Vulnerability XQL Dashboard Creation - Mastering Asset Risk & CVE Tracking

Vulnerability XQL Dashboard

Learn how to build advanced vulnerability management dashboards in Cortex XDR using XQL. Track CVEs, assess asset risk, and visualize vulnerability distribution.

22nd Apr 2026

5 min read

CortexXQLVulnerabilityCVEDashboardSecurityOps

Effective vulnerability management requires more than just a list of CVEs; it requires visibility across your entire infrastructure. In Cortex, the issues dataset provides a centralized view of vulnerabilities discovered by various security modules.

In this blog, we will explore three advanced XQL queries designed to help you build a professional Vulnerability Management Dashboard. We will focus on severity distribution and asset-level risk analysis.

1. Vulnerability Severity Distribution by Asset

This query creates a Pie Chart that groups open vulnerabilities by their severity level. It includes a dynamic filter for specific asset names, making it perfect for "Asset Detail" dashboard views.

The Query:

dataset = issues
| alter 
    severity = xdm.issue.severity, 
    asset_name = json_extract_scalar(xdm.issue.extended_fields, "$.xdm_assets[0].xdm__asset__name")
| filter xdm.issue.status.progress != "RESOLVED" 
    and xdm.issue.category = "VULNERABILITY" 
    and asset_name in ($asset_name)
| comp count() as issues by severity

| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14 seriestitle("issues","CVE")

Detailed Explanation:

  • json_extract_scalar: Vulnerability data often contains nested JSON objects. We use this function to pull the specific asset name from the extended_fields blob.
  • Filtering:
    • xdm.issue.status.progress != "RESOLVED": Ensures we only focus on active vulnerabilities that still require attention.
    • xdm.issue.category = "VULNERABILITY": Filters out other types of issues (like posture or policy violations) to focus purely on CVEs.
    • $asset_name: A dashboard variable that allows users to drill down into a specific machine.
  • Aggregation: comp count() as issues by severity counts the number of vulnerabilities for each risk level (Critical, High, etc.).
  • Visualization: seriestitle("issues","CVE") renames the data series in the legend for better clarity for SOC analysts.

2. Regional Vulnerability Heatmap (Severity by Realm)

Security posture often varies by business unit or cloud environment ("Realms"). This query helps you identify which parts of your infrastructure are most at risk by grouping severities by their asset realm.

The Query:

dataset = issues
| alter 
    severity = xdm.issue.severity, 
    asset_realm = json_extract_scalar(xdm.issue.extended_fields, "$.xdm_assets[0].xdm__asset__realm")
| filter xdm.issue.status.progress != "RESOLVED" 
    and xdm.issue.category = "VULNERABILITY" 
    and asset_realm in (to_string($asset_realm))
| comp count() as issues by severity

| view graph type = pie subtype = grouped xaxis = severity yaxis = issues headerfontsize = 14

Detailed Explanation:

  • Relational Context: By extracting xdm__asset__realm, we can see the vulnerability distribution across different cloud accounts or physical locations.
  • Dynamic Scope: The $asset_realm variable allows leadership to see the risk profile of a specific department or region.
  • Logic: Similar to the first query, this provides a breakdown of severity, but within the context of a wider organizational boundary.

3. Top Vulnerable Realms (Unique CVE Count)

Not all realms are created equal. Some might have many issues but only a few unique CVEs. This query identifies which asset realms have the highest diversity of vulnerabilities by counting unique CVE IDs.

The Query:

dataset = issues
| alter asset_realm = json_extract_scalar(xdm.issue.extended_fields, "$.xdm_assets[0].xdm__asset__realm")
| alter cve_id = json_extract_scalar(xdm.issue.extended_fields, "$.cve_id")
| filter xdm.issue.category = "VULNERABILITY"
    and asset_realm != null
    and cve_id != null
| comp count_distinct(cve_id) as unique_cves by asset_realm
| sort desc unique_cves

| view graph type = column subtype = grouped layout = horizontal xaxis = asset_realm yaxis = unique_cves headerfontsize = 14 legend = `false`

Detailed Explanation:

  • count_distinct(cve_id): This is the key metric. It ignores duplicate instances of the same vulnerability across multiple machines and tells you how many unique security flaws exist in that realm.
  • Data Cleaning: We explicitly filter for asset_realm != null and cve_id != null to ensure the resulting chart is clean and professional.
  • sort desc: Ranks the realms from "Most Vulnerable" to "Least Vulnerable," allowing for immediate prioritization.
  • Horizontal Column Chart: This layout is ideal for displaying long realm names or IDs clearly along the Y-axis.

Summary Table for Dashboard Builders

Dashboard WidgetDatasetKey MetricVisualization
Asset Severity Viewissuescount()Pie Chart
Regional Risk Profileissuescount()Pie Chart
Top Vulnerable Realmsissuescount_distinct(cve_id)Horizontal Column

Mastering these queries will transform your Cortex dashboard from a simple log viewer into a powerful strategic asset for your security team.

Happy Hunting!

Share this post: