Help permissions - Administrator Guide - Cortex XSIAM - Cortex - Security Operations
Cortex XSIAM 3.x Documentation
Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-11
Category: Administrator Guide
Learn about Cortex XSIAM
Get started with Cortex XSIAM
Cortex XSIAM architecture
Agentic AI in Cortex XSIAM
Agentic Assistant use cases
Compare Agentic Assistant with Cortex Assistant
Agentic Assistant security
Cortex XSIAM product licenses
Data retention
Data storage lifecycle
License allocation
License expiration
Upgrade your tenant
In-product support case creation
Supported web browsers
Use the interface
Manage API keys
Onboard Cortex XSIAM
Plan and prepare
Plan your agent deployment
Deployment steps
Cortex XSIAM onboarding checklist
Activate Cortex XSIAM
Bring your own keys
Cortex XSIAM supported regions
Enable access to required PANW resources
Regional egress resources
Engines IP addresses (outbound)
Inbound source resources
FedRAMP and the US Federal Government required resources
Set up users, groups, and roles
User group management
Assign user roles and groups
Set up authentication
Authenticate users through the Customer Support Portal
Authenticate users using SSO
Set up Okta as the Identity Provider Using SAML 2.0
Set up Microsoft Entra ID as the Identity Provider Using SAML 2.0
Configure content
Set up Cloud Identity Engine
Install Cortex XDR agents
Create an agent installation package
Deploy agent installation packages
Endpoint data collection
Configure global agent settings
Define endpoint groups
Manage endpoint profiles
Guidelines for keeping Cortex XDR agents and content updated
Cortex XSIAM - Analytics
Configure Cortex XSIAM network parameters
Enable the Analytics Engine and Identity Analytics
FedRAMP overview
Cortex Cloud federal compliance
Onboarding & configuration
Limitations & supported regions
Post-deployment
Post-deployment checklist
Perform health checks
Monitor agent operational status in Cortex XSIAM
Cortex Marketplace
Content packs
Install content packs
Manage user roles and access management
Manage user roles
Manage user access
User access reference information
Manage user scope
Manage access to objects
Manage access to custom dashboards
Manage access to report templates
Manage access to playbooks and scripts
Manage access to saved queries
Dashboards and reports
Configure server settings
Configure security settings
Data and log forwarding
Forward logs and data from Cortex XSIAM to external services
Configure external applications for forwarding
Forward notifications to Amazon SQS
Forward notifications to Amazon S3
Forward notifications to Splunk
Forward notifications to webhook
Integrate a syslog receiver
Integrate Slack for outbound notifications
Configure notification forwarding
Monitor administrative activity
Data and log notification formats
Management audit log messages
Issue notification format
Agent Audit log notification format
Management Audit log notification format
Log format for IOC and BIOC issues
Analytics log format
Configure Cortex XSIAM
Data management
Optimize data management in Cortex XSIAM
Configure Cortex Data Lake tier
Broker VM
What is the Broker VM?
Set up and configure Broker VM
Broker VM image installations
Set up Broker VM on Alibaba Cloud
Set up Broker VM on Amazon Web Services
Set up Broker VM on Google Cloud Platform (GCP)
Set up Broker VM on KVM using Ubuntu
Set up Broker VM on Microsoft Azure
Set up Broker VM on Microsoft Hyper-V
Set up Broker VM on Nutanix Hypervisor
Set up Broker VM on VMware ESXi using vSphere Client
Broker VM data collector applets
Manage Broker VM
Edit Broker VM Configuration
Increase Broker VM storage allocated for data caching
Monitor Broker VM using Prometheus
Collect Broker VM Logs
Upgrade Broker VM
Import Broker VM Configuration
Open Live Terminal
Add Broker VM to cluster
Switchover Primary Node in Cluster
Remove from Cluster
Manage Broker VM data collector applets
Broker VM High Availability Cluster
Configure High Availability Cluster
Manage Broker VM clusters
View cluster details
Edit cluster
Add applet to cluster
Add Broker VM to cluster
Remove cluster
Broker VM notifications
Monitor Broker VM activity
Troubleshoot Broker VM applet errors
Dataset management
What are datasets?
Lookup datasets
Import a lookup dataset
Download JSON file of lookup dataset
Set time to live for lookup datasets
Monitor datasets and dataset views activity
Archived data
Import historical data into cold storage
Building XQL archived data queries
Success and failure code responses to your HTTP POST requests
Parsing Rules
What are Parsing Rules?
Parsing Rules editor views
Parsing Rules file structure and syntax
INGEST
parse_cisco
COLLECT
CONST
RULE
EXTEND
Create Parsing Rules
Troubleshooting Parsing rules errors
Parsing Rules Raw Dataset
Data Model Rules
What are Data Model Rules?
Data Model Rules editor views
Data Model Rules file structure and syntax
MODEL
RULE
Field structure
How to map authentication story events?
Create Data Model Rules
Troubleshooting Data Model Rules
Using data enrichment
Data Model Rules notifications
Monitor Data Model Rules activity
Manage Event Forwarding
Endpoints Event Forwarding - included/excluded fields by event type
Manage compute units
Compute units usage
Cortex XSIAM Data Sources
What are Cortex XSIAM data sources?
Complete data source catalog
Vendor-specific data sources
Amazon CloudWatch
Ingest logs from Amazon CloudWatch
Amazon S3
Ingest audit logs from AWS CloudTrail
Ingest network flow logs from Amazon S3
Ingest generic logs from Amazon S3
Ingest network Route 53 logs from Amazon S3
Create an assumed role
Configure data collection from Amazon S3 manually
Amazon Web Services
API Security
Ingest data for API security
Ingest AWS API Gateway
Ingest Azure APIM
Ingest Apigee Proxy
Ingest Kong
Ingest F5
Azure Event Hub
Ingest logs from Microsoft Azure Event Hub
Azure Network Watcher
Ingest network flow logs from Microsoft Azure Network Watcher
BeyondTrust Privilege Management Cloud
Ingest logs from BeyondTrust Privilege Management Cloud
Box
Ingest logs and data from Box
Check Point FW1/VPN1
Cisco ASA firewalls and AnyConnect
Corelight Zeek
Cribl
Ingest data from Cribl
Disable or delete Cribl integration
Data source UUIDs
Collect Windows Event Logs for Cortex XSIAM via Cribl
CrowdStrike APIs
Ingest alerts and metadata from CrowdStrike APIs
CrowdStrike Falcon Data Replicator
Ingest raw EDR events from CrowdStrike Falcon Data Replicator
Databricks
How to onboard Databricks
Dropbox
Ingest logs and data from Dropbox
Elasticsearch Filebeat
Ingest logs from Elasticsearch Filebeat
Forcepoint DLP
Fortinet FortiGate
Google Cloud Platform
Ingest logs and data from a GCP Pub/Sub
Google Workspace
Ingest logs and data from Google Workspace
Google Kubernetes Engine
Ingest logs from Google Kubernetes Engine
HTTP log collector
Set up an HTTP log collector to receive logs
Kubernetes
Onboard the Kubernetes Connector
What's new in Kubernetes Connector?
