Palo Alto Networks Cortex XSOAR Reviews

I have created a couple of playbooks for a few clients using Cortex XSOAR. For example, we created a phishing playbook that checks the reputation of IP addresses or URLs using various reputation checker platforms. We've integrated Firepower Threat Defense, as well as Aviso IPTP and Cisco Talos for comparing the results. These were some of the use cases we worked on.

Using Cortex XSOAR has helped us create complex playbooks and streamline our security operations through automation. The integration capabilities with other solutions, like Cortex XDR and various SIEM solutions, have improved our incident management and detection capabilities.

The most valuable features of Cortex XSOAR include its vast library of plugins, which allow us to integrate various tools and solutions seamlessly. Additionally, the ability to create complex playbooks tailored to our needs and the option to incorporate user input within the workflows are highly beneficial.

Creating complex playbooks using coding languages, such as Python, could be easier. Sometimes the process becomes tedious and requires manual tasks.

I have worked with Cortex XSOAR for approximately five to six months.

I have not experienced any performance or stability issues with Cortex XSOAR.

Cortex XSOAR is scalable. We had around 50 to 60 playbooks created by my colleagues, and the solution scaled well up to a certain extent and beyond.

I would rate the technical support 9.5 to ten out of ten. Palo Alto Networks provides concrete and to-the-point solutions to our issues.

Positive

Before using Palo Alto Networks Cortex XSOAR, I used a product called Sequium SOAR. It was not up to the mark as we could not insert any code or create complex playbooks.

The setup was done by another team.

I do not know about the pricing as it was handled by the salespeople.

We evaluated other products such as SplunkSource, SecondSource, and Stream LensSource. However, we chose Cortex XSOAR because of its scalability and flexibility.

To create your own customized playbooks, it's important to be well-versed with Python.

I'd rate the solution ten out of ten.

For organizations that are stable with their security operations, like those with around 50 members in their security team running full-phased operations 24/7, Cortex is necessary. They can automate many processes and build their own scripts. Then, we use it for Flashflakes. 

But for a smaller organization with binding budgets and who is unaware of security, they may end up wasting money on it. This is an expensive tool. We have to use it wisely, or it’s easy to mistrust its value.

Previously, when Demisto was, there was a community edition; we could use it, reinstall it, and customize it. Since Palo Alto took over, it has become more financially oriented. It's business, but they could offer a pro model and a lighter model for different needs. 

For example, creating a pro model alongside a lighter model could be beneficial, like FortiSOAR or others providing a lighter model that focuses on the automation segment, where you could integrate maybe five or ten playbooks and integrations for day-to-day operations. This would make it more accessible to everyone.

Currently, Cortex XSOAR operates on a larger scale, which may not be necessary for all. If there's a minimum budget of around 50k or 80k for SOAR, having a scaled-down version of Cortex XSOAR would be advantageous. This would allow integration with current business operations at a minimal cost, saving money while still leveraging the capabilities of Cortex XSOAR.

And if there's a need to scale up later, moving to a pro model could be an option. That's something that's missing on the business side but could greatly aid incident response, as we're all trying to secure organizations from threats. Having such an option would make it a more socially viable cost and still provide widespread use.

In future releases, I would like to see more differential models could be implemented, instead of having a one-size-fits-all approach.

It is a stable solution.

It is a scalable solution. The best part was the working model when it transitioned from Demisto to Palo Alto Networks. Demisto had around 220 plus integrations when they launched. That was back in 2018 before it was acquired by Palo Alto Networks. But automation can be increased.

The customer service and support are very good. Palo Alto has scaled well. 

Positive

We've worked with Cortex XSOAR. We haven't worked with other SOAR solutions much.

From my experience, Cortex XSOAR is a leading product in the market.  While I haven't worked with competing products like Phantom to offer a comparative analysis, it's standing against Microsoft's Azure Sentinel SOAR solution. 

Cortex XSOAR is indeed a market leader. It may come at a higher price point, but it supports a vast technology ecosystem and offers a comprehensive suite of features, such as inbuilt ITSM management, a war room, an advisory system, threat intelligence connections, and a lot of integrations. The communication capabilities are exceptional. When it comes to top-tier products like Cortex XSOAR, we're paying for premium quality.

You have to spend a dedicated core engineer and a lead team to tune and tweak it. But once you do that, it all runs automatically. You will save money on a lot of analysts or multiple analysis jobs because a lot of automation will be done for savings, especially since it's all based on machine learning now. 

At the end of the day, I cannot remove or unplug the analysts, but I can reduce the number. If I have 20 people managing and monitoring an endpoint solution or a SIEM solution for one organization, I can reduce it to at least one-fourth, and you will save a lot of money.

