The End of the Visibility Tax

Jun 02, 2026

Why Attack Detection Requires High-Fidelity Data

As frontier AI threats accelerate, every blind spot becomes an immediate liability. Cortex XSIAM® is built to eliminate those gaps with detection purpose-built for Palo Alto Networks telemetry, unlocking the full security value of Palo Alto Networks Next-Generation Firewall and Prisma® SASE data. Best of all, with Enhanced Application log ingestion now included at no additional cost, achieving this level of deep network visibility no longer requires paying a "visibility tax."

The Hidden Risks of Missing Data

Modern security operations depend on telemetry. The challenge is collecting the rich behavioral data modern analytics actually need.

As frontier AI threats accelerate, every blind spot becomes a liability. To detect modern attacks, security teams need to track user behavior over time. Without deeper telemetry like DNS, DHCP and application-layer details, that context disappears as IP addresses change — making it far harder to baseline behavior and separate real threats from noise.

Enhanced Application logging captures the high-fidelity telemetry modern analytics require, including DNS queries, DHCP activity, HTTP headers, SSL metadata, Kerberos authentication events, usernames, failed login attempts and other behavioral signals that basic network logs simply miss.

That level of telemetry gives Cortex XSIAM and Cortex XDR® far stronger detection context.

A brute force attack no longer looks like generic traffic between two systems. Analysts can see the actual authentication attempts, the usernames involved and whether those attempts failed or succeeded. Command-and-control (C2) activity hidden inside trusted applications becomes visible through SSL and HTTP telemetry. Insider threats stand out through unusual data movement patterns, abnormal sharing behavior and deviations from normal user activity.

This becomes even more important for unmanaged devices, contractor laptops, bring-your-own-device environments and cloud assets without endpoint agents. Without enhanced application logs, much of that activity blends into generic network traffic that is difficult to investigate.

Analytics Purpose-Built for Palo Alto Networks Data

Cortex XSIAM delivers more than 13,000 out-of-the-box detectors, including over 2,900 ML analytics models. While these detectors support many telemetry sources, Cortex XSIAM delivers precise detection for Palo Alto Networks Next-Generation Firewall and Prisma SASE environments because of the depth of telemetry that’s only available to Cortex® analytics.

This precision is especially critical for Network Detection and Response, where unmanaged assets, like IoT devices or rogue contractor laptops, can't host traditional security agents. For these environments, enhanced application logs serve as the fundamental engine driving high-fidelity security analytics. When evaluating network security tools, the quality of your analytics comes down to three clear realities:

  1. The core engine: The vast majority of our NDR analytics detectors and machine learning models rely directly on enhanced application logs to function.
  2. Unmatched precision: Nearly every network detector performs with wider threat coverage and fewer false positives when powered by enhanced application logs.
  3. A clear quality gap: Security operations that lack deep protocol logs simply cannot match the threat detection precision of a platform purpose-built around it.

To see this data advantage in action, look at how Cortex addresses stealthy, multistage attack tactics that standard network monitoring completely misses.

Exposing Stealthy Lateral Movement

Standard network logs only look at generic flow events — effectively seeing the "envelope" of traffic but not reading the letter inside. Because remote procedure calls (RPC) happen constantly across normal Windows networks, malicious lateral movement easily blends in with day-to-day operations.

Cortex fixes this via deep protocol parsing. Instead of just tracking connections, it extracts low-level details, interfaces and parameters to build dynamic profiles of user behavior. This advanced visibility powers out-of-the-box detectors like abnormal sensitive RPC traffic to multiple hosts. Because this traffic is overwhelmingly legitimate, running high-fidelity detections like this is fundamentally impossible without low-level protocol extraction.
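The profiling idea described above, as an added illustration that is not Cortex code and does not describe its internals: once RPC interface names are parsed out of the flow, each user's daily fan-out over a set of sensitive interfaces can be baselined and a sudden spread to many hosts flagged. The interface names, the "sensitive" set, the thresholds and the event records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records shaped like parsed RPC fields from an enhanced
# application log: (user, destination host, RPC interface, day). The interface
# names and the "sensitive" set are illustrative assumptions, not product data.
SENSITIVE_INTERFACES = {"svcctl", "samr", "atsvc"}

RPC_EVENTS = [
    # Baseline days: alice reaches one or two hosts a day over sensitive RPC.
    ("alice", "fs01", "srvsvc", "d1"), ("alice", "dc01", "samr", "d1"),
    ("alice", "fs01", "svcctl", "d2"),
    ("alice", "dc01", "samr", "d3"), ("alice", "fs02", "svcctl", "d3"),
    # Today: alice reaches five workstations over the service-control interface.
    ("alice", "ws101", "svcctl", "d4"), ("alice", "ws102", "svcctl", "d4"),
    ("alice", "ws103", "svcctl", "d4"), ("alice", "ws104", "svcctl", "d4"),
    ("alice", "ws105", "svcctl", "d4"),
    # bob only uses a non-sensitive interface and never enters the profile.
    ("bob", "fs01", "srvsvc", "d1"), ("bob", "fs01", "srvsvc", "d4"),
]

def sensitive_fanout(events):
    """Distinct destination hosts per (user, day), sensitive interfaces only."""
    hosts = defaultdict(set)
    for user, host, iface, day in events:
        if iface in SENSITIVE_INTERFACES:
            hosts[(user, day)].add(host)
    return {key: len(h) for key, h in hosts.items()}

def detect_abnormal_fanout(events, today, min_history=2, k=2.0, floor=3):
    """Flag users whose sensitive-RPC fan-out today exceeds their own baseline.

    Threshold = mean + k * population stdev of the user's daily fan-out on
    prior days, never below an absolute floor so that a flat baseline of
    one host per day does not alert on the second host."""
    per_user = defaultdict(dict)
    for (user, day), n in sensitive_fanout(events).items():
        per_user[user][day] = n
    alerts = {}
    for user, days in per_user.items():
        history = [n for day, n in days.items() if day != today]
        if len(history) < min_history:
            continue  # not enough prior days to profile this user yet
        threshold = max(floor, mean(history) + k * pstdev(history))
        if days.get(today, 0) > threshold:
            alerts[user] = (days[today], threshold)
    return alerts
```

Without the interface field, every row above is just "RPC between two hosts" and the five-host spread on day d4 is indistinguishable from alice's normal file-server traffic.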

Identifying Covert C2 Activity

Adversaries frequently hide C2 or exfiltration traffic inside trusted web channels to mask their operations as standard employee web browsing. Without enhanced application logs, these lateral movements and data transfers remain completely invisible to traditional SIEMs.

Figure 1. Cortex XSIAM ingests telemetry from across the environment, detects threats in real time and automatically groups, scores and handles the majority of detections

To expose these threats, Cortex extracts normalized JA3 fingerprints (identifying the specific SSL/TLS client application signature) and pairs them directly with HTTP user-agents. This multidimensional analysis feeds out-of-the-box detectors like abnormal communication with a rare combination of TLS and HTTP user agent. When a highly unusual cryptographic signature pairs with an unexpected user agent, Cortex instantly knows it isn’t a standard web browser — it’s an attacker trying to hide in the noise.
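The rare-combination logic described above, as an added example that is not Cortex code: over constructed session records carrying a JA3 hash and a User-Agent, a pairing is flagged when the User-Agent is common across the estate but that particular JA3+UA pairing appears on almost no hosts. The hashes, User-Agent strings and thresholds are placeholders chosen for the example.

```python
from collections import defaultdict

# Constructed sample sessions shaped like enhanced application log fields:
# (source host, JA3 hash of the TLS ClientHello, HTTP User-Agent).
# The hashes and UA strings below are placeholders, not real fingerprints.
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0) Edg/124.0"
JA3_CHROME = "ja3-placeholder-chrome"
JA3_EDGE = "ja3-placeholder-edge"
JA3_ODD = "ja3-placeholder-nonbrowser"  # a TLS stack no browser produces

SESSIONS = [
    *[(f"ws{n}", JA3_CHROME, CHROME_UA) for n in range(1, 21)],  # 20 hosts
    *[(f"ws{n}", JA3_EDGE, EDGE_UA) for n in range(5, 12)],      # 7 hosts
    ("ws7", JA3_ODD, CHROME_UA),              # claims Chrome, odd TLS stack
    ("ws9", "ja3-placeholder-curl", "curl/8.5.0"),  # rare pair, rare UA too
]

def pair_prevalence(sessions):
    """Distinct source hosts per (JA3, User-Agent) pair and per User-Agent."""
    by_pair, by_ua = defaultdict(set), defaultdict(set)
    for host, ja3, ua in sessions:
        by_pair[(ja3, ua)].add(host)
        by_ua[ua].add(host)
    return by_pair, by_ua

def rare_tls_ua_combinations(sessions, rare_max_hosts=1, common_min_hosts=5):
    """Return (host, JA3, UA) tuples where the User-Agent is widespread across
    the estate but this particular JA3+UA pairing appears on almost no hosts.

    A lone rare pair is not enough: curl on one box is rare but consistent.
    The signal is a common browser string riding on a TLS stack that the
    same browser never produces anywhere else."""
    by_pair, by_ua = pair_prevalence(sessions)
    alerts = []
    for (ja3, ua), hosts in by_pair.items():
        if len(hosts) <= rare_max_hosts and len(by_ua[ua]) >= common_min_hosts:
            alerts.extend((host, ja3, ua) for host in sorted(hosts))
    return alerts
```

A plain flow log would record the ws7 session as ordinary HTTPS to a web host; the detection only exists because both the TLS fingerprint and the HTTP header are in the record.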

Modern attacks increasingly hide inside trusted applications and legitimate credentials. Deep behavioral context is the only way to expose them. You can explore the full range of detectors fueled by this data in our Cortex Analytics Alert Reference.

Our native application-layer telemetry and the analytics designed specifically for it provide an unmatched level of insight and oversight.

Security teams gain:

  • Laser-accurate, fully maintained behavioral detections.
  • Reduced alert noise.
  • Better visibility into stealthy threats like lateral movement, data exfiltration and insider attacks.

Modern attacks increasingly hide inside trusted applications and legitimate credentials. Behavioral context is what exposes them.

Lower Cost, Better Visibility

Organizations often export network telemetry to multiple, expensive third-party analytics and data management platforms, increasing cost and operational complexity. To stay on budget, they may attempt to filter data or reduce retention.

Palo Alto Networks is now removing ingestion fees for Enhanced Application logs for all Next-Generation Firewall and Prisma SASE customers.

Cortex XSIAM centralizes network, endpoint, cloud, identity and security telemetry in the Cortex Extended Data Lake, reducing the need for duplicate pipelines and external analytics tools.

Palo Alto Networks customers can ingest enhanced application logs at no cost to achieve:

  • 40% more insights than traditional firewall traffic logs.[1]
  • 20–30% lower firewall data ingestion costs through free enhanced application logs.[2]
  • 257% ROI with Cortex XSIAM.[3]

Security Without Compromise

In a world of machine-speed attacks, reacting after the fact is no longer enough. Modern detection depends on deep, high-fidelity telemetry — and the analytics built to understand it.

By removing ingestion fees for enhanced application logs, Palo Alto Networks is helping organizations strengthen detection coverage, reduce operational complexity and lower the cost of collecting the telemetry modern security operations require.

To learn more about how Cortex XSIAM unlocks the full value of Palo Alto Networks products, read the guide: 5 Reasons NGFW Customers Choose Cortex XSIAM.

  1. Based on internal Palo Alto Networks data.
  2. Based on customer feedback and reported outcomes.
  3. The Forrester Total Economic Impact™ of Cortex XSIAM, Forrester, 2025.
