Palo Alto Networks Cortex XSOAR Valuable Features
ChrisCollins
Enterprise Security Architect V at FirstEnergy
What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali. I can create various custom automations and custom fields. There is significant customization ability in this platform. If I already have an established process, I do not have to change my process to fit into the tool. I can modify the tool to fit into my process, which makes things considerably easier.
All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools. This serves as our central location where our SOC analysts can work and determine if incident response is needed. The platform provides data enrichment capabilities, offering information upfront so analysts do not have to search for it. They can access details such as username, phone number, email address, and workplace information. For malware files, they can retrieve details from VirusTotal, including file names and environment presence. We have built substantial automation around these features, which also helps us track case metrics, investigation time, and threat mitigation duration.

The best feature is the CLI part. If you want to execute any command or something like that, it is very easy. You can get a tab, and you just type the command there, and it will run. The playground feature is very good. You don't need a separate development environment; you can use it directly within XSOAR. These are the things that make XSOAR stand out compared to other products.
For orchestration, the processes are very user-friendly. Even if I'm not an XSOAR admin, I can quickly become proficient with it. You just have to navigate through the various options in Palo Alto Networks Cortex XSOAR, and it becomes easy to manage. For instance, if you are a SOC analyst and want to start using XSOAR, it's very easy to access and retrieve the details you need.
To put it in simpler terms, using XSOAR is like using a Fire Stick, where you have all your OTT platforms available. Similarly, in XSOAR, you get all the related alerts, whether from SIEM, EDR, or XDR, all consolidated in one place. You can analyze the data, make decisions, and even automate certain processes based on the data you receive. XSOAR assists in automating workflows, making decision-making processes easier.
The orchestration in XSOAR is significantly easier compared to other SOAR tools I've used, like Siemplify, Splunk Phantom, and FortiSOAR. The processes are much more streamlined in XSOAR, which is what I appreciate most about it.
So, when it comes to automation and playbooks, it is very easy. XSOAR is the only platform that supports three scripting languages: Python, JavaScript, and PowerShell. So you don't have to worry much about compatibility. If someone knows Python, they can easily create a playbook for automation. They can write the automation scripts and handle everything. Even if you're like me, coming from a Windows background and only familiar with PowerShell scripting, you can still create automation within XSOAR. This flexibility is something that XSOAR provides, unlike other tools that only support Python.
XSOAR uses machine learning and generative AI, particularly in threat intelligence. In security, threat intelligence is the only area where AI and machine learning are truly effective. Aside from that, whatever vendors are claiming about AI is often just marketing hype. They might suggest that AI can be used everywhere, but security compliance is a crucial factor.
For example, if I request AD admin access, it's unlikely anyone would grant it due to security concerns. This demonstrates the limits of AI in certain aspects of security. They may have chatbots and other features, but their necessity is questionable. For instance, if I need details about a particular IP or URL, I can retrieve it myself by running a command. Human intervention is still necessary in these cases.
We can definitely use AI in incident response, but the major thing is in managing case notes. We recently initiated a project focused on ensuring that case notes added by analysts follow a proper format. We can then utilize generative AI to improve this process. For example, if an alert is related to a DNS query, we can create different templates. Based on the best keyword match, AI can make decisions, which is part of our plan.

The solution is an orchestration automation platform. Three main features can help me: execution of automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies that I can integrate into the platform. Each incident collected is orchestrated with automation that selects the security analyst to be involved, or provides complex execution plans for managing security incidents.

Buyer's Guide
Palo Alto Networks Cortex XSOAR
June 2025

Learn what your peers think about Palo Alto Networks Cortex XSOAR. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,481 professionals have used our research since 2012.
The most valuable features of Cortex XSOAR include its vast library of plugins, which allow us to integrate various tools and solutions seamlessly. Additionally, the ability to create complex playbooks tailored to our needs and the option to incorporate user input within the workflows are highly beneficial.

The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details.
It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation.

The solution is user-friendly and easy to configure.
I chose Cortex XSOAR because we use Palo Alto firewalls. My plan was to consolidate our log data from the Palo Alto firewalls and Cortex into a single pane of glass. However, this has not been the experience. The log data from the firewalls never correlates with the log data from Cortex. We still have separate streams of information to examine. I have not found an easy way to get this to work. But I'm sure there is one.

Owing to the features of Palo Alto Networks Cortex XSOAR, my team that operates within our company likes it.

Musammil Azar
MSS Delivery Lead at Help AG
The product’s stability is good. We are able to achieve our use cases. We have multiple playbooks to support automation.

The repository of playbooks and the integration between Palo Alto and IBM QRadar are some useful features. It is followed by a lot of people simply needing to reference it. So, it is very easy to use for people facing chat problems.

Its agility and scalability are valuable.

