Cortex XSIAM content - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-04-25
Category: Administrator Guide
Abstract: The type of content in Cortex XSIAM

In Cortex XSIAM, content includes individual content entities that you create such as individual playbooks and alert fields, preinstalled content packs, and content packs that you download from Marketplace.

Content in Marketplace is organized into content packs to support specific security orchestration use cases. Content packs are created by Palo Alto Networks, technology partners, contributors, and customers.

In Cortex XSIAM, content includes the following content types, each listed with its description:

Alert types and fields

All alerts that are ingested into Cortex XSIAM are assigned an alert type when they are classified. After you classify the alert, you can then map the relevant fields to the alert.

Alert types contain fields that are relevant to the alert type.

Classifiers

Classification determines the type of alert or indicator that is created for events ingested from a specific integration. You create a classifier and define that classifier in an integration. Mappers map the fields from your third-party integration to the fields in your alert or indicator layouts.

Correlation Rules

Correlation rules analyze correlations between multiple events from multiple sources using the Cortex XSIAM XQL-based engine; these correlation rules run on a schedule. Alerts can then be triggered when a rule matches within its defined time frame and schedule.

Dashboards

Dashboards consist of visualized data powered by fully customizable widgets, which enable you to analyze data from inside or outside Cortex XSIAM in different formats, such as line charts, tables, and text.

Data Model Rules

Data Model rules enable you to normalize logs for out-of-the-box analytics and data enrichment. This allows you to do the following:

  • Map third-party data to a consolidated schema with predefined data types.

  • Enjoy auto-complete and mapping suggestions.

  • Map multiple datasets to one Data Model.

Some content packs contain out-of-the-box default Data Model Rules.

Indicator types and fields

Indicators are categorized by indicator type, which determines the indicator layout and fields that are displayed and which scripts are run on indicators of that type.

Integrations

You can define the following integrations:

  • (SOAR) Automation: Add your third-party security and alert management vendors, which can then trigger events from these integrations that become alerts in Cortex XSIAM. Once the alerts are created, you can run playbooks on them to enrich them with information from other products in your system, which helps you complete the picture.

  • Collection (SIEM): Add integrations that collect raw events, such as logs. These integrations are separate from automation integrations, so you can add a collection integration that requires only read permissions without having to add an automation integration (which requires read and write permissions).

Layouts and layout rules

Layout rules enable you to add rules that define the layout of alerts and notifications.

When installed, the layout rules are enabled and added as Default Rules. When deleted, all related layout rules (including all Rule sections) are removed from the Default Rules tab.

Parsing rules

Parsing rules enable you to pre-process all incoming data, for example to remove data that is not required for analytics, hunting, or regulatory purposes, and to reduce data storage costs.

When installed, the parsing rules are enabled and added as Default Rules. When deleted, all related parsing rules (including all Rule sections) are removed from the Default Rules tab.

Playbooks

You can automate many security processes, including handling investigations and managing tickets and security responses that were previously handled manually. When an alert is ingested, the playbook runs and an alert is created.

Reports

Reports contain statistical data in the form of widgets (from a dashboard), which enable you to analyze data from inside or outside Cortex XSIAM in different formats, such as line charts, tables, and text.

Scripts

Scripts perform specific actions and consist of commands, which are used in playbook tasks and when running commands in the alert War Room.