https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cloud-identity-engine-cie/m-p/1255630#M421 <P data-end="650" data-start="647">Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1401872841">@A.Velusamy</a>&nbsp;</P> <P data-end="650" data-start="647">&nbsp;</P> <P data-end="938" data-start="652">We are currently using <STRONG data-end="706" data-start="675">Cloud Identity Engine (CIE)</STRONG> in our XSIAM environment, and it has been very useful. One of the main benefits is the additional identity context that becomes visible within incidents and alerts, which helps analysts investigate security events more efficiently.</P> <P data-end="1267" data-start="940">We have integrated CIE with <STRONG data-end="988" data-start="968">Active Directory</STRONG>, and it provides valuable visibility into user identities, group memberships, authentication activities, and associated assets. We have also developed correlation rules based on identity-related logs, which help us better understand user activity and improve detection coverage.</P> <P data-end="1267" data-start="940">&nbsp;</P> <P data-end="1573" data-start="1269">In addition to Active Directory, CIE supports integrations with cloud identity providers such as <STRONG data-end="1399" data-start="1366">Microsoft Entra ID (Azure AD)</STRONG>, <STRONG data-end="1409" data-start="1401">Okta</STRONG>, and other identity sources. This enables XSIAM to correlate user activity across both on-premises and cloud environments, providing a more complete identity view.</P> <P data-end="1573" data-start="1269">&nbsp;</P> <P data-end="1727" data-start="1575">The identity data collected through CIE is leveraged by XSIAM analytics and detection logic to identify suspicious and anomalous user behavior, such as:</P> <UL data-end="1943" data-start="1728"> <LI data-end="1761" data-start="1728" data-section-id="k0dfrq">Unusual authentication patterns</LI> <LI data-end="1795" data-start="1762" data-section-id="fn4wux">Privilege escalation activities</LI> <LI data-end="1821" data-start="1796" data-section-id="n8p8je">Excessive failed logins</LI> <LI data-end="1851" data-start="1822" data-section-id="1ubbar8">Impossible travel scenarios</LI> <LI data-end="1892" data-start="1852" data-section-id="bbronm">Abnormal access to sensitive resources</LI> <LI data-end="1943" data-start="1893" data-section-id="1qwr3oa">Suspicious account usage across multiple systems</LI> </UL> <P data-end="1991" data-start="1945">Overall, we have found CIE to be valuable for:</P> <UL data-end="2477" data-start="1993"> <LI data-end="2044" data-start="1993" data-section-id="4iivmc">Enhanced incident visibility and identity context</LI> <LI data-end="2108" data-start="2045" data-section-id="eijrxi">Active Directory, Entra ID, and Okta user activity monitoring</LI> <LI data-end="2158" data-start="2109" data-section-id="11hignk">Identity-based correlation rules and detections</LI> <LI data-end="2191" data-start="2159" data-section-id="a5ddxc">Improved user-to-asset mapping</LI> <LI data-end="2247" data-start="2192" data-section-id="bmna3j">Better detection of suspicious and anomalous behavior</LI> <LI data-end="2299" data-start="2248" data-section-id="htrpzd">Faster and more effective incident investigations</LI> <LI data-end="2356" data-start="2300" data-section-id="19ax6nn">Improved identity threat detection and response (ITDR)</LI> <LI data-end="2417" data-start="2357" data-section-id="e2wtcl">Better risk-based analysis and user-centric investigations</LI> <LI data-end="2477" data-start="2418" data-section-id="htakb8">Centralized visibility across multiple identity providers</LI> </UL> <P data-end="2771" data-start="2479">In our experience, enabling CIE significantly improves the quality of investigations by providing richer identity context and helping analysts quickly understand who is behind an activity, what systems they have access to, and whether the observed behavior is normal or potentially malicious.</P> <P data-end="2771" data-start="2479">&nbsp;</P> <P><SPAN>Please help out other users and “Accept as Solution” if a post helps solve your problem !</SPAN></P> <P><SPAN><BR /><A href="https://live.paloaltonetworks.com/t5/blogs/how-and-why-to-accept-solutions/ba-p/553827" target="_blank">Read more about how and why to accept solutions.</A></SPAN></P> <P data-end="2771" data-start="2479">&nbsp;</P> <P data-end="2771" data-start="2479"><SPAN>Best Regards,<BR />Vinothkumar.C</SPAN></P> <P data-end="2771" data-start="2479">SBA Info Solutions pvt ltd - Chennai.</P> Mon, 08 Jun 2026 11:40:07 GMT Vinothkumar_SBA 2026-06-08T11:40:07Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cloud-identity-engine-cie/m-p/1255525#M419 <P>Hi,</P> <P>&nbsp;</P> <P><SPAN>Is anyone using Cloud Identity Engine in XSIAM? How useful is it, and could you share your use case and experience?