Verify XSIAM instance is reachable and responding to API calls
Calculate the connected-to-total endpoint ratio and flag coverage below 80% as a gap
Analyze last 24 hours of alert volume and score based on alert counts
Composite health score combining API status, endpoint coverage, and alert volume
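How the three checks above combine into one health score, as an added example (not the page's or the product's own code). Coverage threshold (80%) is the one stated above; the alert-volume band (a baseline of 500 alerts/day scoring 1.0, degrading linearly to 0.0 at four times that), the 0.6/0.4 weighting, the rule that an unreachable API zeroes the whole score, and the rule that zero alerts in 24 hours is treated as a possible ingestion failure rather than a clean bill of health are assumptions made for illustration.

```python
from dataclasses import dataclass

COVERAGE_GAP_THRESHOLD = 0.80   # from the check above: coverage below 80% is a gap
ALERT_BASELINE_24H = 500        # assumed "normal" daily alert volume for the tenant
ALERT_SATURATION_FACTOR = 4     # assumed: at 4x baseline the alert score reaches 0.0


@dataclass
class HealthInputs:
    """Raw facts the three checks collect (values here would come from the XSIAM API)."""
    api_reachable: bool
    total_endpoints: int
    connected_endpoints: int
    alerts_last_24h: int


def endpoint_coverage(connected: int, total: int) -> float:
    """Ratio of connected to total endpoints; 0.0 for an empty tenant (no division by zero)."""
    if total <= 0:
        return 0.0
    if connected > total:
        raise ValueError("connected endpoints cannot exceed total endpoints")
    return connected / total


def coverage_gap(connected: int, total: int) -> bool:
    """True when coverage is strictly below the 80% threshold."""
    return endpoint_coverage(connected, total) < COVERAGE_GAP_THRESHOLD


def alert_volume_score(alerts_24h: int) -> float:
    """Score 0.0..1.0 for the last 24 hours of alert volume (assumed band).

    Zero alerts is not rewarded: on a tenant with agents deployed it usually means
    ingestion or correlation has stalled, so it is capped at 0.5 to surface the anomaly.
    """
    if alerts_24h < 0:
        raise ValueError("alert count cannot be negative")
    if alerts_24h == 0:
        return 0.5
    if alerts_24h <= ALERT_BASELINE_24H:
        return 1.0
    saturation = ALERT_BASELINE_24H * ALERT_SATURATION_FACTOR
    if alerts_24h >= saturation:
        return 0.0
    return 1.0 - (alerts_24h - ALERT_BASELINE_24H) / (saturation - ALERT_BASELINE_24H)


def composite_health_score(h: HealthInputs) -> float:
    """0..100 composite. An unreachable API returns 0: the other two inputs cannot be trusted.

    Weights (assumed): 0.6 endpoint coverage, 0.4 alert volume.
    """
    if not h.api_reachable:
        return 0.0
    coverage = endpoint_coverage(h.connected_endpoints, h.total_endpoints)
    alerts = alert_volume_score(h.alerts_last_24h)
    return round(100 * (0.6 * coverage + 0.4 * alerts), 1)


def health_report(h: HealthInputs) -> dict:
    """Score plus the individual flags an operator needs to act on."""
    return {
        "score": composite_health_score(h),
        "api_reachable": h.api_reachable,
        "coverage_gap": coverage_gap(h.connected_endpoints, h.total_endpoints),
        "alerts_stalled": h.alerts_last_24h == 0,
    }


if __name__ == "__main__":
    # Constructed sample tenant: API up, 850 of 1000 agents connected, 400 alerts in 24h.
    print(health_report(HealthInputs(True, 1000, 850, 400)))
```

The gating on API reachability matters more than the weights: a script that averages a coverage of 0.0 (because the endpoint call failed) with a stale alert count produces a plausible-looking mid-range score that hides an outage.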
Analyze endpoint policy assignments and flag endpoints with missing or outdated policies
Identify endpoints that are disconnected or lost from the XSIAM instance
Group endpoints by agent version and identify outdated installations
Check which endpoints support network isolation capabilities
Calculate alert response metrics and resolution rates from recent alerts
Analyze alert volume, severity distribution, and identify noise patterns
Discover internet-facing services and flag risky exposed ports
List deployed playbooks and identify automation coverage gaps
Check data source coverage and ingestion rates via XQL query
Measure alert sources to assess correlation vs raw detection value
Analyze authentication patterns and top login sources via XQL
Enumerate monitored cloud workloads by provider and region
Track incidents over the last 90 days in monthly buckets and report the percentage reduction as a breach-risk indicator
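The monthly bucketing behind the 90-day incident trend, as an added example (not the page's or the product's own code). It assumes incident creation times arrive as epoch milliseconds (as the Cortex XDR/XSIAM incident API returns `creation_time`), and it defines the reduction percentage as the drop from the earliest to the latest complete month, because both the first and the current month of a 90-day window are partial and comparing them inflates or deflates the trend. The sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

def month_start(d: datetime) -> datetime:
    return datetime(d.year, d.month, 1, tzinfo=timezone.utc)

def next_month(d: datetime) -> datetime:
    # December rolls over to January of the following year
    return datetime(d.year + d.month // 12, d.month % 12 + 1, 1, tzinfo=timezone.utc)

def monthly_incident_buckets(creation_times_ms, now: datetime, days: int = 90) -> dict:
    """Count incidents per calendar month inside [now - days, now].

    Every month touched by the window is pre-populated so an empty month shows as 0
    rather than silently disappearing. 'complete' marks months that lie entirely inside
    the window; partial edge months should not be used as trend endpoints.
    """
    start = now - timedelta(days=days)
    buckets = {}
    cursor = month_start(start)
    while cursor <= now:
        key = cursor.strftime("%Y-%m")
        buckets[key] = {"count": 0, "complete": cursor >= start and next_month(cursor) <= now}
        cursor = next_month(cursor)
    for ts_ms in creation_times_ms:
        t = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        if start <= t <= now:                    # incidents outside the window are ignored
            buckets[t.strftime("%Y-%m")]["count"] += 1
    return buckets

def incident_reduction_pct(buckets: dict):
    """Percent drop from the first to the last complete month; None if no baseline exists."""
    complete = [b["count"] for b in buckets.values() if b["complete"]]
    if len(complete) < 2 or complete[0] == 0:
        return None
    return round((complete[0] - complete[-1]) / complete[0] * 100, 1)

# Constructed sample: evaluation date and incident creation times (epoch ms, UTC).
NOW = datetime(2024, 4, 15, 12, 0, tzinfo=timezone.utc)

def _ms(y, m, d, h=9):
    return int(datetime(y, m, d, h, tzinfo=timezone.utc).timestamp() * 1000)

SAMPLE_CREATION_TIMES_MS = (
    [_ms(2023, 12, 28), _ms(2024, 1, 10)]                                # before the window
    + [_ms(2024, 1, d) for d in (20, 25, 30)]                             # January (partial month)
    + [_ms(2024, 2, d) for d in (1, 3, 5, 8, 10, 14, 17, 20, 24, 27)]     # February: 10
    + [_ms(2024, 3, d) for d in (3, 8, 12, 19, 25, 28)]                   # March: 6
    + [_ms(2024, 4, d) for d in (2, 9)]                                   # April so far (partial)
)

if __name__ == "__main__":
    b = monthly_incident_buckets(SAMPLE_CREATION_TIMES_MS, NOW)
    print(b, incident_reduction_pct(b))
```

With the sample data the trend is February (10) to March (6), a 40% reduction; January and April are visible in the buckets but excluded as endpoints. A shorter window that contains no complete month returns None instead of a misleading number.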
Count data sources ingested into XSIAM and estimate consolidation savings
Composite score from endpoints, alerts, services, and health metrics
Measure auto-resolved vs total incidents for automation effectiveness
Analyze event types and ingestion rates via XQL for data lake usage
Calculate false positive rate from alert statuses and estimate analyst savings
ROI calculator from incidents, alerts, and endpoints to estimate payback period
Compare proactive hunts vs reactive alerts via XQL to measure hunting productivity
Audit data sources, services, endpoints, and playbooks for integration completeness
Composite score from alert reduction, MTTR, automation, and integration coverage
Analyze audit management logs for compliance coverage and gap analysis
Measure login frequency and unique active users from audit logs
Compare ML-driven vs rule-based alert sources for detection efficacy
Measure auto-resolved incidents and playbook coverage for response automation
Calculate cost per incident from resolution times and estimate savings
Measure endpoint scale, alert load, event throughput, and API stability
Count intel-source alerts vs total to measure threat intelligence integration
Measure playbook execution frequency as proxy for knowledge base leverage
Check external services status and error frequency for integration reliability
Classify proactive vs reactive work to measure operational maturity shift