What can fire in XSIAM: BIOCs, ABIOCs, Analytics, IOCs, and how they compare to a traditional SIEM.

In a traditional SIEM, every alert is a correlation rule you wrote. In XSIAM, alerts come from at least five distinct detection mechanisms running in parallel. Knowing which one fired (and why) is the difference between tuning the platform and fighting it.

8 min read·Cortex XSIAM

Cortex XSIAM ships hundreds of detection rules already mapped to MITRE ATT&CK and tuned by Palo Alto Networks against telemetry from across their customer base. The work in week one is enabling the right ones, not authoring from scratch.

When a deployment SOW prices six weeks of rule tuning, half of that scope is reading the OOTB ruleset, deciding which to enable, and toggling them on. That work is genuinely valuable, but it is hours, not weeks. The other half, customizing rules to your environment specific noise, is real engineering and worth your partner full rate.

The trap is letting both halves get billed at the same engineering rate. Your team sees a six-week scope, assumes it is all custom work, and pays accordingly.

Read the full lesson with Pro.

The takeaways below are public so you know what is in the lesson. The full body, the negotiation script, and every other lesson unlock with Pro. Free 30 days, no card.

Start free 30-day trial →Sign in

Takeaways

→XSIAM has at least 5 distinct detection mechanisms: IOC rules (indicators), BIOC rules (behavior), ABIOC rules (analytics-driven behavior), XDR Analytics rules (ML detections), and Correlation rules (your XQL).
→Plus alerts from the XDR agent, NDR, CDR, and ASM. The Alert Source field tells you which fired.
→Global BIOCs are maintained by Palo Alto Networks and pushed via content updates; you can copy them as templates and add exceptions but can't edit globals directly.
→ABIOCs require XSIAM Analytics enabled and live on a separate page from regular BIOCs.
→You write correlation rules for environment-specific patterns, multi-source joins, and auditable compliance detections, NOT to duplicate what Analytics already covers.
→Right-click any alert -> 'View Generating Rule' to jump to the rule definition. Fastest path to tuning.
→Bring a partner in for multi-source correlation, custom ABIOC tuning, or MITRE ATT&CK coverage mapping.

Source: View and manage Analytics rules (Palo Alto Networks docs)Last verified Apr 26, 2026

Copy-ready script

Pro

“Can you split the rule scope into two phases? Phase one is enablement of the OOTB ruleset against my environment, ideally on a flat-rate or fixed-fee basis. Phase two is authoring custom rules where the OOTB set has gaps, billed hourly.”

Unlock with Pro →

See it in your own quote.

Paste a Palo Alto Networks quote. The engine will tell you, line by line, where the pattern in this lesson actually shows up.

Have Clarify read your SOW