Supported Kubernetes distributions
Microsoft Azure
Microsoft Defender for Endpoint Events
Ingest raw EDR events from Microsoft Defender for Endpoint
Microsoft Office 365
Ingest logs from Microsoft Office 365
Microsoft Office 365 (email)
Ingest logs and data from Microsoft 365
Microsoft 365 (Posture)
How to onboard Microsoft 365
Okta
Ingest logs and data from Okta
OneLogin
Ingest logs and data from OneLogin
Oracle Cloud Infrastructure
PingFederate
PingOne
Ingest authentication logs and data from PingOne
Proofpoint Targeted Attack Protection
Ingest logs from Proofpoint Targeted Attack Protection
Salesforce
Ingest logs and data from Salesforce
Ingest and run Salesforce automation and remediation
SentinelOne DeepVisibility
Ingest raw EDR events from SentinelOne DeepVisibility
ServiceNow CMDB
Ingest data from ServiceNow CMDB
Windows DHCP via Elasticsearch Filebeat
Ingest logs from Windows DHCP using Elasticsearch Filebeat
Workday
Ingest report data from Workday
Snowflake
How to onboard Snowflake
Zscaler Internet Access
Zscaler Private Access
Cloud service provider (CSP) onboarding
Cloud service provider onboarding
Understand CSP onboarding tiers and licensing
Amazon Web Services cloud onboarding
Security capabilities and deployment planning
Resource inventory
Security model and authentication
Cortex XSIAM and AWS audit log collection architecture
Onboard Amazon Web Services
Prerequisites
How to onboard Amazon Web Services
How to onboard Amazon Web Services with foundational configuration
Deploy the CloudFormation template in AWS
AWS post-deployment verification
Microsoft Azure cloud onboarding
Onboard Microsoft Azure
Prerequisites
How to onboard Microsoft Azure
How to onboard Microsoft Azure with foundational configuration
Finalize Microsoft Azure onboarding by executing the authentication template
GCP cloud onboarding
Onboard Google Cloud Platform
Prerequisites
How to onboard Google Cloud Platform
How to onboard GCP with foundational configuration
Deploy the Terraform authentication template in GCP
Connect Google Workspace with your GCP cloud instance
Oracle Cloud Infrastructure cloud onboarding
Onboard Oracle Cloud Infrastructure
Prerequisites
How to onboard Oracle Cloud Infrastructure
How to onboard Oracle Cloud Infrastructure with foundational configuration
Deploy the Terraform authentication template in OCI
Alibaba Cloud cloud onboarding
Security capabilities and deployment planning
Resource inventory
Security model and authentication
Onboard Alibaba Cloud
Prerequisites
How to onboard Alibaba Cloud
Alibaba Cloud post-deployment verification
Manually connect a cloud instance
Manage cloud instances
Pending cloud instances
Edit your onboarded CSP configuration
Update cloud permissions after Cortex release updates
Troubleshoot errors on cloud instances
Outposts
Outpost fundamentals and planning
Create an outpost
Amazon Web Services provider outpost permissions
Microsoft Azure provider outpost permissions
Google Cloud Platform provider outpost permissions
Introduction to Terraform for Cloud service provider (CSP) onboarding
Cloud service provider permissions
Amazon Web Services provider permissions
Microsoft Azure provider permissions
Google Cloud Platform provider permissions
Oracle Cloud Infrastructure provider permissions
Container Registry Scanning
Overview of container registry scanning
Registry Components
How Container Registry Scanning Works
Configure registry scanning for cloud accounts
Modify the container registry scanning scope
Scan re-evaluation process
Connect Docker Hub registry
Manage a Docker Hub connector
Connect Docker V2 compliant container registry
Manage a Docker V2 connector
Connect GitLab container registry
Manage a GitLab Container Registry connector
Connect Harbor registry
Manage a Harbor connector
Connect JFrog container registry
Manage a JFrog connector
Connect Sonatype Nexus registry
Manage a Sonatype connector
Generic on-premise data collectors
Broker VM data collector applets
Activate Apache Kafka Collector
Activate Cortex Network Scanner
Activate CSV Collector
Activate Database Collector
Activate DSPM Fileshare
Activate Files and Folders Collector
Activate FTP Collector
Activate Local Agent Settings
Activate NetFlow Collector
Activate Network Mapper
Activate Registry Scanner
Syslog Collector applet
Activate Syslog Collector
Ingest logs from a Syslog receiver
Check Point FW1/VPN1
Ingest logs from Check Point firewalls
Cisco ASA firewalls and AnyConnect
Ingest logs from Cisco ASA firewalls and AnyConnect
Corelight Zeek
Ingest logs from Corelight Zeek
Forcepoint DLP
Ingest logs from Forcepoint DLP
Fortinet FortiGate
Ingest logs from Fortinet FortiGate firewalls
Next-Generation Firewall
Ingest Next-Generation Firewall logs using the Syslog collector
PingFederate
Ingest authentication logs from PingFederate
Zscaler Internet Access
Ingest logs from Zscaler Internet Access
Zscaler Private Access
Ingest logs from Zscaler Private Access
Activate Transporter
Activate Windows Event Collector
Activate Windows Event Collector on Windows Core
Renew WEC certificates
XDR Collectors
XDR Collector audit logs
XDR Collector machine requirements and supported operating systems
Resources required to enable access to XDR Collectors
Manage XDR Collectors
XDR Collectors installation resource for Windows and Linux
Create an XDR Collector installation package
Install the XDR Collector installation package for Windows
Install the XDR Collector on Windows using the MSI
Install the XDR Collector on Windows using Msiexec
Install the XDR Collector installation package for Linux
Configure the XDR Collector upgrade scheduler
Set an application proxy for XDR Collectors
Set an alias for an XDR Collector machine
Upgrade XDR Collectors
Uninstall the XDR Collector
Define XDR Collector machine groups
