Persistent timeout issues with Cortex XSIAM Live Terminal, despite firewall rules being open, are often caused by SSL Decryption inspecting the traffic. Live Terminal relies on secure, end-to-end TLS communication, and decryption breaks this channel, leading to session failures.

In a For Each Input loop, each iteration takes the next value from the list inputs while keeping constant inputs unchanged.

On the second iteration:

x = X (second value of W,X,Y,Z)

y = b (second value of a,b,c,d)

z = 9 (constant for all iterations).

So, the values are X, b, 9.

The integrationContext object in Cortex XSIAM is persistent across integration command runs and is managed using get_integration_context() and set_integration_context(). This allows data (such as key-value dictionaries) to be stored and retrieved reliably between executions.

In a Cortex XSIAM parsing rule, the COLLECT section defines the newly created dataset. This section specifies how the parsed fields and data should be structured and stored for further use in analytics and queries.

In a Broker VM cluster, the Syslog Collector applet runs in active/standby mode (active on the primary node, standby on others), while the Kafka Collector applet runs in active/active mode (active on all nodes). This design ensures both high availability and scalability for ingestion.

For Cortex XDR agents running on servers in zones without internet access, a Broker VM is used as a communication bridge. The Broker VM securely relays traffic between the isolated agents and the Cortex platform, maintaining connectivity without requiring direct internet access from the servers.

Cloud Identity Engine must be deployed in the same region as Cortex XSIAM to ensure compliance and proper data handling. Once integrated, the ingestion can be verified by checking the pan_dss_raw dataset, which records the raw directory synchronization logs.

In Cortex XSIAM’s Alert Layout Builder, the " War Room " and " Work Plan " tabs are optional and can be removed, while the " Alert Info " tab is mandatory and cannot be deleted. This ensures that essential alert details are always retained, while collaboration and workflow tabs can be customized.

For Cortex XDR agents to use the Broker VM as a download source, the Agent Settings profile must specify the Broker VM as the update source, and the Broker VM must be configured with an FQDN so agents can reliably resolve and connect to it.

A parsing rule in Cortex XSIAM is bound to a specific vendor and product, ensuring accurate parsing logic for that log source. It processes each log individually (once per log) and does not allow grouping, making it distinct from data model rules.