Cortex XSIAM Discussions
Cortex XSIAM, the autonomous security platform powering the Modern SOC, operates across cloud and enterprise security operations, providing true end-to-end management of threats wherever they originate.

Discussions

Welcome to the Cortex XSIAM Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 2758 Views
  • 0 replies
  • 0 Likes

XDR Agent Reconnecting

Agent Version: 8.6.0.3704. Last Seen: 01 January 2025. We had to remove the protection since it is cutting off connection via SSH for Backup purposes. Moreover, with protection off, it is able to back up consistently. My question is, we have I already raised a ticket to TAC but they are unsure on what module that is cutting connection via SSH. W...

Dynamic Parsing of JSON to fields in XQL

Hi everyone, I’m working with a dataset in Cortex XSIAM, where I have a field containing JSON data. I want to dynamically parse this JSON so that each key becomes a field and the corresponding value is populated as its value. Is there a way in XQL to dynamically create columns from JSON keys without explicitly defining each key using alter? Ho...

Broker VM rejects SSL certificate

Hello PAN community, I am trying to import an SSL certificate into our #BrokerVM. I can upload the private key, but the Server Certificate gets rejected with the Error: "failed to set custom ssl certificate". I tried .cer and .pem files and none were accepted. The guide only mentions the cipher as an error source, but SHA256 was used. (Configure t...

XSIAM Assets / Network Mapper - How to identify unknown assets

We configured network mapper in the BrokerVM settings and using multiple ports for network identification. Of course, on the firewalls we allow all traffic from them to make a full visibility internally. However, the scan doesn't resolve the hostname or open ports on the machine that can support with OS identification, like 22/ssh - potential Li...

MDovirak by L2 Linker
  • 1256 Views
  • 1 replies
  • 0 Likes

XQL Query for a Correlation Rules

I am trying to write an XQL query for a correlation rule in which alert or incident will trigger for below condition. Condition: Threshold: Only once on match 2 Detect on unique values of: hostname. So, my question is, how to write "Detect on unique values of: hostname" in an XQL query? Please help me with a sample XQL search or syntax in XSIAM. Best ...

What part of the network did an alert generate from?

Within XSIAM, an enterprise's network asset ranges are defined at Assets > Network Configuration. On adding a network, you are able to assign the network a range name and an IP address range. When an alert is generated within XSIAM, where is the range name found within the alert? We want to easily be able to see from which part of the ente...

XSIAM and ITSM Integration question

Hi All, anyone successfully done this to date? My integration works in that I can communicate with ITSM ok. However, I have the following issue: our ITSM Dev team have provided some fields that are required from XSIAM playbook to ingest the tickets successfully. These include fields such as 'source', 'host', 'subject', 'details', etc. However on the ...

PA_nts by L4 Transporter
  • 1073 Views
  • 0 replies
  • 0 Likes
  • 164 Posts
  • 43 Subscriptions