A Claude Code plugin for building Cortex XSIAM and XSOAR content — automation scripts, integrations, event collectors, XQL queries, correlation rules, dashboard widgets, playbooks, and documentation — using natural language.
```bash
claude plugin marketplace add joseph3325/xsiam-buddy
claude plugin install xsiam-buddy@xsiam-buddy
```

Generate standalone Python automation scripts embedded in importable YAML files. Produces unified .yml files ready for direct import into XSIAM, with Python embedded in the `script: |-` field, proper field ordering, `register_module_line()` calls, and `demisto.alert()` normalization for XSIAM context.
Example triggers: "create a script", "write an XSIAM script", "build an automation", "XSOAR script"
Generate multi-command Python integrations with BaseClient and a corresponding YAML metadata file. Produces unified .yml files matching real XSIAM export format — supportedModules on all params/commands/arguments, sectionorder tabs, register_module_line() calls, vcShouldKeepItemLegacyProdMachine, and full command/argument definitions. Supports fetch-incidents with dedup/lookback, OAuth2 token caching, polling commands, credential vault, and indicator enrichment patterns.
Example triggers: "build an integration", "create an integration for CrowdStrike", "write an XSIAM integration", "connect to an API"
Generate event collector integrations that ingest vendor events directly into the XSIAM data lake via send_events_to_xsiam(). Produces unified .yml files matching real XSIAM export format with isfetchevents: true, supportedModules on all params/commands/arguments, should_push_events debug pattern, _time normalization (including epoch-to-ISO conversion), and multi-event-type support with separate vendor/product streams. Unlike regular integrations that create incidents, event collector data lands in the data lake and is queryable via XQL.
Example triggers: "create an event collector", "build an event collector", "ingest events into XSIAM", "fetch events"
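As an added example (not code from the plugin or from any collector it generates), the pure-Python core of the event collector pattern described above: `_time` normalization from epoch seconds, epoch milliseconds or ISO strings, dedup against the previous run, grouping into separate vendor/product streams, and the `should_push_events` gate. The `acme` vendor, the sample events and the `push` callable are constructed placeholders standing in for a real API and for `send_events_to_xsiam()`.

```python
from datetime import datetime, timezone

# Constructed sample API response: two event types fetched in one collector run.
RAW_EVENTS = [
    {"type": "audit", "id": "a-1", "timestamp": 1700000000, "action": "login"},           # epoch seconds
    {"type": "audit", "id": "a-2", "timestamp": 1700000060000, "action": "logout"},       # epoch milliseconds
    {"type": "alert", "id": "x-9", "timestamp": "2023-11-14T22:14:00Z", "sev": "high"},  # ISO-8601
]
# Each event type lands in its own dataset, named by its (vendor, product) pair.
STREAMS = {"audit": ("acme", "audit"), "alert": ("acme", "alerts")}


def to_iso_time(value):
    """Return an ISO-8601 UTC timestamp for _time from epoch seconds, epoch milliseconds or an ISO string."""
    if isinstance(value, str):
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
        dt = dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)  # treat naive strings as UTC
    else:
        ts = float(value)
        if ts > 1e11:  # beyond any plausible epoch-seconds value, so it must be milliseconds
            ts /= 1000.0
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(raw_events, last_run):
    """Stamp _time, drop ids seen in last_run, and group by (vendor, product) stream; returns (streams, next_run)."""
    seen = set(last_run.get("seen_ids", []))
    streams = {}
    for ev in raw_events:
        if ev["id"] in seen:
            continue  # dedup: a lookback window re-fetches events already ingested last run
        out = dict(ev)
        out["_time"] = to_iso_time(ev["timestamp"])
        streams.setdefault(STREAMS[ev["type"]], []).append(out)
        seen.add(ev["id"])
    return streams, {"seen_ids": sorted(seen)}


def collect(raw_events, last_run, should_push_events, push):
    """One collector run; push(events, vendor=, product=) stands in for send_events_to_xsiam().
    should_push_events=False is the get-events debug path: return events, send nothing, keep last_run."""
    streams, next_run = normalize(raw_events, last_run)
    if not should_push_events:
        return streams, last_run, 0
    pushed = 0
    for (vendor, product), events in streams.items():
        push(events, vendor=vendor, product=product)
        pushed += len(events)
    return streams, next_run, pushed
```

In a real collector the `seen_ids` checkpoint is persisted with `demisto.setLastRun()`, and each stream's list is what gets handed to `send_events_to_xsiam()` with its vendor and product.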
Generate XQL queries from natural language descriptions. Covers threat hunting, investigation, and analytics across all common XSIAM datasets. Uses tiered reference loading — core XQL references always load while advanced functions, extended datasets, and federated search references load on-demand based on query requirements.
Example triggers: "write an XQL query", "hunt for threats", "search XSIAM data", "query dataset"
Generate correlation rule JSON files matching the XSIAM export/import format. Produces complete .json files with embedded XQL, scheduling configuration, severity mapping, and MITRE ATT&CK tagging. Shares the tiered XQL reference layer with xsiam-xql.
Example triggers: "create a correlation rule", "build a detection rule", "detection engineering", "XSIAM alert rule"
Translate existing Splunk SPL queries into equivalent XQL. Maps SPL commands, functions, and syntax to their XQL counterparts using a dedicated translation reference. Shares the tiered XQL reference layer with xsiam-xql.
Example triggers: "translate SPL", "convert Splunk to XQL", "migrate Splunk query", "SPL to XQL"
Generate importable playbook YAML files matching real XSIAM export format. Produces unified .yml files with exact field ordering, all per-task boilerplate fields (note, timertriggers, ignoreworker, skipunavailable, quietmode, isoversize, isautoswitchedtoquietmode), real v4 UUIDs, vcShouldKeepItemLegacyProdMachine, view positioning, and inputSections/outputSections. Supports all task types: start, regular (command and script), condition (inline and script-based), title, sub-playbook, and collection.
Example triggers: "create a playbook", "build a playbook", "incident response workflow", "XSIAM playbook"
Generate XQL widget queries with | view graph visualization for Cortex XSIAM dashboards. Supports all 11 chart types (area, bubble, column, funnel, gauge, line, map, pie, scatter, single value, word cloud) with chart type selection guidance, aggregation patterns per visualization, and axis data-type validation. Shares the tiered XQL reference layer with xsiam-xql.
Example triggers: "create a widget", "build a dashboard widget", "pie chart of events by vendor", "visualize network traffic", "view graph"
Generate professional HTML documentation for XSIAM/XSOAR playbooks. Produces Google Docs-ready HTML with visual flow diagrams, task inventories, decision logic tables, and integration dependency maps — all styled with the Palo Alto Networks brand palette.
Example triggers: "document a playbook", "create playbook documentation", "playbook reference doc", "explain this playbook"
Generate professional HTML documentation for XSIAM/XSOAR automation scripts. Produces Google Docs-ready HTML with data flow diagrams, argument/output reference tables, logic walkthroughs, and script-type-specific guidance (standard, transformer, filter, dynamic-section, field-change-triggered, widget).
Example triggers: "document a script", "create script documentation", "script reference doc", "explain this script"
Each skill draws from reference files included in the plugin:
| Reference | Used By | Contents |
|---|---|---|
| XQL core reference | xsiam-xql, xsiam-correlations, xsiam-splunk-to-xql, xsiam-widgets | Stages, operators, functions, and time syntax (always loaded) |
| XQL datasets core | xsiam-xql, xsiam-correlations, xsiam-splunk-to-xql, xsiam-widgets | Common dataset names, presets, and joins (always loaded) |
| XQL advanced functions | xsiam-xql, xsiam-correlations, xsiam-splunk-to-xql, xsiam-widgets | Array, JSON, and window functions (on-demand) |
| XQL datasets extended | xsiam-xql, xsiam-correlations, xsiam-splunk-to-xql, xsiam-widgets | Third-party, email, and CIE datasets (on-demand) |
| XQL federated search | xsiam-xql, xsiam-correlations, xsiam-splunk-to-xql, xsiam-widgets | External S3/GCS/Azure querying (on-demand) |
| Event collector spec | xsiam-event-collectors | YAML structure, send_events_to_xsiam(), _time handling, should_push_events pattern |
| Correlation rule spec | xsiam-correlations | JSON export format, scheduling, severity, MITRE mapping |
| Correlation examples | xsiam-correlations | Complete example correlation rule JSON files |
| SPL-to-XQL mapping | xsiam-splunk-to-xql | SPL command and function translation reference |
| Widget view graph spec | xsiam-widgets | Graph types, parameters, chart selection guide, aggregation patterns |
| Script YAML spec | xsiam-scripts | Required field ordering and complete examples |
| Script types & patterns | xsiam-scripts | Specialized script types: enrichment, remediation, polling, etc. |
| Integration YAML spec | xsiam-integrations, xsiam-event-collectors | Integration structure, supportedModules, sectionorder, command schema |
| Integration patterns | xsiam-integrations, xsiam-event-collectors | BaseClient, OAuth2, pagination, credential vault, error handling |
| Common patterns | xsiam-scripts, xsiam-integrations, xsiam-event-collectors | Shared Python patterns: CommandResults, indicators, logging |
| Playbook format spec | xsiam-playbooks | Complete YAML format: field ordering, task type examples, condition operators, argument patterns |
| Playbook doc spec | xsiam-docs-playbooks | Section specs, YAML extraction, content guidelines |
| Script doc spec | xsiam-docs-scripts | Section specs, Python analysis, type-specific docs |
| HTML styling guide | xsiam-docs-playbooks, xsiam-docs-scripts | PAN brand palette, Google Docs-compatible HTML patterns |
All Python-based skills generate unified YAML matching real XSIAM export format for direct tenant import. Key structural conventions:
- `supportedModules: []` on every configuration parameter, command, and argument
- `vcShouldKeepItemLegacyProdMachine: false` after `commonfields`
- `sectionorder` (lowercase) with Connect/Collect tabs
- `register_module_line()` as first and last lines of embedded Python
- No `CommonServerPython`, `CommonServerUserPython`, or `demistomock` imports — the platform injects these at runtime
- Content-pack CI fields (`fromversion`, `marketplaces`, `tests`) intentionally omitted
- Docker image pinned to `3.12.x` (never `:latest`)
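As an added pre-import check (not part of the plugin), a small linter that walks a parsed unified YAML document, for either a script or an integration, and reports departures from the conventions listed above. `SAMPLE` is a constructed minimal integration export already in dict form, as `yaml.safe_load()` would return it; the `AcmeAPI` name and the docker tag are placeholders.

```python
# Constructed minimal integration export as yaml.safe_load() returns it (key order matters).
SAMPLE = {
    "commonfields": {"id": "AcmeAPI", "version": -1},
    "vcShouldKeepItemLegacyProdMachine": False,
    "name": "AcmeAPI",
    "sectionorder": ["Connect", "Collect"],
    "configuration": [
        {"name": "url", "display": "Server URL", "type": 0, "section": "Connect", "supportedModules": []},
    ],
    "script": {
        "script": "register_module_line('AcmeAPI', 'start', __line__())\n"
                  "def main():\n    pass\n\nmain()\n"
                  "register_module_line('AcmeAPI', 'end', __line__())\n",
        "type": "python",
        "dockerimage": "demisto/python3:3.12.0.00000",  # placeholder tag, pinned to 3.12.x
        "commands": [{"name": "acme-get-item", "supportedModules": [],
                      "arguments": [{"name": "id", "required": True, "supportedModules": []}]}],
    },
}
INJECTED = ("CommonServerPython", "CommonServerUserPython", "demistomock")
CI_ONLY = ("fromversion", "marketplaces", "tests")


def lint_unified_yaml(doc):
    """Return a list of convention violations for a parsed script or integration YAML (empty list = clean)."""
    problems = []
    keys = list(doc)
    following = {keys[i]: keys[i + 1] for i in range(len(keys) - 1)}  # key -> the key right after it
    if following.get("commonfields") != "vcShouldKeepItemLegacyProdMachine":
        problems.append("vcShouldKeepItemLegacyProdMachine must directly follow commonfields")
    problems += [f"content-pack CI field '{k}' must be omitted" for k in CI_ONLY if k in doc]
    problems += [f"'{k}' must be spelled lowercase 'sectionorder'" for k in keys if k.lower() == "sectionorder" and k != "sectionorder"]
    # Scripts embed the Python at the top level ('script: |-'); integrations nest it under script.script.
    script = doc.get("script", {})
    nested = isinstance(script, dict)
    code = script.get("script", "") if nested else script
    image = doc.get("dockerimage") or (script.get("dockerimage", "") if nested else "")
    items = [(f"param '{p.get('name')}'", p) for p in doc.get("configuration", [])]
    for cmd in (script.get("commands", []) if nested else []):
        items += [(f"command '{cmd['name']}'", cmd)] + [(f"argument '{cmd['name']}.{a['name']}'", a) for a in cmd.get("arguments", [])]
    problems += [f"{label} lacks supportedModules" for label, item in items if "supportedModules" not in item]
    lines = [ln.strip() for ln in code.splitlines() if ln.strip()]
    if len(lines) < 2 or not (lines[0].startswith("register_module_line(") and lines[-1].startswith("register_module_line(")):
        problems.append("embedded Python must begin and end with register_module_line()")
    for name in INJECTED:
        if any(ln.startswith((f"import {name}", f"from {name} ")) for ln in lines):
            problems.append(f"remove the {name} import: the platform injects it at runtime")
    tag = image.rsplit(":", 1)[-1]
    if not image or tag == "latest" or not tag.startswith("3.12."):
        problems.append(f"dockerimage '{image}' must be pinned to a 3.12.x tag, never :latest")
    return problems
```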
Describe what you want to build in natural language. Examples:
- Create an integration for CrowdStrike Falcon that can get detections and contain hosts
- Create an event collector for Okta that ingests system log events into the data lake
- Write a standalone script that enriches an IP address using VirusTotal
- Write an XQL query to find all failed logins from outside the US in the last 24 hours
- Create a correlation rule to detect brute force attacks — more than 10 failed logins in 5 minutes
- Translate this Splunk query to XQL: `index=main sourcetype=syslog | stats count by src_ip`
- Create a dashboard widget showing event counts by vendor as a column chart
- Build a phishing response playbook that enriches URLs, checks reputation, and blocks malicious indicators
- Write a runbook for responding to ransomware alerts
```text
xsiam-buddy/
├── .claude-plugin/
│   ├── plugin.json              # Plugin metadata
│   └── marketplace.json         # Marketplace manifest
├── skills/
│   ├── xsiam-scripts/           # Standalone script generation
│   ├── xsiam-integrations/      # Multi-command integration generation
│   ├── xsiam-event-collectors/  # Event collector integration generation
│   ├── xsiam-xql/               # XQL query generation
│   ├── xsiam-correlations/      # Correlation rule JSON generation
│   ├── xsiam-splunk-to-xql/     # SPL to XQL translation
│   ├── xsiam-playbooks/         # Playbook generation
│   ├── xsiam-widgets/           # Dashboard widget query generation
│   ├── xsiam-docs-playbooks/    # Playbook documentation (HTML)
│   ├── xsiam-docs-scripts/      # Script documentation (HTML)
│   └── xsiam-shared/            # Shared XQL references and Python patterns
└── docs/
    └── plans/                   # Design documents
```
| Field | Value |
|---|---|
| Name | xsiam-buddy |
| Version | 0.13.0 |
| Author | joseph3325 |
| Keywords | xsiam, xsoar, cortex, xql, correlation, splunk, playbook, automation, security |