Cortex Toolbox Kitlist Builder Ingest Calculator
Content ▾
Packs Integrations Playbooks Scripts
Incident Types Incident Fields Classifiers Layouts
Parsing Rules Correlation Rules Modeling Rules
Reputation Commands Threat Feeds
Docs ▾
Documentation Analytics Alerts XDM Explorer
Settings ▾
Sign in
View as single page
  • Learn about Cortex XSIAM
    • Get started with Cortex XSIAM
      • Cortex XSIAM architecture
    • Agentic AI in Cortex XSIAM
      • Agentic Assistant use cases
      • Compare Agentic Assistant with Cortex Assistant
      • Agentic Assistant security
    • Cortex XSIAM product licenses
      • Data retention
      • Data storage lifecycle
      • License allocation
      • License expiration
      • Upgrade your tenant
    • In-product support case creation
    • Supported web browsers
    • Use the interface
    • Manage API keys
  • Onboard Cortex XSIAM
    • Plan and prepare
      • Plan your agent deployment
    • Deployment steps
      • Cortex XSIAM onboarding checklist
      • Activate Cortex XSIAM
        • Bring your own keys
        • Cortex XSIAM supported regions
        • Enable access to required PANW resources
          • Regional egress resources
          • Engines IP addresses (outbound)
          • Inbound source resources
          • FedRamp and the US Federal Government required resources
      • Set up users, groups, and roles
        • User group management
        • Assign user roles and groups
      • Set up authentication
        • Authenticate users through the Customer Support Portal
        • Authenticate users using SSO
        • Set up Okta as the Identity Provider Using SAML 2.0
        • Set up Microsoft Entra ID as the Identity Provider Using SAML 2.0
      • Configure content
      • Set up Cloud Identity Engine
      • Install Cortex XDR agents
        • Create an agent installation package
        • Deploy agent installation packages
        • Endpoint data collection
        • Configure global agent settings
        • Define endpoint groups
        • Manage endpoint profiles
        • Guidelines for keeping Cortex XDR agents and content updated
      • Cortex XSIAM - Analytics
        • Configure Cortex XSIAM network parameters
        • Enable the Analytics Engine and Identity Analytics
      • FedRAMP overview
        • Cortex Cloud federal compliance
        • Onboarding & configuration
        • Limitations & supported regions
    • Post-deployment
      • Post-deployment checklist
      • Perform health checks
        • Monitor agent operational status in Cortex XSIAM
      • Cortex Marketplace
        • Content packs
        • Install content packs
      • Manage user roles and access management
        • Manage user roles
        • Manage user access
          • User access reference information
        • Manage user scope
        • Manage access to objects
          • Manage access to custom dashboards
          • Manage access to report templates
          • Manage access to playbooks and scripts
          • Manage access to saved queries
      • Dashboards and reports
      • Configure server settings
      • Configure security settings
      • Data and log forwarding
        • Forward logs and data from Cortex XSIAM to external services
          • Configure external applications for forwarding
            • Forward notifications to Amazon SQS
            • Forward notifications to Amazon S3
            • Forward notifications to Splunk
            • Forward notifications to webhook
            • Integrate a syslog receiver
            • Integrate Slack for outbound notifications
          • Configure notification forwarding
          • Monitor administrative activity
        • Data and log notification formats
          • Management audit log messages
          • Issue notification format
          • Agent Audit log notification format
          • Management Audit log notification format
          • Log format for IOC and BIOC issues
          • Analytics log format
  • Configure Cortex XSIAM
    • Data management
      • Optimize data management in Cortex XSIAM
      • Configure Cortex Data Lake tier
      • Broker VM
        • What is the Broker VM?
        • Set up and configure Broker VM
          • Broker VM image installations
            • Set up Broker VM on Alibaba Cloud
            • Set up Broker VM on Amazon Web Services
            • Set up Broker VM on Google Cloud Platform (GCP)
            • Set up Broker VM on KVM using Ubuntu
            • Set up Broker VM on Microsoft Azure
            • Set up Broker VM on Microsoft Hyper-V
            • Set up Broker VM on Nutanix Hypervisor
            • Set up Broker VM on VMware ESXi using vSphere Client
          • Broker VM data collector applets
        • Manage Broker VM
          • Edit Broker VM Configuration
          • Increase Broker VM storage allocated for data caching
          • Monitor Broker VM using Prometheus
          • Collect Broker VM Logs
          • Upgrade Broker VM
          • Import Broker VM Configuration
          • Open Live Terminal
          • Add Broker VM to cluster
          • Switchover Primary Node in Cluster
          • Remove from Cluster
        • Manage Broker VM data collector applets
        • Broker VM High Availability Cluster
          • Configure High Availability Cluster
          • Manage Broker VM clusters
            • View cluster details
            • Edit cluster
            • Add applet to cluster
            • Add Broker VM to cluster
            • Remove cluster
        • Broker VM notifications
        • Monitor Broker VM activity
        • Troubleshoot Broker VM applet errors
      • Dataset management
        • What are datasets?
        • Lookup datasets
          • Import a lookup dataset
          • Download JSON file of lookup dataset
          • Set time to live for lookup datasets
        • Monitor datasets and dataset views activity
      • Archived data
        • Import historical data into cold storage
        • Building XQL archived data queries
        • Success and failure code responses to your HTTP POST requests
      • Parsing Rules
        • What are Parsing Rules?
        • Parsing Rules editor views
        • Parsing Rules file structure and syntax
          • INGEST
            • parse_cisco
          • COLLECT
          • CONST
          • RULE
          • EXTEND
        • Create Parsing Rules
        • Troubleshooting Parsing rules errors
        • Parsing Rules Raw Dataset
      • Data Model Rules
        • What are Data Model Rules?
        • Data Model Rules editor views
        • Data Model Rules file structure and syntax
          • MODEL
          • RULE
          • Field structure
        • How to map authentication story events?
        • Create Data Model Rules
        • Troubleshooting Data Model Rules
        • Using data enrichment
        • Data Model Rules notifications
        • Monitor Data Model Rules activity
      • Manage Event Forwarding
        • Endpoints Event Forwarding - included/excluded fields by event type
      • Manage compute units
        • Compute units usage
    • Cortex XSIAM Data Sources
      • What are Cortex XSIAM data sources?
      • Complete data source catalog
      • Vendor-specific data sources
        • Amazon CloudWatch
          • Ingest logs from Amazon CloudWatch
        • Amazon S3
          • Ingest audit logs from AWS Cloud Trail
          • Ingest network flow logs from Amazon S3
          • Ingest generic logs from Amazon S3
          • Ingest network Route 53 logs from Amazon S3
          • Create an assumed role
          • Configure data collection from Amazon S3 manually
        • Amazon Web Services
        • API Security
          • Ingest data for API security
            • Ingest AWS API Gateway
            • Ingest Azure APIM
            • Ingest Apigee Proxy
            • Ingest Kong
            • Ingest-F5
        • Azure Event Hub
          • Ingest logs from Microsoft Azure Event Hub
        • Azure Network Watcher
          • Ingest network flow logs from Microsoft Azure Network Watcher
        • BeyondTrust Privilege Management Cloud
          • Ingest logs from BeyondTrust Privilege Management Cloud
        • Box
          • Ingest logs and data from Box
        • Check Point FW1/VPN1
        • Cisco ASA firewalls and AnyConnect
        • Corelight Zeek
        • Cribl
          • Ingest data from Cribl
            • Disable or delete Cribl integration
            • Data source UUIDs
            • Collect Windows Event Logs for Cortex XSIAM via Cribl
        • CrowdStrike APIs
          • Ingest alerts and metadata from CrowdStrike APIs
        • CrowdStrike Falcon Data Replicator
          • Ingest raw EDR events from CrowdStrike Falcon Data Replicator
        • Databricks
          • How to onboard Databricks
        • Dropbox
          • Ingest logs and data from Dropbox
        • Elasticsearch Filebeat
          • Ingest logs from Elasticsearch Filebeat
        • Forcepoint DLP
        • Fortinet Fortigate
        • Google Cloud Platform
          • Ingest logs and data from a GCP Pub/Sub
        • Google Workspace
          • Ingest logs and data from Google Workspace
        • Google Kubernetes Engine
          • Ingest logs from Google Kubernetes Engine
        • HTTP log collector
          • Set up an HTTP log collector to receive logs
        • Kubernetes
          • Onboard the Kubernetes Connector
          • What's new in Kubernetes Connector?