The pricing is fair. The pricing reflects the value and feature set it offers. 

For example, with the purchase of a license, a dedicated success team, professional support, and integration assistance are part of the package. 

People pay for the right value, but the organization has to leverage it fully. If they don’t, it can be problematic. They might end up wasting money on something they don’t need. 

When a client wants to economize on licenses—preferring development and technology investment over licensing fees—the Elastic SIEM tool is a zero-cost option we haven't fully explored yet, either as a company or personally.

Technologies like QRadar and cloud-based projects such as QRock are in the market. 

Splunk is certainly costly, but it offers strong technology and cloud infrastructure. Sentinel is cloud-exclusive and a bit expensive but advanced. There's a trade-off. 

However, if a customer has a limited budget for licenses but can afford operational expenses, we need to investigate Elastic, which operates like any data lake, offering quick searches and high data storage capacity depending on the computing power. One could manage hundreds of GB per hour, running analytics effectively. 

Nonetheless, clients must invest in building their security technologies and partnerships, which is resource-heavy SIEM. Elastic is expanding its offerings, but it still leads to a platform-based model that many opt for due to its cost-effectiveness. So, I have evaluated all these SIEM solutions. 

My company is involved with SOAR, but not to a great extent. Post-COVID, there are not many people who show interest in SOAR solutions and many customers are now reluctant to allocate budgets for this. 

Open-source alternatives are gaining traction, which is why we're considering developing capabilities in that area. With Microsoft's Sentinel, we see a unique case where its SOAR capabilities are more cost-effective. Hence, it has seen some adoption. 

However, my direct experience with a comprehensive SOAR solution is with Cortex XSOAR, which is a product of Palo Alto Networks—previously known as Demisto.

Overall, I would rate the solution a nine out of ten. The platform is constantly evolving, offering freeware and community editions. You can clearly go for it. The advice is to opt for it and use it to the max.

The solution is user-friendly and easy to configure.

Palo Alto needs to develop more AI-centric products. Also, the price could be cheaper. It doesn’t have infinite connectors.

I have been using Palo Alto Networks Cortex XSOAR for a couple of years.

The product is very stable.

5,000-7,000 users are using this solution.

Technical support is knowledgeable.

We used to work on the IBM XSOAR product, which was well-developed and competitive. The IBM component was strong, but Palo Alto Networks Cortex XSOAR performed well. The main difference lies in the level of suggestions provided by the playbooks when analyzing logs. IBM's suggestions to be better.

The initial setup is simple. Your level of understanding significantly impacts the effectiveness of implementation. People may learn the hard way, especially post-implementation, highlighting the importance of a comprehensive experience.

I recommended Palo Alto Networks Cortex XSOAR to a friend, and they have been using it to access and respond to issues in their data center. So far, there have been no complaints, not even worth mentioning. They also requested repairs through the platform.

The playbook is very good and user-friendly compared to IBM.

There are always things missing in some of the boxes. In some instances, there appears to be a leak. There are inconsistencies. Solutions like Palo Alto Networks Cortex XSOAR or similar products are necessary.

Overall, I rate the solution an eight out of ten.

Our primary use case for the solution is customization and integration with Microsoft infrastructure.

Its agility and scalability are valuable.

Customization and performance can be improved. For example, some formats were incompatible when integrating, and they said we needed to work with the vendor to fix this issue because some logs that AVA logs were not compatible, and it did not readily recognize the format. Most of the time, I heard this as feedback. The formats are not compatible, are readily not available, and are not readable. Then we had to work it and write it manually.

We have been using the solution for over five years.

The solution is stable.

The solution is scalable. Internally, there are around ten to 12 people who use it. However, I am unsure of the exact number of external users.

The solution is priced reasonably.

I rate the solution a seven out of ten. The solution is good, but its performance and customization can be improved. I advise new users to understand their use cases. For example, suppose somebody is starting with highly customizable options and wants more agility to go to a micro level. In that case, I will still recommend people start with XSOAR, understand the environment, and then go to Sentinel. But it could also be done differently. It depends on the company's objective, so if you look at it as we started with Cortex a couple of years before. And now, looking forward and at compelling factors, we are moving to Microsoft. 

The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.

The solution has a lot of information, like playbooks and incidents. It goes really deep. The vendor provides training, knowledge bases, workshops, and webinars. The product can automate security tasks. Playbooks are the most beneficial feature. We can create a playbook. We can get visibility on incidents.

