We primarily use the solution for network inspection.
Senior Information Technology Support Engineer at TSCNET Services GmbH
Easy to install, able to expand, and reliable
Pros and Cons
- "It’s easy to install."
- "The installation is very easy to set up; it’s not overly complex or difficult, and the deployment took less than a week as we had it up and running within a couple of days."
- "The integration could be better. Cortex, for example, does not work with iPhone."
What is our primary use case?
What is most valuable?
The solution works well.
It’s easy to install.
It’s stable.
The solution can scale as needed.
What needs improvement?
The stability could be better.
The integration could be better. Cortex, for example, does not work with iPhone.
For how long have I used the solution?
I’ve been using the solution for less than one year.
Buyer's Guide
Palo Alto Networks Cortex XSOAR
June 2026
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,644 professionals have used our research since 2012.
What do I think about the stability of the solution?
Right now, it’s been stable for us. We may consider something from Microsoft in the future. It’s possible it could be more stable.
What do I think about the scalability of the solution?
The solution is quite scalable. If a company needs to expand it, it can do so.
How are customer service and support?
At the moment, we don’t actually get support from Palo Alto as we’ve never needed any help. I can’t say how helpful or responsive they would be.
Which solution did I use previously and why did I switch?
We’ve also worked with CrowdStrike. We switched as we weren’t happy with their detection capabilities.
How was the initial setup?
The installation is very easy to set up. It’s not overly complex or difficult.
The deployment took less than a week. I recall we had it up and running within a couple of days.
What about the implementation team?
In our case, we went to a consultant for installation assistance. However, a company might likely be able to handle it on its own.
What's my experience with pricing, setup cost, and licensing?
I can’t speak to the exact cost of the solution.
What other advice do I have?
This is a SaaS product.
I’d rate the solution nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Cyber Crime Infrastructure Engineer & Investigator at a government with 5,001-10,000 employees
Enables the investigators to go through the review process a lot quicker
Pros and Cons
- "Palo Alto has given the investigators more presence to actually go into the report because, since the platform emails the investigator that it's been assigned to, the investigators will now jump in there and start going through the review process a lot quicker."
- "Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse."
- "In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening."
What is our primary use case?
We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance and be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part.
Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.
Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.
How has it helped my organization?
Palo Alto has given the investigators more presence to actually go into the report because, since the platform emails the investigator that it's been assigned to, the investigators will now jump in there and start going through the review process a lot quicker.
When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.
Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.
The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.
What needs improvement?
In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening.
From an analyst perspective, it's not that hard to use. From a developer, it takes a little while in order to get to understand exactly how one would go about creating a playbook. The automation part is not that hard. It's relatively easy. It's just creating the flowchart.
For how long have I used the solution?
I have been using this solution for one and a half to two years.
What do I think about the stability of the solution?
I have not had an issue with stability yet.
What do I think about the scalability of the solution?
It is scalable. If I noticed that there wasn't any impact in performance, then I'd simply launch another instance and then cluster them together in order to provide shared resources between the two in a cluster. If a particular integration is misbehaving because there aren't sufficient resources on the one instance that we currently have, then I can detach that instance or that integration from the instance into its own VM. That way it has enough resources on another VM in order to actually run that integration.
There are 15 investigators using this solution.
In terms of increasing usage, we're looking at bringing in our audit vulnerability and assessment team and having them do their vulnerability assessments from within the platform. I'm going to have to reach out to them to get them to start looking at the vulnerability layout, the incident type, the playbook, and the Nessus connectors in order to be able to have them perform that through XSOAR and then follow up through XSOAR with regards to remediation.
How are customer service and support?
Anytime I have any issues, I'll open up a TAC ticket and then they'll contact a customer support engineer and they'll hand it over to him.
From the aspect of the actual people that work in the technical support area, I would rate them an eight out of ten. I would rate it higher just for the technical aspect.
Which solution did I use previously and why did I switch?
We're taking what we have inside of our incident management system and building it into XSOAR. The way case management works now is completely different from the default case management system that is currently in XSOAR.
They wanted to free up the guy that was actually doing all of the work. For some reason, we decided we didn't want it in-house. As far as our in-house solution, it was built on ColdFusion, and ColdFusion had a number of vulnerabilities that were identified in the last 15 years. They wanted to move away from that. In order to be able to move away from that, we had to find a solution that would allow us the customizability in order to be able to mimic what we already have.
How was the initial setup?
The initial setup was straightforward. I had assistance with the pre-sales support engineer and the pre-sale support architect. Both helped me to get it set up. As far as our proof of concept, I had to prove that it was customizable enough in order to have it mimic what we already use because we already had a homegrown internal incident management system that we've been using for 15 years.
The initial setup took 90 days. As far as the proof of concept and to set up the first playbook, we ran into some issues where Palo Alto said that the EWS integration worked with on-prem and that we could actually do expungements in an automated fashion. It turned out not to be the case. That took approximately four and a half months to determine that it was not going to function the way it was stated that it would function within the EWS integration. I was hoping to have it done within six months, but it actually took a little over a year to get everything done and into production because of the couple of hiccups that we had with EWS.
I had to reach out to Microsoft and talk to their developers with regards to EWS on-prem and then contact the developers inside of Palo Alto which at first didn't want to talk to me, but I finally got them to talk to me, and then I got them to talk to each other and then came to find out that it doesn't really work.
That took four and a half months of trying to negotiate the communications between Microsoft and Palo Alto. Finally, I had to bypass the expungement enforcement action because there's no way we could do it with our on-prem devices. As far as that's concerned, that's a manual process. We have to send an email out to our Exchange team in order to get the expungement done.
What was our ROI?
We have seen ROI in the time spent on the investigations.
What's my experience with pricing, setup cost, and licensing?
The pricing model could be better. When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000.
My boss thinks that it was a competitive price though compared to other solutions. My thoughts are we could have done a lot better with the price.
Which other solutions did I evaluate?
We evaluated Phantom, Siemplify, SOC 3D, Swimlane, and a plethora of other solutions.
Demisto led the field. At the time I was looking at it, it was Demisto. Palo Alto had not purchased it. When I started this endeavor, it was six years ago when Demisto was its own company, when Phantom was its own company, SOC 3D was still a company out of Israel, Siemplify was still a company out of Israel, but it was actually starting to set up its US operations. There were a number of other ones. Resilient was another one that I was looking at before they were picked up by IBM.
A lot of these didn't have what I needed, which was the ability to customize and the ability to integrate with a lot of vendors that we already have in-house. The two that came to the very top were Phantom and Demisto, and my final decision was to actually go with Demisto because Phantom was acquired by Splunk and I hate Splunk.
I was ready to buy, but my management was dragging its feet and they didn't want to loosen up the purse strings in order to make the purchase. But as soon as Palo Alto picked them up, then they were okay with it.
What other advice do I have?
I would rate Palo Alto a nine out of ten.
My advice would be to do the same type of research I did to ensure that it's the appropriate fit for your use case. If it's an organization that has an already existing incident management system, make sure that you can customize it so you can reduce the learning curve for your investigators in order to be able to transition from your old IMS over to the new IMS, which would be XSOAR.
That's the reason why I took so much time in order to ensure that the customization was there in order to allow me to mimic what we already had in IMS and transition that over to XSOAR. That way, the investigators had a lot less of a learning curve. The only learning curve they had was, "Here's the investigation tab. There's all the data that you need in order to make your verdict. Make your verdict." But as far as writing all the reports, call-down lists, and all that other stuff, that's all part of our original process that I transitioned over to XSOAR.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunker, Networking and E-Mail Security Architect, Engineer and Guru at a healthcare company with 10,001+ employees
Easy to use, stable, scalable, and has responsive support
Pros and Cons
- "It has an extensive list of integrations that are available out of the box which makes it easy to start."
- "What I like about the Cortex team is that they have a dedicated select center where you can get service in minutes and that's extremely helpful."
- "I would love to see more flexibility on what we can display and design on the dashboards."
What is our primary use case?
We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.
How has it helped my organization?
It reduces manual interactions of security analysts. Before, they had to check on three or four different websites to see if something was good or bad. Now, Cortex does all of that for us.
What is most valuable?
It is very easy to use.
It has an extensive list of integrations that are available out of the box which makes it easy to start.
What needs improvement?
I would love to see more flexibility on what we can display and design on the dashboards.
For how long have I used the solution?
Palo Alto Networks Cortex XSOAR has been active for six months.
We are always on the latest version.
What do I think about the stability of the solution?
Palo Alto Networks Cortex XSOAR is pretty stable.
What do I think about the scalability of the solution?
It offers some architecture recommendations to make it really scalable if you choose.
For example, hot standby, bond standby, clustering, and breaking out components in dedicated servers. You can go wild if you want to go wild, but we wanted to keep it easy and stable.
Pretty much network security and SOC are the main users. I believe that we are licensed for 20 users.
We are definitely extensively using this solution. We are currently training many additional teams to be self-sufficient in usage. The usage will increase more and more.
How are customer service and technical support?
With Palo Alto technical support, if you get to the right people, you get an answer very quickly.
What I like about the Cortex team is that they have a dedicated select center where you can get service in minutes and that's extremely helpful.
Overall, I am satisfied with the technical support.
Which solution did I use previously and why did I switch?
We evaluated two or three other vendors.
We are a very big Palo Alto shop and we needed to have some Palo Alto features, which are implemented now in Cortex. We are pretty much guided in that direction for some of the security features we need for our firewalls.
How was the initial setup?
I would say the initial setup was really straightforward.
You need to be a little bit aware of Linux unless you buy the hosted version, then you don't need to know anything about it. If you decide you want to run it yourself, you should have some Linux skills because it's a Docker framework on Linux. Knowing a bit about that is handy.
It was up and running in half a day.
What about the implementation team?
It only requires one person to maintain this solution. I do it myself along with many other tasks. In a larger environment, you split into two teams, OS maintenance and application maintenance.
We had help from Palo Alto SE resource for the PoC, but the setup was completed on our own.
What's my experience with pricing, setup cost, and licensing?
We have a concurrent user license.
The licensing is a pretty high price for a user license per year.
The base product is very cheap, you can even get it for free, but the fee per user is expensive. It is approximately $10,000 or $20,000 per year for two user licenses.
It's a great product, although it might become very pricey if you need several user licenses.
They need to automate everything to reduce the number of user licenses needed. If it is an automated workflow, you don't need to be licensed.
If Cortex sends an email asking a user to say yes or no, you don't need a license for that user. You just need a user license if you want to improve what Cortex does in terms of workbooks, cases, and more.
Which other solutions did I evaluate?
We evaluated Splunk for six months and decided against it three to six months ago.
What other advice do I have?
Have a very good understanding of what you want to automate. Define the process and make sure the integrations you need are available out of the box.
I would also suggest starting simple. Try easy use cases first until you feel confident, before you get into more complex use cases.
I would rate Palo Alto Networks Cortex XSOAR a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Analyst at Contensis
Used to automate SIEM tools and incidents
Pros and Cons
- "We use the solution to automate our SIEM tools and incidents."
- "The solution's correlation rules and playbooks should be improved."
What is most valuable?
We use the solution to automate our SIEM tools and incidents.
What needs improvement?
The solution's correlation rules and playbooks should be improved.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for six to seven months.
What do I think about the stability of the solution?
I rate the solution seven and a half out of ten for stability.
What do I think about the scalability of the solution?
More than 100 users are using the solution in our organization.
I rate the solution a six out of ten for the scalability of its on-premises version.
Which solution did I use previously and why did I switch?
I also use the ArcSight solution.
What about the implementation team?
The solution can be deployed within a few minutes.
What other advice do I have?
We are using the latest version of Palo Alto Networks Cortex XSOAR. The solution's on-premises version is not scalable. Around five people are involved with the solution’s maintenance.
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Operations Deputy Manager at Ultramar Agencia Marítima
Helpful remote control capabilities, scalable, and simple deployment
Pros and Cons
- "The most valuable features of Palo Alto Networks Cortex XSOAR are the remote controller from the workstation that can execute commands and isolate the systems outside of the network. Only the system with an internet connection can execute the task because the main console is in the cloud."
- "Palo Alto Networks Cortex XSOAR could improve the look, feel, and management of the cloud console. Additionally, the user could be more easily integrated."
What is our primary use case?
My primary use for Palo Alto Networks Cortex XSOAR is to protect the workstation for the end-users.
What is most valuable?
The most valuable features of Palo Alto Networks Cortex XSOAR are the remote controller from the workstation that can execute commands and isolate the systems outside of the network. Only the system with an internet connection can execute the task because the main console is in the cloud.
What needs improvement?
Palo Alto Networks Cortex XSOAR could improve the look, feel, and management of the cloud console. Additionally, the user could be more easily integrated.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for two years.
What do I think about the scalability of the solution?
We have approximately 1,000 users using Palo Alto Networks Cortex XSOAR in our organization. The solution is scalable.
How was the initial setup?
We only require one or two staff to deploy the agent of Palo Alto Networks Cortex XSOAR because it is very simple. One for the server and the other for the workstation.
What's my experience with pricing, setup cost, and licensing?
The price of Palo Alto Networks Cortex XSOAR could be reduced. We are always looking for a discount. There is an annual license needed to use this solution.
What other advice do I have?
I rate Palo Alto Networks Cortex XSOAR a ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior CyberSecurity Specialist at LTIMindtree
Drastically reduces trivial tasks inside the SOC environment
Pros and Cons
- "Cortex XSOAR's most valuable features are the playbooks, custom integration, the machine-learning model, and the layout, classifier, and mapper."
- "Cortex XSOAR could be improved by reducing the time it takes to process large amounts of data and increasing the number of integrations."
What is our primary use case?
I mainly use Cortex XSOAR to automate cybersecurity and the SOC environment.
To minimize manual tasks and increase the level of automation.
How has it helped my organization?
Cortex XSOAR drastically reduces trivial tasks inside the SOC environment, which provides a huge benefit for L1 analysts.
What is most valuable?
Cortex XSOAR's most valuable features are the playbooks, custom integration, the machine-learning model, and the layout, classifier, and mapper.
What needs improvement?
Cortex XSOAR could be improved by reducing the time it takes to process large amounts of data and increasing the number of integrations. In the next release, Palo Alto should include popup features - for example, if someone is working on an incident, it should pop up and display in front of me once it's clicked.
For how long have I used the solution?
Four years.
What do I think about the stability of the solution?
Cortex XSOAR is very stable in our environment, and we haven't seen any platform issues with it.
What do I think about the scalability of the solution?
Cortex XSOAR is scalable.
How are customer service and support?
Palo Alto's support services require a lot of improvement.
Which solution did I use previously and why did I switch?
I used QRadar SOAR. Cortex XSOAR support is very good and it contains a lot of OOTB playbooks, but comparatively, QRadar SOAR lacks OOTB playbooks.
How was the initial setup?
The initial setup is very easy. Also, in the latest version, the platform is managed by the Palo Alto cloud itself and the rest of the configuration is done from the UI itself. So there is zero load in configuring the platform.
What's my experience with pricing, setup cost, and licensing?
Cortex XSOAR's license price could be lower.
What other advice do I have?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
Cybersecurity incident response team lead at Information Technology Solutions- ITS
Helps to address multiple cybersecurity and operational needs
Pros and Cons
- "What I like most about Palo Alto Networks Cortex XSOAR is how user-friendly it is for development. It is much simpler to work with compared to similar tools I've used."
- "It doesn't offer automatic internet reports out of the box."
What is our primary use case?
As an integrator, I have used Palo Alto Networks Cortex XSOAR in various customer environments for a wide range of purposes. This includes improving IT security, streamlining operations, automating incident response actions, creating playbooks with approvals, and enhancing integrations with different security tools. In essence, Cortex XSOAR serves as a versatile platform that helps address multiple cybersecurity and operational needs in organizations.
What is most valuable?
What I like most about Palo Alto Networks Cortex XSOAR is how user-friendly it is for development. It is much simpler to work with compared to similar tools I've used. If you can think of it, you can probably do it. However, there are some limitations, but speed isn't one of them.
What needs improvement?
One limitation I have noticed with Cortex XSOAR is that it doesn't offer automatic threat intel reports out of the box. However, you can achieve this through coding, and we have managed to do it in our own environment using scripts and playbooks. It is not a built-in feature, but it is possible with some coding skills. The good news is that Palo Alto Networks plans to make this process more automated in the future, but it is not available yet.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for three years.
What do I think about the stability of the solution?
Cortex XSOAR's stability depends on the right sizing. When sized correctly, it is very stable and I would rate it a strong nine out of ten. But if the sizing is wrong, performance problems can arise. For instance, customers with closed storage systems had issues during heavy workloads. To keep it stable, having at least 3,000 IOPS is advised, especially for customers with high storage needs. So, sizing is key for a successful and stable experience.
What do I think about the scalability of the solution?
Cortex XSOAR is generally scalable and I would rate the scalability an eight out of ten. It is a bit challenging to migrate it from a regular database to a high-availability Elastic database, but it is possible. The ease of migration depends on how well it was planned from the start. Overall, it is a good option for scalability, but careful planning is essential for smooth transitions. The engine, which acts as a broker for connections and integrations in Cortex XSOAR, is highly efficient and reliable.
How was the initial setup?
The initial setup of Cortex XSOAR is generally straightforward, but it can get a bit tricky when dealing with a lot of use cases. If you plan to create large playbooks, it is crucial to size the system correctly from the start. Otherwise, you might run into performance issues. Apart from that, there aren't many problems with the implementation process. The challenge mainly revolves around sizing the system correctly, especially when customers have lots of ideas that could make playbooks complex and resource-intensive. So, it is important to plan carefully in such cases. In the best-case scenario, deploying Cortex XSOAR can be done in about 30 minutes when everything is prepared and ready. However, for full integration into the customer's environment, assuming no restrictions or communication issues, it might take roughly two and a half hours.
What other advice do I have?
Overall, I would rate the solution an eight out of ten. My advice to new users would be to plan ahead before implementing Cortex XSOAR. Understand your use cases well and have a solid strategy because the implementation is an ongoing process that you can always improve. Consider creating an adoption plan for what you will do this year and next year in terms of integration and use cases. Keep it user-friendly and introduce use cases gradually to your team instead of overwhelming them all at once. It's about taking steps to make it effective over time.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Hybrid Cyber Security Team Lead at dndx
Easy to use and scalable
Pros and Cons
- "Palo Alto is easy to use."
- "The dashboard could be better."
What is our primary use case?
The solution is used for security.
What is most valuable?
Palo Alto is easy to use.
What needs improvement?
The dashboard could be better.
For how long have I used the solution?
I have used Palo Alto Network Cortex for six months.
What do I think about the stability of the solution?
There are issues with stability as it was giving false positives and has bugs. I rate the stability a seven out of ten.
What do I think about the scalability of the solution?
It is a scalable solution. There are two hundred users using the solution at present. I rate the scalability an eight out of ten.
What about the implementation team?
The solution was deployed by analysts.
What other advice do I have?
I rate the overall solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer.
Security Project Manager at a retailer with 10,001+ employees
Reliable, overall beneficial capabilities, but feature improvement needed
Pros and Cons
- "The most valuable features of Palo Alto Networks Cortex XSOAR are its overall track record and features that fit our use case."
- "Palo Alto Networks Cortex XSOAR could improve the Panorama feature. We had to turn it off because it was not working properly."
What is our primary use case?
We are using Palo Alto Networks Cortex XSOAR for automation.
What is most valuable?
The most valuable features of Palo Alto Networks Cortex XSOAR are its overall track record and features that fit our use case.
What needs improvement?
Palo Alto Networks Cortex XSOAR could improve the Panorama feature. We had to turn it off because it was not working properly.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for approximately six months.
What do I think about the stability of the solution?
Palo Alto Networks Cortex XSOAR is a stable solution.
What do I think about the scalability of the solution?
The scalability of Palo Alto Networks Cortex XSOAR is fine for what we are using it for.
We have our SecOps department of 50 people that are using the solution for alerts. We plan to increase usage in the future.
How are customer service and support?
The support from Palo Alto Networks Cortex XSOAR could improve. However, a lot of the support is poor.
What about the implementation team?
We have three people in security operations that do the maintenance and support of Palo Alto Networks Cortex XSOAR.
What's my experience with pricing, setup cost, and licensing?
The price of Palo Alto Networks Cortex XSOAR is comparable to other solutions in the market.
What other advice do I have?
I rate Palo Alto Networks Cortex XSOAR a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sales engineer at MUK
Modern with a straightforward setup and lots of integrations
Pros and Cons
- "They have a portal where you can find any kind of integration that you need."
- "The set of playbooks that XSOAR already has inside it is really huge, and it is also great for a lot of informational security managers and engineers that can just choose what they need and not have to create anything from scratch."
- "It's only one cloud right now. It might be helpful for some companies to have an on-premises option."
What is our primary use case?
XSOAR is the cherry on top of Cortex XDR. It provides you with the ability to make a lot of response actions to your incidents. Cortex XDR is collecting an incident, and Cortex XSOAR is providing you the ability to remediate it.
When the customers need the ability to remediate incidents, for example, antivirus or network security issues, some SIEM solution, et cetera, yet need to integrate everything, they can use the power of the platform without needing different solutions. Cortex XSOAR will give you the ability to integrate
For example, if some endpoint was infected in your infrastructure, you need to do something about that. XSOAR provides you the ability to understand how that endpoint was infected and to do something with that.
Cortex XSOAR will go to the firewall and block the IP address of this endpoint. Cortex XSOAR will go to the domain and disable the user as well. Then it will go to some other solution and will do something there. It is a variety of actions based on the incidents.
What is most valuable?
It is pretty modern.
It has a lot of integrations. They have a portal where you can find any kind of integration that you need. The ability to integrate with third-party vendors and solutions is great.
They have a big number of playbooks. These are a set of actions that you need to perform based on some exact incident. For example, if you find malware, you will need to block an endpoint. If you find a botnet that is connecting to your infrastructure, you will need to block this botnet on the firewall. This set of playbooks that XSOAR already has inside it is really huge, and it is also great for a lot of information security managers and engineers that can just choose what they need and not have to create anything from scratch.
The initial setup is straightforward.
What needs improvement?
Nothing needs to be changed. It is a part of Cortex inside Palo Alto Networks. If you want to get all the benefits, you will need the Cortex XDR, then you will need to get Cortex XSOAR. It's like a brother and sister, and they will give you a lot of benefits if you integrate them.
It's only one cloud right now. It might be helpful for some companies to have an on-premises option.
For how long have I used the solution?
I've been using the solution for a few months. It hasn't really been that long.
What do I think about the stability of the solution?
As a cloud, it is really stable. All that you need to do is to provide a stable internet connection. That's all. Even without the internet connection, it still works, however, without the heart of the system, which is based in the cloud.
What do I think about the scalability of the solution?
The solution is scalable. You have the ability to start from a small number of agents and go to any number of agents. Likely, small businesses will not need such a solution; however, if they do need it and need to grow, it can scale really well for them, so long as they have the money.
How are customer service and support?
You get the same support you would get from Palo Alto Networks. It's the same support portal. You get really quick answers and nice instructions. The best practices they share with us are great.
How was the initial setup?
The solution is on the cloud. You just have an agent on-premises, and all of the brains are in the cloud.
It is really straightforward, as it is a cloud deployment. You just need an agent; therefore, the basic deployment will be really straightforward, and it will take only maybe one hour or two. If you have thousands of endpoints, maybe it will take more time. That said, it really is straightforward.
What's my experience with pricing, setup cost, and licensing?
I can't speak to the exact cost of the solution.
What other advice do I have?
I'd recommend the solution.
I would rate it ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
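The review above describes playbooks as a set of actions chosen by incident type (block the endpoint on malware, block the botnet address on the firewall). The following is an added illustration of that idea as a small data-driven playbook engine; it is not Cortex XSOAR's playbook format or API, and every action name, field name and incident is constructed for the example. It records a plan instead of executing anything, never queues the same action twice, skips a step whose target field was not enriched, and holds disruptive actions (disabling a user) for analyst approval rather than running them automatically.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Incident = Dict[str, Any]
Action = Tuple[str, str]  # (hypothetical action name, target), e.g. ("firewall.block_ip", "203.0.113.9")


@dataclass
class Step:
    """One playbook step: queue `action` on the incident's `target_field` when `when` holds."""
    name: str
    when: Callable[[Incident], bool]
    action: str
    target_field: str
    needs_approval: bool = False  # disruptive actions go to an analyst queue, not auto-run


@dataclass
class Plan:
    """Outcome of evaluating a playbook: what to do now, what to ask about, what was skipped."""
    actions: List[Action] = field(default_factory=list)
    pending: List[Action] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)

    def queue(self, step: Step, target: str) -> None:
        bucket = self.pending if step.needs_approval else self.actions
        item = (step.action, target)
        if item not in bucket:  # idempotent: the same block/disable is never queued twice
            bucket.append(item)


# Constructed playbook mirroring the two rules in the review; action names are hypothetical.
RESPONSE_PLAYBOOK: List[Step] = [
    Step("isolate-host", lambda i: i["type"] == "malware", "edr.isolate_endpoint", "hostname"),
    Step("disable-user", lambda i: i["type"] == "malware", "directory.disable_user", "user",
         needs_approval=True),
    Step("block-c2", lambda i: i["type"] == "botnet", "firewall.block_ip", "dest_ip"),
]


def run_playbook(playbook: List[Step], incident: Incident, plan: Optional[Plan] = None) -> Plan:
    """Evaluate every step against one incident, appending to `plan` if given."""
    plan = plan if plan is not None else Plan()
    for step in playbook:
        if not step.when(incident):
            plan.skipped.append(step.name)
            continue
        target = incident.get(step.target_field)
        if not target:
            plan.skipped.append(step.name)  # enrichment missing: never act on an empty target
            continue
        plan.queue(step, str(target))
    return plan


def run_many(playbook: List[Step], incidents: List[Incident]) -> Plan:
    """Build one merged plan for a batch of incidents so duplicate targets collapse."""
    plan = Plan()
    for incident in incidents:
        run_playbook(playbook, incident, plan)
    return plan


# Constructed sample incidents (hostnames, user and IP are made up for the example).
SAMPLE_INCIDENTS: List[Incident] = [
    {"id": "INC-1", "type": "malware", "hostname": "ws-042", "user": "jdoe"},
    {"id": "INC-2", "type": "botnet", "hostname": "ws-077", "dest_ip": "203.0.113.9"},
    {"id": "INC-3", "type": "malware", "hostname": "ws-100"},            # no user identified
    {"id": "INC-4", "type": "botnet", "hostname": "ws-081", "dest_ip": "203.0.113.9"},  # same C2
]

if __name__ == "__main__":
    result = run_many(RESPONSE_PLAYBOOK, SAMPLE_INCIDENTS)
    for action in result.actions:
        print("run:", action)
    for action in result.pending:
        print("awaiting approval:", action)
```

Feeding the four sample incidents through `run_many` yields two isolations and a single firewall block (the repeated C2 address collapses to one action), one user disable waiting for approval, and a skipped `disable-user` step for the incident that carried no user field.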