Learn
What you're actually paying for, in plain English.
Short explainers for Cortex XSIAM, written from your side of the table and grounded in the current Palo Alto Networks public docs and the Cortex marketplace. The vocabulary your partner assumes you know, the patterns the engine flags, and the negotiation language that fits each one. Each lesson cites its source and is dated.
What you can learn about
Every line of your Cortex XSIAM quote, in plain English.
Detection content
3 lessons. Out-of-the-box rules, correlation logic, and what's a deploy versus a project.
Data sources
3 lessons. Marketplace integrations, broker VM, parsers, and which work counts as engineering.
Playbooks
2 lessons. XSOAR templates, automation work, and where bespoke authoring is real value.
Platform configuration
1 lesson. Tenant setup, RBAC, alert routing. The day-one work that has docs and a checklist.
Analytics versus rules
1 lesson. Why correlation rules and ML analytics are different products, and how reps blur them.
Dashboards and widgets
1 lesson. Searches, widgets, and dashboards. Almost always DIY-with-patience.
Services scoping
2 lessons. How to read a deployment SOW: what's bundled, what's DIY, and what's worth full rate.
Licensing and SKUs
2 lessons. Tier mapping, credit-based ingestion, retention, and the math behind the line items.
Data sources. Marketplace integrations, broker VM, parsers, and which work counts as engineering.
If your log source is in the marketplace, you're not paying for parser work.
Palo Alto Networks runs a marketplace of pre-built integrations. If your source is in there, the parser is one click. Don't pay engineering hours for it.
Parsing rules: real engineering, but only sometimes.
Cortex XSIAM ships default parsing rules and an editor for writing custom ones in XQL. Most ingestion does not need bespoke parser work. The cases where it does are specific and worth full rate.
How parsing actually works in XSIAM: INGEST, XDM, raw datasets, and the data flow.
Every log byte that lands in your XSIAM tenant takes a specific path: collected by Broker VM or marketplace integration, transformed by parsing rules, normalized into XDM, and stored in the Cortex Extended Data Lake. Knowing the path makes it obvious which work is configuration and which is engineering.
See it in your own quote.
Run a check and the engine will cite the lessons relevant to every line it flags. The pattern, the dollar consequence, and the script.