Cortex XDR Licenses
Cortex XDR License Types
The following table describes the different license
types that are available for Cortex XDR. You can use either Cortex
XDR Prevent or a Cortex XDR Pro license. You can also use both Pro
licenses for the most coverage. If you do not know which license
type you have, see License Monitoring.
Feature | Cortex XDR Prevent | Cortex XDR Pro per Endpoint | Cortex XDR Pro per TB |
|---|---|---|---|
| 
| 
| |
Log storage |
|
| Minimum 5TB log storage |
Cortex XDR Adds-ons | |||
Host insights add-on, including:
This Add-on is limited
to a 3 month free trial period. | — |  | — |
Endpoint Prevention Features | |||
Endpoint management | | | — |
Device control | | | — |
Host firewall | | | — |
Disk encryption | | | — |
Response Actions | |||
Live Terminal | | | — |
Endpoint isolation | | | — |
Script execution | — | | — |
External dynamic list (EDL) | — | — | |
Analysis | |||
Analytics | — | | |
Alert and Log Ingestion | |||
Cortex XDR agent alerts | | | — |
EDR data | — | | — |
Other alerts (from Palo Alto Networks and third-party sources) | — | (API) | |
Other logs (from Palo Alto Networks and third-party
sources) | — | — | |
Integrations | |||
Threat intelligence (AutoFocus, VirusTotal) | | | |
Outbound integration and notification forwarding
(Slack, Syslog) | + agent audit
logs | + agent audit
logs | |
MSSP | |||
MSSP (requires additional MSSP license) | | | |
Managed Threat Hunting (requires an additional
Managed Threat Hunting License) | — | + a minimum of
500 endpoints | — |
License Allocation
With Cortex XDR Prevent and Cortex XDR Pro per Endpoint
licenses, Cortex XDR manages licensing for all endpoints in your
organization. Each time you install a new Cortex XDR agent on an endpoint,
the Cortex XDR agent registers with Cortex XDR to obtain a license.
In the case of non-persistent VDI, the Cortex XDR agent registers
with Cortex XDR as soon as the user logs in to the endpoint.
Cortex XDR issues licenses until you exhaust the number of license
seats available. Cortex XDR also enforces a license cleanup policy
to automatically return unused licenses to the pool of available
licenses. The time at which a license returns to the license pool
depends on the type of endpoint:
Endpoint Type | License Return | Agent Removal from Cortex XDR console | Agent Removal from Cortex XDR Database |
|---|---|---|---|
Standard and mobile devices | After 30 days | After 180 days | After 180 days The agent cannot be
restored after this period of time. |
(Non-Persistent) VDI and Temporary Session | Immediately after log-off for VDI, otherwise
after 90 minutes | After 6 hours | After 7 days |
If after a license is revoked the agent connects to Cortex XDR,
reconnection will succeed as long as the agent has not been deleted.
It can take up to an hour for Cortex XDR to display revived
endpoints.
Cortex XDR will notify you if you exceed the number of available
licenses.
License Expiration
After your Cortex XDR license expires, Cortex XDR allows
access to your tenant for an additional grace period of 48 hours.
After the 48-hour grace period, Cortex XDR disables access to the
Cortex XDR app until you renew the license.
For the first 30 days of your expired license, Cortex XDR continues
to protect your endpoints and/or network and retains data in the
Cortex Data Lake according to your Cortex Data Lake data retention
policy and licensing. After 30 days, the tenant is decommissioned
and agent prevention capabilities cease.
License Monitoring
From the
dialog,
you can view the license type associated with your Cortex XDR instance.
Cortex XDR License
For each license you have, Cortex XDR displays a tile that has
the expiration date of your license and additional details specific
to your license type:
- Cortex XDR Prevent—Displays the total number of concurrent agents permitted by your license. You can also view a graph of the current license allocation (total and percentage).
- Cortex XDR Pro per Endpoint—Displays the total number of installed in addition to the number and percentage of agents that have EDR data collection enabled. Below the license card, you can also view the storage retention policy, total amount of storage allocated for endpoint XDR, and the actual data usage.
- Cortex XDR Pro per TB—Displays the amount of total storage included with your license and the amount of storage used.
- Combination of Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB—Cortex XDR Pro per Endpoint displays the total number of installed agents, while Cortex XDR Pro per TB displays how many agents are enabled with endpoint data collection, allowing them to collect and send data to the server.
Cortex XDR will send you a notification if you exceed the number
of allowed agents.
To keep you informed of updates made to your license and avoid
service disruptions, Cortex XDR now displays a notification of changes
made to your license, if any actions are required from you, when
you log in.
