Features by Cortex XDR License Type

Each Cortex XDR license enables features that are specific to its license type. Licenses can be used independently or in combination to add features.
The following table describes the capabilities associated with each Cortex XDR license type. You can use either a Cortex XDR Prevent or a Cortex XDR Pro license. There are three types of Pro licenses, Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, and Cortex XDR Pro per TB, that you can use independently or together for more complete coverage. If you do not know which license type you have, see Cortex XDR License Monitoring.
Feature, by license type: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, Cortex XDR Pro per TB
Log storage
  • Cortex XDR Prevent: minimum of 200 endpoints, 30 day log retention
  • Cortex XDR Pro per Endpoint: minimum of 200 endpoints, 30 day log retention
  • Cortex XDR Cloud per Host: minimum of 50 endpoints, 30 day log retention
  • Cortex XDR Pro per TB: minimum 5TB log storage, 30 day log retention
Kubernetes Host Support
Cortex XDR Add-on Licenses
Add-on licenses are required on top of a Cortex XDR license
Host Insights, including:
  • Host Inventory
  • Vulnerability Assessment
  • File Search and Destroy
Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Host Insights is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Forensics
Without the add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Forensics is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Compute Unit
Without the add-on license, Compute unit is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Compute unit is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Without the add-on license, Compute unit is available with Cortex XDR Pro per TB for a 1-month trial period.
Period Based Retention (Hot Storage)
Period Based Retention (Cold Storage)
GB Event Forwarding
Endpoints Event Forwarding
Endpoint Prevention Features
Endpoint management
Device control
Host firewall
Disk encryption
Response Actions
Live Terminal
Endpoint isolation
External dynamic list (EDL)
Script execution
Remediation analysis
Incident Scoring Rules
Featured Alert Fields
Widget Library
Assets
Asset Management
Palo Alto Networks IoT Security
Analysis
Analytics, including Identity Analytics
Alert and Log Collectors
Cortex XDR agent alerts
Prisma Cloud and Prisma Cloud Compute
Palo Alto Networks IoT Security
Third-Party Cloud Security Data (AWS, Azure, Google)
Enhanced data collection for EDR and other Pro features
Other alerts (from Palo Alto Networks and third-party sources)
(API)
Other logs (from Palo Alto Networks and third-party sources)
Integrations
Threat intelligence (AutoFocus, VirusTotal)
Outbound integration and notification forwarding (Slack, Syslog)
+ agent audit logs
+ agent audit logs
Broker VM
Agent Proxy
Syslog Collector
Apache Kafka Collector
CSV Collector
Database Collector
Files and Folders Collector
FTP Collector
NetFlow Collector
Network Mapper
Pathfinder
Windows Event Collector
MSSP
MSSP (requires additional MSSP license)
Managed Threat Hunting (requires an additional Managed Threat Hunting License)
+ a minimum of 500 endpoints
