Cortex XSIAM Discussions | Palo Alto Networks

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Resolved! XSIAM V3.4 upgrade - anyone having issues?

Having reports from xsiam engineers/analysts that some cases are not visible in xsiam.. one particular case detail is fortinet cases where the 'case name = utm:ips signature' anyone seen similar to date?

Fortigate Correlation rules thread

Hi All, With Fortigate FW logs ingesting into XSIAM, even with the forti content pack installed, there is no real method for detection apart from the analytics engine that will use the '3rd party firewalls' analytic rules to natively detect issues/alerts on Fortigate FWs that i am aware off.. As such one will be required to do additional corre...

How do you handle Low Severity alerts/issues?

want to know how you guys deal with low severity alerts.. do you monitor/analyze them or only focus on incidents with medium/high/critical severity? do you run any playbook automation against these low sev alerts? are there any best practices from PAN around handling of low severity alerts? i cannot seem to find any. thanks in adv

XSIAM Email Communication

In XSIAM, we need a way for analysts to send email updates at different stages of an incident — like when it is received, contained, and recovered. Each case should have its own email chain that includes all previous emails for that case. To support this, we have added a button in the case template where analysts can write and send emails. When ...

Cortex XDR Host Firewall Rule evaluation

Hi Team, I have a doubt about Host Firewall rule evaluation. Let say i have a rule created to allow all internal application inbound traffic on specific port / Remote IP. In the same rule group if i create another outbound rule and action type : allow all outbound traffic on any port/IP how it will evaluate the rule. It means it will allow all o...

Monitoring Bluetooth

Hi, We are using Cortex XSIAM. Now we want to perform monitoring of Bluetooth in Microsoft Windows 10 and 11 computers. The reason we want to check whether our users are connecting their mobile phones, like iPhone and Androids, through their office laptop using Bluetooth Cortex XSIAM Cortex XDR

Resolved! Do you backup your custom content?

Hi, I’m looking for a way to back up my custom content - such as playbooks, lists, scripts, correlation rules, and more, to an external repository (GitHub, GitLab, Azure DevOps, etc.). So far, I’ve had partial success with playbooks using Python scripts and API calls, but I’m having difficulty backing up the other content types. Has anyone tried...

Mapping of Cortex XSIAM fields with ServiceNow

Please can you suggest how can you map more than the set fields with ServiceNow for an incident? Currently only limited fields are able to map.

Resolved! Parsing Rule and Data Model Rule

I'm new to Cortex XSIAM..Wanted to understand how effectively parsing rule and Data model rule can be used for a particular data source and how it works?

Identify Manual Cases Using Filter - Layout Rules

Hello Livecomm, I am working on the XSIAM platform and I want to provide a default layout for cases that are manually opened. The classic fields that contain this info such as _product and tags cannot be filtered on. Does anyone have a solution for this? Many thanks, MSysec Cortex XSIAM

CPU and Memory Usage

Hello everyone, I’m looking for an XQL query that shows CPU and memory usage.For example, I want to visualize something like: the XDR service consumes an average of X% memory and Y% CPU per hour, preferably as a graph. Could you please help with this?

XSIAM Parsing Success Rate Metrics

Hi Team, Is it possible to calculate Parsing Success Rate Metrics in XSIAM i.e., % of events successfully parsed into SIEM schema. Regards, Wincy

Resolved! Triggering XDR Defender, how?

Hi Everyone! Does anyone have any idea how I can trigger XDR detection capabilities for 100% sure without Windows Defender coming first? Thanks. Günnie

Export Issues and Cases from XSIAM

Hi, I'm trying to export issues and cases from XSIAM but i don't see any options available to do this. This is our client requirement. can anybody help on this. I should be able to fully export any issue. Appreciate your help

XSIAM Dynamic filtering in exclusions

Hi, I was told by someone from our Palo team (cant remember who and we recently had a team change) that dynamic group exclusions would be a new feature in the 3.2 release. An example of this is retrieving a list of IPs and saving it to a table or dataset. Then, for a specific issue exclusion (e.g. Abnormal amount of port scanning) we exclude ...

Discussions

Welcome to the Cortex XSIAM Discussions!

Resolved! XSIAM V3.4 upgrade - anyone having issues?

Fortigate Correlation rules thread

How do you handle Low Severity alerts/issues?

XSIAM Email Communication

Cortex XDR Host Firewall Rule evaluation

Monitoring Bluetooth

Resolved! Do you backup your custom content?

Mapping of Cortex XSIAM fields with ServiceNow

Resolved! Parsing Rule and Data Model Rule

Identify Manual Cases Using Filter - Layout Rules

CPU and Memory Usage

XSIAM Parsing Success Rate Metrics

Resolved! Triggering XDR Defender, how?

Export Issues and Cases from XSIAM

XSIAM Dynamic filtering in exclusions

UEBA Capabilities

XSIAM - API Get Correlation Rules - Least Priviledge

Broker VM cluster - syslog ingestion

How to filter process_file_info in a BIOC

XSIAM API pagination

Re: UEBA Capabilities

Re: XSIAM - API Get Correlation Rules - Least Priviledge

Unlock your full community experience!

Resolved! XSIAM V3.4 upgrade - anyone having issues?

Resolved! Do you backup your custom content?

Resolved! Parsing Rule and Data Model Rule

Resolved! Triggering XDR Defender, how?