Features by Cortex XDR License Type

Each Cortex XDR license enables features that are specific to license type. Each license can be used independently or in combination to add additional features.
The following table describes the capabilities associated with each Cortex XDR license type. You can use either Cortex XDR Prevent or a Cortex XDR Pro license. There are two types of Pro licenses, Cortex XDR Pro per Endpoint and Cortex XDR Pro per TB, that you can use independently or together for more complete coverage. If you do not know which license type you have, see Cortex® XDR™ License Monitoring.
The Cortex XDR Pro per TB license grants a monthly ingestion quota of 1 TB per month and no more than 33GB per day. In addition, each license enables storing 1 TB of data. For more information, see Allocate Log Storage for Cortex XDR.
Cortex XDR Prevent
Cortex XDR Pro per Endpoint
Cortex XDR Pro per TB
Log storage
  • Minimum of 200 endpoints
  • 30 day log retention
  • Minimum of 200 endpoints
  • 30 day log retention
Minimum 5TB log storage
Cortex XDR Add-on Licenses
Add-on licenses are required on top of a Cortex XDR license
Host Insights, including:
  • Host Inventory
  • Vulnerability Assessment
  • File Search and Destroy
Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period.
Identity Analytics
The add-on is currently free, however will entail an additional cost in the future.
Endpoint Prevention Features
Endpoint management
Device control
Host firewall
Disk encryption
Response Actions
Live Terminal
Endpoint isolation
External dynamic list (EDL)
Script execution
Remediation analysis
Incident Scoring Rules
Featured Alert Fields
Widget Library
Alert and Log Ingestion
Cortex XDR agent alerts
Enhanced data collection for EDR and other Pro features
Other alerts (from Palo Alto Networks and third-party sources)
Other logs (from Palo Alto Networks and third-party sources)
Threat intelligence (AutoFocus, VirusTotal)
Outbound integration and notification forwarding (Slack, Syslog)
+ agent audit logs
+ agent audit logs
Broker VM
Agent Proxy
Syslog Collector
CSV Collector
Network Mapper
Windows Event Collector
MSSP (requires additional MSSP license)
Managed Threat Hunting (requires an additional Managed Threat Hunting License)
+ a minimum of 500 endpoints

Recommended For You