Create a Custom Widget

Views:

Create custom widgets from XDR Data Explorer search results to visualize and analyze your data through configurable aggregations and groupings.

Custom widgets allow you to visualize and analyze your search data through configurable aggregations and groupings. Use custom widgets to create personalized dashboards that highlight the metrics most important to your security operations.

Note

Custom widget functionality is currently limited to query results from XDR Data Explorer.

Create a custom widget from XDR Data Explorer search results

Go to AGENTIC SIEM AND XDR → XDR Data Explorer.
Select your desired drop-down options (data source / processor, log type, and time period), enter a string in the search field, and click Run Query to obtain results.
Click the Custom Widget icon () to open the Custom Widget editor.
Expand the Query section to review your search parameters:
- Data source / processor: Lists all selected products grouped by layer (Cloud, Email, Endpoint, Network, Identity, Others, Third-Party Logs)
- Time Range: The time range for the query
- LogType: Type of logs (Activity or Detection)
- Query: Search query string

Configure the Data Settings:

Under Aggregation, specify how to calculate your metric:

Field	Description	Required
Function	The aggregation function to apply: Count: Count the total number of events matching the query Sum: Calculate the total sum of values in a numeric field Average: Calculate the mean (average) value of a numeric field Min: Find the smallest value in a numeric field Max: Find the largest value in a numeric field Distinct Count: Count the number of unique values in a field	Yes
Field	The numeric field to aggregate (only for Sum, Average, Min, Max, Distinct Count functions). Start typing to search available fields.	Yes (except for Count)
Metric Name	Optional alias for the metric. Must start with a letter or underscore and contain only alphanumeric characters and underscores. If not specified, a default name will be generated.	No

Under Group By, specify how to group your results:

Field	Description	Required
Method	The grouping method: Field: Group by a specific field value Time Binning: Group by time intervals Time Binning and Field: Group by both time intervals and field values	Yes
Time Interval	The time interval for grouping (only for Time Binning methods): Minute: Group by minute Hour: Group by hour Day: Group by day	Yes (for Time Binning)
Field	The field to group by (only for Field-based methods). Start typing to search available fields.	Yes (for Field-based methods)

Under Result Settings, configure how to display results:

Field	Description	Required
Type	Number of top results to display: Top 5: Show top 5 results Top 10: Show top 10 results Top 20: Show top 20 results Top 50: Show top 50 results Top 100: Show top 100 results Top 500: Show top 500 results Top 1000: Show top 1000 results All Records: Show all results (automatic for time-based grouping)	Yes
Sort By	Sort order for results: For Time Binning methods: Oldest First: Sort by time ascending Newest First: Sort by time descending For Field method: {Function} Highest First: Sort by metric value descending (e.g., "Count Highest First") {Function} Lowest First: Sort by metric value ascending (e.g., "Count Lowest First")	Yes

Field

Description

Required

Type

Number of top results to display:

Top 5: Show top 5 results
Top 10: Show top 10 results
Top 20: Show top 20 results
Top 50: Show top 50 results
Top 100: Show top 100 results
Top 500: Show top 500 results
Top 1000: Show top 1000 results
All Records: Show all results (automatic for time-based grouping)

Yes

Sort By

Sort order for results:

For Time Binning methods:

Oldest First: Sort by time ascending
Newest First: Sort by time descending

For Field method:

{Function} Highest First: Sort by metric value descending (e.g., "Count Highest First")
{Function} Lowest First: Sort by metric value ascending (e.g., "Count Lowest First")

Yes

Under Time Range, select when the widget should query data:

Field	Description	Required
Range	The time range for widget data: Use Query Time Range: Use the time range from your original search (maximum 7 days) Last 10 Minutes: Query the last 10 minutes Last 30 Minutes: Query the last 30 minutes Last 60 Minutes: Query the last 60 minutes Last 12 Hours: Query the last 12 hours Last 24 Hours: Query the last 24 hours Last 7 Days: Query the last 7 days	Yes

Click Fetch Data to preview your widget with the configured settings.

Note

The Fetch Data button is disabled if required fields are missing or invalid. Ensure all required fields are filled with valid values.
Review the widget preview on the dashboard panel.

Tip

If you adjust your configuration, click Fetch Data again to update the preview.
Click Save to add the custom widget to your dashboard.

Chart types

The chart types available for a custom widget depend on the Group By method:

Group By method selected	Chart types available
Field	Bar Chart, Pie Chart, Table
Time Binning	Bar Chart, Line Chart, Time Series Chart, Table
Time Binning and Field	Bar Chart, Line Chart, Time Series Chart, Table

Tips

Use descriptive metric names: A clear metric name helps you identify the widget's purpose at a glance on your dashboard.
Start with simple aggregations: Begin with Count or simple Sum functions before moving to complex multi-field groupings.
Preview before saving: Always click Fetch Data to verify your widget displays the expected data before saving.
Choose appropriate time intervals: For Time Binning, select intervals that match your analysis needs:
- Use Minute for real-time monitoring and immediate event tracking
- Use Hour for short-term trend analysis and recent activity patterns
- Use Day for long-term trend analysis and historical data overview
Limit top results for clarity: When grouping by fields which contain many unique values, use Top 5 or Top 10 to keep visualizations readable.