This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

jtalton
L3 Networker

‎04-16-2024 07:28 AM - edited ‎04-16-2024 07:29 AM

Good morning, 

 

That is an OOTB widget, so you will need to create an XQL query to create the pie chart. Please note that using the XQL API consumes your daily free quota of query units. Each XQL Query consumes query units based on the number of responses from the API results. Queries called without enough quota will fail. Additional units can be purchased through your account team. 


Here is an XQL query to get started:

 

config case_sensitive = false timeframe = 30d
|dataset = incidents_assets
| fields incident_id, agent_id
| join type = left (dataset = alerts | filter excluded = FALSE and host_name != null | dedup incident_id, host_name | fields host_name, endpoint_id, incident_id, alert_arrival_timestamp, original_tags, alert_source ) as join_alerts join_alerts.incident_id = incident_id
| join type = left (dataset = scheduled_endpoints_dataset ) as endpoint_id endpoint_id.endpoint_id = endpoint_id
| join type = left (dataset = incidents | fields incident_id, severity, status ) as join_incidents join_incidents.incident_id = incident_id
| filter status in(ENUM.NEW, ENUM.UNDER_INVESTIGATION)
| comp count_distinct(incident_id ) as Incidents by severity
|
view graph type = pie header = "Open Incidents by Severity" xaxis = severity yaxis = Incidents valuecolor("LOW","#3f8aff") valuecolor("MEDIUM","#ffb43e") valuecolor("HIGH","rgba(255,0,0,0.99)")

 

The instructions are outlined in this Live Community webinar LIVEcommunity - On-Demand Webinar: "How To Use XQL APIs With Cortex XDR" - LIVEcommunity - 459696 (p...

 

The following is a request example to help you build your query based on the information generated.

  • Take note of the required parameters
    • URI /public_api/v1/xql/start_xql_query/
      HTTP Method POST
    • Required License Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB

Sample
curl -X POST https://api-{fqdn}/public_api/v1/xql/start_xql_query/ \
-H "x-xdr-auth-id:{key_id}" \
-H "Authorization:{key}" \
-H "Content-Type:application/json" \
-d '{
"request_data": {
"query": "dataset=xdr_data | fields event_id, event_type, event_sub_type | limit 3",
"tenants": ["tenantID", "tenantID"],
"timeframe": {"from": 1598907600000, "to": 1599080399000}
}
}'

 

Also, if you are unfamiliar with XQL, training is provided in Live Community as well as Beacon. 

 

LIVEcommunity - Cortex XDR Basic XQL Crash Course - LIVEcommunity - 544056 (paloaltonetworks.com)

 

Thank you

If you found this answer helpful, please select Accept as Solution.
0 Likes Likes
(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks