Cortex XDR – Analytics Components and Architecture

Cortex XDR – Analytics consists of a collection of software components, some installed on-premises and some in the cloud.
Cortex XDR™ – Analytics is a cloud-based application that works by observing the activity on your network. For the most part, the app performs this observation by examining the contents of your Palo Alto Networks Next Generation Firewall logs. These logs contain a wealth of information regarding the traffic on the network in your enterprise. Cortex XDR – Analytics gains access to these logs through the use of the Palo Alto Networks Cortex Data Lake.
By examining your network activity as recorded in your firewall logs, the app establishes a baseline for what is normal traffic on your network. Establishing this baseline takes time (days to weeks), and the app continues to update it as new logs arrive. Once the baseline exists, the app uses your logs to notice and alert on activity that is abnormal when compared to it.
In addition to your firewall logs, Cortex XDR – Analytics can make use of the Pathfinder VM and Traps. The app uses Pathfinder and Traps to examine the hosts, servers, and workstations (endpoints) in your network for malicious or risky software. Traps protects endpoints by preventing known and unknown malware from running on them, and forwards endpoint activity to the Cortex Data Lake. If you choose not to use Traps on certain hosts, or do not enable Traps data collection, you can install a Pathfinder VM locally on your network to detect suspicious network activity. Pathfinder interrogates your endpoints using remote procedure calls (RPCs) when Traps is not configured to collect data on the endpoint.
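The baseline-then-compare idea above, as an added illustration that is not Cortex XDR code and does not reproduce its analytics: the records are constructed, simplified traffic-log fields (day, source, destination, port, bytes), the baseline is the set of destination ports and the daily byte totals per source, and a later window is flagged for unseen ports, unknown sources, or volume beyond the historical mean plus k standard deviations.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records (day,src,dst,dport,bytes); not real log data.
BASELINE_LOGS = [
    "1,10.0.0.5,10.0.1.10,443,12000", "1,10.0.0.5,10.0.1.11,445,8000",
    "2,10.0.0.5,10.0.1.10,443,11000", "2,10.0.0.5,10.0.1.11,445,9000",
    "3,10.0.0.5,10.0.1.10,443,13000", "3,10.0.0.5,10.0.1.11,445,8500",
]
NEW_LOGS = [
    "4,10.0.0.5,10.0.1.10,443,12500",    # within normal behaviour
    "4,10.0.0.5,10.0.1.99,3389,400000",  # new port and a large transfer
    "4,10.0.0.77,10.0.1.10,443,1000",    # source never seen during baselining
]

def parse(lines):
    """Split 'day,src,dst,dport,bytes' strings into typed dicts."""
    recs = []
    for line in lines:
        day, src, dst, dport, nbytes = line.split(",")
        recs.append({"day": int(day), "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return recs

def build_baseline(records):
    """Per source: set of destination ports seen and list of daily byte totals."""
    ports, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for r in records:
        ports[r["src"]].add(r["dport"])
        daily[r["src"]][r["day"]] += r["bytes"]
    return {s: {"ports": ports[s], "daily": list(daily[s].values())} for s in ports}

def score(baseline, records, k=3.0):
    """Return (src, reason) alerts: unknown source, unseen port, or a daily
    byte total above the baseline mean + k standard deviations."""
    alerts, daily = [], defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["src"] not in baseline:
            alerts.append((r["src"], "no baseline for this source"))
            continue
        if r["dport"] not in baseline[r["src"]]["ports"]:
            alerts.append((r["src"], f"new port {r['dport']} to {r['dst']}"))
        daily[r["src"]][r["day"]] += r["bytes"]
    for src, days in daily.items():
        hist = baseline[src]["daily"]
        limit = mean(hist) + k * pstdev(hist)  # pstdev is 0 for a single day
        for day, total in days.items():
            if total > limit:
                alerts.append((src, f"day {day} volume {total} exceeds {limit:.0f}"))
    return alerts

if __name__ == "__main__":
    for src, why in score(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS)):
        print(src, why)
```

A real deployment would use a far longer learning window and many more features; the point is only that a short training window plus a simple threshold already separates the routine day from the outliers.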
Cortex XDR – Investigation and Response identifies the path of anomalous behavior, with which you can investigate alerts, take remediation actions, and define policies to detect the malicious activity in the future.
Finally, Cortex XDR – Analytics makes use of other Palo Alto Networks software to aid it in its analytics and reporting functions. For example, the app uses the WildFire cloud service to analyze suspicious files that Pathfinder might identify on your endpoints.
[Figure (magnifier-architecture.png): Cortex XDR – Analytics architecture]
Component: Cortex XDR – Analytics Application
Purpose: This application runs on the Palo Alto Networks Cortex Platform and is responsible for performing all automated data analysis. It also raises alerts, logs alerts, and allows you to track alerts. Finally, it provides both the Administrative and the Analyst user interfaces.

Component: Cortex Data Lake
Purpose: Contains the firewall logs and other data used by the Cortex XDR – Analytics analytics engine to identify both normal and abnormal activity on your network. Use of the Logging Service is required for the app to function. The Cortex Data Lake is a core service within the Palo Alto Networks Application Framework. The app also writes alerts to the Cortex Data Lake so that applications beyond Cortex XDR – Analytics can make use of the alert information.

Component: Panorama
Purpose: Provides centralized control and management for Palo Alto Networks next-generation firewalls. Panorama is required because it is used to forward your firewall logs to the Cortex Data Lake.

Component: Palo Alto Networks Next-Generation Firewall
Purpose: Performs traditional and next-generation firewall activities. The app analyzes Palo Alto Networks firewall logs to obtain intelligence about the traffic currently occurring on your network. This intelligence is used in combination with the Pathfinder investigation of your endpoints to identify both normal and abnormal activity on your network. A Palo Alto Networks firewall can also enforce security policy based on IP addresses and domains associated with Cortex XDR – Analytics alerts. To get started, set up a Cortex XDR – Analytics Block List to be the source of a firewall external dynamic list (EDL).

Component: Directory Sync Service
Purpose: Caches Active Directory user, group, and role information in the Palo Alto Networks Cortex Platform. With your permission, this information is used by the Cortex Platform apps and services that want to correlate network traffic to the users and hosts that are performing it. Cortex XDR – Analytics uses the Directory Sync Service to obtain the richest possible metadata about your network activity. This information is used to enable helpful details in triage and alert pages so that you can quickly identify who or what is performing network activity. Directory Sync Service is a core service in the Palo Alto Networks Cortex Platform.

Component: On-premises agent for the Directory Sync Service
Purpose: Locally installed software that retrieves Microsoft Active Directory information and sends it to your Directory Sync Service, which runs in the Palo Alto Networks Cortex Platform.

Component: Pathfinder VM
Purpose: Responsible for investigating your network endpoints. This investigation is performed using Remote Procedure Calls (RPCs). Endpoint evaluation, or interrogation, is usually performed automatically, such as when the Cortex XDR – Analytics application observes problematic traffic coming from an endpoint and then uses Pathfinder to interrogate it. You can also manually perform a Pathfinder interrogation if your investigative activities require it. One or more Pathfinder virtual machines are installed on your network, and they are responsible for sending interrogation results to the app for analysis.

Component: Traps
Purpose: Provides advanced threat protection to protect your endpoints from known and unknown malware and halt any attempts to leverage software exploits and vulnerabilities. To use Traps with Cortex XDR – Analytics, you must install Traps 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or later) and enable data collection. This enables Traps to monitor activity on the endpoint and collect forensic information that Cortex XDR – Analytics can use to detect suspicious behavior.

Component: WildFire
Purpose: Cloud-based service used to determine whether suspicious files are malware or grayware.

Component: Cortex XDR™ – Investigation and Response
Purpose: Cortex XDR – Investigation and Response is a preemptive incident response solution that identifies causality chains within forensic data to provide thread-level host visibility. Cortex XDR – Investigation and Response triggers alerts based on indicators of compromise and behavioral indicators of compromise and reports alerts to the Cortex Data Lake. It also provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.
