Cortex XSOAR observations from a Security Analyst's standpoint after 3 years of use
April 12, 2022

Cortex XSOAR observations from a Security Analyst's standpoint after 3 years of use

Sarthak Chand | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Palo Alto Networks Cortex XSOAR (formerly Demisto)

This product is being used as the SOAR platform for automation. Automating the repetitive security alerts is the main goal currently served by XSOAR. Also for documentation and escalation of sensitive cases within the team and in the extended information security team, we use it on a daily basis. It also helps analysts with required IOC enrichments, which is quite helpful and a time saver.
  • IOC enrichment for IP, URL, File Hashes
  • Automating workflows for notifications to the concerned team and decision-making for repetitive alerts/issues based on the playbook
  • Taking remediation action like blocking the IP, URL by the custom-made XSOAR commands
  • Providing the timeline of an incident, which helps in AAR activities
  • The XSOAR bot creates a lot of noise on the summary page of any XSOAR incident. Although the filter is available to reduce the view, by default this should not be visible cluttering the whole scenario.
  • The interface has too much data on a single pane. I would love to have many buttons to just click and do stuff.
  • Also, I would love to have search areas more interactive and easier to navigate.
  • The automation achieved by the playbook model of problem-solving for handling different alerts from SIEM
  • Notification to the concerned teams based on the role during the escalation of any SIEM alert
  • Secure and restricted documentation of security events and collaboration with different teams, evidence gathering, and evidence annotation in the Evidence Board
  • Taking containment actions for detected IOC and infected machines
  • Reduces man-hours spent on handling false-positive repetitive alerts, daily 40% of analysts' time saved during a 24 hour period. In the initial stage, it was 75% of analysts' time saved due to the new environment, less maturity, and a lot of un-finetuned alerts.
  • Single pane for notification, collaboration, and action (to some extent) which is a major time saver compared to the conventional method of meeting invites and emails back-and-forth.
  • Secure documentation of business-critical incidents with a need-to-know basis of access according to each role.

Do you think Palo Alto Networks Cortex XSOAR delivers good value for the price?


Are you happy with Palo Alto Networks Cortex XSOAR's feature set?


Did Palo Alto Networks Cortex XSOAR live up to sales and marketing promises?


Did implementation of Palo Alto Networks Cortex XSOAR go as expected?

I wasn't involved with the implementation phase

Would you buy Palo Alto Networks Cortex XSOAR again?


Well suited: In situations where the task is more repetitive and you are getting a lot of false-positive detections [what we get 95% of the time], XSOAR can take the burden and handle those repetitive false positives without causing any headache for analysts. Additionally, if you have a list of teams to notify on occasion for a particular type of incident and if the type of incidents you get is dynamic then XSOAR can help you by assigning appropriate "roles" to appropriate escalation points and associating your incident to the exact role to create an MS Teams, Slack, or email notification for the concerned team.