topic Re: I'm looking to create a report template with some detailed information in Cortex XDR Discussions

I'm looking to create a report template with some detailed information

${userLoginName} — Tue, 11 Apr 2023 21:21:31 GMT

What I've found in the information available in the Reports of XDR seems to be fairly high level data.

I'm looking to get some more detailed information.

Kind of like what I can get by filtering my Endpoints and manually saving to file.

Is this possible?

Re: I'm looking to create a report template with some detailed information

anlynch — Tue, 11 Apr 2023 21:32:49 GMT

Hi!

Thanks for reaching out to LIVEcommunity!

I'm looking into this and I'll get back with you shortly.

Have a great day!

Re: I'm looking to create a report template with some detailed information

MarvinC — Wed, 12 Apr 2023 01:25:01 GMT

Hello @${userLoginName} ,

Yes. You can do this by utilizing XQL widgets.

XQL widgets results can be attached to a report template and will be sent to your email or generated via console as CSV once successfully generated.

Utilize the XQL queries to get the data that you are looking for.

Here are helpful articles.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-with-XQL

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Your-Widget-Library

Re: I'm looking to create a report template with some detailed information

${userLoginName} — Wed, 12 Apr 2023 14:02:14 GMT

@MarvinC

Can you give me an example XQL query that would find endpoints and their agent version?

Re: I'm looking to create a report template with some detailed information

timurphy — Wed, 12 Apr 2023 15:00:48 GMT

Hi @${userLoginName},

This should help you get started:

dataset = endpoints | fields endpoint_name, agent_version, operating_system | sort desc agent_version

Regards,

Tim

Re: I'm looking to create a report template with some detailed information

${userLoginName} — Wed, 12 Apr 2023 15:06:57 GMT

@timurphy thanks for that... is there a way to have the XQL widget (when added to a report template) show as a graph and not just a list?

Re: I'm looking to create a report template with some detailed information

timurphy — Wed, 12 Apr 2023 15:28:03 GMT

@${userLoginName},

Sure, you can definitely display it as a graph. After you run the query, if you select the "Graph" tab you can use the Chart Editor and adjust everything as you see fit.

Once you are satisfied with the preview, you can save it directly to your Widget Library, or click "Add to query" and a view stage will be added to your query.

Your use case sounds very similar to the out of the box widget titled "Agent Version Breakdown" - so you may want to give that a look first, if you are looking for a count of agents broken out by version. The graph could get pretty messy if you are trying to display version information alongside every hostname versus a count, for example.

Re: I'm looking to create a report template with some detailed information

${userLoginName} — Wed, 12 Apr 2023 15:36:01 GMT

@timurphy

I found that just before you replied.

I was able to create a query but not a graph, it keeps saying "could not visualize"

Something is wrong with my final line... it works without it.

dataset = endpoints | fields endpoint_name, agent_version, domain | comp count_distinct(endpoint_name) as count by domain, agent_version | view graph type = column subtype = grouped layout = horizontal xaxis = count yaxis = domain

I'm assuming that I will need some extra grouping to group the version and the domain together to be the y-axis value?

Re: I'm looking to create a report template with some detailed information

timurphy — Wed, 12 Apr 2023 17:39:25 GMT

@${userLoginName},

The count should be on the y-axis, with agent version being on the x-axis. If I'm understanding correctly, it seems you want a count of agent versions broken out by domain. Give this a try and see if it helps:

dataset = endpoints | filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED) | alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) | fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id | comp count(endpoint_id) as num_agents by version_and_domain | sort asc version_and_domain | view graph type = column subtype = grouped header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents

Using the alter stage, you can create a new field. Here I created version_and_domain which is a combination of the two fields with some simple logic in case the domain field is empty. What you will end up with is <agent_version> (<domain>), e.g., 8.0.0.30814 (example.com)

I hope this helps!

Re: I'm looking to create a report template with some detailed information

${userLoginName} — Wed, 12 Apr 2023 20:18:45 GMT

@timurphy

Perfect! (almost)

Alter is what I was missing...

I've swapped the graph to horizontal (which is why I thought I had to switch the x and y axis) and now it only shows every third agent_and_domain... can I make it show them all?

dataset = endpoints | filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED) | alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) | fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id | comp count(endpoint_id) as num_agents by version_and_domain | sort asc version_and_domain | view graph type = column subtype = grouped layout = horizontal header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents

Re: I'm looking to create a report template with some detailed information

timurphy — Wed, 12 Apr 2023 20:15:57 GMT

@${userLoginName},

If you're referring to the labels for each item, this looks to me like a rendering issue. If there was more vertical screen real estate they should all be shown - the query itself isn't governing how many labels are being displayed. This is why many built-in widgets limit how many results are shown, otherwise the view can be crowded. You might want to consider adjusting the graph type to something else that will fit better with your screen's resolution.

This is what your query looks like to me without any changes:

Re: I'm looking to create a report template with some detailed information

${userLoginName} — Wed, 12 Apr 2023 20:19:22 GMT

@timurphy

thanks for your help with this
i've decided to stick with the vertical layout and added in some more filters to restrict versions (and created separate widgets for those versions)

this way I can stay under the 15 result limit for the charts

have a great day