Do you backup your custom content?

Hi,

I’m looking for a way to back up my custom content - such as playbooks, lists, scripts, correlation rules, and more, to an external repository (GitHub, GitLab, Azure DevOps, etc.).

So far, I’ve had partial success with playbooks using Python scri

XSIAM Parsing Success Rate Metrics

Hi Team, 

Is it possible to calculate Parsing Success Rate Metrics  in XSIAM i.e., % of events successfully parsed into SIEM schema.

Regards,

Wincy

CPU and Memory Usage

Hello everyone,

I’m looking for an XQL query that shows CPU and memory usage.
For example, I want to visualize something like: the XDR service consumes an average of X% memory and Y% CPU per hour, preferably as a graph.

Could you please help with this

Identify Manual Cases Using Filter - Layout Rules

Hello Livecomm,

I am working on the XSIAM platform and I want to provide a default layout for cases that are manually opened. The classic fields that contain this info such as _product and tags cannot be filtered on.

Does anyone have a solution for t

Broker Helath Checking

Hello everyone!

I working in a environment that have some broker clusters and local brokers as well, I would like know how I can implement some way to have a daily health checking for these brokers, like if the broker is need a reboot to update, if

Vulnerability Assessment in XSIAM 3.3

Does anyone know what happened to the Vulnerability Assessment in XSIAM after upgrading to 3.3?

I used to be able to do Inventory → Endpoints+Host Inventory → Vulnerability Assessment, select Endpoints on the upper-right bar and then search by Endp

[Cortex XSIAM ] XDR Collector Collect Windows Security Log。XDR Collectors Administration Status display "Error".

Currently, I'm using the default templates.

Despite trying many tests, this error message persists.

Am I missing any information?

XDR Collectors Administration Status display "Error".

Error Message : 
Exiting: no modules or inputs enabled and config

Problem with Conditional Task Not Matching XQL Output in Cortex XSIAM Playbook

Hello everyone,

I am building a simple playbook in Cortex XSIAM to check whether an endpoint is CONNECTED or DISCONNECTED using an XQL query on the endpoints dataset.

The XQL query works correctly and returns the expected output:

{
"results": [
{
"endpo

How do you handle Low Severity alerts/issues?

want to know how you guys deal with low severity alerts.. 

do you monitor/analyze them or only focus on incidents  with medium/high/critical severity?

do you run any playbook automation against these low sev alerts?

are there any best practices from

XSIAM - Vulnerability field (Issues)

Hi All.

Please, using "JSON Sample Incident Generator (Community Contribution)" app, is there any way to set "CATEGORY" field a value on Issues?.

Using "Classification & Mapping" and setting "Category" field to a specific value did not work.

Th

Preventing Access to "Resolve & Create Exclusion " based on Role

Hello Livecomm,

I have a trivial question. Does anyone know how to prevent users from a specific role to '"Resolve & Create Exclusion " when closing a case?

I have reviewed the various options the role provides but there is no mention of this feature

XSIAM V3.3 upgrade - anyone having issues?

Hi All, 

We have a XSIAM tenant running v3.2 and PAN upgraded to V3.3 yesterday (Nov 16th 2025) and since then we have a number of issues ie

- content pack updates (base/scripts etc) updates failing

- transformers missing as such custom playbook runs

Timeout issue - Health Issue/Alerts in XSIAM

Hello,

We are seeing multiple health issues under collection type.

For example: 

Issue name: Collection error in the instance AWS_***  collector

Description: timeout while waiting for server to answer: request ********-****-****-****-**********.

adding dataset fields to alert or incident context data

Hi All,

Using a custom parsing rule i am adding a custom field a dataset - this works all good i can see my new field in the dataset with values.

question - how can i get this field to show in my alert and/or incident context data?

thanks in adv