This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Querying System Notifications in XSIAM/XDR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Querying System Notifications in XSIAM/XDR

Lekshmi.gopinathannair
L0 Member

‎03-02-2026 03:04 PM

Hello,

Does anyone know the correct dataset to use for fetching system-based notifications? I need to track infrastructure alerts like Broker VM disk space and connectivity status via XQL. dataset = alerts isn't showing the same history I see in my UI notification centre. Any tips?
Thanks
0 Likes Likes
1 REPLY 1

susekar
L5 Sessionator

‎03-03-2026 09:23 AM

Hello @Lekshmi.gopinathannair ,

 

Greetings for the day.

 

In Cortex XSIAM/XDR, infrastructure notifications and system-based alerts are distributed across different datasets depending on the specific type of event (e.g., hardware health vs. management status). The alerts dataset primarily contains security-related signals and specific built-in health alerts, which is why it may not match the full history seen in the UI Notification Center.

To track Broker VM disk space and connectivity, use the following datasets and queries:

1. Broker VM Disk Space (Health Alerts):

Built-in system health alerts, such as a Broker VM reaching the 90% disk usage threshold, are stored in the alerts dataset but are categorized under a specific domain. You must filter for the HEALTH domain to find them.

XQL Query:

 

dataset = alerts
| filter alert_domain contains "HEALTH"
 

2. Connectivity and Status (Audit Logs):

Infrastructure status changes, such as Broker VM disconnections, are primarily tracked in the auditing datasets.

Management Auditing:

Use this dataset for official disconnection/reconnection status. A "Disconnect" log entry is typically generated only after 60 continuous minutes of disconnection.

 

Query to identify Broker VM actions:

dataset = managementauditing
| filter configtype = "Broker VMs"
Collection Auditing:

This dataset is more effective for monitoring shorter outages or specific applet failures (e.g., Syslog or WEC issues).

 

Query for applet status changes:
dataset = collection_auditing
| filter classification in ("error", "warning")
 
Why XQL May Not Match the UI Notification Center:

There are several reasons for discrepancies between XQL results and the UI Notification Center:

  • UI-Only Notifications: Certain operational notifications, such as “Broker VM requires a reboot” or “Update Available,” are designed as UI-only features and are not always exposed in queryable datasets.

  • Logging Thresholds: Some status logs (such as disconnections in managementauditing) have time-based thresholds that prevent them from appearing in XQL unless the condition persists.

  • Performance Metrics: Historical resource utilization (CPU/RAM/Disk load over time) is not ingested into standard XQL datasets. 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

 

0 Likes Likes
  • 386 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks