Learn more about how to use the Cortex XSIAM interface.
The Cortex XSIAM interface provides a centralized workspace for viewing and managing security data across your environment.
Use the navigation menu on the left to move between product areas in the tenant. For a quick overview of each area, see the Navigation cheat sheet below.
From the interface, you can:
Navigate between product areas.
Chat with an Agentic Assistant agent.
Filter table results to find relevant information.
Create saved views with commonly used filter configurations.
Export table data.
Access in-product help and documentation.
Note
Each SAML login session is valid for 8 hours.
Some menu items only appear if you have the relevant license.
To reduce the number of results, you can filter by any heading and value. When you apply a filter, Cortex XSIAM displays the filter criteria above the results table. You can also filter individual columns for specific values using the icon to the right of the column heading.
Some fields also support additional operators such as =, !=, Contains, not Contains, *, and !*. Filters are persistent: when you navigate away from the page and return, any filter you added remains active.
To build a filter using one or more fields:
From a Cortex XSIAM page, select the filter icon.
Cortex XSIAM adds the filter criteria above the top of the table.
For each field you would like to filter by:
Select or search the field.
Select the operator that matches the criteria.
Use = to include results that match the value you specify, or != to exclude results that match the value.
Enter a value to complete the filter criteria.
Note
CMD fields have a 128-character limit. Shorten longer query strings to 127 characters and add an asterisk (*).
Alternatively, you can select Include empty values to create a filter that excludes or includes results when the field has empty values.
To add additional filters, click +AND, within the filter brackets, to display results that must match all specified criteria, or +OR to display results that match any of the criteria.
To see the results, click out of the filter area.
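The filter semantics described above (the operators, the AND/OR grouping, the "Include empty values" switch, and the 127-character-plus-asterisk workaround for CMD fields) are easier to reason about when written out as code. The following is an added example, not Cortex XSIAM code; the row data is constructed, and the interpretation of `*` as a glob-style wildcard match (with `!*` as its negation) and of a filter as AND-groups joined by OR are assumptions for illustration:

```python
"""Added example: a small model of the table-filter semantics described above.

Everything here is constructed for illustration; it is not Cortex XSIAM code.
Assumed, not taken from the page: the "*" operator is a glob-style wildcard
match and "!*" its negation, and a filter is a list of AND-groups joined by OR.
"""
import fnmatch

# Constructed sample rows standing in for a results table (not real telemetry).
ROWS = [
    {"host": "ws-01",  "user": "alice",   "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "ws-01",  "user": "bob",     "cmd": "notepad.exe report.txt"},
    {"host": "srv-db", "user": "svc_sql", "cmd": "sqlservr.exe -sINSTANCE"},
    {"host": "srv-db", "user": "alice",   "cmd": ""},  # empty CMD field
]

CMD_FIELD_LIMIT = 128  # stated on the page


def shorten_cmd_value(value):
    """Documented workaround for the CMD field limit: a value longer than 128
    characters is cut to 127 characters and given a trailing '*', so it is
    used as a wildcard prefix instead of an exact value."""
    if len(value) <= CMD_FIELD_LIMIT:
        return value
    return value[:CMD_FIELD_LIMIT - 1] + "*"


def _match(op, actual, expected):
    """Evaluate one operator from the page against a non-empty field value."""
    if op == "=":
        return actual == expected
    if op == "!=":
        return actual != expected
    if op == "contains":
        return expected in actual
    if op == "not contains":
        return expected not in actual
    if op == "*":            # assumed: glob-style wildcard match
        return fnmatch.fnmatchcase(actual, expected)
    if op == "!*":           # assumed: negated wildcard match
        return not fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator: {op!r}")


def evaluate_condition(row, cond):
    """A condition is {"field", "op", "value", "include_empty"}.
    When the field is empty, the result is decided only by the
    'Include empty values' switch, mirroring the page's description."""
    actual = row.get(cond["field"])
    if actual in (None, ""):
        return bool(cond.get("include_empty", False))
    return _match(cond["op"], str(actual), str(cond["value"]))


def apply_filter(rows, groups):
    """groups: list of AND-groups (+AND inside brackets); the groups themselves
    are joined with OR (+OR). No groups means no filter is applied."""
    if not groups:
        return list(rows)
    return [
        row for row in rows
        if any(all(evaluate_condition(row, c) for c in group) for group in groups)
    ]


def demo():
    # (host = ws-01 AND cmd contains powershell) OR (user = svc_sql)
    groups = [
        [{"field": "host", "op": "=", "value": "ws-01"},
         {"field": "cmd", "op": "contains", "value": "powershell"}],
        [{"field": "user", "op": "=", "value": "svc_sql"}],
    ]
    return apply_filter(ROWS, groups)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point worth noticing is the empty-value case: a `!=` condition does not match a row whose field is empty unless "Include empty values" is selected, so a filter meant to exclude one known value can silently drop rows with no value at all.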
Cortex XSIAM allows you to save filter configurations so you can quickly return to commonly used data selections. Depending on the page you are working on, you can save either views or filters:
Saved views store table configurations, including filters, so you can quickly switch between commonly used table perspectives.
Saved filters store only the filter criteria, allowing you to quickly apply the same filtering logic again.
These options help you quickly focus on the data most relevant to your workflow.
Saved views
Saved views store filter configurations for table data, allowing you to quickly return to frequently used filters. You can filter table data by fields such as domain, context, or work queue, configure the columns you want to see, and save the configuration as a reusable view.
Saved views are available on most table-based pages, such as the Cases and Issues pages. The default view is All (for example, All Cases).
Select the arrow next to the view name to see all available views. If you modify filters in an existing view, you can update the view or save the configuration as a new view.
To save a view:
Apply one or more filters.
Select Save.
Enter a name for the view.
Choose whether to share the view.
Use the three-dot Actions menu next to the view name to take the following actions:
Set the view as the default.
Share or unshare the view.
Update the view after modifying filters.
Delete the view.
Note
Deleting a shared view removes it for all users.
You can delete your own saved views.
To delete views created by other users, you must have the Account administrator or Instance administrator role.
Saved filters
Some pages allow you to save filters instead of views, such as the IOC and BIOC pages.
Saved filters store filter criteria, allowing you to quickly apply the same filters again. Saved filters help standardize filtering and allow users to quickly apply commonly used search conditions.
To apply a saved filter:
Open the three-dot Actions menu in the table filter row.
Select Saved filters and choose a filter to apply.
Click Apply.
To create a saved filter:
Remove all filters from the table.
Click Add filter and define the filter values.
Click Save and define a filter name.
To manage saved filters:
Open the three-dot Actions menu in the table filter row.
Select Saved filters.
Click the Actions menu next to a filter name and select the relevant action.
Note
Deleting a shared filter removes it for all users.
You can delete your own saved filters.
To delete filters created by other users, you must have the Account administrator or Instance administrator role.
You can export the page results for most pages in Cortex XSIAM to a tab-separated values (TSV) file.
(Optional) Filter page results to reduce the number of results for export.
Select the export to file icon.
Cortex XSIAM exports any results matching your applied filters in TSV format. When you open the file in another tool, specify the tab separator explicitly; automatic delimiter detection does not work for multi-event exports.
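The delimiter caveat matters in practice because event fields (command lines, file paths, user-agent strings) routinely contain commas, so a tool guessing the separator can split one event across extra columns. The following added example, which is not Cortex XSIAM code and uses invented column names and event rows, loads an export with the tab delimiter passed explicitly and checks that every row has the header's field count:

```python
"""Added example: reading a Cortex XSIAM TSV export with an explicit tab
delimiter. This is constructed illustration code, not Cortex XSIAM code;
the column names and event rows below are invented sample data."""
import csv
import io

# Constructed export: the second event's field contains a comma, which is
# exactly what trips up delimiter auto-detection in multi-event exports.
SAMPLE_TSV = (
    "Timestamp\tHost\tAction\tDetail\n"
    "2024-01-01T10:00:00Z\tws-01\tProcess start\tpowershell.exe -File backup.ps1\n"
    "2024-01-01T10:00:05Z\tsrv-db\tFile write\tC:\\Temp\\report,draft.txt\n"
)


def load_export(text, delimiter="\t"):
    """Parse export text into (header, rows). The delimiter is passed
    explicitly; nothing is sniffed."""
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    header = next(reader)
    rows = [row for row in reader if row]  # skip blank trailing lines
    return header, rows


def misaligned_rows(header, rows):
    """Return 1-based row numbers whose field count differs from the header,
    a cheap sanity check after loading with a chosen delimiter."""
    return [i for i, row in enumerate(rows, start=1) if len(row) != len(header)]


def export_to_records(text):
    """Load with the tab delimiter and return a list of dict records,
    refusing to continue if any row is misaligned."""
    header, rows = load_export(text, delimiter="\t")
    bad = misaligned_rows(header, rows)
    if bad:
        raise ValueError(f"rows with unexpected field count: {bad}")
    return [dict(zip(header, row)) for row in rows]


if __name__ == "__main__":
    for record in export_to_records(SAMPLE_TSV):
        print(record)
    # Loading the same text as comma-separated splits the comma-bearing event.
    header, rows = load_export(SAMPLE_TSV, delimiter=",")
    print("misaligned when read as CSV:", misaligned_rows(header, rows))
```

Run stand-alone, the script prints the two records and then shows that reading the same text as comma-separated leaves row 2 with a field count that no longer matches the header.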
The following controls appear in the navigation bar and provide access to system tools, help resources, and tenant settings.
Cortex Agentic Assistant
Click the assistant icon in the top-right corner to open the assistant.
The Cortex Agentic Assistant is the autonomous AI capability of Cortex XSIAM. It uses AI agents that plan, reason, and investigate complex threats, such as cloud identity theft or container breaches.
Notifications
The Notifications panel displays system alerts and updates generated by Cortex XSIAM.
Tenant Navigator
Use Tenant Navigator to view and switch between tenants you have access to. Tenants are organized by CSP account. You can also navigate directly to the Cortex Gateway.
Settings
From the Settings menu, you can:
View license information
Manage audit logs
Manage exceptions configuration
Configure data sources and system settings
Managed Services
The Managed Threat Hunting service provides 24/7 monitoring by Palo Alto Networks threat researchers and Unit 42 experts.
Help
Cortex XSIAM provides in-product help directly within the interface.
Click the help icon to open the Help Center. The topics listed in the panel reflect the page currently open in the Cortex XSIAM tenant. You can also go to the docs portal and enter a topic or keyword in the search bar to find the information you are looking for.
You can also click the star icon on a topic to add it to your favorites. Favorites are saved to the Help Center home page.
User menu
Click your username to access user and tenant options.
From the user menu, you can:
View tenant information
See What's New
Switch between light and dark mode
Log out
Dashboards & Reports
| Component | Description |
|---|---|
| Dashboard | Select a dashboard/command center to view your tenant's activities, enabling you to effectively monitor your cases and overall activity in your environment. |
| Reports | View all the reports that Cortex XSIAM has run. |
| Dashboard Manager | Manage dashboards, including adding dashboards with customized widgets to surface the statistics that matter to you most. |
| Report Templates | Build reports using pre-defined templates or customize a report. Reports can be generated on demand or scheduled. |
| Widget library | Search, view, edit, and create widgets based on predefined widgets and user-created custom widgets. |
Cases & Issues
| Component | Description |
|---|---|
| Cases | Investigate cases, manually create new cases, manage case severity and status, assign cases, and merge cases. |
| Issues | Investigate and manage individual issues. Run a playbook in the Work Plan for an individual issue or run the same playbook on multiple issues from the Issues table. Run commands in the War Room. Navigate to the Findings table. |
| Case Configuration | Add case scoring rules, view starred issues, and add featured hosts, users, and IP addresses. |
Investigation & Response
Search
| Component | Description |
|---|---|
| Query Builder | Build complex queries to investigate, identify connections, and expose the root cause of issues from your data sources. |
| Query Center | View and manage the results of all simple and complex queries created from the Query Builder. |
| Scheduled Queries | View and manage all scheduled and recurring queries created from the Query Builder. |
Automation
| Component | Description |
|---|---|
| Playbooks | Manage playbooks, including viewing, creating, and editing. |
| Scripts | Manage scripts. Use Script Helper to find relevant commands and scripts for your use case. |
| Jobs | Create and manage jobs to run a specific playbook, triggered either by time or a delta in a feed. |
| Playground | Safely develop and test scripts, commands, and more, in a non-production environment not connected to a specific issue or case. |
| Automation Rules | Automatically respond to events by defining trigger conditions and desired actions to perform once the condition is met. |
Response
| Component | Description |
|---|---|
| Action Center | Provides a central location from which you can track the progress of all investigation, response, and maintenance actions performed on your endpoints. |
| Live Terminal | Initiate a remote connection to an endpoint, enabling you to remotely manage, investigate, and perform response actions on the endpoint. |
| EDL | Add malicious domains and IP addresses to an external dynamic list enforceable on your Palo Alto Networks firewall. |
Forensics
| Component | Description |
|---|---|
| N/A | Streamline your case response, data collection, threat hunting, and analysis of your endpoint data to find the source and scope of an attack. Requires the Forensics add-on. |
Notebooks
| Component | Description |
|---|---|
| N/A | Use Jupyter tools to build machine learning models to visualize clusters, identify anomalies, and then feed your findings back into the Cortex XSIAM environment to generate security insights. You need a daily minimum of 1000 compute units. |
Threat Management
Detection Rules
| Component | Description |
|---|---|
| IOC | Identify specific hashes, IP addresses, domains, file names, and paths that indicate a threat. |
| BIOC | Identify a specific network, process, file, or registry activity that indicates a threat. |
| Correlations | Analyze correlations of multiple events from multiple sources. |
| Indicator Rules | Create rules based on filters that are applied as either SHA256 and MD5 prevention rules in specific Agent Prevention Profiles or as file, IP address, and domain detection rules. |
Threat Intelligence
| Component | Description |
|---|---|
| Threat Intelligence | Requires Cortex XSIAM Premium or any other XSIAM license with the TIM add-on. |
| Indicators | Indicators database. Search, review, and interact with indicators including IPs, domains, URLs, hashes, and more. |
Posture Management
Requires Cortex XSIAM Premium or any other XSIAM license with the Cloud Runtime Security add-on.
| Component | Description |
|---|---|
| Vulnerability Management | View vulnerability issues, vulnerable assets, vulnerabilities, and vulnerability intelligence. |
| Compliance | Determine asset vulnerabilities and risk by checking whether assets adhere to industry standards or your organization's best practices for compliance. You can select compliance standards from the compliance catalog. |
| Rules & Policies | Create and edit rules and policies for cloud workload, cloud security, and vulnerability management. |
Inventory
Assets
| Component | Description |
|---|---|
| All Assets | Provides a central location from which you can view and investigate information relating to assets in your network. |
| Groups | Create and view groups of assets with shared attributes. |
| Network configuration | Define your internal IP address ranges and domain names to identify and track your network assets. |
Endpoints
| Component | Description |
|---|---|
| All Endpoints | View and manage endpoints that have registered with your Cortex XSIAM instance. |
| Groups | Create endpoint groups to which you can perform actions and assign the policy. |
| Installations | Create packages of the Cortex XSIAM agent software for deployment to your endpoints. |
| Host Insights | Access comprehensive insights into your system's components, including applications, services, users, and vulnerability assessments, to maintain visibility and security across your environment. |
| Policy Management | Configure your endpoint security profiles and assign them to your endpoints. |
| Host Firewall | Control communications on your endpoints by applying sets of rules that allow or block internal and external traffic. |
| Device Control Violations | Monitor all instances where end users attempted to connect restricted USB-connected devices and Cortex XSIAM blocked them on the endpoint. |
| Disk Encryption Visibility | View and manage endpoints that were encrypted using BitLocker. |
| File Integrity Monitoring | A security control designed to detect unauthorized or anomalous modifications to files and folders in the file system. Any change, such as a new file being created or an existing file being modified, triggers an event that is sent to the Cortex XSIAM tenant. |
Modules
| Component | Description |
|---|---|
| AI Security | Comprehensive overview of the AI assets within an organization. Designed to ensure AI security by offering tools to review and prioritize AI risks effectively. This feature is included with a Cloud Runtime Security, Cloud Posture Security, or Cortex XSIAM Premium license. |
| Application Security | Secures your applications by identifying and prioritizing them as a single, logical entity encompassing assets across the entire software development lifecycle (SDLC). This feature is included with a Cloud Runtime Security, Cloud Posture Security, or Cortex XSIAM Premium license. |
| Data Security | Agentless multi-cloud data security platform that discovers, classifies, protects, and governs sensitive data. This feature is included with a Cloud Runtime Security, Cloud Posture Security, or Cortex XSIAM Premium license. |
| Identity Security | Runs a proprietary algorithm to calculate effective permissions and entitlements of the identities across your cloud service providers. This feature is included with a Cloud Runtime Security, Cloud Posture Security, or Cortex XSIAM Premium license. |
| Kubernetes Security | Automatically discovers assets, enforces policies, and scans for vulnerabilities, malware, secrets, and misconfigurations across the environment. This feature is included with a Cloud Runtime Security, Cloud Posture Security, or Cortex XSIAM Premium license. |
| Attack Surface | ASM helps you discover and manage your public attack surface, providing visibility into all of your digital assets, including on-prem and cloud. Identify and remediate vulnerabilities, enforce compliance policies, and reduce the risk of cyberattacks. Included in Cortex XSIAM Premium or any other XSIAM license with the Attack Surface Management add-on. |
| Email Security | Provides a scalable detection, investigation, and response layer over cloud-hosted email environments. It connects directly to supported email platforms via secure API integrations to ingest rich message-level and identity-related telemetry. Requires the Email Security add-on. |
| Exposure Management | A collection of features, capabilities, integrations, and content designed to help defenders holistically assess, consolidate, prioritize, and proactively respond to exposures in their organization. Requires the Exposure Management add-on. |