// What is XSOAR?
Cortex XSOAR (Security Orchestration, Automation, and Response) is Palo Alto Networks' SOAR platform. It connects your security tools, automates repetitive analyst tasks, and orchestrates incident response workflows through a visual playbook engine.
In a mature SOC, XSOAR sits between the SIEM (which generates alerts) and the analyst (who investigates). It handles the initial enrichment automatically (querying threat intel, looking up IPs, checking hashes against VirusTotal), so analysts spend their time on decisions rather than on data gathering.
XSOAR was formerly known as Demisto before Palo Alto Networks acquired it in 2019. You'll still see "Demisto" referenced in older integrations, scripts, and documentation.
// SOAR Concepts
Orchestration
Connecting disparate tools so they work together: XSOAR sends commands to your firewall, EDR, ticketing system, and threat intel feeds through a single interface.
Automation
Replacing manual, repetitive tasks with scripts (enriching an IP, blocking a hash, sending a Slack notification) that execute automatically without analyst intervention.
Response
Taking action as part of the investigation workflow (isolating a host in the EDR, disabling a user in Active Directory, creating a ticket), all from within XSOAR.
Metrics
XSOAR tracks MTTR (Mean Time to Respond), analyst workload, and playbook performance, giving management visibility into SOC efficiency.
// Console Overview
| Section | Purpose |
|---|---|
| Incidents | Central queue for all incidents ingested from integrated sources or created manually |
| War Room | Per-incident collaboration and investigation workspace; every action and output is logged here |
| Playbooks | Visual workflow editor for building and managing automated response flows |
| Indicators | IOC management: IPs, domains, hashes, URLs with reputation scores and context |
| Dashboards | Configurable widgets for incident metrics, SLA tracking, and workload distribution |
| Marketplace | Pre-built integrations, playbooks, and scripts for hundreds of security tools |
| Settings | Integrations, user management, classifier rules, incident types |
// Incident Management
Incidents in XSOAR are created automatically (via integrations fetching from a SIEM or EDR) or manually. Each incident has a type (Phishing, Malware, Network Attack, etc.), assigned by the classifier on ingestion; the type's default playbook is what runs automatically when the incident is created.
Key incident fields
| Field | Description |
|---|---|
| Incident ID | Unique identifier, referenced in War Room commands |
| Type | Incident classification; determines the default playbook and layout |
| Severity | Unknown / Informational / Low / Medium / High / Critical |
| Status | Active / Pending / Done / Archive |
| Owner | Assigned analyst |
| SLA | Time remaining to respond; configurable per incident type |
| Labels | Searchable tags: source system, affected team, campaign name |
// Playbooks
Playbooks are the core of XSOAR. They are visual flowcharts that define an automated response workflow; each step either runs a command, calls a sub-playbook, asks a human for input, or makes a conditional decision based on data in context.
Task types
| Task type | What it does |
|---|---|
| Automated | Runs a script or integration command without analyst input |
| Manual | Pauses playbook and waits for analyst to complete a task (e.g. "Review findings and classify") |
| Conditional | Branches the playbook based on context data, e.g. "If DBotScore = 3 (Bad), isolate host" |
| Sub-playbook | Calls another playbook inline; promotes reuse (e.g. a generic "Enrich IP" playbook called from many parent playbooks) |
| Section header | Organisational grouping; no logic, just a label for readability |
Example: Phishing playbook flow
Trigger: New incident type = Phishing
  → Extract IOCs from email (URLs, sender IP, attachments)
  → Enrich sender IP (VirusTotal, AbuseIPDB)
  → Check URLs against proxy / URL scanner
  → Hash attachment → check against VirusTotal
  → [Conditional] If any IOC is malicious:
      → Notify SOC lead via Slack
      → Block sender domain in email gateway
      → Search mailboxes for similar emails (O365 integration)
      → [Manual] Analyst reviews and approves remediation
      → Delete emails from all affected mailboxes
      → Close incident
  → [Else] Mark as false positive → close
// War Room
The War Room is the investigation workspace for each incident. Every automated action, analyst command, file attachment, and note is logged here chronologically, creating a full audit trail of the investigation.
Running commands in the War Room
You can run integration commands directly from the War Room using the command input bar. Commands follow the pattern !integration-command argument=value; the leading ! tells XSOAR to execute the text as a command rather than post it as a note. Because every command and its output lands in the War Room, ad hoc analyst actions are audited the same way playbook tasks are.
!ip ip=1.2.3.4
!url url=http://evil.example.com
!file file=d41d8cd98f00b204e9800998ecf8427e
!whois query=evil.example.com
!ad-get-user username=jsmith
!xdr-isolate-endpoint endpoint_id=abc123
War Room outputs are automatically parsed into context data (structured key-value data). You can reference these outputs in playbook conditions and subsequent commands, e.g. ${IP.Address} or ${DBotScore.Score} populated by a previous !ip call.
// Context Data
Context is XSOAR's data store for an incident: a structured JSON object that accumulates information as the playbook runs. Commands write their output into context paths, and playbook conditions read from those paths.
${IP.Address}: IP address of the indicator
${IP.Malicious.Vendor}: which vendor flagged it as malicious
${File.MD5}: file hash
${URL.Data}: the URL string
${Account.Username}: username from AD lookup
${Endpoint.Hostname}: hostname from EDR query
${DBotScore.Score}: normalised reputation score (0-3)
The DBotScore is a standardised reputation format: 0 = Unknown, 1 = Good, 2 = Suspicious, 3 = Bad. Most threat intel integrations populate this automatically so playbook conditions can branch on it without knowing the specific vendor format. Note that 0 (Unknown) means no vendor returned a verdict; it is not the same as Good, so a condition that treats "not Bad" as clean will wave through indicators that were never actually enriched.
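As an added example (not from the page, and not XSOAR's or Palo Alto Networks' own code), here is the aggregation a [Conditional] task effectively performs when several vendors have scored the same indicators. It runs offline on a constructed context snapshot; inside XSOAR the dict would come from demisto.context() and the result would go back via return_results (that wiring is assumed and not shown). Vendor names and indicator values in the snapshot are made up.

```python
"""Added example: decide a playbook branch from DBotScore entries in context.
Pure Python on a constructed context snapshot; nothing here calls XSOAR."""

# DBotScore scale as documented on this page
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
SCORE_NAMES = {UNKNOWN: "Unknown", GOOD: "Good", SUSPICIOUS: "Suspicious", BAD: "Bad"}

# Constructed context snapshot shaped like what a few !ip / !url / !file calls
# leave behind. Indicators use documentation ranges; vendor names are made up.
SAMPLE_CONTEXT = {
    "DBotScore": [
        {"Indicator": "198.51.100.7", "Type": "ip", "Vendor": "VendorA", "Score": 1},
        {"Indicator": "198.51.100.7", "Type": "ip", "Vendor": "VendorB", "Score": 2},
        {"Indicator": "http://evil.example.com/x", "Type": "url", "Vendor": "VendorA", "Score": 3},
        {"Indicator": "d41d8cd98f00b204e9800998ecf8427e", "Type": "file", "Vendor": "VendorA", "Score": 0},
        {"Indicator": "203.0.113.9", "Type": "ip", "Vendor": "VendorA", "Score": 0},
    ]
}


def dbotscore_entries(context):
    """Context stores a single object as a dict and several as a list; normalise to a list."""
    entries = context.get("DBotScore", [])
    if isinstance(entries, dict):
        entries = [entries]
    return [e for e in entries if isinstance(e, dict)]


def worst_score_per_indicator(context):
    """Keep the highest (worst) score any vendor gave each (type, indicator).

    max() gives the safe semantics: one vendor's Good (1) cannot cancel another's
    Bad (3), and Unknown (0) never outranks a real verdict.
    """
    worst = {}
    for e in dbotscore_entries(context):
        key = (str(e.get("Type", "")).lower(), str(e.get("Indicator", "")))
        score = int(e.get("Score", UNKNOWN))
        worst[key] = max(worst.get(key, UNKNOWN), score)
    return worst


def triage(context, threshold=BAD):
    """The decision a [Conditional] task would make on this context.

    Returns which indicators reach the threshold, which are still Unknown (never
    scored, which is not the same as clean), and whether to take the malicious branch.
    """
    worst = worst_score_per_indicator(context)
    flagged = sorted(ind for (_, ind), s in worst.items() if s >= threshold)
    unknown = sorted(ind for (_, ind), s in worst.items() if s == UNKNOWN)
    return {
        "malicious_branch": bool(flagged),
        "flagged": flagged,
        "unknown": unknown,
        "verdicts": {ind: SCORE_NAMES.get(s, str(s)) for (_, ind), s in worst.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CONTEXT)
    print("take malicious branch:", result["malicious_branch"])
    print("flagged:", result["flagged"])
    print("still unknown (not enriched):", result["unknown"])
    print("verdicts:", result["verdicts"])
```

The separate "unknown" list is the part most playbooks forget: those indicators should feed a retry or a manual task, not be treated as clean because they failed the "is Bad" test.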
// Integrations
XSOAR's value comes from its integrations � connectors to external tools. The Marketplace has hundreds of pre-built integrations. Key categories:
| Category | Examples |
|---|---|
| Threat Intelligence | VirusTotal, AbuseIPDB, Recorded Future, Shodan, MISP |
| EDR / XDR | Cortex XDR, Microsoft Defender for Endpoint, CrowdStrike Falcon |
| SIEM | Microsoft Sentinel, Splunk, IBM QRadar |
| Identity | Active Directory, Microsoft Entra ID, Okta |
| Email Security | Microsoft Exchange, O365, Proofpoint, Mimecast |
| Ticketing | ServiceNow, Jira, PagerDuty |
| Communication | Slack, Microsoft Teams, email |
| Firewall / Network | Palo Alto NGFW, Fortinet, Cisco |
| Sandboxing | Any.Run, Joe Sandbox, VirusTotal Files |
// Automation Scripts
XSOAR scripts (automations) are Python or JavaScript functions that run in the platform sandbox. They can read and write context data, call integration commands, and implement logic that the built-in task types cannot express. The example below extracts URLs from a text argument and writes them to context under ExtractedURLs so later tasks can use them:
    import demistomock as demisto          # provides the demisto object when run outside the platform; the server supplies it inside
    from CommonServerPython import *       # return_results, entryTypes, formats and other helpers
    import re

    def main():
        # 'text' is the script argument to scan, e.g. an email body passed in from the playbook
        text = demisto.args().get('text', '')
        urls = re.findall(r'https?://[^\s\'"<>]+', text)
        unique_urls = sorted(set(urls))    # de-duplicate; sorted so the output is stable between runs
        return_results({
            'Type': entryTypes['note'],
            'ContentsFormat': formats['json'],
            'Contents': unique_urls,
            'HumanReadable': f'Found {len(unique_urls)} URLs',
            'EntryContext': {'ExtractedURLs': unique_urls}   # written to context for later tasks
        })

    if __name__ in ('__main__', '__builtin__', 'builtins'):
        main()
// Tips & Best Practices
Build modular playbooks. Avoid one large monolithic playbook. Build small, reusable sub-playbooks ("Enrich IP", "Enrich Hash", "Isolate Endpoint") and call them from multiple parent playbooks. Easier to maintain and test.
Use Manual tasks for decision gates. Don't fully automate response actions that carry risk (isolating hosts, deleting emails). Add a manual task for analyst review before the action runs; this keeps a human in the loop where it matters.
Test playbooks in a lab incident. Create a test incident manually and run your playbook against it before pointing it at live alerts. XSOAR has a playbook debugger that lets you step through tasks and inspect context at each stage.
Rate limits on integrations. Threat intel APIs (VirusTotal, AbuseIPDB) have rate limits. If your playbook queries them for every indicator in every alert, you'll hit limits fast. Cache results in context or use batch lookups where supported.
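An added example (not from the page, and not XSOAR's own code) of the caching and batching advice above: it plans the lookups a playbook still needs after de-duplicating indicators across the incident and skipping those that already carry a verdict in context. It runs offline on constructed data; in XSOAR the context would come from demisto.context() and each batch would be handed to an integration's batch-capable command, whose name and argument differ per integration (assumed here, not shown).

```python
"""Added example: plan threat-intel lookups so a playbook stays under API rate limits.
Pure Python on constructed data; nothing here calls XSOAR or a vendor API."""

# Constructed: indicators extracted from three alerts in one incident, with repeats.
EXTRACTED = {
    "ip": ["198.51.100.7", "203.0.113.9", "198.51.100.7", "192.0.2.1", "203.0.113.9"],
    "url": ["http://evil.example.com/x", "http://evil.example.com/x"],
}

# Constructed: what an earlier enrichment in this incident already left in context.
CONTEXT = {
    "DBotScore": [
        {"Indicator": "198.51.100.7", "Type": "ip", "Vendor": "VendorA", "Score": 2},
        # Score 0 (Unknown) means the vendor had no data, so this is not a usable cache hit
        {"Indicator": "203.0.113.9", "Type": "ip", "Vendor": "VendorA", "Score": 0},
    ]
}


def already_scored(context):
    """(type, indicator) pairs that already carry a real verdict (Score > 0).

    Unknown (0) is deliberately excluded: it usually means the lookup found
    nothing, and a fresh query may do better now.
    """
    entries = context.get("DBotScore", [])
    if isinstance(entries, dict):
        entries = [entries]
    return {
        (str(e.get("Type", "")).lower(), str(e.get("Indicator", "")))
        for e in entries
        if isinstance(e, dict) and int(e.get("Score", 0)) > 0
    }


def plan_lookups(extracted, context, batch_size):
    """Return {type: [batch, ...]} of indicators that still need a lookup.

    De-duplicates while keeping first-seen order, drops cached verdicts, then
    chunks into batch_size groups for integrations that accept several values per call.
    """
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    cached = already_scored(context)
    plan = {}
    for ioc_type, values in extracted.items():
        pending = [v for v in dict.fromkeys(values) if (ioc_type.lower(), v) not in cached]
        plan[ioc_type] = [pending[i:i + batch_size] for i in range(0, len(pending), batch_size)]
    return plan


def api_calls_needed(plan):
    """Number of integration commands the plan will issue."""
    return sum(len(batches) for batches in plan.values())


def naive_calls(extracted):
    """One call per extracted value: the cost of an un-cached per-indicator loop."""
    return sum(len(values) for values in extracted.values())


if __name__ == "__main__":
    plan = plan_lookups(EXTRACTED, CONTEXT, batch_size=2)
    print("plan:", plan)
    print("calls without caching/batching:", naive_calls(EXTRACTED))
    print("calls with caching/batching:", api_calls_needed(plan))
```

On this constructed incident the naive loop would spend seven API calls; the plan issues two. Pick batch_size from the integration's documented maximum, and keep the Unknown-is-not-cached rule, otherwise one vendor outage permanently "caches" empty results for the rest of the incident.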