Run or schedule reports

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-11
Category: Administrator Guide
Abstract: You can run reports that are based on dashboard templates, or you can create reports from scratch.

You can generate reports using pre-designed dashboard templates, or create custom reports from scratch with widgets from the Widget Library. You can also schedule your reports to run regularly or just once. All generated reports are saved under Dashboards & Reports → Reports.

To take actions on existing report templates, go to Dashboards & Reports → Report Templates. On this page you can also import and export report templates in JSON format, which enables you to transfer your configurations between environments for onboarding, migration, backup, and sharing. You can bulk export and import multiple report templates at a time.

Note

  • Report templates that are based on custom infrastructure cannot be exported.

  • If you import a report template that already exists in the system, the imported template will overwrite the existing template. If you do not want to overwrite the existing template, duplicate and rename the existing template before importing the new template.

  • You can also quickly create a report template from an existing dashboard by right-clicking the dashboard in the Dashboard Manager and selecting Save as report template.

You can generate a report based on an existing dashboard.

  1. Select Dashboards & Reports → Dashboard Manager.

  2. Right-click the dashboard you want to use, and select Save as report template.

  3. Enter a unique name for the report and an optional description, and click Save.

  4. Select Dashboards & Reports → Report Templates.

  5. Locate your new report template, right-click it, and select:

    • Generate Report: To run the report immediately.

    • Edit: To modify parameters or configure a schedule.

  6. After your report completes, you can download it from the Dashboards & Reports → Reports page.

You can base your report on an existing template, or you can start with a blank template.

  1. Select Dashboards & Reports → Report Templates, and click New Template.

  2. Enter a unique name for the report and an optional description.

    Note

    The report name and description will be displayed in the report header and are not editable during customization.

  3. Under Data Timeframe, select the duration for the report. Custom time frames are limited to one month.

  4. Choose a Report Type (a built-in template or blank) and click Next.

  5. Customize your report.

    Cortex XSIAM offers mock data to help you visualize the data's appearance (default view). To see how the report would look with real data in your environment, switch to Real Data. Select the Preview in A4 icon to see how the report is displayed in an A4 format.

  6. Add widgets to the report or remove them. From the widget library, drag widgets onto the report layout. You can add both standard system widgets and your custom (Public or Restricted) widgets.

    Note

    • For agent-related widgets, you can apply an endpoint scope to refine the displayed data to only show results from specific endpoint groups.

      Select the menu on the top right corner of the widget, select Groups, and select one or more endpoint groups.

    • For case-related widgets, you can refine the displayed data to only show results from cases that match a case starring configuration. A purple star indicates that the widget is displaying only starred cases. For more information, see Case starring.

  7. (Optional) Add filters to the report. Adding filters and inputs to the report gives you the flexibility to filter report data based on default values that you define.

    If you selected a report template with default filters, the filters are displayed at the top of the dashboard. To edit the filters, click Add Filters & Inputs.

    You can configure basic filters that provide predefined static values, as explained in the following steps. Alternatively, you can define dynamic filters that are based on predefined parameters in custom XQL widgets, as explained in Configure filters and inputs for custom XQL widgets.

    1. Click Add Filters & Inputs to define parameters for the report data.

    2. On the FILTERS & INPUTS panel, select a parameter for which to configure a filter.

    3. Under Value, select one or more filter values.

      If no values are selected, the filter name shows an error symbol and you cannot save the filter.

    4. Add more filters as required. You can drag the filters to change the priority.

    5. Click Save Filters & Inputs.

  8. Click Next.

  9. Configure the report execution:

    • Generate now: To run a single instance immediately.

    • Schedule: Define a recurring timeframe for automatic generation.

  10. (Optional) Configure Email Distribution or Slack recipients for the PDF.

    Note

    To send reports to Slack, Slack must be configured as an external application in Cortex XSIAM. For more information, see Integrate Slack for outbound notifications.

  11. (Optional) Select Attach CSV to include raw data from XQL widgets.

    From the menu, select one or more of your custom widgets to attach to the report. The CSV files of the widgets are attached to the report along with the report PDF. Depending on how you chose to send the report, the CSV files are attached as follows:

    • Email: Sent as separate attachments for each widget. The total size of the attachment in the email cannot exceed 20 MB.

    • Slack: Sent within a ZIP file that includes the PDF file.

  12. Click Save Template.

    When you save a new report template, you are automatically designated as the Owner. By default, the report template is set to Restricted access, meaning it is only visible to you and Administrators until you manually configure sharing settings or set the General access to Public.

  13. After your report completes, you can download it from the Dashboards & Reports → Reports page.

    In the Name field, icons indicate the number of attached files for each report. Reports with multiple PDF and CSV files are marked with a zip icon. Reports with a single PDF are marked with a PDF icon.

You can receive an email or send a notification to a syslog server if a report fails to run due to a timeout or fails to upload to the GCP bucket.

  1. Under Settings → Configurations → General → Notifications, click + Add Forwarding Configuration.

  2. Enter a name and a description for your rule, and under Log Type, select Management Audit Logs.

  3. Use a filter to select the Type as Reporting, Subtype as Run Report, and Result as Fail.

  4. Enter a distribution list to receive notifications by email or select a syslog server.

  5. Click Next.

  6. Review settings and click Create.

To ensure continuity when personnel changes occur, only administrators can change the ownership of a custom report template.

Note

When ownership is transferred, any existing report schedules associated with the report template are automatically removed. The new Owner must manually redefine the schedule to resume automated report generation.

  1. Right-click the custom report template in the table and select Change owner.

  2. Select the new owner from the list of users.

  3. Review the warning regarding deleted schedules and click Change.

You can move report templates between different Cortex XSIAM tenants using import and export functionality. Access and ownership are handled as follows during this process:

  • Export: You must have at least Viewer access to a report template to export it. The exported file contains the configuration of the report template but does not include the original access list or ownership data.

  • Import: When you import a report template, you are automatically designated as the Owner of the report template in the new tenant. The report template is imported with Restricted General access by default, and you must manually configure sharing for other users to see it.