Jasmin Surani - PeerSpot reviewer
Senior Cybersecurity Engineer (Security Operations & Engineering) at a manufacturing company with 10,001+ employees
Real User
Automates tasks, reduces manual effort, and enables efficient security orchestration
Pros and Cons
  • "The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details. It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation."
  • "There is room for improvement in support. The response time could be faster."

What is our primary use case?

It is a security orchestration and automation tool.

It basically lets us automate and orchestrate tasks across all of our security tools. Imagine integrating our vulnerability management tool with XSOAR. For example, we get a ServiceNow ticket requesting a scan for a specific server before it goes live. XSOAR can trigger that scan automatically, streamlining the entire process. That's the power of XSOAR—automating repetitive tasks and freeing up your security team for more strategic work.

What is most valuable?

The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details.

It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation. 

What needs improvement?

There is room for improvement in support. The response time could be faster.

For how long have I used the solution?

We have been using it for two years now. It's cloud-based and hosted by Palo Alto.

Buyer's Guide
Palo Alto Networks Cortex XSOAR
January 2025
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's stable. The features and functionalities work as intended mostly. It's a good, reliable product.

What do I think about the scalability of the solution?

We have six users actively using XSOAR. XSOAR is specifically for security teams; it is not for everyone to use.

How are customer service and support?

The customer service and support are okay, not the best, not the worst. Their initial response time is quite long, and even after you get back to them, it takes them a while to provide troubleshooting steps and follow through.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

We actually did run a couple of POCs for other products. My company switched to XSOAR because it's a very stable product, and its integration capabilities with most security tools are fantastic. 

If it wasn't available, we'd have to manually develop integrations for each tool, which would be incredibly time-consuming. So, that's the main reason we went with XSOAR.

How was the initial setup?

For cloud deployments, it's a breeze. No installation is needed; just access the provided link and start working. 

But for on-prem, it's a different story. You need to install multiple components and provision servers and integrate them with Palo Alto's platform according to documentation. It's a lengthy process, not overly complex, but due to the tool's architecture, it's unavoidable for on-prem installations. Cloud-based is definitely the easier option.

On-premise installation is complex and time-consuming, with multiple servers and integrations to manage. So, on-premise installation is a hassle.

What's my experience with pricing, setup cost, and licensing?

It's expensive, but the value it offers makes it worthwhile.

What other advice do I have?

It's a very stable product, definitely worth the investment. You won't regret your spending.

Overall, I would rate the solution a nine out of ten. The only reason it loses a point is the support team. Their performance hasn't reached the same level as other Palo Alto offerings.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
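The ticket-driven scan workflow this reviewer describes, as an added example that is not the reviewer's, PeerSpot's, or Palo Alto's code: a ServiceNow-style ticket asks for a pre-go-live scan of a server, and a small orchestration step decides whether to dispatch the scan or hand the ticket to a person. The ticket field names, the allowed DNS zones, and the scanner call are constructed stand-ins; the point the code makes is that a ticket field is untrusted input and must be validated and allow-listed before it is handed to a scanner API.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Strict FQDN syntax check; the ticket field is untrusted input and must not be
# passed to a scanner API as free text.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Hypothetical DNS zones whose hosts may be scanned without a human approving.
ALLOWED_ZONES = ("corp.example", "dmz.example")


@dataclass(frozen=True)
class ScanRequest:
    ticket_id: str
    target: str
    reason: str


def normalize_target(raw: str) -> Optional[str]:
    """Return a validated, lowercase FQDN inside an allowed zone, else None."""
    host = raw.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return None
    if not any(host == z or host.endswith("." + z) for z in ALLOWED_ZONES):
        return None
    return host


def plan_scan(ticket: dict) -> Optional[ScanRequest]:
    """Map a ticket record to a scan request, or None if a human must look at it."""
    if ticket.get("state") != "approved" or ticket.get("category") != "pre_go_live_scan":
        return None
    host = normalize_target(ticket.get("cmdb_ci", ""))
    if host is None:
        return None
    return ScanRequest(ticket["number"], host, "pre-go-live")


def dispatch(ticket: dict, scanner: Callable[[str], str]) -> dict:
    """One playbook step: either start the scan or route the ticket to manual review."""
    req = plan_scan(ticket)
    if req is None:
        return {"ticket": ticket.get("number"), "action": "manual_review"}
    return {"ticket": req.ticket_id, "action": "scan_started",
            "target": req.target, "scan_id": scanner(req.target)}


def fake_scanner(host: str) -> str:
    """Constructed stand-in for the vulnerability scanner's 'launch scan' API call."""
    return f"scan-{host}-0001"


# Constructed ServiceNow-style ticket records (field names are hypothetical).
TICKETS = [
    {"number": "CHG0001", "state": "approved", "category": "pre_go_live_scan",
     "cmdb_ci": " WEB01.corp.example. "},
    {"number": "CHG0002", "state": "approved", "category": "pre_go_live_scan",
     "cmdb_ci": "10.0.0.5"},                      # not an FQDN: needs a human
    {"number": "CHG0003", "state": "approved", "category": "pre_go_live_scan",
     "cmdb_ci": "host.partner.example.org"},      # outside the allowed zones
    {"number": "CHG0004", "state": "new", "category": "pre_go_live_scan",
     "cmdb_ci": "db01.dmz.example"},              # not yet approved
]


def run_all(tickets=TICKETS, scanner=fake_scanner):
    """Run the step over every ticket and return the per-ticket decisions."""
    return [dispatch(t, scanner) for t in tickets]


if __name__ == "__main__":
    for result in run_all():
        print(result)
```

Only the first ticket results in a scan; the other three are routed to manual review for different reasons (not a hostname, outside the allowed zones, not approved), which is the kind of gating a real playbook should apply before it calls out to any tool on an analyst's behalf.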
PeerSpot user
Works at an educational organization with 10,001+ employees
Real User
Has good integration capabilities and a helpful technical support team
Pros and Cons
  • "The Palo Alto ecosystem has a marketplace offering integration with Sentinel or other products."
  • "The platform’s setup procedures could be streamlined compared to one of its competitors."

What needs improvement?

The platform’s setup procedures could be streamlined compared to Sentinel, which has a much easier setup regarding Single Sign-On and policy management.

What do I think about the scalability of the solution?

I haven’t seen any lag in terms of platform scalability. It scales to cover all the endpoints. Sometimes, though, there are latencies for Panorama. It could be because there are a lot of legacy systems.

How are customer service and support?

The platform’s technical support team has been helping us from the beginning. At present, we are building a new setup team. They help us with that as well. They are always prompt and pretty fast. Sometimes, we get answers to our queries when we are not officially enrolled in technical support.

How would you rate customer service and support?

Positive

How was the initial setup?

The platform’s setup process is conducted on a virtual machine. The complexity depends on the expertise.

What's my experience with pricing, setup cost, and licensing?

Palo Alto offers significant discounts to customers who purchase the products repeatedly. For example, if they charged 160,000 last year, they might charge 60,000 less this year.

Which other solutions did I evaluate?

The platform is integrated with Panorama in the Palo Alto ecosystem. It provides the advantage of pulling data and logs from legacy systems better than Sentinel. In comparison, Sentinel primarily pulls data from Defender and Azure Active Directory and doesn’t provide visibility.

The platform uses Python for automation scripts, which is helpful due to Python's extensive data science libraries. At the same time, Sentinel utilizes different languages and Microsoft Visual Basic scripts. It is library friendly.

The Palo Alto ecosystem has a marketplace offering integration with Sentinel or other products. It is useful.

What other advice do I have?

They are bringing a new XDR product. It would have a lot of machine learning and artificial intelligence, data deduplication, and transformation features, which is great for threat detection procedures. It is a sandbox model with features for building playbooks and scripts.

I advise others to visit the website called Palo Alto Beacon. You can access a lot of free training, including example scenarios. You can experiment with different types of use cases. I even advise using Panorama with Palo Alto appliances, especially in the case of a lot of legacy systems like Windows 7 and unique servers like Solaris.

I rate it an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Oleksii Pavlyk - PeerSpot reviewer
Head of the direction of ensuring the security of digital systems, electronic databases and networks at Ukreximbank
Real User
A scalable tool that is mainly useful for managing the incident response process
Pros and Cons
  • "It is a scalable solution."
  • "Palo Alto Networks Cortex XSOAR does not currently offer SIEM functionalities."

What is our primary use case?

In my company, it is not me but my team that is involved with Palo Alto Networks Cortex XSOAR. The tool is mainly useful for incident response and automation purposes.

What is most valuable?

Owing to the features of Palo Alto Networks Cortex XSOAR, my team that operates within our company likes it.

What needs improvement?

Palo Alto Networks Cortex XSOAR does not currently offer SIEM functionalities. From an improvement perspective, I would like to see Palo Alto Networks Cortex XSOAR offer SIEM functionalities.

In the future, I would like to see more automation functionalities.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR for nearly two months.

What do I think about the stability of the solution?

Stability-wise, I rate the solution a nine out of ten. My team knows about the stability of Palo Alto Networks Cortex XSOAR, and to date, I haven't heard anything bad about the product.

What do I think about the scalability of the solution?

It is a scalable solution.

Palo Alto Networks Cortex XSOAR is a tool that is used only by me and my team in our company. The tool is mainly used by only two people in my company.

How are customer service and support?

Palo Alto Networks Cortex XSOAR's partner, with whom my company deals, helps us whenever needed.

What's my experience with pricing, setup cost, and licensing?

My company did not make any payments towards the licensing costs attached to the product since we were only using its pilot version.

What other advice do I have?

I recommend the solution to those who plan to use it.

I rate the overall product a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer1469436 - PeerSpot reviewer
Splunker, Networking and E-Mail Security Architect, Engineer and Guru at a healthcare company with 10,001+ employees
Real User
Easy to use, stable, scalable, and has responsive support
Pros and Cons
  • "It has an extensive list of integrations that are available out of the box which makes it easy to start."
  • "I would love to see more flexibility on what we can display and design on the dashboards."

What is our primary use case?

We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.

How has it helped my organization?

It reduces the manual interactions of security analysts. Before, they had to check three or four different websites to see if something was good or bad. Now, Cortex does all of that for us.

What is most valuable?

It is very easy to use.

It has an extensive list of integrations that are available out of the box which makes it easy to start.

What needs improvement?

I would love to see more flexibility on what we can display and design on the dashboards.

For how long have I used the solution?

Palo Alto Networks Cortex XSOAR has been active for six months. 

We are always on the latest version.

What do I think about the stability of the solution?

Palo Alto Networks Cortex XSOAR is pretty stable.

What do I think about the scalability of the solution?

It offers some architecture recommendations to make it really scalable if you choose.

For example, hot standby, bond standby, clustering, and breaking out components in dedicated servers. You can go wild if you want to go wild, but we wanted to keep it easy and stable.

Pretty much network security and SOC are the main users. I believe that we are licensed for 20 users.

We are definitely extensively using this solution. We are currently training many additional teams to be self-sufficient in usage. The usage will increase more and more.

How are customer service and technical support?

With Palo Alto technical support, if you get to the right people, you get an answer very quickly. 

What I like about the Cortex team is that they have a dedicated select center where you can get service in minutes and that's extremely helpful.

Overall, I am satisfied with the technical support.

Which solution did I use previously and why did I switch?

We evaluated two or three other vendors. 

We are a very big Palo Alto shop and we needed to have some Palo Alto features, which are implemented now in Cortex. We are pretty much guided in that direction for some of the security features we need for our firewalls.

How was the initial setup?

I would say the initial setup was really straightforward. 

You need to be a little bit aware of Linux unless you buy the hosted version, then you don't need to know anything about it. If you decide you want to run it yourself, you should have some Linux skills because it's a Docker framework on Linux. Knowing a bit about that is handy.

It was up and running in half a day.

What about the implementation team?

It only requires one person to maintain this solution. I do it myself along with many other tasks. In a larger environment, you split into two teams, OS maintenance and application maintenance.

We had help from a Palo Alto SE resource for the PoC, but the setup was completed on our own.

What's my experience with pricing, setup cost, and licensing?

We have a concurrent user license. 

The licensing is a pretty high price for a user license per year.

The base product is very cheap, you can even get it for free, but the fee per user is expensive. It is approx $10,000 or $20,000 per year for two user licenses.

It's a great product, although it might become very pricey if you need several user licenses.

They need to automate everything to reduce the number of user licenses needed. If it is an automated workflow, you don't need to be licensed.

If Cortex sends an email asking a user to say yes or no, you don't need a license for that user. You just need a user license if you want to improve what Cortex does in terms of workbooks, cases, and more.

Which other solutions did I evaluate?

We evaluated Splunk for six months and decided against it three to six months ago.

What other advice do I have?

Have a very good understanding of what you want to automate. Define the process and make sure the integrations you need are available out of the box.

I would also suggest starting simple. Try easy use cases first, until you feel confident, before you get into more complex use cases.

I would rate Palo Alto Networks Cortex XSOAR a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
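One of the automations this reviewer lists, detecting impossible travel, as an added example that is not the reviewer's, PeerSpot's, or Palo Alto's code: consecutive logins by the same user are paired, the great-circle distance between their locations is divided by the elapsed time, and a pair that would require an implausible speed is raised as an alert. The authentication events, coordinates, and the 900 km/h threshold are constructed for the example.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed threshold: faster than an airliner's cruise speed is physically
# implausible for one person, so a pair of logins above it is suspicious.
MAX_SPEED_KMH = 900.0

# Constructed authentication events (user, UTC timestamp, geo-IP city and coordinates).
EVENTS = [
    {"user": "alice", "ts": "2025-01-10T08:00:00Z", "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2025-01-10T09:30:00Z", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503},
    {"user": "bob", "ts": "2025-01-10T08:00:00Z", "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"user": "bob", "ts": "2025-01-10T11:00:00Z", "city": "Berlin", "lat": 52.5200, "lon": 13.4050},
    {"user": "alice", "ts": "2025-01-10T10:00:00Z", "city": "Tokyo", "lat": 35.6762, "lon": 139.6503},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive login pair that implies travel faster than the limit."""
    alerts = []
    last_seen = {}  # user -> most recent event, in time order
    for ev in sorted(events, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Two logins at the same instant from different places are infinite speed;
            # same place at the same instant is not travel at all.
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": ev["user"], "from": prev["city"], "to": ev["city"],
                    "km": round(dist), "hours": round(hours, 2), "kmh": round(speed),
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(EVENTS):
        print(alert)
```

On the constructed data only alice's London-to-Tokyo pair fires (roughly 9,560 km in 90 minutes); bob's Paris-to-Berlin pair and alice's second Tokyo login stay quiet. In a real deployment the geo-IP lookup is the weak link, so a playbook normally treats the alert as a prompt for enrichment (known VPN or cloud egress ranges, MFA result) rather than as a verdict.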
Sara Qafa - PeerSpot reviewer
Systems Engineer at Exclusive Networks
Reseller
Helps understand user behavior, automates security tasks, and enables threat hunting
Pros and Cons
  • "The product can automate security tasks."
  • "The solution is complicated to learn."

What is our primary use case?

The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.

What is most valuable?

The solution has a lot of information, like playbooks and incidents. It goes really deep. The vendor provides training, knowledge bases, workshops, and webinars. The product can automate security tasks. Playbooks are the most beneficial feature. We can create a playbook. We can get visibility on incidents.

We can also analyze user behavior and understand whether it is a true positive or a false positive. We have so many false positives these days in security, so it's nice when we can put things in the block list. We can perform investigations. The product can be integrated with third-party tools.

What needs improvement?

The solution is complicated to learn. Customers find it difficult to learn how the solution works. We need professionals to learn and understand how the tool works to expand it further. Our customers want to see more use cases. They want to have more facilitations and more visibility on how it works. We need more skilled people inside and outside the team to understand how it works. It’s difficult to find skilled people to understand how the tool works.

What do I think about the scalability of the solution?

The solution is suitable for enterprise businesses.

How are customer service and support?

We can send an email to the online support portal. We can contact Palo Alto engineers immediately and open a ticket. The engineers will take care of the issue depending on the severity level of the ticket.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is really easy. We just have to order it. When we have the tool, someone from Palo Alto will provide us with the account information. After that, we must set up the users, customers, and resellers. We can do onboarding immediately. The deployment takes one or two days.

What's my experience with pricing, setup cost, and licensing?

Whether the product is cheap or expensive depends on the company and how much they are willing to spend on security. Nowadays, security is important. The solution is not suitable for small businesses. It is better suited for medium and enterprise businesses because it starts with 200 endpoints.

Which other solutions did I evaluate?

SentinelOne is an endpoint protection tool. However, Palo Alto gives us more security features.

What other advice do I have?

I work with a distributor. I recommend the product to my customers. I'm really satisfied with the tool. It's a very nice tool. It can work and give us what we need. We just need to be patient and learn how it works. The incidents can be handled very easily. Overall, I rate the product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Nethra Sk - PeerSpot reviewer
Head of Security Monitoring and Control at Alstom Ferroviaria S.p.A.
Real User
Great customization and integration with Microsoft infrastructure, but its performance and customization could be better
Pros and Cons
  • "Its agility and scalability are valuable."
  • "The formats are not compatible, are not readily available, and are not readable."

What is our primary use case?

Our primary use case for the solution is customization and integration with Microsoft infrastructure.

What is most valuable?

Its agility and scalability are valuable.

What needs improvement?

Customization and performance can be improved. For example, some formats were incompatible when integrating, and they said we needed to work with the vendor to fix this issue because some logs that AVA logs were not compatible, and it did not readily recognize the format. Most of the time, I heard this as feedback. The formats are not compatible, are not readily available, and are not readable. Then we had to work on it and write it manually.

For how long have I used the solution?

We have been using the solution for over five years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable. Internally, there are around ten to twelve people who use it. However, I am unsure of the exact number of external users.

What's my experience with pricing, setup cost, and licensing?

The solution is priced reasonably.

What other advice do I have?

I rate the solution a seven out of ten. The solution is good, but its performance and customization can be improved. I advise new users to understand their use cases. For example, suppose somebody is starting with highly customizable options and wants more agility to go to a micro level. In that case, I will still recommend people start with XSOAR, understand the environment, and then go to Sentinel. But it could also be done differently. It depends on the company's objective. If you look at it as we do, we started with Cortex a couple of years ago, and now, looking forward and at compelling factors, we are moving to Microsoft.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
MSS Delivery Lead at Help AG
MSP
A highly stable and scalable product that enables organizations to achieve SLAs faster
Pros and Cons
  • "The product’s stability is good."
  • "The tool’s multi-tenancy feature must be improved."

What is our primary use case?

We have a lot of playbooks. It makes our SOC operations easy.

How has it helped my organization?

Our response has become very fast. We are able to achieve SLAs faster.

What is most valuable?

The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.

What needs improvement?

The tool’s multi-tenancy feature must be improved. The user interface must be made a little bit easier.

For how long have I used the solution?

I have been using the solution for two years. I am using the latest version of the solution.

What do I think about the stability of the solution?

I rate the tool’s stability a ten out of ten.

What do I think about the scalability of the solution?

The tool is highly scalable. I rate the scalability an eight out of ten. There are ten users in our organization. The solution is used 24/7. We have a plan to increase the usage.

How are customer service and support?

We had some issues with the professional services. The team should not waste time and close the projects quickly.

How would you rate customer service and support?

Positive

How was the initial setup?

I rate the ease of setup an eight out of ten. The initial setup was straightforward. There were issues during integration. We found a lot of challenges in it. It should be improved. The deployment took around two weeks. Developing the playbooks took a long time. It could take a month or more.

We deployed two main servers in the primary and secondary locations. We started the integration with a couple of technologies. During the third phase, we started working with the playbook development. After that, we started with the notifications and email templates. Finally, we did the test phase. We needed only one person for deployment and maintenance.

What's my experience with pricing, setup cost, and licensing?

The solution is expensive. I rate the pricing a nine out of ten. There are no additional costs associated with the product. The license renewal cost increased this year.

Which other solutions did I evaluate?

We reviewed other solutions, but we did not choose them. We chose XSOAR because it is the market leader. Some friends who used the solution recommended it. We also considered the Gartner report.

What other advice do I have?

The product is perfectly suitable for enterprise customers. We can achieve whatever playbooks we want to deploy. The stability is really good. We need the right professional services person who can finish the project on time. Overall, I rate the tool a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
AkashMajumder - PeerSpot reviewer
SOC Analyst at Contensis
Real User
Used to automate SIEM tools and incidents
Pros and Cons
  • "We use the solution to automate our SIEM tools and incidents."
  • "The solution's correlation rules and playbooks should be improved."

What is most valuable?

We use the solution to automate our SIEM tools and incidents.

What needs improvement?

The solution's correlation rules and playbooks should be improved.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR for six to seven months.

What do I think about the stability of the solution?

I rate the solution seven and a half out of ten for stability.

What do I think about the scalability of the solution?

More than 100 users are using the solution in our organization.

I rate the solution a six out of ten for the scalability of its on-premises version.

Which solution did I use previously and why did I switch?

I also use the ArcSight solution.

What about the implementation team?

The solution can be deployed within a few minutes.

What other advice do I have?

We are using the latest version of Palo Alto Networks Cortex XSOAR. The solution's on-premises version is not scalable. Around five people are involved with the solution’s maintenance.

Overall, I rate the solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Palo Alto Networks Cortex XSOAR Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025