Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary

March 27, 2024


Earnings Call Speaker Segments

Jason Spindlow

executive
#1

Good morning or afternoon, depending on which part of the world you live in. Today, we are going to talk about some of the challenges that SOCs face with legacy security information and event management technologies and how you can overcome those challenges by unleashing AI-driven superpowers to defend and protect your data metropolis. My name is Jason Spindlow, systems engineer specialist at Palo Alto Networks. Thank you very much for joining me today. If you have any questions, feel free to put them in the chat and I'll do my best to answer them at the end of the session or as we go along, depending on how we decide to take some of these questions as we go. But for now, let's get started. Before we get into modern-day security solutions, let's take a quick look back at how SIEM became a security superhero nearly 20 years ago and why it no longer has the power to keep pace with today's cyber villains. In 2005, SIEM technology changed the game for SOCs everywhere by combining log management and event management systems to identify and track breaches. This centralized approach revolutionized cybersecurity by making it possible for SOC teams to monitor and analyze security-related data across their IT environments. This more efficient approach enabled faster identification and response to breaches, as well as the ability to track and log security data for compliance and auditing requirements. But even superheroes need to keep up with the times to remain relevant. For 20 years, not much has changed with SIEMs. Meanwhile, other key parts of the security infrastructure have modernized. The network has moved from a hard-shell perimeter to Zero Trust and SASE. Runtime has moved from the data center to the cloud. The endpoint has moved from antivirus to endpoint detection and response, EDR, or extended detection and response as we see today. But the SOC still operates a 20-year-old SIEM model. So why are SIEMs so slow to modernize?
Well, first, many SIEMs are based on outdated architectures, limiting their ability to adapt to new security challenges. Next, SIEMs are often complex to implement and manage. As a result, vendors may be reluctant to make significant changes that could disrupt their customers' operations. Because the SIEM market is relatively mature, there may be limited incentives for vendors to invest in innovation. [indiscernible] Changing the underlying technology of a SIEM solution could potentially break integrations with other security tools, such as EDR systems, intrusion detection systems and network traffic analysis tools, making it difficult for customers to manage their security operations. Finally, many organizations have customized their SIEM solutions to meet their specific needs. Making significant changes to the underlying technology could require costly and time-consuming system reconfigurations. Now, quick audience participation here. If you're currently using SIEM technology to help manage your security, what are some of the challenges you're experiencing as a result of using those legacy technologies to meet your modern security requirements? Put your answers in the chat. You'll see a poll question come up momentarily and we'll -- if you want to throw it in there as well or into the chat, either way is fine. And we'll give you a couple of seconds to throw that in there as well. [Voting]

Jason Spindlow

executive
#2

I promised last time I was going to have some elevating music but I completely forgot. So you get me again. That's as close as I can get. I'm sorry. I'll wait a couple more seconds for the input data to come through. Already seeing a couple of little things come through here. That's good. All right. Single pane of monitoring seems to be one of the big ones. Mundane task reduction. That's another good one. We'll give it a couple more seconds. All right. Let's keep going. Thank you for those. I do like a couple of those. Identification of false positives versus true positives as well. All of those are typically what we see as some of those problems that we face with those legacy solutions in today's environment. Well, to add to that and to add to organizations' security challenges, a proliferation of applications, workloads, microservices and users has created an expanded attack surface that is difficult to protect. More data and devices mean more alerts, thousands of alerts each day coming from disconnected sources. With so many alerts coming in, security teams and security analysts have to triage which alerts need attention. And that takes a lot of time. After the triage, teams only have time to address the highest-priority alerts. That leaves the majority of alerts, well, unaddressed. That's a pretty risky move to make. Historical incident investigations show that a collection of lower-priority alerts is actually part of a single attack, so leaving them untouched gives the hackers a big advantage. And what's another advantage for hackers? Well, time. It can take hours, days or months to identify and remediate threats. That leaves plenty of time to do plenty of damage. And you can see here, we've got a couple of these key stats we talk to from our Palo Alto Networks' 2022 Unit 42 Incident Response Report. The first one that we can see is that 48% of alerts generated by security analysts go uninvestigated each day.
