Cortex XDR Privacy Datasheet

The purpose of this document is to provide customers of Palo Alto Networks with the information needed to assess the impact of this service on their overall privacy posture by detailing how personal information may be captured, processed, and stored by and within the service.

Product Summary

Cortex XDR™ by Palo Alto Networks is a cloud-based service that leverages logs, alerts, and information from Palo Alto Networks and third-party security products. It also manages the Cortex XDR agent, which enforces security policies on endpoints, preventing malware and data loss. Cortex XDR performs analytics on data gathered by different sensors within the customer network and integrates endpoint, network, and cloud data to stop sophisticated attacks; correlates security alerts and network logs with the endpoint processes that generated the alerts; and allows customers to investigate security alerts, search for security threats, and remotely respond to threats. Cortex XDR can also automatically scan and analyze endpoints through an on-premises server called Cortex XDR – Pathfinder.

Cortex XDR comprises three different product offerings:

● Cortex XDR Prevent provides endpoint protection focused on security alerts and security events collected by the Cortex XDR agent.
● Cortex XDR Pro includes endpoint protection as well as detection, investigation, and response based on agent, firewall, and cloud data.
● Cortex XDR Managed Threat Hunting is an add-on service for Cortex XDR Pro that offers round-the-clock monitoring by Palo Alto Networks employees on the Unit 42 threat research team to discover advanced attacks in the customer’s organization based on data from Cortex XDR Pro.

Information Processed by Cortex XDR Prevent

Cortex XDR Prevent processes security alerts and security events from the agent, making these visible to the security analyst or Cortex XDR administrator, as described in the following.
Information from Endpoints

Information Collected by Cortex XDR Agents

For Cortex XDR Prevent, information collected by Cortex XDR agents includes alerts and threat information. Alerts in the user interface include information from the endpoint that caused the alerts, including the user and process responsible for the activity:

● Threat logs contain information about all security events logged by the Cortex XDR agent (e.g., malware/exploit preventions, post-detection events, restriction notifications).
● Audit logs contain information about changes to the agent software, policy, or services.

Cortex by Palo Alto Networks | Cortex XDR Privacy | Datasheet | 1

Information Uploaded by Cortex XDR Administrators

To help with troubleshooting of agent functionality or security events, administrators can manually upload the following types of information to Cortex XDR Prevent:

● Tech support file—an aggregation of all endpoint logs and configuration files to aid troubleshooting and diagnosis of system issues.
● Security event data—an aggregation of all forensic data, such as memory dumps, associated with a security event.

The Cortex XDR agent sends these files to Cortex XDR Prevent, where they are available for 30 days. Security event data and tech support files are not transferred to Cortex™ Data Lake.

Information from Active Directory via Directory Sync Service

Optionally, customers can configure Cortex XDR Prevent to read information from the Directory Sync service, which allows the user interface to display more accurate information about devices and users. The Directory Sync service enables Palo Alto Networks cloud-based applications to leverage users, computers, groups, containers, and organizational units (OUs) from customers’ on-premises Microsoft Active Directory® for use in policy and endpoint management. The Directory Sync service uses an on-premises agent to query computer, user, and group attribute data from Active Directory and stores that data in the Directory Sync service. A temporary instance of the Active Directory information is stored in Cortex XDR Prevent for availability and fast response.
Information from Threat Intelligence Lookups

Information from WildFire

The Palo Alto Networks WildFire® malware prevention service identifies previously unknown malware and generates signatures that Palo Alto Networks products can use to detect and block the malware. A Cortex XDR agent can be configured to automatically forward unknown samples to WildFire for in-depth analysis. WildFire analyzes unknown files and email links in a scalable sandbox environment, and then makes the report available within the user interface.

Information from AutoFocus

The Palo Alto Networks AutoFocus™ contextual threat intelligence service receives threat analysis reports and network session information from WildFire. If enabled, these reports and information are also processed and available to view in the Cortex XDR user interface.

Information from VirusTotal

VirusTotal® is a third-party service that inspects items with more than 70 antivirus scanners and URL/domain block-list services. If enabled, when the information in a security event matches information from VirusTotal, that information is processed and available to view in the Cortex XDR user interface.

Information Processed by Cortex XDR Pro

Cortex XDR Pro performs analytics and allows for deep investigation of alerts from multiple sources. This includes logs from Palo Alto Networks Next-Generation Firewalls, Prisma™ Access logs, security events and endpoint activity logs from Cortex XDR agents, and logs and data from third-party security products.

Information from Endpoints

Cortex XDR Pro processes all information processed by Cortex XDR Prevent as listed previously, in addition to the information listed in the following.

Information Collected by Pathfinder

If enabled, Pathfinder automatically logs in and scans endpoints to collect the information shown in Table 1 when devices are newly discovered, anomalous network activity is detected, or an administrator performs an on-demand scan. Pathfinder analyzes the collected information and sends select processes, executables, and modules to WildFire for threat intelligence lookups.

Information Collected by Cortex XDR Agents

Cortex XDR agents can be enabled to collect endpoint activity logs, threat logs, and audit logs on an ongoing basis. These logs can be collected from Windows®, Linux, and macOS® endpoints. To accurately detect threats, enforce security policies, and help with troubleshooting of agent functionality, the logs described in the following sections are forwarded to Cortex Data Lake for processing by Cortex XDR Pro.

Process Activity Logs

Process activity logs contain data about users and how the process is executed. This includes the user who started the process, with name and directory path. The data also contains unique information about the process to help with analytics, including its hash values, thread IDs, and any command line arguments the process uses on execution.

File Activity Logs

File activity logs contain information on operations to specific binaries and applications. This information includes the user or process that renamed or wrote information to the file.

Network Activity Logs

Network activity logs contain information about outgoing and incoming network connections performed by a user, process, or network.
This includes information such as user, process, source and destination IP addresses, ports, protocol, local hostname, remote hostname, and destination country.

Registry Activity Logs

Registry activity logs contain information about Windows registry keys, including the value, type of key, and the name of the key. Information about users or processes that create or change registry keys is also logged.

Event Logs

Event logs contain records of system, security, and application notifications stored by the Windows operating system (OS) and can aid in the investigation of a compromised system.
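Process activity logs capture the full command line, and Table 1 shows a record in which a password was passed to net.exe as an argument, so such records can carry secrets into a data lake or a support case. As an added example (not part of the Palo Alto Networks datasheet and not Cortex XDR's own code), the following Python script parses records in the "Process: ... Started with CMD: ..." shape used in Table 1 and scrubs credential-bearing arguments before the records are retained or shared. The record format, the redaction rules, the `<REDACTED>` marker, and the sample records (one modelled on the net.exe example in Table 1) are constructed for this illustration; the agent's actual on-wire format is not documented on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records in the "Process: ... Started with CMD: ..." shape that
# Table 1 uses for process activity logs. These are illustrative, not agent output.
SAMPLE_RECORDS = [
    'Process: c:\\Windows\\System32\\net.exe user Administrator MyPassword',
    'Process: C:\\Program Files\\7-Zip\\7zFM.exe Started with CMD: '
    '"C:\\Program Files\\7-Zip\\7zFM.exe" "C:\\Users\\MarySmith\\Downloads\\suspicious_file.zip"',
    'Process: /usr/bin/passwd Started with CMD: /usr/bin/passwd alincoln',
    'Process: /usr/bin/mysql Started with CMD: mysql --user=app --password=s3cret -h db.internal',
    'Process: c:\\Windows\\System32\\net.exe Started with CMD: net user Administrator /active:yes',
]

CMD_SEP = "Started with CMD:"
RECORD_RE = re.compile(r"^Process:\s+(?P<body>.+)$")

# Redaction rules, applied to the command line only. The image path is left intact so an
# analyst still sees which binary ran; only the secret-bearing argument is replaced.
REDACTIONS: List[Tuple[re.Pattern, str]] = [
    # "net user <account> <password>": the third positional argument is the password,
    # unless it is a switch such as /active:yes or /add.
    (re.compile(r"(?i)(\bnet(?:\.exe)?\s+user\s+\S+\s+)(?!/)\S+"), r"\1<REDACTED>"),
    # Switch-style secrets: --password=x, -pass x, /pwd:x, --token x. The lookbehind keeps
    # path components such as /usr/bin/passwd from matching.
    (re.compile(r"(?i)(?<![\w./\\])((?:--?|/)(?:password|passwd|pwd|pass|secret|token)[=:\s]+)\S+"),
     r"\1<REDACTED>"),
]


@dataclass
class ProcessEvent:
    image: str      # executable path as logged
    cmdline: str    # full command line, possibly containing secrets


def parse_record(line: str) -> Optional[ProcessEvent]:
    """Split a Table 1 style process record into image path and command line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    if CMD_SEP in body:
        image, cmd = body.split(CMD_SEP, 1)
    else:
        # Records without a CMD part carry the arguments right after the image path.
        image, cmd = body.split(None, 1)[0], body
    return ProcessEvent(image.strip(), cmd.strip())


def redact_cmdline(cmd: str) -> Tuple[str, bool]:
    """Return the command line with secret arguments replaced, and whether anything changed."""
    changed = False
    for pattern, replacement in REDACTIONS:
        cmd, n = pattern.subn(replacement, cmd)
        changed = changed or n > 0
    return cmd, changed


def sanitize(lines: List[str]) -> List[dict]:
    """Parse and redact a batch of records; lines that are not process records are dropped."""
    out = []
    for line in lines:
        ev = parse_record(line)
        if ev is None:
            continue
        clean, changed = redact_cmdline(ev.cmdline)
        out.append({"image": ev.image, "cmdline": clean, "redacted": changed})
    return out


if __name__ == "__main__":
    for rec in sanitize(SAMPLE_RECORDS):
        print(rec)
```

The rules are deliberately narrow: a username handed to `passwd` is not a secret and stays visible, and `net user Administrator /active:yes` is left alone because the positional argument is a switch, so the analyst keeps the context the record was collected for while the password itself never reaches storage. The `redacted` flag lets a pipeline count how often secrets show up in command lines, which is itself a useful hygiene metric.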
Miscellaneous Information

Miscellaneous information that describes the operating system and hashes of files on the endpoint is also collected. Change events related to user logins or logouts, and changes to the Windows OS, such as reboots and agent restarts, are also collected.

Information from Firewall Logs

Cortex XDR Pro is able to process logs and security events from both Palo Alto Networks firewalls and third-party firewalls.

Information from Palo Alto Networks Firewalls

The customer can fully configure which of the available types of logs to send to Cortex Data Lake. Cortex XDR Pro analyzes firewall traffic logs, which contain basic information about internal and external network connections. Cortex XDR Pro also analyzes URL Filtering logs, which contain information about websites accessed by devices and users. Cortex XDR Pro also processes security alerts, which contain information about security violations or threats in a customer network. Finally, Cortex XDR Pro analyzes enhanced application logs, which contain information about how devices are connected to the internal network, such as Dynamic Host Configuration Protocol logs when a device joins a Wi-Fi network, and the types of requests devices make to other hosts, such as DNS queries and responses. Analysis identifies network connectivity patterns from users and devices. Alerts are triggered and automatically grouped into incidents using detection algorithms that compare current network and application patterns against historical and peer-group patterns.

Information from Third-Party Firewalls

Cortex XDR Pro analyzes traffic logs, sometimes called session logs, from third-party firewalls. Cortex XDR Pro also processes security alerts from third-party firewalls.

Information from Domain Controllers

Event logs from domain controllers (DCs) can be forwarded to Cortex XDR for processing. These event logs contain information about user authentication attempts within the network.
Information from Third-Party Authentication Providers

Logs from single sign-on (SSO) authentication providers (Okta® Verify, PingID®, and Azure® Active Directory) can be forwarded to Cortex XDR for processing. These logs contain information about user authentication attempts to company resources, such as software as a service (SaaS) applications.

Information Processed by Cortex XDR Managed Threat Hunting

The Cortex XDR Managed Threat Hunting service processes, in read-only format, all information processed by Cortex XDR Pro as listed previously.

Purpose of Information Processed by Cortex XDR

All information processed by Cortex XDR allows the customer to view on the user interface all alerts generated by the covered customer’s security and networking products, as well as manage and configure the endpoint agents and security policies. The interface also provides customers with the ability to view the description of the alerts, and with options to analyze the alerts in more detail through information in the Cortex Data Lake or from information collected by the Cortex XDR agent.
For Cortex XDR Pro, the interface also allows customers to search through the logs in Cortex Data Lake as well as create and apply rules that can generate alerts by analyzing such logs. The Cortex XDR Pro service can identify user and device patterns across the network as well as detect anomalies from such patterns.

For customers using the Cortex XDR Managed Threat Hunting service, Cortex XDR data from each customer is processed by applying detection algorithms as well as manual searching, viewing, and validation to uncover new threats. Any new threat discovered triggers an incident with a report for review in the customer’s Cortex XDR user interface so that the customer can determine which incidents require additional investigation and reach out to affected end users.

The information Cortex XDR processes can be grouped into five categories, described here. This information provides context for security analysts investigating alerts or searching for threats in their environments.

1. User Information
User information is used to associate patterns of activity with a specific user’s network account. This helps security teams attribute anomalous network activity or processes to a more reliable source, whether an individual or a shared account, rather than relying only on the IP address.

2. Device Information
Device information—in the form of hostnames, fully qualified hostnames, and MAC addresses—is used to identify the source and destination of anomalous network and endpoint activity, which could be a laptop, workstation, server, internet-connected device, or network infrastructure device. This helps security teams investigate anomalous activity even when it cannot be attributed to a specific user.

3. Network Addresses
Network addresses—in the form of IP subnets or IP addresses—are used to identify the sources and destinations of anomalies. This helps security teams investigate anomalous activity even when it cannot be attributed to a specific user account or network device. It also helps security teams investigate possible attacks targeting high-risk servers or parts of the network.

4. Endpoint Information
Endpoint information—in the form of executable files, loaded modules and processes, event and system logs, and file and registry activity—is used to identify the digital source of anomalous network activity and alert security teams to potential zero-day attacks. This also helps security teams authorize network activity related to software or users performing their job functions, such as administrators using specific tools.

5. Other Information
Other information, such as URLs and domains, can help identify the destination or possible source of network activity. Websites often contain malicious payloads or can be used as servers to control internal devices.
Examples of Information Processed by Cortex XDR Prevent, Pro, and Managed Threat Hunting Service

Table 1: Information Processed by Cortex XDR Prevent, Pro, and Managed Threat Hunting (MTH)

Category | Source | Info Processed by Cortex XDR | Example(s) | Processed By
User Info | Firewall logs, Cortex XDR agent logs, and Directory Sync service | Domain and username | company\johnsmith | Prevent, Pro, and MTH
User Info | Cortex XDR agent logs (Windows) | Username | Jsmith or Jane.Doe | Prevent, Pro, and MTH
User Info | Cortex XDR agent logs (Linux) | Username | root or postgres or mysql | Prevent, Pro, and MTH
User Info | Cortex XDR agent | Workgroup | Marketing-Group | Prevent, Pro, and MTH
User Info | Directory Sync service | User distinguished name | CN=Username1, OU=Americas, OU=Users, OU=Company, DC=Company, DC=Local | Prevent, Pro, and MTH
User Info | Directory Sync service | Full name or display name | John W. Smith | Prevent, Pro, and MTH
User Info | Firewall logs and Directory Sync service | Email address | [email protected] | Pro and MTH
User Info | Directory Sync service | Organization unit from Active Directory | Company/Users/Americas | Prevent, Pro, and MTH
User Info | Directory Sync service | Phone number | 444-555-6666 | Prevent, Pro, and MTH
User Info | Pathfinder | Username | Johnsmith | Pro and MTH
User Info | Windows Event Collector | Username | company\johnsmith or Johnsmith | Pro and MTH
User Info | SSO Authentication Logs | Username | Johnsmith | Pro and MTH
User Info | SSO Authentication Logs | Email Address | [email protected] | Pro and MTH
User Info | SSO Authentication Logs | Company Name | my_company | Pro and MTH
Device Info | Palo Alto Networks firewall logs (enhanced application log) | MAC address | 00-11-22-AA-BB-CC | Pro and MTH
Device Info | Cortex XDR agent logs | Hostname of devices | ABCD-WIN-LAPTOP; 123-MACBOOK | Prevent, Pro, and MTH
Device Info | Palo Alto Networks firewall logs (enhanced application log) | Hostname of devices | ABCD-WIN-LAPTOP; 123-MACBOOK | Pro and MTH
Device Info | Firewall logs (enhanced application log) | Domain name | www.google.com; www.badsite.com; internalserver.company.com | Pro and MTH
Device Info | Firewall logs | Other names used by firewall configuration | vsys1 or trust-zone or untrust-zone or US-DMZ | Pro and MTH
Device Info | Directory Sync service | Host distinguished name | CN=Computer1, OU=Region, OU=Computers, OU=Company, DC=Company, DC=Local | Prevent, Pro, and MTH
Device Info | Directory Sync service | Organizational unit | Company/Computers/Region | Prevent, Pro, and MTH
Device Info | Directory Sync service | Operating system | Windows 10 Enterprise | Prevent, Pro, and MTH
Device Info | Directory Sync service | Operating system version | 10.0 (14393) | Prevent, Pro, and MTH
Device Info | Firewall logs | Name of firewall | NA-Firewall or DC1-Firewall | Pro and MTH
Device Info | SSO Authentication Logs | Name of zone | Company_IP_Zone1 | Pro and MTH
Network Addresses | Cortex XDR agent logs | IP address or subnet (e.g., source device, destination device) | 10.1.1.10, 10.10.10.10, 192.168.1.16, 172.16.0.0/16 | Prevent, Pro, and MTH
Network Addresses | Cortex XDR agent logs | IP address of network infrastructure devices (e.g., NAT devices, routers, DNS servers, DHCP servers, domain controllers, mail servers) | 10.1.1.1, 192.168.1.254 | Prevent, Pro, and MTH
Network Addresses | Firewall logs | IP address or subnet (e.g., source device, destination device) | 10.1.1.10, 10.10.10.10, 192.168.1.16, 172.16.0.0/16 | Pro and MTH
Network Addresses | Firewall logs | IP address of network infrastructure devices (e.g., NAT devices, routers, DNS servers, DHCP servers, domain controllers, mail servers) | 10.1.1.1, 192.168.1.254 | Pro and MTH
Network Addresses | SSO Authentication Logs | Source IP Address; Destination IP Address | 100.100.100.100 | Pro and MTH
Endpoint Info | Pathfinder | List of running processes, loaded modules, installed executables, and their command arguments | C:\Windows\System32\svchost.exe; C:\Program Files\Microsoft Office\office15\excel.exe -dde | Pro and MTH
Endpoint Info | Pathfinder | Installed and portable executable files, loaded modules, autoruns, and their command arguments | C:\Windows\System32\ping.exe server.company.com; C:\Program Files\Realtek\audio\hda\ravbg64.exe /im | Pro and MTH
Endpoint Info | Cortex XDR agent | Installed programs, including working directory | C:\Program Files\Nmap\Nmap.exe | Prevent, Pro, and MTH
Endpoint Info | Cortex XDR agent (Windows) | Process activity logs | Process: c:\Windows\System32\net.exe user Administrator MyPassword; Process: C:\Program Files\7-Zip\7zFM.exe Started with CMD: “C:\Program Files\7-Zip\7zFM.exe” “C:\Users\MarySmith\Downloads\suspicious_file.zip” | Prevent, Pro, and MTH
Endpoint Info | Cortex XDR agent (Linux or macOS) | Process activity logs | Process: /usr/bin/passwd Started with CMD: /usr/bin/passwd alincoln | Prevent, Pro, and MTH
Endpoint Info | Cortex XDR agent (Windows) | File activity logs | Type: File Create Path: C:\Users\JDo\Desktop\Data.zip.tmp; Type: File Rename Path: C:\Users\JDo\Desktop\Data.zip | Pro and MTH
Endpoint Info | Cortex XDR agent (Linux or macOS) | File activity logs | Type: File Read Path: /home/alincoln/a.txt or Type: File Read Path: /Users/alincoln/a.txt | Pro and MTH
Endpoint Info | Cortex XDR agent (Windows, Linux, and macOS) | Network activity logs | Type: Network Outgoing Source: 10.201.113.22:2563 to 192.168.1.100:443 (server.company.com) | Pro and MTH
Endpoint Info | Cortex XDR agent (Windows) | Registry activity logs | Type: Registry Key Create Key: HKEY_USERS\S-1-5-21-937295531-4040087734-563264647-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU Value: null | Pro and MTH
Endpoint Info | Cortex XDR agent | Endpoint event logs | Task Scheduler started “CUSTOM-NAME” task for user “COMPANY\PC1”; Starting periodic policy processing for user DEMO-CORP\Administrator | Pro and MTH
Endpoint Info | Cortex XDR agent (Windows, Linux, and macOS) | Miscellaneous logs | Host Status: Logon; Host Status: Logoff | Pro and MTH
Other Info | Palo Alto Networks firewall logs (URL filtering logs and enhanced application logs) and possibly third-party firewall logs | URLs | https://outlook.office365.com/EWS/Exchange.asmx; https://mg.mail.yahoo.com/neo/m/launch?&filterBy=&fid=Inbox&fidx=1&ac=DST-VMBzTbaVaamXPZAndcVW-Z22g-&rand=1966219345&nsc; https://www.linked.com/johnsmith | Prevent, Pro, and MTH
Other Info | SSO Authentication Logs | Geolocation | San Jose, California, US; latitude: 11.111111, longitude: -22.2222 | Pro and MTH
Other Info | Tech support file (if a support case is open) | Agent logs, including agent settings, agent actions, security events; Windows OS event logs: Application, HardwareEvents, Security, System; Custom event logs: “Palo-Alto-Networks”; Certificates and Certificate Stores; Firewall settings | | Prevent, Pro, and MTH
Other Info | Security event file | Memory dump, recently opened documents as cached by the application related to the security event; Browser open tabs; File metadata: file extension, file size, creation date, last modified, file version, signer, trusted, last accessed | | Prevent, Pro, and MTH
Summary of Data Sources

Table 2: Data Sources Customers Can Enable and Configure*

Data Category | Configuration Possible?
Palo Alto Networks Next-Generation Firewall | Yes, by policy (source, user, destination)
Palo Alto Networks Cortex XDR agent | Yes, by policy (user, device)
Palo Alto Networks Directory Sync service | Yes, one or more Active Directory domains
Pathfinder, through Broker VM | Yes, enabled by network segment
Third-party firewalls | Yes, by firewall configuration
Domain controllers (DC) through event log forwarding | No, enabled per DC; actual event logs from the DC cannot be changed by customer
Authentication logs from SSO providers | No, must be enabled across entire organization
Uploaded/Retrieved items (e.g., support file or retrieved files) | No, must be enabled by the administrator for all endpoints

*By default, these data sources are disabled.

How Cortex XDR Addresses EU Data Protection Laws

Processing personal data to ensure network and information security—for instance, through the Security Operating Platform® and Cortex products—is broadly recognized as a legitimate interest and is specifically called out as such in the EU General Data Protection Regulation:

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.1

Where a service provider, such as Palo Alto Networks, processes personal data to ensure network and information security, this is a legitimate interest of the service provider and its customers. Such legitimate interest provides a basis for the processing of personal data by Palo Alto Networks under EU data protection laws. This legitimate interest generally also provides a basis for customers analyzing personal data through Cortex XDR, in accordance with privacy or regulatory requirements that may prevent customers from sharing certain data. In such an event, customers can limit data processing or access to data by using their privacy options, as described herein, when configuring their firewalls.

1 GDPR, recital 49; see also Article 29 Working Party Opinion 06/2014 on the notion of legitimate interest of the data controller, WP217, adopted 9 April 2014, p. 24–25.

How Palo Alto Networks Complies with Data Protection Rules

Palo Alto Networks is committed to protecting personal data processed by Cortex XDR. We will not access the content of the information in a way that would allow us to acquire meaningful information about natural persons except where it is necessary for identifying security threats or investigating suspicious activities indicative of attacks. Any logs stored on or processed by Palo Alto Networks systems are secured with state-of-the-art technologies, and Palo Alto Networks operates rigorous technical and organizational security controls. Logs and information forwarded to a given regional data center will be kept in that region. As Palo Alto Networks is a multinational company, there may be a need, in some cases, to share logs and information with Palo Alto Networks offices in other regions. We will do so in compliance with applicable requirements for transfer of personal data, including the EU Standard Contractual Clauses as approved by the European Commission, or other legal instruments for the transfer of personal data, provided for in EU data protection law.

Subprocessors

Data processed by Cortex XDR is hosted in Google Cloud Platform (GCP®) data centers in the regions the customer selects.

Customer Privacy Options

Customers can designate a Cortex XDR region, among those available, for the storage and processing of their data. Customers may also assign each Cortex XDR instance to a regional instance of Cortex Data Lake and Directory Sync service. Accordingly, Cortex XDR, Cortex Data Lake, and Directory Sync service data is stored in the chosen region.
The Cortex XDR Managed Threat Hunting tenant will also run in the same region. Access by the Cortex XDR Managed Threat Hunting team is global. While travelling, Cortex XDR agents will be able to query the closest region for a hash verdict from WildFire, but they will only upload files for analysis to the chosen region. Customers’ system administrators can use the granular policy settings in Cortex XDR to manage or restrict uploads of unknown files to WildFire as well as select which file formats to upload to WildFire. Customers can configure job roles to limit the functions of the administrator or security analysts, such as gathering support files from the Cortex XDR agent or allowing read-only access to the Cortex XDR user interface.

Retention

Cortex XDR applies retention policies that purge data once it is no longer needed for the purpose for which it was collected. Cortex XDR retains copies of the most recent three days of logs. It also aggregates logs into summary logs for efficient processing and stores these for 30 days. To enable customers to perform queries in a timely manner, Cortex XDR processes and stores copies of query results. Older copies will be deleted as the temporary storage reaches capacity, and all copies are deleted upon termination of the service. If an algorithm or rule triggers an alert, Cortex XDR retains the processed information for 180 days for the purposes of investigation.

If enabled, endpoint and user information collected by Pathfinder will be available in Cortex XDR for 30 days if there are no alerts attributed to that endpoint or user. If alerts are attributed to an endpoint, information collected by Pathfinder will be available for 180 days to give security analysts the information they need for investigation at a later time. If collected, endpoint activity logs from Cortex XDR agents will be available in the Cortex Data Lake for 30 days or as configured by the customer.

Upon termination of the Cortex XDR service, the information generated by Pathfinder as well as all data in Cortex XDR will be marked for deletion. Upon expiration of the Cortex XDR Managed Threat Hunting license, the service and access to the data by the Managed Threat Hunting team will be phased out within seven days. Upon termination of the Cortex XDR service, access to the user interface and collection of agent logs are disabled after two days, while firewall logs are processed by Cortex XDR for up to 30 days after termination. Afterward, data in active systems in Cortex XDR will be marked inactive and removed from the active systems. Permanent deletion of all data may take up to an additional 180 days.

Access and Disclosure

Access by Customers

Customers can access the information about the alerts through the Cortex XDR user interface, including WildFire reports, if applicable to the alert. Customers can also access information about endpoint activity logs and firewall logs through the Cortex XDR user interface. Additionally, to access firewall and Prisma Access logs in Cortex Data Lake, customers can use the Panorama™ network security management interface and the Explore app.
If enabled, Cortex XDR processes enhanced application logs separately from other logs within Cortex Data Lake. Customers can view the results of such processing through the Cortex XDR user interface. To access the Cortex XDR user interface, customers must configure roles for users in their organization. Depending on the role assigned, a user may be able to view only certain screens or may be limited to performing certain actions. For more details, see the technical documentation about Cortex XDR roles.

Access by Palo Alto Networks

Access to information in Cortex XDR and Cortex Data Lake is restricted to Palo Alto Networks Site Reliability Engineers (SREs), threat research and analytics teams, and—when a support case is opened—customer support teams. Access is allowed for the purposes of troubleshooting, solving issues, and improving the effectiveness of security protections. All access is recorded and audited. Access privileges are managed by Engineering leadership. When a customer initiates the Cortex XDR Managed Threat Hunting service, this automatically grants read-only access by Palo Alto Networks to the Cortex XDR tenant. Additionally, the Cortex XDR Managed Threat Hunting service has write access to the customer's Cortex XDR service solely to generate incidents with reports.
Security of Data

Palo Alto Networks has achieved SOC 2 Type II certification for Cortex Data Lake and Cortex XDR to demonstrate its strong security policies and internal controls environment. For information about security protections in the data centers where Cortex XDR data resides, please visit the Google Compliance resource center. Information processed by Cortex XDR is encrypted both in transit and at rest. Logs from third-party firewalls and Windows event logs from domain controllers are sent to an on-premises broker VM, encrypted in transit, and sent to Cortex XDR Pro in the region the customer selects.
Resources

See the following resources for additional information about Cortex and related Palo Alto Networks products and services:

● Cortex XDR
● Cortex Data Lake
● Panorama
● Palo Alto Networks hub
● Explore app
● Directory Sync service
● WildFire
● Trust Center
● Cortex XDR Managed Threat Hunting

Other Information

Multiple elements of Palo Alto Networks services work directly with Cortex XDR.

Cortex Data Lake

Cortex Data Lake is a cloud-based logging infrastructure that lets customers centralize the collection and storage of logs generated by Cortex XDR agents, Next-Generation Firewalls, Prisma Access, and third-party products.

WildFire

WildFire is a malware prevention service that identifies previously unknown malware and generates signatures that Palo Alto Networks Next-Generation Firewalls and Cortex XDR agents can use to detect and block the malware. When an agent detects an unknown sample, such as attempts to run a macro, DLL, or executable file, Cortex XDR can be configured to automatically forward the sample to WildFire for in-depth analysis. WildFire analyzes unknown files and email links in a scalable sandbox environment.

About This Datasheet

Please note that the information provided with this paper concerning technical or professional subject matter is for general awareness only, may be subject to change, and does not constitute legal or professional advice, warranty of fitness for a particular purpose, or compliance with applicable laws.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.