Reports no longer show the source of an incident


L0 Member

Hello,

One of our customers pointed out that since the 5.0 update of the Cortex console, the report output has changed.
Before the update, the reports always displayed the source of the incident (as highlighted in the “Before.png” file).
Since the 5.0 update, as you can see in the “Now.png” file, the source of the incident is not always displayed in the report.

The customer would like to know if there is a way to make the source appear again when the reports are generated.


Thank you in advance for your response.

1 REPLY

L5 Sessionator

Hello @C.PAPET,

Greetings for the day.

The reported change in incident report output after the Cortex v5.0 update is primarily due to a combination of terminology changes, UI reorganization, and architectural performance optimizations.

Key Factors for Missing "Source" Data:

Performance Decoupling:

In v5.0, Issues (formerly Alerts) are sent for notification immediately upon detection to ensure near real-time reporting.

This can occur before the backend completes grouping the issue into a Case (formerly Incident), which may result in some metadata fields appearing as blank or null in immediate outputs.

Widget Relocation:

The Alert Sources widget was relocated in v5.0 and is now available under the Alerts widget within the Incident Overview tab.

Predefined Template Limitations:

Built-in report templates are static. If the Source field is no longer included in a default report template after the upgrade, a custom report template may be required to ensure the field is displayed.

Steps to Restore the "Source" Field in Reports:

To ensure the Source (or Alert Source) field is included in generated reports:

  1. Navigate to:

    Dashboards & Reports → Customize → Report Templates

  2. Click + New Template and select Blank as the template type.
  3. Drag a Table Widget onto the report canvas.
  4. Set the Data Source to either:
    • Alerts
    • Incidents (Cases)
  5. In the widget's column configuration, manually add the following field:
    • Source
    • Alert Source
  6. (Optional) For raw data reporting, use a custom XQL query within the Attach CSV section:

      dataset = alerts
      | fields _time, alert_id, alert_source, severity

  7. Save the template and configure any required report schedules.

Important: Changes must be saved directly to the report template to ensure they are reflected in scheduled and recurring reports.

Additional Verification:

If the Source field continues to appear as null after configuring a custom report template:

  • Verify that the underlying alert data actually contains values for the alert_source field.
  • Confirm that the selected report dataset includes the required field.
  • Review any field visibility settings configured within the console.
  • Check whether an editable Incident/Case layout configuration affects which fields are exposed to report templates and PDF exports.

It may also be helpful to verify whether any report template, dashboard widget, or case layout customization introduced after the upgrade is affecting field visibility within exported reports.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
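
A way to run the first two verification points from the reply above against a CSV produced by the optional query, as an added example that is not part of the original post and not Palo Alto Networks code. It assumes the export has a header row using the query's field names (`_time`, `alert_id`, `alert_source`, `severity`); the function name, the list of "empty" markers, and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Strings treated as "no source" (assumption about how blanks are exported).
EMPTY_MARKERS = {"", "null", "none", "n/a"}

# Constructed sample export; source names and IDs are illustrative only.
SAMPLE_EXPORT = """\
_time,alert_id,alert_source,severity
2025-01-01T10:00:00Z,1001,XDR Agent,high
2025-01-01T10:05:00Z,1002,,medium
2025-01-01T10:06:00Z,1003,null,low
2025-01-01T10:09:00Z,1004,Correlation,high
"""


def audit_source(csv_text, field="alert_source"):
    """Tell apart 'field not in the dataset/template' from 'field present but null'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    result = {"status": "", "total": 0, "missing_ids": [], "sources": {}}
    if field not in (reader.fieldnames or []):
        # Column absent: fix the query or template columns, not the alert data.
        result["status"] = "field_not_in_export"
        return result
    sources = Counter()
    for row in reader:
        result["total"] += 1
        value = (row.get(field) or "").strip()
        if value.lower() in EMPTY_MARKERS:
            # Column present but empty: the underlying record lacks a source.
            result["missing_ids"].append(row.get("alert_id", "?"))
        else:
            sources[value] += 1
    result["sources"] = dict(sources)
    if result["total"] == 0:
        result["status"] = "no_rows"
    elif not result["missing_ids"]:
        result["status"] = "ok"
    elif len(result["missing_ids"]) == result["total"]:
        result["status"] = "all_values_empty"
    else:
        result["status"] = "some_values_empty"
    return result


if __name__ == "__main__":
    print(audit_source(SAMPLE_EXPORT))
```

A `field_not_in_export` result points at the dataset or column selection, while `some_values_empty` or `all_values_empty` points at the alert records themselves, and the returned `missing_ids` are the ones to look up in the console.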
