Palo Alto Networks Cortex XSOAR Reviews

We have a lot of playbooks. It makes our SOC operations easy.

Our response has become very fast. We are able to achieve SLAs faster.

The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.

The tool’s multi-tenancy feature must be improved. The user interface must be made a little bit easier.

I have been using the solution for two years. I am using the latest version of the solution.

I rate the tool’s stability a ten out of ten.

The tool is highly scalable. I rate the scalability an eight out of ten. There are ten users in our organization. The solution is used 24/7. We have a plan to increase the usage.

We had some issues with the professional services. The team should not waste time and close the projects quickly.

Positive

I rate the ease of setup an eight out of ten. The initial setup was straightforward. There were issues during integration. We found a lot of challenges in it. It should be improved. The deployment took around two weeks. Developing the playbooks took a long time. It could take a month or more.

We deployed two main servers in the primary and secondary locations. We started the integration with a couple of technologies. During the third phase, we started working with the playbook development. After that, we started with the notifications and email templates. Finally, we did the test phase. We needed only one person for deployment and maintenance.

The solution is expensive. I rate the pricing a nine out of ten. There are no additional costs associated with the product. The license renewal cost increased this year.

We reviewed other solutions, but we did not choose them. We chose XSOAR because it is the market leader. Some friends who used the solution recommended it. We also considered the Gartner report.

The product is perfectly suitable for enterprise customers. We can achieve whatever playbooks we want to deploy. The stability is really good. We need the right professional services person who can finish the project on time. Overall, I rate the tool a nine out of ten.

From the security team's standpoint, the solution has improved our organization's overall cybersecurity.

The price of the solution could be improved.

I have been using the solution for the past three and a half years.

I rate the stability of the tool as a ten out of ten.

I rate the scalability of the solution as an eight out of ten.

We haven’t used technical support yet.

The initial setup was not complex. 

Overall, I would rate the product as an eight out of ten.

Our primary use case for the solution is customization and integration with Microsoft infrastructure.

Its agility and scalability are valuable.

Customization and performance can be improved. For example, some formats were incompatible when integrating, and they said we needed to work with the vendor to fix this issue because some logs that AVA logs were not compatible, and it did not readily recognize the format. Most of the time, I heard this as feedback. The formats are not compatible, are readily not available, and are not readable. Then we had to work it and write it manually.

We have been using the solution for over five years.

The solution is stable.

The solution is scalable. Internally, there are around ten to 12 people who use it. However, I am unsure of the exact number of external users.

The solution is priced reasonably.

I rate the solution a seven out of ten. The solution is good, but its performance and customization can be improved. I advise new users to understand their use cases. For example, suppose somebody is starting with highly customizable options and wants more agility to go to a micro level. In that case, I will still recommend people start with XSOAR, understand the environment, and then go to Sentinel. But it could also be done differently. It depends on the company's objective, so if you look at it as we started with Cortex a couple of years before. And now, looking forward and at compelling factors, we are moving to Microsoft. 

We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. 

Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.

Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.

Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker.

When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.

Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.

The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.

In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening.

From an analyst perspective, it's not that hard to use. From a developer, it takes a little while in order to get to understand exactly how one would go about creating a playbook. The automation part is not that hard. It's relatively easy. It's just creating the flowchart.

I have been using this solution for one and a half to two years. 

I have not had an issue with stability yet. 

It is scalable. If I noticed that there wasn't any impact in performance, then I'd simply launch another instance and then cluster them together in order to provide shared resources between the two in a cluster. If a particular integration is misbehaving because there aren't sufficient resources on the one instance that we currently have, then I can detach that instance or that integration from the instance into its own VM. That way it has enough resources on another VM in order to actually run that integration.

There are 15 investigators using this solution. 

In terms of increasing usage, we're looking at bringing in our audit vulnerability and assessment team and having them do their vulnerability assessments from within the platform. I'm going to have to reach out to them to get them to start looking at the vulnerability layout, the incident type, the playbook, and the Nessus connectors in order to be able to have them perform that through XSOAR and then follow up through XSOAR with regards to remediation.

Anytime I have any issues, I'll open up a TAC ticket and then they'll contact a customer support engineer and they'll hand it over to him.

From the aspect of the actual people that work in the technical support area, I would rate them an eight out of ten. I would rate it higher just for the technical aspect. 

We're taking what we have inside of our incident management system and building it into XSOAR. The way case management works now is completely different from the default case management system that is currently in XSOAR.

They wanted to free up the guy that was actually doing all of the work. For some reason, we decided we didn't want it in-house. As far as our in-house solution, it was built on CodeFusion and CodeFusion had a number of vulnerabilities that were identified in the last 15 years. They wanted to move away from that. In order to be able to move away from that, we had to find a solution that would allow us the customizability in order to be able to mimic what we already have.

