Cortex XDR Concepts


With Endpoint Detection and Response (EDR), enterprises rely on endpoint data as a means to respond to cybersecurity incidents. As cybercriminals and their tactics have become more sophisticated, the time to identify and time to contain breaches has only increased. XDR goes beyond the traditional EDR approach of using only endpoint data to identify and respond to threats by applying machine learning across all your enterprise, network, cloud, and endpoint data. This approach enables you to quickly find and stop targeted attacks and insider abuse and remediate compromised endpoints.


Cortex XDR™ – Investigation and Response uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data.
A sensor can be any of the following Palo Alto Networks products that forwards data to the Cortex Data Lake:
  • Virtual (VM-Series) or physical firewalls—identifies known threats in your network and cloud data center environments
  • Cortex XDR™ – Analytics—Identifies anomalous behavior in your network
  • Traps—Identifies threats on your endpoints and halts any malicious behavior or files
While more sensors increases the amount of data Cortex XDR™ – Investigation and Response can analyze, you only need to deploy one type of sensor, such as next-generation firewalls or Traps, to begin detecting and stopping threats with Cortex XDR.

Log Stitching

To provide a complete picture of the events and activity surrounding an event, Cortex XDR™ – Investigation and Response correlates network, endpoint, and cloud data across your detection sensors. The act of correlating logs from different sources is referred to as log stitching. For example, if your firewalls detect malicious network activity, the app can correlate that activity with endpoint logs to observe the impact of the activity and identify the cause of the behavior.
Log stitching streamlines detection and reduces response time by eliminating the need for manual analysis across different data sensors.

Causality Analysis Engine

The Causality Analysis Engine™ is the heart of Cortex XDR™ – Investigation and Response. The Causality Analysis Engine correlates activity from all detection sensors to establish causality chains that identify the root cause of every alert. The Causality Analysis Engine also identifies a complete forensic timeline of events that helps you to determine the scope and damage of an attack, and provide immediate response.

Causality Chain

When a malicious file, behavior, or technique is detected, Cortex XDR™ – Investigation and Response correlates available data across your detection sensors to display the sequence of activity that led to the alert. This sequence of events is called the causality chain. The causality chain is built from processes, events, and alerts associated with the activity. During alert investigation you should review the entire causality chain to fully understand why the alert occurred.

Causality Group Owner (CGO)

The Causality Group Owner (CGO) is the process in the causality chain that the Causality Analysis Engine identified as being responsible for or causing the activities that led to the alert.

Related Documentation