32% of the SOC team members' time each day is spent investigating incidents that are not real threats. 11% of incident response cases are the result of important security alerts getting lost without sufficient review and action. And 28% of successful attacks are due to poor management procedures, resulting from too many manual, time-consuming processes. We've got another quick question for everybody now. What do you think is the average dwell time for ransomware threats to be detected by a legacy SIEM? We'll see the question come up here and we'll push that to you now. And you can see the options we've got. Is it 1 day for the dwell time before it's detected by a legacy solution, 18 days, 48 days or 90 days? And your time starts now. [Voting]

Jason Spindlow

executive
#3

All right. Let's see what we get. Some more mood music. It used to be more like darker, I think, as I sit here and listen to this. I guess we've got 120 days. 120 days, it's not even an option. It's like a combination of some. That's impressive, okay. Let's see where we can go here. And I'm sorry, if 120 days is for yourself there, who has just put that through. We've got to figure out a way to get that down for you. Here we've got 90, 90 to 120 days? All right. Let's see what else we've got. Who else is brave? Hopefully, nobody writes 1 day, although it could be right but I doubt it. Where are we going from here? Okay. All right. Well, let's see what the answer is and thank you, everybody, who wrote down one of those responses there. So we can see what the call out from the audience is. We've got a few there on 1 day, a couple on 18, a couple over on 90 and then 48 is that next top one there. But let's see what it actually is. It's 28 days before ransomware is detected in an environment. And additionally, it typically takes 7 to 48 days before something like business e-mail compromise, or BEC, is detected and contained, with a whopping median of 38 days of dwell time. So our inability to fully leverage massive scales of data for defense is like [indiscernible]. SIEMs were built to facilitate alerts and log management that rely heavily on human-driven detection and remediation. Not only is it slow but it also leaves opportunities for blind spots and errors in judgment. Combating today's threats requires us to radically reimagine how we run cybersecurity in our organizations using AI. It must be built on a new architecture designed to meet the evolving needs of modern IT environments. Overall, the design should provide things like broad and automated data integration, analysis and triage. This should provide unified workflows that enable analysts to be productive.
It should also provide things like embedded intelligence and automated responses that can block attacks with minimal analyst assistance. Unlike legacy security operations, the modern SOC leads with data science on massive data sets rather than human judgment and rules designed to catch yesterday's threats. So there's a new security superhero in town, Cortex XSIAM. XSIAM, or extended security intelligence and automation management, is here to save the day and your data with an AI-based unified platform for real-time detection and response. XSIAM unifies best-in-class functions, such as EDR, XDR, SOAR, ASM, [indiscernible], TIP and SIEM for a modern approach to security. Palo Alto Networks has worked hard to address the limitations of current security solutions. Cortex XSIAM is an inflection point for how we think about cybersecurity and lean into AI in areas where machines are simply built to perform better than humans. Built on a security-specific data model and updated continuously with Palo Alto Networks' threat intelligence gathered globally across tens of thousands of customers, XSIAM uses an ML-led design to integrate massive amounts of security data, then aggregates alerts into an incident for automated analysis and triage and to respond to most incidents automatically, enabling your analysts to focus on the few threats that require human intervention. XSIAM has already been proven in production, powering Palo Alto Networks' own SOC and turning over 1 trillion monthly events into a handful of analyst incidents daily. Unlike most superheroes who have a single superpower, Cortex XSIAM does it all. It harnesses the power of machine learning and automation to block those attacks from endpoint to cloud at scale with minimal analyst involvement and SOC engineering overhead. XSIAM enables the SOC to be proactive instead of reactive. It is designed to be the center of SOC activity by replacing SIEM and point products with unified broad functionality.
