Donald Keeber - PeerSpot reviewer
President at Margate Net
Real User
Top 20
Got what I needed, but not what I wanted
Pros and Cons
  • "I chose Cortex XSOAR because the client also has Palo Alto firewalls. I can incorporate the data from the Palo Alto firewalls into Cortex and send it into the same data lake to manipulate that data. It lets me manage and monitor the data in one place."
  • "I would like to see Cortex become less dependent on Active Directory and group policies to manage the deployment. Maybe I need to update my understanding of how to deploy it, but that's the way I know how to use it."

What is our primary use case?

Cortex XSOAR is our desktop endpoint security standard. We deploy it on the desktops, monitor the events, and ensure the endpoints stay clean and inoculated. The client is a retail company with salespeople on the floor and roving notebooks that employees bring with them to various locations. We needed a solution that allows us to protect those endpoints no matter where they are. We deployed them through Active Directory using a group policy system. 

Customers don't always have endpoints that are part of their Active Directory, but we chose to use ADGPO to ensure any user logging into our domain(s) had the product installed. There are about 600 users spread out across three locations and six dealerships.

How has it helped my organization?

Well, since we have deployed Cortex, we have not had any serious malware concerns. I believe Cortex, or Traps as it were, has helped immensely in keeping our end-user community safe.

That said, Cortex has not been without its headaches. For one thing, recently it stopped updating clients and wouldn't allow new installations due to an MS patch that needed to be deployed. It wasn't obvious to me what was occurring as there were zero logs indicating the reason for the failures. We started having desktops falling out of compliance faster and I had to do a bit of digging to find out what was causing it.

Another dig I have is in the Cortex Dashboard: there are a large number of machines that don't show associated usernames. This keeps growing over time. I still haven't been able to determine the cause of this. I have some ideas it's due to the way Palo Alto Networks determines who a user is. They look at AD authentication logs and associate the IP address of the user as he joins the network. Then this IP stays associated with that user for about 45 minutes after the user leaves his desktop. So the desktop becomes orphaned when the IP is no longer applicable.

So in summary, the product has stood up to its core capabilities, but is lacking in usable, actionable logs.

What is most valuable?

I chose Cortex XSOAR because we use Palo Alto firewalls. My plan was to consolidate our log data from the Palo Alto firewalls and Cortex into a single pane of glass. However, this has not been the experience. The log data from the firewalls never correlates with the log data from Cortex. We still have separate streams of information to examine. I have not found an easy way to get this to work. But I'm sure there is one.

What needs improvement?

I want to make note that it seems like Palo Alto Networks is moving to a full à la carte licensing model where just about every feature in the product has a separate key and license to purchase/maintain and monitor. I have had firewalls bricked because it became cost-prohibitive to license them. Once licenses expire, the firewall virtually stops operating as anything more than a router.

With Cortex specifically, it's the poor platform-based logging. I can generate logs for individual users, but there is little platform data available from either the client or the Dashboard.

Also, having to maintain GP and Cortex on the same machines makes life more complicated as there are two separate controls that need to be managed, licensed and monitored. I would like to see a day when GP and Cortex are one and the same with feature switches to enable/disable functionality.


Buyer's Guide
Palo Alto Networks Cortex XSOAR
May 2025
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
856,873 professionals have used our research since 2012.

For how long have I used the solution?

We've been using Cortex XSOAR for over 4 years now.

What do I think about the stability of the solution?

Cortex XSOAR is stable as long as it and your end users' computers stay updated. If your population falls behind on certain critical MS updates, your Cortex may stop working!

What do I think about the scalability of the solution?

I believe Cortex is scalable but only to a point. I couldn't see attempting to manage 1000+ users on it. Too many headaches to have to deal with that large a deployment. 

How are customer service and support?

Palo Alto support is horrible and getting worse! What happened to the day I could speak to a real human at Palo Alto Networks that actually understood what I was asking? What happened to the concept of SLAs where priority 1 tickets were addressed within hours? I have gotten to the point where I dread even picking up the phone or opening a support ticket with Palo Alto Networks.

Maybe they got too big, or maybe they want to be more like Checkpoint in their licensing. Not sure, but please be capable of solving most of your own problems if you incorporate these guys into your solution. 

