Architecture - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


Learn more about the Cortex XDR architecture.



Cortex XDR consumes data from the Data Layer, cloud-based storage within the Cortex XDR tenant that holds every source streamed into Cortex XDR: endpoints, firewalls, cloud sources, and third-party data. Cortex XDR can correlate and stitch together the logs from your different log sensors to derive event causality and timelines.

  • Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Data Layer. The app provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.

  • Data Layer—A data layer within your Cortex XDR tenant that stores the logs from across all the data types.

  • Cortex XDR Pro per GB:

    • Analytics engine—The Cortex XDR analytics engine is a security service that utilizes network data to automatically detect and report post-intrusion threats. The analytics engine does this by identifying good (normal) behavior on your network so that it can notice bad (anomalous) behavior.

    • Palo Alto Networks next-generation firewalls—On-premises or virtual firewalls that enforce network security policies in your campus, branch offices, and cloud data centers.

    • Palo Alto Networks Prisma Access and GlobalProtect—If you extend your firewall security policy to mobile users and remote networks using Prisma Access or GlobalProtect, you can also forward related traffic logs, including IoT logs, to Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.

    • External firewalls and alerts—Cortex XDR can ingest traffic logs from external firewall vendors—such as Check Point—and use the analytics engine to analyze those logs and raise alerts on anomalous behavior. For additional context in your incidents, you can also send alerts from external alert sources.

  • Cortex XDR Pro per Endpoint:

    • Analytics engine—The Cortex XDR analytics engine can also consume endpoint data to automatically detect and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts for abnormal network behavior (for example, port scan activity).

    • Cortex XDR agents—Protect your endpoints from known and unknown malware and from malicious behavior and techniques. Cortex XDR agents perform their own analysis locally on the endpoint but also consume WildFire threat intelligence. The Cortex XDR agent reports all endpoint activity to the Data Layer for analysis by Cortex XDR apps.

    • External alert sources—To add additional context to your incidents, you can send Cortex XDR alerts from external sources using the Cortex XDR API.
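The last item says external alerts reach Cortex XDR through the Cortex XDR API but gives no detail. The following Python is an added example, not code from this guide or from Palo Alto Networks: it assembles and sanity-checks the request a forwarder would send for the "insert parsed alerts" call. The endpoint path (`/public_api/v1/alerts/insert_parsed_alerts`), the `x-xdr-auth-id` and `Authorization` headers, the alert field names, the severity values and the per-request limit are assumptions drawn from the public Cortex XDR API reference rather than from this page; the tenant FQDN, API key and sample alert are constructed placeholders. Nothing is sent over the network, so it runs offline.

```python
"""Assemble and validate a payload for forwarding external alerts into
Cortex XDR.  Added illustration; not Palo Alto Networks code.

ASSUMPTIONS (not stated on the architecture page): endpoint path, header
names, alert field names, severity values and the per-request limit are
taken from the public Cortex XDR API reference as recalled by the author.
"""
import json

VALID_SEVERITIES = {"Informational", "Low", "Medium", "High"}
VALID_ACTIONS = {"Reported", "Blocked"}
MAX_ALERTS_PER_REQUEST = 60  # assumed per-call limit

REQUIRED = ("product", "vendor", "local_ip", "local_port", "remote_ip",
            "remote_port", "event_timestamp", "severity", "alert_name",
            "alert_description")


def validate_alert(alert: dict) -> list:
    """Return a list of problems; an empty list means the alert is well formed."""
    problems = []
    for key in REQUIRED:
        if key not in alert:
            problems.append(f"missing field: {key}")
    if alert.get("severity") not in VALID_SEVERITIES:
        problems.append(f"bad severity: {alert.get('severity')!r}")
    if "action_status" in alert and alert["action_status"] not in VALID_ACTIONS:
        problems.append(f"bad action_status: {alert['action_status']!r}")
    for port_key in ("local_port", "remote_port"):
        port = alert.get(port_key)
        if not isinstance(port, int) or not 0 <= port <= 65535:
            problems.append(f"bad {port_key}: {port!r}")
    ts = alert.get("event_timestamp")
    # Timestamps are epoch milliseconds; passing seconds is a common mistake
    # that silently lands alerts decades in the past on the timeline.
    if not isinstance(ts, int) or ts < 10**12:
        problems.append(f"event_timestamp not epoch milliseconds: {ts!r}")
    return problems


def build_request(fqdn: str, api_key_id: str, api_key: str, alerts: list) -> dict:
    """Return url, headers and JSON body for one insert call; raise on bad input."""
    if not 1 <= len(alerts) <= MAX_ALERTS_PER_REQUEST:
        raise ValueError(
            f"1..{MAX_ALERTS_PER_REQUEST} alerts per request, got {len(alerts)}")
    for i, alert in enumerate(alerts):
        problems = validate_alert(alert)
        if problems:
            raise ValueError(f"alert {i}: " + "; ".join(problems))
    return {
        "url": f"https://api-{fqdn}/public_api/v1/alerts/insert_parsed_alerts",
        "headers": {
            "x-xdr-auth-id": api_key_id,      # API key ID (assumed header name)
            "Authorization": api_key,         # standard API key (assumed)
            "Content-Type": "application/json",
        },
        "body": json.dumps({"request_data": {"alerts": alerts}}),
    }


# Constructed sample: one alert from a hypothetical third-party VPN gateway.
SAMPLE_ALERT = {
    "product": "VPN",
    "vendor": "ExampleVendor",
    "local_ip": "10.0.0.5",
    "local_port": 443,
    "remote_ip": "203.0.113.9",
    "remote_port": 51234,
    "event_timestamp": 1700000000000,
    "severity": "Medium",
    "alert_name": "Repeated VPN authentication failures",
    "alert_description": "12 failed logins for one account within 5 minutes",
    "action_status": "Reported",
}

if __name__ == "__main__":
    req = build_request("tenant.example.placeholder", "1",
                        "PLACEHOLDER_API_KEY", [SAMPLE_ALERT])
    print(req["url"])
    print(json.loads(req["body"])["request_data"]["alerts"][0]["alert_name"])
```

Validating locally before posting matters because a rejected batch drops every alert in it; the checks above catch the usual causes (seconds instead of milliseconds, an unsupported severity string, an oversized batch) on the forwarder side, where they can be logged and retried.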