Create a widget in the Widgets Library in Cortex XSOAR and then add widget to a dashboard or report.
Widgets are visual components that populate dashboards and reports with specific data. Although there are various out-of-the-box system widgets available, you can create custom widgets in the Widgets Library. You can also create them from an incident or an indicator.
In the Widgets Library click the + button.
From the dropdown list, select one of the data type widgets, such as Incidents.
The relevant data is fetched into the data type. For example, when creating an incident type widget, the results are fetched. You can see a preview of the widget on the right hand side.
From the Quick chart definitions window, in the Query tab, define the widget data.
Add the following information:
Select one of the widget types, by clicking on one of the graphics, such as pie chart, line chart, etc.
Type a meaningful name for the widget.
The type of data to query.
War Room Entries
Threat Intel Reports
When selecting Scripts, if your script does not appear you need to add it to the Automation page and add the
Queries data in the Lucene query syntax form relating to the data source. For example when the data source is incidents and the query is:
-status:closed and owner:"", it queries all incidents that are not closed, which does not have an owner.
Select the script that you added when you created a custom widget using an automation script. Add the argument values, if required.
The time frame to retrieve data.
Select how you want to display the information, such as pie chart, timer widget, etc. You can see a preview of how the widget appears.
Configure the data as required, by clicking the Operations tab.
Not relevant for Script and Entries types.
In the Values section, select one of the following values:
(Not relevant for Count) Select one of the fields from the dropdown list or create your own custom calculations by selecting Custom calculations on fields.
If adding custom calculations, type the calculation as required.
The custom calculation modal suggests incident fields based on the widget data type, which are automatically validated. You can add your own fields (provided these fields exist), according to the widget data type, by using the CLI name. These fields are not validated.
In the Group by field, from the dropdown list, select the group you want to add.
By default the results are limited to the top 10 most popular results. If you want to change the top most popular to the least popular, change the number, or you want to see the remaining results that are not covered in one group (the Show ‘Others’ checkbox), click the edit button and update as required.
If you want to add a custom field, ensure that the Make data available for search field is checked, when editing or creating a new field.
(Optional) To define the groups (for example, you may want to define particular owners in the owner group):
Click Custom ‘Group by’.
In the Create Custom groups window, click Equals (String) to change the operator.
Select a value from the dropdown list.
Change the name as required.
If you want to create a second group, click Add custom group.
If you want to add a group for all other values that have not been defined, click the Create and display a group for all remaining values checkbox.
In the Second group by field, add the group as required. For example, to see data filtered by owner and severity, select Group By Owner and Second Group by Severity.
Define how the widget appears by clicking the Visuals tab.
Add the following information:
The name of the axis for both horizontal and vertical.
Select the format of the table for both horizontal and vertical axis. For example, hours, minutes, days, weeks, etc.
Whether you want a line showing the average, minimum, maximum, or custom line.
Whether you want to see the legend in your widget.
Show also percentage
Displays the percentage when selecting a pie chart.
Show values on the graph
Add the values on the chart widget.
Compares dates for a particular period in a number widget. For example, this week vs. last week, this year vs. last year, and so on. To change the comparison period, in the Time frame field from the dropdown list, select the relevant date.
Widget color threshold
Select the Widget color threshold in a number or duration widget to highlight the threshold data and define the threshold by selecting the Widget color threshold checkbox. For example, if less than 150 red, 100 yellow, 50 green. To add more thresholds, click Add new threshold. You can change the colors as required.
To change the color, in the preview section, hover next to the legend, click the ellipsis and then click Edit color.
The widget is added to the widgets library.
Add the widget to the dashboard or report.
When you add the widget, it automatically uses the date range of the dashboard or report. You can change it by clicking the settings icon and selecting Use widget’s date range. To revert, click the settings icon again and select Use dashboard’s date range