# Cortex XDR 3.3: Redefining SecOps with Global Analytics \& Event Forwarding

By [Kasey Cross](https://www.paloaltonetworks.com/blog/author/kasey-cross/?ts=markdown "Posts by Kasey Cross") | May 16, 2022 | 6 minutes

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

Tags: [Cortex XDR 3.3](https://www.paloaltonetworks.com/blog/tag/cortex-xdr-3-3/?ts=markdown), [Event Forwarding](https://www.paloaltonetworks.com/blog/tag/event-forwarding/?ts=markdown), [Extended Detection and Response](https://www.paloaltonetworks.com/blog/tag/extended-detection-and-response/?ts=markdown), [Global Analytics](https://www.paloaltonetworks.com/blog/tag/global-analytics/?ts=markdown), [XDR](https://www.paloaltonetworks.com/blog/tag/xdr/?ts=markdown)

Outpacing adversaries requires constant innovation. If we, as defenders, stand still, we invite threat actors to develop techniques to bypass our defenses. To stay ahead of quickly evolving threats, we must continually update our security with features that simplify operations and stop attacks in new and unexpected ways.

Since our [Cortex XDR 3.0 release last August](https://www.paloaltonetworks.com/blog/2021/08/third-generation-xdr-has-arrived/), we have added a wealth of capabilities that take your security operations to the next level. With [Cortex XDR 3.1](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2021#features-introduced-in-2021_idefc57631-f937-42cf-951d-dcf9b803c54b), we expanded the data you can bring into the platform with out-of-the-box data collectors and cloud inventory capabilities. [Cortex XDR 3.2](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2022#idc4ccb05b-e3f2-42b7-96d8-2490d183e3cf_tempid4cb246db-07b4-406c-80dd-42770080d58d) put threats on ice with [cold storage](https://register.paloaltonetworks.com/cortexxdr32-putthreatsonicewithcoldstorage).
Our [Cortex XDR 7.7 Agent](https://docs.paloaltonetworks.com/cortex/cortex-xdr/7-7/cortex-xdr-agent-release-notes/cortex-xdr-agent-release-information/features-introduced-in-cortex-xdr-agent#features-introduced-in-cortex-xdr-agent-7.3_idede97ad4-2b44-4291-9b4e-472f78227644) release introduced a much-anticipated user-space agent for Linux: it runs entirely in user space, as an alternative to our existing kernel-module-based Linux agent. The same release extended our Java anti-exploit module to Windows endpoints, protecting endpoints and cloud workloads from vulnerabilities such as [Log4Shell](https://www.paloaltonetworks.com/blog/security-operations/how-cortex-xdr-blocks-log4shell-exploits-with-java-deserialization-exploit-protection/) and [SpringShell](https://www.paloaltonetworks.com/blog/security-operations/cortex-xdr-springshell/).

## **Elevate Detection and Response with Cortex XDR 3.3**

The drumbeat of innovation continues with Cortex XDR 3.3. Adding over thirty new features, this release improves both security operations and endpoint agent management. It is now easier to hunt for threats, integrate data from more sources, and monitor and control your endpoints. Key features in Cortex XDR 3.3 include:

* Global Analytics
* Event Forwarding
* CIS Benchmarks
* Expanded Data Collection
* Enhanced Endpoint and Policy Management

## **Harness the Power of Cross-Customer Insights with Global Analytics**

Stopping supply chain attacks, like the [SolarStorm attack](https://www.paloaltonetworks.com/blog/2020/12/solarwinds-statement-solarstorm/), isn't easy. If adversaries compromise a software vendor, they can insert malicious code into the vendor's trusted, signed application. Because the implant ships inside a legitimately signed binary, and a careful adversary avoids known indicators of compromise (IoCs) and well-known attack techniques, signature- and IoC-based defenses have nothing to match on. With this in mind, how do we detect when good software goes bad?
With Global Analytics, we're applying machine learning and cross-customer insights to tackle this intractable challenge.

![Global Analytics diagram](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/diagram-schematic-description-automatically-gene-1.png)

When threat actors execute supply chain attacks, they typically try to stay under the radar. Rather than broadly attacking all clients of a compromised software vendor at once, they carefully select their victims. With Global Analytics, Cortex XDR can identify these attacks by detecting when the behavior of a signed application in one environment deviates from the behavior of the same application observed in peer environments.

How does Global Analytics work? It all starts with the endpoint. The Cortex XDR agent continuously monitors endpoint behavior, collects granular process data, and sends this data to the cloud-based Cortex XDR application, which automatically analyzes it to generate behavioral profiles of signed processes for each customer. Profiles include which domains and IP addresses a process accessed, which protocols and ports it used, which modules it dynamically loaded, and much more. If Cortex XDR detects aberrant process behavior in only a subset of customers, it automatically generates an alert.

For example, if an accounting application suddenly starts dialing out to a new IP address on an unusual port, and Cortex XDR observes this behavior in only a small percentage of the tenants that have deployed that application, it automatically raises an alert for a behavior with low global prevalence. Global Analytics can detect supply chain attacks, as well as additional attacker techniques such as DLL side-loading, rootkit-based thread injection, zero-day exploits and more.
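To make the "low global prevalence" idea concrete, here is an added illustration written for this edit; it is not Cortex XDR code and does not describe the product's actual model. It builds a per-tenant behavior profile for each signed process, computes the fraction of tenants running that process that exhibit each behavior, and alerts where that fraction is small. The event schema, the normalization of behaviors, the thresholds and the tenant population are all assumptions, and the telemetry is constructed for the example.

```python
"""Cross-tenant "low global prevalence" detection, as described for Global Analytics.

Added illustration only: this is not Cortex XDR code. The event schema, the
behaviour normalisation, the tenant population, and the two thresholds are
assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    tenant: str      # which customer environment produced the event
    signer: str      # code-signing publisher of the process image
    process: str     # image name of the signed process
    kind: str        # "net" (outbound connection) or "module" (dynamic load)
    detail: tuple    # ("dst_ip", port, "proto") or ("module_name",)

    def behavior(self) -> tuple:
        # Normalise to a key that is identical across tenants when the
        # behaviour is the same: PIDs, timestamps and source ports are dropped.
        return (self.kind,) + self.detail


def build_profiles(events: Iterable[Event]) -> dict:
    """(signer, process) -> {tenant -> set of behaviour keys}: one profile per tenant."""
    profiles = defaultdict(lambda: defaultdict(set))
    for e in events:
        profiles[(e.signer, e.process)][e.tenant].add(e.behavior())
    return profiles


def global_prevalence(tenant_profiles: dict) -> dict:
    """Fraction of tenants running this signed process that exhibited each behaviour.

    The denominator is the population that runs the application, not all tenants,
    so a niche application's normal behaviour is not mistaken for rarity."""
    population = len(tenant_profiles)
    seen_in = defaultdict(int)
    for behaviors in tenant_profiles.values():
        for b in behaviors:
            seen_in[b] += 1
    return {b: n / population for b, n in seen_in.items()}


def low_prevalence_alerts(events: Iterable[Event], max_prevalence: float = 0.15,
                          min_population: int = 10) -> list:
    """Alert on behaviours of a signed process that only a small share of its
    user base exhibits. Applications run by fewer than min_population tenants
    are skipped: with three tenants any one-off is already 33% "prevalent",
    and there is no meaningful baseline to deviate from."""
    alerts = []
    for (signer, process), tenant_profiles in build_profiles(events).items():
        population = len(tenant_profiles)
        if population < min_population:
            continue
        prevalence = global_prevalence(tenant_profiles)
        for tenant, behaviors in tenant_profiles.items():
            for b in behaviors:
                if prevalence[b] < max_prevalence:
                    alerts.append({"tenant": tenant, "signer": signer, "process": process,
                                   "behavior": b, "prevalence": round(prevalence[b], 3),
                                   "population": population})
    return alerts


def constructed_telemetry() -> list:
    """Constructed sample telemetry (not real data): 20 tenants run a signed
    accounting application; two of them show an extra outbound connection and
    one also loads an unexpected DLL next to the signed binary."""
    tenants = [f"tenant-{i:02d}" for i in range(20)]
    acme = ("Acme Accounting Inc", "AcmeLedger.exe")
    events = []
    for t in tenants:                                   # baseline seen in every tenant
        events.append(Event(t, *acme, "net", ("203.0.113.10", 443, "tcp")))
        events.append(Event(t, *acme, "module", ("acmecrypto.dll",)))
    for t in tenants[:8]:                               # regional mirror: 40%, still normal
        events.append(Event(t, *acme, "net", ("203.0.113.11", 443, "tcp")))
    for t in ("tenant-03", "tenant-17"):                # new destination, unusual port: 10%
        events.append(Event(t, *acme, "net", ("198.51.100.7", 8443, "tcp")))
    events.append(Event("tenant-03", *acme, "module", ("version.dll",)))  # side-load candidate: 5%
    small = ("Small Vendor LLC", "SmallVendorTool.exe")  # only three tenants run this one
    for t in tenants[:3]:
        events.append(Event(t, *small, "net", ("192.0.2.5", 443, "tcp")))
    events.append(Event("tenant-00", *small, "net", ("192.0.2.99", 4444, "tcp")))
    return events


if __name__ == "__main__":
    for a in low_prevalence_alerts(constructed_telemetry()):
        print(a)
```

Two design points carry over to any real implementation of this idea: the denominator must be the tenants that actually run the signed application, and a minimum population is needed before "rare" means anything, otherwise a vendor with three customers generates an alert for every ordinary change. The `SmallVendorTool.exe` destination in the sample only surfaces once both thresholds are relaxed.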
Global Analytics allows Cortex XDR to detect extremely sophisticated attacks automatically with machine learning, cross-customer intelligence, and insights.

## **Stream Data to the Storage Solution of Your Choice with Event Forwarding**

With Cortex XDR 3.3, you can forward Cortex XDR event logs, including endpoint data, to third-party security or log management solutions. Cortex XDR has allowed you to forward alerts, audit logs, and management events since its inception; the new Event Forwarding option adds raw endpoint event data and parsed network, cloud, and third-party events, sent to external storage platforms. Whether you want to correlate Cortex XDR telemetry with data already in your security information and event management (SIEM) platform, or analyze event data in your own scalable data lake, Event Forwarding has you covered.

![Event Forwarding](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/blog-image.png)

## **Understand Risk Levels and Configuration Weaknesses with CIS Benchmarks**

Developed by the Center for Internet Security (CIS), CIS Benchmarks are globally recognized, consensus-developed configuration baselines for safeguarding systems and data. CIS publishes more than one hundred of them, each a set of prescriptive, auditable configuration recommendations for a specific operating system, container platform, cloud service or application. They are distinct from the [CIS Critical Security Controls](https://www.cisecurity.org/controls), which are a prioritized list of security safeguards; the Benchmarks are the per-platform configuration guidance. Cortex XDR now includes CIS Benchmark checks for Linux hosts, Docker, and Kubernetes. A new **Cloud Compliance** dashboard displays compliance rates and violation information based on these Benchmarks, and offers detailed context on each misconfiguration to help you remediate it quickly.
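To make concrete what a benchmark check evaluates and how a compliance rate is derived from it, here is an added example; it is not Cortex XDR's compliance engine and not code from this post. A few rules modelled on CIS Linux and CIS Docker Benchmark recommendations are run over constructed `sshd_config` and `daemon.json` files, producing a per-platform compliance rate and a violation list with remediation context. The rule wording, the defaults assumed for absent settings, and the sample configurations are assumptions written for this example.

```python
"""CIS-Benchmark-style configuration checks with a compliance rate per platform.

Added illustration only, not Cortex XDR's compliance engine. The rules are
modelled on recommendations in the CIS Linux and CIS Docker Benchmarks (root SSH
login, empty passwords, X11 forwarding, MaxAuthTries, live-restore,
userland-proxy, no-new-privileges); the rule wording, the defaults assumed for
absent settings and the sample configurations are assumptions for this example.
"""
import json


def parse_sshd_config(text: str) -> dict:
    """Effective global sshd_config values, keyed by lower-cased keyword.

    Two details matter for a correct verdict: sshd keeps the FIRST value it reads
    for a keyword, so a later 'PermitRootLogin no' does not undo an earlier 'yes';
    and everything after a 'Match' line is conditional, so it is excluded from the
    global baseline (assumption: Match blocks are out of scope for these rules)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        # Accept both "Keyword value" and "Keyword=value" spellings.
        parts = line.split("=", 1) if "=" in line.split(None, 1)[0] else line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].strip().lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)             # first occurrence wins
    return effective


# (platform, title, check(effective_ssh, docker_daemon) -> bool, remediation)
# Defaults passed to .get() are the values sshd / dockerd use when the key is absent.
RULES = [
    ("linux", "SSH root login is disabled",
     lambda ssh, _: ssh.get("permitrootlogin", "prohibit-password").lower() == "no",
     "Set 'PermitRootLogin no' in /etc/ssh/sshd_config"),
    ("linux", "SSH PermitEmptyPasswords is disabled",
     lambda ssh, _: ssh.get("permitemptypasswords", "no").lower() == "no",
     "Set 'PermitEmptyPasswords no'"),
    ("linux", "SSH X11 forwarding is disabled",
     lambda ssh, _: ssh.get("x11forwarding", "no").lower() == "no",
     "Set 'X11Forwarding no'"),
    ("linux", "SSH MaxAuthTries is 4 or less",
     lambda ssh, _: int(ssh.get("maxauthtries", "6")) <= 4,
     "Set 'MaxAuthTries 4'"),
    ("docker", "Docker live restore is enabled",
     lambda _, d: d.get("live-restore") is True,
     'Set "live-restore": true in /etc/docker/daemon.json'),
    ("docker", "Docker userland proxy is disabled",
     lambda _, d: d.get("userland-proxy") is False,
     'Set "userland-proxy": false in daemon.json'),
    ("docker", "Containers cannot acquire new privileges",
     lambda _, d: d.get("no-new-privileges") is True,
     'Set "no-new-privileges": true in daemon.json'),
]


def evaluate(sshd_config: str, daemon_json: str) -> dict:
    """Run every rule and return, per platform, the compliance rate and the
    violations with remediation context, as a compliance dashboard would."""
    ssh, docker = parse_sshd_config(sshd_config), json.loads(daemon_json)
    report = {}
    for platform, title, check, remediation in RULES:
        entry = report.setdefault(platform, {"passed": 0, "total": 0, "violations": []})
        entry["total"] += 1
        if check(ssh, docker):
            entry["passed"] += 1
        else:
            entry["violations"].append({"title": title, "remediation": remediation})
    for entry in report.values():
        entry["compliance_rate"] = round(100.0 * entry["passed"] / entry["total"], 1)
    return report


# Constructed sample configurations (not taken from any real host).
WEAK_SSHD_CONFIG = """\
# a later duplicate does not fix the first value sshd read
PermitRootLogin yes
MaxAuthTries 10
permitemptypasswords no
X11Forwarding yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""
WEAK_DAEMON_JSON = '{"live-restore": false, "userland-proxy": true}'

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
MaxAuthTries 4
PermitEmptyPasswords no
X11Forwarding no
"""
HARDENED_DAEMON_JSON = '{"live-restore": true, "userland-proxy": false, "no-new-privileges": true}'


if __name__ == "__main__":
    print(json.dumps(evaluate(WEAK_SSHD_CONFIG, WEAK_DAEMON_JSON), indent=2))
    print(json.dumps(evaluate(HARDENED_SSHD_CONFIG, HARDENED_DAEMON_JSON), indent=2))
```

The point worth taking from the parser is that an auditor that merely greps for `PermitRootLogin no` would pass the weak file, while sshd itself honors the earlier `yes`. A benchmark check has to evaluate the effective setting, which is also why the missing `no-new-privileges` key counts as a violation: the daemon's default is the weak value.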
![Cortex XDR Cloud Compliance dashboard screenshot](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/a-screenshot-of-a-computer-screen-description-aut-1.png)

*Cortex XDR Cloud Compliance Dashboard*

## **Broaden the Scope of Investigations with Expanded Data Collection**

Cortex XDR 3.3 introduces new, out-of-the-box data collectors for Google Workspace, Apache Kafka and Palo Alto Networks IoT Security data that let you extend hunting and investigations to more data sources than ever before. This release also enhances the existing Microsoft Office 365 and Workday data collectors and adds additional log ingestion formats for the Files and Folders Collector and the FTP Collector.

## **Up-level Endpoint Management with Enhanced Policies and Management Options**

To simplify operations, ease management, and improve access controls, Cortex XDR supports an array of new endpoint policy and administration features. With Cortex XDR 3.3, you can:

* Filter, group, and search for endpoint agents with a new endpoint tagging feature.
* Easily identify agents with outdated security content, and generate tokens on demand when a password token is required to perform an action on the agent.
* Import and export endpoint policies and profiles to apply consistent policies across multiple tenants.
* Control which endpoint group policies and profiles your Cortex XDR users can manage with scope-based access control (SBAC).

For a complete list of new capabilities in this feature-packed release, see the [Cortex XDR 3.3 release notes](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-release-notes/release-information/features-introduced/features-introduced-in-2022.html).
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-1.jpeg)

## **Hear Best Practices, Insights, and Tales from the Trenches at Symphony 2022**

[Save your seat now for Symphony](https://symphony.paloaltonetworks.com/), our annual Cortex user conference! During this year's virtual event, SecOps practitioners will share tips to improve threat hunting and investigation skills, and more. Hear from the brightest minds in cybersecurity, including our Chief Product Officer Lee Klarich and special guest speaker Brian Krebs.