Understand the Cortex XSIAM product licenses: NG-SIEM, Enterprise, and Premium.
Cortex XSIAM is available in the following subscription tiers, designed to support specific security use cases:
Note
You can upgrade your license by purchasing add-ons or moving to a different XSIAM license.
Cortex XSIAM NG-SIEM
Cortex XSIAM NG-SIEM is an analytics subscription tier that includes data collection and full automation, suitable for users who want to enhance their security without immediately replacing their existing SIEM and endpoint solutions.
Key features include:
| Feature | Description |
|---|---|
| AI and Big Data | Integrates data analytics, AI/ML, and automation into a unified platform. |
| Comprehensive Data Collection | Offers extensive cloud data collection with out-of-the-box analytics, detection, and cloud asset discovery. |
| Advanced Analytics | Provides capabilities for threat hunting, analysis, response, and automation. |
| User and Entity Behavior Analytics (UEBA) | Uses machine learning to profile users and entities, alerting on anomalous behavior that could indicate a compromised account or insider threat. |
Cortex XSIAM Enterprise
Cortex XSIAM Enterprise includes all the features of Cortex XSIAM NG-SIEM and adds advanced endpoint visibility and data collection. Key additions include:

| Feature | Description |
|---|---|
| Cortex XDR agent | Entitles you to one Cortex XDR agent per endpoint, which provides tailored endpoint data and third-party log collection to optimize detection and investigation visibility. |
| Extended Detection and Response (XDR) | Incorporates extended data collection and ingestion of endpoint logs and alerts, firewall logs, and third-party audit and flow logs through Host Insights and Extended Threat Hunting Data. |
Cortex XSIAM Premium
Cortex XSIAM Premium is the most comprehensive tier. It combines all Enterprise features with the following capabilities:

| Feature | Details |
|---|---|
| Cloud Posture Security | Delivers comprehensive visibility and continuous monitoring of cloud environments to ensure configurations meet security best practices and compliance standards, and to support vulnerability management. This bundle includes the following advanced modules: |
| Cloud Runtime Security | Prevents attackers from exploiting risks present in your cloud environment. Provides real-time protection, detection, and response for cloud workloads, crucial for applications, containers, serverless functions, and APIs. Includes: Cortex XSIAM Premium users can install an XDR agent on endpoints and on any host or cloud workload, including Kubernetes hosts, based on the user's per-unit subscription parameters and workload demands. The XDR agent offers cloud-based endpoint protection and detection support, along with tailored endpoint and third-party log data collection. For more information about the license relationship between the XDR agent on endpoints and the XDR agent on host or cloud workloads, and how the licenses are allocated, see License allocation. |
| Threat Intel Management | Investigates indicators and files, applies indicator rules, generates reports, and integrates threat intelligence feeds. |
| Attack Surface Management | Provides internet-facing assets and ASM enrichment, external services, external IP ranges, attack surface rules and alerts, ASM widgets, and report capabilities. |
Note
Existing users who have a Cortex XSIAM Enterprise Plus license retain all Cortex XSIAM Enterprise features plus the cloud agent features: you can deploy agents for runtime detection on cloud sources, such as Kubernetes nodes, OpenShift clusters, or cloud VMs, whether hosted in the cloud or on-premises. To get the full cloud security bundle (Cloud Posture Security and Cloud Runtime Security), you need to upgrade to Cortex XSIAM Premium.
Some add-ons, such as Advanced Email Security and Exposure Management, are available only with Cortex XSIAM licenses (NG-SIEM, Enterprise, and Premium).
