diff --git a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml index c7fd172..4aaa788 100644 --- a/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml +++ b/Packs/soc-framework-manager/Scripts/SOCFWPackManager.yml @@ -1,7 +1,7 @@ fromversion: 5.0.0 commonfields: id: SOCFWPackManager - version: 8 + version: 6 contentitemexportablefields: contentitemfields: packID: soc-framework-manager @@ -29,7 +29,9 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ JSON objects\n# (prevents \"Extra data: line 2 column 1 ...\")\n# - Dependencies: install custom pack dependencies from xsoar_config.json \"custom_packs\"\n# - Polling: timeout fallback checks for REAL pack id (not zip filename)\n# - Stream normalize: - handles stream-returned list containing list-of-dicts\n# ============================================================\n\nSCRIPT_NAME + handles stream-returned list containing list-of-dicts\n#\n# FIX NOW (minimal change):\n# + - Jobs: DO NOT configure/create/update if job already exists (prevents duplicates + on rerun)\n# ============================================================\n\nSCRIPT_NAME = \"SOCFWPackManager\"\n\n# ---------------------------\n# Basic helpers\n# ---------------------------\n\ndef _norm(s: Any) -> str:\n return (str(s) if s is not None else \"\").strip()\n\ndef _to_lower(s: Any) -> str:\n return _norm(s).lower()\n\ndef _parse_csv(val: Any) 
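Review bot: The added header line `# FIX NOW (minimal change):` in the second hunk reads as a commit note rather than a description of the script's behaviour and will be stale after the next change; the bullet under it is the part worth keeping. I would reword it to say what an operator needs to know, e.g. `# - Jobs: a job whose name already exists is left untouched (counted as ok); definition changes to an existing job are not applied on rerun`, since the skip also suppresses updates and the current wording only mentions duplicates. The first hunk lowers `commonfields.version` from 8 to 6 while the pack version elsewhere in this commit goes up; if that is not deliberate it is worth confirming, as I cannot tell from the diff how a lower item version is treated on import.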
@@ -577,24 +579,30 @@ script: "import json\nimport time\nfrom typing import Any, Dict, List, Optional\ debug=debug)\n\n if not search_path:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append(\n {\"name\": name, \"error\": \"Jobs API verification unavailable; cannot confirm job creation/update.\"}\n - \ )\n continue\n\n try:\n _ = jobs_api_upsert(job, - using=using, search_path=search_path, debug=debug)\n\n verified = None\n - \ for _i in range(1, 8):\n verified = jobs_api_find_by_name(name, - using=using, search_path=search_path, debug=debug)\n if verified:\n - \ break\n time.sleep(2)\n\n if not verified:\n - \ raise Exception(\"Upsert ran but job still not visible via Jobs - API.\")\n\n summary[\"ok\"] += 1\n log(f\"✅ Job **{name}** - created/updated and verified.\", stage=\"configure.jobs.result\", debug=debug, always=True)\n\n - \ except Exception as e:\n summary[\"failed\"] += 1\n summary[\"failed_items\"].append({\"name\": - name, \"error\": str(e)})\n emit_progress(f\"Failed configuring job **{name}**.\\nError: - {e}\", stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n - \ [\n \"Jobs summary:\",\n f\"- attempted: - {summary['attempted']}\",\n f\"- ok (verified): {summary['ok']}\",\n - \ f\"- failed: {summary['failed']}\",\n f\"- notes: - {', '.join(summary['notes']) if summary['notes'] else '(none)'}\",\n ]\n - \ ),\n stage=\"configure.jobs.summary\",\n )\n return summary\n\n# - ---------------------------\n# Main\n# ---------------------------\n\ndef main():\n - \ args = demisto.args()\n\n action = (args.get(\"action\") or \"apply\").strip().lower()\n + \ )\n continue\n\n # ✅ FIX: If the job already exists, + do nothing (prevents duplicates on rerun).\n existing = None\n for + _i in range(1, 6): # small settle loop for index propagation\n existing + = jobs_api_find_by_name(name, using=using, search_path=search_path, debug=debug)\n + \ if existing:\n break\n time.sleep(1)\n\n if + existing:\n summary[\"ok\"] += 1\n log(f\"⏭️ Job 
**{name}** + already exists — skipping.\", stage=\"configure.jobs.result\", debug=debug, always=True)\n + \ continue\n\n try:\n _ = jobs_api_upsert(job, using=using, + search_path=search_path, debug=debug)\n\n verified = None\n for + _i in range(1, 8):\n verified = jobs_api_find_by_name(name, using=using, + search_path=search_path, debug=debug)\n if verified:\n break\n + \ time.sleep(2)\n\n if not verified:\n raise + Exception(\"Upsert ran but job still not visible via Jobs API.\")\n\n summary[\"ok\"] + += 1\n log(f\"✅ Job **{name}** created and verified.\", stage=\"configure.jobs.result\", + debug=debug, always=True)\n\n except Exception as e:\n summary[\"failed\"] + += 1\n summary[\"failed_items\"].append({\"name\": name, \"error\": str(e)})\n + \ emit_progress(f\"Failed configuring job **{name}**.\\nError: {e}\", + stage=\"configure.jobs.error\")\n\n emit_progress(\n \"\\n\".join(\n [\n + \ \"Jobs summary:\",\n f\"- attempted: {summary['attempted']}\",\n + \ f\"- ok (verified/skip): {summary['ok']}\",\n f\"- + failed: {summary['failed']}\",\n f\"- notes: {', '.join(summary['notes']) + if summary['notes'] else '(none)'}\",\n ]\n ),\n stage=\"configure.jobs.summary\",\n + \ )\n return summary\n\n# ---------------------------\n# Main\n# ---------------------------\n\ndef + main():\n args = demisto.args()\n\n action = (args.get(\"action\") or \"apply\").strip().lower()\n \ pack_id = (args.get(\"pack_id\") or \"\").strip()\n include_hidden = arg_to_bool(args.get(\"include_hidden\"), False)\n dry_run = arg_to_bool(args.get(\"dry_run\"), False)\n\n install_marketplace_flag = arg_to_bool(args.get(\"install_marketplace\"), True)\n apply_configure = arg_to_bool(args.get(\"apply_configure\"), diff --git a/Packs/soc-framework-manager/pack_metadata.json b/Packs/soc-framework-manager/pack_metadata.json index c58dd53..06bb782 100644 --- a/Packs/soc-framework-manager/pack_metadata.json +++ b/Packs/soc-framework-manager/pack_metadata.json 
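Review bot: The new pre-check skips the upsert whenever `jobs_api_find_by_name(name, ...)` returns anything, so a pre-existing job with the same name but a different definition (playbook, schedule, enabled state) is reported as ok and never corrected, whereas the removed code re-applied the definition on every run. Because the match is by name only, the skip branch should either compare the fields the pack cares about before skipping or at least record the skip rather than folding it into `summary["ok"]`, e.g. `summary["notes"].append(f"{name}: existing job left untouched (not verified against pack definition)")` before the `continue`, so the summary can distinguish created from skipped. The pre-check loop also sits outside the `try`, unlike the verification loop that follows it; if `jobs_api_find_by_name` can raise (its body is outside the hunk), a transient Jobs API error now aborts the whole function instead of being recorded in `summary["failed_items"]` for that job as the upsert path does. The enclosing function starts outside the hunk.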
@@ -3,7 +3,7 @@
 "id": "soc-framework-manager",
 "description": "This will install and configure any of the SOC Framework packages.",
 "support": "xsoar",
- "currentVersion": "1.0.10",
+ "currentVersion": "1.0.11",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-framework-manager/xsoar_config.json b/Packs/soc-framework-manager/xsoar_config.json
index c1a0020..56d7f43 100644
--- a/Packs/soc-framework-manager/xsoar_config.json
+++ b/Packs/soc-framework-manager/xsoar_config.json
@@ -2,7 +2,7 @@
 "custom_packs": [
 {
 "id": "soc-framework-manager.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.10/soc-framework-manager-v1.0.10.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-framework-manager-v1.0.11/soc-framework-manager-v1.0.11.zip",
 "system": "yes"
 }
 ],
diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json
new file mode 100644
index 0000000..3b835ff
--- /dev/null
+++ b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json
@@ -0,0 +1 @@ +{"dashboards_data": [{"name": "XSIAM SOC Value Metrics V3", "description": "Actions taken by XSIAM for the SOC", "status": "ENABLED", "layout": [{"id": "row-3521", "data": [{"key": "xql_1745755921627", "data": {"type": "Custom XQL", "width": 50, "height": 405, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by 
value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_category"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}}, {"key": "xql_1745755883243", "data": {"type": "Custom XQL", "width": 50, "height": 405, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = 
alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": 
"=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}}]}, {"id": "row-8840", "data": [{"key": "xql_1745756085465", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it 
scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "funnel", "commands": [{"command": {"op": "=", "name": "header", "value": "\"Most Used Vendors\""}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_vendor"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745755968440", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = 
alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "header", "value": "\"Tool Usage in Hours\""}}, {"command": {"op": 
"=", "name": "xaxis", "value": "tool"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745756273220", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc 
taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "xaxis", "value": "taskName"}}, {"command": {"op": "=", "name": "yaxis", "value": "taskNameCount"}}, {"command": {"op": "=", "name": "legend_percentage", "value": "true"}}, {"func": {"args": ["taskNameCount", "Custom Scripts Used"], "name": "seriestitle"}}]}}}]}, {"id": "row-7484", "data": [{"key": "xql_1745756305970", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = 
divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Use Case Time\""}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745756046680", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" 
and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "header", "value": "\"Hours Saved by XSIAM\""}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}, {"command": {"op": "=", "name": "dataunit", "value": "\"Hours\""}}, {"command": {"op": "=", "name": "headcolor", "value": "\"#f1f7f0\""}}, {"command": {"op": "=", "name": "font", "value": "\"Arial\""}}, {"command": {"op": "=", "name": "headerfontsize", "value": "6"}}]}}}, {"key": "xql_1750429941149", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 86400000}, "viewOptions": 
{"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}}, {"key": "xql_1750429903480", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "config case_sensitive = false\n| dataset = incidents \n| filter status contains \"new\" or status contains \"investigation\"\n| comp count_distinct(incident_id) as total_incidents\n| alter incidents_per_day = round(divide(total_incidents, 7))\n| alter incidents_per_hour = round(divide(incidents_per_day, 8))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}}]}, {"id": "row-1296", "data": [{"key": "xql_1745756206179", "data": {"type": "Custom XQL", "width": 50, "height": 400, "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Total Alerts\""}}, {"command": {"op": "=", "name": "xaxis", "value": "original_tags"}}, 
{"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Alerts\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Data Sources\""}}, {"func": {"args": ["total_alerts", "Alerts by Data Source"], "name": "seriestitle"}}]}}}, {"key": "xql_1745756167461", "data": {"type": "Custom XQL", "width": 50, "height": 400, "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "alert_source"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}]}}}]}, {"id": "row-9104", "data": [{"key": "xql_1750692388012", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750243294068", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.RESOLVED_OTHER and (resolve_comment = \"Resolved by the Auto Triage Job\")) or status = ENUM.RESOLVED_AUTO_RESOLVE or status = ENUM.RESOLVED_AUTO_RESOLVE\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n| view graph type = single subtype = 
standard yaxis = total_incidents ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750429296483", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750429437464", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| filter starred = 1\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}]}], "default_dashboard_id": 1, "global_id": "XSIAM SOC Value Metrics V3", "metadata": {"params": []}}], "widgets_data": [{"widget_key": "xql_1750692388012", "title": "Total Cases", "creation_time": 1770245296602, "description": "", "data": {"phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": 
"subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "sbrumley@paloaltonetworks.com"}, {"widget_key": "xql_1745755968440", "title": "Tools used by XSIAM by Hour", "creation_time": 1770245291127, "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields 
value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "header", "value": "\"Tool Usage in Hours\""}}, {"command": {"op": "=", "name": "xaxis", "value": "tool"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429903480", "title": "Analysts Required post-XSIAM (EPH 8 to 13)", "creation_time": 1770245294279, "description": "Given the total number of manual incidents post-XSIAM and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", "data": {"phrase": "config case_sensitive = false\n| dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.case.id) as total_cases\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter incidents_per_day = round(divide(total_cases, days_selected))\n| alter incidents_per_hour = 
round(divide(incidents_per_day, 24))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756305970", "title": "Common Use Cases", "creation_time": 1770245292203, "description": "Which Use Cases are most often being executed", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter 
total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Use Case Time\""}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756206179", "title": "Total Alerts", "creation_time": 1770245291870, "description": "All alerts firing by alert type", "data": {"phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Total Alerts\""}}, {"command": {"op": "=", "name": "xaxis", "value": "original_tags"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Alerts\""}}, {"command": {"op": "=", "name": "yaxistitle", 
"value": "\"Data Sources\""}}, {"func": {"args": ["total_alerts", "Alerts by Data Source"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["alerts"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756273220", "title": "Custom Scripts Usage", "creation_time": 1770245292050, "description": null, "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| 
filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "xaxis", "value": "taskName"}}, {"command": {"op": "=", "name": "yaxis", "value": "taskNameCount"}}, {"command": {"op": "=", "name": "legend_percentage", "value": "true"}}, {"func": {"args": ["taskNameCount", "Custom Scripts Used"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429941149", "title": "Analysts Required NO XSIAM (EPH 8 to 13)", "creation_time": 1770245295594, "description": "Given the total number of manual incidents and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", "data": {"phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", 
"value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["issues"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750243294068", "title": "Cases Auto Resolved", "creation_time": 1770245292431, "description": "This includes deduping (Palo SOC Framework), auto triage, and auto-resolution by XSIAM", "data": {"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756167461", "title": "Total Alerts By Source", "creation_time": 1770245291767, "description": "How many alerts are native XSIAM alerts", "data": {"phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "alert_source"}}, {"command": 
{"op": "=", "name": "yaxis", "value": "total_alerts"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["alerts"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429437464", "title": "Total Starred Manual Cases", "creation_time": 1770245292868, "description": "", "data": {"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756046680", "title": "Total SOC Hours Worked by XSIAM", "creation_time": 1770245291342, "description": "The number of hours worked by XSIAM automations", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| 
filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "header", "value": "\"Hours Saved by XSIAM\""}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}, {"command": {"op": "=", "name": "dataunit", "value": "\"Hours\""}}, {"command": {"op": "=", "name": "headcolor", "value": "\"#f1f7f0\""}}, {"command": {"op": "=", "name": "font", "value": "\"Arial\""}}, {"command": {"op": "=", "name": "headerfontsize", "value": "6"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429296483", "title": "Total Manual Cases", "creation_time": 1770245292622, "description": "", "data": 
{"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745755883243", "title": "Time Saved by XSIAM per Task", "creation_time": 1770245290172, "description": null, "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != 
\"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": 
{"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756085465", "title": "XSIAM Vendor Usage", "creation_time": 1770245291562, "description": "Which Vendors are being most often automated by XSIAM.", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp 
sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "funnel", "commands": [{"command": {"op": "=", "name": "header", "value": "\"Most Used Vendors\""}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_vendor"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745755921627", "title": "Time Save by Category", "creation_time": 1770245290644, "description": "Total time saved by Category that XSIAM is helping SOC", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, 
alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_category"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": 
["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}]}
\ No newline at end of file
diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Dashboard.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Dashboard.json
deleted file mode 100644
index 232ae27..0000000
--- a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_Dashboard.json
+++ /dev/null
@@ -1,1731 +0,0 @@ -{ - "dashboards_data": [ - { - "name": "XSIAM SOC Value Metrics V3", - "description": "Actions taken by XSIAM for the SOC", - "status": "ENABLED", - "layout": [ - { - "id": "row-3521", - "data": [ - { - "key": "xql_1745755921627", - "data": { - "type": "Custom XQL", - "width": 50, - "height": 405, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp 
sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_category" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_minutes,total_soc_hours" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "#23ae4f" - ], - "name": "seriescolor" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "#7cb5ec" - ], - "name": "seriescolor" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Time\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Category\"" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "Total SOC Minutes" - ], - "name": "seriestitle" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "Total SOC Hours" - ], - "name": "seriestitle" - } - } - ] - } - } - }, - { - "key": "xql_1745755883243", - "data": { - "type": "Custom XQL", - "width": 50, - "height": 405, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to 
these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = 
\"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_tag" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_minutes,total_soc_hours" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "#7cb5ec" - ], - "name": "seriescolor" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "#23ae4f" - ], - "name": "seriescolor" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Time\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Category\"" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "Total SOC Minutes" - ], - "name": "seriestitle" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "Total SOC Hours" - ], - "name": "seriestitle" - } - } - ] - } - } - } - ] - }, - { - "id": "row-8840", - "data": [ - { - "key": "xql_1745756085465", - "data": { - "type": "Custom XQL", - "width": 33.333333333333336, - "height": 352, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", 
\"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "funnel", - "commands": [ - { - "command": { - "op": "=", - "name": "header", - "value": "\"Most Used Vendors\"" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts_names", - "value": 
"true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_vendor" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - } - }, - { - "key": "xql_1745755968440", - "data": { - "type": "Custom XQL", - "width": 33.333333333333336, - "height": 352, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = 
to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "full" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Tool Usage in Hours\"" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "tool" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - } - }, - { - "key": "xql_1745756273220", - "data": { - "type": "Custom XQL", - "width": 33.333333333333336, - "height": 352, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = 
\"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "full" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "taskName" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "taskNameCount" - } - }, - { - "command": { - "op": "=", - "name": "legend_percentage", - "value": "true" - } - }, - { - "func": { - "args": [ - "taskNameCount", - "Custom Scripts Used" - ], - "name": "seriestitle" - } - } - ] - } - } - } - ] - }, - { - "id": "row-7484", - "data": [ - { - "key": "xql_1745756305970", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = 
tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Use Case Time\"" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_tag" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - } - }, - { - "key": "xql_1745756046680", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks 
and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": 
"=", - "name": "header", - "value": "\"Hours Saved by XSIAM\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - }, - { - "command": { - "op": "=", - "name": "dataunit", - "value": "\"Hours\"" - } - }, - { - "command": { - "op": "=", - "name": "headcolor", - "value": "\"#f1f7f0\"" - } - }, - { - "command": { - "op": "=", - "name": "font", - "value": "\"Arial\"" - } - }, - { - "command": { - "op": "=", - "name": "headerfontsize", - "value": "6" - } - } - ] - } - } - }, - { - "key": "xql_1750429941149", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "analyst_required" - } - } - ] - } - } - }, - { - "key": "xql_1750429903480", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "config case_sensitive = false\n| dataset = incidents \n| filter status contains \"new\" or status contains \"investigation\"\n| comp count_distinct(incident_id) as total_incidents\n| alter incidents_per_day = round(divide(total_incidents, 7))\n| alter incidents_per_hour = round(divide(incidents_per_day, 8))\n| alter analyst_required = round(divide(incidents_per_hour, 
13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "analyst_required" - } - } - ] - } - } - } - ] - }, - { - "id": "row-1296", - "data": [ - { - "key": "xql_1745756206179", - "data": { - "type": "Custom XQL", - "width": 50, - "height": 400, - "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Total Alerts\"" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "original_tags" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_alerts" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Alerts\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Data Sources\"" - } - }, - { - "func": { - "args": [ - "total_alerts", - "Alerts by Data Source" - ], - "name": "seriestitle" - } - } - ] - } - } - }, - { - "key": "xql_1745756167461", - "data": { - "type": "Custom XQL", - 
"width": 50, - "height": 400, - "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts_names", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "alert_source" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_alerts" - } - } - ] - } - } - } - ] - }, - { - "id": "row-9104", - "data": [ - { - "key": "xql_1750692388012", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = incidents \n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_incidents" - } - } - ] - } - } - }, - { - "key": "xql_1750243294068", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = incidents \n| filter (status = ENUM.RESOLVED_OTHER and (resolve_comment = \"Resolved by the Auto Triage Job\")) or status = ENUM.RESOLVED_AUTO_RESOLVE or status = ENUM.RESOLVED_AUTO_RESOLVE\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n| view graph type = single subtype = standard yaxis = total_incidents ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": 
{ - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_incidents" - } - } - ] - } - } - }, - { - "key": "xql_1750429296483", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_incidents" - } - } - ] - } - } - }, - { - "key": "xql_1750429437464", - "data": { - "type": "Custom XQL", - "width": 25, - "height": 400, - "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| filter starred = 1\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_incidents" - } - } - ] - } - } - } - ] - } - ], - "default_dashboard_id": 1, - "global_id": "XSIAM SOC Value Metrics V3", - "metadata": { - "params": [] - } - } - ], - "widgets_data": [ - { - "widget_key": "xql_1745755883243", - "title": "Time Saved by XSIAM per Task", - "creation_time": 1758895672392, - "description": null, - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| 
alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" 
seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_tag" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_minutes,total_soc_hours" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "#7cb5ec" - ], - "name": "seriescolor" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "#23ae4f" - ], - "name": "seriescolor" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Time\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Category\"" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "Total SOC Minutes" - ], - "name": "seriestitle" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "Total SOC Hours" - ], - "name": "seriestitle" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745755921627", - "title": "Time Save by Category", - "creation_time": 1758895672538, - "description": "Total time saved by Category that XSIAM is helping SOC", - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = 
alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", - "time_frame": { - "relativeTime": 86400000 - }, - 
"viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_category" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_minutes,total_soc_hours" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "#23ae4f" - ], - "name": "seriescolor" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "#7cb5ec" - ], - "name": "seriescolor" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Time\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Category\"" - } - }, - { - "func": { - "args": [ - "total_soc_minutes", - "Total SOC Minutes" - ], - "name": "seriestitle" - } - }, - { - "func": { - "args": [ - "total_soc_hours", - "Total SOC Hours" - ], - "name": "seriestitle" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745755968440", - "title": "Tools used by XSIAM by Hour", - "creation_time": 1758895672736, - "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| 
filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "full" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Tool Usage in Hours\"" - } - }, - { - "command": { - 
"op": "=", - "name": "xaxis", - "value": "tool" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756046680", - "title": "Total SOC Hours Worked by XSIAM", - "creation_time": 1758895673189, - "description": "The number of hours worked by XSIAM automations", - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains 
vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Hours Saved by XSIAM\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - }, - { - "command": { - "op": "=", - "name": "dataunit", - "value": "\"Hours\"" - } - }, - { - "command": { - "op": "=", - "name": "headcolor", - "value": "\"#f1f7f0\"" - } - }, - { - "command": { - "op": "=", - "name": "font", - "value": "\"Arial\"" - } - }, - { - "command": { - "op": "=", - "name": "headerfontsize", - "value": "6" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756085465", - "title": "XSIAM Vendor Usage", - "creation_time": 1758895673789, - "description": "Which Vendors are being most often automated by XSIAM.", - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = 
alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "funnel", - "commands": [ - { - "command": { - "op": "=", - "name": "header", - "value": "\"Most Used Vendors\"" - } - }, - { - "command": { - "op": "=", - 
"name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts_names", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_vendor" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756167461", - "title": "Total Alerts By Source", - "creation_time": 1758895674347, - "description": "How many alerts are native XSIAM alerts", - "data": { - "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "show_callouts", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "show_callouts_names", - "value": "true" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "alert_source" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_alerts" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "alerts" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756206179", - "title": "Total Alerts", - "creation_time": 1758895674820, - "description": "All alerts firing by alert type", - "data": { - "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = 
column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { - "op": "=", - "name": "header", - "value": "\"Total Alerts\"" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "original_tags" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_alerts" - } - }, - { - "command": { - "op": "=", - "name": "xaxistitle", - "value": "\"Alerts\"" - } - }, - { - "command": { - "op": "=", - "name": "yaxistitle", - "value": "\"Data Sources\"" - } - }, - { - "func": { - "args": [ - "total_alerts", - "Alerts by Data Source" - ], - "name": "seriestitle" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "alerts" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756273220", - "title": "Custom Scripts Usage", - "creation_time": 1758895675532, - "description": null, - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs 
every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "pie", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "full" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "taskName" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "taskNameCount" - } - }, - { - "command": { - "op": "=", - "name": "legend_percentage", - "value": "true" - } - }, - { - "func": { - "args": [ - "taskNameCount", - "Custom Scripts Used" - ], - "name": "seriestitle" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - 
"xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1745756305970", - "title": "Common Use Cases", - "creation_time": 1758895676296, - "description": "Which Use Cases are most often being executed", - "data": { - "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", - "time_frame": { - "relativeTime": 86400000 - }, - "viewOptions": { - "type": "column", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "grouped" - } - }, - { - "command": { - "op": "=", - "name": "layout", - "value": "horizontal" - } - }, - { - "command": { 
- "op": "=", - "name": "header", - "value": "\"Use Case Time\"" - } - }, - { - "command": { - "op": "=", - "name": "xaxis", - "value": "value_tag" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_soc_hours" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "value_tags", - "xsiam_playbookmetrics_raw" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1750243294068", - "title": "Cases Auto Resolved", - "creation_time": 1758895677018, - "description": "This includes deduping (Palo SOC Framework), auto triage, and auto-resolution by XSIAM", - "data": { - "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", - "time_frame": { - "relativeTime": 2592000000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_cases" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "cases" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1750429296483", - "title": "Total Manual Cases", - "creation_time": 1758895677493, - "description": "", - "data": { - "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", - 
"time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_cases" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "cases" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1750429437464", - "title": "Total Starred Manual Cases", - "creation_time": 1758895677854, - "description": "", - "data": { - "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", - "time_frame": { - "relativeTime": 604800000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "total_cases" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "cases" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1750429903480", - "title": "Analysts Required post-XSIAM (EPH 8 to 13)", - "creation_time": 1758895678310, - "description": "Given the total number of manual incidents post-XSIAM and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", - "data": { - "phrase": "config case_sensitive = false\n| dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.case.id) as total_cases\n| 
alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter incidents_per_day = round(divide(total_cases, days_selected))\n| alter incidents_per_hour = round(divide(incidents_per_day, 24))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", - "time_frame": { - "relativeTime": 2592000000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - } - }, - { - "command": { - "op": "=", - "name": "yaxis", - "value": "analyst_required" - } - } - ] - } - }, - "support_time_range": true, - "additional_info": { - "query_tables": [ - "cases" - ], - "query_uses_library": false - }, - "creator_mail": "N/A" - }, - { - "widget_key": "xql_1750429941149", - "title": "Analysts Required NO XSIAM (EPH 8 to 13)", - "creation_time": 1758895678626, - "description": "Given the total number of manual incidents and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", - "data": { - "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", - "time_frame": { - "relativeTime": 2592000000 - }, - "viewOptions": { - "type": "single", - "commands": [ - { - "command": { - "op": "=", - "name": "subtype", - "value": "standard" - 
}
- },
- {
- "command": {
- "op": "=",
- "name": "yaxis",
- "value": "analyst_required"
- }
- }
- ]
- }
- },
- "support_time_range": true,
- "additional_info": {
- "query_tables": [
- "cases"
- ],
- "query_uses_library": false
- },
- "creator_mail": "N/A"
- },
- {
- "widget_key": "xql_1750692388012",
- "title": "Total Cases",
- "creation_time": 1758895678786,
- "description": "",
- "data": {
- "phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ",
- "time_frame": {
- "relativeTime": 2592000000
- },
- "viewOptions": {
- "type": "single",
- "commands": [
- {
- "command": {
- "op": "=",
- "name": "subtype",
- "value": "standard"
- }
- },
- {
- "command": {
- "op": "=",
- "name": "yaxis",
- "value": "total_cases"
- }
- }
- ]
- }
- },
- "support_time_range": true,
- "additional_info": {
- "query_tables": [
- "cases"
- ],
- "query_uses_library": false
- },
- "creator_mail": "sbrumley@paloaltonetworks.com"
- }
- ],
- "id": "SOCFrameworkValueDashboard_V3",
- "name": "XSIAM SOC Value Metrics V3",
- "adopted": true
-}
diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json
index 033e4ca..c3094a6 100644
--- a/Packs/soc-optimization-unified/pack_metadata.json
+++ b/Packs/soc-optimization-unified/pack_metadata.json
@@ -3,7 +3,7 @@
 "id": "soc-optimization-unified",
 "description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.",
 "support": "xsoar",
- "currentVersion": "3.0.25",
+ "currentVersion": "3.0.26",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json
index 9d24350..f628c68 100644
--- a/Packs/soc-optimization-unified/xsoar_config.json
+++ b/Packs/soc-optimization-unified/xsoar_config.json
@@ -8,7 +8,7 @@
 "custom_packs": [
 {
 "id": "soc-optimization-unified.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.25/soc-optimization-unified-v3.0.25.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.26/soc-optimization-unified-v3.0.26.zip",
 "system": "yes"
 },
 {
diff --git a/pack_catalog.json b/pack_catalog.json
index 489d7e8..f2fc772 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -27,7 +27,7 @@
 {
 "id": "soc-framework-manager",
 "display_name": "SOC Framework Package Manager",
- "version": "1.0.10",
+ "version": "1.0.11",
 "path": "Packs/soc-framework-manager",
 "visible": false,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-framework-manager/xsoar_config.json"
@@ -59,7 +59,7 @@
 {
 "id": "soc-optimization-unified",
 "display_name": "SOC Framework Unified",
- "version": "3.0.25",
+ "version": "3.0.26",
 "path": "Packs/soc-optimization-unified",
 "visible": true,
 "xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"