About Cortex XDR Collector content updates
XDR Collector profiles
Add an XDR Collector profile for Windows
Ingest logs from Windows DHCP using Elasticsearch Filebeat
Ingest Windows DNS debug logs using Elasticsearch Filebeat
Add an XDR Collector profile for Linux
Apply profiles to collection machine policies
XDR Collector datasets
Palo Alto Networks integrations
About Palo Alto Networks integrations
Cloud Next-Generation Firewall
Ingest data from Cloud Next-Generation Firewall
Next-Generation Firewall
Ingest data from Next-Generation Firewall
Ingest Next-Generation Firewall logs using the Syslog collector
Ingest data from Prisma Access
Ingest logs from Prisma Access Browser
Ingest detection data from Strata Logging Service
IoT Security
Ingest alerts and assets from IoT Security
Collecting URL and File log types
Detectors connected to URL and File log types
Cloud Posture and Runtime Security data sources
How to onboard on-premise assets to Cortex Cloud Data Security
Activate DSPM Fileshare
How to onboard Databricks
How to onboard Microsoft 365
Ingest logs and data from Okta
Activate Registry Scanner
How to onboard Snowflake
Activate Transporter
External alerts using External Issue Mapping
Ingest external alerts
Administration and troubleshooting
Manage instances
Add a new data source or instance
How to configure the scanning settings for supported services
Manage cloud instances
Update cloud permissions after Cortex release updates
Pending cloud instances
Troubleshoot errors on cloud instances
Manage Kubernetes Connector instances
Integrations
Integration use cases
Add an integration instance
Configure integration permissions
Fetch issues from an integration instance
Map fields to issue types
Classify events using a classifier for issue types
Manage credentials
Troubleshoot Integrations
Forward Requests to Long-Running Integrations
Verify collector connectivity
Overview of data ingestion metrics
Creating correlation rules to monitor data ingestion health
Measuring data freshness
About health issues
Investigate and resolve health issues
Monitor data ingestion health
Monitor correlation rules
Marketplace
Cortex Marketplace
Content packs
Content Pack Support Types
Manage content packs
Marketplace FAQs
Content changes when upgrading Cortex XSIAM versions
Content pack contributions
Configure the Cortex Agentic Assistant
Agentic Assistant components and concepts
Agents Hub
Manage actions
Register actions
Manage agents
Build agents
Expand agent capabilities with MCP integrations
Agentic Assistant role-based access control
Cortex MCP server
Cortex MCP server overview
Install the Cortex MCP server
Configure the MCP client
Use the Cortex MCP server
Create custom Cortex MCP server tools
Automations
Automation in Cortex XSIAM
Quick Actions
Automation Exclusion Center
Manage automation exclusion policies
Playbooks
Playbooks overview
Access to playbooks
Playbook development checklist
Plan your playbook
Manage playbooks
Build your playbook
Task 1. Choose from existing playbooks or create your own
Task 2. Configure playbook settings
Task 3. Add objects from the Task Library
Add commands and scripts
Add sub-playbooks
Add AI prompt tasks
Add manual tasks and blank tasks
Create a standard task
Create a conditional task
Create a communication task
Create a section header
Configure script error handling in a playbook
Task 4. Add custom playbook features
Task 5. Test and debug the playbook
Task 6. Manage playbook content
Customize your playbook
Configure a sub-playbook loop
Filter and transform data
Filter considerations, categories, and built-in filters
Transformer considerations, categories, and built-in transformers
Extend context
Extract indicators
Update issue fields with playbook tasks
Test your playbook
Troubleshoot playbook performance
Manage playbook content
Best practices
Autonomous playbooks
Autonomous playbooks
Enable autonomous playbooks
Manage autonomous playbooks
Manage autonomous automation rules
Work Plan for autonomous playbooks
AI Prompts
AI prompts role-based access control
Use existing prompts
Create a prompt
Write effective prompts
Agentic Response (Preview)
Create an automation rule
Scripts
Access to scripts
Use existing scripts
Create a script
Use the Automation Engineer agent to accelerate script development and deployment
Change the Docker image in an integration or script
Context data
Issue context data
Case context data
Search context data
Add context data to an issue
Add context data to a case
Delete context data from a case
Use context data in a playbook
Lists
Create a list
List commands
Use cases: JSON lists
Transform a list into an array
Jobs
Manage jobs
Create a time triggered job
Create a job triggered by a delta in a feed
Engines
What is an engine?
Engine requirements
Install an engine
Docker
Install Docker
Install Docker distribution for Red Hat on an engine server
Docker image security
Docker FAQs
Troubleshoot Docker issues
Configure Docker pull rate limit
Change the Docker installation folder
Docker hardening guide
Podman
Change the container storage directory
Install Podman
Migrate From Docker to Podman
Troubleshoot Podman
Manage engines
Upgrade an engine
Remove an engine
Configure engines
Configure the engine to use a web proxy
Configure the engine to call the server without using a proxy
Use NGINX as a reverse proxy
Configure an engine to use custom certificates
Use an engine in an integration
Run a script using an engine
Troubleshoot engines
Troubleshoot integrations running on engines
Remote repository management
Cortex XSIAM development tenant
Set up a remote repository
Set up a built-in remote repository
Set up a Private Remote Repository
Push and pull content
Remote repository troubleshooting
Multi-Tenant
What is Cortex XSIAM multi-tenant?
