
AMPLIFY PRODUCT SUMMARY

Cortex XDR
Synopsis
Cortex XDR is an extended detection and response (XDR) platform that protects endpoint devices and provides incident management, forensics and remediation capabilities for security operations teams.

Attributes

Prevention

Device Control
  What Does It Do? The Cortex XDR endpoint agent allows for the regulation of connections to USB removable devices such as disk drives, CD-ROM drives, floppy disk drives, and other portable devices.
  Why Is It Important? Removable media devices can bypass network security inspection to introduce malicious files to an endpoint.

Endpoint Encryption
  What Does It Do? The Cortex XDR endpoint agent enables encryption for Windows and Mac endpoints.
  Why Is It Important? Encryption controls access and protects valuable data on endpoints by making data unusable, unreadable, or indecipherable to unauthorized individuals.

Exploit Protection
  What Does It Do? The Cortex XDR endpoint agent prevents exploit attempts on system and application vulnerabilities by employing roadblocks (or traps) for the detection and prevention of exploit techniques.
  Why Is It Important? Preventing exploit attacks removes easy entry points for attackers to gain privileged host access and deliver malicious payloads.

Host Firewall
  What Does It Do? The Cortex XDR endpoint agent includes a host firewall that controls inbound and outbound communications on Windows and Mac endpoints.
  Why Is It Important? A host firewall prevents attacks that originate in network communications and provides additional visibility into endpoint connections.

Malware Analysis (Cloud-delivered)
  What Does It Do? The Cortex XDR endpoint agent sends unknown files to the Palo Alto Networks WildFire cloud service for automatic discovery and deeper analysis of malware.
  Why Is It Important? Threat sandboxing mitigates the risks associated with evasive threats by automating analysis and disseminating malware verdicts.

Malware Protection
  What Does It Do? The Cortex XDR endpoint agent utilizes localized artificial intelligence and behavior analysis to prevent ransomware, fileless attacks and sophisticated threats.
  Why Is It Important? Immediate evaluation of endpoint files and the monitoring of endpoint activity help identify and analyze the chains of events for malicious activity.

Detection

Endpoint File Scanning
  What Does It Do? The Cortex XDR endpoint agent scans Windows endpoints, Mac endpoints and attached removable drives for dormant malware that is not actively attempting to run.
  Why Is It Important? Periodic scanning of endpoints on a recurring basis identifies malware without waiting for it to execute.

Log Data Collection
  What Does It Do? Cortex XDR uses Palo Alto Networks products as sensors to collect logs and telemetry data. Cortex XDR can also receive logs and alerts from external, third-party sources to capture a more complete and detailed picture of activities.
  Why Is It Important? Leaving data hidden in silos across the security infrastructure delays finding threats and limits the effectiveness of analysis.

Log Stitching
  What Does It Do? Cortex XDR correlates firewall network logs, endpoint raw data, and cloud data across detection sensors.
  Why Is It Important? Correlating logs from different sources helps identify key attributes of security processes and connections made over the network.

Machine Learning Analytics
  What Does It Do? Cortex XDR has an analytics engine that ingests log data to baseline normal behavior in order to detect and alert on anomalies and indicators of compromise.
  Why Is It Important? Machine learning accelerates sifting through the deluge of alerts to triage incidents and alleviate alert fatigue.

Vulnerability Assessment
  What Does It Do? Cortex XDR's Host Insights module identifies endpoint security vulnerabilities and quantifies risk severity.
  Why Is It Important? Gaining full visibility of endpoint risk exposure allows for proactive mitigation and patching on all endpoints.

© 2021 Palo Alto Networks | Cortex XDR | AMPLIFY Product Summary



Investigation

Causality Analysis Engine
  What Does It Do? Cortex XDR uses a unique, patented analysis engine that consolidates alerts into incidents. Each incident provides a complete picture of an attack, with key artifacts and integrated threat intelligence details.
  Why Is It Important? Visualizing the attack sequence back to the root cause provides essential details about each element in the sequence and makes complex attacks easy to understand.

Identity Analytics
  What Does It Do? Identity Analytics aggregates and displays suspicious user activity information collected by the Cortex XDR analytics engine.
  Why Is It Important? Leveraging user profile information and user activity details associated with alerts helps with the investigation of stolen or misused credentials, lateral movement, credential harvesting, or brute-force attacks.

Query Builder
  What Does It Do? Query Builder is a powerful search tool at the heart of Cortex XDR that is used to investigate any lead, expose the root cause of an alert, perform damage assessment, and hunt for threats from data sources.
  Why Is It Important? Building complex queries helps search for entities and their attributes to expose connections that are indicative of unwanted behaviors or activities.

Response

Endpoint Isolation
  What Does It Do? Cortex XDR can isolate endpoints by halting all network access on the endpoint except for Cortex XDR communications.
  Why Is It Important? Isolating an endpoint prevents it from communicating with other endpoints and reduces an attacker's mobility on the network.

File Quarantine
  What Does It Do? Cortex XDR will quarantine malicious files and remove them from working directories.
  Why Is It Important? Quarantining moves files to a location where they no longer pose a threat to the host and provides the opportunity to determine whether the file was falsely identified, fix the file, or completely remove it.

File Search and Destroy
  What Does It Do? Cortex XDR's Host Insights module contains a powerful Search and Destroy feature to help identify and contain threats.
  Why Is It Important? When a file is detected as malicious, destroying all instances on all endpoints directly curtails its proliferation throughout the enterprise.