It is purpose-built with threat detection and response at its core. XSIAM centralizes, automates and scales security operations to fully protect the hybrid enterprise. How do you know what XSIAM is? Let's have a look at it. Cortex XSIAM features an intelligent data foundation that makes centralized security simple. It simplifies connections and collections for any data tools and gives you automatic data normalization and enrichment. It also gives you the ability to stitch data for rich analytics and investigation context. Plus, it's built on a cost-effective, scalable cloud architecture. What more could you ask for? Cortex XSIAM outpaces threats with cloud and attack surface visibility and threat detection. It gives you specialty endpoint, network, cloud and [indiscernible] analytics. It also gives real-time behavioral analysis and methods across all data. It's protecting you with continuous intel and learning from 85,000 customers and over 200 analysts, researchers and engineers from our Unit 42 team. Finally, Cortex XSIAM flexes its ability to accelerate response times while minimizing and optimizing analyst actions by delivering things like alert grouping, incident enrichment and prioritization, automatic execution of common activities, intelligent in-line playbook functions and a rich library of actions and responses, and also helping with unifying and automating broad SOC functions. XSIAM draws on AI and machine learning to revolutionize security. It uses AI and ML algorithms to analyze the behavior of endpoints and detect anomalies that may indicate the presence of a threat. The platform applies ML algorithms to analyze large volumes of threat intelligence data and identify patterns and trends that may indicate an emerging threat. It uses its AI-powered automation to respond to threats in real time without the need for human intervention.
The platform in total leverages machine learning algorithms to analyze historical data and predict potential threats, helping organizations proactively protect against future attacks. XSIAM's ML algorithms continuously learn from new data and adjust their model, improving the platform's accuracy and effectiveness over time. XSIAM is unique in its automation of the incident management flow. The analytics within XSIAM provide technique-based intelligence, allowing alerts to be grouped into incidents fully enriched with relevant context. Embedded automation and in-line playbooks apply analytic results for intelligent execution, fully processing and closing alerts or incidents whenever possible. The analyst incident management view provides a full summary of actions automatically taken, results and suggested actions that remain. When further investigation and response activity is required, the analyst is presented with a drilled-down incident timeline and broad XSIAM intelligence from all analytics and functions. Remediation and response actions can leverage in-line playbooks. And to manage endpoints, XSIAM provides one-click remediation action options along with powerful live terminal access and forensics tools. Cortex XSIAM is a true SOC platform and a game changer for the traditional multi-tool, human-driven SOC operating model. Overwhelmingly, organizations using a legacy SOC model all have similar pain about their existing security architecture management. Cortex XSIAM was built by security practitioners who have lived through these pains. Only Cortex XSIAM can replace outmoded SIEM, centralize and act on true security intelligence. Only XSIAM can consolidate disparate SOC tools for efficient and cost-effective operations team-wide. Only XSIAM can give you machine-driven security at scale while analysts focus on high-value tasks. Cortex XSIAM extends SOC visibility and control to cloud and dynamic resources.
With XSIAM, you can depend on threat detection that's proven to protect the entire enterprise, endpoint to cloud. And XSIAM protects endpoint targets from laptops to data center systems to cloud workloads. It covers everything. XSIAM by Cortex by Palo Alto Networks is a superhero in a league all of its own. Cortex XSIAM is helping some of our customers around the world fight cybercrime, and Imagination Technologies Group is one of those customers. The graphics, computer and AI processor manufacturer needed a solution that would enable them to automate repetitive data analysis tasks to improve productivity and allow more time for value-added security operations. They also wanted to unite endpoint, network, cloud and identity data to detect advanced threats with precision and to simplify investigation. With Cortex XSIAM, they can easily ingest data and normalize it, and they can centralize all threat information and vectors. They can be more confident in their security decisions and they're freeing up time for the SOC teams to focus on other tasks. Our industry-leading cybersecurity experts can also help you optimize your deployments by applying technical expertise, professional services and operational processes to maximize the security investments. XSIAM deployment services enable greater adoption of Cortex XSIAM features and accelerate time to value. It accelerates protection for sophisticated threats across all enforcement points: endpoint tuning, policy tuning, correlation creation, security operations best practices, incident management methodologies and playbook creation, reducing the deployment risks using best practices with the systems from our experts. That's why they're there, to ensure ongoing effective operations and administration of management with knowledge transferred to your team. We provide a full range of expert services for XSIAM from Palo Alto Networks Unit 42 with more than 200 analysts, researchers and engineers, like I talked about before.
