Marketplace Overview - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Use the Marketplace to install, exchange, contribute and manage your content in Cortex XSIAM.

The marketplace enables you to easily do the following:

  • Discover top-rated, validated content—Identify the content offerings recommended by your peers and validated by the world’s leading cyber security company. Discover how to increase automation with the tools that you already have.

  • Solve your toughest security use cases—Deploy turn-key security workflows that span integrations, automations, alert fields, types, and playbooks with a single click.

The Marketplace content packs are pre-built bundles of integrations, playbooks, automations and fields, and all the dependencies needed to support specific security orchestration use cases. Content packs, which are free, can be used by all customers and contain any of the following elements:




You can define the following types of integrations:

  • (SOAR) Automation: Add your 3rd-party security and alert management vendors, which can then trigger events from these integrations that become alerts in Cortex XSIAM. Once the alerts are created, you can run playbooks on these incidents to enrich them with information from other products in your system, which helps you complete the picture.

  • Collection (SIEM): Add integrations that collect raw events, such as logs. These integrations are separate from automation integrations so that you can add a collection integration that requires read permissions without having to add an automation (read and write permissions).


You can automate many security processes, including handling investigations and managing tickets and security responses that were previously handled manually. When an alert is ingested, the playbook runs and an alert is created.

Alert Types

All alerts that are ingested into Cortex XSIAM are assigned an alert type when they are classified. After you classify the alert, you can then map the relevant fields to the alert.

Alert Fields

Alert types contain fields that are relevant to the alert type.


Perform specific actions and are comprised of commands, which are used in playbook tasks and when running commands in the alert War Room.

Correlation Rules

Analyzes correlation of multi-event from multiple sources by using the Cortex XSIAM XQL-based engine for creating these correlations (scheduled) rules. Alerts can then be triggered based on these rules with a defined time-frame and schedule.

Data Model Rules

Data Model rules enable you to normalize logs for out-of-the-box analytics and data enrichment. This allows you to do the following:

  • Map 3rd party data to a consolidated schema with predefined data types.

  • Enjoy auto-complete and mapping suggestions.

  • Map multiple datasets to one Data Model.

Some content packs contain out-of-the-box default Data Model Rules.

Parsing Rules

Enables you to add rules which remove non-required data for analytics, hunting, or regulation, reduce data storage costs, pre-process all incoming data, etc.


When installed, the parsing rules are enabled and added as Default Rules. When deleted, all related parsing rules (including all Rule sections) are removed from the Default Rules tab.


Dashboards consist of visualized data powered by fully customizable widgets, which enables you to analyze data from inside or outside Cortex XSIAM, in different formats such as line charts, tables, text, etc.


Reports contain statistical data in the form of widgets (from a dashboard), which enable you to analyze data from inside or outside Cortex XSIAM, in different formats such as line charts, tables, text from information, etc.

Content Pack Support Types

Marketplace includes the following content pack support types:

  • Supported content packs

    Applies only to content packs published by Palo Alto Networks. These content packs are supported and maintained by Palo Alto Networks according to the Palo Alto Networks End User Support Agreement.

  • Partner-Supported content packs

    Applies to content packs published by Cortex XSIAM Technology Partners. Support and maintenance is provided by the Technology Partner, whose contact information appears in the content pack details. Technology Partners are required to join the industry-standard support framework, TSANet, to deliver support to our mutual customers. Customers engage directly with the Partner for support and maintenance of the partner-supported content pack.