MSSP multi-tenant
Enterprise multi-tenant
Multi-tenant central licensing management
Onboard Cortex multi-tenant
Onboarding checklist for multi-tenant central licensing deployments
Step 1. Activate Cortex XSIAM (main account)
Step 2. Create a child tenant
Onboarding checklist for multi-tenant customer-owned license deployments
Step 1. Activate Cortex XSIAM (parent and child tenants)
Step 2. Define access configurations and role permissions
Step 3. Pair a parent tenant with child tenant
Dynamic license allocation
Child tenant management
Manage a child tenant
Track your tenant management
Investigate child tenant data
Create and allocate configurations
Create a security managed action
About managed threat hunting
Set up Managed Threat Hunting
Investigate Managed Threat Hunting reports
XQL query management
Customize cases and issues
Customize cases and issues
External integrations
Set up case scoring
Create a starring configuration
Create custom case statuses and resolution reasons
Create a sync profile
Create a case domain
Customize case fields and layouts
Create case timers and SLAs
Update case timer and SLA fields
Case fields
Case field types
Create custom case fields
Create a grid field for a case
Update case fields
Case layouts
Create custom case layouts
Create rules for case layouts
Customize issue fields and layouts
Issue fields
Issue field types
Create custom issue fields
Create a grid field for an issue
Issue timer fields
Issue field triggered scripts
Configure issue timer fields
Configure a playbook to run timers
Automate changes to issue fields using timer scripts
Use issue timer field commands manually in the CLI
Issue layouts
Create custom issue layouts
Add a custom widget to an issue layout
Create rules for issue layouts
Service Level Agreements (SLAs) for issue resolution
Create issue exceptions
Configure the issue exception approval workflow
Create an issue exception rule
Create an exception rule from an issue
View issue Exception Rules
Disable issue exception rules
View excepted issues
Optimize case grouping in correlations
Run indicator extraction in the CLI
Managed Services configuration in Cortex
Managed Services configuration
Configure report forwarding
Configure actions permissions
Manage escalation contacts
Protect your endpoints
Endpoint security
Endpoint protection
Malware protection
Exploit protection
File analysis and protection flow
Endpoint protection capabilities
Endpoint protection modules
Processes protected by exploit security policy
File Integrity Monitoring (FIM)
CaaS Workloads
WildFire analysis concepts
Guidelines for keeping Cortex XDR agents and content updated
About content updates
Endpoint data collection
Install and manage endpoints
Set up endpoint protection
Set up endpoint profiles and exception rules
Set up malware prevention profiles
Set up exploit prevention profiles
Set up agent settings profiles
Set up restrictions prevention profiles
Set up exception profiles and rules
Exception configuration
Issue exclusions
Add an issue exclusion rule
Add an IOC or BIOC rule exception
Add a disable prevention rule for endpoints
Add a disable injection and prevention rule
Add a support exception rule for endpoints
Add a legacy exception rule for endpoints
Add a new exceptions security profile
Add a global endpoint policy exception
Set up Identity profiles
Define endpoint groups
Configure global agent settings
Apply profiles to endpoints
Create an agent installation package
Manage an agent installation package
Harden endpoint security
Device control
Host firewall
Host firewall for Windows
Host firewall for macOS
Disk encryption
Host Inventory
Vulnerability Assessment
Set a Cortex XDR agent Critical Environment version
Set an application proxy for Cortex XDR agents
Manage endpoint protection
Move agents between managing servers
Manage endpoint tags
Set an alias for an endpoint
Manage endpoint prevention profiles
Upgrade Cortex XDR agents
Restart agent
Uninstall the Cortex XDR agent
Clear agent database
Delete Cortex XDR agents
Manage agent tokens
Retrieve support file password
Send push notifications to iOS
Monitor agent operational status
Monitor agent activity
Monitor agent upgrade status
Endpoint DLP
Cortex Data Loss Prevention (DLP) module overview
Personas workflow for DLP
Best practices
Configure DLP end-to-end
Onboarding checklist for DLP
Install DLP browser extension on your endpoint
Create endpoint applications
Create endpoint application groups
Create data-in-motion rules
Configure endpoint DLP settings
DLP status in all endpoints
Cortex DLP threat detection and issues
Detect, investigate, and respond to threats
Monitor dashboards and reports
About dashboards
Command Center dashboards
Cortex Command Center
Cortex Agentic Assistant dashboard
XSIAM Command Center
Data Inventory
Dynamic View
Cases Overview
Cloud Detection and Response (CDR) Command Center
Cloud Security Operations
Cloud Security Operations
Dashboard Widgets
Generate Reports
Filter Options
Cortex Cloud Command Center
Predefined dashboards
Reports
Report templates
Build custom dashboards and reports
Build a custom dashboard
Manage your Widget Library
Fine-tune dashboards and reports
Create a custom widget using a script
Script-based widget examples
Create a text widget
Create custom XQL widgets
Configure filters and inputs for custom XQL widgets
Configure dashboard drilldowns
Variables in drilldowns
Run or schedule reports
Investigation and response
Overview of cases
What are cases?
Resolving cases with AI
Case lifecycle
Case thresholds
Case scope and impact
Case and issue domains
Case concepts
Issues, findings, and events
Issues
Findings and events
Case grouping
Case scoring
Case starring
SLAs and tracking
What is Causality?
