https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/reg-display-callouts-for-cortex-xdr-graph/m-p/568436#M5662 <P><FONT face="arial,helvetica,sans-serif">Hi&nbsp;Kavurisowmya,<BR /></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">You may try this query using the <STRONG><FONT face="andale mono,times">dataset=alerts</FONT></STRONG> which will provide a list of alerts that are only a part&nbsp;of an incident. You may also filter by the desired Actions:</FONT></P> <P>&nbsp;</P> <P><FONT face="andale mono,times">dataset = alerts </FONT><BR /><FONT face="andale mono,times">| fields alert_id, incident_id, severity, alert_source, action </FONT><BR /><FONT face="andale mono,times">| filter incident_id != null // only show alerts that are part of incidents</FONT><BR /><FONT face="andale mono,times">| filter (action != N_A) </FONT></P> <P>&nbsp;</P> <P>You may also use <STRONG><FONT face="andale mono,times">top</FONT> </STRONG>stage to return the approximate count as shown in your screenshot:</P> <P><FONT face="andale mono,times">| top action top_count as Alerts, top_percent as Percentage_of_XDR_Agent_Alerts</FONT><BR /><FONT face="andale mono,times">| alter Percentage_of_XDR_Agent_Alerts = divide(to_integer(multiply(Percentage_of_XDR_Agent_Alerts, 100)), 100)</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_0-1701791276993.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55670iF462D719CB1A601D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_0-1701791276993.png" alt="jtalton_0-1701791276993.png" /></span></P> <P>&nbsp;</P> <P>Please note that XQL training is available in Beacon:</P> <UL> <LI style="font-weight: 400;" aria-level="3"><SPAN>Cortex XDR: XQL Syntax Basics - (</SPAN><A href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1469524" target="_blank" rel="noopener"><SPAN>Link</SPAN></A><SPAN>)</SPAN></LI> <LI style="font-weight: 400;" aria-level="3"><SPAN>Cortex XDR: XQL Building Blocks - (</SPAN><A href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1472045" target="_blank" rel="noopener"><SPAN>Link</SPAN></A><SPAN>)</SPAN></LI> <LI style="font-weight: 400;" aria-level="3">Cortex XDR: XQL Functions - (<A style="font-family: inherit; background-color: #ffffff;" href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1559611" target="_blank" rel="noopener">Link</A><SPAN>)</SPAN></LI> </UL> <P>If you found this answer helpful, please select<SPAN>&nbsp;</SPAN><STRONG>Accept as Solution</STRONG>.</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 05 Dec 2023 15:51:13 GMT jtalton 2023-12-05T15:51:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/reg-display-callouts-for-cortex-xdr-graph/m-p/567934#M5656 <P>How can I get callout values in front of the row (count Example:1478)like below for a graph while creating an Xql query in Cortex XDR?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Kavurisowmya_0-1701413986585.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55551i44B0E07D1301E85B/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Kavurisowmya_0-1701413986585.png" alt="Kavurisowmya_0-1701413986585.png" /></span></P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</P> Fri, 01 Dec 2023 07:01:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/reg-display-callouts-for-cortex-xdr-graph/m-p/567934#M5656 Kavurisowmya 2023-12-01T07:01:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/reg-display-callouts-for-cortex-xdr-graph/m-p/568436#M5662 <P><FONT face="arial,helvetica,sans-serif">Hi&nbsp;Kavurisowmya,<BR /></FONT></P> <P>&nbsp;</P> <P><FONT face="arial,helvetica,sans-serif">You may try this query using the <STRONG><FONT face="andale mono,times">dataset=alerts</FONT></STRONG> which will provide a list of alerts that are only a part&nbsp;of an incident. You may also filter by the desired Actions:</FONT></P> <P>&nbsp;</P> <P><FONT face="andale mono,times">dataset = alerts </FONT><BR /><FONT face="andale mono,times">| fields alert_id, incident_id, severity, alert_source, action </FONT><BR /><FONT face="andale mono,times">| filter incident_id != null // only show alerts that are part of incidents</FONT><BR /><FONT face="andale mono,times">| filter (action != N_A) </FONT></P> <P>&nbsp;</P> <P>You may also use <STRONG><FONT face="andale mono,times">top</FONT> </STRONG>stage to return the approximate count as shown in your screenshot:</P> <P><FONT face="andale mono,times">| top action top_count as Alerts, top_percent as Percentage_of_XDR_Agent_Alerts</FONT><BR /><FONT face="andale mono,times">| alter Percentage_of_XDR_Agent_Alerts = divide(to_integer(multiply(Percentage_of_XDR_Agent_Alerts, 100)), 100)</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jtalton_0-1701791276993.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55670iF462D719CB1A601D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jtalton_0-1701791276993.png" alt="jtalton_0-1701791276993.png" /></span></P> <P>&nbsp;</P> <P>Please note that XQL training is available in Beacon:</P> <UL> <LI style="font-weight: 400;" aria-level="3"><SPAN>Cortex XDR: XQL Syntax Basics - (</SPAN><A href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1469524" target="_blank" rel="noopener"><SPAN>Link</SPAN></A><SPAN>)</SPAN></LI> <LI style="font-weight: 400;" aria-level="3"><SPAN>Cortex XDR: XQL Building Blocks - (</SPAN><A href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1472045" target="_blank" rel="noopener"><SPAN>Link</SPAN></A><SPAN>)</SPAN></LI> <LI style="font-weight: 400;" aria-level="3">Cortex XDR: XQL Functions - (<A style="font-family: inherit; background-color: #ffffff;" href="https://beacon.paloaltonetworks.com/student/collection/666205/path/1559611" target="_blank" rel="noopener">Link</A><SPAN>)</SPAN></LI> </UL> <P>If you found this answer helpful, please select<SPAN>&nbsp;</SPAN><STRONG>Accept as Solution</STRONG>.</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 05 Dec 2023 15:51:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/reg-display-callouts-for-cortex-xdr-graph/m-p/568436#M5662 jtalton 2023-12-05T15:51:13Z