          • Supported Kubernetes distributions
        • Microsoft Azure
        • Microsoft Defender for Endpoint Events
          • Ingest raw EDR events from Microsoft Defender for Endpoint
        • Microsoft Office 365
          • Ingest logs from Microsoft Office 365
        • Microsoft Office 365 (email)
          • Ingest logs and data from Microsoft 365
        • Microsoft 365 (Posture)
          • How to onboard Microsoft 365
        • Okta
          • Ingest logs and data from Okta
        • OneLogin
          • Ingest logs and data from OneLogin
        • Oracle Cloud Infrastructure
        • PingFederate
        • PingOne
          • Ingest authentication logs and data from PingOne
        • Proofpoint Targeted Attack Protection
          • Ingest logs from Proofpoint Targeted Attack Protection
        • Salesforce
          • Ingest logs and data from Salesforce
          • Ingest and run Salesforce automation and remediation
        • SentinelOne DeepVisibility
          • Ingest raw EDR events from SentinelOne DeepVisibility
        • ServiceNow CMDB
          • Ingest data from ServiceNow CMDB
        • Windows DHCP via Elasticsearch Filebeat
          • Ingest logs from Windows DHCP using Elasticsearch Filebeat
        • Workday
          • Ingest report data from Workday
        • Snowflake
          • How to onboard Snowflake
        • Zscaler Internet Access
        • Zscaler Private Access
      • Cloud service provider (CSP) onboarding
        • Cloud service provider onboarding
        • Understand CSP onboarding tiers and licensing
        • Amazon Web Services cloud onboarding
          • Security capabilities and deployment planning
          • Resource inventory
          • Security model and authentication
          • Cortex XSIAM and AWS audit log collection architecture
          • Onboard Amazon Web Services
          • Prerequisites
          • How to onboard Amazon Web Services
          • How to onboard Amazon Web Services with foundational configuration
          • Deploy the CloudFormation template in AWS
          • AWS post-deployment verification
        • Microsoft Azure cloud onboarding
          • Onboard Microsoft Azure
          • Prerequisites
          • How to onboard Microsoft Azure
          • How to onboard Microsoft Azure with foundational configuration
          • Finalize Microsoft Azure onboarding by executing the authentication template
        • GCP cloud onboarding
          • Onboard Google Cloud Platform
          • Prerequisites
          • How to onboard Google Cloud Platform
          • How to onboard GCP with foundational configuration
          • Deploy the Terraform authentication template in GCP
          • Connect Google Workspace with your GCP cloud instance
        • Oracle Cloud Infrastructure cloud onboarding
          • Onboard Oracle Cloud Infrastructure
          • Prerequisites
          • How to onboard Oracle Cloud Infrastructure
          • How to onboard Oracle Cloud Infrastructure with foundational configuration
          • Deploy the Terraform authentication template in OCI
        • Alibaba Cloud cloud onboarding
          • Security capabilities and deployment planning
          • Resource inventory
          • Security model and authentication
          • Onboard Alibaba Cloud
          • Prerequisites
          • How to onboard Alibaba Cloud
          • Alibaba Cloud post-deployment verification
        • Manually connect a cloud instance
        • Manage cloud instances
        • Pending cloud instances
        • Edit your onboarded CSP configuration
        • Update cloud permissions after Cortex release updates
        • Troubleshoot errors on cloud instances
        • Outposts
          • Outpost fundamentals and planning
          • Create an outpost
          • Amazon Web Services provider outpost permissions
          • Microsoft Azure provider outpost permissions
          • Google Cloud Platform provider outpost permissions
        • Introduction to Terraform for Cloud service provider (CSP) onboarding
        • Cloud service provider permissions
          • Amazon Web Services provider permissions
          • Microsoft Azure provider permissions
          • Google Cloud Platform provider permissions
          • Oracle Cloud Infrastructure provider permissions
      • Container Registry Scanning
        • Overview of container registry scanning
          • Registry Components
          • How Container Registry Scanning Works
        • Configure registry scanning for cloud accounts
        • Modify the container registry scanning scope
        • Scan re-evaluation process
        • Connect Docker Hub registry
          • Manage a Docker Hub connector
        • Connect Docker V2 compliant container registry
          • Manage a Docker V2 connector
        • Connect GitLab container registry
          • Manage a Gitlab Container Registry connector
        • Connect Harbor registry
          • Manage a Harbor connector
        • Connect JFrog container registry
          • Manage a JFrog connector
        • Connect Sonatype Nexus registry
          • Manage a Sonatype connector
      • Generic on-premise data collectors
        • Broker VM data collector applets
          • Activate Apache Kafka Collector
          • Activate Cortex Network Scanner
          • Activate CSV Collector
          • Activate Database Collector
          • Activate DSPM Fileshare
          • Activate Files and Folders Collector
          • Activate FTP Collector
          • Activate Local Agent Settings
          • Activate NetFlow Collector
          • Activate Network Mapper
          • Activate Registry Scanner
          • Syslog Collector applet
            • Activate Syslog Collector
            • Ingest logs from a Syslog receiver
            • Check Point FW1/VPN1
              • Ingest logs from Check Point firewalls
            • Cisco ASA firewalls and AnyConnect
              • Ingest logs from Cisco ASA firewalls and AnyConnect
            • Corelight Zeek
              • Ingest logs from Corelight Zeek
            • Forcepoint DLP
              • Ingest logs from Forcepoint DLP
            • Fortinet Fortigate
              • Ingest logs from Fortinet Fortigate firewalls
            • Next-Generation Firewall
              • Ingest Next-Generation Firewall logs using the Syslog collector
            • PingFederate
              • Ingest authentication logs from PingFederate
            • Zscaler Internet Access
              • Ingest logs from Zscaler Internet Access
            • Zscaler Private Access
              • Ingest logs from Zscaler Private Access
          • Activate Transporter
          • Activate Windows Event Collector
            • Activate Windows Event Collector on Windows Core
            • Renew WEC certificates
        • XDR Collectors
          • XDR Collector audit logs
          • XDR Collector machine requirements and supported operating systems
          • Resources required to enable access to XDR Collectors
          • Manage XDR Collectors
            • XDR Collectors installation resource for Windows and Linux
            • Create an XDR Collector installation package
            • Install the XDR Collector installation package for Windows
              • Install the XDR Collector on Windows using the MSI
              • Install the XDR Collector on Windows using Msiexec
            • Install the XDR Collector installation package for Linux
            • Configure the XDR Collector upgrade scheduler
            • Set an application proxy for XDR Collectors
            • Set an alias for an XDR Collector machine
            • Upgrade XDR Collectors
            • Uninstall the XDR Collector
          • Define XDR Collector machine groups
