Run or schedule reports - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

You can run reports that are based on dashboard templates, or you can create reports from scratch.

You can generate reports using pre-designed dashboard templates, or create custom reports from scratch with widgets from the Widget Library. You can also schedule your reports to run regularly or just once.

All reports are saved under Dashboards & ReportsReports. From this page you can download reports, and take actions on existing report templates.

You can generate a report based on an existing dashboard.

  1. Select Dashboards & ReportsCustomizeDashboards Manager.

  2. Right-click the dashboard from which you want to generate a report, and select Save as report template.

  3. Enter a unique name for the report and an optional description, and click Save.

  4. Select Dashboards & ReportsCustomizeReport Templates.

  5. Locate your report and take one of the following actions:

    • To run the report without make any modifications, hover over the report name, and select Generate Report.

    • To modify or schedule the report, hover over the report name, and select Edit.

  6. After your report completes, you can download it from the Dashboards & ReportsReports page.

You can base your report on an existing template, or you can start with a blank template.

  1. Select Dashboards & ReportsCustomizeReports Templates+ New Template.

  2. Enter a unique name for the report and an optional description.

  3. Under Data Timeframe, select the time frame from which to run the report. Custom time frames are limited to one month.

  4. Under Report Type select the report template on which to base the report, or select a blank template to build the report from scratch.

  5. Customize your report.

    Cortex XSIAM offers mock data to help you visualize the data's appearance. To see how the report would look with real data in your environment, switch to Real Data. Select Preview in A4 to see how the report is displayed in an A4 format.

  6. Add or remove widgets to the report. From the widget library, drag widgets on to the report.

  7. (Optional) Include filters in the report.


    Filters are supported only in Cortex XDR Pro and Cortex XSIAM.

    For reports that include Custom XQL widgets with predefined parameters, the FILTERS & INPUTS option is displayed. Defining filters and inputs for the report gives you the flexibility to filter the report data based on default values that you define.

    For information about adding parameters to XQL widgets, see Create custom XQL widgets.

  8. When you have finished customizing your report template, click Next.

  9. If you are ready to run the report select Generate now, or define options for scheduling the report.

  10. (Optional) Under Email Distribution and Slack workspace add the recipients that you want to receive a PDF version of your report.

    Select Add password used to access report sent by email and Slack to set password encryption. Password encryption is only available in PDF format.

  11. (Optional) Select Attach CSV to attach CSV files of your XQL query widgets to the report.

    From the menu, select one or more of your custom widgets to attach to the report. The CSV files of the widgets are attached to the report along with the report PDF. Depending on how you selected to send the report, the CSV file is attached as follows:

    • Email: Sent as separate attachments for each widget. The total size of the attachment in the email cannot exceed 20 MB.

    • Slack: Sent within a ZIP file that includes the PDF file.

  12. Click Save Template.

  13. After your report completes, you can download it from the Dashboards & ReportsReports page.

    In the Name field, icons indicate the number of attached files for each report. Reports with multiple PDF and CSV files are marked with a zip icon. Reports with a single PDF are marked with a PDF icon.

You can receive an email alert if a report fails to run due to a timeout or fails to upload to the GCP bucket.

  1. Under SettingsConfigurationsGeneralNotifications, click + Add Forwarding Configuration.

  2. Enter a name and a description for your rule, and under Log Type, select Management Audit Logs.

  3. Use a filter to select the Type as Reporting, Subtype as Run Report, and Result as Fail.

  4. Under Distribution List, select the email address to send the notification to.

  5. Click Done.