Cortex XSOAR Energy Utility Case Study


Keeping the SOC Lights On

Cortex XSOAR in an Electric Utility Company


Industry: Energy/Electric Utilities

Tools in use:

  • SIEM
  • Forensics and malware analysis
  • Ticketing
  • Data analytics

Challenges:

  • High volume of alerts
  • Detection of duplicates and related incidents
  • Time-consuming case management/ticketing

This electric utility company used Cortex XSOAR to:

  • Automate duplicate alert detection and consolidation
  • Orchestrate workflows across products on one platform
  • Correlate threat intel from multiple sources, including open source tools
  • Detect similarities between cases for better insights and training opportunities
  • Accelerate case management reporting

Cortex XSOAR enabled the company to:

  • Reduce case volume by 30%, seeing time savings of approximately one full-time analyst
  • Deploy aggressive detection without negatively impacting analyst workload
  • Speed up monthly risk audit reporting with case management information in one place



The Customer

For one of the largest electric utility companies providing energy-related services in the US, aggressive detection was a priority for the security operations center (SOC) team. The team also wanted to ensure its security analysts were not spending inordinate amounts of time investigating duplicate alerts.


The Problem

The SOC team had a mix of ingestion and detection sources to deal with, ranging from security vendor products and open source platforms to in-house tools and proprietary solutions. While the team had a security information and event management (SIEM) solution to aggregate logs, the analysts spent a great deal of time investigating duplicate alerts instead of hunting threats. Case management was also bogged down with the need to pivot between multiple screens, often resulting in the analysts cutting and pasting information manually.


In addition, there was a need to chase down analysts at the end of each month to get details for case management reports. These low-level tasks prevented analysts from focusing on data interpretation and problem solving, which ultimately led to longer resolution times and lower productivity.


The Solution

The SOC team first deployed Cortex™ XSOAR playbooks to identify and remove duplicate alerts generated by its cybersecurity tools. The team also leveraged Cortex XSOAR to automate case metrics tracking and reporting. With the expanded visibility across cases, the team was able to derive similarities and surface trends that weren’t visible before.


As analysts tracked their actions within Cortex XSOAR, this facilitated monthly risk audit reporting since case data and analyst actions were now archived and easily retrievable from one location. This common knowledge repository enabled a smoother transition of knowledge between analyst shift changes and served as a training resource for lower-level analysts.


The case management lifecycle managed within Cortex XSOAR includes ticketing. By automating and integrating the ticketing process, the SOC managers were able to free up analysts from doing tedious tasks, such as manually copying information from one system to another, so they could focus on threat hunting and decision-making. 


As the SOC team is very focused on metrics-driven decisions, there are plans to integrate Cortex XSOAR with in-house visualization platforms for advanced reporting and insights.


Outcomes with Cortex XSOAR


The Results

Cortex XSOAR enabled the SOC team to be as aggressive as necessary in alert settings without worrying about impacting analyst workload. As a result of automating deduplication efforts, the SOC team was able to reduce alert volume by 30% within the first month of operation. This netted out to time savings approximately equal to a full-time analyst.


An added benefit was in the area of metrics. As SIEM users know, the process of extracting metrics from a SIEM to identify similarities across cases can be onerous. The SOC team was able to leverage Cortex XSOAR playbooks to automate some of these tasks, producing previously undetected insights into problem areas related to people, processes, and technology. For example, the team discovered multiple malware cases associated with specific machines or user accounts. This was an unexpected benefit of the expanded visibility into case-related metrics.


As the SOC team builds out its automation efforts, the goal is to map alerts and threat behavior to the MITRE ATT&CK™ framework to better understand security risk against adversarial threat behavior as well as aid in planning better defenses and verifying the effectiveness of existing defenses.

Last Updated: 05-20-2020 05:15 PM