topic Showing Malware incident in the Dashboard in Cortex XDR Discussions

Showing Malware incident in the Dashboard

SeanDeHarris — Fri, 30 Jun 2023 10:26:26 GMT

Hello, just want to showed the Malware incidents and the related-malware filename in the dashboard, what should i choose for the XQL.

thanks

Re: Showing Malware incident in the Dashboard

Fernando002 — Mon, 03 Jul 2023 04:45:22 GMT

To display malware incidents and their related malware filenames in a dashboard using XQL (Extended Query Language), you can use the following query: YourTexasBenefits

Find incidents with data.type = 'malware'

This query will retrieve all incidents that have a data type of "malware." You can then customize the dashboard to display the relevant information, such as the incident details and the associated malware filenames.

Please note that the exact implementation of XQL may vary depending on the specific security platform or tool you are using. Refer to the documentation or support resources provided by your security platform for more specific guidance on constructing queries and customizing dashboards.

Re: Showing Malware incident in the Dashboard

SeanDeHarris — Mon, 10 Jul 2023 07:08:11 GMT

Thanks for your reply.

I'm not sure where to locate data.type = "malware', is it under dataset = xdr_data or other dataset?

Re: Showing Malware incident in the Dashboard

neelrohit — Mon, 10 Jul 2023 09:55:27 GMT

Hi @SeanDeHarris ,

Not sure what @Fernando002 exactly means with XQL filters. However, we do not have incidents data exposed to XQL(XML query language) in Cortex XDR as of now. As a result, custom dashboard creation is not possible for the same. You can choose to create your own filters in alerts table under the Category: Malware and Module:<Enter Module of your choice(eg. Wildfire, Local Analysis, Behavioral Threat Protection etc.)> and then you can save the filter for the same.

Alternatively, if you want a consolidated dashboard, there is a widget which shows detections by category which should also list you the count of alerts/incidents generated as malware.

Hope this helps!

(view in My Videos)