01-22-2026 04:53 AM
Good day,
Please, does anyone know how to set up email alerts for cloud agent warnings (like the notifications on the notification tab in the UI) and outdated agents (which are not on the latest release/version)? Thanks.
01-22-2026 05:33 AM
Hello @K.Mgbachi ,
Greetings for the day.
Setting up email alerts for agent-related notifications in Cortex XDR/XSIAM is handled through three distinct mechanisms depending on the type of information you wish to receive.
To stay informed about new agent versions (outdated agents) and EOL warnings, you must configure administrative subscriptions. These notifications are sent globally and are not triggered per individual endpoint.
Palo Alto Networks Customer Support Portal (CSP):
- Log into the Customer Support Portal.
- Navigate to your user profile (click your name) and select Preferences.
- Under My Support Notifications, enable:
  - Subscribe to Cortex XDR/XSIAM Software Update Emails
  - Subscribe to Cortex XDR/XSIAM Content Update Emails
Cortex XDR Server Settings:
- Navigate to Settings → Configurations → General → Server Settings.
- In the Email Contacts field, add the email addresses or distribution lists that should receive product maintenance, updates, and new version notifications.
If you specifically want to be notified when an agent fails to move to the latest version (remaining “outdated” due to failure), you can configure a Notification Forwarding rule:
- Navigate to Settings → Configurations → General → Notifications.
- Click + Add Forwarding Configuration.
- Select Agent Audit Logs as the Log Type and click Next.
- In the Scope section, apply the following filters:
  - Type: Installation
  - Sub-Type: Upgrade
  - Result: Fail
- Add your email to the Distribution List and set the Grouping Time Frame to 0 for immediate alerts.
It is important to note that notifications appearing directly in the console’s Notification Center (the bell icon in the UI), such as specific system warnings or Broker VM connectivity events, cannot be forwarded via email by design.
To monitor general “outdated” status for a fleet, it is recommended to use the All Endpoints table and filter by the Operational Status or Agent Version columns periodically, as there is currently no direct “outdated agent” alert trigger in the notification forwarding settings.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New Year!!
Thanks & Regards,
S. Subashkar Sekar
01-22-2026 06:05 AM
Thanks for the response @susekar
However, I am already familiar with the notification types you listed above. Is there no other way to get this info on warnings (for connected data sources) and agents that are outdated (perhaps via API or another way)?
Because there is not much from the agents endpoint in the API documentation.
BR
Kingsley
01-22-2026 07:01 AM
Hello @K.Mgbachi ,
Thank you for the response.
Yes, there are alternative methods to receive notifications for outdated agents and data source warnings beyond the standard administrative subscriptions. These involve leveraging Cortex Query Language (XQL), Custom Correlation Rules, and the Public API.
Since there is no default “outdated agent” toggle in notification forwarding, you can create a custom detection logic using XQL to identify endpoints not running a specific version.
Create an XQL Query:
Use the endpoints or agent_auditing datasets to identify agents that are not on your target version. For example, you can query the endpoints table and filter for any agent_version that does not match your required release.
Establish a Correlation Rule:
Navigate to Detection → Detection Rules → Correlations. Create a new rule using your XQL query. This rule will trigger a security alert whenever an endpoint reports a version that violates your policy.
Forward the Alert:
Once the correlation rule generates an alert, you can use standard Notification Forwarding (Settings → Configurations → Notifications) to send these specific alerts to your email or Slack.
Warnings appearing in the UI Notification Center (bell icon) often relate to Broker VM connectivity or integration health. While these specific UI pop-ups cannot be forwarded directly, the underlying events are often logged elsewhere.
Management Audit Logs:
You can configure a Notification Forwarding rule for the Management Audit Logs type. Filter for events related to “Broker VM” to track connectivity issues and cluster events.
Cloud Health Auditing (XSIAM/Unified Platform):
For data source integration warnings, you can run XQL queries on the cloud_health_auditing dataset. This dataset tracks connector issues, such as missing permissions or connectivity errors.
Automation Rules:
You can create an automation rule that triggers a “Send Email” action when a specific health alert or audit log entry is generated.
If you prefer an external monitoring solution, you can use the Cortex REST API to pull health and version data periodically.
Endpoints Data:
Use the get_endpoints API to retrieve a list of all endpoints, including their agent_version, operational_status, and last_seen timestamps. You can then process this JSON output with an external script to identify agents that are outdated compared to the latest release.
XQL API:
You can programmatically run XQL queries against the agent_auditing, management_audit_logs, or cloud_health_auditing datasets using the API to feed into your own alerting dashboard or ticketing system.
Distributions:
To manage outdated agents, you can also use APIs like Get-Distribution-URL to automate the creation and downloading of the latest agent installers.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
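The external-script step described in the reply above, as an added example that is not part of the original thread or Palo Alto's own code: it takes endpoint records that have already been fetched and flags agents below a target version, not in a healthy state, or not seen recently. The field names agent_version, operational_status and last_seen come from the reply; endpoint_name, the "PROTECTED" healthy value, epoch-millisecond timestamps, the 7-day threshold and all sample records are assumptions to check against your tenant's actual response.

```python
from datetime import datetime, timedelta, timezone

def parse_version(text):
    """Turn '8.10.0.77' into (8, 10, 0, 77) so that 8.10 sorts above 8.9."""
    pieces = str(text).split(".")
    if not all(p.isdigit() for p in pieces):
        raise ValueError(f"unparseable agent version: {text!r}")
    return tuple(int(p) for p in pieces)

def audit_endpoints(endpoints, target_version, now, stale_after=timedelta(days=7)):
    """Return {endpoint_name: [reasons]} for endpoints that need attention."""
    target = parse_version(target_version)
    findings = {}
    for ep in endpoints:
        reasons = []
        try:
            if parse_version(ep.get("agent_version", "")) < target:
                reasons.append("outdated")
        except ValueError:
            reasons.append("version-unreadable")  # missing or malformed field
        status = ep.get("operational_status")
        if status != "PROTECTED":  # assumed name of the healthy state
            reasons.append(f"status:{status}")
        seen_ms = ep.get("last_seen")  # assumed to be epoch milliseconds
        if seen_ms is None or (
                now - datetime.fromtimestamp(seen_ms / 1000, timezone.utc) > stale_after):
            reasons.append("stale")
        if reasons:
            findings[ep.get("endpoint_name", "<unknown>")] = reasons
    return findings

# Constructed sample records for illustration, not real API output.
NOW = datetime(2026, 1, 22, tzinfo=timezone.utc)
def _ms(delta):
    return int((NOW - delta).timestamp() * 1000)

SAMPLE = [
    {"endpoint_name": "ws-001", "agent_version": "8.5.0.1234", "operational_status": "PROTECTED", "last_seen": _ms(timedelta(hours=1))},
    {"endpoint_name": "ws-002", "agent_version": "8.10.0.77", "operational_status": "PROTECTED", "last_seen": _ms(timedelta(hours=1))},
    {"endpoint_name": "srv-003", "agent_version": "8.9.0", "operational_status": "PARTIALLY_PROTECTED", "last_seen": _ms(timedelta(days=30))},
    {"endpoint_name": "srv-004", "operational_status": "PROTECTED", "last_seen": _ms(timedelta(hours=2))},
]

if __name__ == "__main__":
    for name, reasons in audit_endpoints(SAMPLE, "8.9.0", NOW).items():
        print(f"{name}: {', '.join(reasons)}")
```

Comparing versions as integer tuples rather than strings is what keeps 8.10 from being reported as older than 8.9; the findings dictionary can then feed whatever mailer or ticketing hook you already run.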

