgets:

  • Open Attack Surface Incidents by Severity

  • Attack Surface Incidents By Status

  • Attack Surface Incidents Over Time

  • Total External Assets

  • Assets by Externally Detected Provider

The Cloud Inventory dashboard displays an overview of all your assets on the cloud.


The dashboard comprises the following Dashboard Widgets:

  • Accounts by Cloud Provider

  • Compute Instances Over Time

  • Assets by Cloud Provider

  • Assets by Type

  • Assets by Sub-Type

  • Assets by Geo Region

  • Assets by Region

  • Assets by Responsive Port Number

  • Responsive Assets Over Time

The Data Ingestion dashboard displays an overview and detailed information regarding the type and amount of data ingested by Cortex XSIAM according to the Products and Vendors used. For example, Syslog Collector, Check Point logs, and authentication logs.


The dashboard comprises the following Dashboard Widgets:

  • Daily Consumption—Stacked graphs measuring your daily data consumption, according to either Vendors (default) or Products, versus your daily consumption limit. Each bar indicates a 24-hour range over the past 14 days. Cortex XSIAM measures and enforces the 24-hour range according to UTC, but the graph displays the 24-hour range according to the selected tenant timezone.

  • Ingestion Rate—Displays your data ingestion rate, measured in Traffic/Sec, over the past 24 hours, 7 days, or 30 days, filtered according to Vendors (default), Products, or All Sources.

  • Detailed Ingestion—Table listing, for each Product (default) or Vendor, the LAST SEEN date and time, LAST DAY INGESTED (the amount of data ingested over the previous 24-hour range), and CURRENT DAY INGESTED (the amount ingested so far in the current 24-hour range). Detailed ingestion for the current 24 hours is updated at 5-minute intervals.

Note

Due to a calculation change in NGFW log ingestion and improvements to data ingestion metrics, you cannot view data earlier than July 2023 on this dashboard. However, you can still view this data by running Cortex Query Language (XQL) queries on the metrics_center data set.
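The UTC-versus-tenant-timezone distinction in the Daily Consumption widget is easy to get wrong when reconciling a quota overage against the graph. The following added example (not part of the Cortex XSIAM documentation) buckets a constructed set of ingestion records into 24-hour windows both ways and shows how the same records can cross the daily limit in one view but not the other; the vendor labels, sizes and the -5 hour tenant offset are all constructed.

```python
"""Added example: compare UTC-enforced daily consumption windows with the
tenant-timezone windows the Daily Consumption graph displays."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: (UTC timestamp, vendor, bytes ingested).
# Not real telemetry; chosen so that several records sit near a UTC day boundary.
SAMPLE_RECORDS = [
    ("2024-03-01T22:30:00Z", "Check Point", 400),
    ("2024-03-01T23:45:00Z", "Syslog Collector", 300),
    ("2024-03-02T00:10:00Z", "Check Point", 500),
    ("2024-03-02T03:00:00Z", "Auth Provider (constructed)", 200),
    ("2024-03-02T12:00:00Z", "Syslog Collector", 100),
]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def daily_consumption(records, utc_offset_hours=0):
    """Return {calendar_day: {vendor: bytes}}.

    utc_offset_hours=0 reproduces the window Cortex XSIAM enforces (UTC);
    a non-zero offset reproduces what the graph shows for a tenant timezone
    (a fixed offset is used here to keep the example free of tz-database data).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, vendor, size in records:
        day = parse_utc(ts).astimezone(tz).date().isoformat()
        buckets[day][vendor] += size
    return {day: dict(per_vendor) for day, per_vendor in buckets.items()}


def days_over_limit(records, daily_limit, utc_offset_hours=0):
    """Calendar days whose total ingestion exceeds daily_limit in the given offset."""
    totals = daily_consumption(records, utc_offset_hours)
    return sorted(day for day, v in totals.items() if sum(v.values()) > daily_limit)


if __name__ == "__main__":
    # With a 1000-byte limit the UTC (enforced) view never exceeds the quota,
    # while a UTC-5 tenant view shows 2024-03-01 over the limit on the graph.
    print("UTC view:      ", daily_consumption(SAMPLE_RECORDS))
    print("UTC-5 view:    ", daily_consumption(SAMPLE_RECORDS, -5))
    print("over limit UTC:", days_over_limit(SAMPLE_RECORDS, 1000))
    print("over limit -5: ", days_over_limit(SAMPLE_RECORDS, 1000, -5))
```

When an overage alert and the dashboard bar disagree, rerun the comparison with the tenant's actual offset before concluding that the metrics are wrong.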

The Incidents Management dashboard provides a graphical summary of incidents in your environment, with incidents prioritized and listed by severity, assignee, incident age, and affected hosts.

The dashboard includes the following Dashboard Widgets:

  • Incidents by Assignee (Top 10 | Last 30 days)

  • Open Incidents

  • Open Incidents By Severity (Last 30 days)

  • Open Incidents by Assignee Over Time (Top 10)

  • Top Hosts (Top 10 | Last 30 days)

  • Tasks By Assignee

  • Top Incidents (Top 10)

To filter a widget to display only incidents that match incident starring policies, select the star in the right corner. A purple star indicates that the widget is displaying only starred incidents. The starring filter is persistent and will continue to show the filtered results until you clear the star.

The IT Metrics dashboard displays an overview of IT performance on your Cortex XDR Agent. On the dashboard you can review CPU and memory performance data, connectivity data, and data about hard reboots and crashed applications.

The dashboard comprises the following widgets:

  • Current Internet Connectivity Status

  • Max CPU consumption (Top hosts | 24 hours)

  • Max Memory consumption (Top hosts | 24 hours)

  • Hard reboots

  • Applications Crashing (supported for Windows agents only)

  • Average CPU consumption (Top processes | 24 hours)

  • Average memory consumption (Top processes | 24 hours)

The MITRE ATT&CK Framework Coverage dashboard displays a comprehensive overview of the Cortex XSIAM content and capabilities in context with the MITRE ATT&CK framework.

On this dashboard you can see a breakdown of the protection modules and detection rules in place for each MITRE tactic and technique. You can use the dashboard to review the elements that affect your coverage, and identify coverage gaps in your framework.

The dashboard comprises the following widgets:

  • Number of Detection Rules Per Tactic—Displays the number of detection rules that are available for each MITRE tactic.

  • MITRE ATT&CK Framework Coverage—Displays a MITRE matrix detailing the available coverage for each tactic and technique. By default, covered methods are displayed. Click on a tactic or technique for details about the available prevention and detection methods. Note that the Protection numbers represent modules, which are a grouping of several protections.

  • Contributing Data Source Types—Displays the connectivity status of the data sources that are contributing to a specific data source type on your system.

    Note

    When a contributing data source type is active, it does not imply that all the rules and detectors associated with the data source type are active. Rule applicability is dependent on the data source's context and configuration. To enable an active status, data source types require the following setup:

    • Endpoint—Installed Cortex XDR agent.

    • Network—A contributing network device that is configured to ingest logs as Cortex XSIAM network connection stories.

    • Cloud—A data source that is contributing the required cloud-related information.

    • Identity—An identity application that is supported in IA (Identity Analytics) and the ITM (Identity Threat Module).

    For more information, contact your Customer Success representative.

Note

The Number of Detection Rules Per Tactic and MITRE ATT&CK Framework Coverage widgets display a static overview of the available protections. They do not reflect the protections that are currently active on the system.

My Dashboard provides an overview of the incidents and MTTR for the logged-in user.


The dashboard includes the following Dashboard Widgets:

  • My Incidents

  • My MTTR by Severity vs Target

  • My Open Incidents By Severity

  • My Incidents Over Time

The Network Traffic Analysis (NTA) dashboard helps you better visualize and track your Cortex XDR Network Traffic.

The dashboard comprises the following sections:

  • Overview

  • Threats

  • Network Zones

  • Geo Locations

  • DNS Activity

  • HTTP Activity

  • URL Activity

The NGFW Ingestion Dashboard provides an overview of ingestion status for all log types, the daily quota consumption for NGFW, and a breakdown by log type.

The dashboard includes the following Dashboard Widgets:

  • NGFW Daily Consumption

  • NGFW Ingestion Rate

  • NGFW Detailed Ingestion by log type

The Playbook Optimization dashboard provides an overview of Playbook, script, and command metrics for optimization.

The dashboard comprises the following Dashboard Widgets:

  • Playbook Runs

  • Task Executions

  • Average Runtime per Playbook

  • Average Runtime per Automation

  • Command Executions Per Integration Category

  • Command Executions by Type

Note

This dashboard is available only when the Identity Threat Module add-on is enabled.

The Risk Management dashboard presents alert and incident information against the background of baseline information. The widgets in the dashboard enable you to assess the risk your organization faces from compromised accounts and insider threats. Alerts are included in this dashboard if they are tagged by research as Identity Threat alerts or Identity Analytics alerts. An incident is included in the widgets even if only one alert in the incident is tagged as an Identity Threat or an Identity Analytics threat.

Note

The Risk Management dashboard is provided as part of the Identity Threat Module add-on.


The dashboard includes the following Dashboard Widgets, detailed under Metrics Widgets.

  • Users

  • Hosts

  • Identity Alerts and Insights

  • Score Trend Timeline

  • Top 10 Incidents

  • Top 5 Hosts at Risk

  • Top 5 Users at Risk

  • Watchlist

The Security Admin Dashboard displays an overview and detailed information regarding the incidents across your organization and the status of resolved and overdue incidents.


The dashboard includes the following Dashboard Widgets:

  • Incident Status Board—Displays a breakdown of the incidents over the last 30 days, 7 days, or 24 hours.

  • Resolved Incident MTTR—Displays the overall MTTR of all incidents created by severity and the average time it took to resolve the incidents compared to the defined Target MTTR over the last 30 days, 7 days, or 24 hours.

  • Overdue Incidents of Top 5 Assignees—Displays the 5 assignees, by assignee name, with the highest number of overdue incidents over the last 30 days, 7 days, or 24 hours, according to the incidents' creation time.

  • Incidents Over Time—Displays the number of new incidents and resolved incidents over 14 days.

  • Newest Incidents—Displays details of the 5 most recent incidents.

The Security Manager Dashboard widgets display general information about Cortex XSIAM incidents and agents.

The dashboard includes the following Dashboard Widgets:

  • Agent Status Breakdown

  • Agent Version Breakdown (Top 5)

  • Incidents by Assignee (Top 10 | Last 30 days)

  • Open Incidents By Severity (Last 30 days)

  • Top Incidents (Top 10)

  • Open Incidents

The Threat Intel Management dashboard provides information about malicious or suspicious indicators in incidents.

The dashboard comprises the following Dashboard Widgets:

  • Active Indicator Volumes by Feed

  • Active Indicators by Type

  • Active Indicators by Verdict