Cortex XSIAM License - Administrator Guide

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Learn more about the Cortex XSIAM licenses that are split into two license tiers.

Cortex XSIAM collects and ingests endpoint, network, cloud, and identity data. The Cortex XSIAM license is split into two license tiers allowing you to select the most suitable detection and protection capabilities, log ingestion, retention, and the number of users required.

Each license tier offers the following investigation and response capabilities by default per endpoint:

  • Cortex XSIAM Enterprise

    Cortex XSIAM Enterprise is intended for on-prem environments. It provides collection and ingestion of endpoint logs and alerts, firewall logs, and third-party audit and flow logs, and includes:

    • Three Cortex XDR Pro per Endpoint agent licenses, which provide tailored endpoint data and third-party log collection to optimize detection and investigation visibility.

    • Extended data collection and ingestion of endpoint logs and alerts, firewalls, and third-party audit and flow logs using Host Insights and Extended Threat Hunting Data (XTH).

    • On-prem out-of-the-box analytics, detection, on-prem asset discovery, threat hunting, analysis, response, automation, and user and entity behavior analytics (UEBA) of endpoints, firewalls, and third-party logs.

  • Cortex XSIAM Enterprise Plus

    Cortex XSIAM Enterprise Plus contains all the features available in Cortex XSIAM Enterprise and expands them for the cloud. It adds enhanced data collection, detection, automation, and response capabilities for cloud sources, endpoint logs and alerts, firewall logs, and third-party audit and flow logs using Host Insights and Extended Threat Hunting Data (XTH), and includes:

    • Three Cortex XDR Pro per Endpoint agent licenses, which provide tailored endpoint data and third-party log collection to optimize detection and investigation visibility.

    • Two Cortex XDR Cloud per Host agent licenses that can be installed on any physical endpoint or cloud workload, including Kubernetes hosts. The agent provides cloud-based endpoint protection and detection with tailored endpoint and third-party log data collection.

    • Comprehensive cloud data collection providing out-of-the-box analytics, detection, cloud asset discovery, threat hunting, analysis, response, automation, and user and entity behavior analytics (UEBA).

Cortex XSIAM is managed by a Base layer containing the data storage, ingestion, query, and reporting capabilities. You receive log storage based on the amount of storage associated with your license. Generally, this capacity is determined by factors such as your daily ingestion volume and the number of users in your deployment.

Note

A tenant must have a Base layer, which includes the data ingestion license, and only one of the two tiers: Cortex XSIAM Enterprise or Cortex XSIAM Enterprise Plus.

To expand your capabilities, Cortex XSIAM offers several add-ons that allow for more granular investigation. The following table lists the add-ons available for purchase for both Cortex XSIAM Enterprise and Cortex XSIAM Enterprise Plus licenses.