This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

I'm looking to create a report template with some detailed information

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

I'm looking to create a report template with some detailed information

Go to solution
ChrisHeath
L1 Bithead

‎04-11-2023 02:21 PM

What I've found in the information available in the Reports of XDR seems to be fairly high level data.

I'm looking to get some more detailed information.

Kind of like what I can get by filtering my Endpoints and manually saving to file.

Is this possible?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
timurphy
L3 Networker
In response to ChrisHeath

‎04-12-2023 10:39 AM

@ChrisHeath,

 

The count should be on the y-axis, with agent version being on the x-axis. If I'm understanding correctly, it seems you want a count of agent versions broken out by domain. Give this a try and see if it helps:

 

 

dataset = endpoints 
| filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED)
| alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) 
| fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id  
| comp count(endpoint_id) as num_agents by version_and_domain 
| sort asc version_and_domain 
| view graph type = column subtype = grouped header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents

 

 

Using the alter stage, you can create a new field. Here I created version_and_domain which is a combination of the two fields with some simple logic in case the domain field is empty. What you will end up with is <agent_version> (<domain>), e.g., 8.0.0.30814 (example.com)

 

I hope this helps!

View solution in original post

0 Likes Likes
11 REPLIES 11

Go to solution
anlynch
L4 Transporter

‎04-11-2023 02:32 PM

Hi!

 

Thanks for reaching out to LIVEcommunity!

 

I'm looking into this and I'll get back with you shortly.

 

Have a great day!

0 Likes Likes

Go to solution
MarvinC
L2 Linker

‎04-11-2023 06:25 PM

Hello @ChrisHeath ,

 

Yes. You can do this by utilizing XQL widgets. 

XQL widgets results can be attached to a report template and will be sent to your email or generated via console as CSV once successfully generated.

 

Utilize the XQL queries to get the data that you are looking for.

 

Here are helpful articles.

 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-...

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Your...

Let's have a seat and talk for a while.
0 Likes Likes

Go to solution
ChrisHeath
L1 Bithead
In response to MarvinC

‎04-12-2023 07:02 AM

@MarvinC

Can you give me an example XQL query that would find endpoints and their agent version?

0 Likes Likes

Go to solution
timurphy
L3 Networker
In response to ChrisHeath

‎04-12-2023 08:00 AM

Hi @ChrisHeath,

 

This should help you get started:

 

dataset = endpoints 
| fields endpoint_name, agent_version, operating_system 
| sort desc agent_version

 

Regards,

Tim

0 Likes Likes

Go to solution
ChrisHeath
L1 Bithead
In response to timurphy

‎04-12-2023 08:06 AM

@timurphy thanks for that... is there a way to have the XQL widget (when added to a report template) show as a graph and not just a list?

0 Likes Likes

Go to solution
timurphy
L3 Networker
In response to ChrisHeath

‎04-12-2023 08:28 AM

@ChrisHeath,

 

Sure, you can definitely display it as a graph. After you run the query, if you select the "Graph" tab you can use the Chart Editor and adjust everything as you see fit.

 

timurphy_0-1681312807913.png

 

Once you are satisfied with the preview, you can save it directly to your Widget Library, or click "Add to query" and a view stage will be added to your query.

 

Your use case sounds very similar to the out of the box widget titled "Agent Version Breakdown" - so you may want to give that a look first, if you are looking for a count of agents broken out by version. The graph could get pretty messy if you are trying to display version information alongside every hostname versus a count, for example.

0 Likes Likes

Go to solution
ChrisHeath
L1 Bithead
In response to timurphy

‎04-12-2023 08:36 AM

@timurphy 

I found that just before you replied.

I was able to create a query but  not a graph, it keeps saying "could not visualize"

Something is wrong with my final line... it works without it.

dataset = endpoints 
| fields endpoint_name, agent_version, domain 
| comp count_distinct(endpoint_name) as count by domain, agent_version
| view graph type = column subtype = grouped layout = horizontal xaxis = count yaxis = domain

 

I'm assuming that I will need some extra grouping to group the version and the domain together to be the y-axis value?

0 Likes Likes

Go to solution
timurphy
L3 Networker
In response to ChrisHeath

‎04-12-2023 10:39 AM

@ChrisHeath,

 

The count should be on the y-axis, with agent version being on the x-axis. If I'm understanding correctly, it seems you want a count of agent versions broken out by domain. Give this a try and see if it helps:

 

 

dataset = endpoints 
| filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED)
| alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) 
| fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id  
| comp count(endpoint_id) as num_agents by version_and_domain 
| sort asc version_and_domain 
| view graph type = column subtype = grouped header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents

 

 

Using the alter stage, you can create a new field. Here I created version_and_domain which is a combination of the two fields with some simple logic in case the domain field is empty. What you will end up with is <agent_version> (<domain>), e.g., 8.0.0.30814 (example.com)

 

I hope this helps!

0 Likes Likes

Go to solution
ChrisHeath
L1 Bithead
In response to timurphy

‎04-12-2023 10:50 AM - edited ‎04-12-2023 01:18 PM

@timurphy 

Perfect! (almost)

Alter is what I was missing...

I've swapped the graph to horizontal (which is why I thought I had to switch the x and y axis) and now it only shows every third agent_and_domain...  can I make it show them all?

 

 

dataset = endpoints 
| filter endpoint_status in(ENUM.CONNECTED, ENUM.DISCONNECTED)
| alter version_and_domain = if(domain != "", concat(agent_version, " (", domain, ")" ), concat(agent_version, " (", "Domain not available", ")")) 
| fields endpoint_name, agent_version, domain, version_and_domain, endpoint_id  
| comp count(endpoint_id) as num_agents by version_and_domain 
| sort asc version_and_domain
| view graph type = column subtype = grouped layout = horizontal header = "Agent Versions by Domain" xaxis = version_and_domain yaxis = num_agents

 

 

 

 

0 Likes Likes

Go to solution
timurphy
L3 Networker
In response to ChrisHeath

‎04-12-2023 01:15 PM

@ChrisHeath

 

If you're referring to the labels for each item, this looks to me like a rendering issue. If there was more vertical screen real estate they should all be shown - the query itself isn't governing how many labels are being displayed. This is why many built-in widgets limit how many results are shown, otherwise the view can be crowded. You might want to consider adjusting the graph type to something else that will fit better with your screen's resolution.

 

This is what your query looks like to me without any changes:

 

timurphy_0-1681330456751.png

 

0 Likes Likes

Go to solution
ChrisHeath
L1 Bithead

‎04-12-2023 01:19 PM

@timurphy 

thanks for your help with this
i've decided to stick with the vertical layout and added in some more filters to restrict versions (and created separate widgets for those versions)

this way I can stay under the 15 result limit for the charts

have a great day

0 Likes Likes
  • 1 accepted solution
  • 3729 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks