What is our primary use case?
Our usual use cases for Palo Alto Networks Cortex XSOAR are basically security automation, where we write our different rules based on different security issues like intrusions, misuse, account takeover, and account management, such as identity and access management. Based on these events, we write the signatures in Python code for these particular events by connecting to upstream and downstream systems.
We use automation to create dashboards for security operations and link these dashboards to automations, which will have standard operating procedures linked for each use case, deployable at the discretion of the security analyst. This is mainly how we use Palo Alto Networks Cortex XSOAR.
The integration capabilities of Palo Alto Networks Cortex XSOAR with third-party tools enhance our security strategy as it works with 80% of the tools we have. Being a Palo shop, we have numerous Palo products like Palo Firewall, Palo CASB, and Palo Autofocus, in addition to regular third-party automations like ServiceNow. The integration is very good, especially with the addition of AI features that require little to no programming.
Before using Palo Alto Networks Cortex XSOAR, we did not have a single tool but used different custom-written tools, as we lacked a comprehensive solution. Previously, we wrote integrations on top of SIEM tools or other incident management tools such as ServiceNow automations. However, once we adopted Cortex XSOAR, we migrated all our workflows to it.
What is most valuable?
The most valuable features of Palo Alto Networks Cortex XSOAR, especially since we are leveraging it for automation, are the Playbooks feature, followed by the command and control screen feature that allows us to aggregate multiple dashboards and create custom dashboards based on different scenarios.
Regarding Playbook automation, I find it has helped streamline our incident response workflows significantly. Previously, manual incident reviews and actions took up a lot of time. Without dashboards and single pane of glass access, the security analyst had to handle multiple data sources, incident sources, and SOP documents, leading to more manual effort and increased potential for errors. All actions required manual tracking of logs and reviews to management. With Palo Alto Networks Cortex XSOAR Playbooks, we utilize standard inbuilt automations from Palo and can create our custom automations. We integrate multiple inbuilt playbooks and write our custom playbooks for incident management, taking inputs from incident sources such as SIEM and threat intelligence, aggregating them into dashboards, and enabling relevant automations for necessary changes, logging, or actions.
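An added illustration of the playbook flow described above (example code written for this page, not Cortex XSOAR's own automation code or API): a triage step in plain Python that ingests constructed SIEM alerts, joins them with a constructed threat-intelligence feed, suppresses allowlisted and duplicate alerts, scores what remains, and rolls the result up for a dashboard. All data, field names, weights and the de-duplication window are assumptions.

```python
"""
Added example (not Cortex XSOAR code): a playbook-style triage step in plain Python.
It mirrors the flow described in the review: take alerts from a SIEM, join them with
threat intelligence, score and de-duplicate them, and roll the result up for a dashboard.
All inputs below are constructed sample data; the field names are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> (confidence 0-100, tags)
THREAT_INTEL = {
    "203.0.113.10": (90, ["c2", "botnet"]),
    "198.51.100.7": (40, ["scanner"]),
}

# Constructed allowlist of internal scanners whose alerts are known benign
ALLOWLIST = {"10.0.0.5"}

# Constructed SIEM alerts (ISO timestamps); assumed field names
SIEM_ALERTS = [
    {"id": "a1", "ts": "2024-05-01T10:00:00", "category": "intrusion", "severity": 3,
     "src_ip": "203.0.113.10", "host": "web-01", "user": ""},
    {"id": "a2", "ts": "2024-05-01T10:02:00", "category": "intrusion", "severity": 3,
     "src_ip": "203.0.113.10", "host": "web-01", "user": ""},      # repeat of a1 inside window
    {"id": "a3", "ts": "2024-05-01T10:05:00", "category": "account_takeover", "severity": 2,
     "src_ip": "192.0.2.44", "host": "vpn-01", "user": "jdoe"},
    {"id": "a4", "ts": "2024-05-01T10:07:00", "category": "misuse", "severity": 1,
     "src_ip": "10.0.0.5", "host": "db-02", "user": "svc_scan"},   # allowlisted scanner
    {"id": "a5", "ts": "2024-05-01T11:30:00", "category": "intrusion", "severity": 2,
     "src_ip": "198.51.100.7", "host": "web-02", "user": ""},
]

# Assumed weights: account takeover is treated as the most business-relevant category
CATEGORY_WEIGHT = {"account_takeover": 2, "intrusion": 1, "misuse": 0, "iam": 1}
DEDUP_WINDOW = timedelta(minutes=10)


def enrich(alert, intel=THREAT_INTEL):
    """Attach threat-intel context (confidence and tags) to one alert."""
    conf, tags = intel.get(alert["src_ip"], (0, []))
    return {**alert, "intel_confidence": conf, "intel_tags": tags}


def score(alert):
    """Priority = SIEM severity + category weight + intel boost (0, 1 or 2)."""
    conf = alert["intel_confidence"]
    boost = 2 if conf >= 80 else 1 if conf >= 30 else 0
    return alert["severity"] + CATEGORY_WEIGHT.get(alert["category"], 0) + boost


def triage(alerts, intel=THREAT_INTEL, allowlist=ALLOWLIST):
    """Return (open_incidents sorted by priority, suppressed alert ids)."""
    open_incidents, suppressed = [], []
    last_seen = {}  # (category, src_ip, host) -> timestamp of the last kept alert
    for raw in sorted(alerts, key=lambda a: a["ts"]):
        a = enrich(raw, intel)
        ts = datetime.fromisoformat(a["ts"])
        key = (a["category"], a["src_ip"], a["host"])
        if a["src_ip"] in allowlist:            # known-benign source: drop as false positive
            suppressed.append(a["id"])
            continue
        if key in last_seen and ts - last_seen[key] <= DEDUP_WINDOW:
            suppressed.append(a["id"])          # same story within the window: fold into earlier alert
            continue
        last_seen[key] = ts
        a["priority"] = score(a)
        open_incidents.append(a)
    open_incidents.sort(key=lambda a: a["priority"], reverse=True)  # stable: ties keep time order
    return open_incidents, suppressed


def dashboard(incidents):
    """Roll-up for management: volume by category, most targeted hosts, top incident."""
    by_cat = Counter(i["category"] for i in incidents)
    targeted = Counter(i["host"] for i in incidents)
    return {"by_category": dict(by_cat), "top_hosts": targeted.most_common(3),
            "highest": incidents[0]["id"] if incidents else None}


if __name__ == "__main__":
    inc, sup = triage(SIEM_ALERTS)
    for i in inc:
        print(i["id"], i["priority"], i["category"], i["intel_tags"])
    print("suppressed:", sup)
    print(dashboard(inc))
```

On the constructed data the alert from the high-confidence indicator rises to the top, the repeat alert and the allowlisted scanner are suppressed rather than opened as incidents, and the roll-up gives the per-category counts and targeted hosts that the review says management asks for. In a real deployment the same steps would be playbook tasks with the SIEM and intel feeds as integrations, and the suppression rules would be tuned per environment.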
The machine learning models in Palo Alto Networks Cortex XSOAR help prioritize alerts in our organization, proving to be very important as they aid our incident processing. Given that many incidents require discretion from analysts due to their relevance to our business, the ML workflows eliminate a lot of false positives.
Palo Alto Networks Cortex XSOAR analytics features significantly impact our ability to gain insights and visibility into security, which is crucial for communicating with management. Management has different preferences for seeing the most frequent threats or identifying which particular systems are targeted by threat actors, making these analytics very useful.
What needs improvement?
I think the areas of Palo Alto Networks Cortex XSOAR that could be improved are mainly in UX. We have communicated with the vendor team about this, but they are prioritizing product functionality over usability because most target customers are technical and understand a primitive UI. They face difficulties in implementing UI changes as their team is stretched. Thus, the UI/UX of the tool needs significant improvement. There are plans on their roadmap, but a lot remains to be done. Parts of the tool run on an older framework, causing slowness. Usability is a broader issue than features alone. This usability problem is common in many cybersecurity tools, unlike customer-facing applications.
Some integrations have speed issues and might not function seamlessly with different upstream configurations, requiring manual updates. These are the main pain points we encountered, particularly with UI/UX, integration speed, and the usability of certain inbuilt playbooks.
For how long have I used the solution?
I have been working with Palo Alto Networks Cortex XSOAR since 2022, so it has been three years.
What do I think about the stability of the solution?
I would rate the stability and reliability of Palo Alto Networks Cortex XSOAR as a nine. Occasionally, we have had rare issues with a few plugins that led to high stack usage, requiring a shutdown and restart. Generally, it is highly available nine out of ten times.
What do I think about the scalability of the solution?
I would rate Palo Alto Networks Cortex XSOAR's scalability as an eight. It is highly scalable, but we do encounter some issues here and there.
The issues with scalability arise from the speed of some integrations, as not all are perfectly tuned by Palo; some were released without complete testing. Overall, most platform requirements are met with high scalability capabilities.
How are customer service and support?
I often communicate with the technical support team of Palo Alto Networks.
My experience with Palo Alto Networks technical support has been quite satisfactory, rating it an eight. Eight out of ten times, they provide valuable help. However, in two instances, I encountered service associates who were not very knowledgeable or where the tasks were complex, leading to escalations. Even then, they were timely in their responses.
Which solution did I use previously and why did I switch?
Before selecting Palo Alto Networks Cortex XSOAR, our organization was using Demisto, which made it logical to transition to Cortex XSOAR. We did evaluate Splunk, but we decided that Palo Alto Networks Cortex XSOAR was the better option.
While evaluating options, Splunk lacked the number of playbook integrations that Palo Alto Networks Cortex XSOAR offered. Although I hear Splunk has improved since then, being a Palo shop provided additional advantages, including a favorable bundle discount, as everything from our CASB to cloud monitoring and firewalls is with Palo, creating a tight dependency.
How was the initial setup?
The initial setup process for Palo Alto Networks Cortex XSOAR involved having the necessary infrastructure suggested by Palo, spinning up the servers, establishing dependencies, ensuring proper network segmentation, and setting up the right monitoring appliances and connections. Once the setup was complete, we moved all dependencies, basic necessary automations, and basic dashboards into the system, which comprised the beginning work.
Overall, the process has been far from straightforward.
I have faced several challenges during installation where the necessary servers require varying amounts of RAM and specific network segmentation. These requirements are not straightforward, and I realized many issues post-installation. While they advise installing a VM, the actual installation process reveals that debugging is often necessary, making it less seamless and not functional right out of the box.
What about the implementation team?
I participated in the initial setup and deployment of Palo Alto Networks Cortex XSOAR.
What other advice do I have?
Palo Alto Networks Cortex XSOAR has had a huge impact on our organization's mean time to resolution for incidents. As I previously described, instead of going through the entire manual process, it improves the security SOC operations efficiency tremendously, by more than 80% to 90%. I would rate this solution a nine overall.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.