          • About Cortex XDR Collector content updates
          • XDR Collector profiles
            • Add an XDR Collector profile for Windows
              • Ingest logs from Windows DHCP using Elasticsearch Filebeat
              • Ingest Windows DNS debug logs using Elasticsearch Filebeat
            • Add an XDR Collector profile for Linux
          • Apply profiles to collection machine policies
          • XDR Collector datasets
      • Palo Alto Networks integrations
        • About Palo Alto Networks integrations
        • Cloud Next-Generation Firewall
          • Ingest data from Cloud Next-Generation Firewall
        • Next-Generation Firewall
          • Ingest data from Next-Generation Firewall
          • Ingest Next-Generation Firewall logs using the Syslog collector
        • Ingest data from Prisma Access
        • Ingest logs from Prisma Access Browser
        • Ingest detection data from Strata Logging Service
        • IoT Security
          • Ingest alerts and assets from IoT Security
        • Collecting URL and File log types
          • Detectors connected to URL and File log types
      • Cloud Posture and Runtime Security data sources
        • How to onboard on-premise assets to Cortex Cloud Data Security
          • Activate DSPM Fileshare
        • How to onboard Databricks
        • How to onboard Microsoft 365
        • Ingest logs and data from Okta
        • Activate Registry Scanner
        • How to onboard Snowflake
        • Activate Transporter
      • External alerts using External Issue Mapping
        • Ingest external alerts
      • Administration and troubleshooting
        • Manage instances
          • Add a new data source or instance
          • How to configure the scanning settings for supported services
          • Manage cloud instances
          • Update cloud permissions after Cortex release updates
          • Pending cloud instances
          • Troubleshoot errors on cloud instances
          • Manage Kubernetes Connector instances
        • Integrations
          • Integration use cases
          • Add an integration instance
          • Configure integration permissions
          • Fetch issues from an integration instance
            • Map fields to issue types
            • Classify events using a classifier for issue types
          • Manage credentials
          • Troubleshoot Integrations
          • Forward Requests to Long-Running Integrations
        • Verify collector connectivity
        • Overview of data ingestion metrics
          • Creating correlation rules to monitor data ingestion health
          • Measuring data freshness
        • About health issues
          • Investigate and resolve health issues
          • Monitor data ingestion health
          • Monitor correlation rules
    • Marketplace
      • Cortex Marketplace
      • Content packs
      • Content Pack Support Types
      • Manage content packs
      • Marketplace FAQs
      • Content changes when upgrading Cortex XSIAM versions
      • Content pack contributions
    • Configure the Cortex Agentic Assistant
      • Agentic Assistant components and concepts
      • Agents Hub
        • Manage actions
        • Register actions
        • Manage agents
        • Build agents
        • Expand agent capabilities with MCP integrations
      • Agentic Assistant role-based access control
    • Cortex MCP server
      • Cortex MCP server overview
        • Install the Cortex MCP server
        • Configure the MCP client
        • Use the Cortex MCP server
        • Create custom Cortex MCP server tools
    • Automations
      • Automation in Cortex XSIAM
      • Quick Actions
      • Automation Exclusion Center
        • Manage automation exclusion policies
      • Playbooks
        • Playbooks overview
        • Access to playbooks
        • Playbook development checklist
        • Plan your playbook
        • Manage playbooks
        • Build your playbook
          • Task 1. Choose from existing playbooks or create your own
          • Task 2. Configure playbook settings
          • Task 3. Add objects from the Task Library
            • Add commands and scripts
            • Add sub-playbooks
            • Add AI prompt tasks
            • Add manual tasks and blank tasks
              • Create a standard task
              • Create a conditional task
              • Create a communication task
            • Create a section header
            • Configure script error handling in a playbook
          • Task 4. Add custom playbook features
          • Task 5. Test and debug the playbook
          • Task 6. Manage playbook content
        • Customize your playbook
          • Configure a sub-playbook loop
          • Filter and transform data
            • Filter considerations, categories, and built-in filters
            • Transformer considerations, categories, and built-in transformers
          • Extend context
          • Extract indicators
          • Update issue fields with playbook tasks
        • Test your playbook
          • Troubleshoot playbook performance
        • Manage playbook content
        • Best practices
      • Autonomous playbooks
        • Autonomous playbooks
        • Enable autonomous playbooks
        • Manage autonomous playbooks
        • Manage autonomous automation rules
        • Work Plan for autonomous playbooks
      • AI Prompts
        • AI prompts role-based access control
        • Use existing prompts
        • Create a prompt
        • Write effective prompts
      • Agentic Response (Preview)
      • Create an automation rule
      • Scripts
        • Access to scripts
        • Use existing scripts
        • Create a script
        • Use the Automation Engineer agent to accelerate script development and deployment
        • Change the Docker image in an integration or script
      • Context data
        • Issue context data
        • Case context data
        • Search context data
        • Add context data to an issue
        • Add context data to a case
        • Delete context data from a case
        • Use context data in a playbook
      • Lists
        • Create a list
        • List commands
        • Use cases: JSON lists
        • Transform a list into an array
      • Jobs
        • Manage jobs
        • Create a time triggered job
        • Create a job triggered by a delta in a feed
    • Engines
      • What is an engine?
      • Engine requirements
      • Install an engine
        • Docker
          • Install Docker
            • Install Docker distribution for Red Hat on an engine server
            • Docker image security
            • Docker FAQs
            • Troubleshoot Docker issues
            • Configure Docker pull rate limit
            • Change the Docker installation folder
          • Docker hardening guide
        • Podman
          • Change the container storage directory
          • Install Podman
          • Migrate From Docker to Podman
          • Troubleshoot Podman
      • Manage engines
      • Upgrade an engine
      • Remove an engine
      • Configure engines
        • Configure the engine to use a web proxy
        • Configure the engine to call the server without using a proxy
          • Use NGINX as a reverse proxy
        • Configure an engine to use custom certificates
      • Use an engine in an integration
      • Run a script using an engine
      • Troubleshoot engines
      • Troubleshoot integrations running on engines
    • Remote repository management
      • Cortex XSIAM development tenant
      • Set up a remote repository
        • Set up a built-in remote repository
        • Set up a Private Remote Repository
      • Push and pull content
      • Remote repository troubleshooting
    • Multi-Tenant
      • What is Cortex XSIAM multi-tenant?
