Features by Cortex® XDR™ License Type

Each Cortex® XDR™ license enables features that are specific to that license type. Licenses can be used independently or in combination to add features.
The following table describes the capabilities associated with each Cortex XDR license type. You can use either a Cortex XDR Prevent license or a Cortex XDR Pro license. There are three types of Pro licenses (Cortex XDR Pro per Endpoint, Cortex XDR Cloud per Host, and Cortex XDR Pro per TB) that you can use independently or together for more complete coverage. If you do not know which license type you have, see Cortex® XDR™ License Monitoring.
Feature | Cortex XDR Prevent | Cortex XDR Pro per Endpoint | Cortex XDR Cloud per Host | Cortex XDR Pro per TB
Log storage | Minimum of 200 endpoints; 30 day log retention | Minimum of 200 endpoints; 30 day log retention | Minimum of 50 endpoints; 30 day log retention | Minimum 5TB log storage
Kubernetes Host Support
Cortex XDR Add-on Licenses
Add-on licenses are required on top of a Cortex XDR license
Host Insights, including:
  • Host Inventory
  • Vulnerability Assessment
  • File Search and Destroy
Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Host Insights is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Forensics
Without the add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Forensics is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Compute Unit
Without the add-on license, Compute unit is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Without the add-on license, Compute unit is available with Cloud Host Protection for Cortex XDR for a 1-month trial period.
Without the add-on license, Compute unit is available with Cortex XDR Pro per TB for a 1-month trial period.
XDR RTN (retention)
Endpoint Prevention Features
Endpoint management
Device control
Host firewall
Disk encryption
Response Actions
Live Terminal
Endpoint isolation
External dynamic list (EDL)
Script execution
Remediation analysis
Incident Scoring Rules
Featured Alert Fields
Widget Library
Assets
Asset Management
Analysis
Analytics
Alert and Log Collectors
Cortex XDR agent alerts
Prisma Cloud and Prisma Cloud Compute
Third-Party Cloud Security Data (AWS, Azure, Google)
Enhanced data collection for EDR and other Pro features
Other alerts (from Palo Alto Networks and third-party sources)
(API)
Other logs (from Palo Alto Networks and third-party sources)
Integrations
Threat intelligence (AutoFocus, VirusTotal)
Outbound integration and notification forwarding (Slack, Syslog)
+ agent audit logs
+ agent audit logs
Broker VM
Agent Proxy
Syslog Collector
CSV Collector
Database Collector
Files and Folders Collector
FTP Collector
NetFlow Collector
Network Mapper
Pathfinder
Windows Event Collector
MSSP
MSSP (requires additional MSSP license)
Managed Threat Hunting (requires an additional Managed Threat Hunting License)
+ a minimum of 500 endpoints