Unit 42 is trusted by the global CSOs out there. This team's seasoned analysts supply in-depth threat hunting and forensics knowledge to identify and contain threats before they become a breach. Our Unit 42 MTH, or Managed Threat Hunting service, includes proactive threat hunting for advanced threats based on the analysis of suspicious signals, Unit 42 research and Cortex analytics. Customers will receive detailed reporting and direct access to the Unit 42 team 24/7. Now the Unit 42 MDR service puts experts in your corner to strengthen and scale your security coverage with proactive threat hunting, vulnerability assessments, managed investigation and response, as well as, instead of just 24/7, 24/7/365 coverage. At Palo Alto Networks, we've reimagined security operations and the Cortex platform is how we enable the modern SOC. Now let me take you through a quick demo on Cortex XSIAM. And we'll cover off the things that we've looked at today and show you a little bit of that new platform and how it looks in the field and also one of our new dashboards that's come through in the 2.0 release that we are launching on December 7, like we talked about before. I'll click across to that other screen, there with you in one moment. And hopefully, we don't lose you in the process. In this specific example, we're pulling in data as logs and alerts from over 68 sources, including endpoints with Cortex XDR. You can see the alerts that are created or pulled in, the analytics and AI in the middle to group and fuse alerts as they come in and the output to either a resolved incident or a highly contextualized and automatically correlated incident sent to an analyst for remediation. Looking at another view with the console dashboard, you'll see that there are multiple widgets to look at to get deeper clarity of what is being seen and responded to in the platform. We're not doing the legacy AV and EDR view of pointing out each alert.
We're giving you the new ability to see the efficiency of the system with your data to help understand mean time to remediate and how effectively all your data sources are being used. So before an analyst has had their first coffee for the day, XSIAM has already resolved incidents that it can automatically close out with AI and analytics to understand what particular activities mean, be it machine learning, from malware with static analysis on the endpoint, using playbooks in the system for automation to push or alter configurations or to allow an analyst to look deeply into never-before-seen anomalous activity. No one is doing this in a single platform and in the way that XSIAM can do this for you. It's important to note the average alerts per incident and the average sources per incident. This is an innovative way of telling us that multiple data sources are being combined together using AI and analytics to understand that data we have ingested matches to a singular threat activity and is providing the context to understand what is happening, something only an integrated SOC platform such as XSIAM can deliver. We can see the breakdown of the resolution of incidents. And while this is a demo environment, the mean time to remediate by XSIAM automatically is just over 6 minutes from start to finish. My analysts can then choose to go in and check the closed incidents as a final triage step to understand what occurred and if there is any further follow-up required, be it user training or deeper threat investigations or all the way to a playbook response to an incident. But this is all proactive activity that heightens the capabilities of the SOC in the future, reduces the workload at all levels at the start and reduces the reactive approach most SOCs today have to work in.
The fact is that whilst company A out there is either only just starting to realize something is going on and scrambling to figure out what systems are impacted, being an XSIAM user you would have already dealt with and mitigated the risk in your environment. So on the left-hand side, we can see in the dashboards and reports sections where custom dashboards can be created and used for report templates, providing an easily customized experience for the different user types of the system. From security managers to analysts, from XDR responders to attack surface management information, it's all at your hands to access, with role- and scope-based access control assisting the team to see only what they should be seeing. XSIAM is designed to step visibility and reporting up to the next level, showing the incredible ROI of your next-generation SOC, as well as enhancing your existing tool set. Moving into incident response. We can look at all the incidents and hunt through the current open and under-investigation issues, or we can use a search function along the top here to find a key incident to look at in a certain time frame or with a particular source. Only Cortex XSIAM groups alerts in such a way that instead of being bombarded by hundreds or thousands of single alerts, you get a singular incident that doesn't need to be filled out with additional context. It's already there and ready to action. You can use the query builder to build out search queries across all data sources or a set of data. XSIAM gives you never-before-seen query capabilities with normalized data sets for granular search capability. We have the ability to perform forensics using the agent on the endpoint as well as build out a host inventory of applications, [indiscernible], services, users and shares, as well as identifying vulnerabilities. Nothing hides from XSIAM.
