XDR as "SIEM" (challenge for discussion)


L4 Transporter

I wanted to leave a challenge here for discussion in the group.

Why not use XDR as if it were a SIEM, in order to analyze more events with better accuracy, and to create more correlation and data enrichment?

I’m referring to an environment with:
XDR, XSOAR, Palo Alto/FortiGate firewalls, Windows and Linux systems, and O365.


For systems that don’t have direct integration support, you could even use a SYSLOG broker and then centralize all the logs in the XDR.


This way, you would only need to purchase log ingestion space for the XDR.


Does anyone see any issues with this approach?

If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques
1 REPLY

L4 Transporter

Hello @tlmarques ,

 

Greetings for the day.

 

While using Cortex XDR as a SIEM replacement is technically possible using the Pro per GB license model, Palo Alto Networks specifically designed Cortex XSIAM (Extended Security Intelligence & Automation Management) to fulfill this requirement. XSIAM is built on XDR, XSOAR, and Xpanse foundations to automate the manual work typically associated with traditional SIEMs.

 

Using XDR alone as a SIEM involves several technical considerations and limitations regarding data enrichment, correlation, and ingestion.

1. Log Ingestion and Data Modeling:

License Requirement:

Ingesting network, cloud, and third-party logs (such as FortiGate or Microsoft 365) into Cortex XDR requires a Cortex XDR Pro per GB license.

 

Broker VM vs. Native Ingestion:

While you can use a Broker VM with the Syslog Collector applet for third-party systems, logs ingested via syslog often lack the "log stitching" and Enhanced Application Logs (EALs) provided by native integrations like the Cloud Logging Collection Service (CLCS).

 

Third-Party Limitations:

Logs from vendors like FortiGate ingested via syslog may not automatically feed into the Analytics or Causality engines. They often require manual creation of correlation rules and custom parsing rules to extract searchable fields.

 

2. Correlation and Real-Time Detection:

Correlation Latency:

In XDR, correlation rules typically run on a schedule (for example, every 10 minutes) over a customizable data window. XSIAM, by contrast, is optimized for real-time alerts triggered upon single-event ingestion.

Detection Engines:

XDR Analytics and BIOCs (Behavioral Indicators of Compromise) are primarily tuned for normalized logs from supported sensors. Unknown syslog sources usually do not automatically feed these advanced detection engines.

 

3. Potential Performance and Management Issues:

Ingestion Quotas:

XDR Pro per GB licenses calculate usage based on a 7-day average. If high-volume logs (such as firewall traffic) exceed the daily quota, the system may generate notifications and eventually cause processing delays.

Source-Side Filtering:

Licensing costs are incurred upon raw data receipt. To optimize costs, you must implement filtering at the source (Broker VM or Log Sender) to drop unwanted logs before they enter the cloud pipeline.

Endpoint Contention:

Deploying both XDR and traditional SIEM agents on the same endpoint is not considered best practice and can cause performance issues due to resource contention.

Export Limitations:

If you eventually need to forward raw EDR telemetry from XDR to external storage or another tool, the native syslog forwarding feature only supports alerts and audit logs—not comprehensive high-volume endpoint telemetry.

Summary of Comparison:

 

Feature               | Cortex XDR                                      | Cortex XSIAM (SIEM Replacement)
----------------------|-------------------------------------------------|-----------------------------------------------------
Primary Focus         | Endpoint & Network Detection/Response           | Centralized Log Management & SOC Automation
Correlation           | Scheduled rules (every X minutes)               | Real-time ingestion triggers
SaaS/Cloud Visibility | Stitched causality for Microsoft 365 audit logs | Broad ingestion across cloud services & applications
Automation            | Basic response actions                          | Advanced orchestration via integrated XSOAR
NGFW Integration      | Traffic/Threat logs (stitching via CLCS)        | Full log set including System/Auth/GlobalProtect

 

In summary, while Cortex XDR Pro per GB can technically function as a limited SIEM solution, Cortex XSIAM is purpose-built to replace traditional SIEM platforms with real-time detection, broader log ingestion, and advanced automation capabilities.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
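The reply's points about custom parsing of syslog fields, source-side filtering before the per-GB pipeline, and quota usage measured as a 7-day average can be made concrete with a small simulation. The following is an added example written for this discussion; it is not Cortex XDR, Broker VM, or FortiGate code. The key=value field names, the sample log lines, the filtering policy, and the 1 GB = 10^9 bytes convention are all constructed assumptions, and the quota check only illustrates the idea of a rolling 7-day average rather than the vendor's exact licensing formula.

```python
"""Pre-filtering and sizing third-party syslog before per-GB ingestion.

Constructed example for this thread: not Cortex XDR / Broker VM / FortiGate
code.  Sample lines use a FortiGate-style key=value layout, but the field
names, values and the filtering policy are assumptions made for illustration.
"""
import re

# Constructed sample syslog lines (not real telemetry).
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=93.184.216.34 dstport=443 action="accept" level="notice"',
    'date=2024-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.7 '
    'dstip=10.0.0.1 dstport=53 action="accept" level="notice"',
    'date=2024-05-01 time=10:00:03 type="utm" subtype="ips" srcip=203.0.113.9 '
    'dstip=10.0.0.20 dstport=445 action="dropped" level="alert" attack="Sample.Signature"',
    'date=2024-05-01 time=10:00:04 type="traffic" subtype="forward" srcip=198.51.100.4 '
    'dstip=10.0.0.20 dstport=22 action="deny" level="warning"',
    'date=2024-05-01 time=10:00:05 type="event" subtype="system" action="login" '
    'user="admin" status="failed" level="alert"',
]

# key=value where the value is either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumption for this example: license volume counted as 1 GB = 10**9 bytes.
BYTES_PER_GB = 10**9


def parse_kv(line):
    """Turn one key=value syslog line into a dict of searchable fields.

    This is the kind of custom parsing the reply says syslog sources need
    before fields become queryable; quoted values lose their quotes.
    """
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def should_forward(fields):
    """Constructed source-side policy: drop permitted traffic flows, keep the rest.

    Allowed 'traffic' records are typically the highest-volume, lowest-value
    category; denies, UTM/IPS and system events are kept for detection.
    """
    if fields.get("type") == "traffic" and fields.get("action") == "accept":
        return False
    return True


def filter_logs(lines):
    """Apply the policy before the lines would enter a billed pipeline."""
    return [line for line in lines if should_forward(parse_kv(line))]


def size_bytes(lines):
    """Bytes on the wire for a batch of lines (newline-terminated UTF-8)."""
    return sum(len(line.encode("utf-8")) + 1 for line in lines)


def seven_day_average_gb(daily_bytes):
    """Rolling 7-day average volume in GB over the most recent seven daily totals."""
    window = list(daily_bytes)[-7:]
    if not window:
        return 0.0
    return (sum(window) / len(window)) / BYTES_PER_GB


def exceeds_quota(daily_bytes, quota_gb):
    """True when the 7-day average is above the licensed daily quota."""
    return seven_day_average_gb(daily_bytes) > quota_gb


def summarize(lines):
    """Raw versus forwarded counts and bytes for a batch of syslog lines."""
    kept = filter_logs(lines)
    return {
        "raw_count": len(lines),
        "kept_count": len(kept),
        "raw_bytes": size_bytes(lines),
        "kept_bytes": size_bytes(kept),
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOGS)
    print(f"forwarding {stats['kept_count']}/{stats['raw_count']} lines, "
          f"{stats['kept_bytes']}/{stats['raw_bytes']} bytes")
    # Constructed daily totals for one week, in bytes.
    week = [1_200_000_000, 800_000_000, 1_000_000_000, 1_500_000_000,
            900_000_000, 1_100_000_000, 500_000_000]
    print(f"7-day average: {seven_day_average_gb(week):.2f} GB, "
          f"over 0.9 GB quota: {exceeds_quota(week, 0.9)}")
```

The point the simulation makes is the one in the reply: the accept-traffic lines are the bulk of the volume and carry little detection value, so dropping them before the broker forwards anything is where the per-GB cost is controlled, while a single high-volume day only matters insofar as it moves the rolling average.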
