Cortex XSIAM Discussions | Palo Alto Networks

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Resolved! High Memory usage of Cortex Agent

Hi Team, Currently we are currently using XSIAM Agent v8.4, and it is consuming 300+mb of memory. How can we minimize its memory usage? Please see attached photo as reference. Thank you!

Context polling playbook

In XSIAM playbook,I’m trying to fetch the incident status. When the incident status is changed to for eg under_investigation I want to my playbook to run a certain task. for this I want use context polling sub playbook key : parentIncidentFields.status now for value it is asking for a regex. Need help with the regex format

How to write a data model to map to an authentication story

We are creating a data model and have questions like: ============================================== We are aware that the method of mapping to an authentication story requires defining the following, as described in the documentation. However, we are experiencing issues where the authentication story is not mapped.Specifically, We have crea...

XSIAM Incidents notes and messenger

Hi everyone, I am trying to get all the information added to the Notepad or Messenger fields (Incident Discussion) from the incidents.I do not need the information contained in the RESOLVE_COMMENT column of the incidents table.Would it be possible to get this information using XQL?

About cross-tabulation in XQL

Hi Is it possible to execute PIVOT on the results of XQL execution? For example, if I execute an XQL query on the following table 1/1/2025 allow hostname1/1/2025 deny hostname1/2/2025 allow hostname1/2/2025 allow hostname1/3/2025 deny hostname1/3/2025 deny hostname I want to get the following output allow　deny1/1/2025　　...

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM

Hello Everyone, We wanted to calculate the Mean time to detection in XSIAM. Hence we require fields name which has creation time of the alert and actual event generated time of event related to that alert. I believe the difference between these two will provide us the expected result. Reagrds, Vinay

Incident catagories (manual vs automated)

The XSIAM dashboard view splits incidents based on whether they are manual or automated. What field(s) does the dashboard use to determine an incident was automated?

Playbook| XSIAM

How to check if a particular integration is enabled using a playbook? for example I want a conditional task that checks if AD is enabled. What filters can I use ?

Custom Alert Types

Can we create custom Alert Types ?

any way to have multiple counts within same xql query

I need query about status of incidents. I have to all status count in same query. For example in april have 25 auto-resolved, 20 FP, 20 TP but I dont know how can i count in same query. Does anyone have any ideas on this topic?

IBM AS400, AIX Logs, integration XSIAM

Hi, How does Palo Alto Networks propose integrating logs from IBM AS400 and AIX servers? Also, are there any new integrations or IBM features being ported from Qradar SaaS to XSIAM? Thanks, Geethika Wijesuriya

XDR Agent Reconnecting

Agent Version: 8.6.0.3704Last Seen: 01 January 2025 We had to remove the protection since it is cutting off connection via SSH for Backup purposes. Moreover, with protection off, it is able to backup consistently. My question is, we have I already raised a ticket to TAC but they are unsure on what module that is cutting connection via SSH. W...

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Dynamic Parsing of JSON to fields in XQL

Hi everyone, I’m working with a dataset in Cortex XSIAM, where I have a field containing JSON data. I want to dynamically parse this JSON so that each key becomes a field and the corresponding value is populated as its value. Is there a way in XQL to dynamically create columns from JSON keys without explicitly defining each key using alter? Ho...

Custom logo in XSIAM

Do we have an option to change/add the custom logo in XSIAM UI

Discussions

Welcome to the Cortex XSIAM Discussions!

Resolved! High Memory usage of Cortex Agent

Context polling playbook

How to write a data model to map to an authentication story

XSIAM Incidents notes and messenger

About cross-tabulation in XQL

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM

Incident catagories (manual vs automated)

Playbook| XSIAM

Custom Alert Types

any way to have multiple counts within same xql query

IBM AS400, AIX Logs, integration XSIAM

XDR Agent Reconnecting

Welcome to the Cortex XSIAM Discussions!

Dynamic Parsing of JSON to fields in XQL

Custom logo in XSIAM

XSIAM Threat Intelligence Management Module

XSIAM - Data Patterns

UEBA Capabilities

XSIAM - API Get Correlation Rules - Least Priviledge

Broker VM cluster - syslog ingestion

Re: XSIAM Threat Intelligence Management Module

XSIAM Analytics rules Dashboard

XSIAM Threat Intelligence Management Module

Re: XSIAM - Data Patterns

Re: Options to onboard Microsoft Message trace logs into XSIAM

Unlock your full community experience!

Resolved! High Memory usage of Cortex Agent

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM