# Cutting Through the Noise: Simplifying SIEM Alerts with Cortex

By [Nadav Shai Kanon](https://www.paloaltonetworks.com/blog/author/nadav-shai-kanon/?ts=markdown "Posts by Nadav Shai Kanon"), Oct 16, 2024, 6 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)
Tags: [Cortex](https://www.paloaltonetworks.com/blog/tag/cortex/?ts=markdown), [SIEM](https://www.paloaltonetworks.com/blog/tag/siem/?ts=markdown), [Splunk](https://www.paloaltonetworks.com/blog/tag/splunk/?ts=markdown), [XSOAR](https://www.paloaltonetworks.com/blog/tag/xsoar/?ts=markdown)

### **A Deluge of Data**

Like many of us in the world of cybersecurity, your SecOps team has likely been overwhelmed by the volume of alerts flooding your SIEM. We've all been there: sifting through endless alerts, trying to figure out which ones actually matter. This deluge not only wears you out, it can cause you to miss real threats among the false alarms. The kicker? A lot of these alerts are false positives, alerts that look scary but turn out to be benign activity, and they quickly drain your resources and obscure your visibility. Addressing false positives effectively is crucial to staying on top of genuine threats and keeping your security posture strong.

For organizations that use Splunk as their SIEM, integrating Cortex XSOAR® with Splunk isn't just an operational upgrade, it's a game changer for your daily workflow. By pairing XSOAR with Splunk, we create a powerful duo that turns the tide on false positives. XSOAR's industry-leading automation, paired with Splunk's deep data insights, paves the way for a more accurate and efficient workflow.

> Alerts went from 10,000 per week to roughly 500, a staggering 95% reduction stemming largely from swift resolution of false positives and duplicate incidents, thanks to automated playbooks and historical cross-correlation.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330117-1.png)

Let's dive into how this integration can cut through the noise, simplify your alert triage process, and bring measurable value to your organization.
### **Crafting Automated Workflows with Splunk and XSOAR**

Let's look at a common use case, excessive failed login attempts, and how XSOAR works together with Splunk to analyze potential threats.

**Defining Alerts**

Start by defining what events should trigger an alert in Splunk. In the case of excessive failed login attempts, an alert could mean several things:

* A threat actor could be attempting to brute force user credentials.
* An authorized user may have forgotten their password (false positive).
* An automated process may be configured with incorrect credentials.

Determining the root cause of the alert may require an analyst, but we can collect a lot of data about the event up front and automate decision making to isolate high-risk situations.

**Fetch and Enrich with XSOAR**

Once Splunk raises the flag, the alert engages XSOAR, where a tailored playbook, *your strategic plan for investigation*, determines the risk level of the alert. Playbooks are at the heart of the Cortex XSOAR system. They enable you to automate many of your security processes, including, but not limited to, handling your investigations and managing your alerts. Your playbook further enriches the alert by asking additional questions about the dataset and looking for contextual clues about the event. Enrichments include:

* IP origin/reputation
* User context (account activity, permission level, etc.)
* Device security status

For our use case, we've used four out-of-the-box (OOTB) playbooks and merged them into a single master playbook, which allows us to rapidly assemble a solution to a common problem. These are the OOTB playbooks we chose:

* IP Enrichment - Generic
* Account Enrichment - Generic
* Active Directory - Get User Manager Details
* Access Investigation - Generic

These playbooks query external threat intelligence databases to assess the reputation of the IP involved.
They also retrieve user and endpoint data and examine them for details like the user's last successful login attempt or whether the endpoint has a security agent installed. We check the latter through EDR, SIEM, and other tool integrations, so that we get a comprehensive view of user and endpoint activity and a detailed picture of potential risks and the overall security posture.

![Figure 1: Enriching the incident entities](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330117-2.png)

Figure 1: Enriching the incident entities

**Automating Informed Decisions**

The goal of our playbook is to measure the risk associated with the event. For this use case, we want to filter out as many false positives as we can, so our analysts aren't distracted by red herrings. We quantify the acceptable risk level of an event through an **exoneration score**. The exoneration score is at the heart of our playbook and plays a pivotal role in distinguishing real threats from false positives. It can be tailored to your risk appetite, letting you mold these OOTB solutions to your specific needs. For our use case, we wanted to know the following about the event:

* **Last successful login attempt?** Attackers often target old but still active user accounts to pivot undetected. Long periods of inactivity could indicate malicious activity.
* **Any other relevant events?** Other alerts may have been generated for the same user, system, or IP address.
* **Is this a service account?** Some accounts exist only to execute processes. When passwords change but the processes aren't updated, these systems repeatedly attempt to connect until they lock themselves out of the network.
* **Can the user provide confirmation?** Playbooks can contact the implicated user through alternate channels, such as email or multifactor authentication (MFA), to verify the attempt.
Based on the enriched data, user feedback, and conditional checks, a playbook customized to our risk appetite generates the exoneration score, which either categorizes the alert as a false positive or escalates it to an analyst for further review.

![Figure 2: Crafting the exoneration score calculator](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/670840cc490ea926716723.gif)

Figure 2: Crafting the exoneration score calculator

If the alert is determined to be a false positive and closed in XSOAR, this status is mirrored back to Splunk, automatically closing the corresponding alert there as well. This keeps both platforms consistent and reduces maintenance.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/word-image-330117-4.png)

### **The Clear Value of Automation**

Most organizations share the same cybersecurity goal: minimize risk at the lowest possible cost. XSOAR doesn't just automate decision-making; it provides a clearer picture of the organization's attack surface. XSOAR delivers efficiency, accuracy, and optimization by separating the deluge of benign data from real indicators of attack. It also integrates easily with many different systems and provides unrivaled out-of-the-box workflows for automating alerts. XSOAR can use communication apps like Slack or Microsoft Teams for real-time communication with employees and admins, and it integrates with Active Directory and MFA solutions for advanced analytics and faster response actions. Beyond these integrations, XSOAR offers a large library of pre-written playbooks and other content types that streamline various security processes. These resources are designed for immediate deployment and can be customized to meet the specific needs of any organization.
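To make the two technical steps above concrete, the "Defining Alerts" threshold and the exoneration score, here is an added example in Python. It is not code from the post, from Cortex XSOAR or from the OOTB playbooks: the sample authentication events, usernames, IP addresses, enrichment answers, field names and score weights are all constructed for illustration, and the threshold of 5 failures in 10 minutes and the exoneration threshold of 60 are assumptions you would tune to your own risk appetite. Stage 1 stands in for the scheduled Splunk search; stage 2 stands in for the playbook that asks the four questions listed above and decides whether to close the alert as a false positive or escalate it.

```python
"""Constructed example: detect excessive failed logins, then compute an
exoneration score from enrichment data. Not Cortex XSOAR or Splunk code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# --- Stage 1: alert definition (stand-in for a scheduled Splunk search) ---

# Constructed sample auth events; users and IPs are invented.
SAMPLE_EVENTS = [
    # svc_backup: 6 failures in 5 minutes from an internal host (lockout pattern)
    *[{"ts": f"2024-10-01T08:0{m}:00", "user": "svc_backup",
       "src_ip": "10.0.0.5", "result": "failure"} for m in range(6)],
    # jdoe: one stray failure, then 5 failures in 4 minutes from an external IP
    {"ts": "2024-10-01T07:00:00", "user": "jdoe", "src_ip": "198.51.100.23", "result": "failure"},
    *[{"ts": f"2024-10-01T09:0{m}:00", "user": "jdoe",
       "src_ip": "198.51.100.23", "result": "failure"} for m in range(5)],
    # asmith: two typos then success, stays below the threshold
    {"ts": "2024-10-01T09:10:00", "user": "asmith", "src_ip": "10.0.0.9", "result": "failure"},
    {"ts": "2024-10-01T09:10:30", "user": "asmith", "src_ip": "10.0.0.9", "result": "failure"},
    {"ts": "2024-10-01T09:11:00", "user": "asmith", "src_ip": "10.0.0.9", "result": "success"},
]

FAIL_THRESHOLD = 5              # assumed: failures per (user, source IP) ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window


def detect_excessive_failures(events, threshold=FAIL_THRESHOLD, window=WINDOW) -> List[dict]:
    """Return one alert per (user, src_ip) whose failures inside any
    `window` reach `threshold`; the count reported is the densest window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            failures[(ev["user"], ev["src_ip"])].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (user, ip), times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "src_ip": ip, "failures": best})
    return sorted(alerts, key=lambda a: a["user"])


# --- Stage 2: enrichment and exoneration score (stand-in for the playbook) ---

@dataclass
class Enrichment:
    """Answers to the playbook's questions. Field names are this example's own."""
    ip_reputation: str              # "good", "unknown" or "malicious"
    days_since_last_success: int    # age of the user's last successful login
    related_alerts: int             # other open alerts on the user, host or IP
    is_service_account: bool
    user_confirmed: Optional[bool]  # True/False via email or MFA, None if no reply
    endpoint_has_agent: bool        # EDR agent present on the source host


EXONERATION_THRESHOLD = 60  # assumed: at or above this the alert closes as benign


def exoneration_score(e: Enrichment):
    """Higher score = more evidence the alert is benign. Weights are illustrative."""
    score, reasons = 0, []
    if e.ip_reputation == "malicious":
        score -= 50; reasons.append("source IP flagged malicious")
    elif e.ip_reputation == "good":
        score += 20; reasons.append("source IP has good reputation")
    if e.days_since_last_success <= 7:
        score += 20; reasons.append("account used successfully this week")
    elif e.days_since_last_success > 90:
        score -= 20; reasons.append("dormant account: no success in 90+ days")
    if e.related_alerts == 0:
        score += 15; reasons.append("no related alerts")
    else:
        score -= 10 * e.related_alerts; reasons.append(f"{e.related_alerts} related alert(s)")
    if e.is_service_account and e.ip_reputation != "malicious":
        score += 25; reasons.append("service account, likely stale credentials")
    if e.user_confirmed is True:
        score += 30; reasons.append("user confirmed the attempts")
    elif e.user_confirmed is False:
        score -= 40; reasons.append("user denied the attempts")
    score += 10 if e.endpoint_has_agent else -10
    return score, reasons


def triage(alert: dict, e: Enrichment, threshold=EXONERATION_THRESHOLD) -> dict:
    """Close (status mirrored back to the SIEM) or escalate to an analyst."""
    score, reasons = exoneration_score(e)
    disposition = "close_false_positive" if score >= threshold else "escalate_to_analyst"
    return {**alert, "score": score, "disposition": disposition, "reasons": reasons}


# Constructed enrichment results keyed by user, as the playbooks would return them.
SAMPLE_ENRICHMENT = {
    "svc_backup": Enrichment("good", 1, 0, True, None, True),
    "jdoe": Enrichment("malicious", 120, 2, False, False, False),
}


def run_example() -> Dict[str, dict]:
    """Run both stages over the constructed data; returns triage results by user."""
    return {a["user"]: triage(a, SAMPLE_ENRICHMENT[a["user"]])
            for a in detect_excessive_failures(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for user, result in run_example().items():
        print(f"{user}: score={result['score']} -> {result['disposition']}")
        for r in result["reasons"]:
            print("   -", r)
```

The service account locking itself out from an internal host with a recent successful login scores well above the threshold and would be closed and mirrored back to the SIEM; the dormant account hammered from an IP with bad reputation, with the user denying the activity, scores far below it and goes to an analyst. The `reasons` list is what you would write back into the incident so the analyst can see why the score came out as it did.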
![Figure 3: Use case packs from Cortex XSOAR marketplace](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/Blog-image-2.png)

Figure 3: Use case packs from Cortex XSOAR marketplace

### **Take Automation for a Test Drive**

Ready to filter out false positives and start hunting for legitimate threats? Check out our Splunk [integration guide](https://cortex.marketplace.pan.dev/marketplace/details/SplunkPy/) or contact our team for a demo of the synergy between XSOAR and your SIEM.

![Figure 4: SIEM integrations available in Cortex XSOAR marketplace](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/10/Picture3.png)

Figure 4: SIEM integrations available in Cortex XSOAR marketplace

And if you are ready to move beyond automation, many organizations address these challenges by adopting Cortex XSIAM®, an autonomous SOC platform that unifies XDR, SOAR, ASM, and SIEM capabilities in one solution. XSIAM streamlines alert management by aggregating numerous alerts into actionable incidents, while using playbooks to automate and accelerate remediation. Click [here](https://www.paloaltonetworks.com/cortex/security-operations-automation) to learn more about Cortex's automation capabilities.