Cortex XSIAM content - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-05-22
Category
Administrator Guide
Abstract

The type of content in Cortex XSIAM

In Cortex XSIAM, content includes individual content entities that you create such as individual playbooks and alert fields, preinstalled content packs, and content packs that you download from Marketplace.

Content in Marketplace is organized into content packs to support specific security orchestration use cases. Content packs are created by Palo Alto Networks, technology partners, contributors, and customers.

In Cortex XSIAM, content includes the following:

Content

Description

Alert types and fields

All alerts that are ingested into Cortex XSIAM are assigned an alert type when they are classified. After you classify the alert, you can then map the relevant fields to the alert.

Alert types contain fields that are relevant to the alert type.

Classifiers

Classification determines the type of alerts/indicator that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration. Mappers map the fields from your third-party integration to the fields in your alert/indicator layouts.

Correlation Rules

Analyzes correlation of multi-event from multiple sources by using the Cortex XSIAM XQL-based engine for creating these correlations (scheduled) rules. Alerts can then be triggered based on these rules with a defined time frame and schedule.

Dashboards

Dashboards consist of visualized data powered by fully customizable widgets, which enables you to analyze data from inside or outside Cortex XSIAM, in different formats such as line charts, tables, text, etc.

Data Model Rules

Data Model rules enable you to normalize logs for out-of-the-box analytics and data enrichment. This allows you to do the following:

  • Map 3rd party data to a consolidated schema with predefined data types.

  • Enjoy auto-complete and mapping suggestions.

  • Map multiple datasets to one Data Model.

Some content packs contain out-of-the-box default Data Model Rules.

Indicator types and fields

Indicators are categorized by indicator type, which determines the indicator layout and fields that are displayed and which scripts are run on indicators of that type.

Integrations

You can define the following integrations:

  • (SOAR) Automation: Add your 3rd-party security and alert management vendors, which can then trigger events from these integrations that become alerts in Cortex XSIAM. Once the alerts are created, you can run playbooks on these incidents to enrich them with information from other products in your system, which helps you complete the picture.

  • Collection (SIEM): Add integrations that collect raw events, such as logs. These integrations are separate from automation integrations so that you can add a collection integration that requires read permissions without having to add automation (read and write permissions).

Layouts and layout rules

Enables you to add rules, which define the layout of alerts and notifications,

When installed, the layout rules are enabled and added as Default Rules. When deleted, all related layout rules (including all Rule sections) are removed from the Default Rules tab.

Parsing rules

Enables you to add rules, which remove non-required data for analytics, hunting, or regulation, reduce data storage costs, pre-process all incoming data, etc.

When installed, the parsing rules are enabled and added as Default Rules. When deleted, all related parsing rules (including all Rule sections) are removed from the Default Rules tab.

Playbooks

You can automate many security processes, including handling investigations and managing tickets and security responses that were previously handled manually. When an alert is ingested, the playbook runs and an alert is created.

Reports

Reports contain statistical data in the form of widgets (from a dashboard), which enable you to analyze data from inside or outside Cortex XSIAM, in different formats such as line charts, tables, text from information, etc.

Scripts

Perform specific actions and are comprised of commands, which are used in playbook tasks and when running commands in the alert War Room.