Palo Alto Networks Cortex XSOAR Reviews

For organizations that are stable with their security operations, like those with around 50 members in their security team running full-phased operations 24/7, Cortex is necessary. They can automate many processes and build their own scripts. Then, we use it for Flashflakes. 

But for a smaller organization with binding budgets and who is unaware of security, they may end up wasting money on it. This is an expensive tool. We have to use it wisely, or it’s easy to mistrust its value.

Previously, when Demisto was, there was a community edition; we could use it, reinstall it, and customize it. Since Palo Alto took over, it has become more financially oriented. It's business, but they could offer a pro model and a lighter model for different needs. 

For example, creating a pro model alongside a lighter model could be beneficial, like FortiSOAR or others providing a lighter model that focuses on the automation segment, where you could integrate maybe five or ten playbooks and integrations for day-to-day operations. This would make it more accessible to everyone.

Currently, Cortex XSOAR operates on a larger scale, which may not be necessary for all. If there's a minimum budget of around 50k or 80k for SOAR, having a scaled-down version of Cortex XSOAR would be advantageous. This would allow integration with current business operations at a minimal cost, saving money while still leveraging the capabilities of Cortex XSOAR.

And if there's a need to scale up later, moving to a pro model could be an option. That's something that's missing on the business side but could greatly aid incident response, as we're all trying to secure organizations from threats. Having such an option would make it a more socially viable cost and still provide widespread use.

In future releases, I would like to see more differential models could be implemented, instead of having a one-size-fits-all approach.

It is a stable solution.

It is a scalable solution. The best part was the working model when it transitioned from Demisto to Palo Alto Networks. Demisto had around 220 plus integrations when they launched. That was back in 2018 before it was acquired by Palo Alto Networks. But automation can be increased.

The customer service and support are very good. Palo Alto has scaled well. 

Positive

We've worked with Cortex XSOAR. We haven't worked with other SOAR solutions much.

From my experience, Cortex XSOAR is a leading product in the market.  While I haven't worked with competing products like Phantom to offer a comparative analysis, it's standing against Microsoft's Azure Sentinel SOAR solution. 

Cortex XSOAR is indeed a market leader. It may come at a higher price point, but it supports a vast technology ecosystem and offers a comprehensive suite of features, such as inbuilt ITSM management, a war room, an advisory system, threat intelligence connections, and a lot of integrations. The communication capabilities are exceptional. When it comes to top-tier products like Cortex XSOAR, we're paying for premium quality.

You have to spend a dedicated core engineer and a lead team to tune and tweak it. But once you do that, it all runs automatically. You will save money on a lot of analysts or multiple analysis jobs because a lot of automation will be done for savings, especially since it's all based on machine learning now. 

At the end of the day, I cannot remove or unplug the analysts, but I can reduce the number. If I have 20 people managing and monitoring an endpoint solution or a SIEM solution for one organization, I can reduce it to at least one-fourth, and you will save a lot of money.

The pricing is fair. The pricing reflects the value and feature set it offers. 

For example, with the purchase of a license, a dedicated success team, professional support, and integration assistance are part of the package. 

People pay for the right value, but the organization has to leverage it fully. If they don’t, it can be problematic. They might end up wasting money on something they don’t need. 

When a client wants to economize on licenses—preferring development and technology investment over licensing fees—the Elastic SIEM tool is a zero-cost option we haven't fully explored yet, either as a company or personally.

Technologies like QRadar and cloud-based projects such as QRock are in the market. 

Splunk is certainly costly, but it offers strong technology and cloud infrastructure. Sentinel is cloud-exclusive and a bit expensive but advanced. There's a trade-off. 

However, if a customer has a limited budget for licenses but can afford operational expenses, we need to investigate Elastic, which operates like any data lake, offering quick searches and high data storage capacity depending on the computing power. One could manage hundreds of GB per hour, running analytics effectively. 

Nonetheless, clients must invest in building their security technologies and partnerships, which is resource-heavy SIEM. Elastic is expanding its offerings, but it still leads to a platform-based model that many opt for due to its cost-effectiveness. So, I have evaluated all these SIEM solutions. 

My company is involved with SOAR, but not to a great extent. Post-COVID, there are not many people who show interest in SOAR solutions and many customers are now reluctant to allocate budgets for this. 

Open-source alternatives are gaining traction, which is why we're considering developing capabilities in that area. With Microsoft's Sentinel, we see a unique case where its SOAR capabilities are more cost-effective. Hence, it has seen some adoption. 

However, my direct experience with a comprehensive SOAR solution is with Cortex XSOAR, which is a product of Palo Alto Networks—previously known as Demisto.

