This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.
About Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Start a conversation

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2756 Views
  • 0 replies
  • 0 Likes

Severity in correlations

Hello. Could you help me with the severity field of the correlation? I need to customize the severity of the alert based on the user who triggers the query. The query is already made. When I configure the correlation to get this severity, it ignores it and sets any alert as "Medium" whereas the severities were supposed to be "high" or "informati...

XQL to query Indicators

Hi , I want to create a Dashboard widget that shows a pie graph for indicators. There is the built in widget "indicatorsByVerdict" but I want to create something a bit different. I couldn't find a way to figure that out.

Resolved! Question on transaction stage in XQL

It doesn't appear that the documentation on the transaction stage in XQL is very clearly documented. Does anyone know what the transaction stage really does? Does, and what it uses to "find transactions"? Does it just find instances of contiguous events with the same value in the fields provided?

Automate changes to Incident and Alerts to send to backend system

So looking at a way for when an analyst is working on an incident/case in XSIAM so that, if they add any notes, change the assignment, change severity, run commands in warroom etc - that these changes are sent automatically to a backend webhook via http post or API. anyone done this before or know if possible? thanks in adv

PA_nts by L4 Transporter
  • 952 Views
  • 1 replies
  • 0 Likes

Broker-VM disconnet alert notification

Hi All, anyi dea how i can generate an alert when a broker-vm gets disconnected? Has anyone managed to create a correlation rule that will alert if a Broker-VM gets disconnected from XSIAM? the xsiam documentation states that 'To help you monitor your Broker VM version, connectivity, and high availability clusters, Cortex XSIAM sends notifi...

PA_nts by L4 Transporter
  • 1263 Views
  • 3 replies
  • 0 Likes

Sending alert data via http POST - http body is empty

Hi All, so i am trying to send alerts via a playbook using either http or httpv2 script to send my alert data to a webhook url where the soc analysts will have a common workbench for all alerts (multi xsiam tenant options) i can connect to the webhook but unable to get my http body to push data - tested against httpbin.org seems to work.. soo...

PA_nts by L4 Transporter
  • 1005 Views
  • 1 replies
  • 0 Likes

Resolved! Computers no longer showing in Console

Hi, We have staff members who work in the mining area and do not connect for a very long time; in some cases we have seen they came back from the sites after four months. Additionally, their computers do not appear on the Cortex XSIAM console, or I would use the word drops off. In this scenario, they reconnect to either our network or the inte...

O.Faheem by L1 Bithead
  • 2666 Views
  • 1 replies
  • 0 Likes

Azure Entra SSO for Cortex XSIAM/XDR

Hello LIVEcommunity, Seeking help on Azure Entra SSO integration for XSIAM/XDR. I've managed to setup the configuration according to the documentation. The SP-initiated login are working fine, but not the Idp-initiated login. Logged a case with Palo support and they claimed that it is unsupported. So the current outcome of the Idp-initiated au...

Antony_Chan_0-1747924966467.png

Linking Issues to Cases with Command

Hello Livecomm, I am trying to link an issue to a case using CLI/automation or similar. Right-clicking on an issue allows me to assign it to a case, but I have not found an option to do this programmatically. I have tried using the link incident and link alert command but i receive a response that these arent support on XSIAM. Does anyone have ...

Resolved! Creating a Custom Issue For a Case

Hello LiveComm, I have created a custom case with a single Issue for a Use-Case. I want to create more issues with a command or script in this custom case which will eventually be a playbook task. How does one do such an action? Many thanks, MSysec Cortex XSIAM

Working with Multi-Select Array Field with setParentIncidentFields

Hello all, I have an array of various IPs, and I want to set them to a case field using the setParentIncidentFields command. When defining the argument of values ${my.ips} only the last value is saved. I have tried join or split but to no success. Can anyone recommend what I can do to save multiple values here without overwriting the existing va...

Uploading files to Open Cloud Applications

HI Team, I'm running a test case in uploading test documents to open source Cloud applications. I was successful, but in xdr_data and Zscaler dataset; the file uploads and file names are being shown as blank or none. Please let me know 1. if this has happened and what is the remediation actions followed 2. any other dataset through which I c...

Querying Users Who Changed Incident Status to "Action Required"

Hi Team, We have a process where a user works on an incident and updates its status to "Action Required" for further investigation. While we can see the identity of the user who made this change in the Timeline tab of each incident, reviewing this individually for 500–800 incidents is not feasible. We would like to know if there is a way to filt...

Resolved! Cortex XDR Agent

Hi, We are using Cortex XSIAM. Currently, some Microsoft Windows 10 and 11 agents are not receiving updates, indicating that they will soon become outdated. I concur that the majority of the machines lack network connectivity. However, is it possible that the moment it gets connected to internet, the agent automatically gets updated either by pu...

O.Faheem by L1 Bithead
  • 2175 Views
  • 3 replies
  • 0 Likes

Jira and Teams XSIAM Integration

This is in XSIAM. When I create an instance in "Automation and Feed integrations" I can see that it creates one in the "Data sources" section as well. I do not want the logs from Teams in XSIAM and hence to not want an instance in the "Data sources" section. how do I turn off only the logs part? JIRA integration also beaves the same way. Is ther...

  • 164 Posts
  • 43 Subscriptions
Top Solution Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks