Is there a difference between issues and alerts in XQL queries?


L0 Member

When querying events with dataset=alerts and dataset=issues, the number of results comes out the same.

What is the difference between the two? In which cases is it better to use alerts or issues? Does anyone know?

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello @.522643,

Greetings for the day.
In Cortex XDR/XSIAM, while both dataset=alerts and dataset=issues represent security detections, they differ primarily in their underlying data schema and their role in the platform's evolution.

Key Differences:

Schema and Architecture:
dataset=alerts is the legacy dataset that provides raw, granular alert records. It includes specific technical fields such as action (e.g., blocked vs. detected) and incident_id that are critical for detailed monitoring.

dataset=issues is the modern, XDM-based (Cortex Data Model) dataset introduced in newer versions (XDR 4.x/5.0+). It provides aggregated and deduplicated views used primarily by the management console's dashboard.

Informational Severity:
Official documentation states that "Informational" (INFO) severity alerts are not included in the alerts dataset.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Query-incident-an...

Historically, the issues dataset included "INFO" alerts in XQL queries, even though they were filtered out of the "Issues" UI page. However, engineering has moved toward removing "INFO" alerts from the issues dataset in newer versions to reduce noise.


Field Availability:
Some granular fields like DeviceAction, IncidentID, and ActorProcessID may be missing from the issues dataset schema by design, as the XDM schema is still evolving.

When to Use Each Dataset:

  • Granular technical analysis of blocked vs. monitored actions: dataset = alerts
  • Legacy automation or scripts relying on specific field names like action: dataset = alerts
  • General security monitoring aligned with the modern UI/dashboard: dataset = issues
  • XDM-based reporting and custom widgets in newer XDR/XSIAM versions: dataset = issues

Why the Results Come Out the Same:

If your query results are identical, it typically means:

  1. No "Informational" Alerts: Both datasets are currently returning only Low, Medium, High, and Critical alerts for your selected timeframe. Since alerts excludes INFO by default and newer versions of issues have also begun excluding them, the counts will match.
  2. Version Parity: In Unified Platform (v5.0+) environments, the underlying data for "Alerts" and "Issues" has been largely unified in the backend database.

How to Verify:

You can check for differences in your environment with:

dataset = issues
| filter severity = "INFO"

If this returns zero results, the datasets will appear identical in count for standard queries.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
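The following XQL queries are an added worked example that extends the verification step above; they are not part of the original post and not Palo Alto Networks documentation. They assume the `comp`, `sort`, `fields`, `alter` and `limit` stages behave as in standard XQL, and they use the field names `severity`, `action` and `incident_id` that the answer itself mentions; `action` and `incident_id` are assumed to exist only in `dataset = alerts`. Run each query separately in the XQL search console over the same time range and compare the result tables.

```xql
// Added example (not from the original post). Run each query on its own
// over the same time range; compare the tables by hand or in a widget.

// 1. Per-severity counts from the legacy dataset.
dataset = alerts
| comp count() as alert_count by severity
| sort severity asc

// 2. The same breakdown from the XDM-based dataset.
//    Identical tables mean both datasets cover the same detections for this
//    tenant and time range. A severity = "INFO" row that appears here but not
//    in query 1 is the historical difference the answer describes (issues kept
//    INFO records that the alerts dataset never exposed).
dataset = issues
| comp count() as issue_count by severity
| sort severity asc

// 3. The granular blocked-vs-detected breakdown the answer recommends
//    dataset = alerts for: split counts by the assumed `action` field so that
//    prevented activity is not mixed with merely detected activity.
dataset = alerts
| comp count() as alert_count by action, severity
| sort action asc, severity asc

// 4. Field-availability check against the XDM schema. If `action` and
//    `incident_id` are absent from issues by design, this query fails or the
//    columns come back empty; either result tells you that automation which
//    depends on those fields has to stay on dataset = alerts.
dataset = issues
| fields severity, action, incident_id
| limit 10
```

Queries 1 and 2 are the direct check for the question asked: if their per-severity rows match, the two datasets are returning the same population and the choice between them is only about schema and tooling, as the answer states. Query 4 is the cheaper test to run before migrating a script or correlation rule from `alerts` to `issues`.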
