With Cortex® XDR™, you can integrate with your network,
endpoint, cloud, and third-party data sensors.
Cortex® XDR™ consumes data from Cortex® Data Lake—a cloud logging
service for endpoints, firewalls, cloud sources, and third-party
data—and can correlate and stitch together logs across your different
log sensors to derive event causality.
A Cortex XDR deployment that uses the full set of sensors can include
the following components:
Cortex XDR app
—The Cortex XDR app provides complete
visibility into all your data in the Cortex Data Lake. The app provides
a single interface from which you can investigate and triage alerts,
take remediation actions, and define policies to detect malicious
activity in the future.
Cortex Data Lake
—A cloud-based logging infrastructure
that allows you to centralize the collection and storage of logs
from your log data sources.
Cortex XDR Pro per TB:
Cortex XDR analytics engine is a security service that utilizes
network data to automatically detect and report on post-intrusion
threats. The analytics engine does this by identifying good (normal)
behavior on your network, so that it can notice bad (anomalous) behavior.
Next-generation firewalls
—Palo Alto Networks next-generation firewalls
or virtual firewalls that enforce network security policies in your
campus, branch offices, and cloud data centers.
Palo Alto Networks Prisma Access and GlobalProtect
—When you extend your firewall security policy to mobile users and remote
networks using Prisma Access or GlobalProtect, you can also forward
related traffic logs to Cortex Data Lake. The analytics engine can
then analyze those logs and raise alerts on anomalous behavior.
External firewalls and alerts
—Cortex XDR can ingest
traffic logs from external firewall vendors—such as Check Point—and
use the analytics engine to analyze those logs and raise alerts
on anomalous behavior. For additional context in your incidents,
you can also send alerts from external alert sources.
Cortex XDR Pro per Endpoint:
Cortex XDR analytics can also consume endpoint data to automatically
detect and report on post-intrusion threats. The analytics engine
can use endpoint data to raise alerts for abnormal network behavior
(for example, port scan activity).
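The "learn what is normal, then notice what is not" idea behind the analytics engine (the Pro per TB passage above) and the port-scan example in the endpoint passage are easiest to see in code. The following is an added illustration written for this page, not Cortex XDR's analytics engine or any Palo Alto Networks code: it learns, per host, how many distinct destination/port pairs that host touches in its busiest minute, then flags a host whose busiest minute later jumps far above its own baseline. The log line format, window size, thresholds, host names and addresses are all constructed for the example.

```python
"""Toy "learn normal, flag abnormal" detector over endpoint connection logs.

Added illustration of the baselining idea the text describes, not Cortex XDR's
analytics engine. The log line format, the window size, the thresholds and the
sample data are all constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window over which distinct targets are counted
MIN_DISTINCT = 20                # absolute floor, so a quiet host is not flagged for trivia
FACTOR = 3.0                     # must also exceed the host's own learned peak by this factor


def parse_line(line):
    """Parse a constructed line: '<iso-timestamp> host=<name> dst=<ip> dport=<port>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts_str), "host": fields["host"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def peak_distinct_targets(events, window=WINDOW):
    """Per host, the largest number of distinct (dst, dport) pairs seen in any window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    peaks = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            # advance the window start until the window covers at most `window` seconds
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {(e["dst"], e["dport"]) for e in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        peaks[host] = peak
    return peaks


def learn_baseline(lines):
    """Baseline phase: what does each host's busiest window normally look like?"""
    return peak_distinct_targets(parse_line(line) for line in lines)


def detect_port_scans(baseline, lines, factor=FACTOR, floor=MIN_DISTINCT):
    """Detection phase: flag hosts whose busiest window is far outside their baseline."""
    observed = peak_distinct_targets(parse_line(line) for line in lines)
    alerts = []
    for host, peak in sorted(observed.items()):
        normal = baseline.get(host, 0)
        if peak >= floor and peak > factor * normal:
            alerts.append({"host": host, "peak_distinct_targets": peak, "baseline_peak": normal})
    return alerts


def constructed_logs():
    """Constructed sample: two workstations with steady habits, then ws-01 sweeps 25 ports."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    baseline = []
    for minute in range(10):
        t = base + timedelta(minutes=minute)
        baseline.append(f"{t.isoformat()} host=ws-01 dst=10.0.0.5 dport=443")
        baseline.append(f"{(t + timedelta(seconds=5)).isoformat()} host=ws-01 dst=10.0.0.7 dport=445")
        baseline.append(f"{(t + timedelta(seconds=9)).isoformat()} host=ws-02 dst=10.0.0.5 dport=443")
        baseline.append(f"{(t + timedelta(seconds=12)).isoformat()} host=ws-02 dst=10.0.0.9 dport=3389")
    live = []
    t0 = datetime(2024, 5, 2, 9, 0, 0)
    for i in range(25):  # ws-01: 25 distinct ports on one host within 25 seconds
        live.append(f"{(t0 + timedelta(seconds=i)).isoformat()} host=ws-01 dst=10.0.0.20 dport={1000 + i}")
    for minute in range(5):  # ws-02: same pattern as during the baseline
        t = t0 + timedelta(minutes=minute)
        live.append(f"{t.isoformat()} host=ws-02 dst=10.0.0.5 dport=443")
        live.append(f"{(t + timedelta(seconds=3)).isoformat()} host=ws-02 dst=10.0.0.9 dport=3389")
    return baseline, live


def run_demo():
    """Learn from day one, detect on day two; returns (baseline, alerts)."""
    baseline_lines, live_lines = constructed_logs()
    baseline = learn_baseline(baseline_lines)
    return baseline, detect_port_scans(baseline, live_lines)


if __name__ == "__main__":
    learned, found = run_demo()
    print("baseline:", learned)
    print("alerts:", found)
```

Two thresholds are deliberate: the per-host factor is what makes this a baseline detector rather than a static rule, and the absolute floor stops a host whose normal peak is one or two targets from being flagged the first time it opens a handful of new connections.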
Cortex XDR agents
—Protects your endpoints from known
and unknown malware and from malicious behavior and techniques. The Cortex
XDR agent performs its own analysis locally on the endpoint but
also consumes WildFire threat intelligence. The Cortex XDR agent
reports all endpoint activity to the Cortex Data Lake for analysis
by Cortex XDR apps.
External alert sources
—To add further context to
your incidents, you can send Cortex XDR alerts from external sources
using the Cortex XDR API.
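As an added example of sending an external alert through the Cortex XDR API (this is example code written for this page, not Palo Alto Networks' own client or SDK): the endpoint path, the `x-xdr-auth-id` and `Authorization` headers of a standard API key, the `request_data.alerts` envelope, and the per-alert field names are assumptions taken from the public Cortex XDR API documentation rather than from this page, so check them against the API reference for your tenant. The tenant FQDN, key values and the alert itself are constructed placeholders. The validation step catches the mistakes that most often get a batch rejected: a timestamp in seconds instead of milliseconds, a severity outside the accepted set, and a missing field.

```python
"""Build, validate and submit external alerts to Cortex XDR.

Added example, not Palo Alto Networks' own client code. Assumptions drawn from
the public Cortex XDR API documentation rather than from this page: the
endpoint path, the x-xdr-auth-id and Authorization headers of a standard API
key, and the per-alert fields listed in REQUIRED_FIELDS. The tenant FQDN, key
values and alert content below are constructed placeholders.
"""
import json
import urllib.request
from datetime import datetime, timezone

ENDPOINT_PATH = "/public_api/v1/alerts/insert_parsed_alerts"  # assumed path
SEVERITIES = ("Informational", "Low", "Medium", "High")         # assumed enum
REQUIRED_FIELDS = ("product", "vendor", "local_ip", "local_port", "remote_ip",
                   "remote_port", "event_timestamp", "severity",
                   "alert_name", "alert_description")          # assumed schema


def epoch_ms(dt):
    """Timestamps are sent as UTC epoch milliseconds (assumed), not seconds."""
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def build_alert(product, vendor, local_ip, local_port, remote_ip, remote_port,
                when, severity, name, description):
    """Assemble one parsed alert in the assumed field layout."""
    return {
        "product": product, "vendor": vendor,
        "local_ip": local_ip, "local_port": int(local_port),
        "remote_ip": remote_ip, "remote_port": int(remote_port),
        "event_timestamp": epoch_ms(when),
        "severity": severity,
        "alert_name": name, "alert_description": description,
    }


def validate_alert(alert):
    """Return a list of problems; an empty list means the alert is well formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in alert]
    if alert.get("severity") not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    ts = alert.get("event_timestamp")
    if not isinstance(ts, int) or ts < 10**12:  # seconds-since-epoch is ~1.7e9, far below this
        problems.append("event_timestamp must be an integer in epoch milliseconds")
    for key in ("local_port", "remote_port"):
        port = alert.get(key)
        if not isinstance(port, int) or not 0 <= port <= 65535:
            problems.append(f"{key} must be an integer in 0..65535")
    return problems


def build_request(alerts):
    """Wrap alerts in the request envelope; refuses a batch containing a malformed alert."""
    bad = {}
    for index, alert in enumerate(alerts):
        problems = validate_alert(alert)
        if problems:
            bad[index] = problems
    if bad:
        raise ValueError(f"malformed alerts: {bad}")
    return {"request_data": {"alerts": list(alerts)}}


def send_alerts(tenant_fqdn, api_key_id, api_key, alerts, timeout=15):
    """POST the batch to the tenant. Network call; not exercised by the sample run."""
    body = json.dumps(build_request(alerts)).encode()
    req = urllib.request.Request(
        f"https://api-{tenant_fqdn}{ENDPOINT_PATH}", data=body, method="POST",
        headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def sample_alert():
    """Constructed alert from a hypothetical external IDS (placeholder values)."""
    return build_alert(
        product="Example IDS", vendor="Example Vendor",
        local_ip="10.0.0.20", local_port=51234,
        remote_ip="198.51.100.7", remote_port=445,
        when=datetime(2024, 5, 2, 9, 0, 0, tzinfo=timezone.utc),
        severity="High", name="Suspicious SMB session",
        description="Constructed sample alert for the example")


if __name__ == "__main__":
    # send_alerts("tenant.example.xdr.paloaltonetworks.com", "KEY_ID_PLACEHOLDER",
    #             "API_KEY_PLACEHOLDER", [sample_alert()])  # placeholders, not real values
    print(json.dumps(build_request([sample_alert()]), indent=2))
```

Keep the API key out of source control and in a secrets store; the placeholder strings in the `__main__` block mark where a deployment would inject them.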