
Product Review

Optimizing Security
Operations with
Palo Alto Networks’
Cortex XSOAR
Written by Matt Bromiley
June 2024

©2024 SANS™ Institute


Optimizing Security Operations with Palo Alto Networks’ Cortex XSOAR 1
Introduction
Today’s relentless pace of cyberattacks keeps security teams and SOCs on high alert. This
is coupled with an ever-growing digital footprint, generating a constant stream of security
data such as logs, events, traffic, and alerts. Sifting through all this data to find needles
in haystacks is an extremely time-consuming task that doesn’t scale well if all you have
is human power. This sifting exercise can easily lead to delayed response times, missed
threats, and analyst burnout.
Security orchestration, automation, and response (SOAR) platforms offer a lifeline to SOCs
drowning in alerts and struggling to keep up with threats. SOCs are always seeking ways to
optimize their workflows and empower analysts. Although automation is a key strategy, choosing
the right tools for the job is critical. This paper takes a closer look at Palo Alto Networks’
Cortex XSOAR®, a SOAR platform that offers a comprehensive suite of features designed to address
the challenges faced by modern SOCs.

This paper delves into XSOAR’s functionalities and ability to empower SOCs to achieve better
security outcomes. It offers opportunities for any reader. If your organization is considering a
SOAR platform, look closely at how XSOAR enables teams and empowers analysts. Consider what
capabilities your team is looking for. If you already have a SOAR platform, compare your current
setup and capabilities to Palo Alto’s Cortex XSOAR. Let’s get started!

Sidebar: Cortex XSOAR has distinct deployment options to facilitate the needs of any
organization, including:
• Cloud-based SaaS for infinite scalability to meet ever-changing needs
• On-prem for local data handling and total ownership over the security of the data and all
resources in use
XSOAR is Federal Risk and Authorization Management Program (FedRAMP) certified, facilitating
the needs of government agencies. It is also multi-tenant capable, allowing managed security
service providers (MSSPs) to easily provide services to their customers.

Cortex XSOAR
Our examination of Cortex XSOAR began, as it does with all products, at the initial dashboard.
A product’s initial dashboard is always a good starting point because many security tools are
utilized by junior analysts, executives, and everyone in between. The initial dashboard is an
opportunity to quickly answer “What is going on?” for all viewers. In Figure 1, XSOAR answers
that question.

Figure 1. XSOAR’s Initial Dashboard



XSOAR’s starting dashboard is a link to everything within the platform and a navigator for our
product review. Some of the key areas of XSOAR examined in this review include:
• Dashboards and reports
• Incidents
• Threat intelligence
• Playbooks and scripts
• XSOAR++

XSOAR provides a wealth of options and capabilities, many of which work together to create a
seamless experience for security teams. However, like any tool or platform, the adage “garbage in,
garbage out” always applies. Ensure that your team utilizes XSOAR with the best available telemetry
to lessen the burden on the SOC.

Dashboards and Reports


XSOAR’s dashboarding and reporting capabilities represent a powerful, customizable way to display
key data from XSOAR. Figure 2 provides a screenshot of My Dashboard, the initial dashboard screen.

Figure 2. My Dashboard from XSOAR’s Interface

Dashboards and reporting capabilities are critical within any tool, especially comprehensive
ones like XSOAR. With many moving pieces, security teams, leaders, and executives need
succinct views into what’s happening within an organization. Customized reporting helps
achieve this easily.

In Figure 2, you can see XSOAR offers prebuilt dashboards that focus on metrics such as:
• “My Threat Landscape”
• SLAs
• Troubleshooting
• Incidents
• Cost optimization playbooks



XSOAR’s vast dashboard capabilities offer multiple views of the same data. This is an
important reminder for security teams: The same data triggering an alert of adversarial
activity (Incidents) can also be represented in the Cost Optimization dashboard. By
considering unique perspectives on the same data, organizations can begin to view their
data as much more than simple security telemetry.

Reporting is an equally powerful feature within XSOAR’s platform. Out of the box, XSOAR
includes a wealth of rich reports for all needs. See Figure 3.

Figure 3. Snippet of the Reports Dashboard from Cortex XSOAR

Out-of-the-box reports include options to satisfy multiple needs and viewpoints, such as:
• Incident-based reports, focused on severities such as “critical” and “high”

• Time-based reports, such as activity within the past 24 hours or seven days

• Metric-based reports, such as Mean Time to Resolve or late incidents (past an SLA)



One of our favorite out-of-the-box reports was the executive-focused “Monthly Report for
our CISO.” See Figure 4.

Figure 4. Snippet of the “Monthly Report for our CISO” Report

We’ve long held that security tools need to provide capabilities for their daily users and
value to executive stakeholders. Palo Alto Networks realizes this, and XSOAR’s reporting
capabilities reflect it. Reports also can be customized for any audience or need. In addition
to the metrics defined earlier, reports can be assembled for different stakeholders, selecting
any timeframe or data point of interest. This is where some of the true power of XSOAR’s
reporting capabilities comes into play. See Figure 5.

Sidebar: We cannot emphasize this enough: Reporting capabilities are critical to the success of
any platform. From SOC auditors to long-term executives, all security stakeholders must be able
to derive value from a platform by gathering the information that is important to them.

Figure 5. Snippet of Custom Reporting Creation Within Cortex XSOAR



In Figure 5, we created a simple report to display active incidents from multiple angles.
This included a basic pie chart representation, a line chart to show active investigations or
incidents, and then a mapping of severities. Easily dragging and dropping various widgets
into our report template allowed us to create this report in all of five seconds. Reporting
should be that efficient, easily answering “What do you want to see?” and “How do you
want to see it?”

Reporting is not just a way to represent active data. It can also be a powerful vehicle for
generating insight to answer questions about optimization and efficiency. For example,
are response or remediation times too slow or too fast? Can we use reports to adjust
metrics on a monthly or quarterly basis? Are there incidents or issues that took too long
to resolve, necessitating an adjustment to our processes? You can only begin to answer
these questions with high-level insights into your data.

Incidents
The Incidents tab provides insight into incidents within Cortex XSOAR. Cortex XSOAR’s
classification engine streamlines security analysis by automatically categorizing incoming
alerts based on their content. This assigns predefined incident types (e.g., Malware,
Phishing) to each alert, enabling analysts to focus on the most relevant incidents. Figure 6
provides a snippet of the Incidents dashboard.
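The classification step described above (incoming alert content mapped to a predefined incident type such as Malware or Phishing), as an added illustration that is not part of the review and not XSOAR’s own classifier code. A small rule table is evaluated in order, the first match wins, and anything no rule claims lands in a catch-all type for manual triage rather than being dropped. The rule names, fields, patterns and sample alerts are all constructed for this example.

```python
import re
from dataclasses import dataclass


# Hypothetical rule table modelled on the behaviour the review describes
# (alert content -> predefined incident type). Names and patterns are
# constructed for this example; this is not XSOAR's own engine.
@dataclass(frozen=True)
class ClassificationRule:
    incident_type: str   # incident type assigned on match
    field: str           # alert field the pattern is applied to
    pattern: str         # regular expression tested against that field


# Rules are evaluated in order and the first match wins, so the more
# specific rules go first.
RULES = (
    ClassificationRule("Phishing", "subject", r"(?i)\b(invoice|password|verify|urgent)\b"),
    ClassificationRule("Phishing", "category", r"(?i)^email$"),
    ClassificationRule("Malware", "description", r"(?i)\b(trojan|ransomware|dropper)\b"),
    ClassificationRule("Malware", "category", r"(?i)^(malware|antivirus|edr)$"),
)

# Alerts no rule claims are routed to a catch-all type for manual triage
# instead of being silently discarded.
DEFAULT_TYPE = "Unclassified"


def classify_alert(alert: dict, rules=RULES) -> str:
    """Return the incident type of the first rule whose pattern matches the alert."""
    for rule in rules:
        value = alert.get(rule.field)
        if isinstance(value, str) and re.search(rule.pattern, value):
            return rule.incident_type
    return DEFAULT_TYPE


def classify_batch(alerts, rules=RULES) -> dict:
    """Classify a list of alerts and return a count per incident type."""
    counts = {}
    for alert in alerts:
        incident_type = classify_alert(alert, rules)
        counts[incident_type] = counts.get(incident_type, 0) + 1
    return counts


# Constructed sample alerts, standing in for what an integration would ingest.
SAMPLE_ALERTS = [
    {"category": "email", "subject": "URGENT: verify your password", "source": "mail-gw"},
    {"category": "edr", "description": "Trojan.Generic detected in C:\\Users\\a\\x.exe"},
    {"category": "vpn", "description": "login from new country", "source": "vpn-gw"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(classify_alert(alert), "<-", alert)
    print(classify_batch(SAMPLE_ALERTS))
```

The per-type counts from `classify_batch` are the kind of number a dashboard widget would chart; the size of the catch-all bucket is also a useful health metric, since a growing “Unclassified” count means the rule table is falling behind the telemetry.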

Figure 6. Snippet of the XSOAR Incidents Dashboard



As mentioned, incidents are “roll-ups” of alerts, context, associated indicators, response
actions, and much more. As an automation platform, XSOAR does an excellent job of
grouping the analysis capabilities and response actions that analysts need in one place.
This provides a single point for analysts to go to if manual intervention is necessary.
Figure 7 provides an example of a single incident.

Figure 7. Snippet of a Sample XDR Incident

As seen in Figure 7, we have a succinct view of nearly all the data points associated with
a particular incident. Incidents are also identified as cases, functioning with some teams
as a case management system. (Any good SOAR platform should be one!) Key data points
included in an incident include:

• Case details, valuable for case type and playbook identification

• Entities involved in the incident, including key technical details

• Alert(s) related to the incident, including categories, sources, etc.

• Case timeline information

• Work plan and automation tasks with status

• Response and IOC actions that can be executed with a single button click



Response and IOC action “buttons,” upfront and center, are some of the more useful
features of XSOAR and analyst empowerment. Of course, with any SOAR platform,
automated reactions are the easiest justification for implementation. Although it’s
possible to attempt to “automate everything,” humans must be in the loop to approve
some key automation. To assist with this, XSOAR includes quick action buttons that give
critical control to an analyst. These processes can be automated slowly, as necessary, and
as the team and response capabilities mature.

These quick response and IOC actions, including endpoint isolation, file quarantine, and
tagging an IOC for allow/deny lists, factor into the split-second decisions an analyst might
need to make to identify and stop a threat. Adversaries often introduce new techniques
and capabilities that playbooks may not act on but are still detected.
Having easily customizable response actions up front significantly cuts down on response and
remediation times, a goal for any security team.

Sidebar: Sometimes, the placement of certain response actions and capabilities within a tool or
platform can seem trivial. In many cases, however, the faster an analyst or responder can get to
where they need to be, the faster their response decisions can be. With XSOAR, everything was
quickly at our fingertips, resulting in less hesitation.

Integrated Case Management
Far too often, security teams are stuck in conference rooms with whiteboards and phone bridges,
trying to work with remote teams. Palo Alto looked at solving this issue within XSOAR,
particularly in its case management capabilities. Necessary for effective security triage and
response, incident management is a must-have. XSOAR’s built-in case management capabilities,
such as the War Room, provide real-time investigation into an incident. This ChatOps-powered
capability allows analysts to:

• Run real-time actions through the CLI

• Execute playbooks, scripts, and commands

• Capture alert or incident context in a concentrated area

• Document incident details, findings, and investigation status

Analysts can open and close tickets directly from the War Room, providing a “single-stop”
area for key incident and investigation analysis.

Threat Intelligence
One of the more powerful capabilities of XSOAR is its integration within Palo Alto Networks’
Cortex ecosystem. As seen in the multiple Incidents screenshots presented so far, XDR can be a
powerful source of telemetry. Threat intelligence feeds and more (see sidebar) can be fed into
XSOAR, as part of the larger Cortex ecosystem. Although other Cortex products are outside the
scope of this product review, we cannot overstate how powerful a single-platform approach is.

Sidebar: The Threat Intelligence module allows SOCs to manage their own threat feeds, including
a combination of open source, industry, and paid feeds. This is a driving feature that
integrates within the platform and assists with threat intelligence management—a much-needed
feature for enterprise SOCs.



The same holds true for threat intelligence capabilities in XSOAR. Looking at the threat
intelligence dashboard in Figure 8, we can see a powerful list of indicators, decisions, and
hits within our tenant.

Figure 8. Threat Intel Dashboard from XSOAR

As seen in Figure 8, the threat intelligence capabilities of XSOAR provide a catalog view
and insight into indicators observed across alerts and incidents. Some key details
presented include:
• IOC type
• Value
• Malicious verdict
• Timeline of first and last seen
• Related incidents

In many cases, security analysts will not begin at a threat intelligence page. For example,
if you needed to triage the incidents in your organization, you wouldn’t start by asking,
“What types of malware have been observed?” Often, supporting metadata and other key
points are included as part of the alert or rolled-up incident. Being able to drill down into
those details and understand why something was determined to be malicious, however,
is exactly the additional support analysts require. As we pointed out earlier, the faster
analysts can access the relevant information they need to make decisions, the faster they
can make those decisions.



Drilling down into any of the listed indicators provides deep details, as seen in Figure 9.

Figure 9. Snippet of an IOC as Identified in XSOAR’s Threat Intelligence Pane

As seen in Figure 9, XSOAR provides a wealth of data points about an investigation. The
importance of this screen, and making it accessible to security analysts, is critical. XSOAR
isn’t simply displaying metadata; it is displaying relationships and analysis-driving data.
For example:

• Relationships show how malware can land on a system, such as a dropper or archive. They
can also show related details such as associated network data or command and control (C2).

• Related incidents provide a quick, high-level answer to “Where have we seen this?”
In many cases, threat intelligence may provide context about a threat without
confirming whether it’s part of an active incident.

• The Timeline feature shows the lifecycle of an IOC, from initial classification to
granular updates. This is critical for understanding the “newness” of a threat.

• Additional data points, such as the Verdict, help drive an understanding of why
something was flagged as malicious.



Examining a particular IOC further, analysts can also drill down into Unit 42 intel, as shown
in Figure 10.

Figure 10. Snippet of Unit 42 Intel from the IOC Shown in Figure 9

In addition to the valuable data provided in Figure 9, Figure 10 shows granular malware
analysis details. This can include dynamic or static analysis from malware sandboxes,
malicious decisions, and even the WildFire report, available for download.

All in all, the threat intelligence section not only provides resources on incident or case
enrichment, but also can act as a “self-serve” capability for analysts looking to drill
further into why or how something was classified as malicious. The end result? Analysts
are adequately informed to make better decisions or craft more precise playbooks.

Playbooks and Scripts

Speaking of playbooks, this is by far the “meat” of any SOAR platform and represents its
ability to receive data and execute automated actions. Automation is the name of the game.
This is the purpose of a SOAR platform—to assist analysts in automating as much as possible so
that humans can focus on the bigger problems. It comes as no surprise that XSOAR’s playbook and
automation capabilities are vast.

Sidebar: Palo Alto Networks provides a no-/low-code approach to SOAR via easy-to-create, visual
playbooks. This can be a huge enabler for security teams of all skill levels, especially those
who might be less experienced.



Playbooks are exactly what they sound like—easy ways to create and define workflows within
XSOAR. Playbooks are the lifeblood of any SOC because they can define the actions to take in
the event of certain alerts. For example, the playbook in Figure 11 is built to retrieve a file
by SHA256 hash, driven by the file path present in an alert.

Playbooks are provided in an easily consumed visual format, showing the logic flow from an
origin event to the various actions taken by the platform. Notice the granularity with which
playbooks can be crafted, including decision points such as “Were there any errors?” This
control provides analysts an opportunity to deal with potential errors and work around them,
rather than deal with a bunch of failed playbooks.
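The playbook shape just described (a retrieve-file task driven by the alert’s file path, followed by a “Were there any errors?” decision), as an added Python sketch that is not the page’s or Palo Alto Networks’ code and does not reproduce Figure 11. The task captures failures as data instead of raising, so the decision point can route the incident to an analyst with the reason attached. The alert fields file_path and file_sha256, the task names, and the temporary sample file are assumptions for this example; comparing the retrieved file’s hash against the hash the alert claims is an extra defensive check not shown in the figure.

```python
import hashlib
import os
import tempfile

# Constructed sketch of the playbook logic in Figure 11: read the file path
# carried in an alert, retrieve (here: read and hash) the file, then branch on
# "Were there any errors?" before continuing. Field and task names are
# assumptions for this example, not XSOAR task names.

CHUNK = 64 * 1024


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def retrieve_file_task(alert: dict) -> dict:
    """Playbook task: ok=True with the hash, or ok=False with the error recorded."""
    path = alert.get("file_path")
    if not path:
        return {"ok": False, "error": "alert carries no file_path"}
    try:
        return {"ok": True, "path": path, "sha256": sha256_of_file(path)}
    except (FileNotFoundError, PermissionError, IsADirectoryError) as exc:
        # Capture the failure as data instead of letting the task raise, so the
        # playbook's decision point can choose what happens next.
        return {"ok": False, "path": path, "error": f"{type(exc).__name__}: {exc}"}


def run_playbook(alert: dict) -> dict:
    """Minimal playbook: retrieve task -> error decision -> next task."""
    result = retrieve_file_task(alert)
    if not result["ok"]:
        # Error branch: hand the incident to an analyst with the reason attached.
        return {"branch": "error", "next_task": "assign_to_analyst", "detail": result["error"]}
    expected = alert.get("file_sha256")
    if expected and expected.lower() != result["sha256"]:
        # The retrieved file is not the one the alert described; treat that as an error too.
        return {"branch": "error", "next_task": "assign_to_analyst",
                "detail": "hash mismatch: alert says %s, file is %s" % (expected, result["sha256"])}
    return {"branch": "success", "next_task": "enrich_hash", "sha256": result["sha256"]}


def make_sample_file(content: bytes) -> str:
    """Write constructed sample content to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="xsoar-example-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"abc")
    print(run_playbook({"file_path": sample}))
    print(run_playbook({"file_path": sample, "file_sha256": "00" * 32}))
    print(run_playbook({"file_path": sample + ".missing"}))
    os.remove(sample)
```

Every outcome is a plain dictionary with a `branch` and a `next_task`, which is what lets a visual playbook draw the error path as its own arrow rather than ending the run on the first exception.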

Security teams can also benefit from playbooks as a source of enrichment, not just response
actions. For example, in Figure 12, we examine a playbook that captures User Manager details
from Active Directory.

The multi-use nature of playbooks makes them powerful additions to any security team, enabling
even less technical teams to benefit from enrichment and automated actions.

Figure 11. Snippet of a Playbook to Retrieve a File by SHA256 Hash

Figure 12. Snippet of a Playbook to Get User Manager Details from Active Directory



Similarly, scripts are another powerful feature that enables technical teams to gain even
more control over their data, workflows, and automation. Custom and pre-built scripts can
assist with data handling, encoding/decoding, transformation(s), and more. For example,
Figure 13 shows a script that converts an array to CSV.

Figure 13. Screenshot of an XSOAR Script That Converts an Array to CSV

This may seem like simple functionality to some, converting data from one type to
another. However, within a platform as vast as XSOAR, proper data handling and
conversion is an important capability for all other actions, such as automated playbooks,
reporting, and so forth. Furthermore, your organization might have special data-parsing
requirements, output needs, or other transformations that require custom scripting.
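An added example of the array-to-CSV conversion discussed above, written for this page and not taken from Figure 13 or from XSOAR’s script library. Beyond the plain conversion, it serializes nested values as JSON and neutralizes spreadsheet formula injection in text cells, which matters when the CSV ends up in a report someone opens in Excel: an attacker-controlled alert field (a file name, a mail subject) that begins with `=` would otherwise be evaluated as a formula. The column-ordering rule, the sample rows and the prefix list are assumptions for this example.

```python
import csv
import io
import json

# Spreadsheet applications treat cells starting with these characters as
# formulas. A hostile value in an alert field could otherwise execute when an
# exported report is opened; this is the commonly cited set of trigger prefixes.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Serialize one value for CSV and defuse formula injection in text cells."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return str(value).lower()
    if isinstance(value, (int, float)):
        return str(value)          # numbers are not formulas; keep -3 as -3
    if isinstance(value, (dict, list)):
        text = json.dumps(value, sort_keys=True)
    else:
        text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text          # a leading apostrophe forces a text cell
    return text


def array_to_csv(rows, columns=None) -> str:
    """Convert a list of dicts (an XSOAR-style array of objects) to CSV text."""
    if not rows:
        return ""
    if columns is None:
        # Union of keys in first-seen order, so rows with extra fields still fit.
        columns = []
        for row in rows:
            for key in row:
                if key not in columns:
                    columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: neutralize_cell(row.get(col)) for col in columns})
    return buf.getvalue()


# Constructed sample rows, the kind of array a playbook might hand to a report.
SAMPLE_ROWS = [
    {"host": "srv1", "ip": "10.0.0.5", "note": "=1+1"},
    {"host": "srv2", "score": -3, "tags": ["edr", "vip"]},
]

if __name__ == "__main__":
    print(array_to_csv(SAMPLE_ROWS), end="")
```

The `csv` module handles quoting and delimiter escaping on its own; the only part that needs deliberate design is the prefix check, and the trade-off is that a text field such as `"-3"` is exported as `'-3` while a numeric `-3` stays numeric.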



Another example is data extraction for proper IOC categorization and cataloging. Figure 14
provides a snippet of a script that extracts email addresses—an important need.

Figure 14. XSOAR Script That Gets Email Addresses in Context

Scripts in XSOAR can be written in Python, PowerShell, or JavaScript. This opens up
possibilities to security teams of all shapes and sizes, and allows for the easy importing
of scripts from other sources. For example, security teams could port their data-handling
scripts directly to XSOAR, allowing for in-platform data handling, again saving time and
empowering teams to focus on more complex problems.
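An added example of email-address extraction from nested incident context, modelled on the need described above for Figure 14 but not taken from that script or from XSOAR. It walks an arbitrary context structure (dicts, lists, strings) and also recovers defanged addresses written in the `[at]` / `[.]` convention, which a plain regex pass over the raw text would miss when an analyst pastes shared intelligence into a case. The sample context, the defang patterns handled, and the helper names are constructed for this example.

```python
import re

# Pragmatic address pattern: good enough for indicator extraction, not a
# full RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Defanging conventions commonly used when sharing indicators, for example
# alice[at]example[.]com or alice(at)example(dot)com. Reversed before matching
# so defanged addresses are not missed. The set handled here is an assumption.
_AT = re.compile(r"[\[(](?:at|@)[\])]", re.IGNORECASE)
_DOT = re.compile(r"[\[(](?:dot|\.)[\])]", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged separators back into '@' and '.'."""
    return _DOT.sub(".", _AT.sub("@", text))


def extract_emails(context) -> list:
    """Walk nested context (dicts, lists, strings) and return unique addresses, sorted."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            for match in EMAIL_RE.findall(refang(node)):
                found.add(match.lower())   # fold case so ALICE@ and alice@ are one indicator
        # Numbers, booleans and None carry no addresses and are skipped.

    walk(context)
    return sorted(found)


# Constructed incident context, shaped like the nested data an integration leaves behind.
SAMPLE_CONTEXT = {
    "Email": {
        "From": "Alice <alice[at]evil-example[.]com>",
        "Body": "Reply to ALICE@evil-example.com or bob@partner-example.org.",
    },
    "Headers": [{"Return-Path": "<bounce@evil-example.com>"}],
    "Note": "no address in this field",
    "Score": 7,
}

if __name__ == "__main__":
    for address in extract_emails(SAMPLE_CONTEXT):
        print(address)
```

Inside an XSOAR automation the context would arrive through the script’s arguments and the resulting list would be written back to context with `return_results`; the function is kept standalone here so it runs offline, and the same walker can be pointed at any other indicator pattern (domains, hashes) by swapping `EMAIL_RE`.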



XSOAR++
In this final section, we posit that although XSOAR is a powerful and capable tool, it can be
extended even further. You can expand your XSOAR instance with integrations, use cases,
and other content packs via the Cortex Marketplace. Figure 15 provides a snippet of the
Marketplace, which contains integrations by Cortex XSOAR and third-party partners.

Figure 15. Snippet of the XSOAR Marketplace



Content packs can be an integral part of security teams’ start-up with platforms like
XSOAR because they can help easily introduce responses and other actions to certain
adversaries and/or TTPs. For example, we spent some time getting familiar with the Rapid
Breach Response content pack, which contains “a collection of playbooks to rapidly
respond to high profile breaches.” See Figure 16.

Figure 16. Snippet of the Rapid Breach Response Content Pack from XSOAR’s Marketplace

Marketplaces and shared content packs help security teams get up and running quickly,
utilizing shared content to get threat actor coverage immediately. This also buys the team
time to get familiar with the platform’s capabilities and expand their understanding while
still receiving some forms of protection.

XSOAR has powerful integration capabilities. There are hundreds of integrations, allowing
customers to build their own approach. Customers can utilize their own plug-ins, APIs,
and data enrichment capabilities as they see fit. At no point did we see XSOAR define the
“right” way; rather, it provides a myriad of options to tune the tool as needed. In short,
XSOAR users can bring their own tech or capabilities to the table, and XSOAR can utilize
that technology to enable and expand current capabilities.



Closing Thoughts
Palo Alto Networks’ Cortex XSOAR offers a comprehensive SOAR solution that empowers
SOCs and security teams to automate incident response workflows, manage security cases
efficiently, and leverage threat intelligence effectively. Collaboration is key in security,
and with XSOAR, teams can easily work together to triage alerts and resolve incidents.
By automating repetitive tasks and centralizing security, Cortex XSOAR allows analysts to
focus on critical threats and investigations.

As the security landscape continues to evolve, platforms such as XSOAR will play an
important role in empowering and enabling SOCs to defend against threats of today and
tomorrow. However, even the best laid plans and tools can go to waste if not properly
tuned or trained to the needs of their host environment. Taking the time to utilize a
complete and capable platform such as Cortex XSOAR is an investment that will surely
arm your team for the threats of tomorrow.

Sponsor

SANS would like to thank this paper’s sponsor:
