XSIAM - Data Patterns


L0 Member

Hi.

 

Please, a question about Data Patterns in Cortex XSIAM. Once the connection from the Broker VM to the Windows server (SMB) is configured, the connection is verified and displayed under Modules -> Data Security -> Storage Buckets, how is it linked to previously created Data Patterns and Data Profiles?

 

Thank you in advance.

Regards.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello  @oatienza86 ,

 

Greetings for the day.

 

In Cortex XSIAM, the linkage between your configured Storage Buckets (onboarded via the Broker VM SMB connection) and your Data Patterns or Data Profiles is established through the Data Classification engine.

 

There is no manual "mapping" step where you assign specific profiles to specific buckets; instead, the system utilizes all enabled patterns and profiles globally during the scanning process once classification is activated for the asset.

 

  1. Enabling Classification on the SMB Connection:

For the linkage to take effect, you must explicitly enable the classification feature within the Broker VM applet settings for that specific SMB connection:

  • Navigate to Settings → Configurations → Data Broker → Broker VMs.
  • Locate the DSPM Fileshare applet and click to edit the configuration.
  • In the File Share Connection list, find your SMB connection.
  • Turn on the Classification toggle.
  • Select the scan cadence (e.g., scan every day, week, or a custom interval) and click Save.

Once enabled, Cortex XSIAM will scan a sample of files (by default, up to 2,500 random files) during each scheduled scan to identify sensitive records.

 

  2. How Data Patterns and Profiles are Applied:

The "link" is automated based on your global Data Classification configuration:

  • Global Pool of Patterns: The scanning engine uses all enabled data patterns found under Settings → Configurations → Data Classification → Data Patterns to inspect the files in your storage buckets.
  • Automatic Categorization: If a file matches a pattern (e.g., a Credit Card Number), it is automatically associated with the corresponding Data Profile (e.g., PCI or Financial) that contains that pattern.
  • Customization: If you want to exclude certain types of data from being flagged in your SMB shares, you must disable those specific Data Patterns in the Data Classification management screen.

  3. Viewing the Linked Results:

Once the scan is complete, the linkage becomes visible in the Data Security module:

  • Navigate to Modules → Data Security → Storage Buckets.
  • Select the bucket corresponding to your SMB share.
  • The Data or Object tabs will display which Data Patterns and Profiles were discovered within the files of that specific bucket.

If classification results are not appearing, ensure that the Broker VM has the necessary permissions to read the files on the SMB share and that the "Classification" toggle is correctly saved in the Broker VM settings.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
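
The behaviour described in the answer above (a global pool of enabled patterns, pattern-to-profile association, and a random file sample per scan), modelled as an added example that is not part of the original post and is not Cortex XSIAM code. The regexes, profile contents, file names and the `classify_bucket` helper are constructed assumptions.

```python
import random
import re

SAMPLE_LIMIT = 2500  # default sample size quoted in the answer
# Constructed stand-ins for the global pattern pool (not XSIAM's detectors).
PATTERNS = {
    "Credit Card Number": {"enabled": True, "regex": re.compile(r"\b(?:\d[ -]?){13,19}\b")},
    "Email Address": {"enabled": True, "regex": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")},
}
# Constructed profiles: each one is a set of pattern names.
PROFILES = {"PCI": {"Credit Card Number"}, "Financial": {"Credit Card Number"},
            "PII": {"Email Address"}}
# Constructed file contents standing in for an SMB share.
SAMPLE_FILES = {
    "finance/invoice.txt": "card 4111 1111 1111 1111 exp 12/30",
    "hr/contact.txt": "reach me at jane.doe@example.com",
    "misc/ids.txt": "ticket 1234 5678 9012 3456",
}

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def match_patterns(text):
    """Names of enabled patterns that occur in text."""
    hits = set()
    for name, p in PATTERNS.items():
        if not p["enabled"]:
            continue  # disabled patterns are never evaluated, for any bucket
        for m in p["regex"].finditer(text):
            if name != "Credit Card Number" or luhn_ok(re.sub(r"\D", "", m.group())):
                hits.add(name)
                break
    return hits

def classify_bucket(files, limit=SAMPLE_LIMIT, seed=None):
    """Scan a random sample of files ({path: text}); map pattern hits to profiles."""
    sample = random.Random(seed).sample(sorted(files), min(limit, len(files)))
    result = {}
    for path in sample:
        hits = match_patterns(files[path])
        if hits:
            result[path] = {"patterns": hits,
                            "profiles": {n for n, pats in PROFILES.items() if pats & hits}}
    return result
```

In this model, a `limit` smaller than the number of files means a file that contains a pattern can fall outside a given scan's sample.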

 


2 REPLIES 2


Hello Susekar.

 

Thank you very much for your response.

 

After following all the steps and knowing that the user has read permissions on the files, do you have any clue why there are no matches with either the patterns or the created profiles, even though the files themselves contain the pattern searched?

 

Regards.