Spoken from a once true fan of Palo Alto Networks... :( 

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

Previously, the clients depended on Malware defense programs like Trend Micro and Norton AV. But these products lack the Endpoint protections needed to adequately protect a user from himself.

How was the initial setup?

Deploying Cortex XSOAR is straightforward if you have experience with this kind of solution. The deployment is about the same as any of its competitors. Cortex isn't any easier or harder to deploy than the other products.

What about the implementation team?

In house. 

What was our ROI?

Well, it's hard to put a price on protecting a network's data. The ROI is, we still have our data lol. Still, all employee-based organizations need to be implementing an EndPoint Protection control. But budget-conscious organizations very definitely should do their homework before committing. It's not easy to change your mind.

What's my experience with pricing, setup cost, and licensing?

Be aware that licensing can become challenging. Also, there are other products out there such as CrowdStrike, Fortinet and Cisco, that have stronger reputations in EndPoint protection. But they are also point solutions that lack the integration and feature set to become a full operational security endpoint suite of tools. 

Which other solutions did I evaluate?

I was a former Palo Alto Networks employee (4+ years). So my natural inclination was to choose a product I knew about from my background working for Palo Alto Networks.

What other advice do I have?

I still rate Palo Alto Networks Cortex XSOAR seven out of 10. Since we installed it, we've never had a significant infection. However, beware of new pricing models and ways that Palo Alto will stack licensing up until a solution can become quite expensive to maintain. 

Do your homework!


Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Oleksii Pavlyk - PeerSpot reviewer
Head of the direction of ensuring the security of digital systems, electronic databases and networks at Ukreximbank
Real User
Top 5 Leaderboard
A scalable tool majorly useful for the management of incident response process
Pros and Cons
  • "It is a scalable solution."
  • "Palo Alto Networks Cortex XSOAR currently lacks SIEM functionalities."

What is our primary use case?

In my company, it is not me but my team that is involved with Palo Alto Networks Cortex XSOAR. The tool is majorly useful for incident response and automation purposes.

What is most valuable?

Owing to the features of Palo Alto Networks Cortex XSOAR, my team that operates within our company likes it.

What needs improvement?

Palo Alto Networks Cortex XSOAR currently lacks SIEM functionalities. From an improvement perspective, I would like to see Palo Alto Networks Cortex XSOAR offer SIEM functionalities.

In the future, I would like to see more automation functionalities.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR for nearly two months.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a nine out of ten. My team knows about the stability of Palo Alto Networks Cortex XSOAR, and to date, I haven't heard anything bad about the product.

What do I think about the scalability of the solution?

It is a scalable solution.

Palo Alto Networks Cortex XSOAR is a tool that is used only by me and my team in our company. The tool is mainly used by only two people in my company.

How are customer service and support?

Palo Alto Networks Cortex XSOAR's partner, with whom my company deals, helps us whenever needed.

What's my experience with pricing, setup cost, and licensing?

My company did not make any payments towards the licensing costs attached to the product since we were only using its pilot version.

What other advice do I have?

I recommend the solution to those who plan to use it.

I rate the overall product a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
MSS Delivery Lead at Help AG
MSP
Top 20
A highly stable and scalable product that enables organizations to achieve SLAs faster
Pros and Cons
  • "The product’s stability is good."
  • "The tool’s multi-tenancy feature must be improved."

What is our primary use case?

We have a lot of playbooks. It makes our SOC operations easy.

How has it helped my organization?

Our response has become very fast. We are able to achieve SLAs faster.

What is most valuable?

The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.

What needs improvement?

The tool’s multi-tenancy feature must be improved. The user interface must be made a little bit easier.

For how long have I used the solution?

I have been using the solution for two years. I am using the latest version of the solution.

What do I think about the stability of the solution?

I rate the tool’s stability a ten out of ten.

What do I think about the scalability of the solution?

The tool is highly scalable. I rate the scalability an eight out of ten. There are ten users in our organization. The solution is used 24/7. We have a plan to increase the usage.

How are customer service and support?

We had some issues with the professional services. The team should not waste time and close the projects quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

I rate the ease of setup an eight out of ten. The initial setup was straightforward. There were issues during integration. We found a lot of challenges in it. It should be improved. The deployment took around two weeks. Developing the playbooks took a long time. It could take a month or more.

