Analytics sensors - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide

To detect anomalous behavior, Cortex XDR can analyze logs and data from a variety of sensors.

Note

Cortex XDR Pro per Endpoint agents without the XTH add-on can enable Analytics and Identity Analytics. Due to the limits and filters applied to the data collected, results will differ from agents with the XTH add-on. See the Cortex XDR Analytics Alert Reference guide for a complete list of supported sensors.

Sensor

Description

Palo Alto Networks sensors

Firewall traffic logs

Palo Alto Networks firewalls perform traditional and next-generation firewall activities. The Cortex XDR Analytics engine can analyze Palo Alto Networks firewall logs to obtain intelligence about the traffic on your network. A Palo Alto Networks firewall can also enforce Security policies based on IP addresses and domains associated with Analytics alerts with external dynamic lists.

Enhanced application logs (EAL)

To provide greater coverage and accuracy, you can enable enhanced application logging on your Palo Alto Networks firewalls. Enhanced Application Logs (EAL) are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR.

Types of data collected by EAL include, amongst others, records of DNS queries, the HTTP header User Agent field that specifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. For example, with DHCP information, Cortex XDR can trigger an alert when it detects unusual activity based on hostname instead of IP address. This enables the security analyst to meaningfully assess whether the user’s activity is within the scope of their role, and if not, to stop the activity.
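The hostname-based attribution described above, as an added illustration that is not Cortex XDR's own code or data: it joins constructed DHCP lease records with constructed firewall traffic events so that each event is attributed to the host that actually held the source IP at that moment. Field names, hostnames, addresses and timestamps are all assumptions made for the example. The point it shows beyond the paragraph is why the lease window matters: the same IP is handed to two different hosts during the day, so attribution by IP alone would blame the wrong machine, and an event that falls between leases is left unattributed rather than guessed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample DHCP lease records (assumed field names, not real EAL output).
@dataclass(frozen=True)
class DhcpLease:
    ip: str
    hostname: str
    start: datetime
    end: datetime

# Constructed sample firewall traffic events (assumed field names).
@dataclass(frozen=True)
class TrafficEvent:
    ts: datetime
    src_ip: str
    dst_domain: str

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed data: 10.0.0.25 is leased to two different hosts on the same day.
LEASES = [
    DhcpLease("10.0.0.25", "finance-pc01", parse_ts("2024-03-06 08:00:00"), parse_ts("2024-03-06 12:00:00")),
    DhcpLease("10.0.0.25", "contractor-lt7", parse_ts("2024-03-06 12:30:00"), parse_ts("2024-03-06 18:00:00")),
    DhcpLease("10.0.0.40", "devops-ws03", parse_ts("2024-03-06 07:00:00"), parse_ts("2024-03-06 19:00:00")),
]

EVENTS = [
    TrafficEvent(parse_ts("2024-03-06 09:10:00"), "10.0.0.25", "payroll.example.internal"),
    TrafficEvent(parse_ts("2024-03-06 13:05:00"), "10.0.0.25", "files.example.internal"),
    TrafficEvent(parse_ts("2024-03-06 12:15:00"), "10.0.0.25", "updates.example.net"),  # between leases
    TrafficEvent(parse_ts("2024-03-06 10:00:00"), "10.0.0.40", "git.example.internal"),
]

def hostname_at(leases, ip: str, ts: datetime) -> Optional[str]:
    """Return the hostname holding `ip` at instant `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts <= lease.end:
            return lease.hostname
    return None

def attribute_events(leases, events):
    """Attach a hostname (or None) to every traffic event using the lease valid at event time."""
    return [(ev.ts, ev.src_ip, hostname_at(leases, ev.src_ip, ev.ts), ev.dst_domain) for ev in events]

def domains_per_host(attributed):
    """Group distinct destination domains by hostname; unattributed events are kept visible, not dropped."""
    result = {}
    for _, _, host, domain in attributed:
        result.setdefault(host or "<unattributed>", set()).add(domain)
    return result

if __name__ == "__main__":
    for host, domains in sorted(domains_per_host(attribute_events(LEASES, EVENTS)).items()):
        print(host, sorted(domains))
```

Keeping unattributed events visible is deliberate: an IP with no covering lease (a static address, a rogue device, or a gap in DHCP logging) is itself worth an analyst's attention, and silently assigning it to the most recent lease holder would hide that.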

GlobalProtect and Prisma Access logs

If you use GlobalProtect or Prisma Access to extend your firewall security coverage to your mobile users, Cortex XDR can analyze VPN traffic to detect anomalous behavior on mobile endpoints.

Firewall URL logs (part of firewall threat logs)

Palo Alto Networks firewalls generate threat log entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Cortex XDR can analyze the threat log entries relating to URLs and trigger alerts that indicate malicious behavior such as command and control, and exfiltration.

Cortex XDR agent endpoint data

With a Cortex XDR Pro per Endpoint license, you can deploy Cortex XDR agents on your endpoints to protect them from malware and software exploits. The Analytics engine can also analyze the EDR data collected by the agent to trigger alerts. To collect EDR data, you must install Cortex XDR agent 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or later).

The Cortex XDR Analytics engine can analyze activity and traffic based solely on endpoint activity data sent from Cortex XDR agents. For increased coverage and greater insight during investigations, use a combination of Cortex XDR agent data and firewalls to supply activity logs for analysis.

Pathfinder data collector

In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The Analytics engine can also analyze the Pathfinder data collector in combination with other data sources to increase coverage of your network and endpoints, and to provide more context when investigating alerts.

Directory Sync logs

If you use the Cloud Identity Engine to provide Cortex XDR with Active Directory data, the Analytics engine can also trigger alerts on your Active Directory logs.

External sensors

Third-party firewall logs

If you use non-Palo Alto Networks firewalls - Check Point, Fortinet, Cisco ASA - in addition to or instead of Palo Alto Networks firewalls, you can set up a syslog collector to facilitate log and alert ingestion. By sending your firewall logs to Cortex XDR, you can increase detection coverage and take advantage of Cortex XDR analysis capabilities. When Cortex XDR analyzes your firewall logs and detects anomalous behavior, it triggers an alert.

Third-party authentication service logs

If you use an authentication service—Microsoft Azure AD, Okta, or PingOne—you can set up log collection to ingest authentication logs and data into authentication stories.

Windows Event Collector logs

The Windows Event Collector (WEC) runs on the Broker VM collecting event logs from Domain Controllers (DCs). The Analytics engine can analyze these event logs to trigger alerts such as for credential access and defense evasion.