Is there a difference between issues and alerts in XQL queries?

.522643 — Fri, 01 May 2026 06:50:06 GMT

When querying events with dataset=alerts and dataset=issues, the number of results comes out the same.

What is the difference between the two? In which cases is it better to use alerts or issues? Does anyone know?

Re: Is there a difference between issues and alerts in XQL queries?

susekar — Fri, 01 May 2026 13:29:46 GMT

Greetings for the day.

In Cortex XDR/XSIAM, while both dataset=alerts and dataset=issues represent security detections, they differ primarily in their underlying data schema and their role in the platform's evolution.

(Key Differences)

Schema and Architecture:
dataset=alerts is the legacy dataset that provides raw, granular alert records. It includes specific technical fields such as action (e.g., blocked vs. detected) and incident_id that are critical for detailed monitoring.

dataset=issues is the modern, XDM-based (Cortex Data Model) dataset introduced in newer versions (XDR 4.x/5.0+). It provides aggregated and deduplicated views used primarily by the management console's dashboard.

Informational Severity:
Official documentation states that "Informational" (INFO) severity alerts are not included in the alerts dataset.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Query-incident-and-alert-data

Historically, the issues dataset included "INFO" alerts in XQL queries, even though they were filtered out of the "Issues" UI page. However, engineering has moved toward removing "INFO" alerts from the issues dataset in newer versions to reduce noise.

Field Availability:
Some granular fields like DeviceAction, IncidentID, and ActorProcessID may be missing from the issues dataset schema by design, as the XDM schema is still evolving.

When to Use Each Dataset:

Granular technical analysis of blocked vs. monitored actions: dataset = alerts
Legacy automation or scripts relying on specific field names like action: dataset = alerts
General security monitoring aligned with the modern UI/dashboard: dataset = issues
XDM-based reporting and custom widgets in newer XDR/XSIAM versions: dataset = issues

Why the Results Come Out the Same:

If your query results are identical, it typically means:

No "Informational" Alerts: Both datasets are currently returning only Low, Medium, High, and Critical alerts for your selected timeframe. Since alerts excludes INFO by default and newer versions of issues have also begun excluding them, the counts will match.
Version Parity: In Unified Platform (v5.0+) environments, the underlying data for "Alerts" and "Issues" has been largely unified in the backend database.

How to Verify:

You can check for differences in your environment with:

dataset = issues 
| filter severity = "INFO"

If this returns zero results, the datasets will appear identical in count for standard queries.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".