We deployed two main servers in the primary and secondary locations. We started the integration with a couple of technologies. During the third phase, we started working with the playbook development. After that, we started with the notifications and email templates. Finally, we did the test phase. We needed only one person for deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

The solution is expensive. I rate the pricing a nine out of ten. There are no additional costs associated with the product. The license renewal cost increased this year.

Which other solutions did I evaluate?

We reviewed other solutions, but we did not choose them. We chose XSOAR because it is the market leader. Some friends who used the solution recommended it. We also considered the Gartner report.

What other advice do I have?

The product is perfectly suitable for enterprise customers. We can achieve whatever playbooks we want to deploy. The stability is really good. We need the right professional services person who can finish the project on time. Overall, I rate the tool a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Iskandar Iskak - PeerSpot reviewer
Director Sales for Education Market at Telekom Malaysia
Real User
A solution used for security automation that provides a good repository of playbooks
Pros and Cons
  • "The repository of playbooks and the integration between Palo Alto and IBM QRadar are some useful features"
  • "It is not a very scalable solution."

What is our primary use case?

The client never had any XSOAR automation before, and they never had a CRM implemented with them, either. So we provided both CRM and complemented with XSOAR.

So it's a totally new experience, and we have already developed three playbooks. To move further, we have to wait for the next few months before we agree on any automation response.


What is most valuable?

The repository of playbooks and the integration between Palo Alto and IBM QRadar are some useful features. It is followed by a lot of people simply needing to reference it. So, it is very easy to use for people facing chat problems.

What needs improvement?

I would like to have a better visualization of the command center. In command and samples, the sample has a product called the command center.

I want the scalability of the product to be improved.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR for three months. My company is a service provider for Palo Alto Networks.


What do I think about the stability of the solution?

It is a stable solution. I rate the stability an eight out of ten.

What do I think about the scalability of the solution?

It is not a very scalable solution. Because of the implementation that we have within the device as it is metered by the number of even EPS that we are able to accept. At present, twelve users are using the solution as we are a government enterprise.

I rate the scalability a six out of ten.


How was the initial setup?

The initial setup is a bit complex because we have to log in to the virtual machine, which is a bit of a negative process. It takes around three weeks to be deployed. On a scale of one to ten, where one is difficult, and ten is easy, I rate the initial setup a six. The solution got deployed on the cloud and on-premises.


What's my experience with pricing, setup cost, and licensing?

The pricing is on the high side. It's pricey and expensive. On a scale of one to ten, where one is a low price, and ten is a high price, I rate the pricing a nine.


What other advice do I have?

I recommend the solution but ensure it fits your requirements.

I rate the overall solution a nine out of ten.


Disclosure: My company has a business relationship with this vendor other than being a customer: msp
PeerSpot user
reviewer1714731 - PeerSpot reviewer
Cybersecurity Cyber Crime Infrastructure Engineer & Investigator at a government with 5,001-10,000 employees
Real User
Enables the investigators to go through the review process a lot quicker
Pros and Cons
  • "Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker."
  • "In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening."

What is our primary use case?

We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance and be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part.

Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.

Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.

How has it helped my organization?

Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker.

When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.

Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.

The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.

What needs improvement?

In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening.

From an analyst perspective, it's not that hard to use. From a developer, it takes a little while in order to get to understand exactly how one would go about creating a playbook. The automation part is not that hard. It's relatively easy. It's just creating the flowchart.

For how long have I used the solution?

I have been using this solution for one and a half to two years. 

What do I think about the stability of the solution?

I have not had an issue with stability yet. 

What do I think about the scalability of the solution?

It is scalable. If I noticed that there wasn't any impact in performance, then I'd simply launch another instance and then cluster them together in order to provide shared resources between the two in a cluster. If a particular integration is misbehaving because there aren't sufficient resources on the one instance that we currently have, then I can detach that instance or that integration from the instance into its own VM. That way it has enough resources on another VM in order to actually run that integration.

There are 15 investigators using this solution. 

In terms of increasing usage, we're looking at bringing in our audit vulnerability and assessment team and having them do their vulnerability assessments from within the platform. I'm going to have to reach out to them to get them to start looking at the vulnerability layout, the incident type, the playbook, and the Nessus connectors in order to be able to have them perform that through XSOAR and then follow up through XSOAR with regards to remediation.

How are customer service and support?

