02-16-2026 06:04 AM
Hello @QuestionAb,
Greetings for the day.
To generate a report of Cortex XDR's actions (such as blocked, quarantined, or isolated events) over a 3-month or 1-year period in graph format, you must use custom XQL queries within the Widget Library, as standard pre-defined widgets are often limited to shorter timeframes (typically 14 to 30 days).
Before building the report, it is critical to understand that standard data retention periods may prevent you from seeing a full year of history for certain action types:
Action Center History: Automatically removed after 90 days (3 months). Manual removal of these records is not supported; they are only cleared by this 90-day process.
Alerts and Incidents: Standard retention is 180 to 186 days (approximately 6 months).
Audit Logs (Management/Agent): Default retention is 365 days (1 year). To report on actions taken a year ago, you may need to query the audit logs dataset.
Telemetry (Raw Ingested Data): Retained for only 30–31 days.
To visualize these actions, follow these steps:
Navigate to Dashboards & Reports → Customize → Widget Library.
Click + Create Custom XQL Widget.
Input an XQL query (see samples below) that aggregates the actions you want to report.
Configure the Visualization settings (e.g., Pie Chart, Column Chart, or Line Graph) and define the X and Y axes based on your query results.
Save the widget and add it to a Report Template under Customize → Report Templates to generate the final PDF or CSV.
This query identifies threats that were blocked or quarantined over the specified timeframe and groups them by month:
dataset = alerts
| filter action_enum in (ENUM.PREVENTED_BLOCKED, ENUM.PREVENTED_QUARANTINED)
| alter month = format_timestamp("%Y-%m", creation_time)
| comp count(alert_id) as total_actions by month, action_enum
| view graph type = column subtype = grouped xaxis = month yaxis = total_actions
Because "Isolated" is a response action rather than a threat detection, it is best tracked via Audit Logs for a 1-year view:
dataset = management_audit_logs
| filter action_type = "Isolate" or action_type = "Unisolate"
| alter month = format_timestamp("%Y-%m", _time)
| comp count(action_type) as isolation_count by month, action_type
| view graph type = column subtype = grouped xaxis = month yaxis = isolation_count
Timeframe Setting: When configuring the Report Template or running the query, ensure you set the timeframe to 3 months or 1 year. If data is missing beyond 6 months, it is likely due to standard retention limits.
Action Center History: If you specifically need history from the Action Center (e.g., file retrievals, scripts), you are limited to 90 days of history.
Licensing: Extended data retention (beyond 180 days for alerts) requires the purchase of additional retention add-on licenses. You can verify your retention limits in the console under Settings → Configurations → Dataset Management.
If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
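As an added example (not from the post above or from Palo Alto Networks), this Python script reproduces the month/action bucketing the two XQL queries perform, on constructed sample rows, and flags which months of the report fall outside the retention windows the post gives for each dataset. The record layout, the sample dates and the report date of 2026-02-16 are assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta

# Retention windows (days) as stated in the post: alerts ~180, audit logs 365.
RETENTION_DAYS = {"alerts": 180, "management_audit_logs": 365}
PREVENTION_ACTIONS = {"PREVENTED_BLOCKED", "PREVENTED_QUARANTINED"}
ISOLATION_ACTIONS = {"Isolate", "Unisolate"}

# Constructed sample rows (timestamp, action); not data from a real tenant.
# The 2025-07 alert is older than 180 days and would normally be absent;
# it is included only to show how such a month gets flagged.
ALERTS = [
    ("2026-01-14T09:12:00", "PREVENTED_BLOCKED"),
    ("2026-01-20T17:45:00", "PREVENTED_QUARANTINED"),
    ("2025-12-02T08:00:00", "PREVENTED_BLOCKED"),
    ("2025-10-11T13:30:00", "DETECTED"),           # not a prevention action
    ("2025-07-05T10:00:00", "PREVENTED_BLOCKED"),
]
AUDIT = [
    ("2025-11-03T11:00:00", "Isolate"),
    ("2025-11-03T15:00:00", "Unisolate"),
    ("2025-04-22T09:30:00", "Isolate"),
    ("2025-04-22T10:10:00", "Password Reset"),     # not an isolation action
]

def month_of(ts):
    # Same bucketing as alter month = format_timestamp("%Y-%m", ...).
    return datetime.fromisoformat(ts).strftime("%Y-%m")

def count_by_month(records, wanted):
    # Equivalent of: filter action in wanted | comp count(...) by month, action
    counts = Counter()
    for ts, action in records:
        if action in wanted:
            counts[(month_of(ts), action)] += 1
    return dict(counts)

def retention_status(dataset, month, today):
    # "none": whole month is older than retention; "partial": only part of it is.
    cutoff = today - timedelta(days=RETENTION_DAYS[dataset])
    first = date.fromisoformat(month + "-01")
    last = (first.replace(day=28) + timedelta(days=4)).replace(day=1) - timedelta(days=1)
    if last < cutoff:
        return "none"
    return "partial" if first < cutoff else "complete"

def monthly_report(dataset, records, wanted, today):
    # Rows of (month, action, count, retention status), sorted like the widget output.
    return [(m, a, n, retention_status(dataset, m, today))
            for (m, a), n in sorted(count_by_month(records, wanted).items())]

if __name__ == "__main__":
    for row in monthly_report("alerts", ALERTS, PREVENTION_ACTIONS, date(2026, 2, 16)):
        print(row)
```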