Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2635 Views
  • 0 replies
  • 0 Likes

Alerting when Daily Ingestion Threshold reaches 80%

Just wanted to share this with everyone - I am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/recommendations. The query below will calculate the daily ingestion per GB and will output 'TRUE' if it exceeds 80% of daily ingestion. dataset = metrics_source | comp sum(total_size_bytes ) as total...

PA_nts by L4 Transporter
  • 717 Views
  • 0 replies
  • 1 Like

Unit 42 ATOM feeds into XSIAM tenant without TIM license

Hi All, has anyone done this yet? Is it possible? It looks like a simple process to enable a taxii2 feed for Unit 42 threat intel, but I am not sure what outcome I can expect if a client has an XSIAM tenant but no TIM (threat intel management) license. Will it work, and if so, what limitations would we have? Thanks, Anton

PA_nts by L4 Transporter
  • 826 Views
  • 1 reply
  • 0 Likes

Adding an Error condition to a failed playbook run question

Hi All, so I have some playbooks that, when triggered, send my incident/alert JSON payloads to an external webhook every time a new incident is triggered. I have defined an error condition task that sends an email to an email address when this fails (webhook URL is unavailable, or someone changed something that breaks this process, etc.) - this works. But...

PA_nts by L4 Transporter
  • 563 Views
  • 0 replies
  • 0 Likes

USB Flash Drives

Hi, We are using Cortex XSIAM. Now, the challenge we are facing is that if anyone connects a USB flash drive that has been allowed to use a USB, their computer gets infected with malware. What we want is for the user to connect to the USB, for a real-time scan to occur immediately after connection to the computer, and for a malware warning to ap...

O.Faheem by L1 Bithead
  • 876 Views
  • 2 replies
  • 0 Likes

Severity in correlations

Hello. Could you help me with the severity field of the correlation? I need to customize the severity of the alert based on the user who triggers the query. The query is already made. When I configure the correlation to get this severity, it ignores it and sets any alert as "Medium" whereas the severities were supposed to be "high" or "informati...

XQL to query Indicators

Hi , I want to create a Dashboard widget that shows a pie graph for indicators. There is the built in widget "indicatorsByVerdict" but I want to create something a bit different. I couldn't find a way to figure that out.

Resolved! Question on transaction stage in XQL

It doesn't appear that the transaction stage in XQL is very clearly documented. Does anyone know what the transaction stage really does, and what it uses to "find transactions"? Does it just find instances of contiguous events with the same value in the fields provided?

Automate changes to Incident and Alerts to send to backend system

So I am looking at a way, for when an analyst is working on an incident/case in XSIAM, so that if they add any notes, change the assignment, change severity, run commands in the war room, etc., these changes are sent automatically to a backend webhook via HTTP POST or API. Has anyone done this before or know if it is possible? Thanks in advance.

PA_nts by L4 Transporter
  • 875 Views
  • 1 reply
  • 0 Likes

Broker-VM disconnect alert notification

Hi All, any idea how I can generate an alert when a Broker VM gets disconnected? Has anyone managed to create a correlation rule that will alert if a Broker VM gets disconnected from XSIAM? The XSIAM documentation states that 'To help you monitor your Broker VM version, connectivity, and high availability clusters, Cortex XSIAM sends notifi...

PA_nts by L4 Transporter
  • 1169 Views
  • 3 replies
  • 0 Likes

Sending alert data via http POST - http body is empty

Hi All, so I am trying to send alerts via a playbook using either the http or httpv2 script to send my alert data to a webhook URL where the SOC analysts will have a common workbench for all alerts (multi XSIAM tenant options). I can connect to the webhook but am unable to get my HTTP body to push data - tested against httpbin.org, it seems to work.. soo...

PA_nts by L4 Transporter
  • 950 Views
  • 1 reply
  • 0 Likes

Resolved! Computers no longer showing in Console

Hi, we have staff members who work in the mining area and do not connect for a very long time; in some cases we have seen they came back from the sites after four months. Additionally, their computers do not appear on the Cortex XSIAM console, or I would use the words "drop off". In this scenario, they reconnect to either our network or the inte...

O.Faheem by L1 Bithead
  • 2582 Views
  • 1 reply
  • 0 Likes

Azure Entra SSO for Cortex XSIAM/XDR

Hello LIVEcommunity, seeking help on Azure Entra SSO integration for XSIAM/XDR. I've managed to set up the configuration according to the documentation. The SP-initiated login is working fine, but not the IdP-initiated login. I logged a case with Palo support and they claimed that it is unsupported. So the current outcome of the IdP-initiated au...


Linking Issues to Cases with Command

Hello Livecomm, I am trying to link an issue to a case using CLI/automation or similar. Right-clicking on an issue allows me to assign it to a case, but I have not found an option to do this programmatically. I have tried using the link incident and link alert commands, but I receive a response that these aren't supported on XSIAM. Does anyone have ...

Resolved! Creating a Custom Issue For a Case

Hello LiveComm, I have created a custom case with a single Issue for a Use-Case. I want to create more issues with a command or script in this custom case which will eventually be a playbook task. How does one do such an action? Many thanks, MSysec Cortex XSIAM

Working with Multi-Select Array Field with setParentIncidentFields

Hello all, I have an array of various IPs, and I want to set them to a case field using the setParentIncidentFields command. When defining the argument of values ${my.ips}, only the last value is saved. I have tried join or split, but with no success. Can anyone recommend what I can do to save multiple values here without overwriting the existing va...
