Cortex XSIAM architecture

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Learn more about the Cortex XSIAM architecture.

The following diagram shows the high-level architecture for key Cortex XSIAM components:

[Diagram: xsiam-arch.png]
  • Cortex XSIAM includes the following core capabilities:

    • SIEM

    • EDR/XDR

    • CDR (Cloud Detection and Response), including Cloud Posture and Cloud Runtime Security

    • NDR (Network Detection and Response)

    • SOAR

  • Cortex Extended Data Lake (XDL) provides unified data normalization, AI, and automation. It centralizes all telemetry, ensuring a single, intelligent source of truth, including the following:

    • Endpoint

      Cortex XDR agents forward all data directly to Cortex XDL. This data is accessible for query and investigation within Cortex XSIAM.

      When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XSIAM can automatically forward the sample for WildFire analysis. WildFire Cloud Service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XSIAM can use to detect and block that malware.

      Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines whether the sample is benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes.

    • Network & SASE

      Centralizes logs from Palo Alto Networks sources. It uses the Strata Logging Service to ingest and normalize network logs from Next-Generation Firewalls (NGFW) and Prisma Access.

      Note

      If you plan to stream data from a Strata Logging Service instance, it must reside in the same region as your Cortex XSIAM tenant.

    • Cloud, Apps & CI/CD

      Provides comprehensive visibility across your cloud infrastructure, version control systems (VCS), and delivery pipelines to detect risks such as exposed secrets, Software Composition Analysis (SCA) vulnerabilities, and IaC misconfigurations.

    • Identity

      Consumes data from identity sources that connect to the Cloud Identity Engine, which provides the Active Directory or Okta context required for User/Entity Behavior Analytics (UEBA).

      The Cloud Identity Engine (CIE) enables Palo Alto Networks cloud-based applications to use computer, user, and group attributes from your organization’s directories for security policies and endpoint management. This cloud-based service synchronizes attribute data from various sources, including on-premises directories such as Active Directory and cloud-based directories such as Microsoft Entra ID, Okta, and Google Cloud Identity.

      The Cortex XSIAM tenant and the CIE must be deployed in the same region.

    • Vulnerabilities and exposures

      Attack Surface Management (ASM) performs DNS lookups and scans hosts to identify security flaws before they can be exploited. The intelligence gathered from these lookups and scans is transformed into actionable data, such as vulnerabilities and exposures.

    • Open ecosystem (any source)

      Facilitates the ingestion of third-party security and management vendor telemetry, custom logs, and external alerts from any environment. These sources are integrated into Cortex XDL using an HTTP Log Collector or through the Broker VM, which runs specialized applets for Syslog, Database, CSV, Kafka, and FTP collection.

  • You can extend Cortex XSIAM by adding advanced capabilities, such as ITDR (Identity Threat Detection and Response) for domain controller protection, Threat Intelligence Platform (TIP), Attack Surface Management (ASM), Email Advanced Security, and Exposure Management.

  • Cortex Agentic Assistant is the autonomous "brain" of Cortex XSIAM. It utilizes AI agents that plan, reason, and investigate complex threats, such as cloud identity theft or container breaches.

Cortex XSIAM ecosystem

This diagram illustrates how XSIAM serves as a central command center, connecting diverse data sources and proactive security functions. It represents the full system architecture.

[Diagram: xsiam-arch-detailed.png]
Product Architecture and the Broker VM

Broker VM acts as a secure on-prem gateway. It centralizes data collection from security devices that cannot send data directly to the cloud, providing a secure proxy for agents and collectors in restricted or air-gapped networks. It runs specialized applets to handle different data types. Data is collected and ingested into Cortex XDL.

For more information, see What is the Broker VM?

[Diagram: Broker_VM-arch.png]