CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

The Target of Evaluation (TOE) is the Palo Alto Networks Cortex^[1] XSOAR Server 6.6.  Cortex XSOAR combines security orchestration, incident management, and interactive investigation into a seamless experience.  The orchestration component is designed to automate security product tasks and weave in human analyst tasks and workflows.  The Server provides UI functionality and playbook detection/response functionality.

The evaluated configuration is the Cortex XSOAR Server 6.6.  The TOE runs on an operating system that includes RHEL 8, RHEL 7, Ubuntu (18.04, 20.04), Oracle Linux 7, or Amazon Linux 2.  The TOE was tested on RedHat Enterprise Linux v8.4.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) Cortex XSOAR Server and Engine 6.6, September 16, 2022 document, satisfies all of the security functional requirements stated in the Palo Alto Networks Cortex XSOAR Server 6.6 Security Target, Version 1.0, September 16, 2022.  The project underwent CCEVS Validator review.  The evaluation was completed in September 2022.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11291-2022) prepared by CCEVS.

The logical boundaries of the Palo Alto Networks Cortex XSOAR Server are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support:

The TOE implements CAVP validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signatures, cryptographic hashing and keyed-hash message authentication features in support of cryptographic protocols such as TLS.

User data protection:

The TOE provides no access to hardware resources or sensitive information repositories. The TOE restricts network communication to application-initiated communication between the Server and Engine(s), and remotely user-initiated communication from administrators. All sensitive application data (e.g., API keys, passphrase) are stored encrypted using AES-256 in CBC mode.

Identification and authentication:

The TOE authenticates all users using password-based or X509v3 certificate-based method. This is configurable and by default, password-based method is used.

Security management:

The TOE provides access to the security management functions via the web UI. Identification and authentication are required before accessing the UI. In addition, the operating system can provide some configuration options for TOE. In that case, the operating system I&A method and privileges will be used and enforced.

Privacy:

The TOE does not transmit PII over the network.

Protection of the TSF:

The TOE implements a number of functions to ensure that it is protected against tampering and corruption.  These mechanisms include utilizing platform APIs, memory mapping, and stack-based buffer overflow protection. Palo Alto Networks provides customers with a means of updating their TOE using trusted updates. These trusted updates (signed RPM package) are securely delivered over HTTPS website and verified using approved digital signature methods. All of these updates are properly signed using RSA 2048 with SHA-256 and is verified by the operating system mechanism. In addition, the TOE image is protected with FIPS Software integrity test at power-up (e.g., when the application is started or is reloaded).

Trusted path/channels:

The TOE protects interactive communication with remote administrators using HTTP over TLS (HTTPS). TLS ensures both integrity and disclosure protection.

Vendor Information