It's not always about prevention, and being able to use the same agent for forensic data collection from endpoints instead of another stand-alone tool needs to be the mantra at the heart of your SOC. Response actions can also be accessed to isolate devices, find quarantine [ faults ] and run scripts on endpoints for direct response. XSIAM becomes your direct response method when facing a threat in your environment. No bolt-on tool sets or additional agents; XSIAM has been built from the ground up to reduce your tool spread. Within playbooks, this is where you can build a set of tasks that can be run automatically on an incident to close out each individual alert and resolve the incident when no analyst intervention is required. For this specific containment plan, isolate device, if we scroll all the way to the bottom to see where the playbook closes out the incident, you can see that here as we go through all the different tasks that we're looking at. The marketplace within XSIAM has a massive amount of integrations built out of the box that are constantly growing and are able to meet your needs for different security and networking integrations. XSIAM was built to bring in any and every data source and integrate with a continuously growing set of technologies. Our customers love XSIAM because it's not just another black hole for your logs and investments to go into. Looking back at the incidents tab, you can see XSIAM's unique power of combining 37 alerts in a single incident. You can see what sources the alerts came from, the playbooks in action or waiting for user input, the assets involved, key artifacts detected throughout the attack timeline and where the tactics and techniques align to the MITRE ATT&CK framework. We can look more closely at the key assets and artifacts that XSIAM has correlated automatically for us and pulled into the incident or each individual alert and insights.
And I can right-click on any of these and pivot the view across to a work plan view across each alert to see what automated playbook is executing to close out, a bit similar to what we saw with the playbooks tab before. We can see what the investigation has picked up with indicators that align to the threat intelligence feeds. And something else that no one is doing within a single platform is seeing a specific incident's war room to see any collaboration, automatic or analyst, to identify any breach further also. Execution will give us a causality chain of what each malicious artifact or action did. The power of XSIAM here shows exactly what we talked about earlier by providing every single piece of information that an analyst needs to close out an incident. And if it's known malicious activity or through AI identified as a threat, all of this can be used to close out the incident. That gives your team the time to be proactive and build out defenses even further. Most of the solutions will have you constantly sitting in their tool for as long as possible. With a shortage of threat analysts in the industry and the increasing number of threats we face on a daily basis, how better to defeat [ SOCzilla ] than by using AI and automation as a force multiplier tool for defenders. We want you to be effective in XSIAM, not caught in a loophole of threat hunting and investigation without automated correlation and analytics. Under detection and threat intel, looking at detection you'll see -- we can see IOCs and behavioral IOCs. We can create correlations or use your existing ones for the different data sources directly within the SOC platform and we can enable attack surface rules to allow specific threats to be identified for externally facing assets. Typically, most organizations are focused on the inside-out threats, not the outside-in.
Knowing your external and public-facing assets, either on-premises or cloud-based, will only drive down the size of the attack surface of your organization. Having XSIAM bring in this highly unique viewpoint, combined with the full capabilities of the solution, your organization is better placed to proactively reduce your attack surface and build out the correct risk-mitigation strategies. You can also purchase the threat intelligence add-on and see threat intel indicators, analyze samples and create indicator rules. Having threat intelligence in the same solution as where the threats are reduces time to remediate and makes XSIAM a no-brainer for your environment. It also uniquely gives visibility into all assets. It steps up over other disparate toolings to understand your internal and external IP ranges and domain suffixes for analytics profiling and assesses your attack surface. It also looks at vulnerability and also user scores. These are where you can see behavioral activity and a 30-day rolling analytical view of user activity, and create custom scores if threats occur on specific devices or users to give a higher priority for focused remediation. So we've identified through the pain of our own SOC challenges and evolution that the best way to drive efficiency in the SOC is not to throw more siloed products and resources at the problem but to utilize the products and resources you have to work smarter and more effectively. Let's look to see how this solution can work for you with a deeper dive into your tools, processes and resource issues and find a way to give your team back their ability to be proactive and build out your security road map further in the future. So back on camera now. So hopefully, that quick demo briefly showed you through the platform there and answered a couple of questions.
