09-20-2023 07:55 AM
I'm creating a widget so I can have a report run returning certain Management Audit log information. One of the fields, "Management_Auditing_type" has values that are quite long that I would like to truncate. For example, have "MANAGEMENT_AUDIT_ACTION_CENTER" changed to "Action Center", and "Management_Audit_Policy_Profiles" changed to just "Policy Profiles". The same goes for the fields for the results and severity. They all start with "Management_Audit_......".
I've been able to change the field names but I can't figure out how to change the values that get returned.
-------------------------------------------------------------------------------------------------------------------------------------------------
dataset = management_auditing
|Fields timestamp, user_name as username, management_auditing_type as type, subtype, management_auditing_result as result, management_auditing_severity as severity, description
| filter (type in (MANAGEMENT_AUDIT_ACTION_CENTER, MANAGEMENT_AUDIT_AGENT_EXCEPTION_RULES, MANAGEMENT_AUDIT_ENDPOINT_ADMINISTRATION, MANAGEMENT_AUDIT_LICENSING, MANAGEMENT_AUDIT_POLICY_PROFILES, MANAGEMENT_AUDIT_RESPONSE))
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks in advance!
09-28-2023 02:07 PM - edited 09-28-2023 02:09 PM
Hi Barnettml,
Happy to assist! I'm trying to replicate your issue, but I'm trying to understand what widget type you are editing to use that filter. Additionally, if you could provide all the steps you've taken so far to try and accomplish this so I can follow your flow better.
My understanding is that you have data in the Management Audit Log that you are trying to expose in a report using a custom widget. Knowing the widget type in the report that you are using and the field you're inputting those filters into would help as well. Lastly, I'm assuming you are using XSOAR 8 since you're using the Management Audit Log.
Thanks and have a great day!
09-28-2023 09:08 PM
Hi @barnettml, That might not be possible through the basic widget. You will need to build your own script based widget, modify the data as required then return the data in widget type format.
Refer - https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.12/Cortex-XSOAR-Administrator-Guide/Create... for more information.
09-29-2023 03:40 AM
So I had initially put this under "General Discussion".....not sure how it ended up under XSOAR but I am in Cortex XDR.....we do not have XSOAR......yet...... As far as how it was created I simply went to create a custom XQL widget and created the code shown above. The problem is that I'm not sure how in XQL to change how VALUES appear. You can see in the screenshot here that the data in the results is quite large.
I know this information in the data can be shortened because I see it when I go to settings -->management audit logs as seen to the right.
My reasoning for creating this widget is so that I can have it on my dashboard as well as I've created a weekly report based off of the widget but it is truncated because these values are so big.
I hope this explanation helps. I just need help getting the XQL right