UAE Federal Entity Modernizes SOC with Cortex XSIAM
Legacy SIEM to AI-native in 18 weeks.
How a UAE federal entity replaced its legacy SIEM with Cortex XSIAM in 18 weeks, consolidating telemetry from 30+ sources and aligning to NESA Information Assurance Standards reporting.
UAE federal government entity, NESA-designated critical infrastructure
Legacy SIEM at end-of-cycle and NESA pressure
The federal entity ran a legacy enterprise SIEM that was approaching end of cycle. License costs were rising. Detection content had drifted. The SOC team was firefighting alerts rather than hunting threats. NESA's technical-safeguard requirements had also tightened expectations on logging retention, integrity, and reporting. The legacy SIEM met the controls technically but produced reports the audit team had to massage manually. The entity weighed continuing on the legacy platform, moving to a cloud-native alternative, or modernizing to XSIAM with the rest of the Palo Alto stack already deployed.
Four reasons CWS won the engagement.
- Federal-grade engagement experience: CWS engineers had delivered to federal-entity standards previously, including security-cleared workflows and federally acceptable documentation in Arabic.
- Cortex XDR continuity: Existing Cortex XDR deployment integrated natively into XSIAM. No wasted investment.
- Senior content authoring: Detection content migrated from legacy SPL-style queries to XQL with senior-engineer review on every detection rule.
- NESA mapping as a deliverable: Compliance artifact produced alongside the technical migration, not as an afterthought.
Five phases. Defined ownership.
- Phase 1: Discovery and content audit (three weeks). Inventoried 30+ telemetry sources, audited existing detection content, mapped NESA control requirements to XSIAM content packs.
- Phase 2: Data source onboarding (five weeks). Onboarded each telemetry source into XSIAM with parsing validation. Sources included PA-series NGFW, Cortex XDR, AD, DNS, web proxy, email, and 20+ application logs.
- Phase 3: Content migration (five weeks). Migrated 80+ detection rules from legacy SPL to XQL with senior-engineer review. Custom NESA content pack built. Operations runbooks updated.
- Phase 4: Parallel run (three weeks). XSIAM ran in parallel with the legacy SIEM. Detection coverage validated. Operations team trained on XQL.
- Phase 5: Cutover and decommission (two weeks). Legacy SIEM decommissioned after parallel-run validation. Operations handed over to the entity SOC team.
What changed after the engagement.
- 30+ telemetry sources consolidated: Single XSIAM data lake replaced legacy multi-source SIEM
- 80+ detection rules migrated: Legacy SPL content rewritten in XQL with senior-engineer review
- NESA compliance pack delivered: Custom NESA-aligned content pack as engagement deliverable
- 18 weeks end to end: From kickoff to legacy SIEM decommission
- EN/AR bilingual artifacts: Engineering documentation in EN; executive briefings and audit artifacts in AR
- Lower operational overhead: AI-native correlation reduced alert volume and freed analyst time for hunting
Where the engagement is heading.
The entity is now expanding XSIAM coverage to additional federal sub-entities under a federal-wide SOC consolidation initiative. CWS continues to author detection content and run quarterly tuning sessions.