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks</SPAN></P> Fri, 05 Jun 2026 18:18:59 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cloud-identity-engine-cie/m-p/1255525#M419 A.Velusamy 2026-06-05T18:18:59Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cloud-identity-engine-cie/m-p/1255630#M421 <P data-end="650" data-start="647">Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1401872841">@A.Velusamy</a>&nbsp;</P> <P data-end="650" data-start="647">&nbsp;</P> <P data-end="938" data-start="652">We are currently using <STRONG data-end="706" data-start="675">Cloud Identity Engine (CIE)</STRONG> in our XSIAM environment, and it has been very useful. One of the main benefits is the additional identity context that becomes visible within incidents and alerts, which helps analysts investigate security events more efficiently.</P> <P data-end="1267" data-start="940">We have integrated CIE with <STRONG data-end="988" data-start="968">Active Directory</STRONG>, and it provides valuable visibility into user identities, group memberships, authentication activities, and associated assets. We have also developed correlation rules based on identity-related logs, which help us better understand user activity and improve detection coverage.</P> <P data-end="1267" data-start="940">&nbsp;</P> <P data-end="1573" data-start="1269">In addition to Active Directory, CIE supports integrations with cloud identity providers such as <STRONG data-end="1399" data-start="1366">Microsoft Entra ID (Azure AD)</STRONG>, <STRONG data-end="1409" data-start="1401">Okta</STRONG>, and other identity sources. This enables XSIAM to correlate user activity across both on-premises and cloud environments, providing a more complete identity view.</P> <P data-end="1573" data-start="1269">&nbsp;</P> <P data-end="1727" data-start="1575">The identity data collected through CIE is leveraged by XSIAM analytics and detection logic to identify suspicious and anomalous user behavior, such as:</P> <UL data-end="1943" data-start="1728"> <LI data-end="1761" data-start="1728" data-section-id="k0dfrq">Unusual authentication patterns</LI> <LI data-end="1795" data-start="1762" data-section-id="fn4wux">Privilege escalation activities</LI> <LI data-end="1821" data-start="1796" data-section-id="n8p8je">Excessive failed logins</LI> <LI data-end="1851" data-start="1822" data-section-id="1ubbar8">Impossible travel scenarios</LI> <LI data-end="1892" data-start="1852" data-section-id="bbronm">Abnormal access to sensitive resources</LI> <LI data-end="1943" data-start="1893" data-section-id="1qwr3oa">Suspicious account usage across multiple systems</LI> </UL> <P data-end="1991" data-start="1945">Overall, we have found CIE to be valuable for:</P> <UL data-end="2477" data-start="1993"> <LI data-end="2044" data-start="1993" data-section-id="4iivmc">Enhanced incident visibility and identity context</LI> <LI data-end="2108" data-start="2045" data-section-id="eijrxi">Active Directory, Entra ID, and Okta user activity monitoring</LI> <LI data-end="2158" data-start="2109" data-section-id="11hignk">Identity-based correlation rules and detections</LI> <LI data-end="2191" data-start="2159" data-section-id="a5ddxc">Improved user-to-asset mapping</LI> <LI data-end="2247" data-start="2192" data-section-id="bmna3j">Better detection of suspicious and anomalous behavior</LI> <LI data-end="2299" data-start="2248" data-section-id="htrpzd">Faster and more effective incident investigations</LI> <LI data-end="2356" data-start="2300" data-section-id="19ax6nn">Improved identity threat detection and response (ITDR)</LI> <LI data-end="2417" data-start="2357" data-section-id="e2wtcl">Better risk-based analysis and user-centric investigations</LI> <LI data-end="2477" data-start="2418" data-section-id="htakb8">Centralized visibility across multiple identity providers</LI> </UL> <P data-end="2771" data-start="2479">In our experience, enabling CIE significantly improves the quality of investigations by providing richer identity context and helping analysts quickly understand who is behind an activity, what systems they have access to, and whether the observed behavior is normal or potentially malicious.</P> <P data-end="2771" data-start="2479">&nbsp;</P> <P><SPAN>Please help out other users and “Accept as Solution” if a post helps solve your problem !</SPAN></P> <P><SPAN><BR /><A href="https://live.paloaltonetworks.com/t5/blogs/how-and-why-to-accept-solutions/ba-p/553827" target="_blank">Read more about how and why to accept solutions.</A></SPAN></P> <P data-end="2771" data-start="2479">&nbsp;</P> <P data-end="2771" data-start="2479"><SPAN>Best Regards,<BR />Vinothkumar.C</SPAN></P> <P data-end="2771" data-start="2479">SBA Info Solutions pvt ltd - Chennai.</P> Mon, 08 Jun 2026 11:40:07 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cloud-identity-engine-cie/m-p/1255630#M421 Vinothkumar_SBA 2026-06-08T11:40:07Z