Share your experience using Threat Stack Oversight [EOL]
Examples of the 96,000+ reviews on PeerSpot:

Enterprise Security Architect V at FirstEnergy
Real User
Top 10
Customization supports seamless workflow while data influx challenges response time
Pros and Cons
  • "What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali."
  • "One of the significant issues we encounter is system slowdown when we receive an influx of alerts, which inhibits how quickly we can access the information needed for investigation."

What is our primary use case?

We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which helps us leverage how long it takes us to investigate and mitigate any threats.

What is most valuable?

What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali. I can create various custom automations and custom fields. There is significant customization ability in this platform. If I already have an established process, I do not have to change my process to fit into the tool. I can modify the tool to fit into my process, which makes things considerably easier.

All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools. This serves as our central location where our SOC analysts can work and determine if incident response is needed. The platform provides data enrichment capabilities, offering information upfront so analysts do not have to search for it. They can access details such as username, phone number, email address, and workplace information. For malware files, they can retrieve details from VirusTotal, including file names and environment presence. We have built substantial automation around these features, which also helps us track case metrics, investigation time, and threat mitigation duration.

What needs improvement?

For Palo Alto Networks Cortex XSOAR, there is always room for improvement. One of the significant issues we encounter is system slowdown when we receive an influx of alerts, which inhibits how quickly we can access the information needed for investigation.

For how long have I used the solution?

I have been using Palo Alto Networks Cortex XSOAR since 2018, for about seven years.

What do I think about the stability of the solution?

I would rate the stability of Palo Alto Networks Cortex XSOAR a six out of ten.

What do I think about the scalability of the solution?

The scalability of Palo Alto Networks Cortex XSOAR supports our growth and security needs because we can integrate various tools and continuously add more capability. Whatever we can envision with this tool, we can implement. We have not reached a limit on the amount of items we can have in the platform. We manage scaling effectively. Though we experience slowdowns during simultaneous operations, once we get through that period, performance returns to normal and we can process things quickly. There does not seem to be any limitation on the amount of data or alerts we put through the platform.

How are customer service and support?

I follow up with Palo Alto Networks Cortex XSOAR support when issues occur. Their support has been better than Anomali's and they are more responsive. The main challenge we encounter with their support is that their engineers, who handle escalated issues, are located in the Middle East. We often need to accommodate their time zone for meetings. I would rate their support a six out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment of Palo Alto Networks Cortex XSOAR started on-premises and then moved to the cloud. The on-premises deployment was very simple, using a standard shell file. The setup instructions are straightforward - you execute the shell file on the server, agree to terms, and fill in some data points such as passwords. After completing these guided questions and steps, the installation is automated. You do not have to intervene, and it spins up and starts itself. The process is painless to set up.

What other advice do I have?

My advice would be to understand your use cases and ensure this solution addresses them. Test it against other products in the market. Whatever you can envision, you can probably implement. The platform is very supportive of different integrations and tools. I would suggest learning Python or having someone with Python understanding as they develop things in the platform. Having a code-based background is beneficial as the platform is very code-centric for the playbooks. Having that background or at least logic could be helpful. This review rates Palo Alto Networks Cortex XSOAR 9 out of 10.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Adrian Cambridge - PeerSpot reviewer
Head of IT at AHMM
Real User
Top 5
Hands-off approach works well with monthly security assistance for network
Pros and Cons
  • "The solution works well for our team as it offers a hands-off approach, which we need."
  • "I rate the overall solution nine out of ten."
  • "The only frustrating aspect is the lack of support for Windows on ARM devices. We cannot fully secure these devices until they release an updated version of their agent software."

What is our primary use case?

We have implemented ActiveWolf due to its more hands-off approach, suitable for our small IT team without dedicated security specialists.

What is most valuable?

The solution works well for our team as it offers a hands-off approach, which we need. The pricing is okay and comparable to other solutions. We value the hands-off approach as we don't have our own security team. We have monthly meetings with them, where they help us secure parts of our network, which is valuable to us.

What needs improvement?

The only frustrating aspect is the lack of support for Windows on ARM devices. We cannot fully secure these devices until they release an updated version of their agent software.

For how long have I used the solution?

I've used the solution for just over a year.

What do I think about the stability of the solution?

There is not much downtime; however, they are sometimes a bit slow in responding with more information when an issue is flagged.

How are customer service and support?

They are quite responsive overall. We have monthly meetings where they help us with network security. However, their response can be slow when we ask for more information.

How would you rate customer service and support?

Positive

How was the initial setup?

It took us about three to four weeks to bring it live as we had to ship the sensors to different sites. It probably took a month to be fully up to speed, but that was fine because we needed to onboard it anyway.

What's my experience with pricing, setup cost, and licensing?

The pricing is okay and comparable to other solutions, with competitive pricing obtained for most options. We value the ease of use and hands-off approach.

Which other solutions did I evaluate?

We looked at the Microsoft service and another solution; however, I can't remember the name of the latter.

What other advice do I have?

I rate the overall solution nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.