Cortex XSOAR

April 8, 2021

Technology Overview

Security operations, in any organization, requires a lot of orchestration to run smoothly and efficiently. Problems of alert and tool fatigue are well known around the industry as a common problem when looking at the security operation teams in companies. There are too many alerts, underdeveloped processes and repetitive manual tasks for security analysts to effectively investigate incidents. Analysts find themselves using a lot of their time correlating multiple data sources and tools to get a wholistic view of the attack, in which is continuously increases time to respond to the threats in an environment.  

The solution for this is XSOAR. Palo Alto's XSOAR technology provides security operations teams with a solution to these challenges by focusing on four areas: security orchestration and automation, real-time collaboration, case management and threat intel management. 

Introducing Cortex XSOAR

Automation and orchestration 

  • To reduce the manual tasks analysts must work on daily the XSOAR solution implements playbooks which help to automate various tasks and workflows based on security events, environment rules, and triggers that are customized to fit the needs of the environment.
  • Palo Alto offers 450+ out-of-the-box playbook templates to tackle different use cases that may occur in the security environment.
  • XSOAR offers over 600 integrations and content packs with coverage across product categories such as SIEMs, EDR, malware analysis, and threat intelligence. These integrations are developed by Palo Alto Networks as well as the community and are regularly updated and improved in the Cortex XSOAR Marketplace.

Real-time collaboration 

  • Cortex XSOAR offers an additional complement to the normal automation and case management through the use of an incident specific virtual War Room. The War Room allows Analysts to communicate through the chat function and run commands through a CLI, as well as having evidence, notes and all commands run auto documented in one place.
  • XSOAR offers a unique solution to team collaboration on incident investigations. The War Room, powered by ChatOps, is a communication space in XSOAR where analysts can discuss incident operations, run security actions through a CLI, while also acting as a worklog for all notes, evidence and commands that occur in the investigation.

Case management

  • The Cortex XSOAR solution provides security teams with a centralized location from which all security incidents can be remediated. By integrating Case Management into the Cortex XSOAR tool, analysts spend less time switching from one technology to another helping them to mitigate threat faster and reduce incident closure times.
  • All data and actions derived from the incident is collected in one space and can be reporting upon and visualized in a singular automated manor.

Threat intel management

  • Often, too much threat intelligence data is being given to analysts and they must sift through to ensure they are using the relevant information in their investigations. Cortex XSOAR provides a unique approach to threat intel by aggregating the different sources and creating custom feeds and intel scores to depict what is happening in the environment.

Major benefits

  • Playbooks help to automate repeatable processes so security analysts can focus on more complex threats
  • Shorten time to respond and containment
  • Unified case management
  • Team collaboration through XSOAR’s War Room functionality
  • Optimize threat intelligence
  • Reduction of unimportant alerts and alert fatigue
  • Integration of tools and technologies
  • Automated wholistic reporting and dashboards

Security operations roles 

XSOAR IT Administrator:  
  • Provisions host platforms
  • Installs server application software
  • Monitors, maintains, and troubleshoots the XSOAR platform architecture
XSOAR Security Analyst: 
  • Uses the War Room page for investigations
  • Accepts, assigns and manages cases
  • Uses the graphical CLI
  • Works with the Cortex XSOAR engineer to provide feedback for continuous improvement of the system
XSOAR Engineer:
  • Enables and configures integrations
  • Creates custom incident types and layouts
  • Creates, debugs and deploys automations and playbooks

Cortex XSOAR architecture

  • Single-engine deployment
  • Multi-engine deployment
  • Hosting methods
    • On-prem
    • Cloud
    • Hybrid
  • Database structure
    • Dedicated database
    • Distributed database
Palo Alto Networks Cortex XSOAR | PaloGuard.com

WWT service offerings 

  • SOAR (Security Orchestration Automation Response) Readiness Assessment
  • XSOAR Playbook Development
Related Content