Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2771 Views
  • 0 replies
  • 0 Likes

Marketplace Content pack update - best practices

Hi All, How do you manage content updates in the marketplace currently? Are there any best practices to follow, as it seems this is a manual process to review the release notes and plan updates accordingly? Is there a way to notify via email if new content packs become available? thanks in adv

PA_nts by L4 Transporter
  • 545 Views
  • 0 replies
  • 0 Likes

Collecting IIS Log

Hi, I have configured Filebeat to collect the IIS log, but I don't see any dataset related to the IIS log in the dataset table, and I also don't know how and in which dataset to get those logs. This is the Filebeat configuration:

---
filebeat.modules:
- module: iis
  access:
    enabled: true
    var.paths:
    - C:/inetpub/logs/LogFiles/W3SVC*/u_ex*.log
  error:
    enabled:...

Inquiry About Third-Party VPN Logs and Analytics Alerts in XSIAM

Hi All,
■ Background: I would like to inquire about the Ivanti VPN logs ingested into XSIAM. I have installed the data model rules from the content pack. However, I encountered the following issues:
Analytics Alerts: No Analytics alerts related to third-party VPNs have been generated.
Datasets: The logs are not displayed in the "vpn_logs" or "xdr_dat...

Guidance on Automating Alert Notifications in Cortex XSIAM Using Playbooks (Future SNOW Integration)

Hello everyone, I'm currently exploring Cortex XSIAM as part of my day-to-day responsibilities, and I'm working on automating alert notifications using native playbooks, particularly for mail notifications triggered by specific alerts, like "port scan". The end goal is to reduce manual handling, potentially via email. As a first step, I'd like to...

API to get data from lookup dataset

Hi All, in XQL I can run a query and dump the data into a lookup dataset; this works. Then I can run a local query against this lookup dataset and I see all the data as expected. However, when I run an API request against (https://api-yourfqdn/public_api/v1/xql/lookups/get_data) to get the data, I only see the following fields (in bold below)....

PA_nts by L4 Transporter
  • 562 Views
  • 0 replies
  • 0 Likes

Using Field change and SLA scripts in XSIAM

I am trying to create a custom Automation script in XSIAM which I aim to trigger on change of Alert status/field or when SLA is breached for a SLA field. Though the script is developed easily and tagged as 'field-change-triggered' or 'sla', I am unable to configure a trigger for the script. Can someone help me configure this? Thank you

Masking sensitive information before cloud upload

Hey Guys, I want to share an ability to mask or remove sensitive data before it is uploaded to XSIAM. You can do a parse policy using the collect stage on the target broker, with the regex function and alter action, to set regexes for sensitive info like credit cards and change it on the Broker VM layer before it is uploaded to the cloud.

Alerting when Daily Ingestion Threshold reaches 80%

Just wanted to share this with everyone; I am sure it might be useful if not already deployed. Feel free to comment on possible enhancements/recommendations. The query below will calculate the daily ingestion in GB and will output 'TRUE' if it exceeds 80% of daily ingestion. dataset = metrics_source | comp sum(total_size_bytes ) as total...

PA_nts by L4 Transporter
  • 776 Views
  • 0 replies
  • 1 Likes

Unit 42 ATOM feeds into XSIAM tenant without TIM license

Hi All, has anyone done this yet? Is it possible? It looks like a simple process to enable the TAXII2 feed for Unit 42 threat intel, but I'm not sure what outcome I can expect if a client has an XSIAM tenant but no TIM (Threat Intel Management) license. Will it work, and if so, what limitations would we have? Thanks, Anton

PA_nts by L4 Transporter
  • 908 Views
  • 1 replies
  • 0 Likes

Adding an Error condition to a failed playbook run question

Hi All, so I have some playbooks that, when triggered, send my incident/alert JSON payloads to an external webhook every time a new incident is triggered. I have defined an error condition task that sends an email to an email address when this fails (webhook URL is unavailable, or someone changed something that breaks this process, etc.); this works. but...

PA_nts by L4 Transporter
  • 619 Views
  • 0 replies
  • 0 Likes