Security and Compliance - Hosted Service Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations


The Palo Alto Networks Cortex XSOAR production environment has SOC 2 Type II and ISO 27001 certification. Palo Alto Networks is dedicated to strong security policies and internal controls. The Palo Alto Networks SOC monitors servers 24/7 for vulnerability compliance. The annual penetration test report and the SOC 2 report can be provided upon request.


Development instances in the hosted service are not SOC 2 compliant.

Security measures include but are not limited to:

  • Inbound traffic is allowed only on port 443. Inbound traffic to the web interface can be limited to specific CIDRs by submitting a support ticket. Up to 100 custom rules per environment are supported.

  • No customer-operated or customer-owned agents can be installed on hosted service components (instance, network, load balancer, etc.).

  • Penetration testing is performed annually, while additional ongoing tests are done as part of the Cortex XSOAR development process.

  • Docker hardening is applied by default and Docker is upgraded with system upgrades, as needed.

  • Integration credentials are stored encrypted in the database.

AWS Specific Security Measures

  • DDoS protection is provided through an AWS load balancer.

  • AWS is the SSL certificate provider. Certificates managed in the AWS Certificate Manager (ACM) use RSA keys with a 2048-bit modulus and SHA-256.

  • Data at rest is encrypted using AWS EBS volume encryption with a dedicated CMK.

Cortex XSOAR Key Management Policy

  • Each customer has their own AWS KMS key, generated by AWS.

  • AWS KMS keys are rotated yearly.

  • Palo Alto Networks secures the AWS KMS key via IAM and the AWS KMS key policy.

  • Only managers and administrators have key administrator privileges.

  • The AWS EBS service has permissions to encrypt, decrypt, and/or re-encrypt.

  • If vulnerabilities are found, the master keys can be rotated manually and the EBS volume can be re-encrypted as needed.

The outbound IP address is static and can be added to your allow list to permit connections from the hosted instance to your internal devices. The inbound IP address changes and is managed by Amazon Web Services.

Access to information in Cortex XSOAR is by default restricted to the customer’s users, to Palo Alto Networks DevOps team members who have been granted user permissions by the customer, and to customer support and success teams when a support case is opened. Customers are responsible for reviewing the information they submit to Palo Alto Networks and for omitting any data they do not wish to include and that is not required for support purposes. Access to telemetry data is limited to DevOps, customer success, product management and engineering.

In addition to the security measures specific to the Cortex XSOAR hosted service, the Cortex XSOAR application supports advanced methods of authentication via Active Directory, SSO, and a variety of other services to ensure that only users with a business need can access Cortex XSOAR. Passwords and API keys are encrypted when stored at rest. Data in Cortex XSOAR is encrypted at rest via volume encryption. All communications between Cortex XSOAR components and between Cortex XSOAR and third-party tools are TLS encrypted.

For more information about how data may be captured, processed, and stored by and within the service, please refer to Cortex XSOAR (Hosted) Privacy (PDF).