My main use case for Palo Alto Networks Cortex XSOAR is automation and running playbooks. It is providing connectors to automate and stop security incidents on our network. I can share a specific situation where I used Palo Alto Networks Cortex XSOAR to automate and stop a security incident. We already have XCM from Palo Alto on the cloud and we have implemented Palo Alto Networks Cortex XSOAR to automate our SOC operations. Whenever we have a security incident, the playbooks we have already set on Palo Alto Networks Cortex XSOAR run and provide powerful automation to stop any security incident. For example, with phishing attempts, after integrating with Palo Alto Networks Cortex XSOAR and our email gateway, we can stop phishing and delete the user and stop the user on Active Directory. This change is very useful for my SOC team as it reduces time and provides a fast response to the incident. That is really helpful.
We are more of a SI and reseller, not really acting as a customer ourselves. We are reselling Palo Alto Networks Cortex XSOAR and SentinelOne. We are dealing with all Palo Alto products, related to firewalls, including Fortinet, Palo Alto, Check Point, and Cisco. When these services go live, we will see their full potential. I am dealing with Palo Alto products such as firewalls and SASE, which we have proposed to multiple customers, and we have positioned Palo Alto Networks Cortex XSOAR for a few customers. The customer was already using Micro Focus, which provided a bundle with their SIEM and SOAR product, requiring a lot of manual work and configuration. To replace that, we are positioning Palo Alto Networks Cortex XSOAR, which can be used in the SOC and do a lot of automation for the customer, but it was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider.
We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which helps us leverage how long it takes us to investigate and mitigate any threats.
The primary use case for Cortex XSOAR is as an orchestration automation platform. I use it to execute automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies. It involves incident orchestration and automation in the selection of security analysts to be involved in event handling.
We automate security processes, particularly SOC automation, for our clients using Cortex XSOAR. We implement these processes for major companies in Portugal.
Cyber Security Analyst at Altisec Technologies Pvt Ltd
Real User
Top 5
Sep 24, 2024
I have created a couple of playbooks for a few clients using Cortex XSOAR. For example, we created a phishing playbook that checks the reputation of IP addresses or URLs using various reputation checker platforms. We've integrated Firepower Threat Defense, as well as Aviso IPTP and Cisco Talos for comparing the results. These were some of the use cases we worked on.
Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
I have worked on multiple use cases related to network security and cybersecurity. In network security, I've created multiple playbooks to fetch data from multiple firewalls. We can also upgrade them in parallel to Axon. Apart from that, we can block URLs and IPs in real time. It takes less than five minutes to block something. You don't have to push a policy or create a rule on the firewall directly. You just upload the IOC (Indicator of Compromise), URL, or IP into a SharePoint sheet, and it gets blocked within five minutes. Those are the kinds of use cases I've created. In addition, we've automated several tasks, including Nikto vulnerability scans and SOCL (Security Orchestration, Automation, and Response) tasks. We've also created multiple threat intelligence playbooks, fetching data through the MITRE framework and following compliances like HIPAA. It's a very good tool.
The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.
Senior Cybersecurity Engineer (Security Operations & Engineering) at a manufacturing company with 10,001+ employees
Real User
Jan 3, 2024
It is a security orchestration and automation tool. It basically lets us automate and orchestrate tasks across all your security tools. Imagine integrating our vulnerability management tool with XSOAR. For example, we get a ServiceNow ticket requesting a scan for a specific server before it goes live. XSOAR can trigger that scan automatically, streamlining the entire process. That's the power of XSOAR—automating repetitive tasks and freeing up your security team for more strategic work.
Cybersecurity incident response team lead at Information Technology Solutions- ITS
Real User
Sep 29, 2023
As an integrator, I have used Palo Alto Networks Cortex XSOAR in various customer environments for a wide range of purposes. This includes improving IT security, streamlining operations, automating incident response actions, creating playbooks with approvals, and enhancing integrations with different security tools. In essence, Cortex XSOAR serves as a versatile platform that helps address multiple cybersecurity and operational needs in organizations.
Cortex XSOAR is standard. We deploy it on the desktops, monitor the events, and ensure the endpoints stay clean and inoculated. The client is a retail company with salespeople on the floor and roving notebooks that employees bring with them to various locations. We needed a solution that allows us to protect those endpoints no matter where they are. We deployed them through Active Directory using a group policy system. Customers don't always have endpoints that are part of their Active Directory, but we had to have them enrolled for it to work right. We push them out through a group policy and manage them through the console. There are about 600 users spread out across three locations and six dealerships.
