Dashboard Customization - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-02-21
Category
Administrator Guide
Abstract

Cortex XSOAR dashboards provide visual data from customizable widgets. Create, edit, import, share and delete Cortex XSOAR dashboards.

By default, the following dashboard tabs are added:

Dashboard

Description

My Dashboard

A personalized dashboard relating to your incidents, tasks, etc.

My Threat Landscape

Information about malicious/suspicious indicators in incidents, top 10 indicators in related incidents, Unit 42 feed (if enabled).

SLA

Information relating to your Service Level Agreements.

Troubleshooting Playbooks

Information relating to playbook run and execution errors.

Incidents

Information relating to incidents, such as severity type, active incidents, unassigned incidents, etc.

API Execution Metrics

Information about API calls. You can use the API Execution Metrics for Enrichment Command widget for troubleshooting and to make decisions about indicator enrichment.

Cost Optimization Playbooks

Information about playbooks including task executions, average runtime, etc.

Troubleshooting Instances

Information about integration instance errors.

Threat Intelligence Feeds

Information about TIM feeds that are being ingested into Cortex XSOAR.

Cost Optimization Instances

Information about commands that have been executed in Cortex XSOAR.

MITRE ATT&CK

Information about MITRE ATT&CK techniques. Part of the MITRE ATT&CK content pack.

Note

You can add this to your displayed dashboards when clicking More dashboards.

Threat Intel Management

Information about active indicators by reputation, type, expired indicators, etc.

Note

You can add this to your displayed dashboards when clicking More dashboards.

VirusTotal API Execution Metrics

Information about VirusTotal API commands. Part of the VirusTotal content pack.

Note

You can add this to your displayed dashboards when clicking More dashboards.

Note

If you install a content pack which contain dashboards, these can be added from the More Dashboards dropdown. To change the order of the dashboards, hover over the six block icon next to a dashboard name. When the cursor turns into a hand, drag and drop the dashboard into the required location.

Dashboard Options

In every dashboard, you can set the date range from which to return data and the refresh rate. In the DASHBOARDS tab, you can do the following:

  • Filter Data for all widgets

    You can filter dashboard data by either typing the query in the query bar, or in the relevant widget, by clicking Filter In. When clicking Filter In the query is added to the query bar. To filter out, delete the query. For example, if you only want to see active incidents by severity that are high, in the Active Incidents by Severity widget, hover over High and click Filter In.

    dashboards-pivot.png

    To remove the filter, delete the query.

    Note

    If you want to see more information about the data, click the data to take you to the relevant page. For example, in the Active Incidents by Severity widget, to see only high incidents, click High. This takes you to the Incidents page, where you can see all the active critical incidents.

    After you have created the filter, you can send the URL of the filtered dashboard to other users.

  • Change Color of Items in Widgets

    You can change the color of items (such as indicator types, incident types, etc.) in some widgets, depending on the widget type and the chart/graph type. When editing a widget, click on the item within the legend in the preview window on the right. The Edit color option appears and you can select the color for the item.

    If you edit the color after a widget has been added to a dashboard or report, the change only applies to the widget within that dashboard or report. If you edit the widget directly in the Widgets Library before adding it to a dashboard or report, the change is applied every time you add the widget to a dashboard or report. Changes to an item within a widget only apply within that widget. For example, changing the color for the Phishing incident type within the Active Incidents widget only applies to Active Incidents, and not other widgets that contain incident types.

  • Copy the value

    While editing a widget, in the Quick chart definitions window, click on an item in the legend and select Copy value. This enables you to copy the value from the widget for commands in the War Room, etc.

  • Create a Dashboard

  • Edit a Dashboard

  • Import and export a dashboard

    The dashboard is exported as a JSON file. You can make any changes you require and then import the file. This is useful in a test and production environment.

  • Add default dashboards

    In a production environment, an administrator defines the default dashboard for each user, which is dependent on a user’s role. If a user has not modified their dashboard, these dashboards are added automatically, otherwise users can add these dashboards to their existing dashboards. These default dashboards can be removed but not deleted, and can be added again if required.

    Note

    You cannot add default dashsboards to out-of-the-box roles.

  • Share a Dashboard

    Duplicate, delete or remove (if shared) a dashboard.

  • Create a report

    You can generate a report from the dashboard as is, or add new widgets as required. You can set the format, when to run, orientation, etc. To create a report, click the settings icon and select Create Report, After clicking Run Now, the Report is generated.For more information about creating reports, see Create a Report.