Dashboard Customization

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-15
Category: Administrator Guide
Solution: Cloud
Abstract

Cortex XSOAR dashboards provide visual data from customizable widgets. Create, edit, import, share and delete Cortex XSOAR dashboards.

Default Dashboard Tabs

By default, the following dashboard tabs are available:

| Dashboard | Description |
| --- | --- |
| My Dashboard | A personalized dashboard showing your incidents, tasks, etc. |
| My Threat Landscape | Information about malicious/suspicious indicators in incidents, top 10 indicators in related incidents, Unit 42 feed (if enabled). |
| SLA | Information about your Service Level Agreements. |
| Troubleshooting Playbooks | Information about playbook run and execution errors. |
| Incidents | Information about incidents, such as severity type, active incidents, unassigned incidents, etc. |
| API Execution Metrics | Information about API calls. You can use the API Execution Metrics for Enrichment Command widget for troubleshooting and to make decisions about indicator enrichment. |
| Cost Optimization Playbooks | Information about playbooks including task executions, average runtime, etc. |
| Troubleshooting Instances | Information about integration instance errors. |
| Threat Intelligence Feeds | Information about TIM feeds that are being ingested into Cortex XSOAR. |
| Cost Optimization Instances | Information about commands that have been executed in Cortex XSOAR. |
| MITRE ATT&CK | Information about MITRE ATT&CK techniques. Part of the MITRE ATT&CK content pack. Note: You can add this to your displayed dashboards when clicking More dashboards. |
| Threat Intel Management | Information about active indicators by reputation, type, expired indicators, etc. Note: You can add this to your displayed dashboards when clicking More dashboards. |
| VirusTotal API Execution Metrics | Information about VirusTotal API commands. Part of the VirusTotal content pack. Note: You can add this to your displayed dashboards when clicking More dashboards. |

Note

If you install a content pack that contains dashboards, these can be added from the More Dashboards dropdown. To change the order of the dashboards, hover over the six-block icon next to a dashboard name. When the cursor turns into a hand, drag and drop the dashboard into the required location.

Dashboard Customization Options

In every dashboard, you can set the date range from which to return data and the refresh rate. In the DASHBOARDS tab, you can do the following:

  • Filter Data for all widgets

    You can filter dashboard data either by typing the query in the query bar or, in the relevant widget, by clicking Filter In. When you click Filter In, the query is added to the query bar. To filter out, delete the query. For example, if you only want to see active incidents that are high severity, in the Active Incidents by Severity widget, hover over High and click Filter In.

    To remove the filter, delete the query.

    Note

    If you want to see more information about the data, click the data to take you to the relevant page. For example, in the Active Incidents by Severity widget, to see only high incidents, click High. This takes you to the Incidents page, where you can see all the active critical incidents.

    After you have created the filter, you can send the URL of the filtered dashboard to other users.

  • Change Color of Items in Widgets

    You can change the color of items (such as indicator types, incident types, etc.) in some widgets, depending on the widget type and the chart/graph type. When editing a widget, click on the item within the legend in the preview window on the right. The Edit color option appears and you can select the color for the item.

    If you edit the color after a widget has been added to a dashboard or report, the change only applies to the widget within that dashboard or report. If you edit the widget directly in the Widgets Library before adding it to a dashboard or report, the change is applied every time you add the widget to a dashboard or report. Changes to an item within a widget only apply within that widget. For example, changing the color for the Phishing incident type within the Active Incidents widget only applies to Active Incidents, and not other widgets that contain incident types.

  • Copy the value

    While editing a widget, in the Quick chart definitions window, click on an item in the legend and select Copy value. This enables you to copy the value from the widget for commands in the War Room, etc.

  • Create a Dashboard

  • Edit a Dashboard

  • Import and export a dashboard

    The dashboard is exported as a JSON file. You can make any changes you require and then import the file. This is useful in a test and production environment.

  • Add default dashboards

    In a production environment, an administrator defines the default dashboard for each user, which is dependent on a user’s role. If a user has not modified their dashboard, these dashboards are added automatically; otherwise, users can add these dashboards to their existing dashboards. These default dashboards can be removed but not deleted, and can be added again if required. See Role-based permissions.

    Note

    You cannot add default dashboards to out-of-the-box roles.

  • Share a Dashboard

    Duplicate, delete or remove (if shared) a dashboard.

  • Create a report

    You can generate a report from the dashboard as is, or add new widgets as required. You can set the format, when to run, orientation, etc. To create a report, click the settings icon and select Create Report. After clicking Run Now, the report is generated. For more information about creating reports, see Create a Report.