Options to onboard Microsoft Message trace logs into XSIAM

As we have an option in Splunk to see the all the message tracking logs through Microsoft message trace app, do we have any similar app to integrate?

Cortex XSIAM 

Export Issues and Cases from XSIAM

Hi, I'm trying to export issues and cases from XSIAM but i don't see any options available to do this. This is our client requirement. can anybody help on this. 

I should be able to fully export any issue. Appreciate your help

O365 Email integration question

Hi

Anyone done o365 email ingestion with no adv email security license?

having a hard time with the pan documentation as alot of the azure naming conventions seems to have changed.

q1 - if just using the o365 datasource and enabling the 'exchange o

Cortex Pop-ups Triggered for StoreDesktopExtension.exe Despite Being Blocklisted

Users are continuing to receive Cortex alert pop-ups for StoreDesktopExtension.exe even after the executable was added to the Cortex block list.

Observations:

• The file is already present in the Cortex block list.

• Alerts/pop-ups are still being trig

AI Created SOC SOP's Base on Detection/Playbook Title

Hi All,

I’ve developed a script that takes a list of SOC detections and/or playbook titles, analyses associated metadata, and automatically generates full Standard Operating Procedures — ready for upload into Confluence or as a simple text file for

XSOAR Packs compatible with XSIAM

I have been digging into the marketplace more recently specifically with the TIM add-on. I noticed that the marketplace shows multiple different playbooks for the "TIM - Indicator Auto-Processing" pack on the marketplace website. However inside of th

Cortex XSIAM XQL: How to find incidents where playbook failed / errored?

I’m new to Cortex XSIAM and XQL, and I’m still learning how things work. I need some help with an XQL query.

I’m trying to create an XQL query where I can see: Incident ID, Incident name , Playbook execution status (failed / error), Playbook name, Er

How to Configure XQL to detect logs not reporting rule

I am able to retrieve logs successfully using XQL in Cortex XSIAM.

However,
I need to configure an analytics rule that triggers when any single expected source stops sending logs (for 10 minute,1 hours,4 hours).

• Detect when any one host / source stop

XSIAM Dashboard

Hi, I'm working on creating a dashboard for the concept below. Has anyone already tried this or have any insights they can share?

Why do the same Windows Server data collected using XDRC and WEC agents show different statuses in the following fields?

Why do the same Windows Server 2022 std (Traditional Chinese) data collected using XDRC and WEC agents show different statuses in the following fields?

1. _Collector_type = `WEC` ，Event Log display is 【`English`】，Fields have 【Message】、【 _RAW_LOG】。
2. _Colle

Broker Helath Checking

Hello everyone!

I working in a environment that have some broker clusters and local brokers as well, I would like know how I can implement some way to have a daily health checking for these brokers, like if the broker is need a reboot to update, if

Problem with Conditional Task Not Matching XQL Output in Cortex XSIAM Playbook

Hello everyone,

I am building a simple playbook in Cortex XSIAM to check whether an endpoint is CONNECTED or DISCONNECTED using an XQL query on the endpoints dataset.

The XQL query works correctly and returns the expected output:

{
"results": [
{
"endpo

Vulnerability Assessment in XSIAM 3.3

Does anyone know what happened to the Vulnerability Assessment in XSIAM after upgrading to 3.3?

I used to be able to do Inventory → Endpoints+Host Inventory → Vulnerability Assessment, select Endpoints on the upper-right bar and then search by Endp

Does lookup or snapshot type dataset contributes to Hot storage

Hello Everyone,

We have lot of lookup file and some snapshot type dataset in our environment. Does it contributes to hot storage. If so how can i verify its size. 

Also i wanted to how the snapshot type dataset are created in XSIAM. 

Thanks in