We can also analyze user behavior and understand whether it is a true positive or a false positive. We have so many false positives these days in security, so it's nice when we can put things in the block list. We can perform investigations. The product can be integrated with third-party tools.

The solution is complicated to learn. Customers find it difficult to learn how the solution works. We need professionals to learn and understand how the tool works to expand it further. Our customers want to see more use cases. They want to have more facilitations and more visibility on how it works. We need more skilled people inside and outside the team to understand how it works. It’s difficult to find skilled people to understand how the tool works.

The solution is suitable for enterprise businesses.

We can send an email to the online support portal. We can contact Palo Alto engineers immediately and open a ticket. The engineers will take care of the issue depending on the severity level of the ticket.

Positive

The initial setup is really easy. We just have to order it. When we have the tool, someone from Palo Alto will provide us with the account information. After that, we must set up the users, customers, and resellers. We can do onboarding immediately. The deployment takes one or two days.

Whether the product is cheap or expensive depends on the company and how much they are willing to spend on security. Nowadays, security is important. The solution is not suitable for small businesses. It is better suited for medium and enterprise businesses because it starts with 200 endpoints.

SentinelOne is an endpoint protection tool. However, Palo Alto gives us more security features.

I work with a distributor. I recommend the product to my customers. I'm really satisfied with the tool. It's a very nice tool. It can work and give us what we need. We just need to be patient and learn how it works. The incidents can be handled very easily. Overall, I rate the product a nine out of ten.

We primarily use the solution for network inspection.

The solution works well.

It’s easy to install.

It’s stable.

The solution can scale as needed.

The stability could be better.

The integration could be better. Cortex, for example, does not work with iPhone.

I’ve been using the solution for less than one year.

Right now, it’s been stable for us. We may consider something from Microsoft in the future. It’s possible it could be more stable.

The solution is quite scalable. If a company needs to expand it, it can do so.

At the moment, we don’t actually get support from Palo Alto as we’ve never needed any help. I can’t say how helpful or responsive they would be.

We’ve also worked with CrowdStrike. We switched as we weren’t happy with their detection capabilities.

The installation is very easy to set up. It’s not overly complex or difficult.

The deployment took less than a week. I recall we had it up and running within a couple of days.

In our case, we went to a consultant for installation assistance. However, a company might likely be able to handle it on its own.

I can’t speak to the exact cost of the solution.

This is a SaaS product.

I’d rate the solution nine out of ten.

We have a lot of playbooks. It makes our SOC operations easy.

Our response has become very fast. We are able to achieve SLAs faster.

The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.

The tool’s multi-tenancy feature must be improved. The user interface must be made a little bit easier.

I have been using the solution for two years. I am using the latest version of the solution.

I rate the tool’s stability a ten out of ten.

The tool is highly scalable. I rate the scalability an eight out of ten. There are ten users in our organization. The solution is used 24/7. We have a plan to increase the usage.

We had some issues with the professional services. The team should not waste time and close the projects quickly.

Positive

I rate the ease of setup an eight out of ten. The initial setup was straightforward. There were issues during integration. We found a lot of challenges in it. It should be improved. The deployment took around two weeks. Developing the playbooks took a long time. It could take a month or more.

We deployed two main servers in the primary and secondary locations. We started the integration with a couple of technologies. During the third phase, we started working with the playbook development. After that, we started with the notifications and email templates. Finally, we did the test phase. We needed only one person for deployment and maintenance.

The solution is expensive. I rate the pricing a nine out of ten. There are no additional costs associated with the product. The license renewal cost increased this year.

We reviewed other solutions, but we did not choose them. We chose XSOAR because it is the market leader. Some friends who used the solution recommended it. We also considered the Gartner report.

The product is perfectly suitable for enterprise customers. We can achieve whatever playbooks we want to deploy. The stability is really good. We need the right professional services person who can finish the project on time. Overall, I rate the tool a nine out of ten.

Our company uses the solution for security management and threat response. 

Many different playbooks are available and can be customized. 

Integrations with other applications are challenging and need to be improved. 

Reports or issues are often duplicated. 

The solution requires DV but does not support open-source DV elastic searches. 

I have been using the solution for seven months. 

The solution has stability issues from the performance side and often duplicates reports or issues.

The solution is not a Palo Alto product so technical support is inadequate. 

There is not a big focus on support for the solution so it takes a lot of time to receive responses for issues. 

The setup might not be easy because it requires official customers. 

Our company received technical support during installation.

The solution is based on an annual licensing model that is expensive. 

The solution is a good product that would be even better if technical support is improved and prices are discounted. 

Support is very important because there is a lot of follow up after implementations to properly manage changes and issues. 

I rate the solution a six out of ten.