Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2632 Views
  • 0 replies
  • 0 Likes

O365 Email integration question

Hi, anyone done O365 email ingestion with no advanced email security license? Having a hard time with the PAN documentation, as a lot of the Azure naming conventions seem to have changed. Q1 - if just using the O365 data source and enabling the 'Exchange Online' option, will this be enough, or do I need a separate O365 email collector to deploy (of whi...

PA_nts by L4 Transporter
  • 656 Views
  • 3 replies
  • 0 Likes

XSOAR Packs compatible with XSIAM

I have been digging into the marketplace more recently, specifically with the TIM add-on. I noticed that the marketplace shows multiple different playbooks for the "TIM - Indicator Auto-Processing" pack on the marketplace website. However, inside of the XSIAM console, the marketplace only shows one playbook. Are the playbooks cross compatible? Are...

Cortex XSIAM XQL: How to find incidents where playbook failed / errored?

I'm new to Cortex XSIAM and XQL, and I'm still learning how things work. I need some help with an XQL query. I'm trying to create an XQL query where I can see: Incident ID, Incident name, Playbook execution status (failed / error), Playbook name, Error message or failure reason (if available). I checked the incidents dataset, but I couldn't f...

R_BhlpMe by L0 Member
  • 1635 Views
  • 1 reply
  • 1 Like

Resolved! XSIAM Dashboard

Hi, I'm working on creating a dashboard for the concept below. Has anyone already tried this or have any insights they can share?
  • Sudden spike for data ingestions
  • Data ingestion exceeded threshold
  • Data source with correlation rules per source

How to Configure XQL to detect logs not reporting rule

I am able to retrieve logs successfully using XQL in Cortex XSIAM. However, I need to configure an analytics rule that triggers when any single expected source stops sending logs (for 10 minutes, 1 hour, 4 hours). Detect when any one host / source stops reporting logs. Alert should be raised per missing entity. Should work with Scheduled Analyt...

Cortex Pop-ups Triggered for StoreDesktopExtension.exe Despite Being Blocklisted

Users are continuing to receive Cortex alert pop-ups for StoreDesktopExtension.exe even after the executable was added to the Cortex block list. Observations: The file is already present in the Cortex block list. Alerts/pop-ups are still being triggered on user endpoints. Is it related to a Windows Security Update? Restarting the machine is re...

AI-Created SOC SOPs Based on Detection/Playbook Title

Hi All, I've developed a script that takes a list of SOC detections and/or playbook titles, analyses associated metadata, and automatically generates full Standard Operating Procedures, ready for upload into Confluence or as a simple text file for import elsewhere. SOPs matter because they provide clear, consistent instructions, ensure stan...

N.Hook by L0 Member
  • 1894 Views
  • 4 replies
  • 1 Like

Why do the same Windows Server data collected using XDRC and WEC agents show different statuses in the following fields?

Why do the same Windows Server 2022 Std (Traditional Chinese) data collected using XDRC and WEC agents show different statuses in the following fields? _Collector_type = `WEC`: Event Log display is 【`English`】, fields have 【Message】、【_RAW_LOG】. _Collector_type = `XDR Collector`: Event Log display is 【`Traditional Chinese`】, fields only have 【Mes...


Resolved! [Cortex XSIAM] XDR Collector collecting Windows Security Log. XDR Collectors Administration Status displays "Error".

Currently, I'm using the default templates. Despite trying many tests, this error message persists. Am I missing any information? XDR Collectors Administration Status displays "Error". Error Message: Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch? XDR Collectors Administration ...


Broker Health Checking

Hello everyone! I'm working in an environment that has some broker clusters and local brokers as well. I would like to know how I can implement some way to have a daily health check for these brokers, like if the broker needs a reboot to update, if I don't have any gaps in receiving logs (for example the last logs received were one day ago), etc...

Problem with Conditional Task Not Matching XQL Output in Cortex XSIAM Playbook

Hello everyone, I am building a simple playbook in Cortex XSIAM to check whether an endpoint is CONNECTED or DISCONNECTED using an XQL query on the endpoints dataset. The XQL query works correctly and returns the expected output: {"results": [{"endpoint_name": "ENDPOINT_089", "endpoint_status": "DISCONNECTED"}], "status": "SUCCESS"} However, in ...


Vulnerability Assessment in XSIAM 3.3

Does anyone know what happened to the Vulnerability Assessment in XSIAM after upgrading to 3.3? I used to be able to do Inventory → Endpoints+Host Inventory → Vulnerability Assessment, select Endpoints on the upper-right bar and then search by Endpoint Name and view vulnerabilities. This is no longer present in XSIAM 3.3 after the updated Vuln...

Resolved! Use case BIOC Creation

Hi Live Community, I want to create a BIOC with the GUI for this use case: Process name = svchost.exe and (Path not C:\Windows\WinSxS\* OR C:\windows\system32\*). BR.