        • MSSP multi-tenant
        • Enterprise multi-tenant
      • Multi-tenant central licensing management
      • Onboard Cortex multi-tenant
        • Onboarding checklist for multi-tenant central licensing deployments
          • Step 1. Activate Cortex XSIAM (main account)
          • Step 2. Create a child tenant
        • Onboarding checklist for multi-tenant customer-owned license deployments
          • Step 1. Activate Cortex Cortex XSIAM (parent and child tenants)
          • Step 2. Define access configurations and role permissions
          • Step 3. Pair a parent tenant with child tenant
      • Dynamic license allocation
      • Child tenant management
        • Manage a child tenant
        • Track your tenant management
        • Investigate child tenant data
        • Create and allocate configurations
        • Create a security managed action
      • About managed threat hunting
        • Set up Managed Threat Hunting
        • Investigate Managed Threat Hunting reports
    • XQL query management
    • Customize cases and issues
      • Customize cases and issues
        • External integrations
        • Set up case scoring
        • Create a starring configuration
        • Create custom case statuses and resolution reasons
        • Create a sync profile
        • Create a case domain
        • Customize case fields and layouts
          • Create case timers and SLAs
            • Update case timer and SLA fields
          • Case fields
            • Case field types
            • Create custom case fields
            • Create a grid field for a case
            • Update case fields
          • Case layouts
            • Create custom case layouts
            • Create rules for case layouts
        • Customize issue fields and layouts
          • Issue fields
            • Issue field types
            • Create custom issue fields
            • Create a grid field for an issue
            • Issue timer fields
            • Issue field triggered scripts
            • Configure issue timer fields
            • Configure a playbook to run timers
            • Automate changes to issue fields using timer scripts
            • Use issue timer field commands manually in the CLI
          • Issue layouts
            • Create custom issue layouts
            • Add a custom widget to an issue layout
            • Create rules for issue layouts
        • Service Level Agreements (SLAs) for issue resolution
        • Create issue exceptions
          • Configure the issue exception approval workflow
          • Create an issue exception rule
          • Create an exception rule from an issue
          • View issue Exception Rules
          • Disable issue exception rules
          • View excepted issues
        • Optimize case grouping in correlations
        • Run indicator extraction in the CLI
    • Managed Services configuration in Cortex
      • Managed Services configuration
      • Configure report forwarding
      • Configure actions permissions
      • Manage escalation contacts
  • Protect your endpoints
    • Endpoint security
      • Endpoint protection
        • Malware protection
        • Exploit protection
        • File analysis and protection flow
        • Endpoint protection capabilities
        • Endpoint protection modules
        • Processes protected by exploit security policy
        • File Integrity Monitoring (FIM)
        • CaaS Workloads
        • WildFire analysis concepts
        • Guidelines for keeping Cortex XDR agents and content updated
        • About content updates
        • Endpoint data collection
      • Install and manage endpoints
        • Set up endpoint protection
          • Set up endpoint profiles and exception rules
            • Set up malware prevention profiles
            • Set up exploit prevention profiles
            • Set up agent settings profiles
            • Set up restrictions prevention profiles
            • Set up exception profiles and rules
              • Exception configuration
              • Issue exclusions
                • Add an issue exclusion rule
              • Add an IOC or BIOC rule exception
              • Add a disable prevention rule for endpoints
              • Add a disable injection and prevention rule
              • Add a support exception rule for endpoints
              • Add a legacy exception rule for endpoints
                • Add a new exceptions security profile
                • Add a global endpoint policy exception
            • Set up Identity profiles
          • Define endpoint groups
          • Configure global agent settings
          • Apply profiles to endpoints
          • Create an agent installation package
            • Manage an agent installation package
          • Harden endpoint security
            • Device control
            • Host firewall
              • Host firewall for Windows
              • Host firewall for macOS
            • Disk encryption
            • Host Inventory
            • Vulnerability Assessment
          • Set a Cortex XDR agent Critical Environment version
          • Set an application proxy for Cortex XDR agents
        • Manage endpoint protection
          • Move agents between managing servers
          • Manage endpoint tags
          • Set an alias for an endpoint
          • Manage endpoint prevention profiles
          • Upgrade Cortex XDR agents
          • Restart agent
          • Uninstall the Cortex XDR agent
          • Clear agent database
          • Delete Cortex XDR agents
          • Manage agent tokens
          • Retrieve support file password
          • Send push notifications to iOS
          • Monitor agent operational status
          • Monitor agent activity
          • Monitor agent upgrade status
    • Endpoint DLP
      • Cortex Data Loss Prevention (DLP) module overview
      • Personas workflow for DLP
      • Best Practices
      • Configure DLP end-to-end
        • Onboarding checklist for DLP
          • Install DLP browser extension on your endpoint
          • Create endpoint applications
          • Create endpoint application groups
          • Create data-in-motion rules
          • Configure endpoint DLP settings
      • DLP status in all endpoints
      • Cortex DLP threat detection and issues
  • Detect, investigate, and respond to threats
    • Monitor dashboards and reports
      • About dashboards
        • Command Center dashboards
          • Cortex Command Center
          • Cortex Agentic Assistant dashboard
          • XSIAM Command Center
            • Data Inventory
            • Dynamic View
            • Cases Overview
          • Cloud Detection and Response (CDR) Command Center
          • Cloud Security Operations
            • Cloud Security Operations
              • Dashboard Widgets
                • Generate Reports
                • Filter Options
          • Cortex Cloud Command Center
        • Predefined dashboards
        • Reports
          • Report templates
      • Build custom dashboards and reports
        • Build a custom dashboard
        • Manage your Widget Library
      • Fine-tune dashboards and reports
        • Create a custom widget using a script
          • Script-based widget examples
        • Create a text widget
        • Create custom XQL widgets
          • Configure filters and inputs for custom XQL widgets
        • Configure dashboard drilldowns
          • Variables in drilldowns
      • Run or schedule reports
    • Investigation and response
      • Overview of cases
        • What are cases?
        • Resolving cases with AI
        • Case lifecycle
        • Case thresholds
        • Case scope and impact
        • Case and issue domains
      • Case concepts
        • Issues, findings, and events
          • Issues
          • Findings and events
        • Case grouping
        • Case scoring
        • Case starring
        • SLAs and tracking
        • What is Causality?
      • Analyze and resolve cases
        • Review all cases
        • Start case analysis
          • Agentic Assistant- Case Investigation agent
        • Establish case context
          • AI-generated case summaries
          • Assess case severity and score
          • Update case attributes
        • Analyze case details
          • Grouping graph
          • Evidence
          • Issue feed
          • Associated assets and artifacts
          • MITRE ATT&CK tactics and techniques
          • Case timeline
          • Detailed View
        • Resolve the case
          • Resolution Center
          • Collaborative notes and comments
          • Resolve a case
          • Resolution reasons for cases and issues
          • Cortex Response and Remediation content pack
            • Investigate an issue using Cortex Response and Remediation playbooks
            • Example use cases
        • Additional case actions
          • Create a case
          • Merge a case
        • Unified case view
      • Investigate issues
        • Overview of the Issues page
        • Issue card
        • Resolution actions
        • Link or unlink issues from a case
        • Run an automation on an issue
        • Use the War Room in an investigation
        • Use the Work Plan in an investigation
        • Issue syncing
        • Issue deduplication
        • Causality view
          • Network causality view
          • Cloud causality view
          • SaaS causality view
          • Timeline
          • Causality icons key
        • Issue investigation actions
          • Copy issues
          • Analyze an issue
          • Update issue fields
          • Query case and issue data
          • Exclude an issue
          • Create a featured field
          • Export issue details to a file
          • Investigate contributing events
          • Retrieve additional issue details
          • View generating BIOC or IOC rule
          • Create profile exceptions
          • Add a file path to a malware profile allow list
          • Close an issue
      • Review findings
        • Findings card
      • Investigate artifacts and assets
        • Investigate an IP address
        • Investigate an asset
        • Investigate a host
        • Investigate a file and process hash
        • Investigate a user
      • Investigate endpoints
        • Overview of the Action Center
          • Initiate and monitor endpoint actions
          • Action Center reference information
        • Manage endpoints
        • Retrieve files from an endpoint
        • Retrieve support logs from an endpoint
        • Retrieve support file password
        • Scan an endpoint for malware
      • Investigate files
        • Manage file execution
        • Manage quarantined files
        • Review WildFire analysis details
        • Import file hash exceptions
      • Cortex Assistant
        • Cortex Assistant layout
        • Cortex Assistant capabilities
      • Response actions
        • Initiate a Live Terminal session
        • Isolate an endpoint
        • Pause endpoint protection
        • Run agent scripts on an endpoint
