https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/alerting-when-daily-ingestion-threshold-reaches-80/m-p/1233133#M220 <P>Just wanted to share this with everyone - i am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/ recommendations.</P> <P>&nbsp;</P> <P>The Query below will calculate the daily ingestion per GB and will output 'TRUE' if it exceeds 80% of daily ingestion.</P> <P>&nbsp;</P> <P>&nbsp;dataset = metrics_source <BR />| comp sum(total_size_bytes ) as total_ingestion_gb<BR />| alter total_ingested_gb = divide(round(multiply(divide(total_ingestion_gb, pow(to_number(1024), to_number(3))), 100)), 100)<BR />| alter is_exceeding_80_percent = if(total_ingested_gb &lt;XX&gt;, "TRUE", "FALSE") <BR />| fields total_ingested_gb, is_exceeding_80_percent <BR />| filter is_exceeding_80_percent = "TRUE"</P> <P>&nbsp;</P> <P>(just replace &lt;XX&gt; with your 80% value in GB)</P> <P>&nbsp;</P> <P>In the above example, if Daily ingestion is above &lt;XX&gt;GB per day, it should output as TRUE.</P> <P>Then create a correlation rule that runs once a day if if exceeded,&nbsp; will generate an Alert if TRUE.</P> <P>Then set a Trigger condition/automation to notify (in my case via email) the persons responsible.</P> <P>&nbsp;</P> <P>tested seems to work</P> <P>rgds<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 03 Jul 2025 11:06:32 GMT PA_nts 2025-07-03T11:06:32Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/alerting-when-daily-ingestion-threshold-reaches-80/m-p/1233133#M220 <P>Just wanted to share this with everyone - i am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/ recommendations.</P> <P>&nbsp;</P> <P>The Query below will calculate the daily ingestion per GB and will output 'TRUE' if it exceeds 80% of daily ingestion.</P> <P>&nbsp;</P> <P>&nbsp;dataset = metrics_source <BR />| comp sum(total_size_bytes ) as total_ingestion_gb<BR />| alter total_ingested_gb = divide(round(multiply(divide(total_ingestion_gb, pow(to_number(1024), to_number(3))), 100)), 100)<BR />| alter is_exceeding_80_percent = if(total_ingested_gb &lt;XX&gt;, "TRUE", "FALSE") <BR />| fields total_ingested_gb, is_exceeding_80_percent <BR />| filter is_exceeding_80_percent = "TRUE"</P> <P>&nbsp;</P> <P>(just replace &lt;XX&gt; with your 80% value in GB)</P> <P>&nbsp;</P> <P>In the above example, if Daily ingestion is above &lt;XX&gt;GB per day, it should output as TRUE.</P> <P>Then create a correlation rule that runs once a day if if exceeded,&nbsp; will generate an Alert if TRUE.</P> <P>Then set a Trigger condition/automation to notify (in my case via email) the persons responsible.</P> <P>&nbsp;</P> <P>tested seems to work</P> <P>rgds<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 03 Jul 2025 11:06:32 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/alerting-when-daily-ingestion-threshold-reaches-80/m-p/1233133#M220 PA_nts 2025-07-03T11:06:32Z