Cortex by Palo Alto Networks—the AI-based continuous security operations platform—extends next-generation security into the cloud. This simplifies deployment and reduces infrastructure and operational overhead. You can use the hub to discover, activate, and access Cortex apps. Most Cortex apps rely on the Cortex Data Lake to analyze and report on your network, cloud, and endpoint data.

Latest Hub, Cortex Data Lake, and Log Forwarding App Releases

July 2

The Log Forwarding app can now send your Cortex XDR - Investigation and Response alerts to a Syslog or email destination.

May 30

You no longer need Panorama to start sending logs to Cortex Data Lake! Enable your firewalls to securely connect to Cortex Data Lake, and start logging to the cloud now.

May 1

Security Lifecycle Review (SLR) reports now include even more threat data. Get visibility into:

  • Malware that was first detected on the endpoint.
  • Threats that are known to be connected to high-profile attacks, targeted campaigns, or malicious actors.
  • The countries most targeted by threats found on your network.

April 29

Introducing Explore!

Explore is a new app on the hub that allows you to easily examine the network and endpoint log data stored in Cortex Data Lake.

April 25

Get email updates when the Log Forwarding app is not able to connect to your Syslog server, so that you can quickly restore Syslog connectivity and resume log forwarding.

April 16

The hub now provides role management for apps—use the hub to manage who can access Cortex apps, and their level of access.

Cortex Infrastructure

Hub

The hub is the home for all apps built on Cortex. Use it as a launch pad to discover, use, and build apps.

Cortex Data Lake

The Cortex Data Lake stores the context-rich enhanced network logs generated by our security products, including our next-generation firewalls, GlobalProtect cloud service, and Traps management service. Cortex apps use the Cortex Data Lake to access, analyze, and report on your network data.

Directory Sync Service

The Directory Sync Service provides Cortex apps with read-only access to your Active Directory information—apps can use this data to provide user, group, and computer context for network and threat events.

Apps Built on Cortex

Cortex XDR

Cortex XDR Investigation and Response consumes data from the Cortex Data Lake and correlates logs from different network sensors to reveal threat causalities and timelines—it's your mission control for complete visibility into all your network traffic. The Cortex XDR Investigation and Response app triggers alerts based on indicators of compromise (including behavioral anomalies) and can send those alerts to the Cortex Data Lake. Cortex XDR Investigation and Response provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to prevent future attacks.

Traps Management Service

As new malware variants pop up around the globe and new software bugs and vulnerabilities are discovered, it is challenging to ensure that your endpoints remain secure. With the Traps™ management service, a cloud-based endpoint security service, you save the time and cost of building out your own global endpoint security infrastructure. This simplified deployment, which requires no server licenses, databases, or other infrastructure to get started, enables you to quickly protect your endpoints.

Explore

Explore the Cortex Data Lake by searching, filtering, and exporting log data. This app offers you critical visibility into your enterprise's network activities by allowing you to easily examine network and endpoint log data.

Log Forwarding App

The logs stored in the Cortex Data Lake are available for queries and reports using Panorama and the Application Framework. If you need to fulfill your organization's legal compliance requirements, the Log Forwarding app enables you to easily forward logs stored in the Cortex Data Lake to external destinations. For example, you can forward logs using Syslog to a SIEM for long-term storage, SOC, or internal audit obligations, and forward email notifications for critical events to an email address.

Security Lifecycle Review (SLR)