Cortex XDR – Investigation and Response Architecture

Cortex XDR – Investigation and Response consumes data from the Cortex Data Lake and can correlate and stitch together logs from your different log sensors to derive event causality and timelines. A Cortex XDR – Investigation and Response deployment that uses the full set of sensors can include the following components:
[Figure: Cortex XDR – Investigation and Response deployment architecture (cortex-xdr.png)]
  • Cortex XDR – Investigation and Response—The Cortex XDR – Investigation and Response app provides complete visibility into all your data in the Cortex Data Lake. The app provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect the same malicious activity in the future.
  • Palo Alto Networks next-generation firewalls—On-premises or virtual firewalls that enforce network security policies in your campus, branch offices, and cloud data centers.
  • Cortex Data Lake—A cloud-based logging infrastructure that allows you to centralize the collection and storage of logs from your log data sources.
  • Cortex XDR – Analytics—Cloud-based network security service that utilizes data from the Cortex Data Lake to automatically detect and report on post-intrusion threats. Cortex XDR – Analytics does this by identifying good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
  • Traps—Protects your endpoints from known and unknown malware and malicious behavior and techniques. Traps performs its own analysis locally on the endpoint but also consumes WildFire threat intelligence. The Traps agent reports all endpoint activity to the Cortex Data Lake for analysis by Cortex XDR apps.
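As an added illustration of the cross-sensor stitching described above (example code written for this page, not Cortex XDR's own logic or log schema), the following Python attributes each firewall session to the endpoint process that was active on the same source IP shortly before it, producing a causal timeline. The event records, field names and the 30-second attribution window are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events from two sensors (not real Cortex Data Lake records):
# one endpoint process-start event from Traps and two firewall traffic sessions.
ENDPOINT_EVENTS = [
    {"sensor": "endpoint", "ts": "2020-01-15T10:00:05", "host": "ws-042",
     "src_ip": "10.1.2.42", "process": "powershell.exe", "pid": 4321},
]
FIREWALL_EVENTS = [
    {"sensor": "firewall", "ts": "2020-01-15T10:00:07", "src_ip": "10.1.2.42",
     "dst_ip": "203.0.113.9", "dst_port": 443, "action": "allow"},
    {"sensor": "firewall", "ts": "2020-01-15T11:30:00", "src_ip": "10.1.2.42",
     "dst_ip": "198.51.100.4", "dst_port": 80, "action": "allow"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def stitch(endpoint_events, firewall_events, window_seconds=30):
    """Return a time-ordered list of {ts, event, caused_by} entries.

    A firewall session is attributed to the most recent endpoint event on the
    same source IP that occurred within window_seconds before it; sessions
    with no such event get caused_by=None (unexplained by endpoint telemetry).
    """
    timeline = [{"ts": e["ts"], "event": e, "caused_by": None} for e in endpoint_events]
    for fw in firewall_events:
        fw_time = parse_ts(fw["ts"])
        candidates = [
            e for e in endpoint_events
            if e["src_ip"] == fw["src_ip"]
            and 0 <= (fw_time - parse_ts(e["ts"])).total_seconds() <= window_seconds
        ]
        cause = max(candidates, key=lambda e: parse_ts(e["ts"]), default=None)
        timeline.append({"ts": fw["ts"], "event": fw, "caused_by": cause})
    # ISO-8601 timestamps sort correctly as strings.
    timeline.sort(key=lambda entry: entry["ts"])
    return timeline


def build_timeline():
    return stitch(ENDPOINT_EVENTS, FIREWALL_EVENTS)


if __name__ == "__main__":
    for entry in build_timeline():
        cause = entry["caused_by"]
        label = f"{cause['process']} (pid {cause['pid']})" if cause else "no endpoint cause"
        print(entry["ts"], entry["event"]["sensor"], "->", label)
```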

Related Documentation