topic Re: XDR Endpoint Visibility Dashboard in Cortex XDR Discussions

XDR Endpoint Visibility Dashboard

JahidAliyev — Fri, 26 Jan 2024 07:41:03 GMT

Hello,

Let's assume I have 5 departments inside my organization. Each contains 6-7 endpoints. I want to create 5 dashbaords for each. In these dashboards, I want to see only organization specific endpoints ( 6-7 endpoints would be in each dashboard). I want to see incidents only related to specific organization. PS: I can filter endpoints according to froup names I have created before. For example:

Dashboard 1: Organization A, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_a

Dashboard 2: Organization B, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_b

Dashboard 3: Organization C, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_c

Dashboard 4: Organization D, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_d

Dashboard 5: Organization E, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_e

If you help me, I would be so happy.

Thanks in advance

Re: XDR Endpoint Visibility Dashboard

aspatil — Wed, 31 Jan 2024 17:14:07 GMT

Hello @JahidAliyev ,

Thank you for reaching out to our live community

Could you please confirm which logs are you mentioning about?

Re: XDR Endpoint Visibility Dashboard

jtalton — Wed, 31 Jan 2024 17:29:23 GMT

Hi JahidAliyev,

Although there are out of the box widgets available, you will need to create an XQL query to create a custom widget to add to a custom dashboard to monitor Incidents/Alerts and define the endpoint groups. The process to create a widget is outlined in a How-to Video located here.

You may also define SBAC roles when creating the dashboard. How to create a Dashboard and define SBAC is also outlined in a How-to Video located here

To create the XQL queries you will need to utilize the dataset = incidents and dataset = alerts. To view incidents and alerts by an endpoint group requires the use of the orginal_tag field to designate the endpoint group name.

Here are some queries to get started that display the number of open and resolved incidents by endpoint group.

\\Resolved Incidents

dataset = incidents

| filter resolved_ts != null

| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id

| filter (original_tags contains """endpointgroup_tagname""")

| comp count_distinct(incident_id) as Incidents

\\Open Incidents

dataset = incidents

| filter resolved_ts != null

| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id

| filter (original_tags contains """endpointgroup_tagname""")

| comp count_distinct(incident_id) as Incidents

Reference

LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)

Thank you