We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.
Splunker, Networking and E-Mail Security Architect, Engineer and Guru at a healthcare company with 10,001+ employees
Easy to use, stable, scalable, and has responsive support
Pros and Cons
- "It has an extensive list of integrations that are available out of the box which makes it easy to start."
- "I would love to see more flexibility on what we can display and design on the dashboards."
What is our primary use case?
How has it helped my organization?
It reduces manual interactions of security analysts. Before they had to check on three, or four different websites to see if something was good or bad. Now, Cortex does all of that for us.
What is most valuable?
It is very easy to use.
It has an extensive list of integrations that are available out of the box which makes it easy to start.
What needs improvement?
I would love to see more flexibility on what we can display and design on the dashboards.
Buyer's Guide
Palo Alto Networks Cortex XSOAR
October 2024
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
Palo Alto Networks Cortex XSOAR has been active for six months.
We are always on the latest version.
What do I think about the stability of the solution?
Palo Alto Networks Cortex XSOAR is pretty stable.
What do I think about the scalability of the solution?
It offers some architecture recommendations to make it really scalable if you choose.
For example, hot standby, bond standby, clustering, and breaking out components in dedicated servers. You can go wild if you want to go wild, but we wanted to keep it easy and stable.
Pretty much network security and SOC are the main users. I believe that we are licensed for 20 users.
We are definitely extensively using this solution. We are currently training many additional teams to be self-sufficient in usage. The usage will increase more and more.
How are customer service and support?
With Palo Alto technical support, if you get to the right people, you get an answer very quickly.
What I like about the Cortex team is that they have a dedicated select center where you can get service in minutes and that's extremely helpful.
Overall, I am satisfied with the technical support.
Which solution did I use previously and why did I switch?
We evaluated two or three other vendors.
We are a very big Palo Alto shop and we needed to have some Palo Alto features, which are implemented now in Cortex. We are pretty much guided in that direction for some of the security features we need for our firewalls.
How was the initial setup?
I would say the initial setup was really straightforward.
You need to be a little bit aware of Linux unless you buy the hosted version, then you don't need to know anything about it. If you decide you want to run it yourself, you should have some Linux skills because it's a Docker framework on Linux. Knowing a bit about that is handy.
It was up and running in half a day.
What about the implementation team?
It only requires one person to maintain this solution. I do it myself along with many other tasks. In a larger environment, you split into two teams, OS maintenance and application maintenance.
We had help from Palo Alto SE resource for the PoC, but the setup was completed on our own.
What's my experience with pricing, setup cost, and licensing?
We have a concurrent user license.
The licensing is a pretty high price for a user license per year.
The base product is very cheap, you can even get it for free, but the fee per user is expensive. It is approx $10,000 or $20,000 per year for two user licenses.
It's a great product, although it might become very pricey if you need several user licenses.
They need to automate everything to reduce the number of user licenses needed. If it is an automated workflow, you don't need to be licensed.
If Cortex sends an email asking a user to say yes or no, you don't need a license for that user. You just need a user license if you want to improve what Cortex does in terms of workbooks, cases, and more.
Which other solutions did I evaluate?
We evaluated Splunk for six months and decided against it three to six months ago.
What other advice do I have?
Have a very good understanding of what you want to automate. Define the process and make sure the integrations you need are available out of the box.
I would also suggest starting simple. Try easy use cases first and until you feel confident before you get into more complex use cases.
I would rate Palo Alto Networks Cortex XSOAR a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Analyst at Altisec Technologies Pvt Ltd
Enhanced security operations through automation and advanced playbook creation
Pros and Cons
- "The most valuable features of Cortex XSOAR include its vast library of plugins, which allow us to integrate various tools and solutions seamlessly."
- "Creating complex playbooks using coding languages, such as Python, could be easier."
What is our primary use case?
I have created a couple of playbooks for a few clients using Cortex XSOAR. For example, we created a phishing playbook that checks the reputation of IP addresses or URLs using various reputation checker platforms. We've integrated Firepower Threat Defense, as well as Aviso IPTP and Cisco Talos for comparing the results. These were some of the use cases we worked on.
How has it helped my organization?
Using Cortex XSOAR has helped us create complex playbooks and streamline our security operations through automation. The integration capabilities with other solutions, like Cortex XDR and various SIEM solutions, have improved our incident management and detection capabilities.
What is most valuable?
The most valuable features of Cortex XSOAR include its vast library of plugins, which allow us to integrate various tools and solutions seamlessly. Additionally, the ability to create complex playbooks tailored to our needs and the option to incorporate user input within the workflows are highly beneficial.
What needs improvement?
Creating complex playbooks using coding languages, such as Python, could be easier. Sometimes the process becomes tedious and requires manual tasks.
For how long have I used the solution?
I have worked with Cortex XSOAR for approximately five to six months.
