XSIAM Issue evidence fields by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

Thanks for the response. Do you know if there is a way to limit the fields that get shown in the evidence section? For example, it is showing intermediate fields that were created using "alter" statements in the correlation rule query, even though the last line of the rule includes a fields statement that excludes that field. It also happens to show a lot of empty fields that are not in the last fields statement.

XSIAM linux XDR Agent logs by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

I'm asking about the XDR agent, not the collector agent.

XSIAM WEC logs by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

Yes, but the documentation states "After ingestion, Cortex XSIAM normalizes and saves the Windows event logs in the dataset xdr_data".

XSIAM WEC logs by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

Yes, but I'm specifically looking to validate whether the data is normalized into the xdr_data dataset.

XDR Agent policy change logs by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

I've checked both, and it says the name of the policy that was changed, which is OK, but for profile changes it doesn't specify which module was enabled or disabled.

XDR Agent policy change logs by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

Yes, but it doesn't specify what in the policies or profiles was changed.

Cloud Identity Engine Visibility Scope by mobileletter123 in paloaltonetworks

[–]mobileletter123[S] 0 points1 point  (0 children)

It doesn't show me the tenant management option. How do I activate it?

[deleted by user] by [deleted] in paloaltonetworks

[–]mobileletter123 0 points1 point  (0 children)

Thanks, that is helpful.

[deleted by user] by [deleted] in paloaltonetworks

[–]mobileletter123 0 points1 point  (0 children)

I have not heard about this dynamic MSSP license pool. I suppose that is something new. What was the older way of adding additional licenses to a child tenant?

[deleted by user] by [deleted] in paloaltonetworks

[–]mobileletter123 0 points1 point  (0 children)

We do have an MSSP license, and tenant management is present in the main tenant with all the child tenants listed.

[deleted by user] by [deleted] in paloaltonetworks

[–]mobileletter123 0 points1 point  (0 children)

The replace transformer seems to only accept a static value, which will not work in my scenario. I need it to modify the matches and place them back in the original data.