Cortex XDR Architecture

With Cortex XDR, you can integrate with your network, endpoint, cloud, and third-party data sensors.
[Figure: Cortex XDR architecture diagram]
Cortex XDR consumes data from the Cortex Data Lake and can correlate and stitch together logs across your different log sensors to derive event causality and timelines. A Cortex XDR deployment that uses the full set of sensors can include the following components:
  • Cortex XDR
    —The Cortex XDR app provides complete visibility into all your data in the Cortex Data Lake. The app provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.
  • Cortex Data Lake
    —A cloud-based logging infrastructure that allows you to centralize the collection and storage of logs from your log data sources.
  • Cortex XDR Pro per TB:
    • Analytics engine
      —The Cortex XDR analytics engine is a security service that utilizes network data to automatically detect and report on post-intrusion threats. The analytics engine does this by identifying good (normal) behavior on your network, so that it can notice bad (anomalous) behavior.
    • Palo Alto Networks next-generation firewalls
      —On-premises or virtual firewalls that enforce network security policies in your campus, branch offices, and cloud data centers.
    • Palo Alto Networks Prisma Access and GlobalProtect
      —If you extend your firewall security policy to mobile users and remote networks using Prisma Access or GlobalProtect, you can also forward related traffic logs to Cortex Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.
    • External firewalls and alerts
      —Cortex XDR can ingest traffic logs from external firewall vendors—such as Check Point—and use the analytics engine to analyze those logs and raise alerts on anomalous behavior. For additional context in your incidents, you can also send alerts from external alert sources.
  • Cortex XDR Pro per Endpoint:
    • Analytics engine
      —The Cortex XDR analytics engine can also consume endpoint data to automatically detect and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts for abnormal network behavior (for example, port scan activity).
    • Cortex XDR agents
      —Cortex XDR agents protect your endpoints from known and unknown malware and from malicious behavior and techniques. Each agent performs its own analysis locally on the endpoint but also consumes WildFire threat intelligence. The Cortex XDR agent reports all endpoint activity to the Cortex Data Lake for analysis by Cortex XDR apps.
    • External alert sources
      —To add additional context to your incidents, you can send Cortex XDR alerts from external sources using the Cortex XDR API.