Paloalto Networks XSIAM-Engineer - Palo Alto Networks XSIAM Engineer

When creating a custom incident domain in Cortex XSIAM, alert grouping still applies, allowing related alerts to be combined into incidents. However, SmartScore is not applied, since it is reserved for predefined domains.

The MODEL section in a data model rule is used to map log fields to the corresponding Cortex XSIAM Data Model (XDM) fields. This ensures that ingested data aligns with XDM, enabling consistent analytics, detections, and queries across different data sources.

During Cortex XSIAM tenant activation, data at rest is configured with AES 128 encryption by selecting "BYOK" (Bring Your Own Key) under the Advanced → Encryption Method option and following the wizard’s instructions. This ensures secure key management and compliance with encryption standards.

Cloud Identity Engine must be deployed in the same region as Cortex XSIAM to ensure compliance and proper data handling. Once integrated, the ingestion can be verified by checking the pan_dss_raw dataset, which records the raw directory synchronization logs.

A parsing rule in Cortex XSIAM is bound to a specific vendor and product, ensuring accurate parsing logic for that log source. It processes each log individually (once per log) and does not allow grouping, making it distinct from data model rules.

The correct query is the one using preset = metrics_view with

comp sum(total_event_count) as total_events by _reporting_device_name and filtering total_events = 0.

This query directly checks event counts reported by the NGFW ("MainFW"). If no logs are received in the last 30 minutes, the total event count will be 0, which triggers the correlation rule alert.

In the query action_local_port in (1122, 2234), the word "in" functions as an operator. It checks whether the field action_local_port matches any value in the specified list (1122, 2234).