Features by Cortex XDR License Type
Cortex
XDR
License TypeEach Cortex XDR license enables features that are specific
to license type. Each license can be used independently or in combination
to add additional features.
The following table describes the capabilities associated
with each
Cortex
XDR
license
type. You can use either Cortex
XDR
Prevent or a Cortex
XDR
Pro license. There are three types of Pro licenses, Cortex
XDR
Pro per Endpoint, Cortex
XDR
Cloud per Host, and Cortex
XDR
Pro per TB, that you
can use independently or together for more complete coverage. If
you do not know which license type you have, see Cortex XDR License Monitoring.The
Cortex
XDR
Pro per TB license grants a monthly ingestion quota
of 1 TB per month and no more than 33GB per day. In addition, each
license enables storing 1 TB of data for 30 days. For more information,
see Manage Your Log Storage within Cortex XDR.Feature | Cortex XDR Prevent | Cortex XDR Pro per Endpoint | Cortex XDR Cloud per Host | Cortex XDR Pro per TB |
|---|---|---|---|---|
| 
| 
| 
| |
Log storage |
|
|
|
|
Kubernetes Host Support | — | — |  | — |
Cortex XDR Add-on LicensesAdd-on licenses are required
on top of a Cortex XDR license | ||||
Host Insights, including:
| — | Without the
add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial
period. | Without the
add-on license, Host Insights is available with Cloud Host Protection
for Cortex XDR for a
1-month trial period. | — |
Forensics | — | Without the
add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period. | Without the
add-on license, Forensics is available with Cloud Host Protection
for Cortex XDR for a
1-month trial period. | — |
Compute Unit | — | Without the
add-on license, Compute unit is available with Cortex XDR Pro per Endpoint for a 1-month trial
period. | Without the
add-on license, Compute unit is available with Cloud Host Protection
for Cortex XDR for a
1-month trial period. | Without the
add-on license, Compute unit is available with Cortex XDR Pro per TBfor a 1-month trial period. |
Period Based Retention (Hot Storage) | — | | | |
Period Based Retention (Cold Storage) | — | | | |
GB Event Forwarding | — | — | — | |
Endpoints Event Forwarding | — | | | — |
Endpoint Prevention Features | ||||
Endpoint management | | | | — |
Device control | | | | — |
Host firewall | | | | — |
Disk encryption | | | | — |
Response Actions | ||||
Live Terminal | | | | — |
Endpoint isolation | | | | — |
External dynamic list (EDL) | — | | | |
Script execution | — | | | — |
Remediation analysis | — | | | — |
Incident Scoring Rules | — | | | |
Featured Alert Fields | — | | | |
Widget Library | — | | | |
Assets | ||||
Asset Management | — | | | |
Analysis | ||||
Analytics, including Identity Analytics | — | | | |
Alert and Log Collectors | ||||
Cortex XDR agent alerts | | | | — |
Prisma Cloud and Prisma Cloud Compute | — | — | — | |
Palo Alto Networks IoT Security | — | — | — | |
Third-Party Cloud Security Data (AWS, Azure, Google) | — | — | — | |
Enhanced data collection for EDR and other
Pro features | — | | | — |
Other alerts (from Palo Alto Networks and third-party sources) | — | (API) | | |
Other logs (from Palo Alto Networks and third-party sources) | — | — | — | |
Integrations | ||||
Threat intelligence (AutoFocus, VirusTotal) | | | | |
Outbound integration and notification forwarding (Slack,
Syslog) | + agent audit logs | + agent audit logs | | |
Broker VM | ||||
Agent Proxy | | | | |
Syslog Collector | — | — | — | |
Apache Kafka Collector | — | — | — | |
CSV Collector | — | — | — | |
Database Collector | — | — | — | |
Files and Folders Collector | — | — | — | |
FTP Collector | — | — | — | |
NetFlow Collector | — | — | — | |
Network Mapper | — | | | |
Pathfinder | — | | | |
Windows Event Collector | — | — | — | |
MSSP | ||||
MSSP (requires additional MSSP license) | | | | |
Managed Threat Hunting (requires an additional Managed
Threat Hunting License) | — | + a minimum of 500 endpoints | | — |