Anytime I have any issues, I'll open up a TAC ticket and then they'll contact a customer support engineer and they'll hand it over to him.

From the aspect of the actual people that work in the technical support area, I would rate them an eight out of ten. I would rate it higher just for the technical aspect. 

Which solution did I use previously and why did I switch?

We're taking what we have inside of our incident management system and building it into XSOAR. The way case management works now is completely different from the default case management system that is currently in XSOAR.

They wanted to free up the guy that was actually doing all of the work. For some reason, we decided we didn't want it in-house. As far as our in-house solution, it was built on ColdFusion and ColdFusion had a number of vulnerabilities that were identified in the last 15 years. They wanted to move away from that. In order to be able to move away from that, we had to find a solution that would allow us the customizability in order to be able to mimic what we already have.

How was the initial setup?

The initial setup was straightforward. I had assistance with the pre-sales support engineer and the pre-sale support architect. Both helped me to get it set up. As far as our proof of concept, I had to prove that it was customizable enough in order to have it mimic what we already use because we already had a homegrown internal incident management system that we've been using for 15 years.

The initial setup took 90 days. As far as the proof of concept and to set up the first playbook, we ran into some issues where Palo Alto said that the EWS integration worked with on-prem and that we could actually do expungements in an automated fashion. It turned out not to be the case. That took approximately four and a half months to determine that it was not going to function the way it was stated that it would function within the EWS integration. I was hoping to have it done within six months, but it actually took a little over a year to get everything done and into production because of the couple of hiccups that we had with EWS.

I had to reach out to Microsoft and talk to their developers with regards to EWS on-prem and then contact the developers inside of Palo Alto which at first didn't want to talk to me, but I finally got them to talk to me, and then I got them to talk to each other and then came to find out that it doesn't really work.

That took four and a half months of trying to negotiate the communications between Microsoft and Palo Alto. Finally, I had to bypass the expungement enforcement action because there's no way we could do it with our on-prem devices. As far as that's concerned, that's a manual process. We have to send an email out to our Exchange team in order to get the expungement done.

What was our ROI?

We have seen ROI in the time spent on the investigations.

What's my experience with pricing, setup cost, and licensing?

The pricing model could be better. When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000.

My boss thinks that it was a competitive price though compared to other solutions. My thoughts are we could have done a lot better with the price.

Which other solutions did I evaluate?

We evaluated Phantom, Siemplify, SOC 3D, Swimlane, and a plethora of other solutions.

Demisto led the field. At the time I was looking at it, it was Demisto. Palo Alto had not purchased it. When I started this endeavor, it was six years ago when Demisto was its own company, when Phantom was its own company, SOC 3D was still a company out of Israel, Siemplify was still a company out of Israel, but it was actually starting to set up its US operations. There were a number of other ones. Resilient was another one that I was looking at before they were picked up by IBM.

A lot of these didn't have what I needed, which was the ability to customize and the ability to integrate with a lot of vendors that we already have in-house. The two that came to the very top were Phantom and Demisto, and my final decision was to actually go with Demisto because Phantom was acquired by Splunk and I hate Splunk.

I was ready to buy, but my management was dragging its feet and they didn't want to loosen up the purse strings in order to make the purchase. But as soon as Palo Alto picked them up, then they were okay with it.

What other advice do I have?

I would rate Palo Alto a nine out of ten. 

My advice would be to do the same type of research I did to ensure that it's the appropriate fit for your use case. If it's an organization that has an already existing incident management system, make sure that you can customize it so you can reduce the learning curve for your investigators in order to be able to transition from your old IMS over to the new IMS, which would be XSOAR.

That's the reason why I took so much time in order to ensure that the customization was there in order to allow me to mimic what we already had in IMS and transition that over to XSOAR. That way, the investigators had a lot less of a learning curve. The only learning curve they had was, "Here's the investigation tab. There's all the data that you need in order to make your verdict. Make your verdict." But as far as writing all the reports, call-down lists, and all that other stuff, that's all part of our original process that I transitioned over to XSOAR.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Waheb Samaraie - PeerSpot reviewer
Network Engineer at Kamps Propane
Real User
Top 20
Helps to enhance cybersecurity but needs improvement in pricing
Pros and Cons
  • "From the security team's standpoint, the solution has improved our organization's overall cybersecurity."
  • "The price of the solution could be improved."

