XDR Endpoint Visibility Dashboard

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XDR Endpoint Visibility Dashboard

L2 Linker

Hello, 

Let's assume I have 5 departments inside my organization. Each contains 6-7 endpoints. I want to create 5 dashbaords for each. In these dashboards, I want to see only organization specific endpoints ( 6-7 endpoints would be in each dashboard). I want to see incidents only related to specific organization. PS: I can filter endpoints according to froup names I have created before. For example:

Dashboard 1: Organization A, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_a

Dashboard 2: Organization B, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_b

Dashboard 3: Organization C, 6 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_c

Dashboard 4: Organization D, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_d

Dashboard 5: Organization E, 5 endpoints, incidents (alerts) and logs only for these endpoints, PS: group_name = organization_e

If you help me, I would be so happy. 

 

 

Thanks in advance

2 REPLIES 2

L5 Sessionator

Hello @JahidAliyev ,

 

Thank you for reaching out to our live community

 

Could you please confirm which logs are you mentioning about?

Ashutosh Patil

L3 Networker

Hi JahidAliyev,

 

Although there are out of the box widgets available, you will need to create an XQL query to create a custom widget to add to a custom dashboard to monitor Incidents/Alerts and define the endpoint groups. The process to create a widget is outlined in a How-to Video located here.

 

You may also define SBAC roles when creating the dashboard. How to create a Dashboard and define SBAC is also outlined in a How-to Video located  here

 

To create the XQL queries you will need to utilize the dataset = incidents and dataset = alerts.  To view incidents and alerts by an endpoint group requires the use of the orginal_tag field to designate the endpoint group name. 

 

Here are some queries to get started that display the number of open and resolved incidents by endpoint group. 

 

\\Resolved Incidents

dataset = incidents 

| filter resolved_ts != null

| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id 

| filter (original_tags contains """endpointgroup_tagname""")

| comp count_distinct(incident_id) as Incidents

 

\\Open Incidents

dataset = incidents 

| filter resolved_ts != null

| join type = left (dataset = alerts | fields alert_id, incident_id, local_insert_ts, original_tags) as join_alerts join_alerts.incident_id = incident_id 

| filter (original_tags contains """endpointgroup_tagname""")

| comp count_distinct(incident_id) as Incidents

 

Reference

LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)

 

Thank you

If you found this answer helpful, please select Accept as Solution.
  • 630 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!