Cortex XSIAM XQL: How to find incidents where playbook failed / errored?

R_BhlpMe — Mon, 19 Jan 2026 16:36:13 GMT

I’m new to Cortex XSIAM and XQL, and I’m still learning how things work. I need some help with an XQL query.

I’m trying to create an XQL query where I can see: Incident ID, Incident name , Playbook execution status (failed / error), Playbook name, Error message or failure reason (if available).

I checked the incidents dataset, but I couldn’t find a clear field related to playbook status or errors.

Re: Cortex XSIAM XQL: How to find incidents where playbook failed / errored?

susekar — Tue, 10 Feb 2026 13:44:20 GMT

Hello @R_BhlpMe ,

Greetings for the day.

In Cortex XSIAM, playbook execution details such as failure reasons and error messages are not stored directly in the incidents dataset. Instead, this information is captured in the management_auditing dataset, which tracks automation and system events, or within the alerts dataset for alert-level playbook execution status.

To retrieve both playbook failure details and incident context, you must perform a join between the management_auditing dataset (playbook execution details) and the incidents dataset (incident metadata such as incident name).

XQL Query for Playbook Failures and Errors

The following query filters for automation events that did not complete successfully and joins them with the incidents dataset to provide full context:

dataset = management_auditing 
| filter subtype = "MANAGEMENT_AUDIT_CORTEX_AUTOMATION" 
| filter result != "SUCCESS" 
| join type = inner (dataset = incidents) as inc inc.incident_id = incident_id 
| fields incident_id, inc.name as incident_name, result as status, description as playbook_name, error_message
| sort desc _time

Alternative: Tracking via the Alerts Dataset

If you only need the playbook status and name for playbooks triggered by specific alerts, you can query the alerts dataset. Note that this dataset typically does not include the detailed error_message field found in audit logs.

dataset = alerts 
| filter playbook_run_status != null and playbook_run_status != "Success"
| join type = inner (dataset = incidents) as inc inc.incident_id = incident_id 
| fields incident_id, inc.name as incident_name, playbook_run_status, playbook as playbook_name, _time
| sort desc _time

Key Field Descriptions

management_auditing dataset:
Used for troubleshooting and metrics. Filter on
subtype = "MANAGEMENT_AUDIT_CORTEX_AUTOMATION" to isolate playbook execution events.
result:
Indicates the execution outcome (for example, Error, Failed, Partial Success).
error_message:
Provides the failure reason or technical error returned by the automation engine.
description:
Commonly contains the name of the playbook that was executed.
incidents dataset:
Stores core incident metadata such as incident_id and name.

Dataset Naming Note

In newer versions of XSIAM (3.x and later), the incidents dataset may be referred to as cases, and alerts may be referred to as issues.
If the queries above return no results, try the following substitutions:

Replace dataset = incidents with dataset = cases
Replace incident_id with case_id

Troubleshooting Common Failures

If you encounter errors such as “Failed to start query” when running these XQL queries from a playbook, ensure that your Core Content Pack is updated to version 3.4.38 or later, as earlier versions had known XQL execution stability issues in automation workflows.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar