Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices. Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2627 Views
  • 0 replies
  • 0 Likes

Querying Users Who Changed Incident Status to "Action Required"

Hi Team, We have a process where a user works on an incident and updates its status to "Action Required" for further investigation. While we can see the identity of the user who made this change in the Timeline tab of each incident, reviewing this individually for 500–800 incidents is not feasible. We would like to know if there is a way to filt...

Resolved! Cortex XDR Agent

Hi, We are using Cortex XSIAM. Currently, some Microsoft Windows 10 and 11 agents are not receiving updates, indicating that they will soon become outdated. I concur that the majority of the machines lack network connectivity. However, is it possible that the moment it gets connected to internet, the agent automatically gets updated either by pu...

O.Faheem by L1 Bithead
  • 2010 Views
  • 3 replies
  • 0 Likes

Jira and Teams XSIAM Integration

This is in XSIAM. When I create an instance in "Automation and Feed integrations" I can see that it creates one in the "Data sources" section as well. I do not want the logs from Teams in XSIAM and hence do not want an instance in the "Data sources" section. How do I turn off only the logs part? JIRA integration also behaves the same way. Is ther...

Extract Incident context data using 'set' script

Hi All, very simple task: running the 'set' script in a very basic playbook in XSIAM, I am trying to pull the 'XSIAM URL link to the incident' from the incident context data ${parentIncidentFields.xdr_url} into a set task, but it keeps showing as empty. Any idea how I can pull an incident field into the playbook task? If I do ${alert.name} for exa...

PA_nts by L4 Transporter
  • 1595 Views
  • 2 replies
  • 0 Likes

Agent Not updating

Hi, We have Windows clients which are sometimes not on the network nor connected to the internet. Their agent does not get updated. Tell me what other solutions we have to get it updated

O.Faheem by L1 Bithead
  • 1222 Views
  • 3 replies
  • 0 Likes

Forcepoint proxy integration with XSIAM

Hi Palo Team, I am trying to onboard Forcepoint proxy logs into XSIAM, but I couldn't find any marketplace app/supporting data model. Could someone help/guide me to onboard the Forcepoint proxy logs? Additionally, referring to Splunk, where we have an option to onboard through a script (Python based) in data inputs, do we have any similar functionality i...

T.Sode by L0 Member
  • 1245 Views
  • 1 reply
  • 0 Likes

How to group related alerts in XSIAM and create a unique incident

Hi dear community :) I have a question. Several alerts are forwarded into my Cortex XSIAM system coming from Microsoft Defender; these alerts have different names, but all of them are part of a unique incident in MDefender and have a unique event ID. I want to group them in Cortex XSIAM and create a unique incident. So, can you tell me what is t...

IngridS by L0 Member
  • 1449 Views
  • 1 reply
  • 0 Likes

Create Dataset XSIAM

I want to create a dataset to send certain types of logs to this dataset. For example, I want to create a dataset linux_facility_1. Then I want to create a parse with Ingest that "throws" all the logs of type facility=1 to this dataset. I have already tried to create a dataset using: dataset = linux_linux_raw | filter syslog_facility =...

Output of prevalence commands

Hi, I have been searching around online, both on https://xsoar.pan.dev/ and looking at the source code on GitHub, for the Core - Investigation & Response integration, in order to figure out what the values returned by the analytic prevalence commands mean, but have not found anything with much value. Anyone in here that can help shin...

Context polling playbook

In an XSIAM playbook, I'm trying to fetch the incident status. When the incident status is changed to, for example, under_investigation, I want my playbook to run a certain task. For this I want to use the context polling sub-playbook with key: parentIncidentFields.status. Now for the value it is asking for a regex. Need help with the regex format.

How to write a data model to map to an authentication story

We are creating a data model and have questions like: We are aware that the method of mapping to an authentication story requires defining the following, as described in the documentation. However, we are experiencing issues where the authentication story is not mapped. Specifically, we have crea...

XSIAM Incidents notes and messenger

Hi everyone, I am trying to get all the information added to the Notepad or Messenger fields (Incident Discussion) from the incidents. I do not need the information contained in the RESOLVE_COMMENT column of the incidents table. Would it be possible to get this information using XQL?

About cross-tabulation in XQL

Hi, Is it possible to execute PIVOT on the results of XQL execution? For example, if I execute an XQL query on the following table:

1/1/2025 allow hostname
1/1/2025 deny hostname
1/2/2025 allow hostname
1/2/2025 allow hostname
1/3/2025 deny hostname
1/3/2025 deny hostname

I want to get the following output: allow deny 1/1/2025 ...
