Dashboard Customization - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Cortex XSOAR dashboards provide visual data from customizable widgets. Create, edit, import, share and delete Cortex XSOAR dashboards.

Default Dashboard Tabs

By default, the following dashboard tabs are available:


If you install a content pack which contain dashboards, these can be added from the More Dashboards dropdown. To change the order of the dashboards, hover over the six block icon next to a dashboard name. When the cursor turns into a hand, drag and drop the dashboard into the required location.



My Dashboard

A personalized dashboard showing your incidents, tasks, etc.

My Threat Landscape

Information about malicious/suspicious indicators in incidents, top 10 indicators in related incidents, Unit 42 feed (if enabled).


Information about your Service Level Agreements.

Troubleshooting Playbooks

Information about playbook run and execution errors.


Information about incidents, such as severity type, active incidents, unassigned incidents, etc.

API Execution Metrics

Information about API calls. You can use the API Execution Metrics for Enrichment Command widget for troubleshooting and to make decisions about indicator enrichment.

Cost Optimization Playbooks

Information about playbooks including task executions, average runtime, etc.

Troubleshooting Instances

Information about integration instance errors.

Threat Intelligence Feeds

Information about TIM feeds that are being ingested into Cortex XSOAR.

Cost Optimization Instances

Information about commands that have been executed in Cortex XSOAR.


Information about MITRE ATT&CK techniques. Part of the MITRE ATT&CK content pack.


You can add this to your displayed dashboards when clicking More dashboards.

Threat Intel Management

Information about active indicators by reputation, type, expired indicators, etc.


You can add this to your displayed dashboards when clicking More dashboards.

VirusTotal API Execution Metrics

Information about VirusTotal API commands. Part of the VirusTotal content pack.


You can add this to your displayed dashboards when clicking More dashboards.

Dashboard Customization Options

In every dashboard, you can set the date range from which to return data and the refresh rate. In the DASHBOARDS tab, you can do the following:

  • Filter Data for all widgets

    You can filter dashboard data by either typing the query in the query bar, or in the relevant widget, by clicking Filter In. When clicking Filter In the query is added to the query bar. To filter out, delete the query. For example, if you only want to see active incidents that are high severity, in the Active Incidents by Severity widget, hover over High and click Filter In.


    To remove the filter, delete the query.


    If you want to see more information about the data, click the data to take you to the relevant page. For example, in the Active Incidents by Severity widget, to see only high incidents, click High. This takes you to the Incidents page, where you can see all the active critical incidents.

    After you have created the filter, you can send the URL of the filtered dashboard to other users.

  • Change Color of Items in Widgets

    You can change the color of items (such as indicator types, incident types, etc.) in some widgets, depending on the widget type and the chart/graph type. When editing a widget, click on the item within the legend in the preview window on the right. The Edit color option appears and you can select the color for the item.

    If you edit the color after a widget has been added to a dashboard or report, the change only applies to the widget within that dashboard or report. If you edit the widget directly in the Widgets Library before adding it to a dashboard or report, the change is applied every time you add the widget to a dashboard or report. Changes to an item within a widget only apply within that widget. For example, changing the color for the Phishing incident type within the Active Incidents widget only applies to Active Incidents, and not other widgets that contain incident types.

  • Copy the value

    While editing a widget, in the Quick chart definitions window, click on an item in the legend and select Copy value. This enables you to copy the value from the widget for commands in the War Room, etc.

  • Create a Dashboard

  • Edit a Dashboard

  • Import and export a dashboard

    The dashboard is exported as a JSON file. You can make any changes you require and then import the file. This is useful in a test and production environment.

  • Add default dashboards

    In a production environment, an administrator defines the default dashboard for each user, which is dependent on a user’s role. If a user has not modified their dashboard, these dashboards are added automatically, otherwise users can add these dashboards to their existing dashboards. These default dashboards can be removed but not deleted, and can be added again if required.Role-based permissions


    You cannot add default dashboards to out-of-the-box roles.

  • Share a Dashboard

    Duplicate, delete or remove (if shared) a dashboard.

  • Create a report

    You can generate a report from the dashboard as is, or add new widgets as required. You can set the format, when to run, orientation, etc. To create a report, click the settings icon and select Create Report, After clicking Run Now, the Report is generated.For more information about creating reports, see Create a Report.