Cortex Management Report

QuestionAb — Fri, 13 Feb 2026 22:13:21 GMT

I want to know if I can generate a report of Cortex's actions over the last year or 3 months, such as what he blocked, quarantined, isolated, etc., but in a graph format. I tried using a widget library, but I can't find a way to represent that action.

What can I do?

Re: Cortex Management Report

Debbie219Adams — Tue, 17 Feb 2026 04:14:53 GMT

Hello!

Cortex itself doesn’t generate graphs of actions, but you can export its logs (blocked, quarantined, isolated events) for the last year or 3 months and feed them into a visualization tool. Pull the data via AccuLynx com Cortex reports or API, aggregate it in a SIEM or database, then use Grafana, Kibana, Power BI, or Tableau to build charts showing counts and trends. In short, Cortex provides the raw event data, and an external dashboard tool is needed to turn it into the graph format you want.

Re: Cortex Management Report

susekar — Mon, 16 Feb 2026 14:04:01 GMT

Hello @QuestionAb,

Greetings for the day.

To generate a report of Cortex XDR's actions (such as blocked, quarantined, or isolated events) over a 3-month or 1-year period in graph format, you must use custom XQL queries within the Widget Library, as standard pre-defined widgets are often limited to shorter timeframes (typically 14 to 30 days).

1. Data Retention Constraints:

Before building the report, it is critical to understand that standard data retention periods may prevent you from seeing a full year of history for certain action types:

Action Center History: Automatically removed after 90 days (3 months). Manual removal of these records is not supported; they are only cleared by this 90-day process.
Alerts and Incidents: Standard retention is 180 to 186 days (approximately 6 months).
Audit Logs (Management/Agent): Default retention is 365 days (1 year). To report on actions taken a year ago, you may need to query the audit logs dataset.
Telemetry (Raw Ingested Data): Retained for only 30–31 days.

2. How to Create the Graph Report:

To visualize these actions, follow these steps:

Navigate to Dashboards & Reports → Customize → Widget Library.
Click + Create Custom XQL Widget.
Input an XQL query (see samples below) that aggregates the actions you want to report.
Configure the Visualization settings (e.g., Pie Chart, Column Chart, or Line Graph) and define the X and Y axes based on your query results.
Save the widget and add it to a Report Template under Customize → Report Templates to generate the final PDF or CSV.

3. Sample XQL Queries for Actions:

A. Blocked and Quarantined Actions (from Alerts):

This query identifies threats that were blocked or quarantined over the specified timeframe and groups them by month:

B. Isolation Actions (from Audit Logs)

Because "Isolated" is a response action rather than a threat detection, it is best tracked via Audit Logs for a 1-year view:

-Important Considerations

Timeframe Setting: When configuring the Report Template or running the query, ensure you set the timeframe to 3 months or 1 year. If data is missing beyond 6 months, it is likely due to standard retention limits.
Action Center History: If you specifically need history from the Action Center (e.g., file retrievals, scripts), you are limited to 90 days of history.
Licensing: Extended data retention (beyond 180 days for alerts) requires the purchase of additional retention add-on licenses. You can verify your retention limits in the console under Settings → Configurations → Dataset Management.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Cortex Management Report in Cortex XDR Discussions

Cortex Management Report

Re: Cortex Management Report

Re: Cortex Management Report

1. Data Retention Constraints:

2. How to Create the Graph Report:

3. Sample XQL Queries for Actions:

A. Blocked and Quarantined Actions (from Alerts):

B. Isolation Actions (from Audit Logs)

-Important Considerations