09-05-2023 04:43 AM
Hi Communnity
,
I would like to know few things about Cortex XSIAM solution:
1. Auto Discovery feature: If any new log source is added, can the solution notify?
2. How the asset risk score is calculated?
3. In XSIAM, full raw logs of XDR/SIEM will be available or only parsed data?
4. Upgradation of XDR/SOAR/TIP/SIEM will be done all at once or one at a time?
5. How do the solution mimnimizes log delay? How often do we observe delays?
6. Where are the DC and DR placed?
7. Do we have any feature in XSIAM for forensics?
8. How does the licensing work? How much EPS is supported without slowness?
9. Need to know the exact flow of data.
10. How many conectors are available? (API). In case if connector is not available, how much time does it take for integration?
11. Any OOTB use cases/policies available?
09-05-2023 07:04 AM - edited 09-05-2023 07:05 AM
Hello Hrishikeshkale,
1) No, it is up to the administrator onboarding the logs to complete the process by properly parsing them to a dataset and then modeling the data as needed (either via marketplace content, or custom modeling rules)
2) Asset risk score is a summation of all alert scores involving an asset for the last seven days
3) Full raw logs are available for EDR data as well as any logs brought in as RAW format (syslog, json, etc.), other sources are currently only available in their parsed form
4) I believe you are referring to server-side upgrades of XSIAM itself? If so, there is no separation of "modules" within the product, XSIAM is a single solution incorporating components of other Cortex products. XSIAM upgrades are released quarterly, typically, and applied over the weekend when released.
5) XSIAM is a SaaS solution, resources are managed by Palo Alto Networks engineering teams, delays are not typical, however, there is log source monitoring available within the product.
6) Please contact your account team for detailed product architecture information
7) The forensics license add-on is available for the XDR agent, contact your account team for detailed information
8.Please contact your account team for licensing information and see #5 above
9) I cannot answer this without much more detailed information, please contact your account team to discuss your scenario(s)
10) Our in-product Marketplace has hundreds of content packs available including integrations to various 3rd party products and parsing/modeling rules for data retrieved from these solutions, please contact your account team for a detailed discussion of your integration needs and available out of the box content
11) This cannot be answered without a more detailed discussion of your needs/use cases, please contact your account team
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
