Compliant Product - Palo Alto Networks Cortex XSOAR Engine 6.6
Certificate Date: 2022.10.05CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11325-2022
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.4
CC Testing Lab: Gossamer Security Solutions
The Target of Evaluation (TOE) is the Palo Alto Networks Cortex XSOAR Engine 6.6. Cortex XSOAR combines security orchestration, incident management, and interactive investigation into a seamless experience. The orchestration component is designed to automate security product tasks and weave in human analyst tasks and workflows. The Engine is used to efficiently share the workload (e.g., load-balancing) with the XSOAR Server in the operational environment, thereby speeding up execution time.
 Cortex was formerly known as Demisto.
The evaluated configuration is the Cortex XSOAR Engine 6.6. The TOE runs on an operating system that includes RHEL 8, RHEL 7, Ubuntu (18.04, 20.04), Oracle Linux 7, or Amazon Linux 2. The TOE was tested on RedHat Enterprise Linux v8.4.
Security Evaluation Summary
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) Cortex XSOAR Server and Engine 6.6, September 16, 2022 document, satisfies all of the security functional requirements stated in the Palo Alto Networks Cortex XSOAR Engine 6.6 Security Target, Version 1.1, September 30, 2022. The project underwent CCEVS Validator review. The evaluation was completed in October 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11325-2022) prepared by CCEVS.
The logical boundaries of the Palo Alto Networks Cortex XSOAR Engine are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE implements CAVP validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of cryptographic protocols such as TLS.
User data protection:
The TOE accesses the network connectivity of its’ platform to communicate with the Server. The TOE does not access any sensitive information repositories.
Identification and authentication:
The TOE authenticates all users using password-based or X509v3 certificate-based method.
The TOE provides access to the security management functions via configuration files. Identification and authentication are required by the operating system before accessing the files. In addition, the operating system can provide some configuration options for TOE. In that case, the operating system I&A method and privileges will be used and enforced.
The TOE does not transmit PII over the network.
Protection of the TSF:
The TOE implements a number of functions to ensure that it is protected against tampering and corruption. These mechanisms include utilizing platform APIs, memory mapping, and stack-based buffer overflow protection. Palo Alto Networks provides customers with a means of updating their TOE using trusted updates. These trusted updates (signed RPM package) are securely delivered over HTTPS website and verified using approved digital signature methods. All of these updates are properly signed using RSA 2048 with SHA-256 and is verified by the operating system mechanism. In addition, the TOE image is protected with FIPS Software integrity test at power-up (e.g., when the application is started or is reloaded).
The TOE protects communication with Server, in the operational environment, using TLS to ensure both integrity and disclosure protection.
Palo Alto Networks, Inc.