Palo Alto Networks Cortex XSOAR Reviews

We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which helps us leverage how long it takes us to investigate and mitigate any threats.

What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali. I can create various custom automations and custom fields. There is significant customization ability in this platform. If I already have an established process, I do not have to change my process to fit into the tool. I can modify the tool to fit into my process, which makes things considerably easier.

All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools. This serves as our central location where our SOC analysts can work and determine if incident response is needed. The platform provides data enrichment capabilities, offering information upfront so analysts do not have to search for it. They can access details such as username, phone number, email address, and workplace information. For malware files, they can retrieve details from VirusTotal, including file names and environment presence. We have built substantial automation around these features, which also helps us track case metrics, investigation time, and threat mitigation duration.

I have worked on multiple use cases related to network security and cybersecurity. In network security, I've created multiple playbooks to fetch data from multiple firewalls. 

We can also upgrade them in parallel to Axon. Apart from that, we can block URLs and IPs in real time. It takes less than five minutes to block something. You don't have to push a policy or create a rule on the firewall directly. You just upload the IOC (Indicator of Compromise), URL, or IP into a SharePoint sheet, and it gets blocked within five minutes.

Those are the kinds of use cases I've created. In addition, we've automated several tasks, including Nikto vulnerability scans and SOCL (Security Orchestration, Automation, and Response) tasks. 

We've also created multiple threat intelligence playbooks, fetching data through the MITRE framework and following compliances like HIPAA. It's a very good tool.

XSOAR support the company's compliance and regulatory requirements. For example, I'm working with multiple clients from different industries—one from manufacturing, another from healthcare, and one from banking. Each of these clients has its own compliance policies. XSOAR is a product that allows you to meet all regulatory requirements effectively. The flexibility in XSOAR is much greater compared to other tools.

Security-wise, the integration of IAM and SSO in XSOAR is straightforward. For example, I'm currently working with an Indian client that must adhere to RBI regulations. These regulations require that data remain within the Indian subcontinent and not be sent overseas when using cloud services.

For instance, FortiSOAR has data centres in Dallas and Australia. Google Chronicle has data centres in Europe, Japan, and the US. However, XSOAR also has a data centre in India, which is essential for meeting local regulatory requirements. This makes XSOAR a very suitable option for such needs.

Cortex XSOAR is our desktop endpoint security standard. We deploy it on the desktops, monitor the events, and ensure the endpoints stay clean and inoculated. The client is a retail company with salespeople on the floor and roving notebooks that employees bring with them to various locations. We needed a solution that allows us to protect those endpoints no matter where they are. We deployed them through Active Directory using a group policy system. 

Customers don't always have endpoints that are part of their Active Directory, but we chose to use ADGPO to ensure any user logging into our domain(s) had the product installed. There are about 600 users spread out across three locations and six dealerships.

Well since we have deployed Cortex, we have not had any serious malware concerns. I believe Cortex or Traps as it were has helped immensely in keeping our end-user community safe.

That said, cortex has not been without its headaches. For one thing, recently it stopped updating clients and wouldn't allow new installations due to a MS patch that needed to be deployed. It wasn't obvious to me what was occurring as there were zero logs indicating the reason for the failures. We started having desktops falling out of compliance faster and I had to do a bit of digging to find out what was causing it. 

Another dig I have is in the Cortex Dashboard, there are a large numbers of machines that don't show associated usernames. This keeps growing over time. I still been able to determine the cause of this. I have some ideas its due to the way Palo Alto Networks determines who a user is. They look at AD authentication logs and associate the IP address of the user as he joins the network. Then this IP stays associated with that user for about 45 minutes after the user leaves his desktop. So the desktop becomes orphaned when the IP is no longer applicable. 

So in summary, the product has stood up to its core-capabilities, but is lacking in useable actionable logs.

The primary use case for Cortex XSOAR is as an orchestration automation platform. I use it to execute automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies. It involves incident orchestration and automation in the selection of security analysts to be involved in event handling.

The solution is an orchestration automation platform. Three main features can help me: execution of automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies that I can integrate into the platform. Each incident collected is orchestrated with automation that selects the security analyst to be involved, or provides complex execution plans for managing security incidents.

We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. 

Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.

Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.

Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker.

When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.

Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.

The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.

For organizations that are stable with their security operations, like those with around 50 members in their security team running full-phased operations 24/7, Cortex is necessary. They can automate many processes and build their own scripts. Then, we use it for Flashflakes. 

But for a smaller organization with binding budgets and who is unaware of security, they may end up wasting money on it. This is an expensive tool. We have to use it wisely, or it’s easy to mistrust its value.

Previously, when Demisto was, there was a community edition; we could use it, reinstall it, and customize it. Since Palo Alto took over, it has become more financially oriented. It's business, but they could offer a pro model and a lighter model for different needs. 

For example, creating a pro model alongside a lighter model could be beneficial, like FortiSOAR or others providing a lighter model that focuses on the automation segment, where you could integrate maybe five or ten playbooks and integrations for day-to-day operations. This would make it more accessible to everyone.

Currently, Cortex XSOAR operates on a larger scale, which may not be necessary for all. If there's a minimum budget of around 50k or 80k for SOAR, having a scaled-down version of Cortex XSOAR would be advantageous. This would allow integration with current business operations at a minimal cost, saving money while still leveraging the capabilities of Cortex XSOAR.

And if there's a need to scale up later, moving to a pro model could be an option. That's something that's missing on the business side but could greatly aid incident response, as we're all trying to secure organizations from threats. Having such an option would make it a more socially viable cost and still provide widespread use.

In future releases, I would like to see more differential models could be implemented, instead of having a one-size-fits-all approach.

The client never had any XSOAR automation before, and they never had a CRM implemented with them, either. So we provided both CRM and complemented with XSOAR.

So it's a totally new experience, and we have already developed three playbooks. To move further, we have to wait for the next few months before we agree on any automation response.

The repository of playbooks and the integration between Palo Alto and IBM QRadar are some useful features. It is followed by a lot of people simply needing to reference it. So, it is very easy to use for people facing chat problems.

The platform’s setup procedures could be streamlined compared to Sentinel, which has a much easier setup regarding Single Sign-On and policy management.

I haven’t seen any lag in terms of platform scalability. It scales to cover all the endpoints. Although, sometimes there are latencies for Panorama. It could be because there are a lot of legacy systems.