Palo Alto Networks XSOAR Integration: Maximizing Automation for Incident Detection and Remediation

Automation is becoming more and more prevalent and sought after by Security Operations Centers (SOC). This is driven by the increasing cybersecurity skills gap, intensified by the volume of security data and alerts that require analysis. To address this, SOC teams are looking at tools such as Security Orchestration Automation and Remediation (SOAR) systems.

However, in our interactions with customers, we are finding a great deal of frustration for organizations that have rolled out SOARs. Much of this frustration comes from the inability of the SOAR to digest the volume of data and alerts that are generated from various sensors in the environment. Not to mention the correlation and decision-making that needs to happen to find malicious behavior. When this occurs, organizations miss out on the automation benefits, particularly for incident remediation, that SOAR was meant to address in the first place.

Exacerbating this frustration is the sheer amount of time, effort and cost it takes to write playbooks for automated incident remediation.  Additionally, playbooks must be maintained over time to keep up with the latest Tactics, Techniques and Procedures (TTP) that are constantly changing. However, if the SOAR isn’t finding the incidents or cannot monitor the data at scale (as is necessary), those playbooks that automate remediation are of little value.

As we announced last fall, the Respond Analyst integrates with Palo Alto Networks XSOAR (formerly Demisto). This integration allows Respond to take the heavy lifting of front-end alert monitoring, triage and scoping off of XSOAR. Once incidents are identified and false positives are discarded, the Respond Analyst forwards only the malicious incidents that require remediation. From there, XSOAR will automate remediation actions to close the incident.

Unlocking SOAR with eXtended Detection and Response (XDR)

The Respond Analyst, an XDR Engine from Respond Software, enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis and triage of events before they are passed to the SOAR system. The Respond Analyst is scalable to handle millions of events, escalating actionable and malicious incidents into SOAR for remediation, while filtering out false positives. However, unlike SOAR, the Respond Analyst does not require coding, customization or maintenance over time, therefore, time to value can be recognized in hours. Leveraging the Respond Analyst with SOAR reduces attack dwell time, remediates security issues faster through additional automation, and elevates analyst collaboration.

The Respond Analyst and Palo Alto Networks Integration – how it works

The Respond Analyst monitors events, asks questions about them and then makes decisions if they need to be scoped together to create an incident or if the data is not significant to any malicious behavior.  If the later is true, then the event(s) are discarded as false positives.  However, if a new incident is created, it  can be fetched by Palo Alto Networks XSOAR and stored there until it is remediated.  The screen shot below shows a sample incident that has been detected in the last 24 hours in the Respond Analyst console.

Drilling into the incident in the Respond Analyst console will provide an overview of it along with the supporting evidence.  In this case, the incident is “Suspicious Activity” because it involved assets from past incidents and an executable was run with a contradicting file extension.

With Palo Alto XSOAR running in the environment, the incident can be fetched from the Respond Analyst and sent to the XSOAR console via JSON.  Over time, as the Respond Analyst monitors new and relevant events, the incident continues to be scoped and subsequently fetched from XSOAR.

Once the analyst confirms the incident, they can assign a user from XSOAR to the Respond Analyst.  When the incident is remediated, the analyst can close the incident in XSOAR, which automatically calls the Respond Analyst to do the same.  Feedback from the incident can shared with the Respond Analyst resulting in improved decision-making in the future.


The Respond Analyst investigates, scopes, triages and correlates events, increasing the incident remediation capabilities of XSOAR. The Respond Analyst enables security analysts to stop looking at consoles all day and start investigating incidents, a more valuable use of their time. The combination of the Respond Analyst and XSOAR will result in reduced attack dwell time for customers that have or are considering the use of both solutions.

For more information on the Respond Analyst and SOAR:

Is the Respond Analyst a SOAR Tool?
Putting the Automation into SOAR

The post Palo Alto Networks XSOAR Integration: Maximizing Automation for Incident Detection and Remediation appeared first on Respond Software.

*** This is a Security Bloggers Network syndicated blog from Blog – Respond Software authored by Mike Reynolds. Read the original post at: