Palo Alto XSOAR Review and Alternatives

Palo Alto Cortex XSOAR is part of a suite of modules that provide system security. The three elements of this platform are XDR for coordinated endpoint protection and response, XSOAR, which provides coordination with third-party system tools, and Xpanse, a vulnerability scanner.

The Cortex system’s three modules work together to protect networks through coordinating threat research gathered from endpoints and system features, such as network activity monitors, access rights managers, and firewalls. It is the job of XSOAR to link through to those third-party packages. XSOAR gets its name from SOAR, security orchestration, automation, and response.

About Palo Alto Networks

Palo Alto Networks was founded in 2005 by Nir Zuk. Although Zuk built his career in his native Israel, he had emigrated to the USA when he created Palo Alto Networks. Zuk started his interest in cyber security at the age of 16 by writing viruses. Then, he switched to developing systems to block malware and forged a career with Check Point. Zuk was the lead developer on the Check Point project that created the world’s first stateful firewall.

The firewall is the main product of Palo Alto Networks. The company’s first creation was the original next-generation firewall, released in 2007. This product is based on the stateful concept, which examines a series of packets and their contents rather than scrutinizing the headers of each packet individually.

The innovations that went into creating the next-generation firewall can also be encountered in Palo Alto’s other products, including the Cortex suite. Important elements that indicate a next-gen product are user and entity behavior analytics (UEBA) and SOAR. While the XSOAR product is a distinct module in the Cortex platform, the UEBA feature, which applies machine learning to identify non-standard behavior, is integrated into the XDR.

About SOAR

The concept of SOAR aims to promote the flow of data between software. By complying with data exchange protocols, systems can pass instructions to each other and information.

The monitoring systems on your endpoints can provide source information for security threat detection services. This is in addition to the log messages that software, operating systems, and applications routinely generate. While SIEM systems can pick up log messages, the rich source of information that software gathers and holds for its purposes is usually inaccessible to security systems.

Security orchestration, automation, and response services provide a way to extract meaningful data in a useable format. However, the information that the security management system can use might not be automatically available in the other software running on the same host. So, SOAR requires a workflow that can activate a data query within an application, output it in a transferable format, import it into the incident management hub, and pool that information with data from other sources for analysis.

When a correlation system sorts through a data pool for indicators of compromise, it will generate an alert if one suspicious event is detected. That single event in isolation might seem innocuous, and if non-threatening processes execute it, it could easily be a good action. However, the indicators of compromise (IoCs) used by threat detection systems usually link together a series of actions representing a security breach. Therefore, an initial alert would begin an observation period that looks for a linked event.

If sufficient linked events indicate a threat, the threat detection system declares an incident that needs to be blocked. This triggers an action. The rules base that comprises IoCs and actions is called a playbook. This is a list of triggers and actions that need to be performed if one is activated.

Those actions represent the response part of SOAR, and they can be implemented by passing instructions to other software packages. This again involves a data exchange and could be an update to access rights management tables or changes to rules in firewalls. The operating system can be instructed to kill a process and delete specific files in the response.

How XSOAR operates

The software provided by different developers to work together is no accident. However, that capability needs to be built in because the sending and receiving of data need to be coordinated, and data needs to be formatted in an agreed layout to be useable.

The capability for one software package to launch processes in another is enabled through APIs. These are libraries of functions that can be used in other programs to call services in the package for which the API was written.

The critical feature that makes Cortex XSOAR powerful is its library of integrations. Each integration is a package of APIs and data exchange formats. The XSOAR software contains routines to provide communications with 750 other software packages. These are the stubs for the integrations. The user needs to activate an integration and install the functions that make those stubs useful.

The activation of integration creates routines that can be viewed in the dashboard for XSOAR. The facilities created by the integrations can then be included in a playbook to draw in data from other software and then send out instructions to system services.

XSOAR removes the need for security monitors to duplicate the effort of applications already running on the network. For example, if you already have a network monitor, there is no need to buy a security system with its network monitoring routines. Instead, XSOAR can extract the relevant information from that existing network monitor, specifying statistics relevant to threat analysis.

XSOAR Content Packs

The quality of service you get from XSOAR dramatically depends on the other software packages running on your system. Not all software will automatically be compatible with XSOAR – only those with integrations available. Palo Alto also hopes that customers will buy the Cortex XDR and Cortex Xpanse systems to augment the services of Cortex XSOAR.

Integrations are called Content Packs. In most cases, these are plugins for connections through to commercial software packages that you have already bought. In some cases, the content Pack provides a partial implementation of the related software, so you don’t need to buy that other software package. However, those Content Packs are charged for. Essentially, you buy those other software packages as add-ons to Cortex XDR rather than purchasing the package separately and linking it to Cortex XSOAR.

You can access a database of available Content Packs for Cortex XSOAR at the XSOAR website. Examples include packs to link to AWS services, such as GuardDuty, CloudWatchLogs, and CloudTrail. Cisco Systems, Anomali, and Ansible are three other providers of Content Packs. In these instances, the packs are free to use. Premium Content Packs have to be paid for, and examples of these are threat intelligence feeds and analyzers. The majority of Content Packs are offered for no charge.

Palo Alto XSOAR deployment options

Palo Alto offers Cortex XSOAR as a hosted SaaS service. This presents a dashboard in the cloud, which is hosted on AWS servers. In this configuration, the XSOAR system requires agents to be installed on your system. The agent is called the Cortex XSOAR Engine. Although this module performs some processing locally, its primary function is to send data to the Cortex server in the cloud and receive instructions back. It will then implement thorough interfaces to other software packages.

The Cortex XSOAR Engine is available for Windows, Docker on Linux, and RHEL, Ubuntu, and CentOS Linux.

The Cortex XSOAR server can be installed on-premises for those who don’t want to use the SaaS version. This software package runs on Linux: RHEL, Ubuntu, CentOS, Oracle Linux, and Amazon Linux.

Cortex XSOAR prices

Palo Alto doesn’t publish its prices for any of its products. In the case of Cortex XSOAR, you can access a package version without paying anything. The Cortex XSOAR Community Edition is offered for download through a 30-day free trial of the full, paid Cortex XSOAR system. After 30 days, those who choose not to buy get to the free version.

The Community edition is limited to:

  • 166 automation commands per day
  • A 30-day data retention period
  • Five active feeds with 100 indicators per feed
  • The incident closure report system

While the paid Enterprise Edition receives full professional support, users of the Community Edition need to rely on community forums for assistance.

Cortex XSOAR strengths and weaknesses

You might think that the Palo Alto XSOAR system provides all of the security management that you could need. However, this is not the case. The service is more of a data hub. The dashboard includes incident statistics and offers automation playbooks, but its power is only as great as the related software that you already have installed. You will probably need to buy and run other security software, such as the Cortex XDR and Cortex Xpanse systems plus firewall software to get complete system protection. Here is a summary of the strengths and weaknesses of Palo Alto Cortex XSOAR.


  • A way to exploit your existing monitoring and management systems to provide security monitoring functions
  • Data retention for incidence analysis
  • Links through to well-known ticketing and project management tools
  • Options for SaaS or an on-premises deployment
  • Free version that is suitable for small businesses


  • It doesn’t replace a complete security system

You need to buy other software packages that are compatible to get the full benefit of this service.

Alternatives to Palo Alto Cortex XSOAR

Palo Alto Cortex XSOAR is probably a better idea if it is subscribed to in conjunction with Cortex XDR. That product will ensure that the XSOAR gets good quality security data fed into it. Without compatible software packages a good source of system activity information, the Cortex XSOAR service won’t be used.

Cortex XSOAR isn’t the only SOAR service available, and it is always a good idea to check out a few contenders before choosing any IT asset.

Here is our list of the best alternatives to Palo Alto XSOAR:

  1. Rapid7 Insight Connect This SOAR service is a close match for Cortex XSOAR because it supplies a reputable security system. It is part of a suite of security systems. The Insight platform includes an XDR/SIEM system and a vulnerability manager. In addition, this system has a library of 300 plug-ins to facilitate connections to other software systems. Access a free trial to assess Rapid7 Insight Connect.
  2. Siemplify SOAR This service is available in both free and paid versions. The SOAR is also offered as a multi-tenancy system for MSPs. The package has its case management dashboard and includes compatible software packages progress and efficiency reporting. This is a SaaS platform, and the Community Edition, while permanently free, acts as an assessment tool for businesses interested in buying.
  3. ThreatConnect SOAR Platform Like Cortex, ThreatConnect is a SaaS platform that provides a suite of security utilities, one of which is a SOAR. This system links to a threat intelligence platform and a risk assessment service on the same platform. It will also integrate with third-party software. You can access a demo to try out ThreatConnect SOAR.
  4. Splunk SOAR The Splunk system is a flexible data analyzer, and its producer has recently been adding on new services, particularly security monitoring capabilities. The SOAR is part of that innovation and shares its platform with other services, such as a SIEM and an incident response system. This service is available as part of Splunk Security Cloud or an on-premises system, Splunk Enterprise Security, for Windows, Windows, Server, Linux, Unix, and macOS.
  5. ServiceNow Security Incident Response Provided by a leading service management system provider, this SOAR integrates seamlessly with incident and project management tools on the same SaaS platform. Reach out to your monitoring and management tools to improve security data sharing with this SOAR. This unit is part of the ServiceNow Security Operations package, which you can experience on a demo.