        • Remediate changes from malicious activity
        • Search and destroy malicious files
        • Manage external dynamic lists
        • Collect a memory image
      • Forensics
        • Forensic investigations
          • Manage an investigation
            • Create a new investigation
            • Edit an investigation
            • Close an investigation
            • User permissions
          • Data collection
            • Hunting
              • Create a hunt
              • Hunt results
              • Hunt status
            • Triage
              • Create a triage
              • Upload an offline triage package
              • Offline triage collection
              • Triage results
              • Triage status
            • Configure collection
          • Analysis and documentation
            • Review alerts
            • Investigation timeline
            • Key assets & artifacts
          • Export
      • Notebooks
        • Manage datasets in Notebooks
        • Notebooks scheduler
      • Build XQL queries
        • About the Query Builder
        • How to build XQL queries
          • Get started with XQL queries
          • Useful XQL user interface features
          • XQL Query best practices
          • Expected results when querying fields
          • Create XQL query
          • Review XQL query results
          • Translate to XQL
          • Graph query results
        • Query Builder templates
          • Get started with Query Builder templates
          • Considerations for using Query Builder templates
          • Create a query from a template
          • Run a free text query
          • Query Builder template examples
        • Overview of the Query Center
          • Edit and run queries in Query Center
            • Query Center reference information
        • Manage scheduled queries
          • Scheduled Queries reference information
        • Manage your query library
        • Federated Search
          • Federated Search
          • Federated Search configuration
          • Query using Federated Search
          • Manage external datasets
        • Legacy Query Builder
          • Create authentication query
          • Create event log query
          • Create file query
          • Create image load query
          • Create network connections query
          • Create network query
          • Create process query
          • Create registry query
          • Query across all entities
      • Research a known threat
    • Agentic Assistant chat
      • Get started with Agentic Assistant chat
      • Choose an Agentic Assistant agent
      • Chat with an Agentic Assistant agent
      • Chat with the Agentic Assistant from Slack
      • Create and run XQL queries with Agentic Assistant chat
      • Use natural language to query and visualize your data
      • Manage chat history
    • Inventory management
      • Asset management
        • Asset inventory overview
        • All assets
        • All cloud assets
          • Discovery Engine
        • Asset classes
          • AI assets
          • API assets
          • Application assets
          • Code and CI/CD assets
            • IaC resources assets
            • Repository assets
            • VCS organization assets
            • CI/CD pipelines assets
            • CI/CD instances assets
            • Software packages assets
        • Compute assets
          • Container images assets
          • Serverless functions assets
          • VM images assets
        • Data assets
        • Device assets
        • External Surface assets
          • Services assets
          • Domain assets
          • Certificates assets
          • External Surface attribution evidence
        • Identity assets
        • Network Assets
        • Security services assets
        • Asset groups
        • Network configuration
          • Configure your network parameters
        • Asset Roles
          • Manage Asset Roles for Endpoints
          • Manage Asset Roles for Users
            • Honey user
        • Manage Asset Scores
        • Vulnerability Assessment
        • Query the asset inventory via XQL
    • Threat management
      • Detection rules
        • What are detection rules?
          • What's an IOC?
            • IOC rule details
            • Create an IOC rule
          • What's a BIOC?
            • BIOC rule details
            • Create a BIOC rule
            • Manage Global BIOC Rules
          • What's a correlation rule?
            • Correlation rule details
            • Create a correlation rule
            • Field replacement syntax in correlation rules
            • Manage correlation rules
            • Monitor correlation rules
            • Troubleshoot server errors in scheduled correlation rules
          • Manage IOC and BIOC rules
      • Analytics
        • Analytics overview
          • Analytics engine
          • Analytics sensors
          • Coverage of MITRE Attack tactics
          • Review MITRE ATT&CK framework coverage
          • Analytics detection time intervals
          • Analytics issues and Analytics BIOCs
          • View and manage Analytics rules
          • Identity Analytics
          • Identity Threat Module (ITDR)
          • AI Detection & Response in Cortex XSIAM (Beta)
            • Data sources and supported services
            • AI Detection & Response Dashboard
            • Collect prompt logs
              • Prompt log collection in AWS
              • Enable prompt log collection in Azure
                • Configure the Azure Event Hub collection in Cortex XSIAM
                • Set up prompt logging
                • Log HTTP data
                • Configure diagnostic settings:
      • Threat Intel Management
        • Get started with Threat Intel Management
          • What is Threat Intel Management?
          • Threat Intel Management use cases
          • Roles and responsibilities in Threat Intel Management
          • Indicator concepts
          • Indicator lifecycle
        • Indicator configuration
          • Configure Threat Intelligence feed integrations
          • Customize indicator fields and types
            • Create an indicator type
              • Indicator type profile
              • Formatting scripts
              • Enhancement scripts
              • Reputation scripts
              • Reputation commands
              • Map custom indicator fields
            • Create an indicator field
              • Indicator field structure
              • Indicator field trigger scripts
          • Indicator classification and mapping
          • Indicator extraction
            • Set the indicator extraction mode for a playbook task
            • Disable indicator extraction for scripts or integrations
          • Exclude indicators from enrichment
          • Generate issues from indicators using indicator rules for prevention and detection
          • Export indicators
        • Indicator management
        • Indicator investigation
          • Indicator verdict
          • Extract and enrich an indicator
          • Expire an indicator
          • Manage indicator relationships
          • Delete and exclude indicators
    • Attack Surface Management
      • Get started with Attack Surface Management
        • What is Attack Surface Management?
          • Attack Surface Management use cases
        • Network mapping
        • Scanning
          • Scanning cadences
          • Known Assets Monitoring
          • Scanning ports and protocols
          • Scanning activity
        • GeoIP data collection
      • Attack Surface Management detections
        • Attack surface rules
        • Attack Surface Testing
          • Attack surface tests
            • Attack Surface Testing intrusivity
          • Set up Attack Surface Testing
          • Manage attack surface tests
          • View issues created from Attack Surface Testing results
          • Source IP addresses for Attack Surface Testing scans
        • Externally inferred CVEs
        • Digital Risk Protection
      • Attack surface assets
        • Upload or remove ASM assets
          • Upload assets
          • Remove assets
      • Deploy ASM and Exposure Management enrichment and remediation automation
      • ASM enrichment of cloud assets
      • Emerging Vulnerabilities
      • Global Lookup
    • Vulnerability management
      • Vulnerability management in Cortex XSIAM
        • Cortex XSIAM vulnerability concepts
        • Vulnerability Management dashboard
      • Cortex Vulnerability Risk Score
      • Vulnerability policies
        • Create a vulnerability policy
        • Update the Ignored CVEs, Asset Groups, and Assets policy
        • Modify a vulnerability policy
        • Configure a block grace period
        • Enable or disable a vulnerability policy
      • Investigate and remediate vulnerabilities
        • View all Vulnerabilities
        • View vulnerability issues
        • View All Vulnerability Findings
        • View vulnerable assets
      • Vulnerability Intelligence
      • Recast CVSS scores and CVSS severities
    • Cloud Security
      • Monitor and track compliance adherence
        • Cortex compliance flow
        • Choose compliance standards from the compliance catalog
          • Standards Catalog
            • Use a built-in or custom standard
          • Controls catalog
            • Use a built-in or custom control
              • Associate a custom control to a detection rule
              • Create a new Custom Detection Rule
        • Use an assessment profile to run compliance checks on your assets
          • Configuring assessments for custom compliance standards based on custom cloud security rules
        • View and manage compliance assessments and reports
          • Compliance score
          • Assessments
          • Reports
        • View the compliance assessment of an individual asset
        • Compliance Overview Dashboard
      • Cloud Security Rules and Policies
        • Cloud security rules and policies
        • Cloud security rules
        • Cloud security policies
        • Create and manage cloud security rules
          • Create an attack path rule
          • Create a configuration rule
            • Guidelines for creating cloud security rules
            • Cloud security rule status for custom configuration rules
          • Create a data rule
          • Create an identity rule
          • Create a network exposure rule
          • Create an AI rule
          • View cloud security rule status
          • Edit a cloud security rule
          • Enable or disable a rule
          • Use an existing rule to create a new one
          • Delete a custom cloud security rule
        • Create and manage cloud security policies
          • Create a cloud security policy
          • Edit a cloud security policy
          • Enable or disable a policy
          • Use an existing policy to create a new one
          • Delete a custom cloud security policy
      • Cortex Cloud Data Classification
        • What is Cortex Cloud Data Classification?
