What is the cortex XDR service?

Table of Contents Show

Cortex XDR Architecture
Cortex XDR Key Capabilities
Beyond XDR Security With Cynet’s Autonomous Breach Protection

Web browser interface Yes

Using the web interface All features and functionality are primarily delivered through the web interface.This includes the initial setup, system-configuration, on-boarding and operational functions such as monitoring and reporting.

A role-based access control (RBAC) system is in place to enforce the relevant access and configuration permissions requirements for certain types of individual users or groups.

Web interface accessibility standard None or don’t know

How the web interface is accessible The web interface is accessible via a subdomain of traps.paloaltonetworks.com (e.g. organisation.aperture.paloaltonetworks.com) or via apps.paloaltonetworks.com. IP Whitelisting can be utilised to restrict access to the management web interface.

Web interface accessibility testing N/A

API Yes

What users can and can't do using the API Get Incidents,Get Extra Incident Data,Update an Incident,Insert CEF Alerts,Insert Parsed Alerts,Isolate Endpoints,Un-isolate Endpoints,Get Endpoints,Get All Endpoints,Scan Endpoints,Cancel Scan Endpoints,Delete Endpoints,Get Policy,Get Device Violations,Get Distribution Version,Create Distributions,Get Distribution Status,Get Distribution URL,Get Audit Management Log,Get Audit Agent Report,Blacklist Files,Whitelist Files,Quarantine Files,Get Quarantine Status,Restore File,

Retrieve File

API automation tools Other

Other API automation tools Python/Go Modules available

API documentation Yes

API documentation formats

Command line interface Yes

Command line interface compatibility

Linux or Unix
Windows
MacOS

Using the command line interface The CLI is primarily used for debugging and support purposes of the endpoint software. It is not used for general purposes.

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at . Tell them what format you need. It will help if you say what assistive technology you use.

This is a bot-free zone. Please check the box to let us know you're human.

One of our sales specialists will be in touch shortly.

Read complimentary reports and insightful stories in the
Trustwave Resource Center

Palo Alto Networks offers an XDR platform called Cortex XDR, packaged as two main versions. Cortex XDR Prevent provides protection for endpoints, and Cortex XDR Pro adds capabilities for networks, cloud resources, and third-party products. The basic functionalities of Cortex XDR include an app for tracking visibility and a data lake for logging. Advanced capabilities feature an analytics engine, next-generation firewalls, agents, and alerts.

In this article, you will learn:

Palo Alto’s Cortex XDR is an extended detection and response platform that monitors and manages cloud, network, and endpoint events and data. Cortex XDR combines features for incident prevention, detection, analysis, and response into a centralized platform.

There are two available versions of Palo Alto’s Cortex XDR security:

Cortex XDR Prevent—provides protection for endpoints and includes device control, disk encryption, and host firewall features. It also includes an incident engine, integrated response capabilities, and an optional threat intelligence feed.
Cortex XDR Pro—provides the same protections as Prevent but for endpoints, networks, cloud resources, and third-party products. It also includes features for behavior analytics, rule-based detection, accelerated investigation, and optional managed threat hunting.

Both versions include alert retention for 30 days and optional extended data retention. The Pro version also includes XDR data retention for both endpoint and network data for 30 days.

Check out our guide about XDR security solutions, which compares the top 10 XDR solutions offered by leading vendors, including Palo Alto, Cisco, Microsoft, McAfee, and more.

Cortex XDR Architecture

The Cortex XDR architecture varies slightly between the product versions but includes several standard components. Both editions rely on the Cortex Data Lake and are designed to correlate your log data across your devices.

Basic platform components include:

Cortex XDR app—a user interface (UI) that provides visibility into your Data Lake. From this UI, you can triage and investigate alerts, take action for remediation, and define your detection and response policies.
Cortex Data Lake—a storage resource for cloud-based logging that is designed to hold your log data from all sources. The Data Lake centralizes your data, enabling the XDR engine to correlate events and create alerts.

