Querying System Notifications in XSIAM/XDR

Lekshmi.gopinathannair — Mon, 02 Mar 2026 23:04:42 GMT

Hello,

Does anyone know the correct dataset to use for fetching system-based notifications? I need to track infrastructure alerts like Broker VM disk space and connectivity status via XQL. dataset = alerts isn't showing the same history I see in my UI notification centre. Any tips?

Thanks

Re: Querying System Notifications in XSIAM/XDR

susekar — Tue, 03 Mar 2026 17:23:48 GMT

Hello @Lekshmi.gopinathannair ,

Greetings for the day.

In Cortex XSIAM/XDR, infrastructure notifications and system-based alerts are distributed across different datasets depending on the specific type of event (e.g., hardware health vs. management status). The alerts dataset primarily contains security-related signals and specific built-in health alerts, which is why it may not match the full history seen in the UI Notification Center.

To track Broker VM disk space and connectivity, use the following datasets and queries:

1. Broker VM Disk Space (Health Alerts):

Built-in system health alerts, such as a Broker VM reaching the 90% disk usage threshold, are stored in the alerts dataset but are categorized under a specific domain. You must filter for the HEALTH domain to find them.

XQL Query:

dataset = alerts

| filter alert_domain contains "HEALTH"

2. Connectivity and Status (Audit Logs):

Infrastructure status changes, such as Broker VM disconnections, are primarily tracked in the auditing datasets.

Management Auditing:

Use this dataset for official disconnection/reconnection status. A "Disconnect" log entry is typically generated only after 60 continuous minutes of disconnection.

Query to identify Broker VM actions:

dataset = managementauditing 
| filter configtype = "Broker VMs"

Collection Auditing:

This dataset is more effective for monitoring shorter outages or specific applet failures (e.g., Syslog or WEC issues).

Query for applet status changes:

dataset = collection_auditing 
| filter classification in ("error", "warning")
 

Why XQL May Not Match the UI Notification Center:

There are several reasons for discrepancies between XQL results and the UI Notification Center:

UI-Only Notifications: Certain operational notifications, such as “Broker VM requires a reboot” or “Update Available,” are designed as UI-only features and are not always exposed in queryable datasets.
Logging Thresholds: Some status logs (such as disconnections in managementauditing) have time-based thresholds that prevent them from appearing in XQL unless the condition persists.
Performance Metrics: Historical resource utilization (CPU/RAM/Disk load over time) is not ingested into standard XQL datasets.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: Querying System Notifications in XSIAM/XDR in Cortex XSIAM Discussions