        • How to create and validate a custom data pattern
          • Custom data patterns: Guardrails and syntax guide
        • How to disable and enable data patterns in Data Classification
        • How to create and validate a custom data profile
        • How to disable and enable data profiles in Cortex Cloud Data Classification
        • How to report a false positive in Cortex Cloud Data Classification
      • Cortex Cloud Data Security
        • What is Cortex Cloud Data Security?
        • Supported assets in Cortex Cloud Data Security
        • Cortex Cloud Data Security concepts
        • Cortex Cloud Data Security use cases
        • Data Inventory
        • How to review errors in Cortex Cloud Data Security
        • How to configure the scanning settings for supported services
        • How to perform advanced Data Security investigations using XQL
        • How to onboard Databricks
        • How to onboard Microsoft 365
        • How to onboard on-premise assets to Cortex Cloud Data Security
        • How to onboard Snowflake
        • How to use information protection labels in Cortex Cloud Data Security
      • Cortex Cloud Identity Security
        • What is Cortex Cloud Identity Security?
        • Review and improve your Identity Security posture
        • How does Effective Permission Calculation work?
        • Cortex Cloud Identity Security functionality
        • Unified Human Identities
        • Achieve the principle of least privilege access
        • Explore permissions using the simple and advanced access tables
        • Create a custom detection rule in Cortex Cloud Identity Security
        • Perform advanced Identity Security investigations using XQL
        • Ingest logs and data from Okta
        • Enable inactive human identity logs on Azure in Cortex Cloud Identity Security
        • Manage RBAC and SBAC in Cortex Cloud Identity Security
      • Network exposure detection
        • What is Cloud Network Analyzer?
        • Internet exposure detection
        • Outbound exposure detection
        • East-west exposure detection
        • Investigate an internet exposure
        • Configure trusted IPs
      • Cortex Cloud AI Security
        • What is Cortex Cloud AI Security?
        • Supported services in Cortex Cloud AI Security
        • Cortex Cloud AI Security concepts
        • Cortex Cloud AI Security use cases
        • How to perform advanced AI Security investigations using XQL
      • Serverless function posture security
        • Onboard cloud providers for serverless functions
        • Serverless function posture policies
          • Manage serverless function policies
          • Create serverless function policies
        • Serverless function posture rules
          • Manage serverless function rules
          • Create serverless function rules
          • Create an attack path rule for serverless functions
          • Create a configuration rule for serverless functions
          • Create a network exposure rule for serverless functions
        • Serverless function usage
      • Cortex Cloud Application Security
        • Onboard data sources
          • Onboard version control systems
            • AWS CodeCommit
            • Azure DevOps
              • Azure DevOps onboarding system architecture
            • Bitbucket Cloud
            • Bitbucket Data Center
            • GitHub Cloud
            • GitHub Enterprise (On-Prem)
            • GitLab SaaS
            • GitLab Self Managed (On-Prem)
          • Onboard CI/CD systems
            • CircleCI for CI/CD pipeline scans
            • Jenkins for CI/CD pipeline scans
          • Integrate CI tools
            • AWS CodeBuild
            • CircleCI for code scans
            • Connect Cortex CLI
            • GitHub Actions
            • Jenkins for code scans
            • Terraform Cloud (Run Tasks)
            • Terraform Enterprise (Run Tasks)
          • CLI pipeline code snippets
          • Onboard private package registries
            • JFrog Artifactory
            • Onboard JFrog Artifactory
          • Ingest third-party data sources
            • Semgrep
              • Semgrep Software Composition Analysis (SCA) data ingestion
              • Semgrep Static Application Security Testing (SAST) data ingestion
            • Snyk
              • Snyk Software Composition Analysis (SCA) ingestion
              • Snyk Static Application Security Testing (SAST) data ingestion
            • SonarQube
            • Veracode
            • Generic 3rd Party AppSec Collector
              • Tenant (console) workflow
              • API workflow
              • Upload findings from CI/CD pipelines
              • Technical requirements and SARIF specifications
              • Troubleshooting
          • Manage data source integrations
          • Transporter over Broker VM
            • Set up a Transporter applet on Broker VM
            • Set up a Transporter on your VCS
          • Manage integrations via data source APIs
        • Application Security dashboard
        • Application Security Posture Management (ASPM)
          • Code to Cloud
            • Supported integrations
            • Code to Cloud context and visibility
            • Code to Cloud troubleshooting
          • ASPM Command Center
            • Operational workflows
          • Applications
            • Defining Business Applications
              • Defining business applications by Criteria
              • Manage Criteria via the tenant UI
              • Define applications by Code Criteria
              • Define applications by cloud tag-based Criteria
              • Manage criteria via the public API
              • How to manually build an application
            • Application management and visibility
            • Manage applications via public APIs
            • Business application assets
              • Business application expanded asset details
              • Export business application data
            • Scope user access to applications (Application SBAC)
              • Enable SBAC in the Cortex XSIAM tenant
              • Create an application-based Asset Group
              • Scope user access to an application
              • Create application-scoped policies
              • Terraform workflow for Asset Groups
          • Repository as an asset
            • Understanding repository assets via the UI
            • Investigate repository assets
            • Manage repositories via API
          • Coverage
            • Coverage in the user interface
          • Urgency
            • Urgency and code to cloud traceability
            • Prioritize issues by Urgency levels
            • Urgency metrics
            • View Urgency in the tenant
          • Backlog baseline
            • Backlog use cases
            • Issue/Finding classification by scanner
            • Using Backlog
          • Service Lead Agreements (SLA)
            • Configure and monitor Application Security SLAs
          • Compliance for Application Security
            • Infrastructure-as-Code (IaC) compliance
            • Manage IaC compliance
            • CI/CD Compliance
              • Create CI/CD compliance reports
            • Terraform workflow for Compliance assessments
          • Unified Application Security policies
            • Core concepts
            • Tenant (UI) workflow
            • Create a policy
            • View and manage policy details
            • API workflow
            • Cortex CLI workflow
            • IDE workflow
            • Terraform workflow for policies
            • Reference A: Finding type details
            • Reference B: Condition filters and logic
            • Reference C: Scope mapping details
            • Reference D: Trigger and actions mapping
            • Reference E: Grace period logic and configuration
            • Reference F: Engine evaluation and Urgency logic
            • Reference G: Finding type to trigger mapping
            • Reference H: Action availability by trigger
            • Reference I: Audit logging
          • Application Security Rules
            • Roles and permissions
            • Rules inventory
            • Create custom Application Security rules
            • Configure YAML file properties
            • Terraform workflows for rules
            • Manage custom rules
          • Manage code weakness issues
            • Navigate to SAST code weakness issues
            • Understand the Code Weaknesses table
            • Investigate and remediate code weakness issues
            • Code weakness findings
        • Software supply chain security
          • Supply Chain assets
            • VCS organization assets
              • Understanding VCS organization assets
              • Investigate VCS organization assets
              • Manage VCS organization assets
            • VCS collaborators as assets
              • In-depth Collaborator asset information
              • Manage Collaborator assets
            • Repository as an asset
              • Understanding repository assets via the UI
              • Investigate repository assets
              • Manage Repository assets
              • Export Software Bill of Materials (SBOM)
              • Manage issues detected in repositories
            • Technologies as assets
              • Manage repository technologies
              • Troubleshooting and FAQs
            • Software packages as assets
              • Understanding software package assets
              • Investigate software package assets and security issues
            • CI/CD instance as an asset
              • Understanding CI/CD instance assets
              • Investigate and manage CI/CD instance assets
              • Manage CI/CD pipeline instances
            • CI/CD pipeline as an asset
              • Understanding CI/CD pipeline assets
              • Investigate and manage CI/CD pipeline assets
              • Manage CI/CD pipeline assets
            • Tools as an asset
              • Active tools
                • Supply Chain Tools
                • Expanded Supply Chain tool information
              • Supply chain catalog
          • Software Composition Analysis (SCA ) scanners
            • Supported Software Composition Analysis (SCA) frameworks and languages
            • Software Composition Analysis (SCA) vulnerability issues