Advanced platform components include:

Analytics engine—a security service that uses network and endpoint data to detect and respond to threats. It applies behavioral analytics to identify both known and unknown threats through comparison to known and accepted user or device behaviors.
Next-generation firewalls—virtual or on-premise firewalls that you can use to enforce secure traffic policies in your network. These firewalls include machine learning technologies to help detect known and unknown threats.
Prisma Access and GlobalProtect—services you can use to extend your firewall protections to remote and mobile users. These services enable you to forward remote traffic logs to your Data Lake to allow joint correlation with local logs.
External firewalls and alerts—through integration, you can ingest external firewall logs and alerts into your Cortex XDR system. This is possible through the Cortex XDR API. These data points can then be combined with your Cortex data to provide more context for events and enable more thorough response.
Cortex XDR agents—software installed on endpoints that are used to collect and forward data. These agents can also perform local analyses and can consume WildFire threat intelligence for improved detection of threats. All collected data is also sent to the Data Lake for joint analysis.

Different XDR security solutions offer different architectures. For information about McAfee XDR or Cisco XDR check out our in-depth guides.

Cortex XDR Key Capabilities

Cortex XDR provides several key capabilities, designed to secure an organization’s networks and devices.

Safeguard assets with endpoint protection

Cortex XDR provides endpoint protection against malware, fileless attacks, ransomware, and exploits. Any downloaded files are examined by an analysis engine with AI capabilities.

Additionally, behavioral analyses help identify and stop malicious data transfers or processes. Organizations can also integrate with Palo Alto Networks WildFire malware prevention service for increased security and protection.

Securely manage USB devices

Cortex XDR includes Device Control, a feature designed to monitor and secure USB access to devices. The feature is agentless. It enables organizations to restrict device usage according to endpoint, type, vendor, or Active Directory identities. Device control also enables organizations to limit read and write permissions according to USB device ID.

Protect endpoint data with host firewall and disk encryption

Firewalls and disk encryption protect endpoints from malicious traffic and reduce the damage done if attackers bypass firewalls. The Cortex XDR firewall provides controls for inbound and outbound communications.

Disk encryption can be directly integrated with BitLocker and organizations can encrypt and decrypt data on endpoint devices. Firewall and encryption settings are managed from the UI console.

Hunt for threats

The Cortex XDR Pro version includes optional features for managed threat hunting and features for manual hunting. Threat hunting can help uncover insider threats, targeted attacks, and hidden malware. It requires carefully searching through system and event data to identify suspicious or malicious activity.

The manual features included in Cortex XDR enable organizations to use flexible search features to identify a range of indicators of compromise (IOCs) or behavioral indicators of compromise (BIOCs). IOCs or BIOCs are threat signatures, hashes, addresses, or metadata used to identify known threats.

Managed options provide 24/7 support with dedicated threat hunting experts. These hunters search through an organization’s data and provide detailed threat reports on their findings.

Natively integrate with Cortex XSOAR

Cortex XSOAR (security orchestration, automation, and response) is a solution that can be integrated into Cortex XDR. SOAR solutions are designed to enable automated responses to, typically low-level threats, and can help significantly speed response time.

The Cortex XSOAR solution enables organizations to define automation playbooks for incident response. These playbooks can be used to define actions across 370 third-party tools. Playbooks can also ingest incident data, access alerts, and update Cortex XDR incident fields.

Beyond XDR Security With Cynet’s Autonomous Breach Protection

Cynet 360 is an autonomous breach protection platform that works in three levels, providing XDR, SOAR, and 24/7 MDR in one unified solution. Cynet natively integrates these three services into an end to end, fully-automated breach protection.

Cynet’s XDR layer includes the following capabilities:

Endpoint protection—multilayered protection against malware, ransomware, exploits and fileless attacks.
Network protection—protecting against scanning attacks, MITM, lateral movement and data exfiltration.
User protection—preset behavior rules coupled with dynamic behavior profiling to detect malicious anomalies.
Deception—wide array of network, user, file decoys to lure advanced attackers into revealing their hidden presence.

Cynet 360 can be deployed across thousands of endpoints in less than two hours. It can be immediately used to uncover advanced threats and then perform automatic or manual remediation, disrupt malicious activity and minimize damage caused by attacks.

Get a free trial of Cynet 360 and experience the world’s only integrated XDR, SOAR and MDR solution.