The initial setup was straightforward. I had assistance with the pre-sales support engineer and the pre-sale support architect. Both helped me to get it set up. As far as our proof of concept, I had to prove that it was customizable enough in order to have it mimic what we already use because we already had a homegrown internal incident management system that we've been using for 15 years.

The initial setup took 90 days. As far as the proof of concept and to set up the first playbook, we ran into some issues where Palo Alto said that the EWS integration worked with on-prem and that we could actually do expungements in an automated fashion. It turned out not to be the case. That took approximately four and a half months to determine that it was not going to function the way it was stated that it would function within the EWS integration. I was hoping to have it done within six months, but it actually took a little over a year to get everything done and into production because of the couple of hiccups that we had with EWS.

I had to reach out to Microsoft and talk to their developers with regards to EWS on-prem and then contact the developers inside of Palo Alto which at first didn't want to talk to me, but I finally got them to talk to me, and then I got them to talk to each other and then came to find out that it doesn't really work.

That took four and a half months of trying to negotiate the communications between Microsoft and Palo Alto. Finally, I had to bypass the expungement enforcement action because there's no way we could do it with our on-prem devices. As far as that's concerned, that's a manual process. We have to send an email out to our Exchange team in order to get the expungement done.

We have seen ROI in the time spent on the investigations.

The pricing model could be better. When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000.

My boss thinks that it was a competitive price though compared to other solutions. My thoughts are we could have done a lot better with the price.

We evaluated Phantom, Siemplify, SOC 3D,  Swimlane, and a plethora of other solutions. 

Demisto led the field. At the time I was looking at it, it was Demisto. Palo Alto had not purchased it. When I started this endeavor, it was six years ago when Demisto was its own company, when Phantom was its own company, SOC 3D was still a company out of Israel, Siemplify was still a company out of Israel, but it was actually starting to set up its US operations. There were a number of other ones. Resilient was another one that I was looking at before they were picked up by IBM.

A lot of these didn't have what I needed, which was the ability to customize and the ability to integrate with a lot of vendors that we already have in-house. The two that came to the very top were Phantom and Demisto, and my final decision was to actually go with Demisto because Phantom was acquired by Splunk and I hate Splunk.

I was ready to buy, but my management was dragging its feet and they didn't want to loosen up the purse strings in order to make the purchase. But as soon as Palo Alto picked them up, then they were okay with it.

I would rate Palo Alto a nine out of ten. 

My advice would be to do the same type of research I did to ensure that it's the appropriate fit for your use case. If it's an organization that has an already existing incident management system, make sure that you can customize it so you can reduce the learning curve for your investigators in order to be able to transition from your old IMS over to the new IMS, which would be XSOAR.

That's the reason why I took so much time in order to ensure that the customization was there in order to allow me to mimic what we already had in IMS and transition that over to XSOAR. That way, the investigators had a lot less of a learning curve. The only learning curve they had was, "Here's the investigation tab. There's all the data that you need in order to make your verdict. Make your verdict." But as far as writing all the reports, call-down lists, and all that other stuff, that's all part of our original process that I transitioned over to XSOAR.

We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.

It reduces manual interactions of security analysts. Before they had to check on three, or four different websites to see if something was good or bad. Now, Cortex does all of that for us.

It is very easy to use.

It has an extensive list of integrations that are available out of the box which makes it easy to start.

I would love to see more flexibility on what we can display and design on the dashboards.

Palo Alto Networks Cortex XSOAR has been active for six months. 

We are always on the latest version.

Palo Alto Networks Cortex XSOAR is pretty stable.

It offers some architecture recommendations to make it really scalable if you choose.

For example, hot standby, bond standby, clustering, and breaking out components in dedicated servers. You can go wild if you want to go wild, but we wanted to keep it easy and stable.

Pretty much network security and SOC are the main users. I believe that we are licensed for 20 users.

We are definitely extensively using this solution. We are currently training many additional teams to be self-sufficient in usage. The usage will increase more and more.

With Palo Alto technical support, if you get to the right people, you get an answer very quickly. 

What I like about the Cortex team is that they have a dedicated select center where you can get service in minutes and that's extremely helpful.

Overall, I am satisfied with the technical support.

We evaluated two or three other vendors. 

We are a very big Palo Alto shop and we needed to have some Palo Alto features, which are implemented now in Cortex. We are pretty much guided in that direction for some of the security features we need for our firewalls.

I would say the initial setup was really straightforward. 

You need to be a little bit aware of Linux unless you buy the hosted version, then you don't need to know anything about it. If you decide you want to run it yourself, you should have some Linux skills because it's a Docker framework on Linux. Knowing a bit about that is handy.

