In a lot of conversations recently I've found that many, many people are confused by the names and functions of Cortex - especially given the rapid expansion of the platform. In this post I'm going to try to distill the basics of each product with as little jargon as I can and help people figure out which things they are and are not looking for from the platform.
"Cortex"-> name of the overall product platform for enabling Security Operations teams, technologies, and workflows. All other components referenced below are a part of this platform
Cortex XDR Prevent-> Endpoint Protection agent. Table of capabilitieshere. Modules and OS coveragehere. This solution is designed to protect endpoints from various types of compromise and builds upon the concepts of Anti-Virus and NGAV that the industry have leveraged for years. This includes, but is not limited to, the protections of our legacy endpoint protection tool "Traps"
Cortex XDR Pro (for endpoint)-> same agent as above, but with EDR functionality enabled. EDR gathers important forensic data from endpoints and feeds into the combined Cortex platform (architecture described here) to allow Palo Alto Networks to detect many more types of threats in your environment. Detection coverage discussed within our docshere (see sections that include 'XDR agent' as data sources) as well asanalyzed by MITRE, a 3rd party organization.
Cortex XDR Pro (per TB)-> same Cortex platform for analytics and threat detection, but augmenting the EDR data set with Firewall logs and 3rd party data. Seehere to understand use case coverage (all sections that do not require the XDR agent can be accomplished with this license alone).
Cortex XSOAR -> Orchestration and Automation platform for designing, documenting, and automating security and incident response workflows. Some top use cases are referencedhere
This has many, many applications. For example, when acquiring or merging with another business it can allow you to do strong due diligence on their security posture before your unify your organizations or complete a purchase.
Or when a new vulnerability is released such as CVE-2021-21985 and Ars Technica writes that Shodan has already discovered 5K vulnerable servers on the internet on the same day, you might be thinking 'uh oh, is one of them ours? do we need to go into full incident response mode?". Normally you'd go try to pull some asset inventory or something to figure it out, but hey maybe someone spun up something you didn't know about in an IaaS provider and it isn't encompassed in there. That's stressful ... well XPanse, by scanning the whole internet, would be able to tell you if you needed to get to work ASAP or if you can sit this one out!