Cortex offers a modular set of license packages. Any package that is not included in your tier can be purchased as an add-on to it. The table below shows, for each package, whether it is included in or available as an add-on to each Cortex XSIAM license:
| Feature | Description | Cortex XSIAM NG-SIEM | Cortex XSIAM Enterprise | Cortex XSIAM Premium |
|---|---|---|---|---|
| Core Analytics | Detects anomalies and threats using machine learning and behavioral models. | Included in license | Included in license | Included in license |
| Automation | Orchestrates and automates security workflows with prebuilt and customizable playbooks. | Included in license | Included in license | Included in license |
| Data Ingestion | Data collection and ingestion, as described under Comprehensive Data Collection above. | Included in license | Included in license | Included in license |
| Enterprise Runtime Security (XDR) | Comprehensive endpoint and server protection that combines AI-driven analytics, endpoint controls, next-generation antivirus, and automated investigation to detect and respond to threats across various environments. | Add-on | Included in license | Included in license |
| Cloud Posture Security | Agentless comprehensive visibility across your cloud environment. Includes: Note: For Cortex XSIAM Enterprise and NG-SIEM, if purchasing Cloud Posture Security only, a minimum number of workloads is required. If you purchase Cloud Runtime Security or Cortex XSIAM Premium, this add-on is included with the subscription. | Add-on | Add-on | Included with Cloud Runtime Security |
| Cloud Runtime Security | Full cloud protection, detection, and response. In addition to Cloud Posture Security: Note: For all Cortex XSIAM license plans, a minimum number of workloads is required. | Add-on (priced per cloud workload) | Add-on (priced per cloud workload) | Included capability (priced per cloud workload) |
| Application Security | Comprehensive protection for your software development lifecycle (SDLC) from code to cloud, offering visibility, detection, contextual analysis, prioritization, prevention, and remediation. License requirements: To access the Application Security module, you must have a Cloud Posture Security, Cloud Runtime Security, or Cortex XSIAM Premium license. The following features are automatically included with these licenses: Add-on component: Code Security requires the purchase of a separate Application Security add-on in addition to your Cloud Posture Security, Cloud Runtime Security, or Cortex XSIAM Premium license. | Add-on | Add-on | Add-on |
| Threat Intelligence Management | Investigates indicators and files, uses indicator rules, reports, and feed integrations. | Add-on | Add-on | Included in license |
| Attack Surface Management | Provides internet-facing assets and ASM enrichment, external services, external IP ranges, attack surface rules and alerts, ASM widgets, and report capabilities. | Add-on | Add-on | Included in license |
| Identity Threat Detection & Response | Enables asset role configuration, advanced analytics alert layout, Risk Management dashboard, User/Host Risk view, designated analytics for compromised accounts, and insider threat coverage. This solution helps organizations proactively secure identities, accelerate threat response, and reduce the complexity of security operations. | Add-on | Add-on | Add-on |
| Forensics | Detects attacker activity by reviewing key artifacts such as event logs, registry keys, and browser history. Forensics simplifies investigations so you can trace every move an adversary made and swiftly contain threats from one place without pivoting between security tools. | Add-on | Add-on | Add-on |
| Host Insights | Combines Vulnerability Management, Host Inventory, and a Search and Destroy feature to help you identify and contain threats. It offers a holistic approach to endpoint visibility and attack containment, helping reduce your exposure to threats so you can avoid future breaches. | Add-on | Included in license | Included in license |
| Extended Threat Hunting | Investigates everyday activities in real time and analyzes patterns to discover new threats, aiming to proactively minimize risk for an organization. | Add-on | Included in license | Included in license |
| Data Retention | Retention per dataset ensures extended access to data, strengthening threat investigation, compliance, and long-term visibility. | Add-on | Add-on | Add-on |
| Extended Compute Units | Additional computing resources beyond the annual allocation. You can purchase more units or enable dynamic allocation for flexible access. This ensures uninterrupted service, supports scaling during peak workloads, and optimizes resource management to maintain performance during high-demand periods. | Add-on | Add-on | Add-on |
| Endpoint Event Forwarding | Enables exporting the raw telemetry collected by XDR agents and, where applicable, event data from cloud endpoints to external systems. | Add-on | Add-on | Add-on |
| GB Event Forwarding | Enables exporting parsed logs to an external SIEM for storage, so you can keep data in your own storage in addition to the Cortex XSIAM data layer, for compliance requirements and machine learning purposes. | Add-on | Add-on | Add-on |
| Advanced Email Security | Investigates and responds to threats within modern, distributed email infrastructures. The module is a scalable, API-based solution that passively analyzes cloud-hosted email environments to detect threats. It ingests data from messages, attachments, and user identities to identify early-stage threats and high-risk behaviors without requiring any changes to mail flow. | Add-on | Add-on | Add-on |
| Exposure Management | Provides comprehensive visibility, actionable prioritization, and automation-first remediation to help security teams proactively assess and respond to organizational exposures. | Add-on | Add-on | Add-on |
| DLP (Data Loss Prevention) | The Cortex Data Loss Prevention (DLP) module provides a unified and flexible solution to prevent sensitive data exfiltration. It continuously enforces policies on endpoints (even offline) across web, local, and USB channels, protecting both on-premises and cloud environments. | Add-on | Add-on | Add-on |