I use Cortex XSIAM and XDR.
Cortex XSIAM acts as a critical element for SOC foundations, integrating SIEM and EDR capabilities, valued for threat detection and seamless security orchestration with Palo Alto Networks products.


| Product | Mindshare (%) |
|---|---|
| Cortex XSIAM | 1.7% |
| Splunk Enterprise Security | 7.3% |
| IBM Security QRadar | 5.3% |
| Other | 85.7% |
| Product | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 2.8% | 97% | 140 |
| Cortex XDR by Palo Alto Networks | 4.2 | N/A | 96% | 112 |
| Company Size | Count |
|---|---|
| Small Business | 9 |
| Midsize Enterprise | 2 |
| Large Enterprise | 5 |
| Company Size | Count |
|---|---|
| Small Business | 336 |
| Midsize Enterprise | 184 |
| Large Enterprise | 713 |
Organizations find Cortex XSIAM beneficial for SOC foundations due to its capability to integrate SIEM and EDR tools, facilitating data collection, detection, and response. It connects with third-party data sources while reducing management effort and offering cost-effective alternatives to competitors like CrowdStrike and Trend Micro. Featuring automation and integration with Palo Alto Networks products, Cortex XSIAM enhances threat detection. Unified architecture allows a comprehensive view of attacks, further supported by machine learning and integration with existing vendor solutions, ensuring that users gain insights without significant manual log analysis.
What are Cortex XSIAM's key features?
What benefits are evident in Cortex XSIAM reviews?
Cortex XSIAM is adopted mainly in technology-driven sectors where centralized endpoint protection and automated forensic investigation are priorities. By integrating several third-party systems into incident response, companies in competitive markets use it to raise the operational efficiency of their security teams. Users do note areas for improvement, chiefly Attack Surface Management and the breadth of integrations, which matter most to organizations that need extensive connectivity with other security tools.
| Author info | Rating | Review Summary |
|---|---|---|
| Cybersecurity Architect at a computer software company with 10,001+ employees | 4.5 | I find Cortex XSIAM excellent for integrating diverse log sources and enabling automation, surpassing Trellix and Sentinel. While firewall management needs improvement, customer service is notably prompt and effective. Overall, I rate it 9/10. |
| Solutions Architect at ostec | 4.5 | I find Cortex XSIAM efficient, with good integration and advanced visualization, making my SOC productive. However, it's expensive, and I'd like to see improved pricing and more vendor integrations, like CyberArk, in the future. |
| IT COMMUNICATIONS AND NETWORKS at Américas BPS | 5.0 | I found Cortex XSIAM effective for threat detection with AI and playbooks, despite initial setup challenges. Its response to detections is impressive, and support was excellent. I rate this scalable solution highly. |
| Associate Director at a financial services firm with 5,001-10,000 employees | 2.5 | I find the solution offers flexible manual workflows and good ticketing, but integrations are limited and slow, customer support is poor, and scalability is an issue. It's expensive, lacks ROI, and I rate it 5/10, suitable only for highly regulated organizations. |
| SOC Analyst at OVELOSEC | 4.0 | We use Cortex XSIAM for SOC monitoring, which cut incident response times by twenty percent. While scalable, it needs improvements in data onboarding, parsers, and third-party integrations. Its AI analytics require fine-tuning, and licensing is expensive. |
| Team Lead, Security at seamlessinfotech.com | 4.0 | I find Cortex XSIAM effective for SIEM/SOAR, filtering critical security alerts, and enabling automation. Its deployment is straightforward, and incident management is strong. While UI intuitiveness could improve, I recommend it for its efficiency, despite competitive alternatives like Splunk. |
| Owner at Xelere | 4.0 | We find Cortex XSIAM's AI for vulnerability detection valuable, and it's easy to set up and stable, with good support. However, I believe it could improve detection resolution and seems more expensive. I rate it eight out of ten. |
| Senior Vice President at Chi Networks | 4.0 | I use Cortex XSIAM for endpoint protection, appreciating its robust detection, API-driven automation, and good scalability. While I believe the GUI needs improvement, I require more time to fully assess its stability and ROI. |
| Senior Manager - Security Operations at First Advantage Corporation | 4.5 | I believe Cortex XSIAM is a top SIEM solution, centralizing our security operations and enabling significant automation for my lean team. It delivered over $500k ROI, though I wish for more integrations and ASM context. |
| Subject Matter Expert at Softcell Technologies Limited | 4.5 | I find Cortex an effective, stable, and scalable alternative to competitors, particularly due to its competitive pricing and integration with Palo Alto products. While support could be faster, I rate it 9/10, especially for existing Palo Alto users. |
When considering a zero-trust solution, you have to think of multiple vendors, multiple devices, and multiple layers. One of the layers is the endpoint protection and overall management view to actually do correlations. For me, to have Cortex XSIAM available is to basically have integration of all log sources, all alerting, and so on and so forth from firewalls and different tools, to get everything in one place, and afterwards to be able to build on the information that is coming. That is the big win. This is why I believe Cortex XSIAM is good, and it is important to have a tool such as Cortex XSIAM. It can be Cortex XSIAM, it can be different, it can be Microsoft Sentinel, or it can be something else.
I cannot say 100 percent, but I can definitely say that at the beginning, at one point, I was seeing the colleagues who manage it discussing with multiple teams to do the integrations and build playbooks and automations on it. This had a massive impact on everything they are doing, being able to treat alerts and incidents and so on automatically on a lot of the layers. It is a big, massive impact from my perspective.
The firewall side can make some improvements. I know the firewall on Cortex XSIAM is based on Windows. From what I have experienced so far, I have seen that the policies you can create are actually very in-depth. I mean, you can do most of the things and a lot of the integration that you actually want. So if I want to choose to send things to WildFire, for example, I can choose to send it or not to send it. This basically offers the flexibility to implement Cortex XSIAM in more standardized places where you maybe have a certification. I would say that the thing that maybe needs a bit more improvement is the firewall side, because I have seen some things there that are kind of hard to manage. You do not really have a very easy way to manage those unless you actually know where you have put them, so it is very inflexible. Otherwise, you have a lot of playbooks that you can build and you can do lots of automation, which is actually easy to manage from what I have seen from my colleagues.
Two and a half years.
I do not have visibility anymore. I know this feature is being used by the SOC team. I had visibility at the beginning when it was deployed, but I know that there has been a lot of work on this to make it better and better. As with any product in the end, you need a couple of years on a project for it to become more mature. With the continuous integration that the colleagues are probably doing, it is becoming better and better. I remember at the beginning we had a lot of false alerts.
It is a dedicated team. You have a SOC team in every company. The SOC team is responsible for fully managing Cortex XSIAM.
They have always been very prompt. Every time when I had issues, they came with a good answer. Even if it took one or two weeks, we worked together and we resolved it. I had a dedicated person allocated for supporting, and even with them, it was very good, so no complaining. The answer was fast. You can put a 9 or 10 rating. They are good. We just did not have issues with this. In the end, when you actually choose a product, one of the things that you can think about is the support. The support for them was better than maybe Trellix, for example.
The machine learning that it does is being used. It is a big difference from Trellix, for example, because Trellix was something that you were just deploying. I am not sure if it has changed since the last time I was reading about them, but from what I know, there was a big downside with Trellix: it basically was not giving you this machine learning, it could trigger things, and you needed a lot more whitelisting to be done. Now you have machine learning, it is in use, and it can help you, in the end, identify things and not trigger an alert immediately unless it is actually necessary. This is a good integration from my perspective, the machine learning and everything there is today. You need machine learning in most things, so again it is not necessarily about Cortex XSIAM. It is a general view again.
If I put in a comparison with what I used so far, I consider it better than Sentinel. I consider it better than Trellix. I would give a 9 overall.
I have used it. It is true that I used it a bit less at one point because I was doing the migration from Trellix to Cortex XSIAM. I do not have that feature.
I think Network Detection and Response was on it. To be honest, I have not used it in two years now, so maybe it is not the best idea to give some insight because I would have to remember things. I will not remember all the features and everything on it.
That one I used before Trellix, so it is even longer ago. That is why I rated Cortex XSIAM, because basically I passed through them. I have been using Cortex XSIAM for several years now, so I remember more of the information about it. The other one, Sentinel, I used before Trellix, so it is even longer ago.
Visualization is a good approach. The visualization and everything, graphs, dashboards that you can build and that you can have are really well done.
It depends because you have different roles in a company, so you have roles with different accesses. I have accesses to do some checks today, but the SOC team is the one that is fully responsible for managing Cortex XSIAM platform itself today.
I am a kind of implementer of a solution.
I have used Sentinel for more than three years, and Trellix was approximately three years ago. My overall review rating for Cortex XSIAM is 9.

The typical use cases for Cortex XSIAM are diverse.
I would describe the impact of Cortex XSIAM's automation on my security operations center as efficient.
I use Cortex XSIAM's behavior analytics, and it helps identify unusual activities.
I leverage Cortex XSIAM's incident management features for automation.
The features of this product I find most beneficial include integration.
The product integrates seamlessly with third-party solutions.
The advanced visualization capabilities of the product are important for understanding security trends in an organization.
They improved incident resolution speed, which has been beneficial when using Cortex XSIAM.
Cortex XSIAM is on the expensive side and requires substantial improvement in pricing.
There are other features that could be improved, including integration with vendors such as CyberArk.
I would like to see identity management in future releases of Cortex XSIAM.
I have been working with Cortex XSIAM for two years.
Based on what Cortex XSIAM needs to do, the installation process is appropriate.
The installation of Cortex XSIAM takes two to three months, depending on the customer requirements and whether everything proceeds as planned.
It is a stable product.
Cortex XSIAM is scalable.
I would rate the support of Palo Alto a nine out of ten.
Three people are involved in the installation process from my side.
I am familiar with Cortex XSIAM but not with Cortex Co-pilot. On a scale of 1-10, I rate Cortex XSIAM a 9.

With Cortex XSIAM, we installed an agent on Active Directory on-premise. We connected our Firewalls to the Data Lake and the Active Directory, and protected the Firewalls with another authentication factor. There is a kind of identity management component.
With Cortex XSIAM, we work with playbooks, and it includes AI to improve threat detection and interaction with issues. We have the Managed Threat Hunting feature and the Detect and Respond capabilities with configurable playbooks. The way the solution responds to detections and warnings is really impressive.
It works really nice and performs really efficiently after configuration. At the beginning, we experienced some difficulties setting up the product with connectivity and infrastructure, but ultimately it functioned really effectively.
The support was excellent. We could solve the majority of difficulties with the local team.
Neutral
At the beginning, we experienced some difficulties setting up the product with connectivity and infrastructure, but ultimately it functioned really effectively.
I did not participate in pricing discussions for Cortex XSIAM solutions, so I cannot provide a review regarding prices for this solution.
I would rate Cortex XSIAM a nine out of ten.
It is a scalable solution and it's easy to include or scale from one to 1,000 devices in any kind of infrastructure. Adding devices you want to include is really straightforward on the solution.
I am trying to check the solution for a new organization I have moved to. Previously, I used the older version of the solution.
The flexibility for creating manual workflows stands out. Although it is time-consuming, it offers significant flexibility.
Additionally, from a ticketing point of view, the platform works very well.
The standard integrations are very limited, and the integrations that are available are not listed in the marketplace. Obtaining validation for integrations from Palo Alto takes around eight months, which is quite long. The solution would benefit from having more standard playbooks and templates available, as other partners do.
Currently, everything must be created from scratch. In terms of incident response automation, it is quite poor due to the lack of integration with all security tools, making manual intervention necessary.
I have been familiar with the solution for almost six years.
The solution is only rated five out of ten for scalability. Scalability heavily relies on the integration aspect. Without proper integration, scaling up with more servers is meaningless.
The technical support from Palo Alto is very slow. It is ineffective in terms of responding to basic queries and addressing future requirements. I rate their support at four out of ten.
Neutral
I have moved to other products, however, I cannot disclose which ones due to a nondisclosure agreement with my company.
The initial setup was phase-by-phase, with configuration being the most challenging part, especially moving the playbooks manually as they cannot be imported.
There were around ten engineers involved in the installation and deployment.
There has been no return on investment.
The product is very expensive. Additional integration and support are not provided by Cortex and must be purchased from partners. This adds to the cost and delays projects due to resource dependency.
Overall, I rate the solution a five out of ten.
I would recommend it to organizations requiring a standardized tool for regulation purposes. It is suitable for highly regulated organizations and not for standard operations seeking automation.

In our organization, we are using Cortex XSIAM for full-fledged SOC monitoring services. We onboard all the devices, including network devices and every possible syslog source; everything is on one tool.
Since implementing Cortex XSIAM, incident response times have been significantly reduced by approximately twenty percent.
We use the IOCs, updating them with malware hashes and similar elements. Cortex XSIAM allows us to onboard almost every device, whether they are on-prem or on SaaS. We can integrate and write our own parsers and parse the logs, which is quite simple.
Cortex XSIAM needs improvements in terms of data onboarding, parsers, and third-party integration supports. Additionally, a future update request is to enable tagging of endpoints in groups, similar to a feature available in Cortex XDR. The AI analytics need fine-tuning because some use cases are not working from my side.
We have been using Cortex XSIAM for about two years now.
Overall, Cortex XSIAM is stable, but there have been issues as it sometimes crashes, requiring us to ask the team to fix it.
Cortex XSIAM is highly scalable. In our team, around seventy people, including engineers, managers, and developers, are working with it.
The Palo Alto support team is fully responsive and helpful.
Positive
We deploy Cortex XSIAM with support from the Palo Alto team.
The licensing cost of Cortex XSIAM is more or less the same as Splunk, making it quite expensive compared to other tools. There are additional expenses for more functionalities.
Overall, I rate Cortex XSIAM an eight out of ten. We manage maintenance in-house with a team of ten engineers. Although the licensing cost is high, the architecture and in-house capabilities it provides align well with our organizational needs.
Cortex XSIAM functions as a SIEM and SOAR solution, where you can integrate all your firewalls and other security tools, whether cloud-based or on-premises hardware. You can send all your security incidents, and it will provide correlation. Additionally, you can implement automation for blocking in response to security incidents.
Regarding behavior analytics, we haven't explored this feature yet, so I cannot comment on it, but it is one of the capabilities Cortex XSIAM offers.
The most valuable aspect is that Cortex XSIAM doesn't generate excessive alerts. It will refine all search results effectively. When there are thousands of queries incoming, it will only present the defined ones that require SOC engineer attention, filtering out incidents where SOC intervention isn't necessary.
Its advanced visualization capabilities merit an 8 out of 10. Whatever data is ingested, it performs its own threat intelligence in the backend through Palo Alto, providing defined results for engineers or SOC analysts to review. There are also defined playbooks for automation, requiring minimal manual intervention as most processes can be automated from the console itself.
The main area for improvement is the user interface intuitiveness - specifically how quickly users can grasp the portal functionality. For SOC analysts, the focus should be on improving the speed of accessing defined searches and filtering capabilities. While Palo Alto performs adequately in these areas, there is always room for enhancement. They can continue to improve the search functionality and defined results presentation.
I have been working with Cortex XSIAM for four years.
Technical support varies based on the support level. With premium support, core Palo Alto technical experts handle issues directly. Otherwise, support is routed through distributors such as Redington or Tech Data. The quality of distributor support depends on their engineers' expertise. Premium support provides direct access, while distributor support quality can vary.
Positive
We participate in the implementation of Cortex XSIAM.
Return on investment with Cortex XSIAM varies based on customer scope. When customers have specific incidents or use cases they're implementing, they typically see returns within three to four months of deployment.
The cost of Cortex XSIAM in the India market differs from other regions. When considering competition, from a sales perspective, the pricing is acceptable.
Splunk has several advantages over Cortex XSIAM, including established market reach, superior filtering processes that enable different types of searches with quick data retrieval, and extensive integration capabilities with unlimited connectors for data ingestion. Splunk's position as a market leader adds to its advantages.
The deployment of Cortex XSIAM is straightforward. For smaller setups with few devices requiring registration and playbook implementation, deployment can be completed within two months. Larger implementations may take up to three months, but the process remains quick and efficient.
Incident management in Cortex XSIAM is highly effective. It can be integrated with help desk solutions such as ServiceNow. For critical incidents, it automatically raises tickets to notify engineers to address issues through the console.
The incident management capabilities have received positive feedback from analysts who consider it an excellent tool. The compliance features include both predefined templates and custom options, allowing customers to follow their specific compliance requirements alongside incident management.
XSOAR operates on top of Cortex XSIAM, with XSIAM handling data ingestion and XSOAR managing automation components.
I rate Cortex XSIAM 8 out of 10 and recommend it to other organizations.
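Two of the reviews above touch on the same workflow: the SOC Analyst describes writing custom parsers and matching ingested logs against an IOC list of malware hashes, and the Team Lead values the platform presenting only the alerts that actually need a SOC engineer. The following Python is an added illustration of that pipeline written for this page, not code from Palo Alto Networks or from any reviewer, and it does not use XSIAM's query or parsing language. The log layout (`timestamp host source: key=value ...`), the sample lines, and the IOC feed are all constructed for the example.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample lines in a simple "timestamp host source: key=value ..." layout.
# The layout is an assumption for this example; it is not XSIAM's own log format.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host-a edr: event=file_exec user=alice path=/tmp/update.bin sha256=" + "1" * 64,
    "2024-05-01T10:00:05Z host-a edr: event=file_exec user=alice path=/tmp/update.bin sha256=" + "1" * 64,
    "2024-05-01T10:00:09Z host-b edr: event=file_exec user=bob path=/usr/bin/ls sha256=" + "2" * 64,
    "2024-05-01T10:01:00Z host-c edr: event=file_exec user=carol path=C:/Temp/x.exe sha256=" + "3" * 64,
    "malformed line with no structure",
    "2024-05-01T10:02:00Z fw-1 firewall: event=deny src=10.0.0.5 dst=203.0.113.9",
]

# Constructed IOC feed (SHA-256 -> label). A real deployment would load this from a TI source.
IOC_HASHES: Dict[str, str] = {
    "1" * 64: "Constructed.Dropper",
    "3" * 64: "Constructed.Loader",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<source>\w+):\s+(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: str
    host: str
    source: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into an Event; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in KV_RE.findall(m.group("body"))}
    return Event(m.group("ts"), m.group("host"), m.group("source"), fields)


def triage(lines: List[str], iocs: Dict[str, str]) -> dict:
    """Parse lines, keep only IOC hits, and collapse repeats into one alert per (host, hash).

    Events that parse but match no IOC are counted as suppressed: they are retained
    in the data lake but never become something an analyst has to look at.
    """
    alerts: "OrderedDict[tuple, dict]" = OrderedDict()
    parsed = unparsed = suppressed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1  # parser gap: worth tracking, since unparsed data is blind data
            continue
        parsed += 1
        digest = ev.fields.get("sha256", "").lower()
        label = iocs.get(digest)
        if label is None:
            suppressed += 1
            continue
        key = (ev.host, digest)
        if key in alerts:
            alerts[key]["count"] += 1
            alerts[key]["last_seen"] = ev.ts
        else:
            alerts[key] = {
                "host": ev.host, "sha256": digest, "label": label,
                "path": ev.fields.get("path"), "user": ev.fields.get("user"),
                "first_seen": ev.ts, "last_seen": ev.ts, "count": 1,
            }
    return {"alerts": list(alerts.values()), "parsed": parsed,
            "unparsed": unparsed, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS, IOC_HASHES)
    print(f"parsed={result['parsed']} unparsed={result['unparsed']} suppressed={result['suppressed']}")
    for a in result["alerts"]:
        print(f"{a['label']} on {a['host']} ({a['count']}x) {a['path']} user={a['user']}")
```

On the six constructed lines, five parse, one is rejected, two benign events are suppressed, and the three IOC hits collapse into two alerts (the repeated execution on host-a is counted rather than raised twice). The unparsed counter is the part practitioners most often forget: the SOC Analyst's complaint about data onboarding and parsers is exactly the case where a line fails the parser and silently never reaches detection.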

We are a partner, and we train people. However, we have not installed the product for a customer yet.
We started to work with Cortex due to the relationship between IBM and Palo Alto. One of the valued aspects of the product is its use of artificial intelligence to detect security vulnerabilities. The ease of use, simplicity in product setup, and the ability to optimize rules are crucial aspects.
Cortex could improve the detection and online resolution of security vulnerabilities. We hope that the artificial intelligence in Cortex will assist in optimizing responses to vulnerabilities.
We started working with Cortex XSIAM a few months ago, around April this year, which is approximately six months.
The product was easy to install and set up and worked right. Cortex XSIAM appears to be very stable.
We didn't test the scalability feature in a real customer setup, so it's early to tell about scalability.
Our experience with the support was very good. They solved the questions we had.
Positive
We work a lot with IBM, specifically IBM QRadar, which does not have this artificial intelligence feature.
It was easy to set up, easier than using QRadar.
Some technical team members took training courses and certification for the product.
The idea is that the value of the product justifies the cost difference.
The first impression is that XSIAM would be more expensive than others we tried.
Our main competitor today is Splunk.
I would rate it an eight out of ten. We have a big install base of Cortex QRadar in Latin America, and we need better positioning of the product.
I'd rate the solution eight out of ten.


At our organization, we have implemented Cortex XSIAM as our primary Security Information and Event Management (SIEM) solution. We've also harnessed its capabilities for our SOAR operations. Our approach has been to strategically design it as the foundation for our in-house Security Operations Center (SOC), with a strong emphasis on incorporating SOAR automation seamlessly into our security infrastructure.
Our primary focus with it has been to build and strengthen our security program. We have essentially developed a comprehensive security program around it. By using it as our SIEM solution, we've achieved the benefit of having a centralized, single interface for our security operations. Thanks to the capabilities of Security Orchestration, Automation, and Response (SOAR), our relatively smaller team has been able to efficiently manage our security operations. Another notable advantage is our ability to capture a lot of information that would have otherwise gone unnoticed. To illustrate this, consider that we've successfully integrated and correlated various log data from multiple sources. Viewing all this data from a unified perspective has allowed us to identify issues that might not have been detected individually but are indicative of more significant problems or threats.
When it comes to its key strengths, three aspects stand out prominently for me. Firstly, its SOAR capabilities and robust features in the realm of security orchestration, automation, and response are truly exceptional. Secondly, the level of security intelligence it offers is impressive, providing us with crucial insights and context. Lastly, its detection enrichment capabilities are highly valuable, allowing us to receive meaningful and impactful information about alerts without the need for extensive log analysis, setting it apart from some competitors like McAfee ESM, which often necessitate deeper log exploration.
There is room for improvement in some areas, and I would highlight three key aspects. Firstly, the Attack Surface Management (ASM) module could benefit from more contextual depth. Currently, it tends to provide a broad overview without enriched context, and there's room for enhancement in this regard. Secondly, further integration capabilities with various other software products that can seamlessly tie into Cortex XSIAM would be advantageous. This would enhance its versatility and interoperability within a broader ecosystem. Regarding performance, there's potential for optimization. When multiple tabs are open in Cortex XSIAM, it can experience slowdowns, leading to longer load times for web pages. It's worth noting that this isn't a severe issue, and it doesn't entail waiting for extended periods, but there is room for improvement in terms of performance optimization.
I have been working with it for a year and a half.
In terms of stability, we have encountered only a single instance of downtime during our year and a half of using it. This issue was promptly resolved within approximately ten minutes. So, overall, the stability of the platform has been quite robust.
It demonstrates remarkable scalability. While we currently utilize a single tenant, it appears to be incredibly straightforward to scale up by adding additional tenants. Creating new integrations and features within the platform is a seamless process, making it highly adaptable for organizations of varying sizes. At our organization, we've implemented it across the entire company, with Cortex XDR integrated. Approximately thirty individuals within our IT department actively utilize Cortex XSIAM for a range of tasks, including security operations, system administration, and more. Currently, we have around eleven thousand assets under its purview.
Our experience with technical support has been somewhat challenging. It appears that many of the individuals assigned to provide support have come from various other business units within Palo Alto Networks. As a result, it has sometimes felt like they are learning about the product's offerings on the fly, which has posed difficulties in terms of the support we've received. I would rate it eight out of ten.
Positive
The setup process is generally quite intuitive and uncomplicated.
The deployment process has two distinct approaches. For existing Cortex XDR customers like us, the transition was remarkably straightforward. It merely required submitting a request to Palo Alto Networks to change our licensing type from Cortex XDR to Cortex XSIAM. Once approved, we gained immediate access to all the features and capabilities. For new customers or those starting from scratch, the initial steps would involve acquiring the necessary ports and IPs aligned with Palo Alto Networks' specifications and ensuring these are allowed throughout the network. In our case, the deployment involved a team of three individuals. I, as the Senior Manager of Security Operations, was one team member, accompanied by a Lead Threat Hunter and a Cloud Security Engineer. The entire deployment process took approximately twenty hours, making it a remarkably swift and efficient implementation in the grand scheme of things.
We realized an ROI of over five hundred thousand dollars from this solution. Our success lies in the fact that we've been able to fully automate at least fifty percent of our end-to-end detection and response processes. This means that we haven't needed to hire additional SOC analysts or allocate resources for that purpose.
In terms of pricing, we found Cortex XSIAM to offer a very reasonable and competitive rate. We entered into a two-year contract with them, and the pricing aligned well with our budget expectations, comparable to what we had considered with Splunk and Microsoft Sentinel. It's worth noting that there are additional costs, depending on the specific add-ons an organization chooses to purchase. For example, opting for add-ons like Managed Threat Hunting from Palo Alto Networks or Identity Threat Analytics would incur extra expenses.
Previously, we considered options like Splunk and Microsoft Sentinel. Our decision to opt for Cortex was primarily driven by its ability to support a lean and agile team without necessitating a significant increase in administrative overhead. In contrast, both Sentinel and Splunk would have required us to potentially double or even triple our team size to effectively manage them.
In my experience, it stands out as one of the top SIEM solutions I've had the opportunity to use. Its ability to deliver a substantial amount of security intelligence greatly enhances and optimizes our security operations program. I would rate it nine out of ten.

It is just a replacement for CrowdStrike or Trend Micro. I'll pitch Cortex because it can do the same thing. So if there's competition with CrowdStrike or with Trend Micro, and the customer can't afford CrowdStrike pricing, then I'll suggest Cortex.
It is an effective solution in terms of performance and functionalities.
The customer would be okay with receiving either CrowdStrike, SentinelOne or even Cortex, as long as the price is right because they all do the same job more or less. So, it's mainly the pricing point that makes a difference in India.
Since Palo Alto is trying to get as many new customers as possible, they're offering very competitive pricing.
If a customer is already using the Palo Alto firewall and Prisma Access, and maybe even Prisma Cloud, then they're already familiar with Palo Alto's solutions and find it easier to manage internally. That's how they'll switch to Cortex for a unified suite.
There is room for improvement in the support. It could be a bit faster.
I have been with this solution for a year.
It is a stable solution. I would rate the stability a ten out of ten.
We have enterprise-level businesses as our clients. Since it is available on the cloud, it is very easy to scale.
For support, they have two or three variants: premium support, enterprise support, and another one. So it depends on the customer.
Premium support is the best one, according to customer reports. But all the support is great.
Positive
I've seen CrowdStrike, Trellix, SentinelOne.
It's very easy to deploy. It takes about a week to deploy the solution for a thousand users.
Just two engineers were enough for the deployment. It is easy to maintain.
I would rate the solution's cost a six out of ten, where one is cheap, and ten is expensive.
If you want to build secure networks and you're already using a Palo Alto firewall, Cortex is a better choice.
Overall, I would rate the solution a nine out of ten.