I'm looking to create a report template with some detailed information


L1 Bithead

What I've found in the information available in the Reports of XDR seems to be fairly high-level data.

I'm looking to get some more detailed information.

Kind of like what I can get by filtering my Endpoints and manually saving to file.

Is this possible?



L4 Transporter

Hi!

 

Thanks for reaching out to LIVEcommunity!

 

I'm looking into this and I'll get back with you shortly.

 

Have a great day!

L2 Linker

Hello @ChrisHeath ,

 

Yes. You can do this by utilizing XQL widgets. 

XQL widget results can be attached to a report template and will be sent to your email or generated via the console as CSV once successfully generated.

 

Utilize the XQL queries to get the data that you are looking for.

 

Here are some helpful articles.

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-...

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Your...

Let's have a seat and talk for a while.

@MarvinC

Can you give me an example XQL query that would find endpoints and their agent version?

Hi @ChrisHeath,

 

This should help you get started:

 

dataset = endpoints 
| fields endpoint_name, agent_version, operating_system 
| sort desc agent_version 

 

Regards,

Tim

@timurphy thanks for that... is there a way to have the XQL widget (when added to a report template) show as a graph and not just a list?

@ChrisHeath,

 

Sure, you can definitely display it as a graph. After you run the query, if you select the "Graph" tab you can use the Chart Editor and adjust everything as you see fit.

 

[screenshot: Chart Editor preview]

 

Once you are satisfied with the preview, you can save it directly to your Widget Library, or click "Add to query" and a view stage will be added to your query.

 

Your use case sounds very similar to the out-of-the-box widget titled "Agent Version Breakdown", so you may want to give that a look first if you are looking for a count of agents broken out by version. The graph could get pretty messy if you are trying to display version information alongside every hostname rather than a count, for example.

@timurphy 

I found that just before you replied.

I was able to create a query but not a graph; it keeps saying "could not visualize".

Something is wrong with my final line... it works without it.

dataset = endpoints 
| fields endpoint_name, agent_version, domain 
| comp count_distinct(endpoint_name) as count by domain, agent_version
| view graph type = column subtype = grouped layout = horizontal xaxis = count yaxis = domain 

 

I'm assuming that I will need some extra grouping to group the version and the domain together to be the y-axis value?

@ChrisHeath,

 

The count should be on the y-axis, with agent version being on the x-axis. If I'm understanding correctly, it seems you want a count of agent versions broken out by domain. Give this a try and see if it helps:

 

 

dataset = endpoints 
| filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED)
| alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) 
| fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id  
| comp count(endpoint_id) as num_agents by version_and_domain 
| sort asc version_and_domain 
| view graph type = column subtype = grouped header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents 

 

 

Using the alter stage, you can create a new field. Here I created version_and_domain which is a combination of the two fields with some simple logic in case the domain field is empty. What you will end up with is <agent_version> (<domain>), e.g., 8.0.0.30814 (example.com)

 

I hope this helps!

@timurphy 

Perfect! (almost)

Alter is what I was missing...

I've swapped the graph to horizontal (which is why I thought I had to switch the x and y axes) and now it only shows every third agent_and_domain... Can I make it show them all?

 

 

dataset = endpoints 
| filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED)
| alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) 
| fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id  
| comp count(endpoint_id) as num_agents by version_and_domain 
| sort asc version_and_domain
| view graph type = column subtype = grouped layout = horizontal header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents 

 

 

 

 

@ChrisHeath

 

If you're referring to the labels for each item, this looks to me like a rendering issue. If there was more vertical screen real estate they should all be shown - the query itself isn't governing how many labels are being displayed. This is why many built-in widgets limit how many results are shown, otherwise the view can be crowded. You might want to consider adjusting the graph type to something else that will fit better with your screen's resolution.

 

This is what your query looks like to me without any changes:

 

[screenshot: the query's graph as rendered]

 

L1 Bithead

@timurphy 

Thanks for your help with this.

I've decided to stick with the vertical layout and added in some more filters to restrict versions (and created separate widgets for those versions).

This way I can stay under the 15-result limit for the charts.

Have a great day.
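As an added example (not code from this thread or from Palo Alto Networks), the same breakdown the accepted answer's query produces, reconstructed in Python over a constructed endpoints CSV of the kind the original poster mentioned exporting: the status filter, the "Domain not available" label fallback and the count-by-label mirror the XQL filter, alter and comp stages. The version_prefix and limit parameters are assumptions that model the per-version widgets and the 15-result chart limit mentioned in the last reply.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real data): the columns the XQL query uses.
SAMPLE_CSV = """endpoint_id,endpoint_name,agent_version,domain,endpoint_status
e1,host01,8.0.0.30814,example.com,CONNECTED
e2,host02,8.0.0.30814,example.com,DISCONNECTED
e3,host03,8.0.0.30814,,CONNECTED
e4,host04,7.9.1.20201,corp.example,CONNECTED
e5,host05,7.9.1.20201,corp.example,LOST
e6,host06,8.1.0.11111,example.com,CONNECTED
"""

# Same statuses as the XQL stage: filter endpoint_status in(CONNECTED, DISCONNECTED)
ACTIVE_STATUSES = {"CONNECTED", "DISCONNECTED"}
NO_DOMAIN = "Domain not available"


def version_and_domain(row):
    """Mirror the alter stage: '<agent_version> (<domain>)', with a fallback
    label when the domain field is empty."""
    domain = row["domain"] if row["domain"] != "" else NO_DOMAIN
    return f"{row['agent_version']} ({domain})"


def agent_breakdown(csv_text, version_prefix=None, limit=15):
    """Return [(version_and_domain, num_agents), ...] sorted ascending by label.

    version_prefix (assumed helper, e.g. "8.0") restricts the rows to one agent
    version family, the way separate per-version widgets would; limit caps the
    number of rows so the result fits the chart's 15-result limit.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["endpoint_status"] not in ACTIVE_STATUSES:
            continue
        if version_prefix and not row["agent_version"].startswith(version_prefix):
            continue
        counts[version_and_domain(row)] += 1  # comp count(endpoint_id) by label
    ordered = sorted(counts.items())  # sort asc version_and_domain
    return ordered[:limit]


if __name__ == "__main__":
    for label, num_agents in agent_breakdown(SAMPLE_CSV):
        print(f"{num_agents:>3}  {label}")
```

A row whose status is neither CONNECTED nor DISCONNECTED (host05 above) is dropped before counting, and host03 lands under the fallback label, so the output matches what the widget would chart from the same data.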