XSOAR is the cherry on top of Cortex XDR. It provides you with the ability to make a lot of response actions to your incidents. Cortex XDR is collecting an incident, and Cortex XSOAR is providing you the ability to remediate it. When the customers need the ability to remediate incidents, for example, antivirus or network security issues, some SIEM solution, et cetera, yet need to integrate everything, they can use the power of the platform without needing different solutions. Cortex XSOAR will give you the ability to integrate For example, if some endpoint was infected in your infrastructure, you need to do something about that. XSOAR provides you the ability to understand how that endpoint was infected and to do something with that. Cortex XSOAR will go to the firewall and block the IP address of this endpoint. Cortex XSOAR will go to the domain and disable the user as well. Then it will go to some other solution and will do something there. It is a variety of actions based on the incidents.
Cybersecurity Cyber Crime Infrastructure Engineer & Investigator at a government with 5,001-10,000 employees
Real User
Nov 11, 2021
We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing. Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.
Splunker, Networking and E-Mail Security Architect, Engineer and Guru at a healthcare company with 10,001+ employees
Real User
Sep 8, 2021
We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.
Vice President Global Technology Infrastructure Automation at a financial services firm with 10,001+ employees
Real User
Jul 2, 2021
We use Palo Alto as a firewall, a system for detecting and whitelisting certain IP addresses or to block certain IP addresses based on where they're coming from. We then send the logs to another log management tool for more forensics and analysis before we make a decision. We're basically using Palo Alto for firewalling and sending those logs to another security monitoring tool to make decisions based on analytics that it provides us.
Consultant at a tech services company with 501-1,000 employees
Reseller
Jun 4, 2021
We are using this solution to have a completely organized SOC from a list of devices in our environment. We are able to manage all of our devices, such as firewalls and endpoint protection solutions.
I primarily pitch and sell this solution to our customers. We do product assessments and consult with customers for the most part. Clients can use it for automation.
Network Security Engineer at a tech services company with 201-500 employees
Real User
Nov 4, 2020
The use cases basically came from the customers. Most of the time, the major concern is from a security perspective because various kinds of attacks are happening. To restrict or stop those attacks, we are building playbooks. We are also automating repetitive tasks. We are using on-premise as well as cloud deployments.
Palo Alto Networks delivers a complete solution that helps Tier-1 through Tier-3 analysts and SOC managers to optimize the entire incident life cycle while auto documenting and journaling all the evidence. More than 100+ integrations enable security orchestration workflows for incident management and other critical security operation tasks.
Palo Alto Networks Cortex XSOAR is a piece of Security Orchestration, Automation, and Response software that redefines what it means for a program to...
My main use case for Palo Alto Networks Cortex XSOAR is automation and running playbooks. It is providing connectors to automate and stop security incidents on our network. I can share a specific situation where I used Palo Alto Networks Cortex XSOAR to automate and stop a security incident. We already have XCM from Palo Alto on the cloud and we have implemented Palo Alto Networks Cortex XSOAR to automate our SOC operations. Whenever we have a security incident, the playbooks we have already set on Palo Alto Networks Cortex XSOAR run and provide powerful automation to stop any security incident. For example, with phishing attempts, after integrating with Palo Alto Networks Cortex XSOAR and our email gateway, we can stop phishing and delete the user and stop the user on Active Directory. This change is very useful for my SOC team as it reduces time and provides a fast response to the incident. That is really helpful.
We are more of a SI and reseller, not really acting as a customer ourselves. We are reselling Palo Alto Networks Cortex XSOAR and SentinelOne. We are dealing with all Palo Alto products, related to firewalls, including Fortinet, Palo Alto, Check Point, and Cisco. When these services go live, we will see their full potential. I am dealing with Palo Alto products such as firewalls and SASE, which we have proposed to multiple customers, and we have positioned Palo Alto Networks Cortex XSOAR for a few customers. The customer was already using Micro Focus, which provided a bundle with their SIEM and SOAR product, requiring a lot of manual work and configuration. To replace that, we are positioning Palo Alto Networks Cortex XSOAR, which can be used in the SOC and do a lot of automation for the customer, but it was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider.
We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which helps us leverage how long it takes us to investigate and mitigate any threats.
The primary use case for Cortex XSOAR is as an orchestration automation platform. I use it to execute automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies. It involves incident orchestration and automation in the selection of security analysts to be involved in event handling.
We automate security processes, particularly SOC automation, for our clients using Cortex XSOAR. We implement these processes for major companies in Portugal.
I have created a couple of playbooks for a few clients using Cortex XSOAR. For example, we created a phishing playbook that checks the reputation of IP addresses or URLs using various reputation checker platforms. We've integrated Firepower Threat Defense, as well as Aviso IPTP and Cisco Talos for comparing the results. These were some of the use cases we worked on.
