XSOAR Packs compatible with XSIAM


L0 Member

I have been digging into the marketplace more recently, specifically with the TIM add-on. I noticed that the marketplace shows multiple different playbooks for the "TIM - Indicator Auto-Processing" pack on the marketplace website. However, inside of the XSIAM console, the marketplace only shows one playbook. Are the playbooks cross-compatible? Are they redundant? Why is there such a disconnect?

1 REPLY

L4 Transporter

Hello @I.Schisel ,

 

Greetings for the day.

 

The disconnect you observed between the Cortex Marketplace website and the internal XSIAM console is intentional and relates to how Cortex XSIAM handles Threat Intelligence Management (TIM) compared to Cortex XSOAR.

 

Why Is There a Disconnect?

The Cortex Marketplace website is a universal catalog that serves multiple products, including Cortex XSOAR and Cortex XSIAM. Because these platforms have different underlying architectures, the marketplace within the XSIAM console automatically filters content to display only what is relevant and supported for the XSIAM platform.

Are the Playbooks Redundant?

Yes, for most XSIAM users, the playbooks within the “TIM – Indicator Auto-Processing” content pack are redundant.

  • Native Engine:
    In Cortex XSIAM, TIM processing—including indicator scoring, expiration, enrichment, and stitching—is handled by a built-in native engine.

  • XSOAR Requirement:
    In Cortex XSOAR, these tasks often require playbook-based automation to manage the indicator lifecycle. Since XSIAM performs these actions automatically in the backend, the TIM processing playbooks available in the marketplace are not required for standard XSIAM operations.

Are They Cross-Compatible?

Although XSIAM is built on XSOAR foundations and can execute many XSOAR playbooks, TIM-specific processing playbooks are commonly hidden or excluded in XSIAM to avoid conflicts with the native TIM engine. Using these playbooks in XSIAM is generally discouraged unless you have a highly customized use case that cannot be addressed by native functionality.

Recommendations

  • Rely on Native Features:
    Use the built-in Threat Management capabilities within the XSIAM console for indicator handling rather than external processing playbooks.

  • Focus on Feed Integrations:
    Prioritize installing Feed integrations from the Marketplace. These feeds supply raw threat intelligence data that the XSIAM engine processes automatically.

  • Check “Show Adopted”:
    If you expect to see a playbook in the Playbook Catalog, ensure the Show Adopted option is enabled, as the catalog defaults to displaying only unadopted content.

If you feel this has answered your query, please let us know by clicking "Like" and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
