Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2664 Views
  • 0 replies
  • 0 Likes

XSIAM - Data Patterns

Hi. Please, a question about Data Patterns in Cortex XSIAM. Once the connection from the Broker VM to the Windows server (SMB) is configured, the connection is verified and displayed under Modules -> Data Security -> Storage Buckets, how is it linked to previously created Data Patterns and Data Profiles? Thank you in advance. Regards.

Username Generalization Playbook

Hey all, I'm hoping that someone has already started something like this and can get me a few steps past the starting line, but as we know, in a corporate environment, there are various ways that usernames come across (abc123, first.last, domain/abc123, domain/first.last, fqdn, etc.) from different log sources. This creates complexity for playbo...

XSIAM Content Update Notifications pack

Hi, has anyone deployed this to date and have it working? Just started looking at this as a means to notify our platform team when we need to perform content updates etc., as we manage a number of XSIAM tenants, and out of the box both the playbooks fail, so I would imagine some customization is needed. The deployment documentation is sparse at bes...

PA_nts by L4 Transporter
  • 275 Views
  • 3 replies
  • 0 Likes

XSIAM Integration Web Server

Hi, I want to create an Integration that starts a simple web server with a single button, for example, that prints "Hello World". There is the out-of-the-box integration "Generic Export Indicators Service"; I want it to be based on that (with Long Running instance, Nginx, etc.). I have tried to do so but I couldn't make it work. Would love to get some help...

Resolved! XSIAM - API Get Correlation Rules - Least Privilege

In the API reference, it states that you must have Instance Administrator permissions to run the endpoint /public_api/v1/correlations/get. Is it possible to create a custom role for the API key that has sufficient permissions to execute this endpoint? Do you know any other way to retrieve the query from a specific correlation rule? Cortex XSI...

Resolved! UEBA Capabilities

Hi All, I'm looking for some guidance around UEBA capabilities in XSIAM. Currently, we are using the free trial version of the ITDR module in XSIAM. If we do not have an ITDR module license, what are the ways to enhance UEBA capabilities in XSIAM? Should we manually develop UEBA pattern-related use cases using telemetry logs? Appreciate your...

AI Prompt Feature | XSIAM Version 3.4

Hi All, Has anyone tested the AI prompt feature in XSIAM version 3.4? From our experience, only generic prompts seem to be working. When we try to use specific real-time case or issue data, it doesn't respond as expected. We haven't been able to test out-of-the-box or custom prompts using input data like Issue ID or Issue Name, as the AI prompt...

XDRC Connection Error

Hello experts, I have two XDRC installed on a W2016 server; both are connected through the same BrokerVM. I even tried to test whether the BVM and XDRC connection was fine: I did a test to run "uninstall collector" from the Console, and it was successful. In XDRC Administration, the status shown is: Warning; however, the last seen was up to date. From XQL queries...

XSIAM Playbook

Hi, I want to run one basic playbook automation on every new issue triggered. For example, I have specific conditions where, if a new issue meets those conditions, its severity should be updated. Currently, only one automation rule can be applied to each issue. While using a Job is an option, I am interested to know if there are any other solution...

Resolved! How to filter process_file_info in a BIOC

Hi everyone, I’m working on a BIOC of type Process, and I’m trying to use the process_file_info field as a filter. When I run a search, this field shows up as a JSON object containing details like product name, version, etc. The problem is: BIOC filters only seem to support exact string matching, and since process_file_info is JSON, I can’t match...

FCossard by L0 Member
  • 1926 Views
  • 2 replies
  • 0 Likes

Resolved! ServiceNow CMDB data to XSIAM

Hi, We have integrated XSIAM with ServiceNow CMDB. We want to pull critical assets from the CMDB into XSIAM using an API and we have to do feature field configuration for these critical assets. Currently, I only see an option to upload a static file in the feature field configuration (Host/User/IP address). Could someone please help with the fol...

  • 154 Posts
  • 42 Subscriptions