Hopefully, that also answered a bit of -- we've got one question on the chat today so far around -- it states a lot of SOC analysts' time is also spent in validating with the user about suspicious activity that may have triggered from users' machines, user ID, et cetera, basically to conclude whether an activity is a true or false positive. Is there a solution through this -- through XSIAM? So you should be able to see, hopefully, from that last part of the demo just there and included as other components, when you look within the information that's being collected, we collect that from all different sources, including identification or authentication-type logs. User ID is used as a component of that. The IP address is connected. If someone is connecting through multifactor authentication externally, if we have logs being fed in, we start to use that to build out, like what I talked about, that 30-day rolling view of a threat actor and what they're doing. So this is all the pieces of XSIAM that can absolutely be used for what we -- what that question covers off with regards to identifying users. And if it is true or false positive -- like true positive or false positive type activity, one of the things you probably saw on that second page, the main dashboard, was also those incidents that were closed out automatically by XSIAM itself. And you could actually see within that little pie chart there that we had some that were closed out as false positive as well as the ones that were closed out as true positive. So the system starts learning and the stuff that it isn't sure on, that's where it sends that back to an analyst. So again, we talk about shifting and moving around that old mindset from the legacy SOC, where the majority of that analysis had to be done by a human. With XSIAM, we've got the majority being done by the AI. Then the last little piece that we need to verify and train that system on, we do with the human responding to those particular incidents.
But they have more time to do that, which makes it easy for them in their role. Look, thank you so much for joining me today. If you've got any other questions about anything we've discussed, feel free to put them into the chat. I'm happy to take on any more questions that we've got.

Jason Spindlow

executive
#4

The -- I see another one quickly that's come through now. The question is around, is vulnerability assessment done by the endpoint agent? So yes, absolutely. It's a part of what the agent does. It pulls telemetry data from the endpoint, almost like a sensor, think of it as that side. And part of that is to understand what patches are missing from the operating systems. So hopefully, that answers your question there with that one as well. Another question comes through, same person. Excellent. Will the PA XDR agent be able to perform vulnerability assessment? So the XDR agent already does vulnerability assessment. So we already do that within the XDR Pro solution offering that we have; Prevent -- doesn't cover that side. Prevent is just looking at the new traditional machine learning-based analysis for prevention instead of the detection and response. But if you look at what XDR Pro does, part of that, we have the Host Insights component, or a subscription as part of that service, which will pull through any of those missing patches, tell you the attack [indiscernible] and the level of those and on what systems they're on. Is it possible to export the use case list? If you could write a little bit more on that, that would be great. I can try and answer that a little bit more fully, with a little bit more detail. If you mean use cases, just break that down a little bit more, what you mean by use case for me. We've got another question through. Is Cortex XSIAM available in other countries? Richard, I'm not sure which country you're coming from currently but it is available in most countries. If you're talking about where the data sovereignty is, where it's sitting from a data center perspective, we have a whole batch. And you can probably go to our website right now and see all the different countries that we have a local data location for or data store within the data centers that we provide as an option at this present point. But that's constantly growing as well.
And if you let us know what country you're in, if you're not on that list, we can absolutely add that to the list and get a validation if we can do something there. Another question here, will XSIAM be able to identify custom applications developed within the environment? So if you're talking about an application and an executable, you typically would put those in as hashes or systems that you would know within the platform and put those on to allow lists to make sure that nothing gets blocked there. The sensor does do the XDR piece as well if you're using it for the prevention piece as well and the detection and response side of things. And therefore, you may be looking at things like our exploit prevention or protection modules, which you may need to ensure are mapped correctly to your custom application as well, just to make sure that there's nothing there with an application we don't know about. It's been coded slightly differently, which typically starts to raise concerns from our side if we see an exploit technique being utilized. It's things like that to bear in mind. Good giant run of questions there. If you've got more, I'm happy to answer a couple more. Is it possible to export correlations and behavioral indicators of compromise? You can absolutely pull out the behavioral indicators of compromise and the correlations. It depends on what you're looking to put those into. That's all. You can also upload the IOCs and things into the platform as well. Question, does XSIAM offer managed service [indiscernible] customers? Who manages the service on behalf of the customer, a partner or Palo Alto Networks? So right now, that's all in the works. We have the XDR, MDR component. And there are some pieces being fit within that to help out from an XSIAM perspective but that's all still in the works to be finalized with part of the launches that we'll see in the future. Hopefully, we'll see some of those things come more to the market.
