Differences between Applications - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

There are functional differences between the Traps™ Endpoint Security Manager (ESM) and Cortex XDR.

The following table compares capabilities between the Traps™ Endpoint Security Manager (ESM) and Cortex XDR.


Endpoint Security Manager

Cortex XDR


Visibility into all file executions—including when Office files open and DLL files load into sensitive processes—and the file’s associated WildFire Report.

Hash Control

Enhanced file activity monitoring and visibility within investigation and search when enhanced data collection is enabled.

Administrative control to override verdicts for files that ran previously. Set verdicts from Benign to Malware and Malware to Benign.

Hash Control

ResponseAction CenterAllow List and Block List

Import never seen hashes and set verdicts for them.

Hash Control

ResponseAction CenterImport Hash Exceptions

From the Action Center, you can also add hashes individually to the block list or allow list.

Display quarantined files that are eligible to be restored to their original location on the endpoint.

Hash Control

ResponseAction CenterQuaratine

Security events search criteria

Security Events—Endpoint, user name, and process.

Multi-faceted filters and search capabilities.

Log forwarding

SIEM, Syslog, Panorama, Email

Log forwarding to a Syslog receiver or email server is available with the Log Forwarding app.

Policy Management

Exception creation and policy configuration

You can create almost any policy rule that Palo Alto Networks Research teams (often at the instruction of Support) can create.

You can also allow very specific flows including adding to allow list specific DLL files for EPMs, and allowing specific child processes.

Palo Alto Networks can also create granular policy changes, using either support exceptions or content updates. You can also edit profiles, create exceptions, and disable specific capabilities, such as for a specific module or process.

Exceptions for Active Directory (AD) objects

Assign rules to any AD object.

Assign rules to any AD object.

Change mode per process

Report or block an event based on the process.

Report or block an event based on the category and not the process.

View protected processes

Visibility from the ESM Console (PoliciesExploitProcess Management).

Visibility from Cortex XDR (select or search for Protected Processes in the relevant exploit protection capability from EndpointsPolicy ManagementProfiles+ New Profile<platform>Exploit Profile).

View policy from the Traps console

The Traps console displays the policy rules and exceptions that apply on the agent.



SettingsConditions—Conditions based on file properties and registry values.

EndpointsEndpoint ManagementEndpoint Groups—Create dynamic groups based on conditions such as host name, domain, workgroup, IP addressing, endpoint type (for example, VDI), endpoint operating system, and agent version. Does not support conditions based on registry values.

Agent and ESM settings

Granular control over settings such as the Heartbeat Interval (the frequency at which the Traps agent attempts to check in), the Reporting Interval (the frequency at which the Traps agent sends report notifications, including changes in service, crash events, and new processes), and the Heartbeat Grace Period (the allowable time period for a Traps agent that has not responded, after which the status changes to disconnected).

Fixed settings but reduced heartbeat interval (5 minutes) and reporting interval (1 hour).

Content updates

Choice of manual or automated content update installation.

Automated content updates delivered directly to your Cortex XDR tenant by Palo Alto Networks.

Endpoint and Tenant Management

Role-based access control

Granular access control for different areas and flows in the ESM Console.

Predefined roles to allow access to Cortex XDR features.

Agent revocation

Automatic and manual license revocation.

Automatic license revocation and manual endpoint removal capability.

Custom notification message

Customizable notification messages.

Customizable notification messages.