Run or Schedule Reports - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

You can run ad-hoc reports or create reports that are to be distributed as scheduled.

There are two ways to create a report template:

Run a Report Based on a Dashboard

You can generate a report based on an existing dashboard.

  1. Select Dashboards & ReportsCustomizeDashboards Manager.

  2. Right-click the dashboard from which you want to generate a report, and select Save as report template.

  3. Enter a unique Report Name and an optional Description of the report, then Save the template.

  4. Select ReportingReport Templates.

  5. Run the report.

    You can either Generate Report to run the report on-demand, or you can Edit the report template to define a schedule.

  6. After your report completes, you can download it from the ReportingReports page.

Create a Report from Scratch

You can create a new report, using an existing or new template.

  1. Select Dashboards & ReportsCustomizeDashboards Manager+ New Template.

  2. Enter a unique Report Name and an optional Description of the report.

  3. Select the Data Timeframe for your report.

    You can choose Last 24H (day), Last 7D (week), Last 1M (month), or you can choose a custom time frame.


    The custom time frame is limited to one month.

  4. Choose the Report Type.

    You can use an existing template, or you can build a new report from scratch.

  5. Click Next.

  6. Customize your report.

    To get a feel for how the data will look, Cortex XDR provides mock data. To see how the report would look with real data in your environment, you can use the toggle above the report to use Real Data. Select Preview A4 to view how the report is displayed in an A4 format.

    Drag and drop widgets from the widget library to their desired position.

    If necessary, remove unwanted widgets from the template. To remove a widget, select the menu in the top right corner, and select Remove widget.

    For incident-related widgets, you can also select the star to include only incidents that match an incident starring configuration in your report. A purple star indicates that the widget is displaying only starred incidents.

  7. When you have finished customizing your report template, click Next.

  8. If you are ready to run the report, select Generate now.

  9. To run the report on a regular Schedule, you can specify the time and frequency that Cortex XDR will run the report.

  10. (Optional) Enter an Email Distribution list or Slack workspace to send a PDF version of your report.

    Select Add password used to access report sent by email and Slack to set password encryption.


    Password encryption is only available in PDF format.

  11. (Optional) Attach CSV file of your Cortex Query Language (XQL) query widget to a report.

    From the drop-down menu, search and select one or more of your custom widgets to attach to the report. The XQL query widget is attached to the report as a CSV file along with the customized PDF. Depending on how you selected to send the report, the CSV file is attached as follows:

    • Email—Sent as separate attachments for each widget. The total size of the attachment in the email cannot exceed 20MB.

    • Slack—Sent within a ZIP file that includes the PDF file.

  12. Save Template.

  13. After your report completes, you can download it from the ReportingReports page.

    In the Name field, reports with multiple files, PDF and CSV files, are marked with a report-zip.png icon, while reports with a single PDF are marked with a report-pdf.png icon.


You can receive an email alert if a report fails to run due to timeout or fails to upload to the GCP bucket.

Configure the notification rule for a failed report.

  1. Under SettingsConfigurationsGeneralNotifications , + Add Forwarding Configuration.

  2. Select a Name and a Description for your rule, and under Log Type, select Management Audit Logs.

  3. Use a filter to select the Type as Reporting, Subtype as Run Report, and Result as Fail.

  4. Under Distribution List, select the email address to send the notification to.

  5. Click Done.