Cortex XDR licenses are provided on the basis of detection and protection capabilities, log ingestion, retention, and the number of users.
Cortex XDR Prevent
Next-Generation Antivirus - Block malware, ransomware, and exploits attacks
Endpoint Protection - Safeguard endpoints with device control, firewall, and disk encryption
Cortex XDR Pro
Enhanced Data Collection on the endpoint
Detection, Response, and Remediation analysis
Host Insights - Forensics, Vulnerability Assessment, Host Inventory, and File Search and Destroy
Cortex Pro license is split into 3 license tiers that you can use independently or together for complete coverage:
Cortex XDR Pro per Endpoint
Cortex XDR Cloud per Host
Cortex XDR Pro per TB
Retention
All of the Cortex XDR licenses provide you with a default retention period of 30 days for your integrated data and 180 days for your alert and incident data.
To extend your license retention, depending on your requirements, you can select the following add-on capabilities:
Hot Storage - Fully searchable storage, for investigation and threat hunting. Available for Ingested and Alert/Incident data.
Cold Storage - Cheaper storage for long-term compliance needs with limited search options. Available only for Ingested data.
Incident and alert data are retained according to the last Update Date and Creation Date, respectively. Data collected within these dates is kept and displayed for 180 days. To ensure the accuracy of incidents, Cortex XDR provides a grace period of up to 30 days for alerts displayed in the Incidents View, Alerts table, and Casualty View.
For XQL Search capabilities, Cortex XDR enforces retention on all log-type datasets excluding Host Inventory, Vulnerability Assessment, Metrics, and Users.
You can view your retention storage duration in the Data Management page.
The following table lists the features offered with each type of license.
Feature | Cortex XDR Prevent | Cortex XDR Pro per Endpoint | Cortex XDR Cloud per Host | Cortex XDR Pro per TB |
|---|---|---|---|---|
 |  |  |  | |
Log storage | Minimum of 200 endpoints | Minimum of 200 endpoints | Minimum of 50 endpoints |
|
Retention |
|
|
|
|
Kubernetes Host Support | — | — |  | — |
Cortex XDR Add-on Licenses Add-on licenses are required on top of a Cortex XDR license | ||||
Host Insights, including:
| — | Without the add-on license, Host Insights is available with Cortex XDR Pro per Endpoint for a 1-month trial period. | Without the add-on license, Host Insights is available with Cloud Host Protection for Cortex XDRfor a 1-month trial period. | — |
Forensics | — | Without the add-on license, Forensics is available with Cortex XDR Pro per Endpoint for a 1-month trial period. | Without the add-on license, Forensics is available with Cloud Host Protection for Cortex XDR for a 1-month trial period. | — |
Compute Unit | — | Without the add-on license, Compute unit is available with Cortex XDR Pro per Endpoint for a 1-month trial period. | Without the add-on license, Compute unit is available with Cloud Host Protection for Cortex XDR for a 1-month trial period. | Without the add-on license, Compute unit is available with Cortex XDR Pro per TBfor a 1-month trial period. |
Period Based Retention (Hot Storage) | — |
|
|
|
Period Based Retention (Cold Storage) | — | Cold storage EP Minimum of 6 months storage for ingested data |
| Cold storage GP Minimum of 6 months storage for ingested data |
GB Event Forwarding | — | — | — | |
Endpoints Event Forwarding | — | | | — |
Identity Threat Module
| — | — | — | Available for a free trial period ending on July 31, 2023. After this date, the module will be available as an Add-on. |
Endpoint Prevention Features | ||||
Endpoint management | | | | — |
Device control | | | | — |
Host firewall | | | | — |
Disk encryption | | | | — |
Response Actions | ||||
Live Terminal | | | | — |
Endpoint isolation | | | | — |
External dynamic list (EDL) | — | | | |
Script execution | — | | | — |
Remediation analysis | — | | | — |
Incident Scoring Rules | — | | | |
Featured Alert Fields | — | | | |
Widget Library | — | | | |
Assets | ||||
Asset Management | — | | | |
Palo Alto Networks IoT Security | — | — | — | |
Analysis | ||||
Analytics, including Identity Analytics | — | | | |
Alert and Log Collectors | ||||
Cortex XDR agent alerts | | | | — |
Collection Integrations | — | — | — | |
Prisma Cloud and Prisma Cloud Compute | — | — | — | |
Palo Alto Networks IoT Security | — | — | — | |
Third-Party Cloud Security Data (AWS, Azure, Google) | — | — | — | |
Enhanced data collection for EDR and other Pro features | — | | | — |
Other alerts (from Palo Alto Networks and third-party sources) | — | (API) | | |
Other logs (from Palo Alto Networks and third-party sources) | — | — | — | |
Integrations | ||||
Threat intelligence (AutoFocus, VirusTotal) | | | | |
Outbound integration and notification forwarding (Slack, Syslog) | + agent audit logs | + agent audit logs | | |
Broker VM | ||||
Agent Proxy | | | | |
Syslog Collector | — | — | — | |
Apache Kafka Collector | — | — | — | |
CSV Collector | — | — | — | |
Database Collector | — | — | — | |
Files and Folders Collector | — | — | — | |
FTP Collector | — | — | — | |
NetFlow Collector | — | — | — | |
Network Mapper | — | | | |
Pathfinder | — | | | |
Windows Event Collector | — | — | — | |
MSSP | ||||
MSSP (requires additional MSSP license) | | | | |
Managed Threat Hunting (requires an additional Managed Threat Hunting License) | — | + a minimum of 500 endpoints | | — |