Setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment configures the container to run without requiring swap capabilities. This ensures the engine operates fully within allocated RAM, improving stability and avoiding issues related to memory swapping.

To enable Cloud Identity Engine on Cortex XSIAM, it must first be activated on HUB, Palo Alto Networks’ centralized service management platform. Once activated, it can be configured and integrated with Cortex XSIAM for identity-based visibility and enforcement.

When running the playbook debugger with attached test data, Cortex XSIAM operates entirely in debug mode, meaning neither the original list objects nor the original context are altered. All interactions happen in an isolated debug environment to avoid impacting production data.

To reduce ingestion from the custom application, the engineer should configure a parsing rule on the Broker VM. Parsing rules can be set to drop unnecessary data before it is ingested into Cortex XSIAM, preventing wasteful log volume and optimizing system efficiency.

Cortex XSIAM ingests structured third-party logs (such as CEF, LEEF, and JSON) by breaking down the key-value pairs and saving them in a normalized table format. This enables efficient correlation, analytics, and query performance across diverse log sources while preserving data fidelity.

The XQL query uses regextract with conditions to check if the source IP begins with 149.235. When true, it assigns the replacement value 192.168.10.1, otherwise it extracts the source port. From the given logs, this produces 123 (from the port extraction in the second log) and 192.168.10.1 (replacement for the first log’s matching source IP).

The URL https:// -docker.pkg.dev is used in Palo Alto Networks infrastructure to download Engine Docker containers. This ensures the Cortex XSIAM engine components are pulled securely from the regional Docker registry.