Analyze and resolve cases
Review all cases
Start case analysis
Agentic Assistant - Case Investigation agent
Establish case context
AI-generated case summaries
Assess case severity and score
Update case attributes
Analyze case details
Grouping graph
Evidence
Issue feed
Associated assets and artifacts
MITRE ATT&CK tactics and techniques
Case timeline
Detailed View
Resolve the case
Resolution Center
Collaborative notes and comments
Resolve a case
Resolution reasons for cases and issues
Cortex Response and Remediation content pack
Investigate an issue using Cortex Response and Remediation playbooks
Example use cases
Additional case actions
Create a case
Merge a case
Unified case view
Investigate issues
Overview of the Issues page
Issue card
Resolution actions
Link or unlink issues from a case
Run an automation on an issue
Use the War Room in an investigation
Use the Work Plan in an investigation
Issue syncing
Issue deduplication
Causality view
Network causality view
Cloud causality view
SaaS causality view
Timeline
Causality icons key
Issue investigation actions
Copy issues
Analyze an issue
Update issue fields
Query case and issue data
Exclude an issue
Create a featured field
Export issue details to a file
Investigate contributing events
Retrieve additional issue details
View generating BIOC or IOC rule
Create profile exceptions
Add a file path to a malware profile allow list
Close an issue
Review findings
Findings card
Investigate artifacts and assets
Investigate an IP address
Investigate an asset
Investigate a host
Investigate a file and process hash
Investigate a user
Investigate endpoints
Overview of the Action Center
Initiate and monitor endpoint actions
Action Center reference information
Manage endpoints
Retrieve files from an endpoint
Retrieve support logs from an endpoint
Retrieve support file password
Scan an endpoint for malware
Investigate files
Manage file execution
Manage quarantined files
Review WildFire analysis details
Import file hash exceptions
Cortex Assistant
Cortex Assistant layout
Cortex Assistant capabilities
Response actions
Initiate a Live Terminal session
Isolate an endpoint
Pause endpoint protection
Run agent scripts on an endpoint
Remediate changes from malicious activity
Search and destroy malicious files
Manage external dynamic lists
Collect a memory image
Forensics
Forensic investigations
Manage an investigation
Create a new investigation
Edit an investigation
Close an investigation
User permissions
Data collection
Hunting
Create a hunt
Hunt results
Hunt status
Triage
Create a triage
Upload an offline triage package
Offline triage collection
Triage results
Triage status
Configure collection
Analysis and documentation
Review alerts
Investigation timeline
Key assets & artifacts
Export
Notebooks
Manage datasets in Notebooks
Notebooks scheduler
Build XQL queries
About the Query Builder
How to build XQL queries
Get started with XQL queries
Useful XQL user interface features
XQL Query best practices
Expected results when querying fields
Create XQL query
Review XQL query results
Translate to XQL
Graph query results
Query Builder templates
Get started with Query Builder templates
Considerations for using Query Builder templates
Create a query from a template
Run a free text query
Query Builder template examples
Overview of the Query Center
Edit and run queries in Query Center
Query Center reference information
Manage scheduled queries
Scheduled Queries reference information
Manage your query library
Federated Search
Federated Search
Federated Search configuration
Query using Federated Search
Manage external datasets
Legacy Query Builder
Create authentication query
Create event log query
Create file query
Create image load query
Create network connections query
Create network query
Create process query
Create registry query
Query across all entities
Research a known threat
Agentic Assistant chat
Get started with Agentic Assistant chat
Choose an Agentic Assistant agent
Chat with an Agentic Assistant agent
Chat with the Agentic Assistant from Slack
Create and run XQL queries with Agentic Assistant chat
Use natural language to query and visualize your data
Manage chat history
Inventory management
Asset management
Asset inventory overview
All assets
All cloud assets
Discovery Engine
Asset classes
AI assets
API assets
Application assets
Code and CI/CD assets
IaC resources assets
Repository assets
VCS organization assets
CI/CD pipelines assets
CI/CD instances assets
Software packages assets
Compute assets
Container images assets
Serverless functions assets
VM images assets
Data assets
Device assets
External Surface assets
Services assets
Domain assets
Certificates assets
External Surface attribution evidence
Identity assets
Network assets
Security services assets
Asset groups
Network configuration
Configure your network parameters
Asset Roles
Manage Asset Roles for Endpoints
Manage Asset Roles for Users
Honey user
Manage Asset Scores
Vulnerability Assessment
Query the asset inventory via XQL
Threat management
Detection rules
What are detection rules?
What's an IOC?
IOC rule details
Create an IOC rule
What's a BIOC?
BIOC rule details
Create a BIOC rule
Manage Global BIOC Rules
What's a correlation rule?
Correlation rule details
Create a correlation rule
Field replacement syntax in correlation rules
Manage correlation rules
Monitor correlation rules
Troubleshoot server errors in scheduled correlation rules
Manage IOC and BIOC rules
Analytics
Analytics overview
Analytics engine
Analytics sensors
Coverage of MITRE ATT&CK tactics
Review MITRE ATT&CK framework coverage
Analytics detection time intervals
Analytics issues and Analytics BIOCs
View and manage Analytics rules
Identity Analytics
Identity Threat Module (ITDR)
AI Detection & Response in Cortex XSIAM (Beta)
Data sources and supported services
AI Detection & Response Dashboard
Collect prompt logs
Prompt log collection in AWS
Enable prompt log collection in Azure
Configure the Azure Event Hub collection in Cortex XSIAM
Set up prompt logging
Log HTTP data
Configure diagnostic settings
Threat Intel Management
Get started with Threat Intel Management
What is Threat Intel Management?
Threat Intel Management use cases
Roles and responsibilities in Threat Intel Management
Indicator concepts
Indicator lifecycle
Indicator configuration
Configure Threat Intelligence feed integrations
Customize indicator fields and types
Create an indicator type
Indicator type profile
Formatting scripts
Enhancement scripts
Reputation scripts
Reputation commands
Map custom indicator fields
Create an indicator field
Indicator field structure
Indicator field trigger scripts
Indicator classification and mapping
Indicator extraction
Set the indicator extraction mode for a playbook task
Disable indicator extraction for scripts or integrations
Configure Threat Intelligence feed integrations
Exclude indicators from enrichment
Generate issues from indicators using indicator rules for prevention and detection
Export indicators
Indicator management
Indicator investigation
Indicator verdict
Extract and enrich an indicator
Expire an indicator
Manage indicator relationships
Delete and exclude indicators
Attack Surface Management
Get started with Attack Surface Management
What is Attack Surface Management?
Attack Surface Management use cases
Network mapping
Scanning
Scanning cadences
Known Assets Monitoring
Scanning ports and protocols
Scanning activity
GeoIP data collection
Attack Surface Management detections
Attack surface rules
Attack Surface Testing
Attack surface tests
Attack Surface Testing intrusivity
Set up Attack Surface Testing
Manage attack surface tests
View issues created from Attack Surface Testing results
Source IP addresses for Attack Surface Testing scans
Externally inferred CVEs
Digital Risk Protection
Attack surface assets
Upload or remove ASM assets
Upload assets
Remove assets
Deploy ASM and Exposure Management enrichment and remediation automation
ASM enrichment of cloud assets
Emerging Vulnerabilities
Global Lookup
Vulnerability management
Vulnerability management in Cortex XSIAM
Cortex XSIAM vulnerability concepts
Vulnerability Management dashboard
Cortex Vulnerability Risk Score
Vulnerability policies
Create a vulnerability policy
Update the Ignored CVEs, Asset Groups, and Assets policy
Modify a vulnerability policy
Configure a block grace period
Enable or disable a vulnerability policy
Investigate and remediate vulnerabilities
View all Vulnerabilities
View vulnerability issues
View All Vulnerability Findings
View vulnerable assets
Vulnerability Intelligence
Recast CVSS scores and CVSS severities
Cloud Security
Monitor and track compliance adherence
Cortex compliance flow
Choose compliance standards from the compliance catalog
Standards Catalog
Use a built-in or custom standard
Controls catalog
Use a built-in or custom control
Associate a custom control to a detection rule
Create a new Custom Detection Rule
Use an assessment profile to run compliance checks on your assets
Configuring assessments for custom compliance standards based on custom cloud security rules
View and manage compliance assessments and reports
Compliance score
Assessments
Reports
View the compliance assessment of an individual asset
Compliance Overview Dashboard
Cloud Security Rules and Policies
Cloud security rules and policies
Cloud security rules
Cloud security policies
Create and manage cloud security rules
Create an attack path rule
Create a configuration rule
Guidelines for creating cloud security rules
Cloud security rule status for custom configuration rules
Create a data rule
Create an identity rule
Create a network exposure rule
Create an AI rule
View cloud security rule status
Edit a cloud security rule
Enable or disable a rule
Use an existing rule to create a new one
Delete a custom cloud security rule
Create and manage cloud security policies
Create a cloud security policy
Edit a cloud security policy
Enable or disable a policy
Use an existing policy to create a new one
Delete a custom cloud security policy
Cortex Cloud Data Classification
What is Cortex Cloud Data Classification?