But we do have absolutely a component where either Palo Alto Networks with the XDR side or one of our ex MDR partners, who are fully trained managed detection and response partners, can help respond to threats on your behalf and take that off you. So absolutely, there's 2 ways. Right now, it's more the XDR side but stay tuned in the future for other things with XSIAM. Does XSIAM have a geolocation threat map? Just trying to think. So with our attack surface management component, so there's multiple parts within the platform that would raise to you where potentially an asset was that's publicly exposed. If we see a specific threat actor and you're looking at the threat intelligence side of that, part of what you will see within that information is where we suspect that threat to be based, based off the threat intelligence that our Unit 42 team has done as part of their investigation. But it wouldn't necessarily list out on a big screen for you where the threats are coming from. And in live, a lot of those magic maps that you see, the attacks coming from here, there and everywhere, a little bit of fluff sometimes anyway. So it's best to look at it as a broader view. But absolutely, there are some things there with the Unit 42 side, they could assist you with that. I'll wait a couple more seconds for some of these questions to come through or push out. But in the meantime, if you do have any more questions, outside of today, either reach out to your local Palo Alto Networks, either the sales engineer or systems engineer or account manager and feel free to ask those questions as well or I can be reached at [email protected] as well. One of the question -- another question here, can XSIAM integrate with Microsoft Sentinel? And does Sentinel feed into XSIAM? We can ingest really anything into XSIAM. It's -- we take anything and everything. The question is what will we do with the Sentinel data. Is it a quick set? 
Is it better for the data to get sent to us, for us to process first, analyze and then create a high-fidelity alert to send back out to Sentinel for log storage, from the legacy SIEM perspective? And that's probably where we'd be saying that side would go through that way. But if you wanted to ingest the SIEM logs from your Sentinel box or Sentinel service and feed that into the platform, we could do that. It just depends on what you're looking to do with that data. Typically, you're trying to push everything into Sentinel and then perform your analytics or correlation on it. It's best for us to get the data first potentially and feed it back through and less to be fed back to Sentinel, which reduces your costs with them as well. Another question here on how will XSIAM assist in case a forensic investigation is required for an incident? So that's a really good question. We treat -- and you probably saw within that demo then that we have a whole war room, which is what we've pulled from the XSOAR functionality that we have for collaboration. So being able to get full details and context into that particular incident and with your question around the forensic investigation; a, we've got all the data being collected and pooled to help us build out a bigger story of what's occurring on the endpoint's network cloud, whatever information or data is feeding off network traffic back into and from an endpoint through the network, all that is being fed and being stitched into and fused into that singular incident that you saw within the platform before. Now if I take that information and then I want to say, "Well, okay, there's no such thing as 100% prevention but I've detected. Now I need to figure out what else has happened from a forensic perspective." You start looking at what the sensor does, what I talked about before with the agent we put on to the endpoints. 