Overall, I would rate the solution a nine out of ten. The platform is constantly evolving, offering freeware and community editions. You can clearly go for it. The advice is to opt for it and use it to the max.

It is a security orchestration and automation tool.

It basically lets us automate and orchestrate tasks across all your security tools. Imagine integrating our vulnerability management tool with XSOAR. For example, we get a ServiceNow ticket requesting a scan for a specific server before it goes live. XSOAR can trigger that scan automatically, streamlining the entire process. That's the power of XSOAR—automating repetitive tasks and freeing up your security team for more strategic work.

The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details.

It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation. 

There is room for improvement in support. The response time could be faster.

We have been using it for two years now. It's cloud-based and hosted by Palo Alto.

It's stable. The features and functionalities work as intended mostly. It's a good, reliable product.

We have six users actively using XSOAR. XSOAR is specifically for security teams, it is not for everyone to use.

The customer service and support are okay, not the best, not the worst. Their initial response time is quite long, and even after you get back to them, it takes them a while to provide troubleshooting steps and follow through.

Negative

We actually did run a couple of POCs for other products. My company switched to XSOAR because it's a very stable product, and its integration capabilities with most security tools are fantastic. 

If it wasn't available, we'd have to manually develop integrations for each tool, which would be incredibly time-consuming. So, that's the main reason we went with XSOAR.

For cloud deployments, it's a breeze. No installation is needed; just access the provided link and start working. 

But for on-prem, it's a different story. You need to install multiple components and provision servers and integrate them with Palo Alto's platform according to documentation. It's a lengthy process, not overly complex, but due to the tool's architecture, it's unavoidable for on-prem installations. Cloud-based is definitely the easier option.

On-premise installation is complex and time-consuming, with multiple servers and integrations to manage. So, on-premise installation is a hassle.

It's expensive, but the value it offers makes it worthwhile.

It's a very stable product, definitely worth the investment. You won't regret your spending.

Overall, I would rate the solution a nine out of ten. The only reason it loses a point is the support team. Their performance hasn't reached the same level as other Palo Alto offerings.

The client never had any XSOAR automation before, and they never had a CRM implemented with them, either. So we provided both CRM and complemented with XSOAR.

So it's a totally new experience, and we have already developed three playbooks. To move further, we have to wait for the next few months before we agree on any automation response.

The repository of playbooks and the integration between Palo Alto and IBM QRadar are some useful features. It is followed by a lot of people simply needing to reference it. So, it is very easy to use for people facing chat problems.

I would like to have a better visualization of the command center. In command and samples, the sample has a product called the command center.

I want the scalability of the product to be improved.

I have been using Palo Alto Networks Cortex XSOAR for three months. My company is a service provider for Palo Alto Networks.

It is a stable solution. I rate the stability an eight out of ten.

It is not a very scalable solution. Because of the implementation that we have within the device as it is metered by the number of even EPS that we are able to accept. At present, twelve users are using the solution as we are a government enterprise.

I rate the scalability a six out of ten.

The initial setup is a bit complex because we have to log in to the virtual machine, which is a bit of a negative process. It takes around three weeks to be deployed. On a scale of one to ten, where one is difficult, and ten is easy, I rate the initial setup a six. The solution got deployed on the cloud and on-premises.

The pricing is on the high side. It's pricey and expensive. On a scale of one to ten, where one is a low price, and ten is a high price, I rate the pricing a nine.

I recommend the solution but ensure it fits your requirements.

I rate the overall solution a nine out of ten.

Cortex XSOAR is our desktop endpoint security standard. We deploy it on the desktops, monitor the events, and ensure the endpoints stay clean and inoculated. The client is a retail company with salespeople on the floor and roving notebooks that employees bring with them to various locations. We needed a solution that allows us to protect those endpoints no matter where they are. We deployed them through Active Directory using a group policy system. 

Customers don't always have endpoints that are part of their Active Directory, but we chose to use ADGPO to ensure any user logging into our domain(s) had the product installed. There are about 600 users spread out across three locations and six dealerships.

Well since we have deployed Cortex, we have not had any serious malware concerns. I believe Cortex or Traps as it were has helped immensely in keeping our end-user community safe.

That said, cortex has not been without its headaches. For one thing, recently it stopped updating clients and wouldn't allow new installations due to a MS patch that needed to be deployed. It wasn't obvious to me what was occurring as there were zero logs indicating the reason for the failures. We started having desktops falling out of compliance faster and I had to do a bit of digging to find out what was causing it. 