How to create and validate a custom data pattern
Custom data patterns: Guardrails and syntax guide
How to disable and enable data patterns in Data Classification
How to create and validate a custom data profile
How to disable and enable data profiles in Cortex Cloud Data Classification
How to report a false positive in Cortex Cloud Data Classification
Cortex Cloud Data Security
What is Cortex Cloud Data Security?
Supported assets in Cortex Cloud Data Security
Cortex Cloud Data Security concepts
Cortex Cloud Data Security use cases
Data Inventory
How to review errors in Cortex Cloud Data Security
How to configure the scanning settings for supported services
How to perform advanced Data Security investigations using XQL
How to onboard Databricks
How to onboard Microsoft 365
How to onboard on-premise assets to Cortex Cloud Data Security
How to onboard Snowflake
How to use information protection labels in Cortex Cloud Data Security
Cortex Cloud Identity Security
What is Cortex Cloud Identity Security?
Review and improve your Identity Security posture
How does Effective Permission Calculation work?
Cortex Cloud Identity Security functionality
Unified Human Identities
Achieve the principle of least privilege access
Explore permissions using the simple and advanced access tables
Create a custom detection rule in Cortex Cloud Identity Security
Perform advanced Identity Security investigations using XQL
Ingest logs and data from Okta
Enable inactive human identity logs on Azure in Cortex Cloud Identity Security
Manage RBAC and SBAC in Cortex Cloud Identity Security
Network exposure detection
What is Cloud Network Analyzer?
Internet exposure detection
Outbound exposure detection
East-west exposure detection
Investigate an internet exposure
Configure trusted IPs
Cortex Cloud AI Security
What is Cortex Cloud AI Security?
Supported services in Cortex Cloud AI Security
Cortex Cloud AI Security concepts
Cortex Cloud AI Security use cases
How to perform advanced AI Security investigations using XQL
Serverless function posture security
Onboard cloud providers for serverless functions
Serverless function posture policies
Manage serverless function policies
Create serverless function policies
Serverless function posture rules
Manage serverless function rules
Create serverless function rules
Create an attack path rule for serverless functions
Create a configuration rule for serverless functions
Create a network exposure rule for serverless functions
Serverless function usage
Cortex Cloud Application Security
Onboard data sources
Onboard version control systems
AWS CodeCommit
Azure DevOps
Azure DevOps onboarding system architecture
Bitbucket Cloud
Bitbucket Data Center
GitHub Cloud
GitHub Enterprise (On-Prem)
GitLab SaaS
GitLab Self Managed (On-Prem)
Onboard CI/CD systems
CircleCI for CI/CD pipeline scans
Jenkins for CI/CD pipeline scans
Integrate CI tools
AWS CodeBuild
CircleCI for code scans
Connect Cortex CLI
GitHub Actions
Jenkins for code scans
Terraform Cloud (Run Tasks)
Terraform Enterprise (Run Tasks)
CLI pipeline code snippets
Onboard private package registries
JFrog Artifactory
Onboard JFrog Artifactory
Ingest third-party data sources
Semgrep
Semgrep Software Composition Analysis (SCA) data ingestion
Semgrep Static Application Security Testing (SAST) data ingestion
Snyk
Snyk Software Composition Analysis (SCA) ingestion
Snyk Static Application Security Testing (SAST) data ingestion
SonarQube
Veracode
Generic 3rd Party AppSec Collector
Tenant (console) workflow
API workflow
Upload findings from CI/CD pipelines
Technical requirements and SARIF specifications
Troubleshooting
Manage data source integrations
Transporter over Broker VM
Set up a Transporter applet on Broker VM
Set up a Transporter on your VCS
Manage integrations via data source APIs
Application Security dashboard
Application Security Posture Management (ASPM)
Code to Cloud
Supported integrations
Code to Cloud context and visibility
Code to Cloud troubleshooting
ASPM Command Center
Operational workflows
Applications
Defining Business Applications
Defining business applications by Criteria
Manage Criteria via the tenant UI
Define applications by Code Criteria
Define applications by cloud tag-based Criteria
Manage criteria via the public API
How to manually build an application
Application management and visibility
Manage applications via public APIs
Business application assets
Business application expanded asset details
Export business application data
Scope user access to applications (Application SBAC)
Enable SBAC in the Cortex XSIAM tenant
Create an application-based Asset Group
Scope user access to an application
Create application-scoped policies
Terraform workflow for Asset Groups
Repository as an asset
Understanding repository assets via the UI
Investigate repository assets
Manage repositories via API
Coverage
Coverage in the user interface
Urgency
Urgency and code to cloud traceability
Prioritize issues by Urgency levels
Urgency metrics
View Urgency in the tenant
Backlog baseline
Backlog use cases
Issue/Finding classification by scanner
Using Backlog
Service Level Agreements (SLA)
Configure and monitor Application Security SLAs
Compliance for Application Security
Infrastructure-as-Code (IaC) compliance
Manage IaC compliance
CI/CD Compliance
Create CI/CD compliance reports
Terraform workflow for Compliance assessments
Unified Application Security policies
Core concepts
Tenant (UI) workflow
Create a policy
View and manage policy details
API workflow
Cortex CLI workflow
IDE workflow
Terraform workflow for policies
Reference A: Finding type details
Reference B: Condition filters and logic
Reference C: Scope mapping details
Reference D: Trigger and actions mapping
Reference E: Grace period logic and configuration
Reference F: Engine evaluation and Urgency logic
Reference G: Finding type to trigger mapping
Reference H: Action availability by trigger
Reference I: Audit logging
Application Security Rules
Roles and permissions
Rules inventory
Create custom Application Security rules
Configure YAML file properties
Terraform workflows for rules
Manage custom rules
Manage code weakness issues
Navigate to SAST code weakness issues
Understand the Code Weaknesses table
Investigate and remediate code weakness issues
Code weakness findings
Software supply chain security
Supply Chain assets
VCS organization assets
Understanding VCS organization assets
Investigate VCS organization assets
Manage VCS organization assets
VCS collaborators as assets
In-depth Collaborator asset information
Manage Collaborator assets
Repository as an asset
Understanding repository assets via the UI
Investigate repository assets
