Learn
What you're actually paying for, in plain English.
Short explainers for Cortex XSIAM, written from your side of the table and grounded in the current Palo Alto Networks public docs and the Cortex marketplace. The vocabulary your partner assumes you know, the patterns the engine flags, and the negotiation language that fits each one. Each lesson cites its source and is dated.
What you can learn about
Every line of your Cortex XSIAM quote, in plain English.
Detection content
3 lessons. Out-of-the-box rules, correlation logic, and what's a deploy versus a project.
Data sources
3 lessons. Marketplace integrations, broker VM, parsers, and which work counts as engineering.
Playbooks
2 lessons. XSOAR templates, automation work, and where bespoke authoring is real value.
Platform configuration
1 lesson. Tenant setup, RBAC, alert routing. The day-one work that has docs and a checklist.
Analytics versus rules
1 lesson. Why correlation rules and ML analytics are different products, and how reps blur them.
Dashboards and widgets
1 lesson. Searches, widgets, and dashboards. Almost always DIY-with-patience.
Services scoping
2 lessons. How to read a deployment SOW: what's bundled, what's DIY, and what's worth full rate.
Licensing and SKUs
2 lessons. Tier mapping, credit-based ingestion, retention, and the math behind the line items.
Detection content. Out-of-the-box rules, correlation logic, and what's a deploy versus a project.
OOTB rule enablement is a switch flip, not a project.
Cortex XSIAM ships hundreds of detection rules already mapped to MITRE ATT&CK. Most of week one's value is enabling and tuning them, not authoring new ones.
How XSIAM detection actually fires: XQL triggers, real-time vs scheduled, and the alert pipeline.
Correlation rules in Cortex XSIAM are XQL queries, run either continuously against incoming data (real-time) or on a schedule with a lookback window. Knowing which mode your rules use changes how you scope, tune, and pay for detection work.
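To make the "query plus execution mode" split concrete, here is the shape of the XQL a correlation rule is built from. This is an added illustration, not a lesson from this page or a rule from the Palo Alto Networks content packs; the dataset and field names are assumed from the xdr_data process-event schema and should be checked against your own tenant before use. The detection logic (encoded PowerShell launches) is a constructed example.

```xql
// Added example, not from the page: the XQL body of a correlation rule.
// The same query text can back a real-time rule (evaluated as events arrive)
// or a scheduled rule (run every N minutes over a lookback window); the
// schedule and window are set on the rule, not inside the query.
// Assumed schema: dataset xdr_data with the process-event fields below.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter action_process_image_name = "powershell.exe"
| filter action_process_image_command_line contains "-enc"
    or action_process_image_command_line contains "EncodedCommand"
| fields _time, agent_hostname, actor_process_image_name, action_process_image_command_line
```

Scoping consequence: the query is the cheap part of a rule like this. The work that turns into hours is choosing real-time versus scheduled, picking the window and dedup behaviour, and tuning the filters against your own telemetry, and that is the part a SOW should price, not the query text.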
What can fire in XSIAM: BIOCs, ABIOCs, Analytics, IOCs, and how they compare to a traditional SIEM.
In a traditional SIEM, nearly every alert traces back to a correlation rule someone wrote. In XSIAM, alerts come from at least five distinct detection mechanisms running in parallel (correlation rules, BIOCs, ABIOCs, Analytics, and IOC matching). Knowing which one fired, and why, is the difference between tuning the platform and fighting it.
See it in your own quote.
Run a check and the engine will cite the lessons relevant to every line it flags. The pattern, the dollar consequence, and the script.
Have Clarify read your SOW