This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.
About Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Start a conversation

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2758 Views
  • 0 replies
  • 0 Likes

Extract Incident context data using 'set' script

Hi All very simple task running the 'set' script in a very basic playbook in xsiam i am trying to pull the 'xsiam url link to the incident' from the incident context data ${parentIncidentFields.xdr_url} into a set task.. but it keeps showing as empty. any idea how i can pull an incident field into the playbook task? if i do ${alert.name} for exa...

PA_nts by L4 Transporter
  • 1724 Views
  • 2 replies
  • 0 Likes

Agent Not updating

Hi, We have Windows clients which are sometimes not on the network nor connected to the internet. Their agent does not get updated. Tell me what other solutions we have to get it updated

O.Faheem by L1 Bithead
  • 1358 Views
  • 3 replies
  • 0 Likes

Forcepoint proxy integration with XSIAM

Hi Palo Team, I am trying to onboard Forcepoint proxy logs into XSIAM, but i couldn't found any marketplace app/supporting datamodel.Could someone help/guide to onboard the forcepoint proxy logs.additionally referring to Splunk where we have a option to onboard through script(Python based) in data inputs , do we have any similar functionality i...

T.Sode by L0 Member
  • 1313 Views
  • 1 replies
  • 0 Likes

How to group related alerts in XSIAM and create a unique incident

Hi dear community :): I have a question Several alerts are forwarding in my Cortex XSIAM system coming from Microsoft Defender, these alerts have different names but all of them are part of a unique incident in MDefender and have a unique event ID. I want to group them in Cortex XSIAM and create a unique incident. So, can you tell me what is t...

IngridS by L0 Member
  • 1582 Views
  • 1 replies
  • 0 Likes

Create Dataset XSIAM

I want to create a dataset to send certain types of logs to this dataset. For example, I want to create a dataset linux_facility_1 for example. Then I want to create a pharse with Ingest that "throws" all the logs of type facilty=1 to this dataset. I have already tried to create a dataset using:dataset = linux_linux_raw| filter syslog_facility =...

Output of prevalence commands

Hi I have been searching around online, both on https://xsoar.pan.dev/ and looking at looking at the source code on github, for the Core - Investigation & Response integration. In order to figure what the values returned by the analytic prevalence commands mean, but have not found anything with much value. Anyone in here that can help shin...

Context polling playbook

In XSIAM playbook,I’m trying to fetch the incident status. When the incident status is changed to for eg under_investigation I want to my playbook to run a certain task. for this I want use context polling sub playbook key : parentIncidentFields.status now for value it is asking for a regex. Need help with the regex format

How to write a data model to map to an authentication story

We are creating a data model and have questions like: ============================================== We are aware that the method of mapping to an authentication story requires defining the following, as described in the documentation. However, we are experiencing issues where the authentication story is not mapped.Specifically, We have crea...

XSIAM Incidents notes and messenger

Hi everyone, I am trying to get all the information added to the Notepad or Messenger fields (Incident Discussion) from the incidents.I do not need the information contained in the RESOLVE_COMMENT column of the incidents table.Would it be possible to get this information using XQL?

About cross-tabulation in XQL

Hi Is it possible to execute PIVOT on the results of XQL execution? For example, if I execute an XQL query on the following table 1/1/2025 allow hostname1/1/2025 deny hostname1/2/2025 allow hostname1/2/2025 allow hostname1/3/2025 deny hostname1/3/2025 deny hostname I want to get the following output allow deny1/1/2025  ...

Playbook| XSIAM

How to check if a particular integration is enabled using a playbook? for example I want a conditional task that checks if AD is enabled. What filters can I use ?

  • 164 Posts
  • 43 Subscriptions
Top Solution Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks