Cortex XDR consumes data from the Data Layer to provide cloud-based storage within the Cortex XDR tenant including all sources streamed into Cortex XDR — endpoints, firewalls, cloud sources, and third-party data. Cortex XDR can correlate and stitch together this data from logs across your different log sensors to derive event causality and timelines.
Cortex XDR—The Cortex XDR app provides complete visibility into all your data in the Data Layer. The app provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.
Data Layer—A data layer within your Cortex XDR tenant that stores the logs from across all the data types.
Cortex XDR Pro per TB:
Analytics engine—The Cortex XDR analytics engine is a security service that utilizes network data to automatically detect and report post-intrusion threats. The analytics engine does this by identifying good (normal) behavior on your network so that it can notice bad (anomalous) behavior.
Palo Alto Networks next-generation firewalls—On-premises or virtual firewalls that enforce network security policies in your campus, branch offices, and cloud data centers.
Palo Alto Networks Prisma Access and GlobalProtect—If you extend your firewall security policy to mobile users and remote networks using Prisma Access or GlobalProtect, you can also forward related traffic logs, including IoT logs, to Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.
External firewalls and alerts— Cortex XDR can ingest traffic logs from external firewall vendors—such as Check Point—and use the analytics engine to analyze those logs and raise alerts on anomalous behavior. For additional context in your incidents, you can also send alerts from external alert sources.
Cortex XDR Pro per Endpoint:
Analytics engine—The Cortex XDR analytics can also consume endpoint data to automatically detect and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts for abnormal network behavior (for example port scan activity).
Cortex XDR agents—Protects your endpoints from known and unknown malware and malicious behavior and techniques. Cortex XDR agents perform their own analysis locally on the endpoint but also consumes WildFire threat intelligence. The Cortex XDR agent reports all endpoint activity to the Data Layer for analysis by Cortex XDR apps.
External alert sources—To add additional context to your incidents, you can send Cortex XDR alerts from external sources using the Cortex XDR API.