It was up and running in half a day.

It only requires one person to maintain this solution. I do it myself along with many other tasks. In a larger environment, you split into two teams, OS maintenance and application maintenance.

We had help from Palo Alto SE resource for the PoC, but the setup was completed on our own.

We have a concurrent user license. 

The licensing is a pretty high price for a user license per year.

The base product is very cheap, you can even get it for free, but the fee per user is expensive. It is approx $10,000 or $20,000 per year for two user licenses.

It's a great product, although it might become very pricey if you need several user licenses.

They need to automate everything to reduce the number of user licenses needed. If it is an automated workflow, you don't need to be licensed.

If Cortex sends an email asking a user to say yes or no, you don't need a license for that user. You just need a user license if you want to improve what Cortex does in terms of workbooks, cases, and more.

We evaluated Splunk for six months and decided against it three to six months ago.

Have a very good understanding of what you want to automate. Define the process and make sure the integrations you need are available out of the box.

I would also suggest starting simple. Try easy use cases first and until you feel confident before you get into more complex use cases.

I would rate Palo Alto Networks Cortex XSOAR a nine out of ten.

We automate security processes, particularly SOC automation, for our clients using Cortex XSOAR. We implement these processes for major companies in Portugal.

Cortex XSOAR's playbook for incident management and automation is highly valuable. We develop Playbooks automation, centralize incident data, and try to enhance the efficiency of resolving incident cases. The platform's features focus on closing the incident lifecycle more quickly, managing incidents efficiently, and integration capabilities across security infrastructure.

The price of the solution could be lower. Companies utilizing this solution should have a well-developed cybersecurity team to maximize its benefits. It is more suited for large organizations rather than small or medium-sized companies.

We have been using Cortex XSOAR for three years.

The stability is rated eight out of ten, indicating it's quite stable without major issues.

Scalability is rated nine, reflecting its ability to scale effectively.

Our team has more experience with the solution than Palo Alto's technical support. Our experience initially showed that the Palo Alto implementation was not optimal, but this has improved over time.

Neutral

We previously used Fortinet. We have now shifted focus to Palo Alto, specifically relying on the Cortex XDR and Cortex XSOAR solutions.

The initial setup of Cortex XSOAR is simple.

Our internal team has been pivotal in implementing and solving issues with the solution.

The price of the solution is high and not justifiable for small or medium-sized companies without a developed cybersecurity team.

We moved from a primary focus on Fortinet to Palo Alto.

I would rate the overall solution eight out of ten as it is considered top-notch in the market. It is highly recommended, however, better suited for organizations with mature cybersecurity teams.

My primary use for Palo Alto Networks Cortex XSOAR is to protect the workstation for the end-users.

The most valuable features of Palo Alto Networks Cortex XSOAR are the remote controller from the workstation that can execute commands and isolate the systems outside of the network. Only the system with an internet connection can execute the task because the main console is in the cloud.

Palo Alto Networks Cortex XSOAR could improve the look, feel, and management of the cloud console. Additionally, the user could be more easily integrated.

I have been using Palo Alto Networks Cortex XSOAR for two years.

We have approximately 1,000 users using Palo Alto Networks Cortex XSOAR in our organization. The solution is scalable.

We only require one or two staff to deploy the agent of Palo Alto Networks Cortex XSOAR because it is very simple. One for the server and the other for the workstation.

The price of Palo Alto Networks Cortex XSOAR could be reduced. We are always looking for a discount. There is an annual license needed to use this solution.

I rate Palo Alto Networks Cortex XSOAR a ten out of ten.

I mainly use Cortex XSOAR to automate cybersecurity and the SOC environment.

To minimize manual tasks and increase level of automation. 

Cortex XSOAR drastically reduces trivial tasks inside the SOC environment, which provides a huge benefit for L1 analysts.

Cortex XSOAR's most valuable features are the playbooks, custom integration, the machine-learning model, and the layout, classifier, and mapper.

Corex XSOAR could be improved by reducing the time it takes to process large amounts of data and increasing the number of integrations. In the next release, Palo Alto should include popup features - for example, if someone is working on an incident, it should pop up and display in front of me once it's clicked.

4 years

Cortex XSOAR is very stable in our environment, and we haven't seen any platform issues with it.

Cortex XSOAR is scalable.

Palo Alto's support services require a lot of improvement.

I used Qradar SOAR . Cortex xsoar support is very good and contain lot of OOTB playbooks but comparatively qradar soar lack in OOTB Playbooks. 

The initial setup is very easy. Also in latest version platform is managed by Palo alto cloud itself and rest of the configuration is done from UI itself. 

So zero load in configuring platform. 

Cortex XSOAR's license price could be lower.

I would give Cortex SOAR a rating of eight out of ten.