Another dig I have is in the Cortex Dashboard, there are a large numbers of machines that don't show associated usernames. This keeps growing over time. I still been able to determine the cause of this. I have some ideas its due to the way Palo Alto Networks determines who a user is. They look at AD authentication logs and associate the IP address of the user as he joins the network. Then this IP stays associated with that user for about 45 minutes after the user leaves his desktop. So the desktop becomes orphaned when the IP is no longer applicable. 

So in summary, the product has stood up to its core-capabilities, but is lacking in useable actionable logs.

I chose Cortex XSOAR because we use Palo Alto firewalls. My plan was to consolidate our log data from the Palo Alto firewalls and Cortex into a single pane of glass. However, this has not been the experience. The log data from the firewalls never correlates with the log data from Cortex. We still have seperate streams of information to examine. I have not found an easy way to get this to work. But I'm sure there is one.

I want to make note that it seems like Palo Alto Networks is moving to a full A La-cart licensing model where just about every feature in the product has a separate key and license to purchase/maintain and monitor. I have had firewalls bricked because it became cost prohibitive to license them. Once licenses expire, the firewall virtually stops operating as anything more than a router.

With Cortex specifically, it's the poor platform based logging. I can generate logs for individual users, but there is little platform data available from either the client or the Dashboard.

Also, having to maintain GP and Cortex on the same machines makes life more complicated as there are two seperate controls that need to be managed, licensed and monitored. I would like to see a day when GP and Cortex are one and the same with feature switches to enable/disable functionality

We've been using Cortex XSOAR for over 4 years now

Cortex XSOAR is stable as long as it and your end-users computers stay updated. If your population falls behind on certain critical MS updates, your Cortex may stop working!

I believe Cortex is scalable but only to a point. I couldn't see attempting to manage 1000+ users on it. Too many headaches to have to deal with that large a deployment. 

Palo Alto support is horrible and getting worse! What happened to the day I could speak to a real human at Palo Alto Networks that actually understood what I was asking? What happened to the concept of SLA's where priority 1 tickets were addressed within hours? I have gotten to the point where I dread even picking up the phone or opening a support ticket with Palo Alto Networks. 

Maybe they got too big, or maybe they want to be more like Checkpoint in their licensing. Not sure, but please be capable of solving most of your own problems if you incorporate these guys into your solution. 

Spoken from a once true fan of Palo Alto Networks... :( 

Negative

Previously, the clients depended on Malware defense programs like Trend Micro and Norton AV. But these products lack the Endpoint protections needed to adequately protect a user from himself.

Deploying Cortex XSOAR is straightforward if you have experience with this kind of solution. The deployment is about the same as any of its competitors. Cortex isn't any easier or harder to deploy than the other products.

In house. 

Well its hard to put a price on protecting a networks data. The ROI is, we still have our data lol. Still, all employee based organizations need to be implementing an EndPoint Protection control. But budget conscious organizations very definitely should do their homework before commiting. Its not easy to change your mind.

Be aware that licensing can become challenging. Also, there are other products out there such as CrowdStrike, Fortinet and Cisco, that have stronger reputations in EndPoint protection. But they are also point solutions that lack the integration and feature set to become a full operational security endpoint suite of tools. 

I was a former Palo Alto Networks employee (4+) years. So my natural inclination was to choose a product I knew about from my background working for Palo Alto Networks.

I still rate Palo Alto Networks Cortex XSOAR seven out of 10. Since we installed it, we've never had a significant infection. However, beware of new pricing models and ways that Palo Alto will stack licensing up until a solution can become quite expensive to maintain. 

Do your homework!

In my company, it is not me but my team that is involved with Palo Alto Networks Cortex XSOAR. The tool is majorly useful for incident response and automation purposes.

Owing to the features of Palo Alto Networks Cortex XSOAR, my team that operates within our company likes it.

Palo Alto Networks Cortex XSOAR lacks to offer SIEM functionalities currently. From an improvement perspective, I would like to see Palo Alto Networks Cortex XSOAR offer SIEM functionalities.

In the future, I would like to see more automation functionalities.

I have been using Palo Alto Networks Cortex XSOAR for nearly two months.

Stability-wise, I rate the solution a nine out of ten. My team knows about the stability of Palo Alto Networks Cortex XSOAR, and to date, I haven't heard anything bad about the product.

It is a scalable solution.

Palo Alto Networks Cortex XSOAR is a tool that is used only by me and my team in our company. The tool is mainly used by only two people in my company.

Palo Alto Networks Cortex XSOAR's partner, with whom my company deals, helps us whenever needed.

My company did not make any payments towards the licensing costs attached to the product since we were only using its pilot version.

I recommend the solution to those who plan to use it.

I rate the overall product a nine out of ten.

The platform’s setup procedures could be streamlined compared to Sentinel, which has a much easier setup regarding Single Sign-On and policy management.

