Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:
Rules and Best Practices
  • Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
  • Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2759 Views
  • 0 replies
  • 0 Likes

Cortex XSIAM XQL: How to find incidents where playbook failed / errored?

I’m new to Cortex XSIAM and XQL, and I’m still learning how things work. I need some help with an XQL query. I’m trying to create an XQL query where I can see: Incident ID, Incident name, Playbook execution status (failed / error), Playbook name, Error message or failure reason (if available). I checked the incidents dataset, but I couldn’t f...

R_BhlpMe by L0 Member
  • 1793 Views
  • 1 replies
  • 1 Likes

Resolved! XSIAM Dashboard

Hi, I'm working on creating a dashboard for the concept below. Has anyone already tried this or have any insights they can share?
  • Sudden spike for data ingestions
  • Data ingestion exceeded threshold
  • Data source with correlation rules per source

How to Configure XQL to detect logs not reporting rule

I am able to retrieve logs successfully using XQL in Cortex XSIAM. However, I need to configure an analytics rule that triggers when any single expected source stops sending logs (for 10 minutes, 1 hour, 4 hours).
  • Detect when any one host / source stops reporting logs
  • Alert should be raised per missing entity
  • Should work with Scheduled Analyt...

Cortex Pop-ups Triggered for StoreDesktopExtension.exe Despite Being Blocklisted

Users are continuing to receive Cortex alert pop-ups for StoreDesktopExtension.exe even after the executable was added to the Cortex block list. Observations:
  • The file is already present in the Cortex block list.
  • Alerts/pop-ups are still being triggered on user endpoints.
  • Is it related to Windows Security Update?
  • Restarting the machine is re...

AI-Created SOC SOPs Based on Detection/Playbook Title

Hi All, I’ve developed a script that takes a list of SOC detections and/or playbook titles, analyses associated metadata, and automatically generates full Standard Operating Procedures — ready for upload into Confluence or as a simple text file for import elsewhere. SOPs matter because they provide clear, consistent instructions, ensure stan...

N.Hook by L0 Member
  • 2041 Views
  • 4 replies
  • 1 Likes

Why do the same Windows Server data collected using XDRC and WEC agents show different statuses in the following fields?

Why do the same Windows Server 2022 std (Traditional Chinese) data collected using XDRC and WEC agents show different statuses in the following fields?
  • _Collector_type = `WEC`: Event Log display is 【`English`】, fields have 【Message】 and 【_RAW_LOG】.
  • _Collector_type = `XDR Collector`: Event Log display is 【`Traditional Chinese`】, fields only have 【Mes...


Resolved! [Cortex XSIAM] XDR Collector Collecting Windows Security Log. XDR Collectors Administration Status displays "Error".

Currently, I'm using the default templates. Despite trying many tests, this error message persists. Am I missing any information? XDR Collectors Administration Status displays "Error". Error message: Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch? XDR Collectors Administration ...


Broker Health Checking

Hello everyone! I'm working in an environment that has some broker clusters and local brokers as well. I would like to know how I can implement some way to have a daily health check for these brokers, e.g. whether a broker needs a reboot to update, whether I have any gaps in receiving logs (for example, the last logs received were one day ago), etc...

Problem with Conditional Task Not Matching XQL Output in Cortex XSIAM Playbook

Hello everyone, I am building a simple playbook in Cortex XSIAM to check whether an endpoint is CONNECTED or DISCONNECTED using an XQL query on the endpoints dataset. The XQL query works correctly and returns the expected output: {"results": [{"endpoint_name": "ENDPOINT_089","endpoint_status": "DISCONNECTED"}],"status": "SUCCESS"} However, in ...


Vulnerability Assessment in XSIAM 3.3

Does anyone know what happened to the Vulnerability Assessment in XSIAM after upgrading to 3.3? I used to be able to do Inventory → Endpoints+Host Inventory → Vulnerability Assessment, select Endpoints on the upper-right bar and then search by Endpoint Name and view vulnerabilities. This is no longer present in XSIAM 3.3 after the updated Vuln...

Resolved! Use case BIOC Creation

Hi Live Community, please, I want to create a BIOC with the GUI for this use case: Process name = svchost.exe and (Path not C:\Windows\WinSxS\* OR C:\windows\system32\*). BR.


XSIAM - Vulnerability field (Issues)

Hi All. Please, using the "JSON Sample Incident Generator (Community Contribution)" app, is there any way to set a value on the "CATEGORY" field on Issues? Using "Classification & Mapping" and setting the "Category" field to a specific value did not work. Thank you.

Preventing Access to "Resolve & Create Exclusion" Based on Role

Hello Livecomm, I have a trivial question. Does anyone know how to prevent users with a specific role from using "Resolve & Create Exclusion" when closing a case? I have reviewed the various options the role provides, but there is no mention of this feature. We want to prevent low-level analysts from using this feature. Many thanks, MSysec Cortex ...

XSIAM V3.3 upgrade - anyone having issues?

Hi All, we have an XSIAM tenant running v3.2 and PAN upgraded it to v3.3 yesterday (Nov 16th 2025), and since then we have a number of issues, i.e.:
  • content pack updates (base/scripts etc.) failing
  • transformers missing, and as such custom playbook runs affected
Have a TAC case logged; want to see if anyone else is having issues since yesterday. Thanks.

PA_nts by L4 Transporter
  • 2648 Views
  • 1 replies
  • 0 Likes