Cortex XSIAM architecture

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2026-05-31
Category
Administrator Guide
Abstract

Learn more about the Cortex XSIAM architecture.

The following diagram shows the high-level architecture for key Cortex XSIAM components and integrations:

[Figure: high-level Cortex XSIAM architecture (XSIAM-architecture2024.png)]

The architecture varies slightly between product licenses, but includes these standard components:

  • Cortex XSIAM provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to detect malicious activity in the future.

  • The XDR data layer within your Cortex XSIAM tenant stores the logs from all the data types.

  • Cortex XSIAM analytics can also consume endpoint data to automatically detect and report post-intrusion threats, for example by raising alerts about abnormal network behavior such as port scan activity.

  • Cortex Native Data provides unified data normalization and automation. It centralizes all telemetry into a single source of truth, as follows:

    Cortex XDR agents forward all data directly to Cortex Native Data Lake. This data is accessible for query and investigation within Cortex XSIAM.

    When a Cortex XDR agent detects an unknown sample (an attempt to run a macro, DLL, or executable file), Cortex XSIAM can automatically forward the sample for WildFire analysis. WildFire Cloud Service identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls and Cortex XSIAM can use to detect and block that malware.

    Based on the properties, behaviors, and activities the sample displays when analyzed and executed in the WildFire sandbox, WildFire determines whether the sample is benign, grayware, phishing, or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes.

  • Cortex XSIAM consumes data from identity sources that connect to the Cloud Identity Engine, which provides the necessary Active Directory or Okta context for User/Entity Behavior Analytics (UEBA).

    The Cloud Identity Engine (CIE) enables Palo Alto Networks cloud-based applications to use computer, user, and group attributes from your organization’s directories for security policies and endpoint management. This cloud-based service synchronizes attribute data from various sources, including on-premises directories such as Active Directory and cloud-based directories such as Microsoft Entra ID, Okta, and Google Cloud Identity.

    The Cortex XSIAM tenant and the CIE must be deployed in the same region.

Additional optional architecture components include:

  • Palo Alto Networks next-generation firewalls, whether on-premises hardware or virtual firewalls, enforce network security policies in your campus, branch offices, and cloud data centers.

  • Palo Alto Networks sources such as Prisma Access and GlobalProtect enable you to extend your firewall security policy to mobile users and remote networks. You can also forward related traffic logs, including IoT logs, to Cortex Native Data Lake, where the analytics engine can analyze them and raise alerts on anomalous behavior.

  • Third-party firewalls: Cortex XSIAM can ingest their traffic logs and run the analytics engine over them to raise alerts on anomalous behavior.

  • External alert sources can add context to your incidents. You can send alerts from external sources into Cortex XSIAM using the Cortex XSIAM API.
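The following added example (not part of this guide, and not Palo Alto Networks code) shows what an external alert source typically has to do before calling the API: build one alert record per event, validate the severity value, convert the event time to epoch milliseconds, batch the records, and attach the API key headers from the environment rather than hard-coding them. The endpoint path (`/public_api/v1/alerts/insert_parsed_alerts/`), the `x-xdr-auth-id`/`Authorization` headers, the `request_data.alerts` payload layout, the severity values and the per-request cap are assumptions taken from the public Cortex XDR/XSIAM API reference, not from this page; confirm them against your tenant's API reference, and replace the placeholder base URL with your tenant's API FQDN.

```python
"""Forward alerts from an external source to Cortex XSIAM.

Added example; the endpoint, headers, payload layout, severity values and batch
cap below are assumptions based on the public "Insert Parsed Alerts" API, not
something this guide states. Check them against your tenant's API reference.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

# Assumed endpoint path and accepted severity values.
INSERT_ALERTS_PATH = "/public_api/v1/alerts/insert_parsed_alerts/"
VALID_SEVERITIES = ("Informational", "Low", "Medium", "High")
# Assumed per-request cap; send larger backlogs in several requests.
MAX_ALERTS_PER_REQUEST = 600
REQUIRED_FIELDS = ("product", "vendor", "alert_name", "alert_description",
                   "severity", "event_timestamp")

# Constructed sample event time used by demo_request() (2024-03-06 12:00 UTC).
SAMPLE_EVENT_TIME = datetime(2024, 3, 6, 12, 0, 0, tzinfo=timezone.utc)


def is_valid_severity(severity):
    """True if the value is one the endpoint is assumed to accept."""
    return severity in VALID_SEVERITIES


def make_alert(product, vendor, alert_name, description, severity, event_time,
               local_ip=None, remote_ip=None, action_status="Detected"):
    """Build one alert record; rejects bad severities and naive timestamps."""
    if not is_valid_severity(severity):
        raise ValueError(f"severity must be one of {VALID_SEVERITIES}, got {severity!r}")
    if event_time.tzinfo is None:
        raise ValueError("event_time must be timezone-aware to get a correct epoch value")
    alert = {
        "product": product,
        "vendor": vendor,
        "alert_name": alert_name,
        "alert_description": description,
        "severity": severity,
        # Assumed: the API expects the event time as epoch milliseconds.
        "event_timestamp": int(event_time.timestamp() * 1000),
        "action_status": action_status,
    }
    if local_ip:
        alert["local_ip"] = local_ip
    if remote_ip:
        alert["remote_ip"] = remote_ip
    return alert


def build_request(alerts):
    """Wrap validated alert records in the assumed request_data envelope."""
    if not alerts:
        raise ValueError("no alerts to send")
    if len(alerts) > MAX_ALERTS_PER_REQUEST:
        raise ValueError(f"at most {MAX_ALERTS_PER_REQUEST} alerts per request")
    for alert in alerts:
        missing = [f for f in REQUIRED_FIELDS if f not in alert]
        if missing:
            raise ValueError(f"alert is missing required fields: {missing}")
    return {"request_data": {"alerts": list(alerts)}}


def auth_headers(api_key_id, api_key):
    """Assumed header layout: key ID in x-xdr-auth-id, key in Authorization."""
    return {
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": api_key,
        "Content-Type": "application/json",
    }


def send_alerts(api_base_url, api_key_id, api_key, alerts, timeout=30):
    """POST a batch of alerts; api_base_url is e.g. https://api-<tenant-fqdn> (placeholder)."""
    body = json.dumps(build_request(alerts)).encode("utf-8")
    req = urllib.request.Request(api_base_url.rstrip("/") + INSERT_ALERTS_PATH,
                                 data=body, method="POST",
                                 headers=auth_headers(api_key_id, api_key))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def demo_request():
    """Constructed sample batch from a hypothetical third-party IDS (no network call)."""
    alerts = [
        make_alert("Example IDS", "Example Vendor", "Port scan detected",
                   "Horizontal scan of 120 hosts on tcp/445", "High",
                   SAMPLE_EVENT_TIME, local_ip="10.0.5.23", remote_ip="10.0.7.200"),
        make_alert("Example IDS", "Example Vendor", "Outdated TLS cipher offered",
                   "Server offered TLS 1.0 during handshake", "Low",
                   SAMPLE_EVENT_TIME, local_ip="10.0.5.23"),
    ]
    return build_request(alerts)


if __name__ == "__main__":
    # Real credentials come from the environment; nothing is sent here unless set.
    base, key_id, key = (os.environ.get("XSIAM_API_BASE_URL"),
                         os.environ.get("XSIAM_API_KEY_ID"), os.environ.get("XSIAM_API_KEY"))
    print(json.dumps(demo_request(), indent=2))
    if base and key_id and key:
        print(send_alerts(base, key_id, key, demo_request()["request_data"]["alerts"]))
```

The key ID and key never appear in the source or the payload; they are read from `XSIAM_API_BASE_URL`, `XSIAM_API_KEY_ID` and `XSIAM_API_KEY` (names chosen for this example) so the script can be run without credentials to inspect the batch it would send. Validating severity and requiring timezone-aware timestamps on the sending side avoids the common failure of alerts arriving with wrong event times or being rejected for an unrecognized severity.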

Detailed architecture

This diagram illustrates the components and their connections without differentiating between cloud and on-premises environments.

[Figure: detailed Cortex XSIAM architecture (archtechture.png)]