Canadian Federal Entity Modernizes SOC with Cortex XSIAM
Legacy SIEM to AI-native in 20 weeks. Bilingual delivery.
How a Canadian federal entity replaced its legacy SIEM with Cortex XSIAM in 20 weeks, consolidating telemetry from 35+ sources, aligning to CCCS ITSG-33 control families, and delivering all artifacts in EN and FR.
Canadian federal government entity, ITSG-33-aligned, with operations across Ontario and Quebec
Legacy SIEM at end-of-cycle and ITSG-33 pressure
The federal entity ran a legacy enterprise SIEM that was approaching contract end. License costs were rising. Detection content had drifted from the threats the SOC actually faced. The SOC team was firefighting alerts rather than hunting threats. CCCS had updated ITSG-33 expectations on logging integrity, retention, and reporting. The legacy SIEM met the controls technically but produced reports the audit team had to rework manually. The entity weighed continuing on the legacy platform, moving to a cloud-native alternative, or modernizing to XSIAM alongside the Palo Alto stack already deployed. Bilingual EN/FR delivery was a foundational requirement.
Four reasons CWS won the engagement.
- Federal-grade engagement experience: CWS engineers had delivered to federal-entity standards previously, including bilingual documentation in EN/FR.
- Cortex XDR continuity: The existing Cortex XDR deployment integrated natively into XSIAM. No wasted investment.
- Senior content authoring: Detection content migrated from legacy SPL-style queries to XQL with senior-engineer review on every detection rule.
- ITSG-33 mapping as a deliverable: Compliance artifact produced alongside the technical migration in both official languages.
Five phases. Defined ownership.
- Phase 1: Discovery and content audit. Three weeks. Inventoried 35+ telemetry sources. Audited existing detection content. Mapped ITSG-33 control requirements to XSIAM content packs.
- Phase 2: Data source onboarding. Six weeks. Onboarded each telemetry source into XSIAM with parsing validation. Sources included PA-series NGFW, Cortex XDR, AD, DNS, web proxy, email, and 25+ application logs.
- Phase 3: Content migration. Six weeks. Migrated 100+ detection rules from legacy SPL to XQL with senior-engineer review. Custom ITSG-33 content pack built. Operations runbooks updated in EN and FR.
- Phase 4: Parallel run. Three weeks. XSIAM ran in parallel with the legacy SIEM. Detection coverage validated. Operations team trained on XQL in both languages.
- Phase 5: Cutover and decommission. Two weeks. Legacy SIEM decommissioned. Operations handed over to the entity SOC team.
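The parallel run in Phase 4 only earns its keep if "detection coverage validated" means something measurable: every rule that fired on the legacy SIEM during the overlap window should fire on XSIAM for the same entity at roughly the same time, and anything that does not is a migration gap to triage before cutover. The script below is an added example of that parity check, not CWS's or the entity's tooling. It assumes each platform can export its fired alerts as a CSV with `rule_id`, `entity_key` (the host or user the rule keys on) and `fired_at` columns; those column names, the tolerance window, and the sample alert rows are all constructed for illustration.

```python
"""Detection-parity check for a SIEM parallel run (added example).

Assumes both platforms export fired alerts as CSV with the columns
rule_id, entity_key, fired_at (ISO-8601 UTC). Two alerts are treated as
the same detection when rule_id and entity_key agree and the fire times
fall within a tolerance window, because ingest and correlation latency
differ between platforms. Column names and sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample exports for one overlap window (not real data).
LEGACY_CSV = """rule_id,entity_key,fired_at
AUTH-BRUTE-001,host-a,2024-01-15T10:00:05Z
AUTH-BRUTE-001,host-b,2024-01-15T10:02:00Z
DNS-TUNNEL-004,host-c,2024-01-15T10:05:00Z
PROXY-BEACON-009,host-d,2024-01-15T10:07:30Z
"""

XSIAM_CSV = """rule_id,entity_key,fired_at
AUTH-BRUTE-001,host-a,2024-01-15T10:00:40Z
AUTH-BRUTE-001,host-b,2024-01-15T10:02:10Z
PROXY-BEACON-009,host-d,2024-01-15T10:20:00Z
WEB-SHELL-012,host-e,2024-01-15T10:09:00Z
"""


def parse_alerts(text):
    """Group fire times by (rule_id, entity_key)."""
    alerts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["fired_at"], "%Y-%m-%dT%H:%M:%SZ")
        alerts[(row["rule_id"], row["entity_key"])].append(ts)
    return alerts


def compare_runs(legacy_text, new_text, tolerance=timedelta(minutes=5)):
    """Match legacy alerts to new-platform alerts within the tolerance.

    Returns matched pairs, legacy alerts with no counterpart (missing),
    and new-platform alerts with no legacy counterpart (extra).
    """
    legacy = parse_alerts(legacy_text)
    new = parse_alerts(new_text)
    matched, missing, extra = [], [], []
    for key, old_times in legacy.items():
        candidates = sorted(new.get(key, []))
        for t in sorted(old_times):
            # Earliest unused candidate inside the window; each new alert
            # may satisfy only one legacy alert.
            hit = next((c for c in candidates if abs(c - t) <= tolerance), None)
            if hit is None:
                missing.append((key, t))
            else:
                candidates.remove(hit)
                matched.append((key, t, hit))
        extra.extend((key, c) for c in candidates)
    for key, times in new.items():
        if key not in legacy:
            extra.extend((key, c) for c in times)
    return {"matched": matched, "missing": missing, "extra": extra}


def coverage_gaps(result):
    """Rule ids that fired on legacy and never matched on the new platform."""
    matched_rules = {key[0] for key, _, _ in result["matched"]}
    return sorted({key[0] for key, _ in result["missing"]} - matched_rules)


def summarize(result):
    """Counts plus the share of legacy alerts reproduced on the new platform."""
    total = len(result["matched"]) + len(result["missing"])
    return {
        "matched": len(result["matched"]),
        "missing": len(result["missing"]),
        "extra": len(result["extra"]),
        "parity": len(result["matched"]) / total if total else 1.0,
    }


if __name__ == "__main__":
    res = compare_runs(LEGACY_CSV, XSIAM_CSV)
    print(summarize(res))
    for rule in coverage_gaps(res):
        print("gap before cutover:", rule)
```

In the constructed sample the two brute-force alerts match, the DNS tunnelling rule never fires on the new platform, and the beaconing rule fires 12.5 minutes late, so both land in the gap list; the late one is exactly the kind of case the parallel run exists to surface, since it may be a migrated rule whose time window or aggregation threshold no longer matches the original. Alerts only the new platform raises (the `extra` list) are worth a look too, as either a genuine improvement in coverage or a noisy rule that will inflate analyst workload after cutover.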
What changed after the engagement.
- 35+ telemetry sources consolidated: Single XSIAM data lake replaced the legacy multi-source SIEM
- 100+ detection rules migrated: Legacy SPL content rewritten in XQL with senior-engineer review
- ITSG-33 compliance pack delivered: Custom ITSG-33-aligned content pack as engagement deliverable
- 20 weeks end to end: From kickoff to legacy SIEM decommission
- EN/FR bilingual artifacts: Engineering documentation in EN; runbooks, executive briefings, and audit artifacts in both languages
- Lower operational overhead: AI-native correlation reduced alert volume and freed analyst time for hunting
Where the engagement is heading.
The entity is expanding XSIAM coverage to additional federal sub-entities under a federal-wide SOC consolidation initiative. CWS continues to author detection content and run quarterly tuning sessions in both languages.