topic Re: Cortex XDR - New Widget in Cortex XDR Discussions

Cortex XDR - New Widget

RamyashreeMada — Thu, 13 Oct 2022 10:24:16 GMT

Hello,

Can we create a widget with regards to endpoint tag and number of agents?

Re: Cortex XDR - New Widget

bbarmanroy — Fri, 14 Oct 2022 02:18:35 GMT

Share the XQL that you've written so far, and let us work together to fine-tune it for your needs.
Hint: you'll start off with

dataset = endpoints | alter server_tags = tags ->server_tags[]

Re: Cortex XDR - New Widget

Aiman_Fathima — Fri, 14 Oct 2022 05:20:48 GMT

Hi,

Currently, we need create a graph with X-axis as all the different tags and Y-axis as the number of endpoints. Now the tags we have is in the format "Team A: Product 1". In this we have to get numbers of endpoint for Team A tag + another widget for the different products in Team A tag. Currently, my SQL query looks like this

Dataset = Endpoints

| Tags contains "Team A"

It would be helpful if you guide us on how we proceed further.

Re: Cortex XDR - New Widget

bbarmanroy — Fri, 14 Oct 2022 06:25:01 GMT

Hi @Aiman_Fathima , you'll need to process it further to narrow down to the exact tag before you can count it (or at least cleanly). There are two ways to do it.

1. The recommended way is to change the tags from "TeamA:Product1" to two tags "TeamA, Product1". This will allow you to slice and dice more effectively, without requiring to use "contains".

2. If you want to keep the current tag format, you'll have to use a 'split' function to split the tags, and then continue.

Once you do that, you'll end up with an array of tags. Expand it (using arrayexpand), and tell me what you think the next step should be!

Re: Cortex XDR - New Widget

RamyashreeMada — Fri, 14 Oct 2022 12:05:16 GMT

Hello,

I tried to run this query . dataset = endpoints |filter tags contains "team A" |alter server_tags = tags -> server_tags[] | comp count(server_tags). I tried to display the tags in x axsis using the fields but it does not take tags or server_tags as a valid field.

Re: Cortex XDR - New Widget

bbarmanroy — Mon, 17 Oct 2022 06:03:39 GMT

Hi @RamyashreeMada you are almost there.

This is what you wrote:

dataset = endpoints |filter tags contains "team A" |alter server_tags = tags -> server_tags[] | comp count(server_tags)

Line 3 contains the results of extracting the server_tags[] and returns an array. You'll need to use 'arrayexpand' to get results with each row containing one instance of server_tags. I advised the same in my earlier post.

dataset = endpoints |filter tags contains "tag" |alter server_tags = tags -> server_tags[] | arrayexpand server_tags

The last step is to count the number of endpoints corresponding to each tag. Can you help us out here by telling how it should look like?

Re: Cortex XDR - New Widget

RamyashreeMada — Mon, 17 Oct 2022 06:23:37 GMT

Hello,

Thanks! Basically our x axis should be the tag name and y axis the count of endpoints having the tag.

Re: Cortex XDR - New Widget

bbarmanroy — Tue, 18 Oct 2022 04:21:09 GMT

That's right!

Can you share the final version of the query for everyone to be able to use it to their needs?