Cortex XSIAM Discussions

How to group related alerts in XSIAM and create a unique incident

Hi dear community :):  I have a question

Several alerts are forwarding in my Cortex XSIAM system coming from Microsoft Defender, these alerts have different names but all of them are part of a unique incident in MDefender and have a unique event ID. 

Context polling playbook

In XSIAM playbook,I’m trying to fetch the incident status. When the incident status is changed to for eg under_investigation I want to my playbook to run a certain task. 
for this I want use context polling sub playbook 

key : parentIncidentFields.sta

Forcepoint proxy integration with XSIAM

Hi Palo Team, I am trying to onboard Forcepoint proxy logs into XSIAM, but i couldn't found any marketplace app/supporting datamodel.

Could someone help/guide to onboard the forcepoint proxy logs.

additionally referring to Splunk where we have a option

How to write a data model to map to an authentication story

We are creating a data model and have questions like:

==============================================

We are aware that the method of mapping to an authentication story requires defining the following,
as described in the documentation.

However, w

XSIAM Incidents notes and messenger

Hi everyone,

I am trying to get all the information added to the Notepad or Messenger fields (Incident Discussion) from the incidents.
I do not need the information contained in the RESOLVE_COMMENT column of the incidents table.
Would it be possible

About cross-tabulation in XQL

Hi

Is it possible to execute PIVOT on the results of XQL execution?

For example, if I execute an XQL query on the following table

1/1/2025 allow hostname
1/1/2025 deny hostname
1/2/2025 allow hostname
1/2/2025 allow hostname
1/3/2025 deny hostname
1/3/2

Incident catagories (manual vs automated)

The XSIAM dashboard view splits incidents based on whether they are manual or automated.  What field(s) does the dashboard use to determine an incident was automated?

Severity in correlations

Hello.

Could you help me with the severity field of the correlation?

I need to customize the severity of the alert based on the user who triggers the query.
The query is already made. When I configure the correlation to get this severity, it ignores

Playbook| XSIAM

How to check if a particular integration is enabled using a playbook?

for example I want a conditional task that checks if AD is enabled. What filters can I use ?

Custom Alert Types

Can we create custom Alert Types ?

any way to have multiple counts within same xql query

I need query about status of incidents. I have to all status count in same query. For example in april have 25 auto-resolved, 20 FP, 20 TP but I dont know how can i count in same query. Does anyone have any ideas on this topic?

IBM AS400, AIX Logs, integration XSIAM

Hi,

How does Palo Alto Networks propose integrating logs from IBM AS400 and AIX servers?

Also, are there any new integrations or IBM features being ported from Qradar SaaS to XSIAM?

Thanks,

Geethika Wijesuriya

XDR Agent Reconnecting

Agent Version: 8.6.0.3704
Last Seen: 01 January 2025

We had to remove the protection since it is cutting off connection via SSH for Backup purposes. Moreover, with protection off, it is able to backup consistently.

My question is, we have I al