Overview of the Issues page

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide

Abstract

The Issues page consolidates all non-informational issues from your detection sources.

The Issues page consolidates all non-informational issues from your detection sources. By default, it displays the security issues received over the last seven days. To open it, go to Cases & Issues > Issues.

Each issue is linked to one or more cases. A case tells the full story of a problem by linking the related issues, assets, and artifacts in one place. To understand how an issue fits into that bigger picture, start your investigation from the Cases page rather than from the isolated issue. The issues linked to a case are listed in the Issues & Insights tab of the selected case; click an issue to open its Issue card. For more information, see Issue card.

Issues in the Health domain are the exception: they are not linked to cases and must be investigated individually. Health domain issues also appear on the Health Issues page. For more information, see About health issues.

Note

Every 12 hours, the system enforces a cleanup policy to remove the oldest issues once the maximum limit is exceeded. The default issue retention period in Cortex XDR is 186 days.

Cortex XDR processes and displays the names of users in the following standardized format, also termed “normalized user”.

<company domain>\<username>

As a result, any issue triggered by a network, authentication, or login event shows the User Name in this standardized format on the Issues and Cases pages. This applies to every Cortex XDR Analytics and Cortex XDR Analytics BIOC issue, and to Correlation, BIOC, and IOC issues triggered on one of these event types. Keep this in mind when you match Cortex XDR user names against other sources (for example a SIEM that records UPNs such as user@domain), since the strings will differ until one side is normalized.

To reduce noise in your environment, firewall issues with the same name and host that are raised within 24 hours of each other are deduplicated into a single issue. A label on that issue shows the number of deduplicated issues, up to a count of 1,000; larger quantities display as 1000+. Note that the label is capped, not the underlying count, so a 1000+ issue should be treated as an indicator of volume rather than an exact figure.

For more information, see Issue deduplication.
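The following is an added illustration of the deduplication rule described above, not code from Cortex XDR or from this documentation. It groups firewall issues by (name, host) within a 24-hour window and produces the count label, including the 1000+ cap. The sample issues, the source names, and the choice to anchor the 24-hour window on the first issue of each group are all assumptions made for the example; the page does not state whether the product's window is anchored or sliding, and the actual product does this server-side.

```python
from datetime import datetime, timedelta

# Constructed sample issues for illustration only; not data from a real tenant.
# Timestamps are ISO 8601 (UTC); the source names are assumptions.
SAMPLE_ISSUES = [
    {"source": "PAN NGFW", "name": "Threat Prevention: spyware", "host": "ws-042", "ts": "2025-07-13T08:00:00"},
    {"source": "PAN NGFW", "name": "Threat Prevention: spyware", "host": "ws-042", "ts": "2025-07-13T09:15:00"},
    {"source": "PAN NGFW", "name": "Threat Prevention: spyware", "host": "ws-042", "ts": "2025-07-13T23:40:00"},
    # 30 hours after the first occurrence: falls outside the window, starts a new group
    {"source": "PAN NGFW", "name": "Threat Prevention: spyware", "host": "ws-042", "ts": "2025-07-14T14:00:00"},
    # same name, different host: never merged with the ws-042 group
    {"source": "PAN NGFW", "name": "Threat Prevention: spyware", "host": "ws-007", "ts": "2025-07-13T08:05:00"},
    # non-firewall source: deduplication does not apply, both rows are kept
    {"source": "XDR Agent", "name": "Behavioral Threat", "host": "ws-042", "ts": "2025-07-13T08:10:00"},
    {"source": "XDR Agent", "name": "Behavioral Threat", "host": "ws-042", "ts": "2025-07-13T08:20:00"},
]

FIREWALL_SOURCES = {"PAN NGFW"}   # assumption: which detection sources count as "firewall"
WINDOW = timedelta(hours=24)      # from the page: same name and host within 24 hours
LABEL_CAP = 1000                  # from the page: counts above 1,000 display as "1000+"


def count_label(count, cap=LABEL_CAP):
    """Render the deduplication count the way the UI label does: exact up to cap, then 'cap+'."""
    return str(count) if count <= cap else f"{cap}+"


def dedupe_issues(issues, window=WINDOW, firewall_sources=FIREWALL_SOURCES, cap=LABEL_CAP):
    """Collapse firewall issues that share (name, host) within `window` into one row.

    Assumption: the window is anchored on the first issue of a group, so a burst that
    lasts longer than 24 hours is split into consecutive groups. Non-firewall issues
    pass through unchanged, one row per issue.
    """
    rows = []
    open_groups = {}  # (name, host) -> index in rows of the currently open group
    for issue in sorted(issues, key=lambda i: i["ts"]):
        ts = datetime.fromisoformat(issue["ts"])
        row = {"source": issue["source"], "name": issue["name"], "host": issue["host"],
               "first_seen": ts, "last_seen": ts, "count": 1}
        if issue["source"] not in firewall_sources:
            rows.append(row)
            continue
        key = (issue["name"], issue["host"])
        idx = open_groups.get(key)
        if idx is not None and ts - rows[idx]["first_seen"] < window:
            rows[idx]["count"] += 1
            rows[idx]["last_seen"] = ts
        else:
            open_groups[key] = len(rows)
            rows.append(row)
    for row in rows:
        row["count_label"] = count_label(row["count"], cap)
    return rows


if __name__ == "__main__":
    for row in dedupe_issues(SAMPLE_ISSUES):
        print(f'{row["count_label"]:>6}  {row["source"]:<10} {row["host"]:<7} {row["name"]}  '
              f'{row["first_seen"]:%m-%d %H:%M} .. {row["last_seen"]:%m-%d %H:%M}')
```

Running the block prints one row per surviving issue: the three ws-042 firewall hits collapse into a single row labelled 3, the hit 30 hours later becomes its own row, the ws-007 hit stays separate, and the two agent issues are untouched. When you export issue data for reporting, remember that a count label of 1000+ hides the true volume; sum the underlying events from the Query Builder instead if you need exact numbers.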

You can highlight issues that are important to you by tagging specific issue attributes, such as host names, user names, IP addresses, and Active Directory, as featured fields. This can help you track issues. For more information, see Create a featured field.

To see a full list of issue fields and descriptions, run the following query in the Query Builder:

datamodel dataset = issues