The solution has a lot of information, like playbooks and incidents. It goes really deep. The vendor provides training, knowledge bases, workshops, and webinars. The product can automate security tasks. Playbooks are the most beneficial feature. We can create a playbook. We can get visibility on incidents.
We can also analyze user behavior and understand whether it is a true positive or a false positive. We have so many false positives these days in security, so it's nice when we can put things in the block list. We can perform investigations. The product can be integrated with third-party tools.
The most valuable features of Palo Alto Networks Cortex XSOAR are its overall track record and features that fit our use case.
Diego Lo Dico
Senior Information Technology Support Engineer at TSCNET Services GmbH
The solution works well.
It’s easy to install.
It’s stable.
The solution can scale as needed.
It is very easy to use.
It has an extensive list of integrations that are available out of the box which makes it easy to start.

Cortex XSOAR's playbook for incident management and automation is highly valuable. We develop Playbooks automation, centralize incident data, and try to enhance the efficiency of resolving incident cases. The platform's features focus on closing the incident lifecycle more quickly, managing incidents efficiently, and integration capabilities across security infrastructure.

We use the solution to automate our SIEM tools and incidents.

What I like most about Palo Alto Networks Cortex XSOAR is how user-friendly it is for development. It is much simpler to work with compared to similar tools I've used. If you can think of it, you can probably do it. However, there are some limitations, but speed isn't one of them.
Palo Alto is easy to use.

The solution is very reliable. The performance is great.
The scalability of the solution is excellent.
We find the solution to be very robust. Palo Alto has been in the industry a long time and the solution reflects that.
The initial setup is very straightforward. It's not hard to deploy.

The most valuable features of Palo Alto Networks Cortex XSOAR are the remote controller from the workstation that can execute commands and isolate the systems outside of the network. Only the system with an internet connection can execute the task because the main console is in the cloud.

Cortex XSOAR's most valuable features are the playbooks, custom integration, the machine-learning model, and the layout, classifier, and mapper.

The strengths of Palo Alto Networks Cortex XSOAR stem from the fact that it provides functionalities related to patching and URL blocking, and its strengths are the major reason why I recommend the product to others.

The drag-and-drop interface enables analysts with no programming knowledge to create playbooks easily.

Many different playbooks are available and can be customized.

The solution has very good integration capabilities. It's really the best at integration. Inside every integration, there are certain commands which we can call upon, which makes it very useful as a product.
The automation is excellent.
The product is very robust.
With this solution, we can do dynamic remediation.
It's a product that is constantly upgrading and improving.
It's a user-friendly solution.
Technical support is very helpful and responsive.

The advanced security capabilities and the automation available with the solution are the most valuable solution. Moreover, the scalability and ease of management are additional benefits.

It was useful as a ticketing tool. However, it's been discontinued.

DenysLahutin
Sales engineer at MUK
It is pretty modern.
It has a lot of integrations. They have a portal where you can find any kind of integration that you need. The ability to integrate with third-party vendors and solutions is great.
They have a big amount of playbooks. These are a set of actions that you need to perform based on some exact incident. For example, if you find malware, you will need to block an endpoint. If you find a botnet that is connecting to your infrastructure, you will need to block this botnet on the firewall. This set of playbooks that XSOAR already has inside it is really huge, and it is also great for a lot of informational security or managers and engineers that can just choose what they need and not have to create anything from scratch.
The initial setup is straightforward.
Darshil Sanghvi
Consultant at a tech services company with 501-1,000 employees
The most valuable features are the orchestration because of the way in which it coordinates the loss from all the devices and it provides us with a high-level overview of the critical log information. Additionally, this solution integrates very well, we have integrated a Palo Alto firewall and everything is working perfectly.

We've only just installed the solution and need time to explore its functionality and capabilities. So far, we haven't experienced any issues.
The stability has been good overall.
The initial implementation wasn't overly complex. It was easy.
The pricing is very good.
Technical support is helpful and responsive.
Shubham Agarwal
Network Security Engineer at a tech services company with 201-500 employees
The automation part and the playbook creation part are awesome. The way it is responding to the customers and incidents is also very good. In the SOC environment, I guess it will carry out around 50% of the work.

The most valuable features are simplicity and ease of integration.
The documentation is fantastic.

I am satisfied with the product overall.

Samer Amr
CyberSecurity Consultant at Information Technology Solutions- ITS
The solution is user-friendly and provides integration with multiple products.

According to Gartner, it's a leader in NID. Customers are investing more in it, and that's why we are using the product.

The most valuable feature is automation. There is a huge variety of automation that can help any team and there is a threat model.

The solution has the best processing and incident analysis features.

Susan Amiri
None at Invecto
NGFW and Cortex are the best features of the product. The solution provides threat intelligence with EDR. The most interesting part is that the product uses artificial intelligence and machine learning capabilities.

I have found the solution very useful, it integrates well with other platforms.

It is a good tool for automation. The product is quite easy to use. It provides great integrations.