diff --git a/.gitignore b/.gitignore
index 7df7349..f73a7db 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,4 +51,5 @@ input_tsv/
 # Generated config assets from release workflow
 ###############################################################################
 # END OF FILE
-###############################################################################
\ No newline at end of file
+###############################################################################
+/output/
diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json
deleted file mode 100644
index 3b835ff..0000000
--- a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM SOC Value Metrics V3.json
+++ /dev/null
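Review bot: The new `/output/` pattern is appended below the `# END OF FILE` banner, so after this hunk the banner no longer marks the end of the file and the entry sits outside the `# Generated config assets from release workflow` section that appears to describe it. Move the line up so that `/output/` follows `# Generated config assets from release workflow` directly and the two banner lines remain the last lines of the file. If `/output/` is where the release workflow writes its generated config, a short comment above the entry such as `# /output/ is produced by the release workflow; generated tenant config must not be committed` would record why it is ignored — I am inferring that purpose from the section header, so confirm it against the workflow before adding it.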
@@ -1 +0,0 @@ -{"dashboards_data": [{"name": "XSIAM SOC Value Metrics V3", "description": "Actions taken by XSIAM for the SOC", "status": "ENABLED", "layout": [{"id": "row-3521", "data": [{"key": "xql_1745755921627", "data": {"type": "Custom XQL", "width": 50, "height": 405, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by 
value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_category"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}}, {"key": "xql_1745755883243", "data": {"type": "Custom XQL", "width": 50, "height": 405, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = 
alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": 
"=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}}]}, {"id": "row-8840", "data": [{"key": "xql_1745756085465", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it 
scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "funnel", "commands": [{"command": {"op": "=", "name": "header", "value": "\"Most Used Vendors\""}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_vendor"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745755968440", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = 
alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "header", "value": "\"Tool Usage in Hours\""}}, {"command": {"op": 
"=", "name": "xaxis", "value": "tool"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745756273220", "data": {"type": "Custom XQL", "width": 33.333333333333336, "height": 352, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc 
taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "xaxis", "value": "taskName"}}, {"command": {"op": "=", "name": "yaxis", "value": "taskNameCount"}}, {"command": {"op": "=", "name": "legend_percentage", "value": "true"}}, {"func": {"args": ["taskNameCount", "Custom Scripts Used"], "name": "seriestitle"}}]}}}]}, {"id": "row-7484", "data": [{"key": "xql_1745756305970", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = 
divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Use Case Time\""}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}}, {"key": "xql_1745756046680", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" 
and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "header", "value": "\"Hours Saved by XSIAM\""}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}, {"command": {"op": "=", "name": "dataunit", "value": "\"Hours\""}}, {"command": {"op": "=", "name": "headcolor", "value": "\"#f1f7f0\""}}, {"command": {"op": "=", "name": "font", "value": "\"Arial\""}}, {"command": {"op": "=", "name": "headerfontsize", "value": "6"}}]}}}, {"key": "xql_1750429941149", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 86400000}, "viewOptions": 
{"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}}, {"key": "xql_1750429903480", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "config case_sensitive = false\n| dataset = incidents \n| filter status contains \"new\" or status contains \"investigation\"\n| comp count_distinct(incident_id) as total_incidents\n| alter incidents_per_day = round(divide(total_incidents, 7))\n| alter incidents_per_hour = round(divide(incidents_per_day, 8))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}}]}, {"id": "row-1296", "data": [{"key": "xql_1745756206179", "data": {"type": "Custom XQL", "width": 50, "height": 400, "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Total Alerts\""}}, {"command": {"op": "=", "name": "xaxis", "value": "original_tags"}}, 
{"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Alerts\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Data Sources\""}}, {"func": {"args": ["total_alerts", "Alerts by Data Source"], "name": "seriestitle"}}]}}}, {"key": "xql_1745756167461", "data": {"type": "Custom XQL", "width": 50, "height": 400, "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "alert_source"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}]}}}]}, {"id": "row-9104", "data": [{"key": "xql_1750692388012", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750243294068", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.RESOLVED_OTHER and (resolve_comment = \"Resolved by the Auto Triage Job\")) or status = ENUM.RESOLVED_AUTO_RESOLVE or status = ENUM.RESOLVED_AUTO_RESOLVE\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n| view graph type = single subtype = 
standard yaxis = total_incidents ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750429296483", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}, {"key": "xql_1750429437464", "data": {"type": "Custom XQL", "width": 25, "height": 400, "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| filter starred = 1\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_incidents"}}]}}}]}], "default_dashboard_id": 1, "global_id": "XSIAM SOC Value Metrics V3", "metadata": {"params": []}}], "widgets_data": [{"widget_key": "xql_1750692388012", "title": "Total Cases", "creation_time": 1770245296602, "description": "", "data": {"phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": 
"subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "sbrumley@paloaltonetworks.com"}, {"widget_key": "xql_1745755968440", "title": "Tools used by XSIAM by Hour", "creation_time": 1770245291127, "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields 
value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "header", "value": "\"Tool Usage in Hours\""}}, {"command": {"op": "=", "name": "xaxis", "value": "tool"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429903480", "title": "Analysts Required post-XSIAM (EPH 8 to 13)", "creation_time": 1770245294279, "description": "Given the total number of manual incidents post-XSIAM and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", "data": {"phrase": "config case_sensitive = false\n| dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.case.id) as total_cases\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter incidents_per_day = round(divide(total_cases, days_selected))\n| alter incidents_per_hour = 
round(divide(incidents_per_day, 24))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756305970", "title": "Common Use Cases", "creation_time": 1770245292203, "description": "Which Use Cases are most often being executed", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter 
total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Use Case Time\""}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756206179", "title": "Total Alerts", "creation_time": 1770245291870, "description": "All alerts firing by alert type", "data": {"phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "header", "value": "\"Total Alerts\""}}, {"command": {"op": "=", "name": "xaxis", "value": "original_tags"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_alerts"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Alerts\""}}, {"command": {"op": "=", "name": "yaxistitle", 
"value": "\"Data Sources\""}}, {"func": {"args": ["total_alerts", "Alerts by Data Source"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["alerts"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756273220", "title": "Custom Scripts Usage", "creation_time": 1770245292050, "description": null, "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| 
filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "subtype", "value": "full"}}, {"command": {"op": "=", "name": "xaxis", "value": "taskName"}}, {"command": {"op": "=", "name": "yaxis", "value": "taskNameCount"}}, {"command": {"op": "=", "name": "legend_percentage", "value": "true"}}, {"func": {"args": ["taskNameCount", "Custom Scripts Used"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429941149", "title": "Analysts Required NO XSIAM (EPH 8 to 13)", "creation_time": 1770245295594, "description": "Given the total number of manual incidents and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", "data": {"phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", 
"value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "analyst_required"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["issues"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750243294068", "title": "Cases Auto Resolved", "creation_time": 1770245292431, "description": "This includes deduping (Palo SOC Framework), auto triage, and auto-resolution by XSIAM", "data": {"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 2592000000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756167461", "title": "Total Alerts By Source", "creation_time": 1770245291767, "description": "How many alerts are native XSIAM alerts", "data": {"phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "pie", "commands": [{"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "alert_source"}}, {"command": 
{"op": "=", "name": "yaxis", "value": "total_alerts"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["alerts"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429437464", "title": "Total Starred Manual Cases", "creation_time": 1770245292868, "description": "", "data": {"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756046680", "title": "Total SOC Hours Worked by XSIAM", "creation_time": 1770245291342, "description": "The number of hours worked by XSIAM automations", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| 
filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "header", "value": "\"Hours Saved by XSIAM\""}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}, {"command": {"op": "=", "name": "dataunit", "value": "\"Hours\""}}, {"command": {"op": "=", "name": "headcolor", "value": "\"#f1f7f0\""}}, {"command": {"op": "=", "name": "font", "value": "\"Arial\""}}, {"command": {"op": "=", "name": "headerfontsize", "value": "6"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1750429296483", "title": "Total Manual Cases", "creation_time": 1770245292622, "description": "", "data": 
{"phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", "time_frame": {"relativeTime": 604800000}, "viewOptions": {"type": "single", "commands": [{"command": {"op": "=", "name": "subtype", "value": "standard"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_cases"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["cases"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745755883243", "title": "Time Saved by XSIAM per Task", "creation_time": 1770245290172, "description": null, "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != 
\"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_tag"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": 
{"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745756085465", "title": "XSIAM Vendor Usage", "creation_time": 1770245291562, "description": "Which Vendors are being most often automated by XSIAM.", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp 
sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "funnel", "commands": [{"command": {"op": "=", "name": "header", "value": "\"Most Used Vendors\""}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "show_callouts_names", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_vendor"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_hours"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}, {"widget_key": "xql_1745755921627", "title": "Time Save by Category", "creation_time": 1770245290644, "description": "Total time saved by Category that XSIAM is helping SOC", "data": {"phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, 
alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", "time_frame": {"relativeTime": 86400000}, "viewOptions": {"type": "column", "commands": [{"command": {"op": "=", "name": "subtype", "value": "grouped"}}, {"command": {"op": "=", "name": "layout", "value": "horizontal"}}, {"command": {"op": "=", "name": "show_callouts", "value": "true"}}, {"command": {"op": "=", "name": "xaxis", "value": "value_category"}}, {"command": {"op": "=", "name": "yaxis", "value": "total_soc_minutes,total_soc_hours"}}, {"func": {"args": 
["total_soc_minutes", "#23ae4f"], "name": "seriescolor"}}, {"func": {"args": ["total_soc_hours", "#7cb5ec"], "name": "seriescolor"}}, {"command": {"op": "=", "name": "xaxistitle", "value": "\"Time\""}}, {"command": {"op": "=", "name": "yaxistitle", "value": "\"Category\""}}, {"func": {"args": ["total_soc_minutes", "Total SOC Minutes"], "name": "seriestitle"}}, {"func": {"args": ["total_soc_hours", "Total SOC Hours"], "name": "seriestitle"}}]}}, "support_time_range": true, "additional_info": {"query_tables": ["value_tags", "xsiam_playbookmetrics_raw"], "query_uses_library": false}, "creator_mail": "N/A"}]}
\ No newline at end of file
diff --git a/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json
new file mode 100644
index 0000000..905842b
--- /dev/null
+++ b/Packs/soc-optimization-unified/XSIAMDashboards/XSIAM_SOC_Value_Metrics_V3.json
@@ -0,0 +1,1729 @@ +{ + "dashboards_data": [ + { + "name": "XSIAM SOC Value Metrics V3", + "description": "Actions taken by XSIAM for the SOC", + "status": "ENABLED", + "layout": [ + { + "id": "row-3521", + "data": [ + { + "key": "xql_1745755921627", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 405, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp 
sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_category" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + } + }, + { + "key": "xql_1745755883243", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 405, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to 
these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = 
\"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + } + } + ] + }, + { + "id": "row-8840", + "data": [ + { + "key": "xql_1745756085465", + "data": { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 352, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", 
\"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "funnel", + "commands": [ + { + "command": { + "op": "=", + "name": "header", + "value": "\"Most Used Vendors\"" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": 
"true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_vendor" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + } + }, + { + "key": "xql_1745755968440", + "data": { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 352, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = 
to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Tool Usage in Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "tool" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + } + }, + { + "key": "xql_1745756273220", + "data": { + "type": "Custom XQL", + "width": 33.333333333333336, + "height": 352, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = 
\"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "taskName" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "taskNameCount" + } + }, + { + "command": { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": { + "args": [ + "taskNameCount", + "Custom Scripts Used" + ], + "name": "seriestitle" + } + } + ] + } + } + } + ] + }, + { + "id": "row-7484", + "data": [ + { + "key": "xql_1745756305970", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = 
tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Use Case Time\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + } + }, + { + "key": "xql_1745756046680", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks 
and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": 
"=", + "name": "header", + "value": "\"Hours Saved by XSIAM\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + }, + { + "command": { + "op": "=", + "name": "dataunit", + "value": "\"Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "headcolor", + "value": "\"#f1f7f0\"" + } + }, + { + "command": { + "op": "=", + "name": "font", + "value": "\"Arial\"" + } + }, + { + "command": { + "op": "=", + "name": "headerfontsize", + "value": "6" + } + } + ] + } + } + }, + { + "key": "xql_1750429941149", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + } + }, + { + "key": "xql_1750429903480", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "config case_sensitive = false\n| dataset = incidents \n| filter status contains \"new\" or status contains \"investigation\"\n| comp count_distinct(incident_id) as total_incidents\n| alter incidents_per_day = round(divide(total_incidents, 7))\n| alter incidents_per_hour = round(divide(incidents_per_day, 8))\n| alter analyst_required = round(divide(incidents_per_hour, 
13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + } + } + ] + }, + { + "id": "row-1296", + "data": [ + { + "key": "xql_1745756206179", + "data": { + "type": "Custom XQL", + "width": 50, + "height": 400, + "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + } + }, + { + "key": "xql_1745756167461", + "data": { + "type": "Custom XQL", + 
"width": 50, + "height": 400, + "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "alert_source" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + } + ] + } + } + } + ] + }, + { + "id": "row-9104", + "data": [ + { + "key": "xql_1750692388012", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = incidents \n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750243294068", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = incidents \n| filter (status = ENUM.RESOLVED_OTHER and (resolve_comment = \"Resolved by the Auto Triage Job\")) or status = ENUM.RESOLVED_AUTO_RESOLVE or status = ENUM.RESOLVED_AUTO_RESOLVE\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n| view graph type = single subtype = standard yaxis = total_incidents ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": 
{ + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750429296483", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + }, + { + "key": "xql_1750429437464", + "data": { + "type": "Custom XQL", + "width": 25, + "height": 400, + "phrase": "dataset = incidents \n| filter (status = ENUM.NEW or status = ENUM.UNDER_INVESTIGATION)\n| filter starred = 1\n| comp count_distinct(incident_id) as total_incidents \n| sort desc total_incidents\n\n\n\n| view graph type = single subtype = standard yaxis = total_incidents ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_incidents" + } + } + ] + } + } + } + ] + } + ], + "default_dashboard_id": 1, + "global_id": "XSIAM_SOC_Value_Metrics_V3", + "metadata": { + "params": [] + } + } + ], + "widgets_data": [ + { + "widget_key": "xql_1750692388012", + "title": "Total Cases", + "creation_time": 1770245296602, + "description": "", + "data": { + "phrase": "dataset = cases \n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + 
"time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "sbrumley@paloaltonetworks.com" + }, + { + "widget_key": "xql_1745755968440", + "title": "Tools used by XSIAM by Hour", + "creation_time": 1770245291127, + "description": "Which tools is XSIAM uniquely automating most of the time by number of hours", + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category 
as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product, value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| alter tool = concat(concat(value_vendor , \" \"), value_product )\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full header = \"Tool Usage in Hours\" xaxis = tool yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Tool Usage in Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "tool" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429903480", + "title": "Analysts Required post-XSIAM (EPH 8 to 13)", + "creation_time": 1770245294279, + "description": "Given the total number of manual incidents post-XSIAM and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", + "data": { + "phrase": "config case_sensitive = false\n| dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = 
\"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.case.id) as total_cases\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter incidents_per_day = round(divide(total_cases, days_selected))\n| alter incidents_per_hour = round(divide(incidents_per_day, 24))\n| alter analyst_required = round(divide(incidents_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756305970", + "title": "Common Use Cases", + "creation_time": 1770245292203, + "description": "Which Use Cases are most often being executed", + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->playbookId\n\n// Filter for just automation\n| filter taskType = \"playbook\"\n| filter taskState = \"Completed\"\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category = \"use_case\"\n| fields Category as value_category, ScriptID as 
value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, PlaybookID as playbook_id\n) as vt (taskName = vt.value_taskname)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, playbook_id \n\n| fields value_time , value_tag , value_category\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = divide(total_soc_minutes,60)\n| sort desc total_soc_hours \n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Use Case Time\" xaxis = value_tag yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Use Case Time\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756206179", + "title": "Total Alerts", + "creation_time": 1770245291870, + "description": "All alerts firing by alert type", + "data": { + "phrase": "dataset = alerts \n| arrayexpand original_tags\n| filter original_tags contains \"DS:\"\n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by original_tags \n| sort desc total_alerts\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal header = \"Total Alerts\" xaxis = original_tags yaxis = total_alerts xaxistitle = \"Alerts\" yaxistitle = \"Data Sources\" 
seriestitle(\"total_alerts\",\"Alerts by Data Source\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Total Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "original_tags" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Alerts\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Data Sources\"" + } + }, + { + "func": { + "args": [ + "total_alerts", + "Alerts by Data Source" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756273220", + "title": "Custom Scripts Usage", + "creation_time": 1770245292050, + "description": null, + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just 
automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| filter value_scriptid = \"Custom\"\n| comp count() as tasknameCount by value_taskname \n| fields value_taskname , taskNameCount\n| sort desc taskNameCount\n\n\n\n\n\n\n\n\n| view graph type = pie subtype = full xaxis = taskName yaxis = taskNameCount legend_percentage = `true` seriestitle(\"taskNameCount\",\"Custom Scripts Used\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "full" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "taskName" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "taskNameCount" + } + }, + { + "command": { + "op": "=", + "name": "legend_percentage", + "value": "true" + } + }, + { + "func": { + "args": [ + "taskNameCount", + "Custom Scripts Used" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429941149", + "title": "Analysts Required NO XSIAM (EPH 8 to 13)", 
+ "creation_time": 1770245295594, + "description": "Given the total number of manual incidents and using the Palo SOC benchmark of 8 to 13 events per hour per analyst, how many analysts would be required to handle all incidents?", + "data": { + "phrase": "config case_sensitive = false\n| dataset = issues \n| comp \n min(_time) as t_start, \n max(_time) as t_end,\n count_distinct(xdm.issue.id) as total_issues\n| alter days_selected = add(timestamp_diff(t_end, t_start, \"DAY\"), 1)\n| alter issues_per_day = round(divide(total_issues, days_selected))\n| alter issues_per_hour = round(divide(issues_per_day, 24))\n| alter analyst_required = round(divide(issues_per_hour, 13))\n| alter analyst_required = if(analyst_required < 1, 1, analyst_required )\n\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = analyst_required ", + "time_frame": { + "relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "analyst_required" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "issues" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750243294068", + "title": "Cases Auto Resolved", + "creation_time": 1770245292431, + "description": "This includes deduping (Palo SOC Framework), auto triage, and auto-resolution by XSIAM", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"RESOLVED\" and (xdm.case.status.resolution_comment = \"Resolved by the Auto Triage Job\" or xdm.case.status.resolution_comment = \"Auto-resolved by Cortex XSIAM because all of the alerts contained in this incident are excluded or resolved\")\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + 
"relativeTime": 2592000000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756167461", + "title": "Total Alerts By Source", + "creation_time": 1770245291767, + "description": "How many alerts are native XSIAM alerts", + "data": { + "phrase": "dataset = alerts \n// Total Alerts\n| comp count_distinct(alert_id) as total_alerts by alert_source \n| sort desc total_alerts\n\n\n| view graph type = pie show_callouts = `true` show_callouts_names = `true` xaxis = alert_source yaxis = total_alerts ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "pie", + "commands": [ + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "alert_source" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_alerts" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "alerts" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429437464", + "title": "Total Starred Manual Cases", + "creation_time": 1770245292868, + "description": "", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| filter xdm.case.starred = true\n| comp count_distinct(xdm.case.id) as total_cases \n| sort desc total_cases\n\n\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 
604800000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756046680", + "title": "Total SOC Hours Worked by XSIAM", + "creation_time": 1770245291342, + "description": "The number of hours worked by XSIAM automations", + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as 
value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_mintutes = to_integer(value_time)\n| comp sum(soc_event_mintutes) as total_soc_minutes\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = single subtype = standard header = \"Hours Saved by XSIAM\" yaxis = total_soc_hours dataunit = \"Hours\" headcolor = \"#f1f7f0\" font = \"Arial\" headerfontsize = 6 ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "single", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "header", + "value": "\"Hours Saved by XSIAM\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + }, + { + "command": { + "op": "=", + "name": "dataunit", + "value": "\"Hours\"" + } + }, + { + "command": { + "op": "=", + "name": "headcolor", + "value": "\"#f1f7f0\"" + } + }, + { + "command": { + "op": "=", + "name": "font", + "value": "\"Arial\"" + } + }, + { + "command": { + "op": "=", + "name": "headerfontsize", + "value": "6" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1750429296483", + "title": "Total Manual Cases", + "creation_time": 1770245292622, + "description": "", + "data": { + "phrase": "dataset = cases \n| filter xdm.case.status_progress = \"NEW\" or xdm.case.status_progress = \"UNDER_INVESTIGATION\"\n| comp count_distinct(xdm.case.id) as total_cases\n| sort desc total_cases\n\n\n\n| view graph type = single subtype = standard yaxis = total_cases ", + "time_frame": { + "relativeTime": 604800000 + }, + "viewOptions": { + "type": "single", + "commands": 
[ + { + "command": { + "op": "=", + "name": "subtype", + "value": "standard" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_cases" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "cases" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745755883243", + "title": "Time Saved by XSIAM per Task", + "creation_time": 1770245290172, + "description": null, + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, 
value_tag, value_taskname, value_time, _time \n\n\n| alter soc_event_minutes = to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_tag\n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_tag , total_soc_minutes , total_soc_hours\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_tag yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_hours\",\"#7cb5ec\") seriescolor(\"total_soc_minutes\",\"#23ae4f\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_tag" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_minutes,total_soc_hours" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "#7cb5ec" + ], + "name": "seriescolor" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "#23ae4f" + ], + "name": "seriescolor" + } + }, + { + "command": { + "op": "=", + "name": "xaxistitle", + "value": "\"Time\"" + } + }, + { + "command": { + "op": "=", + "name": "yaxistitle", + "value": "\"Category\"" + } + }, + { + "func": { + "args": [ + "total_soc_minutes", + "Total SOC Minutes" + ], + "name": "seriestitle" + } + }, + { + "func": { + "args": [ + "total_soc_hours", + "Total SOC Hours" + ], + "name": "seriestitle" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + 
"value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745756085465", + "title": "XSIAM Vendor Usage", + "creation_time": 1770245291562, + "description": "Which Vendors are being most often automated by XSIAM.", + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time, Product as value_product, Vendor as value_vendor\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time, value_product, value_vendor \n\n\n| alter soc_event_minutes = 
to_integer(value_time)\n| comp sum(soc_event_minutes) as total_soc_minutes by value_product , value_vendor \n| alter total_soc_hours = round(divide(total_soc_minutes , 60))\n| fields value_product , value_vendor , total_soc_minutes , total_soc_hours\n| sort desc total_soc_hours\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = funnel header = \"Most Used Vendors\" show_callouts = `true` show_callouts_names = `true` xaxis = value_vendor yaxis = total_soc_hours ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "funnel", + "commands": [ + { + "command": { + "op": "=", + "name": "header", + "value": "\"Most Used Vendors\"" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "show_callouts_names", + "value": "true" + } + }, + { + "command": { + "op": "=", + "name": "xaxis", + "value": "value_vendor" + } + }, + { + "command": { + "op": "=", + "name": "yaxis", + "value": "total_soc_hours" + } + } + ] + } + }, + "support_time_range": true, + "additional_info": { + "query_tables": [ + "value_tags", + "xsiam_playbookmetrics_raw" + ], + "query_uses_library": false + }, + "creator_mail": "N/A" + }, + { + "widget_key": "xql_1745755921627", + "title": "Time Save by Category", + "creation_time": 1770245290644, + "description": "Total time saved by Category that XSIAM is helping SOC", + "data": { + "phrase": "dataset = xsiam_playbookmetrics_raw\n| alter Tasks = Tasks->[]\n| arrayexpand Tasks\n\n// TODO apply a datamodel to these two objects instead (Tasks and Alert)\n| alter\ntaskState = tasks->state,\ntaskType = tasks->type,\ntaskId = tasks->id,\ntaskName = tasks->name,\nscriptID = tasks->scriptId,\nincidentID = alert->[0].parentXDRIncident,\nalertID = alert->[0].id,\nalertName = alert->name,\nalertType = alert->type,\nplaybookId = alert->[0].playbookId\n\n| filter taskType not in (\"start\", \"title\", \"condition\")\n| filter scriptID != \"\" and 
scriptID != null\n\n\n// Since the job which posts this data runs every 15 min there may be duplicate data the more frequent it is run\n\n| alter dedupkey = concat(incidentID,taskId, alertID)\n| dedup dedupkey\n\n\n// Filter for just automation\n//| filter alerttype != \"Unclassified\"\n| filter taskState = \"Completed\"\n| filter tasktype = \"regular\"\n| alter ScriptID = if ( scriptID ~= \"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89abAB][0-9a-f]{3}-[0-9a-f]{12}$\", \"Custom\", ScriptID )\n\n\n//TODO make this a lookup table and join instead to make it scalable\n| join type = inner (dataset = value_tags \n| filter Category != \"use_case\" and Time != \"\" and Time != null and ScriptID != \"\" and ScriptID != null\n| fields Category as value_category, ScriptID as value_scriptid, `Tag` as value_tag, TaskName as value_taskname, Time as value_time\n) as vt (scriptID contains vt.value_scriptid)\n| fields value_category, value_scriptid, value_tag, value_taskname, value_time, _time \n\n\n| fields value_time , value_category\n| alter soc_event_mintutes = to_integer(value_time )\n| comp sum(soc_event_mintutes) as total_soc_minutes by value_category\n| alter total_soc_hours = round(divide(total_soc_minutes,60))\n| sort desc total_soc_minutes\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = value_category yaxis = total_soc_minutes,total_soc_hours seriescolor(\"total_soc_minutes\",\"#23ae4f\") seriescolor(\"total_soc_hours\",\"#7cb5ec\") xaxistitle = \"Time\" yaxistitle = \"Category\" seriestitle(\"total_soc_minutes\",\"Total SOC Minutes\") seriestitle(\"total_soc_hours\",\"Total SOC Hours\") ", + "time_frame": { + "relativeTime": 86400000 + }, + "viewOptions": { + "type": "column", + "commands": [ + { + "command": { + "op": "=", + "name": "subtype", + "value": "grouped" + } + }, + { + "command": { + "op": "=", + "name": "layout", + "value": "horizontal" + } + }, + { + "command": { + "op": 
"=",
+ "name": "show_callouts",
+ "value": "true"
+ }
+ },
+ {
+ "command": {
+ "op": "=",
+ "name": "xaxis",
+ "value": "value_category"
+ }
+ },
+ {
+ "command": {
+ "op": "=",
+ "name": "yaxis",
+ "value": "total_soc_minutes,total_soc_hours"
+ }
+ },
+ {
+ "func": {
+ "args": [
+ "total_soc_minutes",
+ "#23ae4f"
+ ],
+ "name": "seriescolor"
+ }
+ },
+ {
+ "func": {
+ "args": [
+ "total_soc_hours",
+ "#7cb5ec"
+ ],
+ "name": "seriescolor"
+ }
+ },
+ {
+ "command": {
+ "op": "=",
+ "name": "xaxistitle",
+ "value": "\"Time\""
+ }
+ },
+ {
+ "command": {
+ "op": "=",
+ "name": "yaxistitle",
+ "value": "\"Category\""
+ }
+ },
+ {
+ "func": {
+ "args": [
+ "total_soc_minutes",
+ "Total SOC Minutes"
+ ],
+ "name": "seriestitle"
+ }
+ },
+ {
+ "func": {
+ "args": [
+ "total_soc_hours",
+ "Total SOC Hours"
+ ],
+ "name": "seriestitle"
+ }
+ }
+ ]
+ }
+ },
+ "support_time_range": true,
+ "additional_info": {
+ "query_tables": [
+ "value_tags",
+ "xsiam_playbookmetrics_raw"
+ ],
+ "query_uses_library": false
+ },
+ "creator_mail": "N/A"
+ }
+ ],
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/soc-optimization-unified/pack_metadata.json b/Packs/soc-optimization-unified/pack_metadata.json
index e02a04e..440fa73 100644
--- a/Packs/soc-optimization-unified/pack_metadata.json
+++ b/Packs/soc-optimization-unified/pack_metadata.json
@@ -3,7 +3,7 @@
"id": "soc-optimization-unified",
"description": "This contents the content used to leverage processes that the Palo SOC uses including: Playbooks, integrations, layouts, etc.",
"support": "xsoar",
- "currentVersion": "3.0.27",
+ "currentVersion": "3.0.28",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/soc-optimization-unified/xsoar_config.json b/Packs/soc-optimization-unified/xsoar_config.json
index dafa7a9..31c8035 100644
--- a/Packs/soc-optimization-unified/xsoar_config.json
+++ b/Packs/soc-optimization-unified/xsoar_config.json
@@ -8,7 +8,7 @@
"custom_packs": [
{
"id": "soc-optimization-unified.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.27/soc-optimization-unified-v3.0.27.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-optimization-unified-v3.0.28/soc-optimization-unified-v3.0.28.zip",
"system": "yes"
},
{
diff --git a/Packs/soc-trendmicro-visionone/pack_metadata.json b/Packs/soc-trendmicro-visionone/pack_metadata.json
index 80ddbf7..64d8295 100644
--- a/Packs/soc-trendmicro-visionone/pack_metadata.json
+++ b/Packs/soc-trendmicro-visionone/pack_metadata.json
@@ -3,7 +3,7 @@
"id": "soc-trendmicro-visionone",
"description": "This contains enhancement content for Trend Micro Vision One including correlation rules, modeling rules, and layout for XSIAM.",
"support": "xsoar",
- "currentVersion": "1.0.23",
+ "currentVersion": "1.0.24",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
diff --git a/Packs/soc-trendmicro-visionone/xsoar_config.json b/Packs/soc-trendmicro-visionone/xsoar_config.json
index 4070000..d36ee26 100644
--- a/Packs/soc-trendmicro-visionone/xsoar_config.json
+++ b/Packs/soc-trendmicro-visionone/xsoar_config.json
@@ -2,7 +2,7 @@
"custom_packs": [
{
"id": "soc-trendmicro-visionone.zip",
- "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.23/soc-trendmicro-visionone-v1.0.23.zip",
+ "url": "https://github.com/Palo-Cortex/secops-framework/releases/download/soc-trendmicro-visionone-v1.0.24/soc-trendmicro-visionone-v1.0.24.zip",
"system": "yes"
}
],
diff --git a/pack_catalog.json b/pack_catalog.json
index 0012cf7..7208020 100644
--- a/pack_catalog.json
+++ b/pack_catalog.json
@@ -59,7 +59,7 @@
{
"id": "soc-optimization-unified",
"display_name": "SOC Framework Unified",
- "version": "3.0.27",
+ "version": "3.0.28",
"path": "Packs/soc-optimization-unified",
"visible": true,
"xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-optimization-unified/xsoar_config.json"
@@ -75,7 +75,7 @@
{
"id": "soc-trendmicro-visionone",
"display_name": "SOC Trend Micro Enhancement for Cortex XSIAM",
- "version": "1.0.23",
+ "version": "1.0.24",
"path": "Packs/soc-trendmicro-visionone",
"visible": true,
"xsoar_config": "https://raw.githubusercontent.com/Palo-Cortex/secops-framework/refs/heads/main/Packs/soc-trendmicro-visionone/xsoar_config.json"