topic Re: Email Notifications Setup in Cortex XDR Discussions

Email Notifications Setup

K.Mgbachi — Thu, 22 Jan 2026 12:53:41 GMT

Good day,

Please does anyone know how to setup email alerts for cloud agents warning (like the notifications on the notification tab on the UI) and outdated agents (which are not the latest release/version). thanks

Re: Email Notifications Setup

susekar — Thu, 22 Jan 2026 13:33:33 GMT

Hello @K.Mgbachi ,

Greetings for the day.

Setting up email alerts for agent-related notifications in Cortex XDR/XSIAM is handled through three distinct mechanisms depending on the type of information you wish to receive.

1. Notifications for New Agent Releases and End-of-Life (EOL)

To stay informed about new agent versions (outdated agents) and EOL warnings, you must configure administrative subscriptions. These notifications are sent globally and are not triggered per individual endpoint.

Palo Alto Networks Customer Support Portal (CSP):

Log into the Customer Support Portal.
Navigate to your user profile (click your name) and select Preferences.
Under My Support Notifications, enable:
- Subscribe to Cortex XDR/XSIAM Software Update Emails
- Subscribe to Cortex XDR/XSIAM Content Update Emails

Cortex XDR Server Settings:

Navigate to Settings → Configurations → General → Server Settings.
In the Email Contacts field, add the email addresses or distribution lists that should receive product maintenance, updates, and new version notifications.

2. Operational Alerts for Agent Upgrade Failures

If you specifically want to be notified when an agent fails to move to the latest version (remaining “outdated” due to failure), you can configure a Notification Forwarding rule:

Navigate to Settings → Configurations → General → Notifications.
Click + Add Forwarding Configuration.
Select Agent Audit Logs as the Log Type and click Next.
In the Scope section, apply the following filters:
- Type: Installation
- Sub-Type: Upgrade
- Result: Fail
Add your email to the Distribution List and set the Grouping Time Frame to 0 for immediate alerts.

3. UI Notification Center Limitations

It is important to note that notifications appearing directly in the console’s Notification Center (the bell icon in the UI), such as specific system warnings or Broker VM connectivity events, cannot be forwarded via email by design.

To monitor general “outdated” status for a fleet, it is recommended to use the All Endpoints table and filter by the Operational Status or Agent Version columns periodically, as there is currently no direct “outdated agent” alert trigger in the notification forwarding settings.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!

Thanks & Regards,
S. Subashkar Sekar

Re: Email Notifications Setup

K.Mgbachi — Thu, 22 Jan 2026 14:05:11 GMT

thanks for the response @susekar
However, I am already familiar with the notification types you listed above. Is there no other way to get this info on warnings (for connected datasources) and agents that are outdated (perhaps via api or another way)?
because there is not much from the agents endpoint in the api documentation

BR
Kingsley

Re: Email Notifications Setup

susekar — Thu, 22 Jan 2026 15:01:53 GMT

Hello @K.Mgbachi ,

Thank you for the response.

Yes, there are alternative methods to receive notifications for outdated agents and data source warnings beyond the standard administrative subscriptions. These involve leveraging Cortex Query Language (XQL), Custom Correlation Rules, and the Public API.

1. Monitoring Outdated Agents via XQL and Correlation Rules

Since there is no default “outdated agent” toggle in notification forwarding, you can create a custom detection logic using XQL to identify endpoints not running a specific version.

Create an XQL Query:
Use the endpoints or agent_auditing datasets to identify agents that are not on your target version. For example, you can query the endpoints table and filter for any agent_version that does not match your required release.

Establish a Correlation Rule:
Navigate to Detection → Detection Rules → Correlations. Create a new rule using your XQL query. This rule will trigger a security alert whenever an endpoint reports a version that violates your policy.

Forward the Alert:
Once the correlation rule generates an alert, you can use standard Notification Forwarding (Settings → Configurations → Notifications) to send these specific alerts to your email or Slack.

2. Alerts for Connected Data Source Warnings

Warnings appearing in the UI Notification Center (bell icon) often relate to Broker VM connectivity or integration health. While these specific UI pop-ups cannot be forwarded directly, the underlying events are often logged elsewhere.

Management Audit Logs:
You can configure a Notification Forwarding rule for the Management Audit Logs type. Filter for events related to “Broker VM” to track connectivity issues and cluster events.

Cloud Health Auditing (XSIAM/Unified Platform):
For data source integration warnings, you can run XQL queries on the cloud_health_auditing dataset. This dataset tracks connector issues, such as missing permissions or connectivity errors.

Automation Rules:
You can create an automation rule that triggers a “Send Email” action when a specific health alert or audit log entry is generated.

3. Leveraging the Public API

If you prefer an external monitoring solution, you can use the Cortex REST API to pull health and version data periodically.

Endpoints Data:
Use the get_endpoints API to retrieve a list of all endpoints, including their agent_version, operational_status, and last_seen timestamps. You can then process this JSON output with an external script to identify agents that are outdated compared to the latest release./

XQL API:
You can programmatically run XQL queries against the agent_auditing, management_audit_logs, or cloud_health_auditing datasets using the API to feed into your own alerting dashboard or ticketing system.

Distributions:
To manage outdated agents, you can also use APIs like Get-Distribution-URL to automate the creation and downloading of the latest agent installers.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: Email Notifications Setup

K.Mgbachi — Mon, 23 Feb 2026 15:25:01 GMT

hi @susekar
we did try the above solution but nothing concrete. Is there a way to get the alerts on the notifications tabs aside from the UI (without logging in)?

BR
Kingsley

Re: Email Notifications Setup

susekar — Mon, 23 Feb 2026 15:58:28 GMT

Hello @K.Mgbachi ,

Thank you for the response.

The above are the options.