# The Third Generation of XDR Has Arrived!

By [Tim Junio](https://www.paloaltonetworks.com/blog/author/tim-junio/?ts=markdown "Posts by Tim Junio"), Aug 23, 2021

*Announcing Cortex XDR 3.0, the third-generation XDR platform that allows security teams to identify and investigate attacks across all endpoint, network, cloud and identity sources from a single console.*

When we launched Cortex XDR in 2019, it was the first XDR product in the industry. We wanted to provide a modern cloud-based platform leveraging the latest in machine learning, analytics and automation to fight the many cyber attacks businesses face every day. We were driven by the principle that you can identify and stop the most sophisticated cyber attacks **if and only if** you can integrate the right set of security data sources and analyze them in real-time.

Since Cortex XDR's inception, our approach has continually proven itself to be the most effective means of preventing and detecting sophisticated cyber attacks, like [SolarStorm](https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/) and those emulated by the [MITRE ATT&CK Evaluations](https://www.paloaltonetworks.com/cortex/cortex-xdr/mitre).

Today, we released Cortex XDR 3.0, taking a significant step in our mission to know about and stop all cybersecurity attacks. XDR 3.0 extends the key tenets of our XDR platform to cloud environments, ensuring SOC teams can run prevention, detection and response on their cloud assets. The new platform also integrates a rich set of identity data sources and built-in analytics to address a variety of identity-based threats. Importantly, the third generation of XDR will provide utmost flexibility to security teams by allowing them to ingest data from any third-party source and correlate with other native data sources for richer, deeper investigations.

And that's not all! We are also very excited to bring security teams a set of forensic investigation capabilities as an add-on module to XDR 3.0. This offering makes generally available the advanced tools we have been using within Palo Alto Networks' [Unit 42 Security Consulting Group](https://www.paloaltonetworks.com/unit42). Read on for more details!

## New Capabilities in XDR 3.0

**Cortex XDR Extends Native Analytics to Cloud Data, Enabling SOC Teams to Prevent, Detect and Respond to Threats Across Hybrid and Multi-Cloud Environments**

SOC threat monitoring teams rely on threat detection and response platforms for holistic visibility and investigations, but are often left in the dark when it comes to cloud security.
Cortex XDR 3.0 integrates cloud telemetry (including host data, traffic logs, audit logs and data from the Palo Alto Networks Prisma Cloud solution) with non-cloud endpoint, network and identity data, delivering organization-wide threat detection and response. We've added dozens of cloud-specific detection rules targeting common cloud-threat vectors, like cloud escape and cloud-jacking.

![Cortex XDR third generation screen shot monitoring charts of various alerts — incidents by severity, cloud caller locations, top 10 downloaders.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/word-image-19.png)

*With Cortex XDR 3.0 you have the confidence that your cloud assets are protected, and when a threat is detected, you will have more context into the scope of the attack to ensure a more complete response.*

XDR 3.0 also delivers endpoint detection and response (EDR)-level protection for cloud assets, including Windows and Linux virtual machines and Kubernetes containers.

These new cloud capabilities in Cortex XDR 3.0 complement our industry-leading Prisma Cloud solution. Together, they address the unique requirements of both cloud security teams requiring DevOps speed and SOC analysts requiring visibility across their entire enterprise.

## Cortex XDR Expands UEBA Capabilities with Deeper Identity Analytics to Combat Malicious User Activity

Almost all cyber attacks involve compromised identities, which is why analyzing user authentication and access is critical to stopping attacks early in their lifecycle. With Cortex XDR 3.0, we are leveraging ML-based threat detectors against an extensive set of identity data sources, including Active Directory, Identity and Access Management products (including Okta, Ping and Azure AD), human resources (HR) platforms (like Workday) and SASE gateways.
Our HR integration with Workday is particularly important --- XDR 3.0 adds valuable context to identity-related investigations including a user's department, manager, phone number, hire date and other details tied into broader multi-dataset incident and causality views.

![Screenshot showing the third generation Cortex XDR chart of risk score trends and incidents.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/word-image-20.png)

*With a 360-degree user view and historical risk scores, analysts can prioritize investigations on high-risk users and monitor user behavior trends over time.*

**Cortex XDR's Third-Party Data Engine Now Delivers the Ability to Ingest, Normalize, Correlate, Query and Analyze Data from Virtually Any Source**

When it comes to investigations, the more context, the better. Many customers' logging efforts run into scalability and efficiency issues, and SOC analysts often need to look into multiple consoles for an investigation to span their various security data. XDR 3.0 offers new functionality for users to:

* Ingest and normalize any data source, including databases, files, FTP, CSV, Syslog, Windows Event Collection (WEC) and more.
* Allow any data to be correlated with threat activity and tagged with MITRE ATT&CK TTPs to help provide a more detailed picture of adversarial movement.
* Facilitate ad-hoc searching across all third-party data sources using XDR's native query language (XQL), designed and optimized specifically for investigations and threat hunting.

## Built-In Forensics Module Brings Native Forensics Capabilities Used by Palo Alto Networks Unit 42 Elite Incident Responders to Customers and Partners

The ability to perform forensic analysis in-house is critical to fully understand the attack and speed remediation. The XDR Forensics Module eliminates the need for deploying, managing and integrating a separate forensics toolkit for collecting and analyzing historical artifacts from endpoints.
XDR 3.0 collects program execution, file access, browsing activity, event logs, network sessions and other forensic artifacts, and integrates them into the XDR user interface. The Forensics Module also facilitates data collection for offline endpoints, which is important because network isolation is often one of the first response actions to an attack.

![Example of the Cortex XDR 3.0 interface display with notifications and charts.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/08/word-image-21.png)

*A newly designed incident management interface provides the complete story, surfacing all related artifacts, hosts and users with an interactive one-click UI. An at-a-glance view of correlated alerts, mapped to the MITRE ATT&CK framework, enables fast incident scoping.*

## Committed to Creating a Safer, More Secure Future

With these innovations, XDR continues to redefine how security operations teams address complex modern threats and drive greater efficiencies. By tackling the system integration problem of gathering, integrating and analyzing data (and coupling that with the ability to kick off highly optimized and automated workflows), XDR helps solve the challenges of detection, investigation and response at scale in a consolidated manner.

Learn more by registering for our ["Next Has Arrived" launch event](https://start.paloaltonetworks.com/xdr-next-has-arrived.html?utm_source=blog&utm_medium=social&utm_campaign=7014u000001kW7VAAU) in September to hear about this monumental release:

* **A fireside chat from the attacker's view ---** Hear the adversary perspective from Chris Tarbell, former FBI team member who brought down Silk Road, and Hector Monsegur, former "Black Hat" who led the hacker collective Anonymous/LulzSec.
* **An industry panel discussing the defender's view ---** Hear what tools, processes and strategies defenders are prioritizing.
* **An overview and demo of Cortex XDR 3.0 ---** See the new capabilities first-hand and discover how our third-generation XDR innovations equip defenders to level the playing field.