What do I think about the stability of the solution?
I have not experienced any performance or stability issues with Cortex XSOAR.
What do I think about the scalability of the solution?
Cortex XSOAR is scalable. We had around 50 to 60 playbooks created by my colleagues, and the solution scaled well up to a certain extent and beyond.
How are customer service and support?
I would rate the technical support 9.5 to ten out of ten. Palo Alto Networks provides concrete and to-the-point solutions to our issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Palo Alto Networks Cortex XSOAR, I used a product called Sequium SOAR. It was not up to the mark as we could not insert any code or create complex playbooks.
What about the implementation team?
The setup was done by another team.
What's my experience with pricing, setup cost, and licensing?
I do not know about the pricing as it was handled by the salespeople.
Which other solutions did I evaluate?
We evaluated other products such as SplunkSource, SecondSource, and Stream LensSource. However, we chose Cortex XSOAR because of its scalability and flexibility.
What other advice do I have?
To create your own customized playbooks, it's important to be well-versed with Python.
I'd rate the solution ten out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 25, 2024
Flag as inappropriateBuyer's Guide
Palo Alto Networks Cortex XSOAR
October 2024
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
BDM/Chief Information Officer at Afcor PLC
A user-friendly solution simplifying security with easy configuration
Pros and Cons
- "The solution is user-friendly and easy to configure."
- "Palo Alto needs to develop more AI-centric products."
What is most valuable?
The solution is user-friendly and easy to configure.
What needs improvement?
Palo Alto needs to develop more AI-centric products. Also, the price could be cheaper. It doesn’t have infinite connectors.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for a couple of years.
What do I think about the stability of the solution?
The product is very stable.
What do I think about the scalability of the solution?
5,000-7,000 users are using this solution.
How are customer service and support?
Technical support is knowledgeable.
Which solution did I use previously and why did I switch?
We used to work on the IBM XSOAR product, which was well-developed and competitive. The IBM component was strong, but Palo Alto Networks Cortex XSOAR performed well. The main difference lies in the level of suggestions provided by the playbooks when analyzing logs. IBM's suggestions to be better.
How was the initial setup?
The initial setup is simple. Your level of understanding significantly impacts the effectiveness of implementation. People may learn the hard way, especially post-implementation, highlighting the importance of a comprehensive experience.
What other advice do I have?
I recommended Palo Alto Networks Cortex XSOAR to a friend, and they have been using it to access and respond to issues in their data center. So far, there have been no complaints, not even worth mentioning. They also requested repairs through the platform.
The playbook is very good and user-friendly compared to IBM.
There are always things missing in some of the boxes. In some instances, there appears to be a leak. There are inconsistencies. Solutions like Palo Alto Networks Cortex XSOAR or similar products are necessary.
Overall, I rate the solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Apr 25, 2024
Flag as inappropriateHead of Security Monitoring and Control at Alstom Ferroviaria S.p.A.
Great customization and integration with Microsoft infrastructure, but its performance and customization could be better
Pros and Cons
- "Its agility and scalability are valuable."
- "The formats are not compatible, are readily not available, and are not readable."
What is our primary use case?
Our primary use case for the solution is customization and integration with Microsoft infrastructure.
What is most valuable?
Its agility and scalability are valuable.
What needs improvement?
Customization and performance can be improved. For example, some formats were incompatible when integrating, and they said we needed to work with the vendor to fix this issue because some logs that AVA logs were not compatible, and it did not readily recognize the format. Most of the time, I heard this as feedback. The formats are not compatible, are readily not available, and are not readable. Then we had to work it and write it manually.
For how long have I used the solution?
We have been using the solution for over five years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. Internally, there are around ten to 12 people who use it. However, I am unsure of the exact number of external users.
What's my experience with pricing, setup cost, and licensing?
The solution is priced reasonably.
What other advice do I have?
I rate the solution a seven out of ten. The solution is good, but its performance and customization can be improved. I advise new users to understand their use cases. For example, suppose somebody is starting with highly customizable options and wants more agility to go to a micro level. In that case, I will still recommend people start with XSOAR, understand the environment, and then go to Sentinel. But it could also be done differently. It depends on the company's objective, so if you look at it as we started with Cortex a couple of years before. And now, looking forward and at compelling factors, we are moving to Microsoft.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Helps understand user behavior, automates security tasks, and enables threat hunting
Pros and Cons
- "The product can automate security tasks."
- "The solution is complicated to learn."
What is our primary use case?
The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.
What is most valuable?
The solution has a lot of information, like playbooks and incidents. It goes really deep. The vendor provides training, knowledge bases, workshops, and webinars. The product can automate security tasks. Playbooks are the most beneficial feature. We can create a playbook. We can get visibility on incidents.
We can also analyze user behavior and understand whether it is a true positive or a false positive. We have so many false positives these days in security, so it's nice when we can put things in the block list. We can perform investigations. The product can be integrated with third-party tools.
