Architecture - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about the Cortex XDR Prevent architecture.

Alert Alert Exclusion Analytics behavioral indicators of compromise Attack Surface Management Behavioral indicators of compromise Bring Your Own Machine Learning Broker Virtual Machine Broker Virtual Machine Fully Qualified Domain Name Causality Chain Causality Group Owner Causality View Cloud Detection and Response Cortex Copilot Cortex Data Model Cortex Query Language Dataset Elasticsearch Filebeat Endpoint Detection and Response Endpoint Protection Platform Exception Exception vs Alert Exclusion Extended Detection and Response External Dynamic List Filebeat Forensics Fully Qualified Domain Name Identity Threat Detection and Response Incident Indicators of compromise IT Metrics Dashboard Managed Threat Hunting Management, Reporting, and Compliance Master Boot Record Protection MITRE ATT&CK Framework Coverage Dashboard Next-Generation Firewall Notebooks On-write File Protection PlaybookPrisma ScriptSecurity Orchestration, Automation, and Response Security Information and Event Management Threat Intelligence Platform User and Entity Behavior Analytics Unified Extensible Firmware Interface Protection Virtual Machine Vulnerability Assessment Windows Event Collector XSIAM Command Center

As new malware variants pop up around the globe and new software bugs and vulnerabilities are discovered, it is challenging to ensure that your endpoints remain secure. With Cortex XDR, a cloud-based endpoint security service, you save the time and cost of building out your own global endpoint security infrastructure. This simplified deployment, which requires no server licenses, databases, or other infrastructure to get started, enables you to quickly protect your endpoints.


With Cortex XDR, Palo Alto Networks deploys and manages the security infrastructure globally to manage endpoint security policy for both local and remote endpoints and to ensure that the service is secure, resilient, up-to-date, and available to you when you need it. This allows you to focus less on deploying the infrastructure and more on defining the policies to meet your corporate usage guidelines.

Cortex XDR is comprised of the following components:

  • Cortex XDR web interface—A cloud-based security infrastructure service that is designed to minimize the operational challenges associated with protecting your endpoints. From Cortex XDR, you can manage the endpoint security policy, review security events as they occur, and perform additional analysis of associated logs.


    You can host your Cortex XDR tenant in either the US Region or EU Region.

  • Cortex XDR Agents—Each local or remote endpoint is protected by the Cortex XDR agent, which is installed and continuously runs on the endpoint. The Cortex XDR agent enforces your security policy on the endpoint and sends a report when it detects a threat. Cortex XDR agents support secure communication with Cortex XDR using Transport Layer Security (TLS) 1.2 only.

  • Palo Alto Networks cloud-delivered security services:

    • Strata Logging Service—A cloud-based logging infrastructure that allows you to centralize the collection and storage of logs generated by your Cortex XDR agents regardless of location. The Cortex XDR agents and Cortex XDR forward all logs to the Strata Logging Service. You can view the logs for your agents in Cortex XDR. With the Log Forwarding app, you can also forward logs to an external syslog receiver.


      You can host your Strata Logging Service instance in either the United States (US) Region or European Union (EU) Region.

    • Directory Sync Service—The Directory Sync Service enables Palo Alto Networks cloud-based applications to leverage computer, user, and group attributes from your on-premises Active Directory for use in policy and endpoint management. The Directory Sync Service uses an on-premises agent to collect those attributes from your on-premises Active Directory. The Directory Sync Service agent runs in the background to collect the Active Directory information and syncs it with the cloud-based Directory Sync Service that you configure using the Hub.


      You can host your Directory Sync Service instance in either the US Region or EU Region.

    • WildFire cloud service—The WildFire cloud service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XDR can use to then detect and block that malware. When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XDR can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly-discovered malware and makes the latest signatures globally available every five minutes.