XSIAM XQL Query help needed

Hi All,

So i need some xql query help please..

Example : I have 2 datasets in xsiam, one called 'xdr_data', and another called 'ioc',
In my 'ioc' dataset I have a field called 'indicator' with different values ie 4.4.4.4; 1.2.3.4 for example.. these

XSIAM Engineer Certification

Has anyone completed the Cortex XSIAM Engineer certification? If so, could you share your experience? Also share your guidance on how to prepare for it.

Marketplace Content pack update - best practices

Hi All,

How do you manage content updates in the market place currently?

Any best practices to follow as it seems this is a manual process to review the release notes and plan updates accordingly.

Is there a way to notify via email if new content pac

XSIAM Always Request Generate a New API Token from Trend Micro Vision One

Hello Everyone, I have a problem integrating with Trend Micro Vision One in the marketplace. It seems that XSIAM always requests a new API token from Vision One. Is there any solution? 

Thank You !

Saving XSIAM Command Center as Template

Hi,

Anyone know if possible to save the 'XSIAM command center dashboard' as a report template? the option for me is greyed out 

i have a feeling not possible.. but guess worth asking.

thanks in adv

Collecting IIS Log

Hi,

I have configured the filebeat to collect the IIS log,

but I don't see any dataset related to the IIS log in the dataset table and also don't know how and in which dataset to get those logs.

this the filebeat configuration

---
filebeat.modules:
- m

Inquiry About Third-Party VPN Logs and Analytics Alerts in XSIAM

Hi All,

■Background
I would like to inquire about the Ivanti VPN logs ingested into XSIAM.
I have installed the data model rules from the content pack. However, I encountered the following issues:

Analytics Alerts: No Analytics alerts related to third-

Possible to View the XQL Query of Widgets?

Hi All,

So XSIAM has a bunch of built in widgets and I want to amend some of these.. is there a way to determine the Query used within so that i can use this to adapt to my custom query?

thanks in adv

Guidance on Automating Alert Notifications in Cortex XSIAM Using Playbooks (Future SNOW Integration)

Hello everyone,

I'm currently exploring Cortex XSIAM as part of my day-to-day responsibilities, and I’m working on automating alert notifications using native playbooks particularly for mail notifications triggered by specific alerts, like "port scan

API to get data from lookup dataset

Hi All,

in XQL - i can run a query and dump the data into a lookup dataset, this works, then i can run a local query against this lookup dataset and i see all the data as expected.

however, when i run an API request against (https://api-yourfqdn/publ

XQL Query for calculating XDR log ingestion

Hi, 
As this is covered by the XDR license and not visible in the data ingestion widgets..

Does anyone have a query to look at data ingestion for XDR agents only?

thanks in adv

Using Field change and SLA scripts in XSIAM

I am trying to create a custom Automation script in XSIAM which I aim to trigger on change of Alert status/field or when SLA is breached for a SLA field. Though the script is developed easily and tagged as 'field-change-triggered' or 'sla', I am unab

Masking sensetive information before cloud upload

Hey Guys,

I want to share an ability to mask or remove sensetive data before it being uploaded to xsiam 

you can do parse policy using collect stage on target broker with regex function and alter action to set regexes for sensetive info like credit c

Is there any Slack space for XSIAM discussions?

Hi, 

I'm looking for any official Slack space for XSIAM discussions like the DFIR Community. That could be very useful for many people who using XSIAM.

Alerting when Daily Ingestion Threshold reaches 80%

Just wanted to share this with everyone - i am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/ recommendations.

The Query below will calculate the daily ingestion per GB and will output 'TRUE' if it e