
Cortex XDR
Defining the New Category of Enterprise-Scale Prevention, Detection, and Response

Cortex by Palo Alto Networks | Cortex XDR | Datasheet

Security teams can’t detect and stop active attacks quickly. Even though they’ve deployed countless security tools, they lack the enterprise-wide visibility and deep analytics needed to find threats. These siloed tools generate endless alerts and force analysts to pivot from console to console to verify threats, resulting in missed attacks and incomplete investigations. Faced with a shortage of cybersecurity professionals, teams must simplify operations.

Business Benefits
• Detect advanced attacks with analytics: Uncover threats with AI, behavioral analytics, and custom detection rules.
• Reduce alerts by 50 times: Avoid alert fatigue with a game-changing unified incident engine that intelligently groups related alerts.
• Investigate eight times faster: Verify threats quickly by getting a complete picture of attacks with root cause analysis.
• Stop attacks without degrading performance: Obtain the most effective endpoint protection available with a lightweight agent.
• Maximize ROI: Use existing infrastructure for data collection and control to lower costs by 44%.

Prevent, Detect, Investigate, and Respond to All Threats
Cortex XDR™ defines the new category for enterprise-scale prevention, detection, and response that integrates endpoint, network, and cloud data to stop sophisticated attacks. As the market’s first and leading XDR category product, Cortex XDR unifies prevention, detection, investigation, and response in one platform for unrivaled security and operational efficiency.

Block the Most Endpoint Attacks with Best-in-Class Prevention
The Cortex XDR agent safeguards endpoints from malware, exploits, and fileless attacks with industry-best, AI-driven local analysis and behavior-based protection. Organizations can stop never-before-seen threats with a single cloud-delivered agent for endpoint protection, detection, and response. The integrated Device Control module granularly manages USB access to prevent data loss and malware delivery from malicious devices. The agent shares protections across network and cloud security offerings from Palo Alto Networks to provide ironclad, consistent security across the entire enterprise.

Detect Stealthy Threats with Machine Learning and Analytics
Cortex XDR identifies evasive threats with unmatched accuracy by continuously profiling user and endpoint behavior with analytics. Machine learning models analyze data from Palo Alto Networks and third-party sources to uncover stealthy attacks targeting managed and unmanaged devices.

Investigate and Respond at Lightning Speed
Cortex XDR accelerates investigations by providing a complete picture of every threat and automatically revealing the root cause. Intelligent alert grouping and alert deduplication simplify triage and reduce the experience required at every stage of security operations. Tight integration with enforcement points lets analysts respond to threats quickly.

Get MDR Services from Our Industry-Leading Partners
Powered by Cortex XDR, our managed detection and response (MDR) partners’ services relieve the day-to-day burden of security operations and provide the instant maturity of a 24/7 SOC, delivering a range of services from alert management to incident response and threat hunting. Cortex XDR enables the next generation of MDR services, allowing for comprehensive prevention, detection, and response across network, endpoint, and cloud in a unified, fully integrated technology stack. Get help with custom tuning and deployment to get up and running in weeks, not years, and immediately benefit from decades of investigations, forensics, and security operations expertise. Break through the limitations of managed services built on point products and achieve a guaranteed reduction of mean time to detect (MTTD) and mean time to respond (MTTR) to 60 minutes or less.

Figure 1: Cortex XDR triage and investigation view
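The "Detect Stealthy Threats with Machine Learning and Analytics" section above (and "Discover Threats with Continuous ML-Based Threat Detection" below) describes profiling user and endpoint behavior and flagging deviations, without saying what the profile contains. The following is an added example, not Cortex XDR code and not a description of its models: a deliberately simple per-user baseline of logon hosts and hours, built with set logic rather than machine learning, that scores new authentication events. The users, hosts and timestamps are constructed for the example.

```python
"""Added example, not Cortex XDR code: a per-user behaviour baseline of the
kind the datasheet describes ("profiling user and endpoint behavior"),
built with plain set logic rather than the vendor's unspecified ML models.
All users, hosts and timestamps below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    host: str       # endpoint the logon came from
    outcome: str    # "success" or "failure"


# Constructed training window: two weeks of routine logons.
BASELINE_EVENTS = [
    AuthEvent(datetime(2020, 1, d, h, 0), "alice", "WS-ALICE", "success")
    for d in range(6, 18) for h in (8, 13, 17)
] + [
    AuthEvent(datetime(2020, 1, d, h, 0), "bob", host, "success")
    for d in range(6, 18) for h, host in ((9, "WS-BOB"), (15, "JUMP-01"))
]

# Constructed events to score against that baseline.
NEW_EVENTS = [
    AuthEvent(datetime(2020, 1, 20, 9, 5), "alice", "WS-ALICE", "success"),     # routine
    AuthEvent(datetime(2020, 1, 20, 3, 12), "alice", "FILESRV-07", "success"),  # new host, 03:12
    AuthEvent(datetime(2020, 1, 20, 15, 0), "bob", "JUMP-01", "success"),       # routine
    AuthEvent(datetime(2020, 1, 20, 15, 1), "carol", "WS-BOB", "success"),      # unknown user
]


class UserBaseline:
    """Profile of where and when each user normally logs on."""

    def __init__(self):
        self.hosts = defaultdict(set)   # user -> hosts seen in the baseline
        self.hours = defaultdict(set)   # user -> hours of day seen in the baseline
        self.count = defaultdict(int)   # user -> number of baseline logons

    def fit(self, events):
        for e in events:
            if e.outcome != "success":
                continue                # failed logons do not define normal behaviour
            self.hosts[e.user].add(e.host)
            self.hours[e.user].add(e.ts.hour)
            self.count[e.user] += 1
        return self

    def score(self, e):
        """Return (score, reasons); 0 means the event fits the profile."""
        if self.count[e.user] == 0:
            return 3, ["no baseline for this user"]
        reasons = []
        if e.host not in self.hosts[e.user]:
            reasons.append(f"first logon from {e.host}")
        # One hour of slack either side of the hours seen in training.
        if not any(abs(e.ts.hour - h) <= 1 for h in self.hours[e.user]):
            reasons.append(f"logon at {e.ts.hour:02d}:00 is outside usual hours")
        return len(reasons), reasons


def detect_anomalies(baseline, events, threshold=1):
    """Events scoring at or above threshold, as (user, host, score, reasons)."""
    hits = []
    for e in events:
        score, reasons = baseline.score(e)
        if score >= threshold:
            hits.append((e.user, e.host, score, reasons))
    return hits


if __name__ == "__main__":
    model = UserBaseline().fit(BASELINE_EVENTS)
    for hit in detect_anomalies(model, NEW_EVENTS):
        print(hit)
```

Run as-is, the 03:12 logon from a never-seen file server scores 2 and the unknown user scores 3, while the two routine logons score 0. The point a practitioner should take from it: a profile is only as good as its training window (a user with no baseline is scored as suspicious here, which is a choice, not a law), and the hour check does not wrap across midnight, which a production implementation would need to handle.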


Key Capabilities

Safeguard Your Assets with Industry-Best Endpoint Protection
Prevent threats and collect data for detection and response with a single, cloud native agent. The Cortex XDR agent offers a complete prevention stack with cutting-edge protection for exploits, malware, ransomware, and fileless attacks. It includes the broadest set of exploit protection modules available to block the exploits that lead to malware infections. Every file is examined by an adaptive AI-driven local analysis engine that’s always learning to counter new attack techniques. A Behavioral Threat Protection engine examines the behavior of multiple, related processes to uncover attacks as they occur. Integration with the Palo Alto Networks WildFire® malware prevention service boosts security accuracy and coverage.

Securely Manage USB Devices
Protect your endpoints from malware and data loss with Device Control. The Cortex XDR agent allows you to monitor and secure USB access without needing to install another agent on your hosts. You can restrict usage by vendor, type, endpoint, and Active Directory® group or user. Granular policies allow you to assign write or read-only permissions per USB device. You can easily manage USB access settings from the Cortex XDR management interface and gain peace of mind that you’ve mitigated USB-based threats.

Get Full Visibility Based on Good Data
Break security silos by integrating all data. Cortex XDR automatically stitches together endpoint, network, and cloud data to accurately detect attacks and simplify investigations. It collects data from Palo Alto Networks products as well as third-party logs and alerts, enabling you to broaden the scope of intelligent decisions across all network segments. Third-party alerts are dynamically integrated with endpoint data to reveal root cause and save hours of analysts’ time. Cortex XDR examines logs collected from third-party firewalls with behavioral analytics, enabling you to find critical threats and eliminate any visibility blind spots.

Discover Threats with Continuous ML-Based Threat Detection
Find stealthy threats with analytics and out-of-the-box rules that deliver unmatched MITRE ATT&CK™ coverage. Cortex XDR automatically detects active attacks, allowing your team to triage and contain threats before the damage is done. Using machine learning, Cortex XDR continuously profiles user and endpoint behavior to detect anomalous activity indicative of attacks. By applying analytics to an integrated set of data, including security alerts and rich network, endpoint, and cloud logs, Cortex XDR meets and exceeds the detection capabilities of siloed network traffic analysis (NTA), endpoint detection and response (EDR), and user behavior analytics (UBA) tools. Automated detection works all day, every day, providing you peace of mind.

Investigate Eight Times Faster
Automatically reveal the root cause of every alert. With Cortex XDR, your analysts can examine alerts from any source, including third-party tools, with a single click, streamlining investigations. Cortex XDR automatically reveals the root cause, reputation, and sequence of events associated with each alert, lowering the experience level needed to verify an attack. By consolidating alerts into incidents, Cortex XDR slashes the number of individual alerts to review and alleviates alert fatigue. Each incident provides a complete picture of an attack, with key artifacts and integrated threat intelligence details, accelerating investigations.

Figure 2: Customizable dashboard

Manually Hunt for Threats with Powerful Search Tools
Uncover hidden malware, targeted attacks, and insider threats. Your security team can search, schedule, and save queries to identify hard-to-find threats. Flexible searching capabilities let your analysts hunt threats and search for both indicators of compromise (IOCs) and behavioral indicators of compromise (BIOCs) without learning a new query language. By incorporating threat intelligence from Palo Alto Networks with a complete set of network, endpoint, and cloud data, your team can catch malware, external threats, and internal attacks whether the incidents are in progress or have occurred in the past.

Coordinate Response Across Endpoint, Network, and Cloud Enforcement Points
Stop threats with fast and accurate remediation. Cortex XDR lets your security team instantly contain endpoint, network, and cloud threats from one console. Your analysts can quickly stop the spread of malware, restrict network activity to and from devices, and update prevention lists like bad domains through tight integration with enforcement points. The powerful Live Terminal feature lets Tier 1 analysts swiftly investigate and shut down attacks without disrupting end users by directly accessing endpoints; running Python®, PowerShell® or system commands and scripts; and managing files and processes from graphical file and task managers.

Find Every Attack with Unit 42 Threat Hunters Constantly Working on Your Behalf
Augment your security team with the Cortex XDR Managed Threat Hunting service. With this service, Unit 42 threat researchers continuously surface the stealthiest attacks targeting your enterprise, giving you peace of mind in your security posture. You’ll gain the confidence to take decisive response actions with deep context on identified attacks and proactive Impact Reports that help you stay ahead of emerging threats. Cortex XDR Managed Threat Hunting is available to try through our limited-time Community Access offering.

Tightly Integrate with Security Orchestration, Automation, and Response (SOAR)
Standardize and automate response processes across your security product stack. Cortex XDR integrates with Demisto®, enabling your teams to feed incident data into Demisto for automated, playbook-driven response that spans more than 300 third-party tools and promotes cross-team collaboration. Demisto playbooks can automatically ingest Cortex XDR incidents, retrieve related alerts, and update incident fields in Cortex XDR as playbook tasks. You can leverage Demisto’s case management to monitor and correlate Cortex XDR incidents with other alerts in your organization.

Unify Management, Reporting, Triage, and Response in One Intuitive Console
Maximize productivity with a seamless platform experience. The management console offers end-to-end support for all Cortex XDR capabilities, including endpoint policy management, detection, investigation, and response. You can quickly assess the security status of your organization’s or individual endpoints with customizable dashboards, and summarize incidents and security trends with graphical reports that can be scheduled or generated on demand. Public APIs extend management to third-party tools, enabling you to retrieve and update incidents, collect agent information, and contain endpoint threats from the management platform of your choice.

Figure 3: Analysis of data from any source for detection and response (diagram: NGFW, VM-Series, network, endpoint, cloud, and third-party sources feeding Cortex Data Lake and Cortex XDR)
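"Investigate Eight Times Faster" above, like "Investigate and Respond at Lightning Speed" earlier, describes grouping related alerts into incidents, deduplicating repeats, stitching third-party alerts to endpoint data, and surfacing a root cause, without specifying how alerts are related. The following is an added example of that kind of incident engine, not Cortex XDR code and not its actual grouping logic: alerts join an incident when they fall within a time window and share a process tree identifier, a host, or a user; identical alerts are collapsed first; the root cause is the earliest agent alert because the agent sees the originating process. The alerts, hosts, users and causality identifiers are constructed for the example.

```python
"""Added example, not Cortex XDR's incident engine: stitch alerts from the
endpoint agent, a firewall and a third-party tool into incidents, drop
duplicate alerts, and pick a root cause. All alerts below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str                          # "agent", "ngfw" or "thirdparty"
    name: str
    host: str
    user: Optional[str] = None
    causality_id: Optional[str] = None   # ties alerts from one process tree together
    fingerprint: Tuple[str, ...] = ()    # fields that make two alerts "the same"


@dataclass
class Incident:
    alerts: List[Alert] = field(default_factory=list)
    hosts: set = field(default_factory=set)
    users: set = field(default_factory=set)
    causality_ids: set = field(default_factory=set)

    def touches(self, a: Alert, window: timedelta) -> bool:
        """Join if the alert is close in time and shares a process tree, host or user."""
        if not self.alerts or a.ts - self.alerts[-1].ts > window:
            return False
        return (a.causality_id in self.causality_ids
                or a.host in self.hosts
                or (a.user is not None and a.user in self.users))

    def add(self, a: Alert) -> None:
        self.alerts.append(a)
        self.hosts.add(a.host)
        if a.user:
            self.users.add(a.user)
        if a.causality_id:
            self.causality_ids.add(a.causality_id)

    def root_cause(self) -> Alert:
        """Earliest endpoint alert, since the agent sees the originating process;
        fall back to the earliest alert of any source."""
        agent = [a for a in self.alerts if a.source == "agent"]
        return min(agent or self.alerts, key=lambda a: a.ts)


def dedupe(alerts: List[Alert]) -> List[Alert]:
    """Keep the first of any alerts sharing (name, host, fingerprint), in time order."""
    seen, out = set(), []
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.name, a.host, a.fingerprint)
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def group_into_incidents(alerts: List[Alert], window=timedelta(hours=1)) -> List[Incident]:
    incidents: List[Incident] = []
    for a in dedupe(alerts):
        for inc in incidents:
            if inc.touches(a, window):
                inc.add(a)
                break
        else:
            inc = Incident()
            inc.add(a)
            incidents.append(inc)
    return incidents


def summarize(incidents: List[Incident]):
    """(alert count, hosts, root-cause alert name) per incident."""
    return [(len(i.alerts), sorted(i.hosts), i.root_cause().name) for i in incidents]


T0 = datetime(2020, 1, 31, 10, 0)
SAMPLE_ALERTS = [
    # The agent raises the same behavioural alert three times for one document.
    Alert(T0, "agent", "Office app spawned PowerShell", "WS-17", "alice", "cid-1",
          ("WINWORD.EXE", "powershell.exe")),
    Alert(T0 + timedelta(seconds=5), "agent", "Office app spawned PowerShell", "WS-17",
          "alice", "cid-1", ("WINWORD.EXE", "powershell.exe")),
    Alert(T0 + timedelta(seconds=9), "agent", "Office app spawned PowerShell", "WS-17",
          "alice", "cid-1", ("WINWORD.EXE", "powershell.exe")),
    # The firewall sees the follow-on download from the same host.
    Alert(T0 + timedelta(minutes=1), "ngfw", "Malicious URL download", "WS-17",
          None, None, ("203.0.113.10",)),
    # A third-party tool flags the same user on another host.
    Alert(T0 + timedelta(minutes=20), "thirdparty", "Anomalous RDP logon", "FILESRV-07",
          "alice", None, ("rdp",)),
    # Unrelated activity a day later on a different host and user.
    Alert(T0 + timedelta(days=1), "agent", "Credential dumping attempt", "WS-42",
          "bob", "cid-9", ("lsass.exe",)),
]

if __name__ == "__main__":
    for row in summarize(group_into_incidents(SAMPLE_ALERTS)):
        print(row)
```

Six raw alerts become two incidents: the three repeated agent alerts collapse to one, the firewall alert joins through the shared host, and the third-party RDP alert joins through the shared user, so the analyst reviews one incident with a root cause rather than five alerts. The design decision worth noticing is the join key: matching on host or user alone will over-merge on shared servers and service accounts, which is why a process-tree (causality) identifier is the strongest link and the time window is a hard gate.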


Operational Benefits
Block known and unknown attacks with powerful endpoint protection: Leverage AI-based local analysis and Behavioral
Threat Protection to stop the most malware, exploits, and fileless attacks in the industry.
Gain visibility across network, endpoint, and cloud data: Collect and correlate data from Palo Alto Networks and third-party
tools to detect, triage, investigate, hunt, and respond to threats.
Automatically detect sophisticated attacks 24/7: Use always-on AI-based analytics and custom rules to detect advanced
persistent threats and other covert attacks.
Avoid alert fatigue and personnel turnover: Simplify investigations with automated root cause analysis and a unified incident
engine, resulting in a 98% reduction in alerts and lowering the skill required to triage alerts.
Drastically reduce false positive alerts: Apply knowledge from every investigation to refine behavioral detection rules and
speed future analysis, decreasing noise and risk.
Increase SOC productivity: Consolidate endpoint security policy management and monitoring, investigation, and response
across your network, endpoint, and cloud environments in one console, increasing SOC efficiency.
Eradicate threats without business disruption: Shut down attacks with surgical precision while avoiding user or system
downtime.
Eliminate advanced threats: Protect your network against malicious insiders, policy violations, external threats, ransomware,
fileless and memory-only attacks, and advanced zero-day malware.
Supercharge your security team: Disrupt every stage of an attack by detecting IOCs, anomalous behavior, and malicious
patterns of activity.
Continually improve your security posture: Save threat hunting searches as behavioral rules to detect similar threats in the
future. Flexible informational alerts improve timeline analysis by identifying suspicious behavior and making complex events
easy to understand.
Extend detection, investigation, and response to third-party data sources: Enable behavioral analytics on logs collected from
third-party firewalls while integrating third-party alerts into a unified incident view and root cause analysis for faster, more
effective investigations.

Ease Deployment with Cloud Delivery
Get started in minutes. The cloud native Cortex XDR platform offers streamlined deployment, eliminating the need to deploy new on-premises network sensors or log collectors. You can use your Palo Alto Networks products or third-party firewalls to collect data, reducing the number of products you need to manage. You only need one source of data, such as Next-Generation Firewalls or Cortex XDR agents, to detect and stop threats, but additional sources can eliminate blind spots. Easily store data in Cortex Data Lake, a scalable and efficient cloud-based data repository. By integrating data from multiple sources together, automating tasks, and simplifying management, Cortex XDR delivers a 44% cost savings compared to siloed security tools.

Table 1: Cortex XDR Features and Specifications

Detection and Investigation Features and Capabilities
• Automated stitching of network, endpoint, and cloud data from Palo Alto Networks and third-party sources
• Third-party alert and log ingestion from any source with required network information
• Third-party log data from Check Point, Fortinet, and Cisco ASA firewalls
• Cloud-based malware prevention with WildFire
• Malware and fileless attack detection
• Detection of targeted attacks, malicious insiders, and risky user behavior
• Network traffic analysis (NTA) and user behavior analytics (UBA)
• Endpoint detection and response (EDR)
• Threat hunting
• Cortex XDR Managed Threat Hunting service
• Machine learning-based behavioral analytics
• Custom rules to detect tactics, techniques, and procedures
• Root cause analysis of alerts
• Timeline analysis of alerts
• Unified incident engine
• Post-incident impact analysis
• Dashboards and reporting
• IOC and threat intelligence searches
• Native integration with Demisto for security orchestration, automation, and response (SOAR)
• Incident response and recovery


Endpoint Protection and Response Capabilities
• Malware, ransomware, and fileless attack prevention
• Behavioral Threat Protection
• AI-based local analysis engine
• Integration with the cloud-based WildFire malware prevention service
• Child process protection
• Exploit prevention by exploit technique
• Device control for USB device management
• Live Terminal for direct endpoint access
• Network isolation, quarantine, process termination, file deletion, file blacklist
• Public APIs for response and data collection
• Credential theft protection
• Scheduled and on-demand malware scanning

Partner-Delivered MDR Service Benefits
• 24/7 year-round monitoring and alert management
• Custom tuning of Cortex XDR for enhanced prevention, visibility, and detection
• Dedicated, proactive threat hunters who understand your environment
• Guided or full threat remediation actions
• Guaranteed reduction of MTTD and MTTR to 60 mins or less
• Investigation of every alert and incident generated by Cortex XDR
• Direct access to partners’ analysts and forensic experts
• Visibility and coverage across network, endpoint, and cloud assets

Technical Specifications
Delivery model: Cloud-delivered application
Data retention: 30-day to unlimited data storage
Cortex XDR Prevent subscription: Endpoint protection with Cortex XDR agents
Cortex XDR Pro per endpoint subscription:
  • Endpoint protection with Cortex XDR agents
  • Detection, investigation, and response across endpoint data sources
Cortex XDR Pro per TB subscription: Detection, investigation, and response across network and cloud data sources, including third-party data
Cortex XDR Pathfinder endpoint analysis service: Collects process information from endpoints that do not have Cortex XDR agents; included with all Cortex XDR subscriptions

Reinvent Security Operations with Cortex
Cortex XDR is part of Cortex™, the industry’s most comprehensive product suite for security operations, empowering enterprises with best-in-class detection, investigation, automation, and response capabilities. The suite is built on the tightly integrated offerings of Cortex XDR and Demisto, which enables you to transform your SOC operations from a manual, reactive model that requires endless resources to a lean, proactive, and automated team that reduces both MTTD and MTTR for every security use case.

Operating System Support
The Cortex XDR agent supports multiple endpoints across Windows®, macOS®, Linux, and Android® operating systems. For a complete list of system requirements and supported operating systems, please visit the Palo Alto Networks Compatibility Matrix. Cortex XDR Pathfinder minimum requirements: 2 CPU cores, 8 GB RAM, 128 GB thin-provisioned storage, VMware ESXi™ V5.1 or higher, or Microsoft Hyper-V® 6.3.96 or higher hypervisor.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. cortex-xdr-013120
