Using Field change and SLA scripts in XSIAM

I am trying to create a custom Automation script in XSIAM which I aim to trigger on change of Alert status/field or when SLA is breached for a SLA field. Though the script is developed easily and tagged as 'field-change-triggered' or 'sla', I am unab

Masking sensetive information before cloud upload

Hey Guys,

I want to share an ability to mask or remove sensetive data before it being uploaded to xsiam 

you can do parse policy using collect stage on target broker with regex function and alter action to set regexes for sensetive info like credit c

Is there any Slack space for XSIAM discussions?

Hi, 

I'm looking for any official Slack space for XSIAM discussions like the DFIR Community. That could be very useful for many people who using XSIAM.

Alerting when Daily Ingestion Threshold reaches 80%

Just wanted to share this with everyone - i am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/ recommendations.

The Query below will calculate the daily ingestion per GB and will output 'TRUE' if it e

Unit 42 ATOM feeds into XSIAM tenant without TIM license

Hi All,

Has anyone done this yet.. is it possible?

It looks like a simple process to enable taxii2 feed for unit 42 threat intel - but not sure what the outcome i can expect if a client has a XSIAM tenant but no TIM (threat intel management) license.

Adding an Error condition to a failed playbook run question

Hi All,

so I have some playbooks that when triggered, sends my incident/alert json payloads to an external webhook every time a new incident is triggered.

I have defined an error condition task that sends an email to an email addr when this fails (we

USB Flash Drives

Hi, We are using Cortex XSIAM. Now, the challenge we are facing is that if anyone connects a USB flash drive that has been allowed to use a USB, their computer gets infected with malware.
 
What we want is for the user to connect to the USB, for a real

Severity in correlations

Hello.

Could you help me with the severity field of the correlation?

I need to customize the severity of the alert based on the user who triggers the query.
The query is already made. When I configure the correlation to get this severity, it ignores

XQL to query Indicators

Hi , 
I want to create a Dashboard widget that shows a pie graph for indicators. There is the built in widget "indicatorsByVerdict" but I want to create something a bit different. I couldn't find a way to figure that out.

Automate changes to Incident and Alerts to send to backend system

So looking at a way for when an analyst is working on an incident/case in XSIAM so that, if they add any notes, change the assignment, change severity, run commands in warroom etc - that these changes are sent automatically to a backend webhook via h

Broker-VM disconnet alert notification

Hi All,

anyi dea how i can generate an alert when a broker-vm gets disconnected?

Has anyone managed to create a correlation rule that will alert if a Broker-VM gets disconnected from XSIAM?

the xsiam documentation states that 'To help you monito

Sending alert data via http POST - http body is empty

Hi All,

so i am trying to send alerts via a playbook using either http or httpv2 script to send my alert data to a webhook url where the soc analysts will have a common workbench for all alerts (multi xsiam tenant options)

i can connect to the web

XSIAM Integration Web Server

Hi,
I want to create an Integration that start a simple web server with a single button for example that print "Hello World".
There is the out of the box integration "Generic Export Indicators Service" I want it to be based on that (With Long Running i