
In this lecture, we introduce the Cortex XSIAM platform and provide an overview of what this course will cover. You will learn why XSIAM is important for modern SOCs and what to expect in the upcoming modules.
In this lecture, you will learn about the evolution of SIEM tools and the Cortex product line, and why the market has shifted towards advanced platforms like Cortex XSIAM.
This lecture highlights why Cortex XSIAM is a game-changer for SOCs. You will understand the business and security benefits of adopting XSIAM in modern operations.
Explore the main capabilities of XSIAM, including advanced detection, automation, threat intelligence integration, and full SOC visibility.
Dive deeper into XSIAM’s core functionalities such as data ingestion, analytics, alert correlation, and response orchestration.
Get an overview of XSIAM’s architecture, including the data lake, XQL query engine, and integration points with other tools.
Identify the pain points of traditional SOCs, such as alert fatigue, siloed tools, lack of automation, and slow incident response.
Discover how XSIAM addresses SOC challenges with automation, AI-driven detection, and streamlined workflows.
A guided demo of the Cortex XSIAM platform, walking through its interface and main features to give you hands-on familiarity.
An introduction to the role of the XSIAM Agent and why it is essential for visibility and protection across endpoints.
Understand the different types of endpoint security profiles available in XSIAM and how they can be used to enforce consistent security controls.
Review and validate existing security profiles in XSIAM to ensure they align with SOC requirements and best practices.
A step-by-step demonstration of creating a Windows-specific profile and policy, including customization for endpoint protection.
Explore how to deploy and configure the XSIAM Agent, including supported platforms and configuration options.
In this section, you will learn the fundamentals of XQL (Cortex Query Language), including syntax, datasets, presets, and data sources. By the end of this module, you will be able to build and run your own XQL queries to support threat hunting and detection in Cortex XSIAM.
Learn the basics of XQL syntax, including queries, stages, operators, and how XQL fits into the overall SOC workflow.
Explore the various data sources available in XSIAM for XQL queries, such as endpoint events, network logs, and identity data.
Understand datasets in XQL and how they organize information for queries. Learn to identify the right dataset for your investigation.
Learn how to use XQL presets, which provide pre-built queries to accelerate investigations and reduce time to detection.
Break down the components of an XQL query, including stages, functions, operators, and parameters.
Watch a live demonstration of writing and executing XQL queries inside Cortex XSIAM to detect suspicious activity.
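The following hunting query is an added example and is not part of the course material. It ties together the pieces named above: a dataset, a chain of stages joined by `|`, comparison and string operators, and a field projection. It assumes the tenant ingests endpoint data into the standard `xdr_data` dataset with its default field names; the search term `-enc` (encoded PowerShell) is an illustrative choice, not a course-provided detection.

```xql
// Added example (not from the course): hunt for PowerShell launched with an encoded command.
// Assumptions: standard xdr_data dataset and field names; "-enc" is an illustrative hunting term.
// The same process-start events are also reachable via the built-in view: preset = xdr_process
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// XQL string comparisons are case-sensitive, so normalize before matching
| filter lowercase(action_process_image_name) = "powershell.exe"
// "-enc" also matches "-EncodedCommand" once lowercased
| filter lowercase(action_process_image_command_line) contains "-enc"
// keep only the columns an analyst needs for triage
| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, action_process_image_command_line
| sort desc _time
| limit 100
```

Each stage receives the rows produced by the previous one, so the order matters: filtering on the cheap `event_type` enum first and leaving string functions for later keeps the query fast over large time ranges. Drop the `limit` stage when you turn a hunt into a scheduled rule, otherwise true positives beyond the first 100 rows are silently discarded.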
An introduction to alerting and detection in Cortex XSIAM, covering the basics of how alerts are generated and managed.
Learn how XSIAM uses smart correlation to group related alerts into incidents, reducing noise and improving investigation efficiency.
A demonstration of creating and applying correlation rules in XSIAM to detect suspicious activity.
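As an added example (not the course's own rule), the query below is the kind of XQL body a correlation rule is built on: instead of listing single events, it aggregates with `comp` and only emits a row when a threshold is crossed, so the rule generates one alert per host and hour rather than one per process. It assumes the standard `xdr_data` field names; the parent and child process lists and the threshold of 3 are illustrative values to be tuned per environment.

```xql
// Added example (not from the course): correlation-rule query body that fires when an
// Office application spawns several script hosts or LOLBins on one host within an hour.
// Assumptions: standard xdr_data fields; process lists and the threshold of 3 are illustrative.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter lowercase(actor_process_image_name) in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| filter lowercase(action_process_image_name) in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
// bucket events into hourly windows so the count below is bounded in time
| bin _time span = 1h
// one row per (hour, host, parent, user); keep the command lines as evidence for the alert
| comp count(action_process_image_name) as spawn_count, values(action_process_image_command_line) as cmdlines by _time, agent_hostname, actor_process_image_name, actor_effective_username
// threshold: a single macro-launched shell is noisy, repeated spawning in one hour is not
| filter spawn_count >= 3
```

When you save this as a correlation rule, set the rule's schedule and lookback to match the `bin` span (here, run hourly over the last hour) so that each window is evaluated exactly once, and map `agent_hostname` and `cmdlines` into the alert fields so the analyst sees the evidence without re-running the query.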
Explore the causality view in XSIAM to understand the root cause of incidents and how different events are connected.
Understand how incidents are scored and prioritized in XSIAM to help analysts focus on the most critical threats.
Learn about the full incident lifecycle in XSIAM, from detection to closure, and how to manage investigations effectively.
Identify and understand the core elements of an incident (alerts, assets, and artifacts) and their critical roles in managing security events.
A hands-on demo showing how to analyze an incident in XSIAM, review evidence, and determine next steps.
An overview of how threat intelligence and automation work together in XSIAM to improve detection and response.
Explore the core threat intelligence capabilities of XSIAM, including enrichment, IOC ingestion, and contextual insights.
Learn how to manage threat intelligence feeds, import external sources, and centralize IOCs in XSIAM.
Understand the fundamentals of indicators (IOCs), including types, attributes, and how XSIAM uses them for detection.
A walkthrough of managing indicators in XSIAM, including creating, tagging, and applying them to detection rules.
Learn how to investigate indicators in XSIAM, correlate them with incidents, and validate their impact.
A live demo showing how to integrate threat intel feeds, investigate IOCs, and enrich alerts in XSIAM.
Dive deeper into automation in XSIAM, focusing on use cases such as automated enrichment, containment, and notifications.
Learn about playbooks in XSIAM, their structure, and how they are used to orchestrate automated response.
Understand how context data is used in XSIAM to enrich alerts and incidents, providing analysts with deeper insights.
Discover how jobs, integrations, and content packs extend XSIAM’s automation capabilities, and how scripts can be applied.
A demo of reviewing, testing, and validating playbooks in XSIAM before production deployment.
Hands-on demo of creating a new playbook in XSIAM, showing the process from design to deployment.
An introduction to Attack Surface Management in XSIAM and why it is essential for identifying external exposures before attackers do.
Learn how to build and manage the ASM inventory in XSIAM, including domains, IP addresses, and applications.
Understand how XSIAM generates and manages ASM-related incidents, such as exposed services or misconfigured assets, and how to remediate them.
An introduction to dashboards and reports in XSIAM, explaining how they help visualize security metrics and track SOC performance.
Learn how to create and customize dashboards in XSIAM to display the metrics and insights most relevant to your SOC operations.
Understand how to generate and schedule reports in XSIAM for regular updates and executive-level visibility.
A hands-on demonstration of building and using dashboards and reports in XSIAM, including real examples of SOC KPIs and monitoring.
Become a Cortex XSIAM expert with this complete, hands-on Masterclass.
This course is designed for SOC analysts, security engineers, and IT professionals who want to master Palo Alto Networks Cortex XSIAM, one of the most advanced platforms for security operations and automation.
Through practical lessons, real-world examples, and guided exercises, you will learn how to:
Understand Incident Handling & Lifecycle (Identify, Investigate, Mitigate, Improve).
Work with Detection & Alerts to triage and investigate threats effectively.
Leverage Threat Intelligence & Automation to accelerate response.
Explore Attack Surface Management to reduce exposure and risks.
Build and customize Dashboards & Reports to optimize visibility and decision-making.
By the end of this course, you’ll be able to:
Confidently navigate the XSIAM console and manage incidents.
Create custom detection rules and automation workflows.
Generate reports and dashboards tailored to your organization’s needs.
Apply industry best practices to improve SOC efficiency and reduce false positives.
Whether you are preparing for a SOC role, looking to upskill in cybersecurity, or aiming to implement XSIAM in your organization, this course will provide you with the tools and knowledge to succeed.
No prior experience with XSIAM is required, but basic knowledge of cybersecurity concepts (alerts, incidents, response) is recommended.
Disclaimer: Some elements of this course (such as scripts, text, or visuals) were created with the assistance of Artificial Intelligence (AI).
Join now and take your SOC and XSIAM skills to the next level!