Case Study

Banco de Galicia y Buenos Aires automates incident response in the SOC with Cortex XSOAR

One of Argentina’s largest private banks, Banco de Galicia y Buenos Aires S.A. (Banco Galicia) chooses Cortex® XSOAR by Palo Alto Networks through NeoSecure to automate incident response at the company’s SOC.

In brief


Banco de Galicia y
Buenos Aires S.A.


Finance, Banking

Products and Services

Finance, Banking

Organization Size

350 offices, 5,764 employees



  • Automate repeatable tasks that involve human decision-making and accelerate incident investigation.
  • Gain a comprehensive end-to-end understanding of incidents so security teams can respond better.
  • Provide a unified response with detailed data visualization in the form of correlation, triage, documentation, and measurements of incidents.
  • Automate incident response in the SOC.
  • Prepare playbooks or workflows that need to integrate with different technologies used by the company.
  • Carry out programmed/automated responses to incidents.
  • Installation of Cortex XSOAR in two virtual machines, to be carried out in the Palo Alto Networks cloud.
  • Installation of different virtual machines, according to the resulting architecture, to fulfill the automation of tasks.
  • Integration of the different technologies used by Banco Galicia to carry out automation tasks.
  • Configuration of Banco Galicia’s automation use cases by NeoSecure.

Cortex XSOAR—the industry’s most open and comprehensive SOAR platform—lets security teams take actions on threat intelligence, standardize processes and automate repeatable tasks to efficiently manage incidents across their security product stack and reduce response times.

Download PDF Share

Automation everywhere

Through some 350 offices, Banco de Galicia y Buenos Aires S.A. offers loans to a client base primarily of businesses and individuals. It also provides consumer, corporate, investment banking, insurance, and other services. Security is a top priority for this company that relies on the principles of banking responsibly.

With such companies constantly under the threat of getting attacked by phishing, malware, data exfiltration, ransomware, and privilege escalation, the SOC team is overwhelmed with low-level tasks.


In the first stage of deployment, we attack the most critical alerts and update the IoCs. Every now and then, we receive many common alerts from our SIEM and repetitive questions from other areas of the company. With the implementation of Cortex XSOAR, we are able to manage them almost fully automatically. What took us several minutes before is now managed in seconds.

– Pablo Lopez Gutierrez, SoC & IR Manager, Banco Galicia


Banco Galicia’s security challenge was automating incident response at its SOC. NeoSecure also needed to prepare playbooks to integrate Banco Galicia’s different technologies and perform automated response to incidents.


Banco de Galicia required automation and the possibility to integrate with multiple platforms, plus operative efficiency.


Jointly with our partner, NeoSecure, we carried out a test in which the bank’s platforms were integrated with XSOAR. The customer was able to see XSOAR’s capabilities for simple use cases and the potential to automate more advanced processes, leading to a more efficient SOC.

NeoSecure worked jointly with Palo Alto Networks to do a full implementation. NeoSecure also engaged a sales engineer and a project manager to oversee the correct deployment of XSOAR.


XSOAR is integrated with a variety of solutions, including Arbor, CrowdStrike, Trend Micro, FortiGate, Office 365, as well as content services, such as VirusTotal, BrightCloud, X-Force, and AbuseIPDB, to automate and orchestrate the management of indicators of compromise (IoCs), phishing incidents, DLP, and privilege escalation.

A playbook was defined for a known IoC.

Playbook “Alimentación IoCs”: This playbook will extract IoCs from received emails and then validate if the IoCs are classified as malicious in VirusTotal, X-Force and AbuseIPDB. The playbook will also verify that the IoCs exist in the ecosystem and load them.

Playbook “Detección de Phishing”: This playbook validates if the email message is phishing. It analyzes domains and IP addresses and their reputation. If malicious, they will be blocked in Office 365, CrowdStrike and Apex One.

Playbook “Investigación IoCs”: This playbook searches for and validates that the IoCs are classified as malicious in VirusTotal, X-Force, CrowdStrike and Trend Micro. The IoCs are manually loaded in the war room and could be URLs, IPs, or hashes.

Playbook “DLP”: This playbook automates notifying when there is an email to a help desk alias, searches in Active Directory® for the user’s manager, and then sends a notification via email to the manager and the user.

Playbook “Bloqueo IoCs”: This playbook generates a specific tag so that the necessary IoC blocking tasks can be executed on the defined integrations and consoles.

To learn more about Cortex XSOAR, visit