It has, if you pull this component, through the forensics package, which will allow you to pull all the data from the database of that machine up into the cloud and analyze it and run it through your own triage tools or through an incident response tool set like what Palo Alto Networks Unit 42 has. So there's multiple ways that we can help you with that. But the platform can absolutely be used from a forensics triaging perspective as well. So hopefully, that answers that question for you. Let's kick off. And if I see any more come through, I'll continue on just with a couple of last final pieces but happy to keep on answering as we go through. Conscious of everybody's time. So before you go, I'd like to invite you to this next webinar where we'll be launching Cortex XSIAM on -- 2.0 on December 7. So if you -- please, please, please join us for this unveiling and experience the power of an automation-first strategy fortified with AI. You'll get a chance to hear from the Palo Alto Networks expert speaker set, including people like our amazing founder and CTO, Nir Zuk, where he'll share insights into the crucial roles of both precision AI and generative AI in delivering unparalleled security outcomes for customers. We'll also have Lee Klarich, our Chief Product Officer, who will speak on the current state of security, the significance of Cortex XSIAM and a visionary outlook on the future of SOC. We'll also have Parker Crook, Director of Technical Marketing Engineering, who will also be going through our product deep dive and demo to show you how XSIAM consolidates data and tool sets, automates analyst activities and eliminates security gaps. And we also have other speakers in the lineup. If you scan that QR code to sign up now, you'll get that information and be registered for it. I've seen a couple more questions come in here. There's another one here. So which threat intelligence feeds are ingested into XSIAM? 
So you've given WildFire as an example there. WildFire is in there by default with everything that we do. You also then take in the Unit 42 threat intelligence feed, which is slightly different when you think about what WildFire is with the sandbox and the analysis of hashes that run within that from an executable perspective but think bigger with threat intelligence. What other indicators of compromise do I need to look for? Is it a hash? Is it a URL? Is it additional information on a specific threat type that we see against an industry vertical? Those types of things also. But if you saw within that demo and you can always go back to the recording after this, there's -- you would have seen a couple of other threat intelligence feeds that we can pull into the platform that are non-Palo Alto Networks-specific. So feel free to look through all of those as well. Will I be able to run XQL queries for longer durations, either 180 to 365 days? And within how much time should I be able to view the results? That's a very good question. That's going to relate to a couple of things. That's going to relate to your hot storage and your cold storage within the platform. So these are all important things to know about the Cortex XDR XSIAM platform: it's really how much data do you want to store, either in a hot or cold state. Anything that you store in a hot state is instantly searchable to create your queries on from an XQL side. So the XQL is the XDR query language that [Technical Difficulty] within our Cortex XDR or XSIAM platforms. But you can have that covered for as long as you want from a data store perspective. And typically, that's 30 days or 60 days or 90 days or whatever you want. So you can build that out and there's no limit there with that. If you go cold storage, the query can take a little longer to run but that's obviously based on -- it's sitting in cold and has to be pulled out of that to be requested to run that query on. 
But once it is warm, if you're running that query against that cold data for forensic purposes, as long as you're running a query against that same data set daily, you can actually keep that data up and keep it warm, so your response is a lot quicker for you. So there's multiple things that you can do to be able to increase the speed, the visibility. Typically, the data sitting within there, we have for 30 days. But that is -- again, that's just our starting point that we run our analytics on. Then you can, again, scan or analyze or do your queries against the additional data sets over a longer time, if you put those or purchase those with the system. It's just up to you depending on how you look at triaging or your incident response within the platform. So yes, you can see that QR code, it was showing a bit funny before. Hopefully, that shows a little bit better for everybody now. I'll also say that if you're interested in taking a deeper dive into Cortex XSIAM, check out the Resources panel. You should see that on the right side of the page for our recommended resources like our e-books, infographics and case studies. If you'd like to have a chat or have any other questions you want to take off-line, you can also contact us on our page here as well. I'll wait for a second to see if there's anything else coming through from the question side. But for those that are done and have no more questions, I've come to the end of today's session. I hope you enjoyed the webinar on unleashing the power of AI in your SOC with Cortex XSIAM. Thank you so much for your time. My name is Jason Spindlow and I'll see you again soon, hopefully. And again, I'll hold on for a little bit longer if there's any more questions that come through, if there's any, if not, feel free to send them through to us later on. I'm happy to respond to them at another time. All good. 
Looking -- and hopefully, those people that I did answer the questions for, if you've got any more questions on those, I mentioned my name a couple of times, Jason Spindlow, I'm on LinkedIn. You can absolutely send me or ping me quickly on there or send me an e-mail like I said before, I am happy to respond and talk more and get you in contact with the people that could answer locally in your area. I think we're going to finish up. So thank you again for your time. And we'll see you in the next one. Take care.
