# Stopping Cross-Domain Attacks with Cortex XDL + Cortex XSIAM

By [Dena De Angelo](https://www.paloaltonetworks.com/blog/author/ddeangelo/?ts=markdown "Posts by Dena De Angelo"), Oct 02, 2025, 7 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

Tags: [Atlas Lion](https://www.paloaltonetworks.com/blog/tag/atlas-lion/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown), [Cortex XDL](https://www.paloaltonetworks.com/blog/tag/cortex-xdl/?ts=markdown), [Email Security](https://www.paloaltonetworks.com/blog/tag/email-security/?ts=markdown), [endpoint security](https://www.paloaltonetworks.com/blog/tag/endpoint-security/?ts=markdown), [Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown), [security analytics](https://www.paloaltonetworks.com/blog/tag/security-analytics/?ts=markdown), [Security Automation](https://www.paloaltonetworks.com/blog/tag/security-automation/?ts=markdown), [security data lake](https://www.paloaltonetworks.com/blog/tag/security-data-lake/?ts=markdown), [SIEM](https://www.paloaltonetworks.com/blog/tag/siem/?ts=markdown), [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown), [threat intelligence](https://www.paloaltonetworks.com/blog/tag/threat-intelligence/?ts=markdown), [unified security data](https://www.paloaltonetworks.com/blog/tag/unified-security-data/?ts=markdown)

## **The Invisible Crisis in Your Security Operations**

Picture this: your security team is drowning in an ocean of alerts while sophisticated attackers move through your environment undetected. Each security tool (endpoint protection, email gateways, network monitors, cloud security platforms) generates its own stream of data in its own incompatible format. Your analysts spend their days playing detective, manually connecting dots across disconnected systems while threats evolve at machine speed.

This isn't just an operational headache; it is a security gap that attackers actively exploit. According to [Unit 42's Global Incident Response Report 2025](https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report), 75% of security incidents had evidence scattered across logs, but data silos prevented detection. Even more alarming, the same report finds that in nearly one in five cases, data exfiltration now occurs *within the first hour* of compromise, leaving security teams minimal time to detect and respond.
When identity becomes the beachhead for sophisticated attacks, only a unified, AI-ready data foundation can deliver the timely, cross-domain detection that modern threats demand. The siloed security architectures of the past simply cannot keep pace with today's identity-driven attacks.

## **Real-World Impact: The Atlas Lion Campaign**

The tactics of Atlas Lion (also tracked as STORM-0539) demonstrate why unified data matters. This financially motivated threat actor has perfected cloud-first, long-dwell identity operations, particularly against retail organizations, through a methodical four-stage approach:

1. **Initial Access:** Atlas Lion launches carefully crafted phishing and smishing campaigns that direct victims to counterfeit Microsoft 365 portals: tailored, convincing replicas designed to harvest credentials from specific targets.
2. **Reconnaissance:** Once inside, the attackers methodically mine SharePoint and OneDrive repositories for organizational charts, workflow documentation, and remote access guides, building a detailed operational map of the target organization.
3. **Lateral Movement:** Armed with this intelligence, Atlas Lion launches internal phishing campaigns from compromised Office 365 mailboxes. Because these messages come from real colleagues' accounts, they are exceptionally difficult to identify as threats.
4. **Persistence:** The attackers establish multiple stealth mechanisms: inbox rules that hide their activity, moving sent emails to the Deleted Items folder, registering rogue authenticator apps, and enrolling unauthorized devices to evade multi-factor authentication.

## **The Gift Card Angle**

Atlas Lion's focus on gift card fraud represents the perfect criminal opportunity: rapid monetization with minimal traceability, weak access controls despite high monetary values, broad internal permissions granted for business operations, and limited audit logging compared to traditional financial systems.
## **Detection in Cortex**

The Atlas Lion campaign triggered multiple Cortex detection layers:

* Inbox forwarding rule configured from a suspicious location
* Sent emails systematically moved to Deleted Items
* Suspicious SSO access from an unusual ASN
* Impossible-traveler patterns across authentication events
* Massive SaaS application data downloads
* SSO authentication from a new operating system

None of these signals is conclusive on its own; a new inbox rule or a sign-in from a new operating system is routine in isolation. Their value comes from landing on the same identity within a short window, which is exactly what siloed tooling cannot see.

## **Why Traditional Architectures Miss These Attacks**

The Atlas Lion campaign illustrates why siloed security architectures fail against sophisticated threats:

**Incompatible Data Formats:** Email security systems record suspicious login attempts differently than identity providers, making automatic correlation nearly impossible. An endpoint agent might log a device enrollment while the email gateway separately flags a forwarding rule, but without unified data these related events appear as isolated incidents.

**Timing Drift Across Systems:** Events that occur within milliseconds of each other can appear minutes apart across different security tools because of clock synchronization issues and processing delays. This drift makes it difficult to reconstruct the true attack sequence and establish causation.

**Lost Context in Data Pipelines:** Critical context gets stripped away as data moves between tools. A suspicious login might lose its connection to the user's recent email activity or the device's security posture, making it impossible to assess the full risk.

**Scale Limitations of Rule-Driven Correlation:** Traditional SIEM platforms struggle to correlate data across multiple domains simultaneously. They are forced to choose between comprehensive visibility and fast response times, often sacrificing one for the other.
## **How Cortex XDL Changes the Game**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/10/word-image-345731-1.png)

Cortex Extended Data Lake (XDL) fundamentally transforms security operations by creating the industry's most advanced AI-ready security data foundation. This isn't just another data collection system; it is the enabler of truly platformized security operations.

### **Collect Once, Analyze Infinitely**

Cortex XDL's unified approach delivers what we call "collect once, analyze infinitely" efficiency. Rather than each security tool maintaining its own siloed data collection and storage infrastructure, Cortex XDL serves as the foundational data layer, centralizing ingestion while making this rich dataset available to every security module that needs it.

The transformative power lies in having **all your security data unified within Cortex XDL's foundation**. This data lake becomes the bedrock for specialized security modules. When you enable Advanced Email Security, it immediately leverages endpoint and network context already present in the platform. When you deploy Exposure Management, it instantly correlates vulnerability data with actual network activity and user behavior patterns captured across your environment.

As an extensible platform, Cortex XDL doesn't perform detection itself; instead, it empowers a growing ecosystem of purpose-built security modules to tackle any security use case. Each new capability becomes more powerful because it builds upon the complete, contextualized data foundation that Cortex XDL provides. This architecture ensures that adding new security capabilities enhances rather than fragments your security posture.

### **Universal Normalization and Stitching**

Cortex XDL automatically translates data from hundreds of security tools into a common schema, enabling correlation across previously incompatible systems. Identity events, SaaS activity, email communications, endpoint telemetry, and network traffic all speak the same language, making cross-domain analysis possible.

### **Real-Time Enrichment at Ingestion**

As data enters Cortex XDL, it is automatically enriched with threat intelligence, asset context, user behavior baselines, and environmental information. Because this enrichment happens at ingestion time, security analysts and AI algorithms always have complete context for every security event.

### **AI-Optimized Data Structure**

Unlike generic data lakes, Cortex XDL structures security data specifically for machine learning. Pre-computed features, relationship mapping, and behavioral baselines enable AI models to identify subtle attack patterns that would be computationally impractical to find in raw, unstructured data. This foundation powers over **10,000 pre-built detectors and 2,600 ML models** that continuously analyze security events.

### **Enterprise Scale Without Compromise**

Cortex XDL handles **11+ petabytes of security data daily**, automatically normalizing and pre-stitching raw telemetry into AI-ready intelligence. The platform maintains sub-second query response times across months of historical data, enabling real-time analysis at scale.
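To make the normalization-and-stitching step concrete, and to show how the Atlas Lion detection signals listed earlier (impossible traveler, sign-in from an unusual ASN, SSO from a new operating system, an inbox rule that hides mail) only become meaningful once identity and mailbox telemetry share one schema, here is an added, self-contained Python example. It is not Cortex XDL or XSIAM code: the two input record shapes, the 40-second clock skew on the mailbox source, the one-hour correlation window, the "first sign-in as baseline" simplification and all sample events are constructed assumptions for illustration.

```python
"""Added example: stitch identity and mailbox telemetry into one schema and
correlate it per user. Sample events, field names, skew and thresholds are
constructed assumptions, not Cortex XDL internals."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Constructed telemetry. Shapes loosely mimic an identity provider's sign-in log
# and a mailbox audit log; neither is a real vendor schema.
IDP_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-09-30T08:00:00Z",
     "ipAddress": "203.0.113.10", "country": "US", "os": "Windows 11", "asn": 64496},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-09-30T08:41:10Z",
     "ipAddress": "198.51.100.7", "country": "MA", "os": "Linux", "asn": 64511},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-09-30T09:00:00Z",
     "ipAddress": "203.0.113.11", "country": "US", "os": "Windows 11", "asn": 64496},
]
MAILBOX_AUDIT = [  # no zone marker, and this system's clock runs ~40 s fast
    {"UserId": "ALICE@EXAMPLE.COM", "CreationTime": "2025-09-30T08:43:02",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Deleted Items"},
                    {"Name": "SubjectContainsWords", "Value": "gift card"}]},
    {"UserId": "bob@example.com", "CreationTime": "2025-09-30T09:05:00",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.11",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Receipts"}]},
]
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}

@dataclass(frozen=True)
class Event:
    """Common schema both sources are translated into."""
    user: str
    ts: datetime
    source: str            # "idp" | "mailbox"
    action: str            # "signin" | "inbox_rule"
    ip: str
    country: Optional[str] = None
    os: Optional[str] = None
    asn: Optional[int] = None
    rule_target: Optional[str] = None  # folder or forwarding address of an inbox rule

def parse_ts(raw: str, skew: timedelta = timedelta(0)) -> datetime:
    """ISO-8601 -> aware UTC, minus the source's measured clock skew."""
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts - skew

def normalize_idp(r: dict) -> Event:
    return Event(r["userPrincipalName"].lower(), parse_ts(r["createdDateTime"]), "idp", "signin",
                 r["ipAddress"], country=r["country"], os=r["os"], asn=r["asn"])

def normalize_mailbox(r: dict, skew: timedelta = timedelta(seconds=40)) -> Event:
    p = {x["Name"]: x["Value"] for x in r.get("Parameters", [])}
    return Event(r["UserId"].lower(), parse_ts(r["CreationTime"], skew), "mailbox", "inbox_rule",
                 r["ClientIP"], rule_target=p.get("ForwardTo") or p.get("MoveToFolder"))

def hides_mail(ev: Event) -> bool:
    """Rule forwards outside the user's domain or files mail where nobody looks."""
    target = (ev.rule_target or "").lower()
    if "@" in target:
        return target.rsplit("@", 1)[1] != ev.user.rsplit("@", 1)[1]
    return target in HIDING_FOLDERS

def detect(events: Iterable[Event], window: timedelta = timedelta(hours=1),
           slack: timedelta = timedelta(minutes=2)) -> list:
    """Stitch per user and emit findings. The user's first sign-in stands in for a
    behavioral baseline (a real system would use weeks of history); `slack` tolerates
    residual drift so a rule logged just *before* its sign-in still pairs with it."""
    findings, by_user = [], {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        signins = [e for e in evs if e.action == "signin"]
        if not signins:
            continue
        base = signins[0]
        for prev, cur in zip(signins, signins[1:]):   # impossible traveler
            if cur.country != prev.country and cur.ts - prev.ts <= window:
                findings.append({"rule": "impossible_traveler", "user": user,
                                 "detail": f"{prev.country}->{cur.country} in {cur.ts - prev.ts}"})
        for s in signins[1:]:                          # SSO from a new operating system
            if s.os != base.os:
                findings.append({"rule": "new_os", "user": user, "detail": f"{base.os}->{s.os}"})
        for rule in (e for e in evs if e.action == "inbox_rule" and hides_mail(e)):
            # cross-domain: mailbox event paired with a sign-in from an unusual ASN
            risky = [s for s in signins if s.asn != base.asn and -slack <= rule.ts - s.ts <= window]
            if risky:
                findings.append({"rule": "hiding_rule_after_unusual_asn_signin", "user": user,
                                 "detail": f"{rule.rule_target!r} {rule.ts - risky[0].ts} after ASN {risky[0].asn}"})
    return findings

def run_demo() -> list:
    events = [normalize_idp(r) for r in IDP_SIGNINS] + [normalize_mailbox(r) for r in MAILBOX_AUDIT]
    return detect(events)

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['user']}: {f['rule']} ({f['detail']})")
```

Run stand-alone, the script reports three findings, all for `alice@example.com`, and none for `bob@example.com`, whose inbox rule files mail in an ordinary folder and follows a sign-in from the baseline ASN. Note the two details the "why traditional architectures miss these attacks" section calls out: the mailbox source has no time zone and a skewed clock, so it is corrected at normalization time rather than compared raw, and the rule is tied to the sign-in that created it with a small negative tolerance so residual drift does not break the pairing.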
## **The Outcomes You Can Expect**

Organizations implementing Cortex XDL see transformational improvements across their security operations:

* [**98% reduction in Mean Time to Resolution (MTTR)**](https://www.paloaltonetworks.com/blog/2025/04/introducing-cortex-xsiam-3-dot-0/) through automation and unified context that eliminates manual correlation work
* [**99% reduction in vulnerability noise**](https://www.paloaltonetworks.com/blog/2025/04/introducing-cortex-xsiam-3-dot-0/) as Cortex Exposure Management uses unified data to prioritize the risks that actually threaten your business
* **Discovery of approximately** [**30% more security tools**](https://www.forrester.com/report/the-external-attack-surface-management-landscape-q1-2023/RES178691) **than teams knew they had**, providing visibility across previously unknown shadow IT
* **Access to 10,000+ pre-built and automatically enabled detectors**, compared with the 100-200 correlation rules most SOCs maintain internally

The economic impact is equally significant: organizations reduce data storage costs by eliminating redundant tools and data lakes while improving detection accuracy through full data integration that was previously impossible.

## **Transform Your Security Operations**

Imagine your security analysts arriving at work energized rather than overwhelmed. Instead of facing thousands of disconnected alerts, they see a clear, prioritized view of genuine threats that require their expertise. They spend their time hunting sophisticated adversaries like Atlas Lion and building stronger defenses, not wrestling with data correlation across multiple tools.

This transformation isn't just about technology; it is about giving your people the foundation they need to do their best work. Your team deserves a platform that amplifies their expertise rather than burdening them with busywork.
**Ready to see how unified security data transforms threat detection?** Experience how Cortex XDL enables comprehensive attack-story reconstruction on your own data. [Request a demo](https://www.paloaltonetworks.com/cortex/request-demo) to see how platformized security operations can defend against today's most sophisticated identity-driven attacks.

[**Download the Solution Brief today!**](https://www.paloaltonetworks.com/resources/techbriefs/cortex-extended-data-lake)