Cortex XDR Alerts




I can't seem to find what I'm looking for in the Cortex XDR console. I am trying to find a way to view all alerts generated whether it is from XDR or Analytics. The only way I can see this list is if I create an exclusion Investigation --> Exclusions --> Add Exclusion. Is there a more direct way to view these Alerts?





While incident/alert information is not currently accessible via XQL, we do offer a few OOTB widgets which could be similar to what you're looking to create.

If you'd go into your XDR tenant -> Dashboards & Reports -> Widget Library and type 'severity' in the search bar you should be able to find the 'Open Incidents By Severity' widget (screenshot attached below).



Let me know if you have any further questions.


OK - I'm not sure what "alert information is not currently accessible via XQL" means, since the Alert table is available and ours currently shows 3600 results.
Is it possible to allow us to add the ALERT TABLE as a favorite button? That way I can get into it with a single button, versus having to go into it via the Incident screen?
Thank you,
Chris Smith

Had this issue today. I said the same thing when I found Alerts Table: "why isn't this an option indented under Incidents"
You can keep it where it is but add the direct link as well

Hey @NPTEChrisSmith and @Optimizer ,


I believe the Alert Table is not in the navigation bar because Palo wants you to steer your focus to the more important Incidents.


The Cortex XDR console will generate an Incident for each alert with severity Medium, High and Critical. It will generate incidents for some Low severity alerts, but not all of them.

Incidents are simple containers, which will consolidate/aggregate all alerts that are somehow related.

So it should be easier to focus on the Incidents and not be overwhelmed by an avalanche of alerts.


Now, that being said, there are two easy ways to navigate to the Alert table without jumping around:

- The easiest way would be to open the URL https://<your-xdr-address>/alerts. You can bookmark this URL and just click on your bookmark after you authenticate (if you open the link after authentication, you will be redirected to the dashboard).

- You can use the quick launcher and its "go to" search. Type "/alert" - "/" to enter go to search and "alert" for the string you want to search. You will see the results below; navigate with the arrows and press Enter to select.



