Endpoint Response Where It Matters
October 14, 2021

Score 9 out of 10
Vetted Review
Verified User
Overall Satisfaction with Palo Alto Networks Cortex XDR
XDR is being used as an Endpoint Response tool. As an EDR, we are able to identify events and logs across multiple devices. The nodes on the network display a variety of information that helps analysts understand behaviors in the environment. XDR addresses the problem of security analysts being able to discover, detect, and respond to events or incidents involving hosts on the network.
Pros
- Direct access to devices via Live Terminal, which provides operations with scripting, triage, and preservation of artifacts.
- Behavioral Indicators of Compromise, which provide alerts on events regarding groups of hosts and their signatures.
- Querying complex data sets involving a variety of devices for network connections, hashes, DNS, etc.
Cons
- The UI loads a large amount of data into each window pane, requiring users to scroll or modify queries for a smaller list of results. The data being presented can be overwhelming, and alerting does not always indicate IOCs.
- Performance on XDR tends to fluctuate when running queries, and the features available don't make the process of hunting any faster.
- Support for the product needs improvement; as the product is newer, more items are revealed that require attention or resolution.
Return on Investment
- Device Isolation is a wonderful addition that positively impacts the business when doing Incident Response, which is the highest value in the product.
- Support at times impacts the business negatively in the short-term ROI, but long-term goals are a work in progress and attainable.
- Consolidating many features into one product can save a larger sum of investment in this security tool without a huge performance cutback.
Alternatives Considered
- Anomali ThreatStream, Palo Alto Networks Cortex XSOAR (formerly Demisto), Cisco Secure Endpoint (formerly Cisco AMP), Broadcom Symantec Email Threat Detection and Response, and Symantec Endpoint Encryption
XDR is a solid tool against other security suites. Since XDR goes beyond an EDR tool, it's possible to say it can be a replacement for other Endpoint tools. Although there is a lack of sandboxing for binaries, the capabilities to customize and tune the tool are vast. XDR is considered a Next Gen product, and along with its Incident Response features and integration, Palo Alto XDR was selected for these reasons and its ability to work well across many devices.
Do you think Palo Alto Networks Cortex XDR delivers good value for the price?
Not sure
Are you happy with Palo Alto Networks Cortex XDR's feature set?
Yes
Did Palo Alto Networks Cortex XDR live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Palo Alto Networks Cortex XDR go as expected?
Yes
Would you buy Palo Alto Networks Cortex XDR again?
Yes