Learn more about the Cortex XDR architecture.
The following diagram shows the high-level architecture for key Cortex XDR components and integrations:
The architecture varies slightly between product licenses, but includes these standard components:
Cortex XDR provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.
The XDR data layer within your Cortex XDR tenant stores the logs from all the data types.
The Cortex XDR analytics can also consume endpoint data to detect and report post-intrusion threats automatically. The analytics engine can leverage endpoint data to generate alerts for abnormal network behavior, such as port scan activity.
Cortex Native Data Lake is a cloud-based logging infrastructure that allows you to centralize the collection and storage of logs generated by your Cortex XDR agents regardless of location. The Cortex XDR agents and Cortex XDR forward all logs to the Cortex Native Data Lake. You can view the logs for your agents in Cortex XDR. With the Log Forwarding app, you can also forward logs to an external syslog receiver.
Cortex XDR consumes data from identity sources that connect to the Cloud Identity Engine (CIE), which provides the necessary Active Directory or Okta context for User/Entity Behavior Analytics (UEBA).
The Cloud Identity Engine enables Palo Alto Networks cloud-based applications to leverage computer, user, and group attributes from your organization’s directories for security policies and endpoint management. This cloud-based service synchronizes attribute data from various sources, including on-premises directories such as Active Directory and cloud-based directories such as Microsoft Entra ID, Okta, and Google Cloud Identity. The Cortex XDR tenant and the CIE must be deployed in the same region.
WildFire Cloud Service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XDR can use to then detect and block that malware. When the Cortex XDR agent detects an unknown sample, such as a macro, DLL, or executable file, Cortex XDR can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes.
Additional optional architecture components include:
Palo Alto Networks next-generation firewalls, on-prem or virtual firewalls, enforce network security policies in your campus, branch offices, and cloud data centers.
Palo Alto Networks (PANW) sources such as Prisma Access and GlobalProtect enable you to extend your firewall security policy to mobile users and remote networks. You can also forward related traffic logs, including IoT logs, to Cortex Native Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.
External firewalls and alert sources enable Cortex XDR to ingest traffic logs and use the analytics engine to analyze those logs and raise alerts on anomalous behavior.
External alert sources can add additional context to your incidents. You can send Cortex XDR alerts from external sources using the Cortex XDR API.