https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555137#M5 <P>Hi,</P> <P>&nbsp;</P> <P>Could you please provide guidance on locating the raw log within the Cortex XSIAM tenant?</P> <P>&nbsp;</P> <P>--</P> <P>Anupama D.</P> Thu, 24 Aug 2023 19:00:42 GMT AnupamaD 2023-08-24T19:00:42Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555137#M5 <P>Hi,</P> <P>&nbsp;</P> <P>Could you please provide guidance on locating the raw log within the Cortex XSIAM tenant?</P> <P>&nbsp;</P> <P>--</P> <P>Anupama D.</P> Thu, 24 Aug 2023 19:00:42 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555137#M5 AnupamaD 2023-08-24T19:00:42Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555340#M6 <P>Hi AnupamaD.</P> <P>&nbsp;</P> <P>Can you please clarify, what do you mean by "locating the raw log"?&nbsp; Are you asking how to query log data that you are bringing in to XSIAM?</P> Fri, 25 Aug 2023 19:17:02 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555340#M6 afurze 2023-08-25T19:17:02Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555472#M8 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/219403">@afurze</a>&nbsp;</P> <P>I've attached a sample log message view, which is the view that I want to see in XSIAM. </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Log View.jpeg" style="width: 315px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53201i6D639F4EDE53A9A8/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Log View.jpeg" alt="Log View.jpeg" /></span></P> Mon, 28 Aug 2023 05:21:14 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555472#M8 AnupamaD 2023-08-28T05:21:14Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555522#M9 <P>Hi AnupamaD,</P> <P>&nbsp;</P> <P>If you want to query raw logs outside of an incident or alert context, you can use the Query Builder (Incident Response -&gt; Query Builder).&nbsp; You can pick one of the 'wizard' style query builders, Basic, Identity, Endpoint, Network, or Cloud, which all search using the&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-XQL-Language-Reference/Cortex-Data-Model" target="_self">Cortex Data Model</A>.&nbsp; If you want to write more complex queries or have more control over filtering and such, you can construct your own queries using XQL, either against a specific dataset, or, more commonly, using the same data model.</P> Mon, 28 Aug 2023 13:58:06 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/cortex-xsiam/m-p/555522#M9 afurze 2023-08-28T13:58:06Z