There are functional differences between the Traps™ Endpoint Security Manager (ESM) and Cortex XDR.
The following table compares capabilities between the Traps™ Endpoint Security Manager (ESM) and Cortex XDR.
Feature | Endpoint Security Manager | Cortex XDR |
|---|---|---|
Visibility | ||
Visibility into all file executions—including when Office files open and DLL files load into sensitive processes—and the file’s associated WildFire Report. | Hash Control | Enhanced file activity monitoring and visibility within investigation and search when enhanced data collection is enabled. |
Administrative control to override verdicts for files that ran previously. Set verdicts from Benign to Malware and Malware to Benign. | Hash Control | → → and Block List |
Import never seen hashes and set verdicts for them. | Hash Control | → → From the Action Center, you can also add hashes individually to the block list or allow list. |
Display quarantined files that are eligible to be restored to their original location on the endpoint. | Hash Control | → → |
Security events search criteria | Security Events—Endpoint, user name, and process. | Multi-faceted filters and search capabilities. |
Log forwarding | SIEM, Syslog, Panorama, Email | Log forwarding to a Syslog receiver or email server is available with the Log Forwarding app. |
Policy Management | ||
Exception creation and policy configuration | You can create almost any policy rule that Palo Alto Networks Research teams (often at the instruction of Support) can create. You can also allow very specific flows including adding to allow list specific DLL files for EPMs, and allowing specific child processes. | Palo Alto Networks can also create granular policy changes, using either support exceptions or content updates. You can also edit profiles, create exceptions, and disable specific capabilities, such as for a specific module or process. |
Exceptions for Active Directory (AD) objects | Assign rules to any AD object. | Assign rules to any AD object. |
Change mode per process | Report or block an event based on the process. | Report or block an event based on the category and not the process. |
View protected processes | Visibility from the ESM Console ( → → ). | Visibility from Cortex XDR (select or search for Protected Processes in the relevant exploit protection capability from → → → → → ). |
View policy from the Traps console | The Traps console displays the policy rules and exceptions that apply on the agent. | N/A |
Conditions | → —Conditions based on file properties and registry values. | → → —Create dynamic groups based on conditions such as host name, domain, workgroup, IP addressing, endpoint type (for example, VDI), endpoint operating system, and agent version. Does not support conditions based on registry values. |
Agent and ESM settings | Granular control over settings such as the Heartbeat Interval (the frequency at which the Traps agent attempts to check in), the Reporting Interval (the frequency at which the Traps agent sends report notifications, including changes in service, crash events, and new processes), and the Heartbeat Grace Period (the allowable time period for a Traps agent that has not responded, after which the status changes to disconnected). | Fixed settings but reduced heartbeat interval (5 minutes) and reporting interval (1 hour). |
Content updates | Choice of manual or automated content update installation. | Automated content updates delivered directly to your Cortex XDR tenant by Palo Alto Networks. |
Endpoint and Tenant Management | ||
Role-based access control | Granular access control for different areas and flows in the ESM Console. | Predefined roles to allow access to Cortex XDR features. |
Agent revocation | Automatic and manual license revocation. | Automatic license revocation and manual endpoint removal capability. |
Custom notification message | Customizable notification messages. | Customizable notification messages. |