Cortex XDR, for example, correlates data across these domains to identify patterns and techniques that might otherwise go unnoticed. It also automatically groups related alerts into a single incident, helping analysts understand the broader context more quickly.
“That’s one of the biggest problems in a SOC,” Vish explains. “You may have all of these alerts happening independently, only to find out they’re all related. Automatically grouping those and creating a story speeds everything up.”
Automation Becomes Essential at Scale
As alert volumes skyrocket, automation is no longer optional. Vish notes that Palo Alto Networks’ own SOC processes nearly 100 billion alerts per day — yet only a handful require human review. “We’re striving to automate everything a Level 1 and Level 2 analyst does,” he says. “Not to eliminate those roles, but to let people focus on the more sophisticated attacks.”
Automation in Cortex XDR spans a wide range of tasks, from correlating alerts and initiating investigations to triggering response actions such as quarantining endpoints or isolating parts of a network. The platform can also automatically collect forensic data when suspicious activity is detected, reducing the time analysts spend gathering information.
A key component of this approach is the use of predefined playbooks and artificial intelligence-driven agents, which execute response actions at machine speed. Organizations can tailor these workflows to match their risk tolerance — for example, automatically isolating certain systems while flagging others for human review.
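As an added illustration, not Cortex XDR's own code or any Palo Alto Networks API, the following Python sketches the two ideas above: alerts from separate sources that share a host, user or file hash are merged into one incident, and a hypothetical risk policy then decides whether that incident is isolated automatically or flagged for an analyst. The alert data, entity fields and policy thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample alerts (made-up values, not real indicators), as a SOC
# might receive them from separate endpoint, network, identity and cloud sources.
ALERTS = [
    {"id": "a1", "source": "endpoint", "host": "ws-042", "user": "jdoe", "sha256": "h1"},
    {"id": "a2", "source": "network", "host": "ws-042", "dst": "203.0.113.9"},
    {"id": "a3", "source": "identity", "user": "jdoe", "event": "impossible_travel"},
    {"id": "a4", "source": "endpoint", "host": "db-prod-01", "sha256": "h7"},
    {"id": "a5", "source": "cloud", "user": "svc-backup", "event": "key_created"},
]
ENTITY_KEYS = ("host", "user", "sha256")  # fields that link alerts to each other
CRITICAL_HOSTS = {"db-prod-01"}           # hypothetical: never auto-isolate these

def group_into_incidents(alerts):
    """Merge alerts that share any entity value into one incident (union-find)."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_entity = defaultdict(list)
    for a in alerts:
        for key in ENTITY_KEYS:
            if key in a:
                by_entity[(key, a[key])].append(a["id"])
    for ids in by_entity.values():
        for x, y in zip(ids, ids[1:]):
            parent[find(x)] = find(y)      # same entity -> same incident
    incidents = defaultdict(list)
    for a in alerts:
        incidents[find(a["id"])].append(a["id"])
    return sorted(sorted(ids) for ids in incidents.values())

def decide_response(incident_ids, alerts):
    """Hypothetical risk policy: auto-isolate an ordinary host once two or more
    telemetry sources agree; crown-jewel systems are only flagged for a human."""
    members = [a for a in alerts if a["id"] in incident_ids]
    hosts = {a["host"] for a in members if "host" in a}
    sources = {a["source"] for a in members}
    if hosts & CRITICAL_HOSTS:
        return "flag_for_analyst"
    if hosts and len(sources) >= 2:
        return "auto_isolate"
    return "monitor"

def triage(alerts):
    """Return {incident tuple: action}; here a1-a3 collapse into one incident."""
    return {tuple(ids): decide_response(ids, alerts) for ids in group_into_incidents(alerts)}
```

Running `triage(ALERTS)` yields one three-alert incident that is isolated automatically, one flagged for review because it touches the critical database host, and one cloud-only alert left at monitor.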
The goal is straightforward: reduce mean time to detection (MTTD) and mean time to response (MTTR). “I’d much rather stop something in seconds than minutes, hours or days,” Vish says. “That’s how you keep the blast radius small.”
And it’s working: Vish notes that more than 60% of Palo Alto Networks’ Cortex XSIAM (Extended Security Intelligence and Automation Management) customers now report an MTTR of less than 10 minutes.