https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1231057#M203 <P>Hi Vinay</P> <P>thanks.. yes I have tried that also.. however I find it is not very efficient.. ie when a broker vm gets disconnected.. it can take some time for this correlation rule to pick this up.. i guess the disconnect only gets updated in the audit logs once the timeout threshold has been received. so in this case.. both queries seems give me the same result.</P> <P>was hoping for something with less time delay.. but can work with it as is.</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> Thu, 05 Jun 2025 07:07:57 GMT PA_nts 2025-06-05T07:07:57Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1229484#M192 <P>Hi All,</P> <P>&nbsp;</P> <P>anyi dea how i can generate an alert when a broker-vm gets disconnected?</P> <P>&nbsp;</P> <P>Has anyone managed to create a correlation rule that will alert if a Broker-VM gets disconnected from XSIAM? </P> <P>the xsiam documentation states that 'To help you monitor your Broker VM version, connectivity, and high availability clusters, <SPAN class="phrase">Cortex XSIAM</SPAN> sends notifications to your <SPAN class="phrase">Cortex XSIAM</SPAN> console Notification Center' but this does not help me much.&nbsp;</P> <P>Additionally you can setup email notification but i don't want that.. instead we have an integration to a backend helpdesk ticket system, so that when an alert is created in xsiam, it sends the incident/alert payload and it then generates a ticket on our backend helpdesk and engineers will be assigned. </P> <P>we use this currently for datasources and ngfw devices that stops sending logs.</P> <P>thanks in adv</P> Tue, 20 May 2025 06:48:52 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1229484#M192 PA_nts 2025-05-20T06:48:52Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1229486#M193 <P>To Add.. </P> <P>If i create a xql query as per below.. it shows me the applets within the broker-vm if they are in an ERROR state</P> <P>note i did this as case sensitive to filter out unwanted error alerts from other datasources.. i am specifically looking for 'broker-vm' issues.</P> <P>&nbsp;</P> <P>config case_sensitive = true |<BR />dataset = collection_auditing<BR />| filter classification = "ERROR"<BR />| comp latest(_time) by collector_type , instance , classification ,description, _broker_ip_address, _broker_device_name, _broker_device_id</P> <P>&nbsp;</P> <P>however.. this will not alert if the broker-vm is disconnected. so still working on that portion.</P> <P>cheers</P> <P>&nbsp;</P> Tue, 20 May 2025 08:36:56 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1229486#M193 PA_nts 2025-05-20T08:36:56Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1230546#M201 <P>Hello,</P> <P>&nbsp;</P> <P>You can identify disconnected Broker VMs by creating a correlation rule with the following query.</P> <P>&nbsp;</P> <P><EM>dataset = management_auditing </EM><BR /><EM>| filter description contains "Broker VM"</EM><BR /><EM>| filter subtype = "Disconnect"</EM></P> <P>&nbsp;</P> <P>Confirm if this works as expected.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Vinay</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 30 May 2025 16:15:25 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1230546#M201 Vinay-AS 2025-05-30T16:15:25Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1231057#M203 <P>Hi Vinay</P> <P>thanks.. yes I have tried that also.. however I find it is not very efficient.. ie when a broker vm gets disconnected.. it can take some time for this correlation rule to pick this up.. i guess the disconnect only gets updated in the audit logs once the timeout threshold has been received. so in this case.. both queries seems give me the same result.</P> <P>was hoping for something with less time delay.. but can work with it as is.</P> <P>&nbsp;</P> <P>thanks</P> <P>&nbsp;</P> Thu, 05 Jun 2025 07:07:57 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/broker-vm-disconnet-alert-notification/m-p/1231057#M203 PA_nts 2025-06-05T07:07:57Z