XDR as "SIEM" (challenge for discussion)

tlmarques — Fri, 14 Nov 2025 18:25:39 GMT

I wanted to leave a challenge here for discussion in the group.

Why not use XDR as if it were a SIEM, in order to analyze more events with better accuracy, and to create more correlation and data enrichment?

I’m referring to an environment with:
XDR, XSOAR, Palo Alto/Fortigate firewalls, Windows and Linux systems, and O365.

For systems that don’t have direct integration support, you could even use a SYSLOG broker and then centralize all the logs in the XDR.

This way, you would only need to purchase log ingestion space for the XDR.

Does anyone see any issues with this approach?

Re: XDR as "SIEM" (challenge for discussion)

susekar — Thu, 26 Feb 2026 13:41:53 GMT

Hello @tlmarques ,

Greetings for the day.

While using Cortex XDR as a SIEM replacement is technically possible using the Pro per GB license model, Palo Alto Networks specifically designed Cortex XSIAM (Extended Security Intelligence & Automation Management) to fulfill this requirement. XSIAM is built on XDR, XSOAR, and Xpanse foundations to automate the manual work typically associated with traditional SIEMs.

Using XDR alone as a SIEM involves several technical considerations and limitations regarding data enrichment, correlation, and ingestion.

1. (Log Ingestion and Data Modeling)

License Requirement:

Ingesting network, cloud, and third-party logs (such as FortiGate or Microsoft 365) into Cortex XDR requires a Cortex XDR Pro per GB license.

Broker VM vs. Native Ingestion:

While you can use a Broker VM with the Syslog Collector applet for third-party systems, logs ingested via syslog often lack the "log stitching" and Enhanced Application Logs (EALs) provided by native integrations like the Cloud Logging Collection Service (CLCS).

Third-Party Limitations:

Logs from vendors like FortiGate ingested via syslog may not automatically feed into the Analytics or Causality engines. They often require manual creation of correlation rules and custom parsing rules to extract searchable fields.

2. Correlation and Real-Time Detection:

Correlation Latency:

In XDR, correlation rules typically run on a schedule (for example, every 10 minutes) over a customizable data window. XSIAM, by contrast, is optimized for real-time alerts triggered upon single-event ingestion.

Detection Engines:

XDR Analytics and BIOCs (Behavioral Indicators of Compromise) are primarily tuned for normalized logs from supported sensors. Unknown syslog sources usually do not automatically feed these advanced detection engines.

3. Potential Performance and Management Issues:

Ingestion Quotas:

XDR Pro per GB licenses calculate usage based on a 7-day average. If high-volume logs (such as firewall traffic) exceed the daily quota, the system may generate notifications and eventually cause processing delays.

Source-Side Filtering:

Licensing costs are incurred upon raw data receipt. To optimize costs, you must implement filtering at the source (Broker VM or Log Sender) to drop unwanted logs before they enter the cloud pipeline.

Endpoint Contention:

Deploying both XDR and traditional SIEM agents on the same endpoint is not considered best practice and can cause performance issues due to resource contention.

Export Limitations:

If you eventually need to forward raw EDR telemetry from XDR to external storage or another tool, the native syslog forwarding feature only supports alerts and audit logs—not comprehensive high-volume endpoint telemetry.

Summary of Comparison:

Feature	Cortex XDR	Cortex XSIAM (SIEM Replacement)
Primary Focus	Endpoint & Network Detection/Response	Centralized Log Management & SOC Automation
Correlation	Scheduled rules (every X minutes)	Real-time ingestion triggers
SaaS/Cloud Visibility	Stitched causality for Microsoft 365 audit logs	Broad ingestion across cloud services & applications
Automation	Basic response actions	Advanced orchestration via integrated XSOAR
NGFW Integration	Traffic/Threat logs (stitching via CLCS)	Full log set including System/Auth/GlobalProtect

In summary, while Cortex XDR Pro per GB can technically function as a limited SIEM solution, Cortex XSIAM is purpose-built to replace traditional SIEM platforms with real-time detection, broader log ingestion, and advanced automation capabilities.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

topic Re: XDR as "SIEM" (challenge for discussion) in Cortex XDR Discussions