I haven’t seen any lag in terms of platform scalability. It scales to cover all the endpoints. Although, sometimes there are latencies for Panorama. It could be because there are a lot of legacy systems.

The platform’s technical support team has been helping us from the beginning. At present, we are building a new setup team. They help us with that as well. They are always prompt and pretty fast. Sometimes, we get answers to our queries when we are not officially enrolled in technical support.

Positive

The platform’s setup process is conducted on a virtual machine. The complexity depends on the expertise.

Palo Alto offers significant discounts to customers who purchase the products repeatedly. For example, if they charged 160,000 last year, they might charge 60,000 less this year.

The platform is integrated with Panorama in the Palo Alto ecosystem. It provides the advantage of pulling data and logs from legacy systems better than Sentinel. In comparison, Sentinel primarily pulls data from Defender and Azure Active Directory and doesn’t provide visibility.

The platform uses Python for automation scripts, which is helpful due to Python's extensive data science libraries. At the same time, Sentinel utilizes different languages and Microsoft Visual Basic scripts. It is library friendly.

The Palo Alto ecosystem has a marketplace offering integration with Sentinel or other products. It is useful.

They are bringing a new XDR product. It would have a lot of machine learning and artificial intelligence, data deduplication, and transformation features, which is great for threat detection procedures. It is a sandbox model with features for building playbooks and scripts.

I advise others to visit the website called Palo Alto Beacon. You can access a lot of free training, including example scenarios. You can experiment with different types of use cases. I even advise using Panorama with Palo Alto appliances, especially in the case of a lot of legacy systems like Windows 7 and unique servers like Solaris.

I rate it an eight out of ten.

Cortex is an automation tool, which I have used to make manual processes flow in an automated way. We need to create flows to automate the manual processes.

Cortex orchestration, which I have used to make process automations. That is the Cortex Automation.

I liked the flow creation and the way it handled orchestration from a development point of view. However, my opinion has changed a bit since using ServiceNow, which is more flexible compared to Cortex. In order to create the pro-designer and process automation. 

It was mainly used for automation. For example, a telecom company needed to handle multiple network devices like Cisco devices. They had to check compliance, functionalities, and expiry dates manually. We automated those technical operations.

First of all, it's not very user-friendly. It's quite lagging and not very fast. I believe it's developed in C#, which makes it a bit slow. 

There are many hidden structures, so sometimes the flow gets stuck. We have communicated with Cortex community, and they are still working on these issues. System slowness and performance are the main concerns.

I used it for one year. 

I would rate it a six out of ten, with one being low and ten being high because I have only about one and a half years of experience with Cortex. So, I would rate it a six due to its slowness and complexity.

There were around 20 end users. 

They sometimes delay in providing answers and often don't give proper answers.

Neutral

Recently, I moved to the ServiceNow platform.

To create processes and automate them, ServiceNow offers more flexibility.

Cortex is a single point for automation. For end-to-end deployment, it involves front-end and back-end technologies. We have implemented Logix in Cortex to communicate with network devices. So, we haven't faced any issues during deployment, but after deployment, the slowness of Cortex application or system becomes apparent.

Deployment model:

It's deployed on-premises because I worked for an IT company. They had a relationship with Cortex, and we provided automation services to a telecom client using Cortex.

Integration:

It was easy to integrate Cortex with existing infrastructure and other tech tools. We have done integrations with Amdocs products for the telecom industry using MuleSoft, webMethods, and REST APIs, so it definitely supports these.

It's cheaper. For example, if UiPath costs ten dollars, Cortex might be around three to four dollars. But I'm not part of the pricing team, so this is just my opinion.

It's not difficult for a beginner to learn to use Cortex. I started as a beginner, and it was manageable. It just depends on the learner's interest.

I would rate it a seven out of ten. However, compared to other automation tools, Cortex is not the best, according to current market trends.

I suggest looking at alternatives like UiPath and Automation Anywhere. I don't have experience with them, but they are trending in the market. 

Currently, ServiceNow is also popular for automation purposes.

We use the solution to automate our SIEM tools and incidents.

The solution's correlation rules and playbooks should be improved.

I have been using Palo Alto Networks Cortex XSOAR for six to seven months.

I rate the solution seven and a half out of ten for stability.

More than 100 users are using the solution in our organization.

I rate the solution a six out of ten for the scalability of its on-premises version.

I also use the ArcSight solution.

The solution can be deployed within a few minutes.

We are using the latest version of Palo Alto Networks Cortex XSOAR. The solution's on-premises version is not scalable. Around five people are involved with the solution’s maintenance.

Overall, I rate the solution an eight out of ten.