Manage Repository assets
Export Software Bill of Materials (SBOM)
Manage issues detected in repositories
Technologies as assets
Manage repository technologies
Troubleshooting and FAQs
Software packages as assets
Understanding software package assets
Investigate software package assets and security issues
CI/CD instance as an asset
Understanding CI/CD instance assets
Investigate and manage CI/CD instance assets
Manage CI/CD pipeline instances
CI/CD pipeline as an asset
Understanding CI/CD pipeline assets
Investigate and manage CI/CD pipeline assets
Manage CI/CD pipeline assets
Tools as an asset
Active tools
Supply Chain Tools
Expanded Supply Chain tool information
Supply chain catalog
Software Composition Analysis (SCA) scanners
Supported Software Composition Analysis (SCA) frameworks and languages
Software Composition Analysis (SCA) vulnerability issues
Understand the Vulnerabilities table
Investigate and remediate CVE vulnerability issues
Investigate CVE vulnerabilities findings
Manage SCA CVE vulnerability issues
License miscompliance issues
Understand the Licenses table
Take action on license miscompliance issues
License miscompliance findings
Open-source software license categories
Manage license miscompliance issues
Ingest third-party SCA data
CI/CD Risks
CI/CD pipeline issues
Expanded CI/CD risks issue information
VCS and CI/CD pipeline risk findings
CI/CD Policies
CI/CD policies user roles and permissions
CI/CD policies inventory
Create CI/CD configuration policies
Application Security CI/CD policy Condition attributes
Manage CI/CD policies
CI/CD Rules
CI/CD rules roles and permissions
CI/CD rules inventory
Code Security
Code Security assets
Software packages as assets
Supported Software Composition Analysis (SCA) frameworks and languages
Understanding software package assets
Investigate software package assets and security issues
Infrastructure-as-Code (IaC) resources as assets
Supported frameworks and languages
Access and filter IaC assets
Investigate IaC assets
Code Security scanners
Secrets scans
Navigate to secrets issues
Understand the secrets issues table
Investigate and remediate secrets issues
Secrets findings
Infrastructure as Code (IaC) misconfiguration scanner
Navigate to IaC misconfiguration issues
Understand the IaC misconfigurations table
Investigate and remediate IaC misconfiguration issues
IaC misconfiguration findings
IaC Drift Detection scans
Navigate to IaC drift detection issues
Understand the IaC drift detection table
Investigate and remediate IaC drift issues
Investigate IaC drift detection findings
Software Composition Analysis (SCA) scanners
Software Composition Analysis (SCA) vulnerability issues
Navigate to CVE vulnerability issues
Understand the Vulnerabilities table
Investigate and remediate CVE vulnerability issues
Investigate CVE vulnerabilities findings
License miscompliance issues
Navigate to license miscompliance issues
Understand the Licenses table
Take action on license miscompliance issues
How license miscompliance issues fit in the Application Security ecosystem
Open-source software license categories
Package operational risk scanner
Understand the package operational risk table
Investigate and remediate package operational risk issues
How package operational risk issues fit in the Application Security ecosystem
API workflows for Code Security issues
Application Security scans management
Manage scans through the tenant (UI)
Branch periodic scans
Pull Request scans
CI scans
Scan health and status reference
Manage repository scan configurations
Monitor data source instances health
Manage scans through public APIs
Application Security CLI
IDE
System requirements
Visual Studio (VS) Code and VS Code compatible IDEs
How to use the Cortex Cloud extension in VS Code
JetBrains
How to use the JetBrains Cortex XSIAM extension
Developer Suppressions
API endpoints
Terraform workflows
Manage resources
Cloud Workload Policies and Rules
How policies and rules work together
Cloud Workload Policies
Types of Cloud Workload Policies
Trusted image cloud workload policies
Cloud Workload Policies page
Widgets panel
Show or hide the widget panel
Change the layout of the policies table
Policy Details Panel
Enable or disable a Cloud Workload Policy
Create a Cloud Workload Policy
Use an existing policy to create a new Cloud Workload policy
Edit a Cloud Workload Policy
Delete a Cloud Workload Policy
Cloud Workload Preventive Action
Cloud Workload Rules
Default (pre-defined) Rules
Custom (user-defined) Rules
Cloud Workload Rules page
Filter page results
Change the layout of the rules table
Rule details panel
Create a new Custom Detection Rule
Use an existing rule to create a new Custom Detection Rule
Edit a Custom Detection Rule
Delete a Custom Detection Rule
Base Images Rule
Web and API Security (WAAS)
Overview
Personas workflow
Secure your API landscape
Gain visibility and assess risk of API endpoints
Monitor and investigate API threats
Configure API security from end to end
Third-party integrations
Ingest AWS API Gateway
Ingest Azure APIM
Ingest Apigee Proxy
Ingest Kong
Ingest F5
Agent-based protection
Set up Web and API Security profiles
Apply Web and API Security profiles to workloads
Manage Web and API Security prevention profiles
Add a disable prevention rule for cloud workloads
Add a support exception rule for cloud workloads
Add a legacy exception rule for cloud workloads
Additional workload management tasks
API specification inventory
Import API specification
Serverless function runtime security
Overview
Set up serverless function protection
Serverless runtime issues
Cortex Advanced Email Security
Cortex Advanced Email Security module overview
Cortex Advanced Email Security module architecture and data flow
Getting started with the Cortex Advanced Email Security module
Deploy and configure the Email Security module
Integrate Microsoft 365 with the Cortex Advanced Email Security Module
Configure the Cortex Advanced Email Security module
Cortex Advanced Email Security threat detection and issues
Email Security Analytics Rules
Investigate and respond to email security issues
Automate remediation for the Cortex Advanced Email Security module
Email Remediation Response Rules
Email Security Remediation Action Center
Email Command Center
Malicious Email Inventory
Mailbox Inventory
Advanced Email Security module security and compliance
Exposure management
Exposure Management
Get started with Exposure Management
Ingest assets and vulnerabilities from third-party applications
Security controls
Automatically detect security controls
Manually attested security control taxonomy
Establish security control roles