I have worked on multiple use cases related to network security and cybersecurity. In network security, I've created multiple playbooks to fetch data from multiple firewalls. We can also upgrade them in parallel to Axon. Apart from that, we can block URLs and IPs in real time. It takes less than five minutes to block something. You don't have to push a policy or create a rule on the firewall directly. You just upload the IOC (Indicator of Compromise), URL, or IP into a SharePoint sheet, and it gets blocked within five minutes. Those are the kinds of use cases I've created. In addition, we've automated several tasks, including Nikto vulnerability scans and SOCL (Security Orchestration, Automation, and Response) tasks. We've also created multiple threat intelligence playbooks, fetching data through the MITRE framework and following compliances like HIPAA. It's a very good tool.
The SOC team needs the tool to understand the network and determine why an incident happens. The tool helps understand user behavior and helps with threat hunting.
It is a security orchestration and automation tool. It basically lets us automate and orchestrate tasks across all your security tools. Imagine integrating our vulnerability management tool with XSOAR. For example, we get a ServiceNow ticket requesting a scan for a specific server before it goes live. XSOAR can trigger that scan automatically, streamlining the entire process. That's the power of XSOAR—automating repetitive tasks and freeing up your security team for more strategic work.
We have a lot of playbooks. It makes our SOC operations easy.
As an integrator, I have used Palo Alto Networks Cortex XSOAR in various customer environments for a wide range of purposes. This includes improving IT security, streamlining operations, automating incident response actions, creating playbooks with approvals, and enhancing integrations with different security tools. In essence, Cortex XSOAR serves as a versatile platform that helps address multiple cybersecurity and operational needs in organizations.
The solution is used for security.
We use the solution for incident orchestration.
The product can be used for securing endpoints from various types of attacks, threat incidents, and malware attacks.
We use the solution to create playbooks for all the operational programs.
I work for a company, and we provide support and complete end-to-end management of the product for our customers who hold the product.
Our primary use case for the solution is customization and integration with Microsoft infrastructure.
Our company uses the solution for security management and threat response.
Cortex XSOAR is standard. We deploy it on the desktops, monitor the events, and ensure the endpoints stay clean and inoculated. The client is a retail company with salespeople on the floor and roving notebooks that employees bring with them to various locations. We needed a solution that allows us to protect those endpoints no matter where they are. We deployed them through Active Directory using a group policy system. Customers don't always have endpoints that are part of their Active Directory, but we had to have them enrolled for it to work right. We push them out through a group policy and manage them through the console. There are about 600 users spread out across three locations and six dealerships.
Our primary case issues are phishing, TI, and sensors.
XSOAR is the cherry on top of Cortex XDR. It provides you with the ability to make a lot of response actions to your incidents. Cortex XDR is collecting an incident, and Cortex XSOAR is providing you the ability to remediate it. When the customers need the ability to remediate incidents, for example, antivirus or network security issues, some SIEM solution, et cetera, yet need to integrate everything, they can use the power of the platform without needing different solutions. Cortex XSOAR will give you the ability to integrate For example, if some endpoint was infected in your infrastructure, you need to do something about that. XSOAR provides you the ability to understand how that endpoint was infected and to do something with that. Cortex XSOAR will go to the firewall and block the IP address of this endpoint. Cortex XSOAR will go to the domain and disable the user as well. Then it will go to some other solution and will do something there. It is a variety of actions based on the incidents.
It is a help desk ticketing tool. It's a sought platform, however, it is just a help desk ticketing tool.
We primarily use the solution for network inspection.
My primary use for Palo Alto Networks Cortex XSOAR is to protect the workstation for the end-users.
I mainly use Cortex XSOAR to automate cybersecurity and the SOC environment.
I'm using Cortex XSOAR to manage our network security.
We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing. Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.
We use Palo Alto Networks Cortex XSOAR for several areas of security automation, such as phishing, investigating, mitigating, the detection of impossible travel, and consolidating threat information for our internal systems.
We use Palo Alto as a firewall, a system for detecting and whitelisting certain IP addresses or to block certain IP addresses based on where they're coming from. We then send the logs to another log management tool for more forensics and analysis before we make a decision. We're basically using Palo Alto for firewalling and sending those logs to another security monitoring tool to make decisions based on analytics that it provides us.
We are using this solution to have a completely organized SOC from a list of devices in our environment. We are able to manage all of our devices, such as firewalls and endpoint protection solutions.
I primarily pitch and sell this solution to our customers. We do product assessments and consult with customers for the most part. Clients can use it for automation.
We primarily use the solution for automation and the orchestration of security.
The use cases basically came from the customers. Most of the time, the major concern is from a security perspective because various kinds of attacks are happening. To restrict or stop those attacks, we are building playbooks. We are also automating repetitive tasks. We are using on-premise as well as cloud deployments.
We are a solution provider and this is one of the products that we are selling to our clients.