# Hasta La Vista Human Powers --- Automating the Automation

By [Dena De Angelo](https://www.paloaltonetworks.com/blog/author/ddeangelo/?ts=markdown "Posts by Dena De Angelo"), May 25, 2023. 6 minute read.

Categories: [Company & Culture](https://www.paloaltonetworks.com/blog/category/company-culture/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

Tags: [Interview](https://www.paloaltonetworks.com/blog/tag/interview/?ts=markdown), [SOC](https://www.paloaltonetworks.com/blog/tag/soc/?ts=markdown), [SOC automation](https://www.paloaltonetworks.com/blog/tag/soc-automation/?ts=markdown), [This is how we do it](https://www.paloaltonetworks.com/blog/tag/this-is-how-we-do-it/?ts=markdown)

"*This is How We Do It: The True Story of How Palo Alto Networks Runs Security Operations*" is a new video and [blog series](https://www.paloaltonetworks.com/blog/tag/this-is-how-we-do-it/) featuring interviews with members of our SOC team. We discuss how we run our own SOC and apply our own products, while openly sharing our practices.

At Palo Alto Networks, our SOC is highly optimized because we deliberately break away from the traditional four-tier SOC model. That model ranges from tier 1 analysts, who monitor, prioritize and investigate SIEM alerts, up to tier 4 SOC managers, who are responsible for recruitment, security strategy and reporting to management. Taking a more hybrid approach, the Palo Alto Networks SOC team follows a general philosophy:

* 50% of the SOC staff have previous SOC experience, while the others are skilled in various other technical areas.
* Cross-train the SOC team in all domains, including alert triage, incident response, threat hunting and others.
* Provide a well-funded annual training budget for all analysts.

Our rationale:

* Maintain a nimble team, able to pivot between responsibilities.
* Support business continuity.
* Provide a more engaging atmosphere and reduce staff burnout.
* Promote an environment of continuous learning.
* Provide greater coverage with less staff by relying on the right technology to get the job done.

### Episode 1: "*Hasta la Vista Human Powers - Automating the Automation*" -- An Interview with Devin Johnstone, SOC Operations Specialist at Palo Alto Networks

Devin Johnstone shares how the SOC team handles the large volume of security alerts it receives every day. Devin reveals that the Palo Alto Networks SOC ingests nearly 56 terabytes of raw log data per day, more than half of which comes from the cloud.
Devin and his team take this raw data and filter it down to a manageable number of alerts. They do this by combining the machine learning built into their products with their own knowledge, reducing the stream to the important alerts that require a ticket.

Palo Alto Networks serves tens of thousands of companies, helping protect millions of people from cyberthreats and data compromise. Devin believes the company's responsibility is to protect the infrastructure behind the services it offers:

"As much as we are working for Palo Alto Networks specifically, our responsibility is protecting all of the infrastructure behind the services that we offer. Our SOC is really focused on making sure everything behind the scenes is safe, as well as our employees, and monitoring what they do on a day-to-day basis."

Devin says that every single alert that comes into the SOC is automated in some way. The goal is to fully automate as many alerts as possible, so the team can focus on more important tasks, such as threat hunting. The team uses [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar) to automate the investigation of and response to security alerts. Devin explains further:

"Once those 130-ish alerts get into Cortex XSOAR, which is both our ticketing system and running the XSOAR playbooks to help us with the SOC response, there's a portion of them (about 15%) that are fully automated end-to-end. So the playbook picks it up, does all of the background research it needs to do and then closes. That is marked as something the SOC handled, but we didn't put any hands on it. Every single other one of those alerts has some automation to help it along...which will run proactively, start the investigation, and response in the SOC will finish it, or vice versa. Sometimes we'll start an investigation and then we'll reach a decision path where we can hand it over to XSOAR and say, 'close this off for me.'"

Even with this workflow, Devin believes there will always be a need for human analysts to understand the context of a situation. Overall, the SOC's approach is to *embrace* automation to help the team handle the large volume of alerts it receives every day.

"I get asked often: Is this automation ever going to take your job? And my answer is, I hope not. I think there's still going to be an aspect where we need to be focused on threat hunting, because that's where we provide value as humans --- understanding the context of a situation, thinking like the attacker and giving the repetitive stuff to the automation. I think our jobs are safe, but they're going to get even more interesting, because we're going to be able to focus on more important stuff rather than just looking at the same tickets every single day."

With the sheer volume of alerts and events coming into the SOC each day, it's essential to have a system in place that handles as much of the low-level work as possible. That leaves the analysts free to focus on more complex and nuanced threats, such as the SolarWinds attack:

"When the SolarWinds attack happened, we had already been using SolarWinds for some time. There was a signed, trusted update that was pushed down and it started trying to call out to a command & control. There were multiple analytics-based detections... without us having to configure those detections in advance. This is one of the areas where we excel because now it's not up to the SOC to imagine all of these potential scenarios and try to predict the future. We have machine learning today that can do that type of behavioral detection and prevention for things we have never seen before."
One thing that's clear from speaking with Devin: automation isn't seen as a threat to his team's jobs, but as a tool that enhances their capabilities. By leveraging machine learning and AI, they can analyze vast amounts of data and identify potential threats faster than ever before. By automating many of the repetitive tasks, they free up time for their analysts to focus on what they do best: using their knowledge and expertise to outsmart attackers.

As the threat landscape continues to evolve and cybercriminals become more sophisticated and aggressive, the role of the SOC is more critical than ever. By embracing automation and applying the latest technologies, teams like Devin's can stay one step ahead of attackers and protect their organizations from even the most advanced threats.

**Watch the [full interview](https://www.youtube.com/watch?v=oAQz_BTFkbU&ab_channel=CortexbyPaloAltoNetworks) on the Cortex YouTube Channel.**