CORTEX XSIAM® USE CASE:

# Detection Engineering

The Cortex XSIAM® SecOps platform is built to amplify detection engineering programs by using analytics to automate the vast majority of detection use cases, while still empowering teams to create custom detections for specific or specialized use cases. Let's take a look at how to create custom detections.

The Command Center provides real-time visibility into threats, detection efficacy, alert trends and rule performance, facilitating quicker incident prioritization.

Maximize your threat detection with various detection rules, including correlation, BIOC and IOC rules. Customize and refine these rules to address your unique threat landscape, so you can balance out-of-the-box protection with tailored visibility.
When detection engineers need more options than BIOC rules provide, including the ability to correlate multiple events from multiple sources, XSIAM provides a robust Correlation Rule builder.

For example, we can set up a correlation rule that looks for brute-force attempts against an MSSQL server by counting failed login attempts and alerting once they exceed a threshold. Correlation rules are written in the XQL query language.

Additional configuration can add drill-down queries, MITRE ATT&CK mapping and customized field mapping to normalize alerts across the platform.

Alerts triggered by a correlation rule appear in the alert table, where they're enriched with context and ready for investigation alongside alerts from other sources, giving analysts a clear, organized view of potential threats.

XSIAM combines correlation rules with behavioral indicators of compromise (BIOCs) for stronger threat detection. While correlation rules link signals across sources, BIOCs flag unusual user or system behavior. Together, they reveal subtle threats and connect them to larger attack patterns, boosting detection and proactive response.

For example, BIOC rules can track each time certain processes attempt to access IAM security credentials, a tactic commonly used by threat actors.
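The failed-login threshold correlation described above, as an added example that is not XSIAM code or XQL: a small Python detector run over constructed SQL Server error-log lines. The line format mirrors SQL Server's "Login failed for user" messages, but the addresses, user names, threshold (4 failures) and window (5 minutes) are assumptions chosen for illustration, and the T1110 tag is the ATT&CK Brute Force technique such an alert would be mapped to.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server error-log style; addresses and users are made up.
SAMPLE_LOG = """\
2025-01-15 10:00:01.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2025-01-15 10:00:02.40 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2025-01-15 10:00:03.00 Logon  Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2025-01-15 10:00:04.70 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2025-01-15 10:00:05.00 spid55 Starting up database 'master'.
2025-01-15 10:00:00.00 Logon  Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2025-01-15 10:10:00.00 Logon  Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2025-01-15 10:20:00.00 Logon  Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2025-01-15 10:30:00.00 Logon  Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Keep only failed-login lines; other error-log messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "user": m["user"], "client": m["client"]})
    return events

def correlate_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Per source address, alert once when >= threshold failures fall inside one sliding window."""
    by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "failed_attempts": end - start + 1,
                               "users": sorted({e["user"] for e in evs[start:end + 1]}),
                               "first_seen": evs[start]["ts"], "last_seen": evs[end]["ts"],
                               "mitre_technique": "T1110"})  # ATT&CK Brute Force (assumed mapping)
                break  # one alert per source per evaluation
    return alerts
```

A source whose failures are spread wider than the window (10.0.0.7 in the sample) never fires, which is the trade-off a threshold rule makes against slow, low-rate guessing; widening the window or lowering the threshold trades that coverage for more false positives from ordinary mistyped passwords.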
Watch for specific behaviors or patterns, with alerts enriched with MITRE tactics, techniques and procedures (TTPs).

It's simple to navigate from the rule itself to its associated alerts, so detection engineers can work with SOC analysts on the detection engineering (DE) lifecycle for each rule.

Alerts triggered by detection rules appear in the alert table and are automatically grouped into incidents based on their context and relationships. This smart grouping connects related alerts from across sources, giving analysts a complete, high-level view of the attack for faster, more effective investigation.

The data is also contextualized with other data such as threat intelligence and analytics, highlighting key details. Together with your custom detection engineering settings, this context can make investigations faster and more precise.

The seamless integration of detection engineering is just one reason Cortex XSIAM delivers the industry's highest protection rate and leading SOC capabilities in one AI-driven platform.

Experience the future of security operations with the leader in SOC transformation, Cortex XSIAM. Connect with us today.

**Connect with us today.** [EXPLORE MORE USE CASES](https://www.paloaltonetworks.com/resources/infographics/xsiam-use-case-tour?ts=markdown) [REQUEST A DEMO](https://www.paloaltonetworks.com/cortex/request-demo?ts=markdown)

Copyright © 2025 Palo Alto Networks. All Rights Reserved