How has it helped my organization?

From the security team's standpoint, the solution has improved our organization's overall cybersecurity.

What needs improvement?

The price of the solution could be improved.

For how long have I used the solution?

I have been using the solution for the past three and a half years.

What do I think about the stability of the solution?

I rate the stability of the tool as a ten out of ten.

What do I think about the scalability of the solution?

I rate the scalability of the solution as an eight out of ten.

How are customer service and support?

We haven’t used technical support yet.

How was the initial setup?

The initial setup was not complex. 

What other advice do I have?

Overall, I would rate the product as an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Nethra Sk - PeerSpot reviewer
Head of Security Monitoring and Control at Alstom Ferroviaria S.p.A.
Real User
Great customization and integration with Microsoft infrastructure, but its performance and customization could be better
Pros and Cons
  • "Its agility and scalability are valuable."
  • "The formats are not compatible, are readily not available, and are not readable."

What is our primary use case?

Our primary use case for the solution is customization and integration with Microsoft infrastructure.

What is most valuable?

Its agility and scalability are valuable.

What needs improvement?

Customization and performance can be improved. For example, some formats were incompatible when integrating, and they said we needed to work with the vendor to fix this issue because some logs that AVA logs were not compatible, and it did not readily recognize the format. Most of the time, I heard this as feedback. The formats are not compatible, are readily not available, and are not readable. Then we had to work it and write it manually.

For how long have I used the solution?

We have been using the solution for over five years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. Internally, there are around ten to 12 people who use it. However, I am unsure of the exact number of external users.

What's my experience with pricing, setup cost, and licensing?

The solution is priced reasonably.

What other advice do I have?

I rate the solution a seven out of ten. The solution is good, but its performance and customization can be improved. I advise new users to understand their use cases. For example, suppose somebody is starting with highly customizable options and wants more agility to go to a micro level. In that case, I will still recommend people start with XSOAR, understand the environment, and then go to Sentinel. But it could also be done differently. It depends on the company's objective, so if you look at it as we started with Cortex a couple of years before. And now, looking forward and at compelling factors, we are moving to Microsoft. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sara Qafa - PeerSpot reviewer
Systems Engineer at Exclusive Networks
Reseller
Top 10
Helps understand user behavior, automates security tasks, and enables threat hunting
Pros and Cons
  • "The product can automate security tasks."
  • "The solution is complicated to learn."

What is our primary use case?

The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.

What is most valuable?

The solution has a lot of information, like playbooks and incidents. It goes really deep. The vendor provides training, knowledge bases, workshops, and webinars. The product can automate security tasks. Playbooks are the most beneficial feature. We can create a playbook. We can get visibility on incidents.

We can also analyze user behavior and understand whether it is a true positive or a false positive. We have so many false positives these days in security, so it's nice when we can put things in the block list. We can perform investigations. The product can be integrated with third-party tools.

What needs improvement?

The solution is complicated to learn. Customers find it difficult to learn how the solution works. We need professionals to learn and understand how the tool works to expand it further. Our customers want to see more use cases. They want to have more facilitations and more visibility on how it works. We need more skilled people inside and outside the team to understand how it works. It’s difficult to find skilled people to understand how the tool works.

What do I think about the scalability of the solution?

The solution is suitable for enterprise businesses.

How are customer service and support?

We can send an email to the online support portal. We can contact Palo Alto engineers immediately and open a ticket. The engineers will take care of the issue depending on the severity level of the ticket.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is really easy. We just have to order it. When we have the tool, someone from Palo Alto will provide us with the account information. After that, we must set up the users, customers, and resellers. We can do onboarding immediately. The deployment takes one or two days.

What's my experience with pricing, setup cost, and licensing?

Whether the product is cheap or expensive depends on the company and how much they are willing to spend on security. Nowadays, security is important. The solution is not suitable for small businesses. It is better suited for medium and enterprise businesses because it starts with 200 endpoints.

Which other solutions did I evaluate?

SentinelOne is an endpoint protection tool. However, Palo Alto gives us more security features.

What other advice do I have?

I work with a distributor. I recommend the product to my customers. I'm really satisfied with the tool. It's a very nice tool. It can work and give us what we need. We just need to be patient and learn how it works. The incidents can be handled very easily. Overall, I rate the product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user