DayaramGoyal - PeerSpot reviewer
Vice President, Technology at Cache Digitech Pvt Ltd.
Reseller
Top 5
Offers automation but requires enhancements for intuitive configuration
Pros and Cons
  • "Palo Alto Networks Cortex XSOAR is a good product with enhanced and efficient playbooks, as demonstrated during our use case simulations."
  • "It was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider."

What is our primary use case?

We are more of an SI and reseller, not really acting as a customer ourselves. We are reselling Palo Alto Networks Cortex XSOAR and SentinelOne. We are dealing with all Palo Alto products and with firewalls in general, including Fortinet, Palo Alto, Check Point, and Cisco.

When these services go live, we will see their full potential. I am dealing with Palo Alto products such as firewalls and SASE, which we have proposed to multiple customers, and we have positioned Palo Alto Networks Cortex XSOAR for a few customers.

The customer was already using Micro Focus, which provided a bundle with their SIEM and SOAR product, requiring a lot of manual work and configuration. To replace that, we are positioning Palo Alto Networks Cortex XSOAR, which can be used in the SOC and do a lot of automation for the customer, but it was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider.

What is most valuable?

Palo Alto Networks Cortex XSOAR is a good product with enhanced and efficient playbooks, as demonstrated during our use case simulations. We have implemented automation features, such as automated responses to email threats and automatic configuration of target devices for blocking specific IPs.

The analytics feature in Palo Alto Networks Cortex XSOAR is impressive. The solution is quite exhaustive regarding integrations, with many pre-integrations available, especially for market-leading products. There might be challenges with Make-in-India products, as they tend not to build the necessary connectors. This depends on whether you are selling to enterprises or other customers. For government customers, you might encounter many Indian products, such as firewalls, which could pose integration challenges unless you have open APIs. However, for market-leading products, there are ready-made integrations available.

What needs improvement?

To improve the solution, it needs to have complete features that are low-code, no-code, and plug-and-play. We need to see improvements in that area to facilitate cyber analysts' work.

For how long have I used the solution?

Currently, we are not using it in-house; however, we have explored whether we should create our next-generation SOC using IBM QRadar, Elastic, or maybe some other product such as Fortinet.

How are customer service and support?

The technical support provided by Palo Alto Networks Cortex XSOAR is good. I would rate their support around nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Compared with Micro Focus, which was offering bundles that made the SOAR free with their SIEM, the choice for customers is zero versus $20 million, which is why they have to make a decision.

Which other solutions did I evaluate?

We are considering Splunk, which has a good market presence in the niche. Second is QRadar, which also has a good market presence, but the future with IBM is uncertain. Third is Elastic, which is doing great now as they have formed some partnerships; it will be a good product providing these kinds of services in the future.

What other advice do I have?

We act as an SI with tie-ups with different EDR vendors. We are providing Palo Alto Networks Cortex XSOAR and SentinelOne as our main products.

We have given certain POCs, but we are not using it in-house. We are evaluating different products for our next-generation SOC, considering market conditions and pricing as key factors.

I found it easy to use and configure at the time of evaluation. I have not seen how the machine learning models help prioritize alerts, but this will be evaluated when shown to customers.

I would recommend Palo Alto Networks Cortex XSOAR for big companies only because it may be costly, so small companies will not adopt it unless they have a clear mindset to proceed with this product for specific reasons. It is easy to integrate within existing systems, especially with third-party solutions.

Based on my experience, I would rate Palo Alto Networks Cortex XSOAR a six out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
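
The automation the reviewer describes above, a playbook pushing IP blocks onto target devices, is the step where a SOAR can do damage fastest if a feed is wrong. The following is an added example for this page, not the reviewer's, Palo Alto's or Cortex XSOAR's code: it shows the guard rails a practitioner would want in front of that step. The allowlist, the never-block ranges, the per-run ceiling and the PAN-OS-style command text are all assumptions made for illustration.

```python
"""
Guard rails for an automated "block these IPs on the perimeter" playbook step.
Added example for this page, not Cortex XSOAR or Palo Alto code. The allowlist,
the never-block ranges and the PAN-OS-style command text are assumptions.
"""
import ipaddress
from typing import Iterable

# Assumed: infrastructure that must never be auto-blocked, however bad a feed says it is.
ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),  # our own public egress range (constructed)
    ipaddress.ip_network("203.0.113.53/32"),  # upstream DNS resolver (constructed)
]

# Explicit policy rather than library heuristics: internal, loopback, link-local,
# multicast and reserved space is never a sensible perimeter block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blockable(candidate: str) -> bool:
    """True only for a syntactically valid address outside every excluded range."""
    try:
        ip = ipaddress.ip_address(candidate.strip())
    except ValueError:
        return False  # garbage from a feed, or a hostname that slipped through
    return not any(ip in net for net in NEVER_BLOCK + ALLOWLIST)


def build_block_plan(candidates: Iterable[str], max_per_run: int = 50) -> dict:
    """Dedupe, filter and either emit firewall commands or stop and ask a human."""
    block, skip, seen = [], [], set()
    for raw in candidates:
        ip = raw.strip()
        if ip in seen:
            continue
        seen.add(ip)
        (block if is_blockable(ip) else skip).append(ip)
    if len(block) > max_per_run:
        # Circuit breaker: a sudden flood of "malicious" IPs is more often a broken
        # or poisoned feed than a real attack, and automation should not outrun that.
        return {"action": "hold_for_human", "block": [], "skip": skip + block, "commands": []}
    commands = []
    for ip in block:
        prefix = 32 if ipaddress.ip_address(ip).version == 4 else 128
        name = "blk-" + ip.replace(".", "-").replace(":", "-")
        # Shape follows PAN-OS address-object CLI; the exact syntax is an assumption here.
        commands.append(f"set address {name} ip-netmask {ip}/{prefix}")
    return {"action": "block", "block": block, "skip": skip, "commands": commands}


if __name__ == "__main__":
    # Constructed input: the indicator list a phishing-response playbook might hand over.
    plan = build_block_plan(["192.0.2.10", "10.0.0.5", "192.0.2.10 ", "198.51.100.7",
                             "not-an-ip", "2001:db8::1"])
    for line in plan["commands"]:
        print(line)
```

The two design points worth carrying into any real playbook are the explicit exclusion policy (written down, reviewable, and independent of whichever library heuristics happen to be current) and the ceiling that converts an unexpectedly large block list into a human decision instead of a firewall change.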
Enterprise Security Architect V at FirstEnergy
Real User
Top 5
Customization supports seamless workflow while data influx challenges response time
Pros and Cons
  • "What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali."
  • "One of the significant issues we encounter is system slowdown when we receive an influx of alerts, which inhibits how quickly we can access the information needed for investigation."

What is our primary use case?

We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which lets us see how long it takes us to investigate and mitigate any threats.

What is most valuable?

What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali. I can create various custom automations and custom fields. There is significant customization ability in this platform. If I already have an established process, I do not have to change my process to fit into the tool. I can modify the tool to fit into my process, which makes things considerably easier.

All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools. This serves as our central location where our SOC analysts can work and determine if incident response is needed. The platform provides data enrichment capabilities, offering information upfront so analysts do not have to search for it. They can access details such as username, phone number, email address, and workplace information. For malware files, they can retrieve details from VirusTotal, including file names and environment presence. We have built substantial automation around these features, which also helps us track case metrics, investigation time, and threat mitigation duration.

What needs improvement?

For Palo Alto Networks Cortex XSOAR, there is always room for improvement. One of the significant issues we encounter is system slowdown when we receive an influx of alerts, which inhibits how quickly we can access the information needed for investigation.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR since 2018, for about seven years.

What do I think about the stability of the solution?

I would rate the stability of Palo Alto Networks Cortex XSOAR a six out of ten.

What do I think about the scalability of the solution?

The scalability of Palo Alto Networks Cortex XSOAR supports our growth and security needs because we can integrate various tools and continuously add more capability. Whatever we can envision with this tool, we can implement. We have not reached a limit on the amount of items we can have in the platform. We manage scaling effectively. Though we experience slowdowns during simultaneous operations, once we get through that period, performance returns to normal and we can process things quickly. There does not seem to be any limitation on the amount of data or alerts we put through the platform.

How are customer service and support?

I follow up with Palo Alto Networks Cortex XSOAR support when issues occur. Their support has been better than Anomali's and they are more responsive. The main challenge we encounter with their support is that their engineers, who handle escalated issues, are located in the Middle East. We often need to accommodate their time zone for meetings. I would rate their support a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment of Palo Alto Networks Cortex XSOAR started on-premises and then moved to the cloud. The on-premises deployment was very simple, using a standard shell file. The setup instructions are straightforward: you execute the shell file on the server, agree to terms, and fill in some data points such as passwords. After completing these guided questions and steps, the installation is automated. You do not have to intervene, and it spins up and starts itself. The process is painless to set up.

What other advice do I have?

My advice would be to understand your use cases and ensure this solution addresses them. Test it against other products in the market. Whatever you can envision, you can probably implement. The platform is very supportive of different integrations and tools. I would suggest learning Python or having someone with Python understanding as they develop things in the platform. Having a code-based background is beneficial as the platform is very code-centric for the playbooks. Having that background or at least logic could be helpful. I rate Palo Alto Networks Cortex XSOAR nine out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
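
The review above describes a pipeline rather than a product feature: alerts from several SIEMs and a TIP land in one queue, analysts get user and file-reputation context attached before they open a case, and the case carries its own timing metrics. It also names the failure mode, a slowdown when alerts arrive in bulk. The following is an added example for this page, not the reviewer's or Cortex XSOAR's code, in Python because the reviewer notes the platform's playbooks are Python-centric. It shows one way to structure that intake so repeat sightings of the same file on the same user collapse into a single case (fewer items to render and work under load) while still being counted as evidence. The alert shapes, the directory and reputation tables, the severity thresholds and the timestamps are all constructed.

```python
"""
Intake, coalescing and enrichment for a central case queue, modelled on the
workflow the review above describes (several SIEMs and a TIP feeding one place,
analysts getting user and file-reputation context up front, case timings tracked).
Added example for this page, not Cortex XSOAR code. The alert shapes, lookup
tables, thresholds and timestamps are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed alerts as three different sources might forward them; the field
# names deliberately disagree, as they do when multiple SIEMs feed one queue.
RAW_ALERTS = [
    {"source": "siem-a", "ts": "2024-05-01T10:00:00Z", "user": "jdoe", "sha256": "a" * 64, "host": "ws-101"},
    {"source": "siem-b", "ts": "2024-05-01T10:00:20Z", "username": "jdoe", "file_hash": "A" * 64, "hostname": "ws-101"},
    {"source": "tip", "ts": "2024-05-01T10:01:00Z", "user": "asmith", "sha256": "b" * 64, "host": "ws-202"},
    {"source": "siem-a", "ts": "2024-05-01T10:05:00Z", "user": "jdoe", "sha256": "a" * 64, "host": "ws-303"},
]
# Constructed stand-ins for a directory lookup and a file-reputation service.
DIRECTORY = {
    "jdoe": {"email": "jdoe@example.com", "phone": "+1-555-0100", "dept": "Finance"},
    "asmith": {"email": "asmith@example.com", "phone": "+1-555-0101", "dept": "Engineering"},
}
REPUTATION = {"a" * 64: {"malicious": 57, "engines": 72}, "b" * 64: {"malicious": 0, "engines": 70}}
# Constructed: when the analyst picked the queue up.
TRIAGED_AT = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)


def normalize(raw: dict) -> dict:
    """Map each source's field names onto one schema so later steps are source-agnostic."""
    return {
        "source": raw["source"],
        "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": raw.get("user") or raw.get("username"),
        "sha256": (raw.get("sha256") or raw.get("file_hash") or "").lower(),
        "host": raw.get("host") or raw.get("hostname"),
    }


def coalesce(alerts) -> list:
    """One case per (hash, user) instead of one per alert: repeat sightings become
    evidence on the case rather than more items in the queue."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["sha256"], a["user"])].append(a)
    cases = []
    for (sha, user), group in groups.items():
        group.sort(key=lambda a: a["ts"])
        cases.append({
            "sha256": sha, "user": user,
            "first_seen": group[0]["ts"], "last_seen": group[-1]["ts"],
            "alert_count": len(group),
            "hosts": sorted({a["host"] for a in group}),
            "sources": sorted({a["source"] for a in group}),
        })
    return cases


def enrich(case: dict) -> dict:
    """Attach what the analyst would otherwise look up by hand, then rate severity."""
    rep = REPUTATION.get(case["sha256"], {"malicious": 0, "engines": 0})
    ratio = rep["malicious"] / rep["engines"] if rep["engines"] else 0.0
    case["user_info"] = DIRECTORY.get(case["user"], {})
    case["reputation_ratio"] = round(ratio, 3)
    if ratio >= 0.5 and len(case["hosts"]) > 1:
        case["severity"] = "critical"  # known-bad file already on more than one host
    elif ratio >= 0.5:
        case["severity"] = "high"
    elif ratio > 0:
        case["severity"] = "medium"
    else:
        case["severity"] = "low"
    return case


def triage(raw_alerts, triaged_at: datetime) -> list:
    """Full pipeline plus the per-case timing metric the review tracks."""
    cases = [enrich(c) for c in coalesce(normalize(r) for r in raw_alerts)]
    for c in cases:
        c["seconds_to_triage"] = int((triaged_at - c["first_seen"]).total_seconds())
    return sorted(cases, key=lambda c: c["first_seen"])


def run() -> list:
    return triage(RAW_ALERTS, TRIAGED_AT)


if __name__ == "__main__":
    for c in run():
        print(c["severity"], c["user"], c["alert_count"], c["hosts"], c["seconds_to_triage"])
```

On the constructed input, the three jdoe alerts from two SIEMs become one critical case showing the same file on two hosts, and the asmith alert stays a single low case; the queue holds two items instead of four, and each carries how long it waited before an analyst got to it.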