              • Understand the Vulnerabilities table
              • Investigate and remediate CVE vulnerability issues
              • Investigate CVE vulnerabilities findings
              • Manage SCA CVE vulnerability issues
            • License miscompliance issues
              • Understand the Licenses table
              • Take action on license miscompliance issues
              • License miscompliance findings
              • Open-source software license categories
              • Manage license miscompliance issues
            • Ingest third-party SCA data
          • CI/CD Risks
            • CI/CD pipeline issues
            • Expanded CI/CD risks issue information
            • VCS and CI/CD pipeline risk findings
          • CI/CD Policies
            • CI/CD policies user roles and permissions
            • CI/CD policies inventory
            • Create CI/CD configuration policies
              • Application Security CI/CD policy Condition attributes
            • Manage CI/CD policies
          • CI/CD Rules
            • CI/CD rules roles and permissions
            • CI/CD rules inventory
        • Code Security
          • Code Security assets
          • Software packages as assets
            • Supported Software Composition Analysis (SCA) frameworks and languages
            • Understanding software package assets
            • Investigate software package assets and security issues
          • Infrastructure-as-Code (IaC) resources as assets
            • Supported frameworks and languages
            • Access and filter IaC assets
            • Investigate IaC assets
          • Code Security scanners
          • Secrets scans
            • Navigate to secrets issues
            • Understand the secrets issues table
            • Investigate and remediate secrets issues
            • Secrets findings
          • Infrastructure as Code (IaC) misconfiguration scanner
            • Navigate to IaC misconfiguration issues
            • Understand the IaC misconfigurations table
            • Investigate and remediate IaC misconfiguration issues
            • IaC misconfiguration findings
          • IaC Drift Detection scans
            • Navigate to IaC drift detection issues
            • Understand the IaC drift detection table
            • Investigate and remediate IaC drift issues
            • Investigate IaC drift detection findings
          • Software Composition Analysis (SCA ) scanners
            • Software Composition Analysis (SCA) vulnerability issues
              • Navigate to CVE vulnerability issues
              • Understand the Vulnerabilities table
              • Investigate and remediate CVE vulnerability issues
              • Investigate CVE vulnerabilities findings
            • License miscompliance issues
              • Navigate to license miscompliance issues
              • Understand the Licenses table
              • Take action on license miscompliance issues
              • How license miscompliance issues fit in the Application Security ecosystem
              • Open-source software license categories
            • Package operational risk scanner
              • Understand the package operational risk table
              • Investigate and remediate package operational risk issues
              • How package operational risk issues fit in the Application Security ecosystem
          • API workflows for Code Security issues
          • Application Security scans management
            • Manage scans through the tenant (UI)
            • Branch periodic scans
            • Pull Request scans
            • CI scans
            • Scan health and status reference
            • Manage repository scan configurations
            • Monitor data source instances health
            • Manage scans through public APIs
          • Application Security CLI
          • IDE
            • System requirements
            • Visual Studio (VS) Code and VS Code compatible IDEs
              • How to use the Cortex Cloud extension in VS Code
            • JetBrains
              • How to use the JetBrains Cortex XSIAM extension
          • Developer Suppressions
        • API endpoints
        • Terraform workflows
          • Manage resources
      • Cloud Workload Policies and Rules
        • How policies and rules work together
        • Cloud Workload Policies
          • Types of Cloud Workload Policies
            • Trusted image cloud workload policies
          • Cloud Workload Policies page
            • Widgets panel
              • Show or hide the widget panel
            • Change the layout of the policies table
            • Policy Details Panel
          • Enable or disable a Cloud Workload Policy
          • Create a Cloud Workload Policy
          • Use an existing policy to create a new Cloud Workload policy
          • Edit a Cloud Workload Policy
          • Delete a Cloud Workload Policy
          • Cloud Workload Preventive Action
        • Cloud Workload Rules
          • Default (pre-defined) Rules
          • Custom (user-defined) Rules
          • Cloud Workload Rules page
            • Filter page results
            • Change the layout of the rules table
            • Rule details panel
          • Create a new Custom Detection Rule
          • Use an existing rule to create a new Custom Detection Rule
          • Edit a Custom Detection Rule
          • Delete a Custom Detection Rule
      • Base Images Rule
      • Web and API Security (WAAS)
        • Overview
        • Personas workflow
        • Secure your API landscape
          • Gain visibility and assess risk of API endpoints
          • Monitor and investigate API threats
          • Configure API security from end to end
            • Third-party integrations
              • Ingest AWS API Gateway
              • Ingest Azure APIM
              • Ingest Apigee Proxy
              • Ingest Kong
              • Ingest-F5
            • Agent-based protection
              • Set up Web and API Security profiles
              • Apply Web and API Security profiles to workloads
              • Manage Web and API Security prevention profiles
              • Add a disable prevention rule for cloud workloads
              • Add a support exception rule for cloud workloads
              • Add a legacy exception rule for cloud workloads
              • Additional workload management tasks
          • API specification inventory
            • Import API specification
      • Serverless function runtime security
        • Overview
        • Set up serverless function protection
        • Serverless runtime issues
    • Cortex Advanced Email Security
      • Cortex Advanced Email Security module overview
      • Cortex Advanced Email Security module architecture and data flow
      • Getting started with the Cortex Advanced Email Security module
      • Deploy and configure the Email Security module
        • Integrate Microsoft 365 with the Cortex Advanced Email Security Module
        • Configure the Cortex Advanced Email Security module
      • Cortex Advanced Email Security threat detection and issues
        • Email Security Analytics Rules
      • Investigate and respond to email security issues
      • Automate remediation for the Cortex Advanced Email Security module
        • Email Remediation Response Rules
        • Email Security Remediation Action Center
      • Email Command Center
      • Malicious Email Inventory
      • Mailbox Inventory
      • Advanced Email Security module security and compliance
    • Exposure management
      • Exposure Management
      • Get started with Exposure Management
      • Ingest assets and vulnerabilities from third-party applications
      • Security controls
        • Automatically detect security controls
        • Manually attested security control taxonomy
        • Establish security control roles
        • Create a security control
        • Manage security controls
        • Set compensating controls
        • Improve controls coverage
        • Create effectiveness rules
        • Manage effectiveness rules
      • Cortex Network Scanner
        • Get started with Cortex Network Scanner
        • Add a network
        • Define target groups
        • Manage Network Scanner credentials
        • Create a network scan
        • Manage scans
        • View issues triggered by network scanner findings
      • Exposure Management Command Center
  • Reference and developer docs
    • Cortex XSIAM XQL
      • Get started with XQL
        • XQL language features
        • XQL Language Structure
          • Adding comments in queries
        • Supported operators
        • Datasets and presets
        • About examples
        • JSON functions
        • How to filter for empty values in the results table
        • Understanding string manipulation in XQL
      • Build XQL queries
        • About the Query Builder
        • How to build XQL queries
          • Get started with XQL queries
          • Useful XQL user interface features
          • XQL Query best practices
          • Expected results when querying fields
          • Create XQL query
          • Review XQL query results
          • Translate to XQL
          • Graph query results
        • Query Builder templates
          • Get started with Query Builder templates
          • Considerations for using Query Builder templates
          • Create a query from a template
          • Run a free text query
          • Query Builder template examples
        • Overview of the Query Center
          • Edit and run queries in Query Center
            • Query Center reference information
        • Manage scheduled queries
          • Scheduled Queries reference information
        • Manage your query library
        • Federated Search
          • Federated Search
          • Federated Search configuration
          • Query using Federated Search
          • Manage external datasets
        • Legacy Query Builder
          • Create authentication query
          • Create event log query
          • Create file query
          • Create image load query
          • Create network connections query
          • Create network query
          • Create process query
          • Create registry query
          • Query across all entities
      • Cortex XQL syntax, parameters, and examples
    • Graph Search
      • What is Graph Search?