Live Terminal to Endpoints
  What Does It Do? Live Terminal allows the initiation of remote connections to endpoints to navigate and manage files, manage active processes, and run operating system commands or scripts.
  Why Is It Important? The Live Terminal feature lets analysts swiftly verify and contain attacks without disrupting end users by directly accessing endpoints.

NGFW Policy Integration
  What Does It Do? Cortex XDR feeds IP addresses and domain names to Palo Alto Networks firewalls to control access by users.
  Why Is It Important? Importing object information from Cortex XDR allows the firewall to dynamically enforce network control without the need to make configuration changes.

Remediation Analysis
  What Does It Do? Cortex XDR offers incident responders suggestions for endpoint remediation of processes, files and registry keys to restore or revert changes made on the endpoint.
  Why Is It Important? Providing remediation suggestions avoids the need to manually search for affected files and registry settings.

Product Integrations

AutoFocus
  Why Is This Important? AutoFocus is a cloud-delivered threat intelligence service that aggregates and contextualizes threat data from various sources (Palo Alto Networks products, the Unit 42 threat intelligence team, third-party threat feeds) to provide in-depth research about adversaries, malware families, and attack campaigns. Cortex XDR processes threat analysis reports from AutoFocus and makes threat information available for investigative purposes.

Cloud Identity Engine
  Why Is This Important? The Cloud Identity Engine allows customers to integrate their organization's directory service with Cortex XDR to provide user identity context for investigative alerts.


Cortex Data Lake
  Why Is This Important? Cortex Data Lake is a cloud-based storage service that collects logs generated by Palo Alto Networks products. Cortex XDR leverages the Cortex Data Lake to centralize the collection and storage of logs used for Cortex XDR analysis and investigation.

Cortex XSOAR
  Why Is This Important? Cortex XSOAR is a security workflow solution that standardizes and automates security response activities. Cortex XDR can feed incident data into Cortex XSOAR to manage incidents with automated, playbook-driven response and promote cross-team collaboration.

Next-Generation Firewall (NGFW)
  Why Is This Important? The Next-Generation Firewall is a stream-based, single-pass security architecture that conducts contextual classification of all network traffic for prevention-focused protection against cyberthreats. Cortex XDR can feed firewalls IP addresses, URLs, and domain information for immediate policy enforcement on network traffic.

Prisma Cloud
  Why Is This Important? Prisma Cloud is an API-based cloud service that aggregates and analyzes configuration data, user activity information and network traffic from cloud provider environments in order to provide actionable insights. Cortex XDR can receive Prisma Cloud alerts to gain additional visibility, improved analytics and enhanced investigations across cloud and on-premise data.

WildFire Malware Prevention Service
  Why Is This Important? WildFire is a cloud-delivered sandboxing service that uses multiple analysis techniques to identify unknown threats. Cortex XDR queries WildFire for endpoint file sample verdicts and sends unknown samples to WildFire for in-depth analysis.

Host Insights (add-on)
  Why Is This Important? Host Insights combines vulnerability assessment, application and system visibility, and a search and destroy feature to help identify and contain threats. Cortex XDR uses Host Insights to offer endpoint visibility and attack containment. This helps reduce threat exposure and avoids future breaches.

Managed Threat Hunting (add-on)
  Why Is This Important? Managed Threat Hunting is a service that provides round-the-clock monitoring from Palo Alto Networks employees on the Unit 42 threat research team. Cortex XDR provides the analytics, detection rules and research that managed threat hunters use to discover advanced attacks in a customer's organization.

What's New

Add-Ons

Compute Units (add-on)
  Why Is This Important? Cortex XDR enables customers to purchase compute units in addition to their daily compute unit quota for carrying out additional investigation actions. Compute units are used to execute intricate data searches with the Cortex XDR Extended Query Language (XQL) against collected Cortex XDR log data and imported log data from third parties.

Cortex XDR Forensics (add-on)
  Why Is This Important? Cortex XDR Forensics is an end-to-end solution that helps with every step of incident response: data collection, analysis, threat hunting, and remediation. Cortex XDR Forensics collects detailed system information, provides investigators with insight into file access and process execution, and allows them to perform a deep dive on a single endpoint or search for artifacts across all endpoints.


Cortex XDR For Cloud

Cloud Provider Log Ingestion
  Why Is This Important? Cortex XDR ingests and normalizes cloud audit and network traffic logs from Amazon Web Services, Google Cloud Platform and Microsoft Azure. Cloud provider log data can be used to reconstruct communication sessions for alerts and create datasets for search queries.

Cortex XDR Endpoint Agent for Kubernetes
  Why Is This Important? The Cortex XDR endpoint agent can be deployed on any Kubernetes cluster. Being natively integrated in Kubernetes, the Cortex XDR endpoint agent provides visibility into containers and ensures full coverage of critical production workloads.

Cortex XDR Endpoint Agent for Microsoft Azure
  Why Is This Important? The Cortex XDR endpoint agent can be deployed on Microsoft Azure-based VMs and virtual desktops to protect against malicious software.

SaaS HR System Data Ingestion
  Why Is This Important? Cortex XDR can ingest ServiceNow CMDB data and Workday reports data for analysis.

Want to learn more about newly released features for Cortex XDR?
Please visit the Cortex XDR Release Information webpage.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
