Create a Widget Using the Widget Builder Examples - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations


The following examples show common use cases for creating a new widget.

Average Time to Close Incidents per Day

In this example we want to create a bar chart widget that shows the following:

  • The average time it takes to close incidents per day

  • Classified according to incident types

  • Incidents that occurred during the previous seven days

  1. In the Widgets Library click the add button.

  2. Select Incident data.

  3. In the Query tab, define the following:

    • Data Type: Incidents

    • Data query: -category:job and -status:Closed.

    • Time frame: Last 7 days

    • Type: Bar chart

  4. In the Operations tab:

    • Change Count to Average.

    • From the dropdown list, select Custom calculations on fields.

    • Type remediationsla.startDate-detectionsla.startDate

    • Group by: Date Occurred

    • Second Group by: Type

How Many Incidents Occurred in the Last 7 Days

In this example, we want to view the following data:

  • How many incidents occurred in the last 7 days

  • Closed vs not closed (pending or active)

  • Displayed as a line chart

  1. In the Quick Chart definitions window, use the following data:

  2. In the Operations tab, the first group is Date Occurred.

  3. In the second group, from the dropdown list, select status.

  4. Click Custom Group by to add the following data:

Average Time for Open Incidents That are Late

In this example, we want to create the following incident type widget:

  • The average time for open incidents that are late.

  • Grouped by two groups (group A and group B) and by type.

  • Displayed as a bar chart

  1. In the Query tab, type:

  2. In the Operations tab, add the following information:

    1. In the Values section, select Average.

    2. From the dropdown list, click Custom calculations on fields.

    3. Type {now}-remediationsla.dueDate.

      We want to see the average time that incidents are late (from today’s date). We add a variable {now}, so that we do not have to change the date.

    4. In the Group by field, select Owner and then click Custom Group by.

    5. Add the following information:

    6. Select the Create and display a group for all remaining values checkbox.

      There are additional users who are not in either group, and we want to see them as well.

    7. In the second group by field, from the dropdown list, select Type.

  3. In the Visuals tab, select the following:

    1. Horizontal options - Axis name: TEAM.

    2. Vertical options - Axis name: REMEDIATION TIME.
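
The aggregation this last widget is set up to perform can be checked offline against exported incident data. The following Python sketch is an added example, not part of the original guide and not Cortex XSOAR code. The owner names, group membership, incident records, and the choice of hours as the unit are constructed assumptions, and the input is assumed to be already filtered to open, late incidents.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed group membership; the page does not list the real members.
CUSTOM_GROUPS = {"Group A": {"alice", "bob"}, "Group B": {"carol"}}
REMAINING = "Other"  # stands in for the "group for all remaining values"


def owner_group(owner, include_remaining=True):
    """Map an owner to its custom group, or to the remaining-values group."""
    for name, members in CUSTOM_GROUPS.items():
        if owner in members:
            return name
    return REMAINING if include_remaining else None


def average_lateness(incidents, now, include_remaining=True):
    """Average of {now} - remediationsla.dueDate in hours, keyed by (group, type)."""
    buckets = defaultdict(list)
    for inc in incidents:
        due = datetime.fromisoformat(inc["remediationsla"]["dueDate"])
        group = owner_group(inc["owner"], include_remaining)
        if group is None:
            continue  # modelled here as: owners outside the groups are left out
        buckets[(group, inc["type"])].append((now - due).total_seconds() / 3600)
    return {key: sum(v) / len(v) for key, v in sorted(buckets.items())}


# Constructed sample: open incidents whose remediation SLA due date has passed.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"owner": "alice", "type": "Phishing",
     "remediationsla": {"dueDate": "2024-05-10T06:00:00+00:00"}},
    {"owner": "bob", "type": "Phishing",
     "remediationsla": {"dueDate": "2024-05-09T12:00:00+00:00"}},
    {"owner": "carol", "type": "Malware",
     "remediationsla": {"dueDate": "2024-05-10T00:00:00+00:00"}},
    {"owner": "dave", "type": "Malware",
     "remediationsla": {"dueDate": "2024-05-08T12:00:00+00:00"}},
]

if __name__ == "__main__":
    for (group, itype), hours in average_lateness(SAMPLE, NOW).items():
        print(f"{group:8} {itype:9} {hours:6.1f} h late on average")
```

Passing `now` as a parameter mirrors the `{now}` variable: the same definition yields current lateness whenever it is evaluated, with no date to edit.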