Differences between Endpoint Security Manager and Cortex XDR

There are functional differences between the Traps™ Endpoint Security Manager (ESM) and Cortex® XDR™.
The following table compares capabilities between the Traps™ Endpoint Security Manager (ESM) and Cortex® XDR™.
Endpoint Security Manager
Cortex® XDR™
Visibility into all file executions—including when Office files open and DLL files load into sensitive processes—and the file’s associated WildFire Report.
Hash Control
Enhanced file activity monitoring and visibility within investigation and search when enhanced data collection is enabled.
Administrative control to override verdicts for files that ran previously. Set verdicts from Benign to Malware and Malware to Benign.
Hash Control
Action Center
Allow List
Block List
Import never seen hashes and set verdicts for them.
Hash Control
Action Center
Import Hash Exceptions
From the Action Center, you can also add hashes individually to the block list or allow list.
Display quarantined files that are eligible to be restored to their original location on the endpoint.
Hash Control
Action Center
Security events search criteria
Security Events
—Endpoint, user name, and process.
Multi-faceted filters and search capabilities.
Log forwarding
SIEM, Syslog, Panorama, Email
Log forwarding to a Syslog receiver or email server is available with the Log Forwarding app.
Policy Management
Exception creation and policy configuration
You can create almost any policy rule that Palo Alto Networks Research teams (often at the instruction of Support) can create.
You can also allow very specific flows including adding to allow list specific DLL files for EPMs, and allowing specific child processes.
Palo Alto Networks can also create granular policy changes, using either support exceptions or content updates. You can also edit profiles, create exceptions, and disable specific capabilities, such as for a specific module or process.
Exceptions for Active Directory (AD) objects
Assign rules to any AD object.
Assign rules to any AD object.
Change mode per process
Report or block an event based on the process.
Report or block an event based on the category and not the process.
View protected processes
Visibility from the ESM Console (
Process Management
Visibility from Cortex XDR (select or search for
Protected Processes
in the relevant exploit protection capability from
Policy Management
+ New Profile
Exploit Profile
View policy from the Traps console
The Traps console displays the policy rules and exceptions that apply on the agent.
—Conditions based on file properties and registry values.
Endpoint Management
Endpoint Groups
—Create dynamic groups based on conditions such as host name, domain, workgroup, IP addressing, endpoint type (for example, VDI), endpoint operating system, and agent version. Does not support conditions based on registry values.
Agent and ESM settings
Granular control over settings such as the
Heartbeat Interval
(the frequency at which the Traps agent attempts to check in), the
Reporting Interval
(the frequency at which the Traps agent sends report notifications, including changes in service, crash events, and new processes), and the
Heartbeat Grace Period
(the allowable time period for a Traps agent that has not responded, after which the status changes to disconnected).
Fixed settings but reduced heartbeat interval (5 minutes) and reporting interval (1 hour).
Content updates
Choice of manual or automated content update installation.
Automated content updates delivered directly to your Cortex XDR tenant by Palo Alto Networks.
Endpoint and Tenant Management
Role-based access control
Granular access control for different areas and flows in the ESM Console.
Predefined roles to allow access to Cortex XDR features.
Agent revocation
Automatic and manual license revocation.
Automatic license revocation and manual endpoint removal capability.
Custom notification message
Customizable notification messages.
Customizable notification messages.

Recommended For You