Learn more about the available Cortex XSIAM licenses and add-ons.
Cortex XSIAM collects and ingests endpoint, network, cloud, and identity data. The Cortex XSIAM license is split into three license tiers allowing you to select the most suitable detection and protection capabilities, log ingestion, retention, and the number of users required.
Each license tier offers the following investigation and response capabilities by default per endpoint:
Cortex XSIAM NG SIEM is intended for on-prem and cloud environments. It provides collection and ingestion of endpoint logs and alerts, firewall logs, and third-party audit and flow logs, which include:
Extended data collection and ingestion of endpoint logs and alerts, firewalls, and third-party audit and flow logs.
Comprehensive cloud data collection providing out-of-box analytics, detection, cloud asset discovery, threat-hunting, analysis, response, automation, user and entity behavior analytics (UEBA).
Cortex XSIAM Enterprise is intended for on-prem environments and includes:
One Cortex XDR Pro per Endpoint agent license, which provides tailored endpoint data and third-party log collection to optimize detection and investigation visibility.
Extended data collection and ingestion of endpoint logs and alerts, firewalls, and third-party audit and flow logs using Host Insights and Extended Threat Hunting Data (XTH).
On-prem out-of-the-box analytics, detection, on-prem asset discovery, threat-hunting, analysis, response, automation, and user and entity behavior analytics (UEBA) of endpoints, firewalls, and third-party logs.
Cortex XSIAM Enterprise Plus contains all the features available in Cortex XSIAM Enterprise, with additional capabilities for the cloud. This includes enhanced data collection, detection, automation, and response capabilities for cloud sources, endpoint logs and alerts, firewalls, and third-party audit and flow logs using Host Insights and Extended Threat Hunting Data (XTH).
Note
An Enterprise Plus license is required to enable detection from any cloud sources, Kubernetes, or OpenShift, whether in the cloud or on-prem.
One Cortex XDR Pro per Endpoint agent license, which provides tailored endpoint data and third-party log collection to optimize detection and investigation visibility.
One Cortex XDR Cloud per Host agent license, which can be installed on any physical endpoint or cloud workload, including Kubernetes hosts. The agent provides cloud-based endpoint protection and detection with tailored endpoint and third-party log collection.
Comprehensive cloud data collection that provides out-of-the-box analytics, detection, cloud asset discovery, threat-hunting, analysis, response, automation, user and entity behavior analytics (UEBA).
Cortex XSIAM add-ons
Cortex XSIAM is managed by a base layer containing the data storage, ingestion, query, and reporting capabilities. Log storage is provided based on the amount allocated to your license. Typically, this capacity is determined by factors such as your daily ingestion needs and the number of users in your deployment.
A tenant must have a base layer, which includes the data ingestion license, and only one of the three tiers: XSIAM NG-SIEM, XSIAM Enterprise, or XSIAM Enterprise Plus.
To expand your capabilities, Cortex XSIAM offers several add-ons that allow for more granular investigation. The following table lists the add-ons available for purchase with Cortex NG SIEM, Cortex XSIAM Enterprise, and Cortex XSIAM Enterprise Plus licenses:
To view the license types and add-ons associated with your Cortex XSIAM instance, go to → .