01-25-2024 11:41 PM
Hello,
Let's assume I have 5 departments inside my organization. Each contains 6-7 endpoints. I want to create 5 dashboards, one for each. In these dashboards, I want to see only organization-specific endpoints (6-7 endpoints would be in each dashboard). I want to see incidents only related to the specific organization. PS: I can filter endpoints according to group names I have created before. For example:
Dashboard 1: Organization A, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_a
Dashboard 2: Organization B, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_b
Dashboard 3: Organization C, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_c
Dashboard 4: Organization D, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_d
Dashboard 5: Organization E, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_e
If you help me, I would be so happy.
Thanks in advance
01-31-2024 09:14 AM
Hello @JahidAliyev ,
Thank you for reaching out to our live community
Could you please confirm which logs you are referring to?
01-31-2024 09:29 AM
Hi JahidAliyev,
Although there are out-of-the-box widgets available, you will need to create an XQL query to create a custom widget to add to a custom dashboard to monitor Incidents/Alerts and define the endpoint groups. The process to create a widget is outlined in a How-to Video located here.
You may also define SBAC roles when creating the dashboard. How to create a Dashboard and define SBAC is also outlined in a How-to Video located here.
To create the XQL queries you will need to utilize dataset = incidents and dataset = alerts. Viewing incidents and alerts by endpoint group requires the use of the original_tags field to designate the endpoint group name.
Here are some queries to get started that display the number of open and resolved incidents by endpoint group.
// Resolved Incidents: incidents that have a resolution timestamp
dataset = incidents
| filter resolved_ts != null
// pull the endpoint-group tag from the alerts that belong to each incident
| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id
// replace endpointgroup_tagname with the group tag for this dashboard
| filter (original_tags contains """endpointgroup_tagname""")
| comp count_distinct(incident_id) as Incidents
// Open Incidents: incidents with no resolution timestamp yet
dataset = incidents
| filter resolved_ts = null
| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id
| filter (original_tags contains """endpointgroup_tagname""")
| comp count_distinct(incident_id) as Incidents
Reference
LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)
Thank you
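As an added example (not part of the reply above), the two queries can be folded into one widget query per dashboard: each incident is labelled Open or Resolved from resolved_ts, the alerts join supplies the endpoint-group tag, and the comp stage counts distinct incidents per state. It assumes the asker's group name (organization_a) appears in original_tags of the alerts; the other four dashboards use the same query with their own tag.

```xql
// Added example: open vs. resolved incident counts for one endpoint group in a single query
// Replace organization_a with the group tag of the dashboard being built (organization_b, ...)
dataset = incidents
// inner join: an incident without a matching alert carries no tag and cannot be assigned to a group
| join type = inner (dataset = alerts | fields alert_id, incident_id, original_tags) as join_alerts join_alerts.incident_id = incident_id
| filter original_tags contains """organization_a"""
// derive the state from the resolution timestamp instead of running two separate queries
| alter status = if(resolved_ts = null, "Open", "Resolved")
| comp count_distinct(incident_id) as Incidents by status
```

Rendering this as a bar or table widget on each organization's dashboard gives the open/resolved split for that group only; the dashboard's time-range picker still applies to the query.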