01-19-2026 08:36 AM
I’m new to Cortex XSIAM and XQL, and I’m still learning how things work. I need some help with an XQL query.
I’m trying to create an XQL query where I can see: Incident ID, Incident name, Playbook execution status (failed / error), Playbook name, Error message or failure reason (if available).
I checked the incidents dataset, but I couldn’t find a clear field related to playbook status or errors.
02-10-2026 05:44 AM
Hello @R_BhlpMe,
Greetings for the day.
In Cortex XSIAM, playbook execution details such as failure reasons and error messages are not stored directly in the incidents dataset. Instead, this information is captured in the management_auditing dataset, which tracks automation and system events, or within the alerts dataset for alert-level playbook execution status.
To retrieve both playbook failure details and incident context, you must perform a join between the management_auditing dataset (playbook execution details) and the incidents dataset (incident metadata such as incident name).
The following query filters for automation events that did not complete successfully and joins them with the incidents dataset to provide full context:
dataset = management_auditing
| filter subtype = "MANAGEMENT_AUDIT_CORTEX_AUTOMATION"
| filter result != "SUCCESS"
| join type = inner (dataset = incidents) as inc inc.incident_id = incident_id
| fields incident_id, inc.name as incident_name, result as status, description as playbook_name, error_message
| sort desc _time
If you only need the playbook status and name for playbooks triggered by specific alerts, you can query the alerts dataset. Note that this dataset typically does not include the detailed error_message field found in audit logs.
dataset = alerts
| filter playbook_run_status != null and playbook_run_status != "Success"
| join type = inner (dataset = incidents) as inc inc.incident_id = incident_id
| fields incident_id, inc.name as incident_name, playbook_run_status, playbook as playbook_name, _time
| sort desc _time
management_auditing dataset: Used for troubleshooting and metrics. Filter on subtype = "MANAGEMENT_AUDIT_CORTEX_AUTOMATION" to isolate playbook execution events.
result: Indicates the execution outcome (for example, Error, Failed, Partial Success).
error_message: Provides the failure reason or technical error returned by the automation engine.
description: Commonly contains the name of the playbook that was executed.
incidents dataset: Stores core incident metadata such as incident_id and name.
In newer versions of XSIAM (3.x and later), the incidents dataset may be referred to as cases, and alerts may be referred to as issues.
If the queries above return no results, try the following substitutions:
Replace dataset = incidents with dataset = cases
Replace incident_id with case_id
If you encounter errors such as “Failed to start query” when running these XQL queries from a playbook, ensure that your Core Content Pack is updated to version 3.4.38 or later, as earlier versions had known XQL execution stability issues in automation workflows.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
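A follow-on query, added here as an example and not part of the reply above: it aggregates the same management_auditing failure events per playbook and outcome, so the most frequently failing playbooks and their latest error text surface first. It assumes the comp aggregation functions (count, max, values) and the 7-day timeframe config are available in your tenant; field names are the ones used in the reply.

```xql
// Added example: summarise non-successful playbook runs per playbook over the last 7 days.
// Field names (subtype, result, description, error_message, incident_id) are taken from the
// reply above; the 7d timeframe and the comp functions used are assumed to be supported.
config timeframe = 7d
| dataset = management_auditing
| filter subtype = "MANAGEMENT_AUDIT_CORTEX_AUTOMATION" and result != "SUCCESS"
// One row per playbook name and outcome, with a run count, the newest failure time,
// and the distinct error strings seen for that group.
| comp count(incident_id) as failed_runs, max(_time) as last_failure, values(error_message) as error_messages by description, result
| fields description as playbook_name, result as status, failed_runs, last_failure, error_messages
| sort desc failed_runs
| limit 50
```

On a 3.x tenant apply the same substitutions the reply lists (cases / case_id) if the join fields differ.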