Cortex® XDR™ Prevent Architecture

This section describes the app ecosystem and data sources for the Cortex XDR app.
As new malware variants pop up around the globe and new software bugs and vulnerabilities are discovered, it is challenging to ensure that your endpoints remain secure. With Cortex XDR, a cloud-based endpoint security service, you save the time and cost of building out your own global endpoint security infrastructure. This simplified deployment, which requires no server licenses, databases, or other infrastructure to get started, enables you to quickly protect your endpoints.
With Cortex XDR, Palo Alto Networks deploys and manages the security infrastructure globally to manage endpoint security policy for both local and remote endpoints and to ensure that the service is secure, resilient, up to date, and available to you when you need it. This allows you to focus less on deploying the infrastructure and more on defining the policies to meet your corporate usage guidelines.
Cortex XDR comprises the following components:
  • Cortex XDR web interface
    —A cloud-based security infrastructure service that is designed to minimize the operational challenges associated with protecting your endpoints. From Cortex XDR, you can manage the endpoint security policy, review security events as they occur, and perform additional analysis of associated logs.
    You can host your Cortex XDR tenant in either the US Region or EU Region.
  • Cortex XDR Agents
    —Each local or remote endpoint is protected by the Cortex XDR agent, which is installed and continuously runs on the endpoint. The Cortex XDR agent enforces your security policy on the endpoint and sends a report when it detects a threat. Cortex XDR agents support secure communication with Cortex XDR using Transport Layer Security (TLS) 1.2.
  • Palo Alto Networks cloud-delivered security services:
    • Cortex Data Lake
      —A cloud-based logging infrastructure that allows you to centralize the collection and storage of logs generated by your Cortex XDR agents regardless of location. The Cortex XDR agents and Cortex XDR forward all logs to the Cortex Data Lake. You can view the logs for your agents in Cortex XDR. With the Log Forwarding app, you can also forward logs to an external syslog receiver.
      You can host your Cortex Data Lake instance in either the United States (US) Region or European Union (EU) Region.
    • Directory Sync Service
      —The Directory Sync Service enables Palo Alto Networks cloud-based applications to leverage computer, user, and group attributes from your on-premises Active Directory for use in policy and endpoint management. The Directory Sync Service uses an on-premises agent to collect those attributes from your on-premises Active Directory. The Directory Sync Service agent runs in the background to collect the Active Directory information and syncs it with the cloud-based Directory Sync Service that you configure using the Hub.
      You can host your Directory Sync Service instance in either the US Region or EU Region.
    • WildFire cloud service
      —The WildFire® cloud service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XDR can use to then detect and block that malware. When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XDR can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes. For more information, see WildFire® Analysis Concepts.