What needs improvement?
The solution is complicated to learn. Customers find it difficult to learn how the solution works. We need professionals to learn and understand how the tool works to expand it further. Our customers want to see more use cases. They want to have more facilitations and more visibility on how it works. We need more skilled people inside and outside the team to understand how it works. It’s difficult to find skilled people to understand how the tool works.
What do I think about the scalability of the solution?
The solution is suitable for enterprise businesses.
How are customer service and support?
We can send an email to the online support portal. We can contact Palo Alto engineers immediately and open a ticket. The engineers will take care of the issue depending on the severity level of the ticket.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is really easy. We just have to order it. When we have the tool, someone from Palo Alto will provide us with the account information. After that, we must set up the users, customers, and resellers. We can do onboarding immediately. The deployment takes one or two days.
What's my experience with pricing, setup cost, and licensing?
Whether the product is cheap or expensive depends on the company and how much they are willing to spend on security. Nowadays, security is important. The solution is not suitable for small businesses. It is better suited for medium and enterprise businesses because it starts with 200 endpoints.
Which other solutions did I evaluate?
SentinelOne is an endpoint protection tool. However, Palo Alto gives us more security features.
What other advice do I have?
I work with a distributor. I recommend the product to my customers. I'm really satisfied with the tool. It's a very nice tool. It can work and give us what we need. We just need to be patient and learn how it works. The incidents can be handled very easily. Overall, I rate the product a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Last updated: Apr 24, 2024
Flag as inappropriateSenior Information Technology Support Engineer at TSCNET Services GmbH
Easy to install, able to expand, and reliable
Pros and Cons
- "It’s easy to install."
- "The integration could be better. Cortex, for example, does not work with iPhone."
What is our primary use case?
We primarily use the solution for network inspection.
What is most valuable?
The solution works well.
It’s easy to install.
It’s stable.
The solution can scale as needed.
What needs improvement?
The stability could be better.
The integration could be better. Cortex, for example, does not work with iPhone.
For how long have I used the solution?
I’ve been using the solution for less than one year.
What do I think about the stability of the solution?
Right now, it’s been stable for us. We may consider something from Microsoft in the future. It’s possible it could be more stable.
What do I think about the scalability of the solution?
The solution is quite scalable. If a company needs to expand it, it can do so.
How are customer service and support?
At the moment, we don’t actually get support from Palo Alto as we’ve never needed any help. I can’t say how helpful or responsive they would be.
Which solution did I use previously and why did I switch?
We’ve also worked with CrowdStrike. We switched as we weren’t happy with their detection capabilities.
How was the initial setup?
The installation is very easy to set up. It’s not overly complex or difficult.
The deployment took less than a week. I recall we had it up and running within a couple of days.
What about the implementation team?
In our case, we went to a consultant for installation assistance. However, a company might likely be able to handle it on its own.
What's my experience with pricing, setup cost, and licensing?
I can’t speak to the exact cost of the solution.
What other advice do I have?
This is a SaaS product.
I’d rate the solution nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
MSS Delivery Lead at Help AG
A highly stable and scalable product that enables organizations to achieve SLAs faster
Pros and Cons
- "The product’s stability is good."
- "The tool’s multi-tenancy feature must be improved."
What is our primary use case?
We have a lot of playbooks. It makes our SOC operations easy.
How has it helped my organization?
Our response has become very fast. We are able to achieve SLAs faster.
What is most valuable?
The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.
What needs improvement?
The tool’s multi-tenancy feature must be improved. The user interface must be made a little bit easier.
For how long have I used the solution?
I have been using the solution for two years. I am using the latest version of the solution.
What do I think about the stability of the solution?
I rate the tool’s stability a ten out of ten.
What do I think about the scalability of the solution?
The tool is highly scalable. I rate the scalability an eight out of ten. There are ten users in our organization. The solution is used 24/7. We have a plan to increase the usage.
How are customer service and support?
We had some issues with the professional services. The team should not waste time and close the projects quickly.
How would you rate customer service and support?
Positive
How was the initial setup?
I rate the ease of setup an eight out of ten. The initial setup was straightforward. There were issues during integration. We found a lot of challenges in it. It should be improved. The deployment took around two weeks. Developing the playbooks took a long time. It could take a month or more.
We deployed two main servers in the primary and secondary locations. We started the integration with a couple of technologies. During the third phase, we started working with the playbook development. After that, we started with the notifications and email templates. Finally, we did the test phase. We needed only one person for deployment and maintenance.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive. I rate the pricing a nine out of ten. There are no additional costs associated with the product. The license renewal cost increased this year.
Which other solutions did I evaluate?
We reviewed other solutions, but we did not choose them. We chose XSOAR because it is the market leader. Some friends who used the solution recommended it. We also considered the Gartner report.