Create a security control
Manage security controls
Set compensating controls
Improve controls coverage
Create effectiveness rules
Manage effectiveness rules
Cortex Network Scanner
Get started with Cortex Network Scanner
Add a network
Define target groups
Manage Network Scanner credentials
Create a network scan
Manage scans
View issues triggered by network scanner findings
Exposure Management Command Center
Reference and developer docs
Cortex XSIAM XQL
Get started with XQL
XQL language features
XQL Language Structure
Adding comments in queries
Supported operators
Datasets and presets
About examples
JSON functions
How to filter for empty values in the results table
Understanding string manipulation in XQL
Build XQL queries
About the Query Builder
How to build XQL queries
Get started with XQL queries
Useful XQL user interface features
XQL Query best practices
Expected results when querying fields
Create XQL query
Review XQL query results
Translate to XQL
Graph query results
Query Builder templates
Get started with Query Builder templates
Considerations for using Query Builder templates
Create a query from a template
Run a free text query
Query Builder template examples
Overview of the Query Center
Edit and run queries in Query Center
Query Center reference information
Manage scheduled queries
Scheduled Queries reference information
Manage your query library
Federated Search
Federated Search
Federated Search configuration
Query using Federated Search
Manage external datasets
Legacy Query Builder
Create authentication query
Create event log query
Create file query
Create image load query
Create network connections query
Create network query
Create process query
Create registry query
Query across all entities
Cortex XQL syntax, parameters, and examples
Graph Search
What is Graph Search?
Get started with Graph Search queries
How to build Graph Search queries?
Understand Graph Search query results
Create Graph Search query
Graph Search examples
Manage the Graph Search Query Library
Edit and run queries in Query Center
Query Center reference information
Supported assets and findings
FAQ on Graph Search
Cortex CLI
Connect Cortex CLI
Authenticate credentials
Cortex CLI usage
Self-service API keys for CLI scans
Cortex CLI common command line reference guide
Cortex CLI for API Security
Cortex CLI API Security command line reference guide
Cortex CLI for Cloud Workload Protection
Cloud Workload Protection command line reference
Cortex CLI for Code Security
Cortex CLI usage for Application Security
Cortex CLI Application Security command line reference
Cortex CLI pre-commit hooks
Pre-commit hook usage
Cortex CLI pre-receive hooks
Pre-receive hook usage
Role-Based Access Control
Role permissions by component
Core tenant and administrative permissions
Configuration permissions
Auditing permissions
Alert Notifications permissions
General Configuration permissions
Cortex XDR Analytics permissions
Access management permissions
Data Broker permissions
Log Collection permissions
Data Sources permissions
External Issues Mapping permissions
Integrations - instance permissions
Integrations Permissions
Data Management permissions
Public API
Threat Intelligence permission - API configuration
Long-running HTTP Integrations configuration
Credentials permissions
Network Scanners permissions
Apps - Instance permissions
Object Setup permissions
Case Properties permissions
Exclusion List permissions
Fields and Types permissions
Layout permissions
Sync Profile permissions
Marketplace permissions
Help permissions
SOC Operations, Investigation & Response permissions
Dashboards and Reports permissions
Dashboards permissions
Command Center Dashboard permissions
Ingestion Monitoring dashboard permissions
Reports permissions
Email Command Center permissions
Cloud Security Command Center permissions
Cases and Issues permissions
Investigation and Response permissions
Search permissions
Query Library permissions
Query Center permissions
Forensics permissions
Host Insights permissions
Graph Search permissions
Response permissions
Action Center permissions
EDL permissions
Agent Scripts Library permissions
Live Terminal permissions
Automation permissions
Playbook permissions
Script permissions
Playground permissions
Automation Exclusion Center permissions
Jupyter and Observability apps permissions
Threat Management permissions
Detection Rules permissions
Threat Intelligence permissions
Exceptions Configuration permissions
Issue Exclusions permissions
Exception Management Admin permissions
Exception Approver Admin permissions
Managed Services permissions
Cortex Agentic Assistant permissions
AI Prompts
Cortex Agentic Assistant Agents
Agents and endpoint protection
Inventory - Agent permissions
Agent Administrations
Agent Groups
Agent Prevention Policies
Global Exceptions
Agent Profiles
Agent Extension Policies
Agent Installations
Host Firewall
Device Control
Data Security - Endpoint DLP permissions
Data-in-Motion Rules
Endpoint Applications
Endpoint Applications Groups
Endpoint DLP Settings
Inventory - Assets permissions
Network Configuration permissions
Compliance (Legacy) permissions
Asset Inventory permissions
Asset Roles configuration permissions
Asset Groups permissions
Exposure and Vulnerability Management permissions
Attack Surface permissions
Vulnerability Management permissions
Exposure Management permissions
Cloud Security and Posture Management permissions
CLI Tool permissions
Application Security permissions
Application Security - Generic Collector permissions
Application Security - Issues permissions
Application Security - Scans permissions
Application Security - Policy Management permissions
Application Security - 3rd Party tools permissions
Configurations - Application Security permissions
Policies - Cloud Workload permissions
Cloud Security permissions
Compliance - Cloud permissions
Data Security permissions
AI Security permissions
Data Classification permissions
Identity Security permissions
API documentation
Reference
Cloud service provider permissions
Microsoft Windows security auditing setup
Enable security auditing event IDs
Enable security auditing event IDs with GPO
Set up local machine security auditing without GPO
Additional setup for Active Directory Certificate Services (ADCS) events
Enable auditing access to AD domain objects - 4662
Enable additional event logs using Event Viewer
Enable LDAP server events logging (1644)
Enable LDAP server events logging using RegEdit
Enable LDAP server events logging using GPO
Validate log collection for LDAP Server events
XDM fields for mapping authentication events
Cortex Network Scanner OSS
Fair Usage policy for Cortex XSIAM