Cortex XDR Licenses

Cortex XDR License Types

The following table describes the license types that are available for Cortex XDR. You can use either a Cortex XDR Prevent or a Cortex XDR Pro license. You can also use both Pro licenses for the most coverage. If you do not know which license type you have, see License Monitoring.
Feature
Cortex XDR Prevent
Cortex XDR Pro per Endpoint
Cortex XDR Pro per TB
Log storage
  • Minimum of 200 endpoints
  • 30 day log retention
  • Minimum of 200 endpoints
  • 30 day log retention
Minimum 5TB log storage
Cortex XDR Add-ons
Host insights add-on, including:
  • System visibility and Host inventory
  • Vulnerability management
  • File search and destroy
This Add-on is limited to a 3 month free trial period.
check-mark.png
Endpoint Prevention Features
Endpoint management
check-mark.png
check-mark.png
Device control
check-mark.png
check-mark.png
Host firewall
check-mark.png
check-mark.png
Disk encryption
check-mark.png
check-mark.png
Response Actions
Live Terminal
check-mark.png
check-mark.png
Endpoint isolation
check-mark.png
check-mark.png
Script execution
check-mark.png
External dynamic list (EDL)
check-mark.png
Analysis
Analytics
check-mark.png
check-mark.png
Alert and Log Ingestion
Cortex XDR agent alerts
check-mark.png
check-mark.png
EDR data
check-mark.png
Other alerts (from Palo Alto Networks and third-party sources)
check-mark.png
(API)
check-mark.png
Other logs (from Palo Alto Networks and third-party sources)
check-mark.png
Integrations
Threat intelligence (AutoFocus, VirusTotal)
check-mark.png
check-mark.png
check-mark.png
Outbound integration and notification forwarding (Slack, Syslog)
check-mark.png
+ agent audit logs
check-mark.png
+ agent audit logs
check-mark.png
MSSP
MSSP (requires additional MSSP license)
check-mark.png
check-mark.png
check-mark.png
Managed Threat Hunting (requires an additional Managed Threat Hunting License)
check-mark.png
+ a minimum of 500 endpoints

License Allocation

With Cortex XDR Prevent and Cortex XDR Pro per Endpoint licenses, Cortex XDR manages licensing for all endpoints in your organization. Each time you install a new Cortex XDR agent on an endpoint, the Cortex XDR agent registers with Cortex XDR to obtain a license. In the case of non-persistent VDI, the Cortex XDR agent registers with Cortex XDR as soon as the user logs in to the endpoint.
Cortex XDR issues licenses until you exhaust the number of license seats available. Cortex XDR also enforces a license cleanup policy to automatically return unused licenses to the pool of available licenses. The time at which a license returns to the license pool depends on the type of endpoint:
| Endpoint Type | License Return | Agent Removal from Cortex XDR console | Agent Removal from Cortex XDR Database |
|---|---|---|---|
| Standard and mobile devices | After 30 days | After 180 days | After 180 days. The agent cannot be restored after this period of time. |
| (Non-Persistent) VDI and Temporary Session | Immediately after log-off for VDI, otherwise after 90 minutes | After 6 hours | After 7 days |
If the agent connects to Cortex XDR after its license is revoked, reconnection will succeed as long as the agent has not been deleted.
It can take up to an hour for Cortex XDR to display revived endpoints.
Cortex XDR will notify you if you exceed the number of available licenses.

License Expiration

After your Cortex XDR license expires, Cortex XDR allows access to your tenant for an additional grace period of 48 hours. After the 48-hour grace period, Cortex XDR disables access to the Cortex XDR app until you renew the license.
For the first 30 days of your expired license, Cortex XDR continues to protect your endpoints and/or network and retains data in the Cortex Data Lake according to your Cortex Data Lake data retention policy and licensing. After 30 days, the tenant is decommissioned and agent prevention capabilities cease.

License Monitoring

From the gear icon > Cortex XDR License dialog, you can view the license type associated with your Cortex XDR instance.
For each license you have, Cortex XDR displays a tile that has the expiration date of your license and additional details specific to your license type:
  • Cortex XDR Prevent—Displays the total number of concurrent agents permitted by your license. You can also view a graph of the current license allocation (total and percentage).
  • Cortex XDR Pro per Endpoint—Displays the total number of installed agents in addition to the number and percentage of agents that have EDR data collection enabled. Below the license card, you can also view the storage retention policy, total amount of storage allocated for endpoint XDR, and the actual data usage.
  • Cortex XDR Pro per TB—Displays the amount of total storage included with your license and the amount of storage used.
  • Combination of Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB—Cortex XDR Pro per Endpoint displays the total number of installed agents, while Cortex XDR Pro per TB displays how many agents are enabled with endpoint data collection, allowing them to collect and send data to the server.
Cortex XDR will send you a notification if you exceed the number of allowed agents.
To keep you informed of updates made to your license and to avoid service disruptions, Cortex XDR now displays a notification when you log in that describes changes made to your license and whether any actions are required from you.
