This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Cortex Management Report

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex Management Report

QuestionAb
L1 Bithead

‎02-13-2026 02:13 PM

I want to know if I can generate a report of Cortex's actions over the last year or 3 months, such as what he blocked, quarantined, isolated, etc., but in a graph format. I tried using a widget library, but I can't find a way to represent that action.

 

What can I do?

0 Likes Likes
2 REPLIES 2

Debbie219Adams
L0 Member

‎02-16-2026 02:04 AM - edited ‎02-16-2026 08:14 PM

Hello!

Cortex itself doesn’t generate graphs of actions, but you can export its logs (blocked, quarantined, isolated events) for the last year or 3 months and feed them into a visualization tool. Pull the data via AccuLynx com Cortex reports or API, aggregate it in a SIEM or database, then use Grafana, Kibana, Power BI, or Tableau to build charts showing counts and trends. In short, Cortex provides the raw event data, and an external dashboard tool is needed to turn it into the graph format you want. 

0 Likes Likes

susekar
L4 Transporter

‎02-16-2026 06:04 AM

Hello @QuestionAb,

 

Greetings for the day.

 

To generate a report of Cortex XDR's actions (such as blocked, quarantined, or isolated events) over a 3-month or 1-year period in graph format, you must use custom XQL queries within the Widget Library, as standard pre-defined widgets are often limited to shorter timeframes (typically 14 to 30 days).

 

1. Data Retention Constraints:

Before building the report, it is critical to understand that standard data retention periods may prevent you from seeing a full year of history for certain action types:

  • Action Center History: Automatically removed after 90 days (3 months). Manual removal of these records is not supported; they are only cleared by this 90-day process.

  • Alerts and Incidents: Standard retention is 180 to 186 days (approximately 6 months).

  • Audit Logs (Management/Agent): Default retention is 365 days (1 year). To report on actions taken a year ago, you may need to query the audit logs dataset.

  • Telemetry (Raw Ingested Data): Retained for only 30–31 days.

2. How to Create the Graph Report:

To visualize these actions, follow these steps:

  1. Navigate to Dashboards & Reports → Customize → Widget Library.

  2. Click + Create Custom XQL Widget.

  3. Input an XQL query (see samples below) that aggregates the actions you want to report.

  4. Configure the Visualization settings (e.g., Pie Chart, Column Chart, or Line Graph) and define the X and Y axes based on your query results.

  5. Save the widget and add it to a Report Template under Customize → Report Templates to generate the final PDF or CSV.

3. Sample XQL Queries for Actions:

A. Blocked and Quarantined Actions (from Alerts):

This query identifies threats that were blocked or quarantined over the specified timeframe and groups them by month:

dataset = alerts | filter action_enum in (ENUM.PREVENTED_BLOCKED, ENUM.PREVENTED_QUARANTINED) | alter month = format_timestamp("%Y-%m", creation_time) | comp count(alert_id) as total_actions by month, action_enum | view graph type = column subtype = grouped xaxis = month yaxis = total_actions
B. Isolation Actions (from Audit Logs)

Because "Isolated" is a response action rather than a threat detection, it is best tracked via Audit Logs for a 1-year view:

dataset = management_audit_logs | filter action_type = "Isolate" or action_type = "Unisolate" | alter month = format_timestamp("%Y-%m", _time) | comp count(action_type) as isolation_count by month, action_type | view graph type = column subtype = grouped xaxis = month yaxis = isolation_count

-Important Considerations

  • Timeframe Setting: When configuring the Report Template or running the query, ensure you set the timeframe to 3 months or 1 year. If data is missing beyond 6 months, it is likely due to standard retention limits.

  • Action Center History: If you specifically need history from the Action Center (e.g., file retrievals, scripts), you are limited to 90 days of history.

  • Licensing: Extended data retention (beyond 180 days for alerts) requires the purchase of additional retention add-on licenses. You can verify your retention limits in the console under Settings → Configurations → Dataset Management.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

0 Likes Likes
  • 49 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks