Understand the Cortex XSIAM license plan (Administrator Guide, Cortex XSIAM)

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-05-22
Category: Administrator Guide

Abstract: Learn more about the available Cortex XSIAM licenses and add-ons.

Cortex XSIAM is managed by a base layer that contains the data storage, ingestion, query, and reporting capabilities. A tenant must have a base layer, which includes the data ingestion license and one of the available license plans, XSIAM Enterprise or XSIAM Enterprise Plus.

You receive log storage based on the amount of storage associated with your license. Generally, this capacity is determined by factors such as your daily ingestion needs and the number of users in your deployment.

The following provides a summary of what is included in the Cortex XSIAM license plans:

Cortex XSIAM Enterprise

This license is intended for on-prem environments and includes:

  • Three Cortex XDR Pro per Endpoint agent licenses, which provide tailored endpoint data and third-party logs collection to optimize detection and investigation visibility.

  • Extended data collection and ingestion of endpoint logs and alerts, firewalls, and third-party audit and flow logs using Host Insights and Extended Threat Hunting Data (XTH).

  • On-prem out-of-the-box analytics, detection, on-prem asset discovery, threat hunting, analysis, response, automation, and user and entity behavior analytics (UEBA) of endpoints, firewalls, and third-party logs.

Cortex XSIAM Enterprise Plus

This license includes all of the features available in Cortex XSIAM Enterprise along with additional capabilities for the cloud:

  • Three Cortex XDR Pro per Endpoint agent licenses, which provide tailored endpoint data and third-party logs collection to optimize detection and investigation visibility.

  • Two Cortex XDR Cloud per Host agent licenses that can be installed on any physical endpoint or cloud workload, including Kubernetes hosts. The agent provides cloud-based endpoint protection and detection with tailored endpoint and third-party log data collection.

  • Comprehensive cloud data collection that provides out-of-the-box analytics, detection, cloud asset discovery, threat hunting, analysis, response, automation, and user and entity behavior analytics (UEBA).

The following lists the add-ons available for purchase for both Cortex XSIAM Enterprise and Cortex XSIAM Enterprise Plus licenses (feature, followed by its description):

  • Attack Surface Management (ASM): Provides internet-facing assets and ASM enrichment, external services, external IP ranges, attack surface rules and alerts, ASM widgets, and report capabilities.

  • Threat Intelligence Management (TIM): Enables indicators, sample analysis, sessions and submissions, indicator rules, reports, automation, and feed integrations.

  • Forensics: Forensic file, registry, and log search capabilities. Available for a one-month trial period. Can be purchased as an annual or monthly add-on with 31-day retention included.

  • Identity Threat Detection and Response (ITDR): Enables asset role configuration, the advanced analytics alert layout, the Risk Management dashboard, the User/Host Risk view, designated analytics for compromised accounts, and insider threat coverage.

  • Compute Unit: Additional compute units to run queries. Requires a minimum of 50 units. Available for a one-month trial period.

  • Endpoint Event Forwarding: Enables exporting raw endpoint data for Cortex XSIAM Pro Endpoint and cloud endpoints.

  • GB Event Forwarding: Enables exporting parsed logs for Cortex XDR Pro per GB to an external SIEM for storage, so you can keep data in your own storage in addition to the Cortex XSIAM data layer, for compliance requirements and machine learning purposes.

To view the license types and add-ons associated with your Cortex XSIAM instance, go to Settings → Cortex XSIAM License.