Learn more about the Cortex XSIAM architecture.
The following diagram shows the high-level architecture for key Cortex XSIAM components and integrations:
The architecture varies slightly between product licenses, but includes these standard components:
Cortex XSIAM provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.
The XDR data layer within your Cortex XSIAM tenant stores the logs from all the data types.
The Cortex XSIAM analytics can also consume endpoint data to automatically detect and report on post-intrusion threats. The analytics engine can use endpoint data to raise alerts about abnormal network behavior (for example, port scan activity).
Cortex Native Data Lake is a cloud-based logging infrastructure that allows you to centralize the collection and storage of logs generated by your Cortex XDR agents regardless of location. The Cortex XDR agents and Cortex XSIAM forward all logs to the Cortex Native Data Lake. You can view the logs for your agents in Cortex XSIAM. With the Log Forwarding app, you can also forward logs to an external syslog receiver.
Note
You can host your Cortex Native Data Lake instance in either the United States (US) Region or European Union (EU) Region.
Directory Sync Service enables Palo Alto Networks cloud-based applications to leverage computer, user, and group attributes from your on-prem Active Directory for use in policy and endpoint management. The Directory Sync Service uses an on-prem agent to collect those attributes from your on-prem Active Directory. The Directory Sync Service agent runs in the background to collect the Active Directory information and syncs it with the cloud-based Directory Sync Service that you configure using the Hub.
Note
You can host your Directory Sync Service instance in either the US Region or EU Region.
WildFire Cloud Service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XSIAM can use to then detect and block that malware. When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XSIAM can automatically forward the sample for WildFire analysis. Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines the sample to be benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes.
Additional optional architecture components include:
Palo Alto Networks next-generation firewalls, whether on-prem hardware or virtual firewalls, enforce network security policies in your campus, branch offices, and cloud data centers.
PANW sources such as Prisma Access and GlobalProtect enable you to extend your firewall security policy to mobile users and remote networks. You can also forward related traffic logs, including IoT logs, to Cortex Native Data Lake. The analytics engine can then analyze those logs and raise alerts on anomalous behavior.
External (third-party) firewalls and alert sources enable Cortex XSIAM to ingest their traffic logs, so the analytics engine can analyze those logs and raise alerts on anomalous behavior.
External alert sources can add additional context to your incidents. You can send Cortex XSIAM alerts from external sources using the Cortex XSIAM API.
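The page only states that external alerts reach Cortex XSIAM through its API. The following Python is an added example (not Palo Alto Networks code and not taken from this page) of how a defender's own alert forwarder might package a third-party detection for ingestion. It assumes the "Insert Parsed Alerts" endpoint path, the Advanced API key header scheme (SHA-256 over key + nonce + timestamp), the severity values, and the alert field names as documented in the public Cortex XDR/XSIAM API reference; the tenant FQDN, API key ID, and the sample alert are constructed placeholders. The functions that build the headers and the request body run offline; only `send_alerts` touches the network.

```python
import hashlib
import json
import secrets
import time
import urllib.request
from typing import Any, Optional

# Constructed placeholders for a stand-alone run. Replace with your tenant's
# API FQDN and an "Advanced" API key created in the Cortex XSIAM console.
TENANT_FQDN = "api-example-tenant.xdr.us.paloaltonetworks.com"  # placeholder
API_KEY_ID = "1"                                                # placeholder
API_KEY = "REPLACE_WITH_ADVANCED_API_KEY"                       # placeholder

# Endpoint path, field names and severity values are assumed from the public
# Cortex XDR/XSIAM API reference for "Insert Parsed Alerts"; verify against
# your tenant's documentation before relying on them.
INSERT_ALERTS_PATH = "/public_api/v1/alerts/insert_parsed_alerts"
VALID_SEVERITIES = ("Informational", "Low", "Medium", "High")


def advanced_auth_headers(api_key: str, api_key_id: str,
                          nonce: Optional[str] = None,
                          timestamp_ms: Optional[int] = None) -> dict[str, str]:
    """Headers for an Advanced API key.

    The key itself never goes on the wire: the request carries
    SHA-256(key + nonce + timestamp) together with the nonce and timestamp,
    so a captured request cannot be replayed once the timestamp window lapses.
    """
    nonce = nonce or secrets.token_hex(32)
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def build_alert(vendor: str, product: str, alert_name: str, description: str,
                severity: str, local_ip: str, local_port: int,
                remote_ip: str, remote_port: int,
                event_timestamp_ms: int) -> dict[str, Any]:
    """One parsed alert. Rejects values the API would bounce, so a bad
    record fails locally instead of poisoning the whole batch."""
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {VALID_SEVERITIES}, got {severity!r}")
    for port in (local_port, remote_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return {
        "vendor": vendor,
        "product": product,
        "alert_name": alert_name,
        "alert_description": description,
        "severity": severity,
        "local_ip": local_ip,
        "local_port": local_port,
        "remote_ip": remote_ip,
        "remote_port": remote_port,
        "event_timestamp": event_timestamp_ms,  # epoch milliseconds
    }


def build_insert_request(alerts: list[dict[str, Any]]) -> dict[str, Any]:
    """Wrap alerts in the request envelope the endpoint expects."""
    if not alerts:
        raise ValueError("at least one alert is required")
    return {"request_data": {"alerts": alerts}}


def send_alerts(alerts: list[dict[str, Any]]) -> dict[str, Any]:
    """POST the batch to the tenant (network call; not exercised offline)."""
    body = json.dumps(build_insert_request(alerts)).encode()
    req = urllib.request.Request(
        f"https://{TENANT_FQDN}{INSERT_ALERTS_PATH}", data=body,
        headers=advanced_auth_headers(API_KEY, API_KEY_ID), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample: a third-party IDS on a branch network logged an
# inbound probe that the SOC wants visible as a Cortex XSIAM alert.
SAMPLE_ALERT = build_alert(
    vendor="ExampleIDS", product="SensorSuite",
    alert_name="Inbound SMB probe",
    description="SYN to TCP/445 from an external host",
    severity="Medium", local_ip="10.20.30.40", local_port=445,
    remote_ip="203.0.113.7", remote_port=51234,
    event_timestamp_ms=1700000000000)

if __name__ == "__main__":
    print(json.dumps(build_insert_request([SAMPLE_ALERT]), indent=2))
```

Keeping the Advanced key out of the request and validating severity and ports before sending are the two choices worth copying: a leaked request body then exposes only a short-lived hash, and a malformed record is rejected by your forwarder rather than by the tenant, where it would take the rest of the batch down with it.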
Detailed product architecture
This diagram illustrates components and their connections without differentiating between Cloud and On-Premises environments.