Cortex XSIAM Discussions | Palo Alto Networks

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM

Hello Everyone, We wanted to calculate the Mean time to detection in XSIAM. Hence we require fields name which has creation time of the alert and actual event generated time of event related to that alert. I believe the difference between these two will provide us the expected result. Reagrds, Vinay

Incident catagories (manual vs automated)

The XSIAM dashboard view splits incidents based on whether they are manual or automated. What field(s) does the dashboard use to determine an incident was automated?

Playbook| XSIAM

How to check if a particular integration is enabled using a playbook? for example I want a conditional task that checks if AD is enabled. What filters can I use ?

Custom Alert Types

Can we create custom Alert Types ?

any way to have multiple counts within same xql query

I need query about status of incidents. I have to all status count in same query. For example in april have 25 auto-resolved, 20 FP, 20 TP but I dont know how can i count in same query. Does anyone have any ideas on this topic?

IBM AS400, AIX Logs, integration XSIAM

Hi, How does Palo Alto Networks propose integrating logs from IBM AS400 and AIX servers? Also, are there any new integrations or IBM features being ported from Qradar SaaS to XSIAM? Thanks, Geethika Wijesuriya

XDR Agent Reconnecting

Agent Version: 8.6.0.3704Last Seen: 01 January 2025 We had to remove the protection since it is cutting off connection via SSH for Backup purposes. Moreover, with protection off, it is able to backup consistently. My question is, we have I already raised a ticket to TAC but they are unsure on what module that is cutting connection via SSH. W...

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

Dynamic Parsing of JSON to fields in XQL

Hi everyone, I’m working with a dataset in Cortex XSIAM, where I have a field containing JSON data. I want to dynamically parse this JSON so that each key becomes a field and the corresponding value is populated as its value. Is there a way in XQL to dynamically create columns from JSON keys without explicitly defining each key using alter? Ho...

Custom logo in XSIAM

Do we have an option to change/add the custom logo in XSIAM UI

Broker VM rejects SSL certificate

Hello PAN community, I am trying to import a SSL certificate into our #BrokerVMI can upload the private key, but the Server Certificate gets rejected with the Error: "failed to set custom ssl certificate" I tried .cer and .pem files and none were accepted. The guide only mentions the cipher as an error source, but SHA256 was used. (Configure t...

XSIAM Assets / Network Mapper - How to identify unknown assets

We configured network mapper in the BrokerVM settings and using multiple ports for network identification. Of course, on the firewalls we allow all traffic from them to make a full visibility internally. However, the scan doesn't resolve the hostname or open ports on the machine that can support with OS identification, like 22/ssh - potential Li...

Forwarding event to XSIAM

hi , how can i forward special event id to xsiam . For example i want to send 4624 id event log from active directory to cortex xsiam

XQL Query for a Correlation Rules

I am trying to write a xql query for a correlation rule in which alert or incident will trigger for below condition.Condition: Threshold: Only once on match 2 Detect on unique values of: hostnameSo, my question is. how to write "Detect on unique values of: hostname" in a xql query? Please help me with a sample XQL search or syntax in XSIAM.Best ...

What part of the network did an alert generate from?

Within XSIAM, an enterprises' network asset ranges are defined at Assets > Network Configuration. On adding a network, you are able to assign the network a range name and and IP address range. When an alert is generated within XSIAM, where is the range name found within the alert? We want easily be able to see from which part of the ente...

Discussions

Welcome to the Cortex XSIAM Discussions!

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM

Incident catagories (manual vs automated)

Playbook| XSIAM

Custom Alert Types

any way to have multiple counts within same xql query

IBM AS400, AIX Logs, integration XSIAM

XDR Agent Reconnecting

Welcome to the Cortex XSIAM Discussions!

Dynamic Parsing of JSON to fields in XQL

Custom logo in XSIAM

Broker VM rejects SSL certificate

XSIAM Assets / Network Mapper - How to identify unknown assets

Forwarding event to XSIAM

XQL Query for a Correlation Rules

What part of the network did an alert generate from?

UEBA Capabilities

XSIAM - API Get Correlation Rules - Least Priviledge

Broker VM cluster - syslog ingestion

How to filter process_file_info in a BIOC

XSIAM API pagination

Re: UEBA Capabilities

Re: XSIAM - API Get Correlation Rules - Least Priviledge

Unlock your full community experience!

Resolved! What field has the creation of the alert in "Alerts" dataset in XSIAM