      • Get started with Graph Search queries
      • How to build Graph Search queries?
      • Understand Graph Search query results
      • Create Graph Search query
      • Graph Search examples
      • Manage the Graph Search Query Library
      • Edit and run queries in Query Center
        • Query Center reference information
      • Supported assets and findings
      • FAQ on Graph Search
    • Cortex CLI
      • Connect Cortex CLI
      • Authenticate credentials
      • Cortex CLI usage
      • Self-service API keys for CLI scans
      • Cortex CLI common command line reference guide
      • Cortex CLI for API Security
        • Cortex CLI API Security command line reference guide
      • Cortex CLI for Cloud Workload Protection
        • Cloud Workload Protection command line reference
      • Cortex CLI for Code Security
        • Cortex CLI usage for Application Security
        • Cortex CLI Application Security command line reference
        • Cortex CLI pre-commit hooks
        • Pre-commit hook usage
        • Cortex CLI pre-receive hooks
        • Pre-receive hook usage
    • Role-Based Access Control
      • Role permissions by component
      • Core tenant and administrative permissions
      • Configuration permissions
        • Auditing permissions
        • Alert Notifications permissions
        • General Configuration permissions
        • Cortex XDR Analytics permissions
        • Access management permissions
        • Data Broker permissions
        • Log Collection permissions
        • Data Sources permissions
        • External Issues Mapping permissions
        • Integrations - instance permissions
        • Integrations Permissions
        • Data Management permissions
        • Public API
        • Threat Intelligence permission - API configuration
        • Long-running HTTP Integrations configuration
        • Credentials permissions
        • Network Scanners permissions
        • Apps - Instance permissions
        • Object Setup permissions
          • Case Properties permissions
          • Exclusion List permissions
          • Fields and Types permissions
          • Layout permissions
          • Sync Profile permissions
      • Marketplace permissions
      • Help permissions
      • SOC Operations, Investigation & Response permissions
      • Dashboards and Reports permissions
        • Dashboards permissions
        • Command Center Dashboard permissions
        • Ingestion Monitoring dashboard permissions
        • Reports permissions
        • Email Command Center permissions
        • Cloud Security Command Center permissions
      • Cases and Issues permissions
      • Investigation and Response permissions
        • Search permissions
          • Query Library permissions
          • Query Center permissions
          • Forensics permissions
          • Host Insights permissions
          • Graph Search permissions
        • Response permissions
          • Action Center permissions
          • EDL permissions
          • Agent Scripts Library permissions
          • Live Terminal permissions
        • Automation permissions
          • Playbook permissions
          • Script permissions
          • Playground permissions
          • Automation Exclusion Center permissions
      • Jupyter and Observability apps permissions
      • Threat Management permissions
        • Detection Rules permissions
        • Threat Intelligence permissions
      • Exceptions Configuration permissions
        • Issue Exclusions permissions
        • Exception Management Admin permissions
        • Exception Approver Admin permissions
      • Managed Services permissions
      • Cortex Agentic Assistant permissions
        • AI Prompts
        • Cortex Agentic Assistant Agents
      • Agents and endpoint protection
      • Inventory - Agent permissions
        • Agent Administrations
        • Agent Groups
        • Agent Prevention Policies
        • Global Exceptions
        • Agent Profiles
        • Agent Extension Policies
        • Agent Installations
        • Host Firewall
        • Device Control
      • Data Security - Endpoint DLP permissions
        • Data-in-Motion Rules
        • Endpoint Applications
        • Endpoint Applications Groups
        • Endpoint DLP Settings
      • Inventory - Assets permissions
        • Network Configuration permissions
        • Compliance (Legacy) permissions
        • Asset Inventory permissions
        • Asset Roles configuration permissions
        • Asset Groups permissions
      • Exposure and Vulnerability Management permissions
        • Attack Surface permissions
        • Vulnerability Management permissions
        • Exposure Management permissions
      • Cloud Security and Posture Management permissions
        • CLI Tool permissions
        • Application Security permissions
          • Application Security - Generic Collector permissions
          • Application Security - Issues permissions
          • Application Security - Scans permissions
          • Application Security - Policy Management permissions
          • Application Security - 3rd Party tools permissions
          • Configurations - Application Security permissions
        • Policies - Cloud Workload permissions
        • Cloud Security permissions
        • Compliance - Cloud permissions
        • Data Security permissions
        • AI Security permissions
        • Data Classification permissions
        • Identity Security permissions
    • API documentation
    • Reference
      • Cloud service provider permissions
      • Microsoft Windows security auditing setup
        • Enable security auditing event IDs
          • Enable security auditing event IDs with GPO
          • Set up local machine security auditing without GPO
          • Additional setup for Active Directory Certificate Services (ADCS) events
          • Enable auditing access to AD domain objects - 4662
        • Enable additional event logs using Event Viewer
        • Enable LDAP server events logging (1644)
          • Enable LDAP server events logging using RegEdit
          • Enable LDAP server events logging using GPO
          • Validate log collection for LDAP Server events
      • XDM fields for mapping authentication events
      • Cortex Network Scanner OSS
      • Fair Usage policy for Cortex XSIAM
Detect, investigate, and respond to threats / Cloud Security

Cloud Security ↗

← Recast CVSS scores and CVSS severities Monitor and track compliance adherence →
Cortex Toolbox v0.1.0 — a community tool, not an official Palo Alto Networks product. Estimates are indicative; validate sizing with your Palo Alto Networks representative.