https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/issue-stitching/m-p/1257108#M437 <P>Hello everyone!</P> <P><BR />can someone explain me how the issues are stitched into cases in XSIAM?<BR />Please explain me in detail.</P> Tue, 23 Jun 2026 07:27:11 GMT B.kumar873690 2026-06-23T07:27:11Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/issue-stitching/m-p/1257108#M437 <P>Hello everyone!</P> <P><BR />can someone explain me how the issues are stitched into cases in XSIAM?<BR />Please explain me in detail.</P> Tue, 23 Jun 2026 07:27:11 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/issue-stitching/m-p/1257108#M437 B.kumar873690 2026-06-23T07:27:11Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/issue-stitching/m-p/1257135#M438 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1685304355">@B.kumar873690</a>&nbsp;</P> <P data-end="10" data-start="0">&nbsp;</P> <P data-end="690" data-start="12">In <STRONG data-end="31" data-start="15">Cortex XSIAM</STRONG>, the stitching of Alerts into Issues and Issues into Cases is driven by an AI/ML-based correlation engine designed to build a unified attack narrative from large-scale security telemetry. At the first level, multiple alerts are grouped into an <STRONG data-end="285" data-start="276">Issue</STRONG> when XSIAM identifies strong relationships such as shared entities (user, endpoint, IP address, cloud resource, or identity), temporal proximity, behavioral similarity, and process causality (parent-child process relationships). This ensures that individual alerts are not treated in isolation but are instead combined into a single meaningful security story segment representing part of an attack chain.</P> <P data-end="690" data-start="12">&nbsp;</P> <P data-end="1300" data-start="692">At the next level, multiple <STRONG data-end="755" data-start="720">Issues are stitched into a Case</STRONG>, which represents the full end-to-end security incident or attack campaign. This correlation is based on broader relationships such as common entities across issues, matching threat intelligence indicators (IOCs, malware families, attacker infrastructure), and continuity across the attack lifecycle stages like phishing, execution, persistence, lateral movement, and exfiltration. XSIAM uses its ML-driven data model and continuous telemetry enrichment to understand that these separate Issues are actually part of the same coordinated attack.</P> <P data-end="1300" data-start="692">&nbsp;</P> <P data-end="1676" data-start="1302">Overall, this approach transforms fragmented security data into a single unified Case, enabling SOC teams to investigate the complete attack lifecycle in one place instead of handling multiple disconnected alerts and issues. This significantly reduces alert fatigue, improves investigation efficiency, and supports faster detection and response in modern SOC environments.</P> <P data-end="1676" data-start="1302">&nbsp;</P> <P data-end="1676" data-start="1302">Reference:</P> <P data-end="1676" data-start="1302"><A href="https://www.paloaltonetworks.com/cyberpedia/what-is-extended-security-intelligence-and-automation-management-xsiam" target="_blank">https://www.paloaltonetworks.com/cyberpedia/what-is-extended-security-intelligence-and-automation-management-xsiam</A></P> <P data-end="1676" data-start="1302"><A href="https://www.paloaltonetworks.com/resources/ebooks/cortex-xsiam" target="_blank">https://www.paloaltonetworks.com/resources/ebooks/cortex-xsiam</A></P> <P data-end="1676" data-start="1302">&nbsp;</P> <P>Please help other users by clicking ‘Accept as Solution’ if a post helps solve your problem.</P> <P><SPAN><BR /><A href="https://live.paloaltonetworks.com/t5/blogs/how-and-why-to-accept-solutions/ba-p/553827" target="_blank">Read more about how and why to accept solutions.</A></SPAN></P> <P>&nbsp;</P> <P data-end="1676" data-start="1302">Best Regards,</P> <P data-end="1676" data-start="1302">Vinothkumar C&nbsp;</P> Tue, 23 Jun 2026 12:32:09 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/issue-stitching/m-p/1257135#M438 Vinothkumar_SBA 2026-06-23T12:32:09Z