What other advice do I have?
The product is perfectly suitable for enterprise customers. We can achieve whatever playbooks we want to deploy. The stability is really good. We need the right professional services person who can finish the project on time. Overall, I rate the tool a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cybersecurity incident response team lead at Information Technology Solutions- ITS
Helps to address multiple cybersecurity and operational needs
Pros and Cons
- "What I like most about Palo Alto Networks Cortex XSOAR is how user-friendly it is for development. It is much simpler to work with compared to similar tools I've used."
- "It doesn't offer automatic internet reports out of the box."
What is our primary use case?
As an integrator, I have used Palo Alto Networks Cortex XSOAR in various customer environments for a wide range of purposes. This includes improving IT security, streamlining operations, automating incident response actions, creating playbooks with approvals, and enhancing integrations with different security tools. In essence, Cortex XSOAR serves as a versatile platform that helps address multiple cybersecurity and operational needs in organizations.
What is most valuable?
What I like most about Palo Alto Networks Cortex XSOAR is how user-friendly it is for development. It is much simpler to work with compared to similar tools I've used. If you can think of it, you can probably do it. However, there are some limitations, but speed isn't one of them.
What needs improvement?
One limitation I have noticed with Cortex XSOAR is that it doesn't offer automatic threat intel reports out of the box. However, you can achieve this through coding, and we have managed to do it in our own environment using scripts and playbooks. It is not a built-in feature, but it is possible with some coding skills. The good news is that Palo Alto Networks plans to make this process more automated in the future, but it is not available yet.
For how long have I used the solution?
I have been using Palo Alto Networks Cortex XSOAR for three years.
What do I think about the stability of the solution?
Cortex XSOAR's stability depends on the right sizing. When sized correctly, it is very stable and I would rate it a strong nine out of ten. But if the sizing is wrong, performance problems can arise. For instance, customers with closed storage systems had issues during heavy workloads. To keep it stable, having at least 3,000 IOPs is advised, especially for customers with high storage needs. So, sizing is key for a successful and stable experience.
What do I think about the scalability of the solution?
Cortex XSOAR is generally scalable and I would rate the scalability an eight out of ten. It is a bit challenging to migrate it from a regular database to a high-availability Elastic database, but it is possible. The ease of migration depends on how well it was planned from the start. Overall, it is a good option for scalability, but careful planning is essential for smooth transitions. The engine, which acts as a broker for connections and integrations in Cortex XSOAR, is highly efficient and reliable.
How was the initial setup?
The initial setup of Cortex XSOAR is generally straightforward, but it can get a bit tricky when dealing with a lot of use cases. If you plan to create large playbooks, it is crucial to size the system correctly from the start. Otherwise, you might run into performance issues. Apart from that, there aren't many problems with the implementation process. The challenge mainly revolves around sizing the system correctly, especially when customers have lots of ideas that could make playbooks complex and resource-intensive. So, it is important to plan carefully in such cases. In the best-case scenario, deploying Cortex XSOAR can be done in about 30 minutes when everything is prepared and ready. However, for full integration into the customer's environment, assuming no restrictions or communication issues, it might take roughly two and a half hours.
What other advice do I have?
Overall, I would rate the solution an eight out of ten. My advice to new users would be to plan ahead before implementing Cortex XSOAR. Understand your use cases well and have a solid strategy because the implementation is an ongoing process that you can always improve. Consider creating an adoption plan for what you will do this year and next year in terms of integration and use cases. Keep it user-friendly and introduce use cases gradually to your team instead of overwhelming them all at once. It's about taking steps to make it effective over time.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Buyer's Guide
Download our free Palo Alto Networks Cortex XSOAR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Popular Comparisons
CrowdStrike Falcon
Microsoft Sentinel
SentinelOne Singularity Complete
IBM Security QRadar
AWS Security Hub
VMware Carbon Black Endpoint
Sumo Logic Security
Arctic Wolf Managed Detection and Response
Cybereason Endpoint Detection & Response
Cortex XSIAM
ThreatConnect Threat Intelligence Platform (TIP)
Buyer's Guide
Download our free Palo Alto Networks Cortex XSOAR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which Do You Recommend, Phantom or Demisto?
- Which SOAR product has the better value: Palo Alto Networks Cortex XSOAR or Swimlane? Why?
- Which solution do you prefer: Microsoft Sentinel or Palo Alto Networks Cortex XSOAR?
- What are the Top 5 cybersecurity trends in 2022?
- What is the difference between SIEM and SOAR platforms?
- What is an incident response playbook and how is it used in SOAR?
- What are the latest trends in Security Operations Center (SOC)?
- What tools and solutions do you use for automated incident response in an enterprise in 2022?
- How to evaluate SIEM detection rules?
- Why a Security Operations Center (SOC) is important?