NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Palo Alto Networks Cortex XSOAR Engine 6.6

Certificate Date:  2022.10.05

Validation Report Number:  CCEVS-VR-VID11325-2022

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Target of Evaluation (TOE) is the Palo Alto Networks Cortex[1] XSOAR Engine 6.6.  Cortex XSOAR combines security orchestration, incident management, and interactive investigation into a seamless experience.  The orchestration component is designed to automate security product tasks and weave in human analyst tasks and workflows.  The Engine is used to efficiently share the workload (e.g., load-balancing) with the XSOAR Server in the operational environment, thereby speeding up execution time.

[1] Cortex was formerly known as Demisto.

Evaluated Configuration

The evaluated configuration is the Cortex XSOAR Engine 6.6.  The TOE runs on an operating system that includes RHEL 8, RHEL 7, Ubuntu (18.04, 20.04), Oracle Linux 7, or Amazon Linux 2.  The TOE was tested on RedHat Enterprise Linux v8.4.

Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) Cortex XSOAR Server and Engine 6.6, September 16, 2022 document, satisfies all of the security functional requirements stated in the Palo Alto Networks Cortex XSOAR Engine 6.6 Security Target, Version 1.1, September 30, 2022.  The project underwent CCEVS Validator review.  The evaluation was completed in October 2022.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11325-2022) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the Palo Alto Networks Cortex XSOAR Engine are realized in the security functions that it implements. Each of these security functions is summarized below.


Cryptographic support:

The TOE implements CAVP validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of cryptographic protocols such as TLS.

User data protection:

The TOE accesses the network connectivity of its’ platform to communicate with the Server. The TOE does not access any sensitive information repositories.

Identification and authentication:

The TOE authenticates all users using password-based or X509v3 certificate-based method.

Security management:

The TOE provides access to the security management functions via configuration files. Identification and authentication are required by the operating system before accessing the files. In addition, the operating system can provide some configuration options for TOE. In that case, the operating system I&A method and privileges will be used and enforced.


The TOE does not transmit PII over the network.

Protection of the TSF:

The TOE implements a number of functions to ensure that it is protected against tampering and corruption.  These mechanisms include utilizing platform APIs, memory mapping, and stack-based buffer overflow protection. Palo Alto Networks provides customers with a means of updating their TOE using trusted updates. These trusted updates (signed RPM package) are securely delivered over HTTPS website and verified using approved digital signature methods. All of these updates are properly signed using RSA 2048 with SHA-256 and is verified by the operating system mechanism. In addition, the TOE image is protected with FIPS Software integrity test at power-up (e.g., when the application is started or is reloaded).

Trusted path/channels:

The TOE protects communication with Server, in the operational environment, using TLS to ensure both integrity and disclosure protection.

Vendor Information

Palo Alto Networks, Inc.
Jake Bajic
Site Map              Contact Us              Home