
Cortex XDR as SIEM light: powerful detection and compliance without the complexity


Richard Landman , Marketing & Portfolio Director , Nomios Netherlands


Many organisations face the same dilemma: they know they need better visibility into what is happening across their environment, but a full SIEM platform feels like a significant undertaking — expensive, complex to manage, and heavy to implement. What if there is a more pragmatic path?

At Nomios, we see at many of our clients that Cortex XDR from Palo Alto Networks can fill that role very well. Not as a replacement for an enterprise SIEM in every scenario, but as a mature, centralised detection and analytics platform that gives most organisations more than enough to bring their security posture to the desired level.

More than endpoint protection

Most organisations know Cortex XDR through the Cortex XDR Endpoint Pro licence — one of the strongest EDR/XDR solutions on the market. But the platform offers more. With the right licence, organisations can ingest additional log sources and effectively use Cortex XDR as a central security data platform: a SIEM light.

That is not marketing. It is an architectural choice that proves highly practical for many organisations.

Broad log ingestion, straight out of the box

What makes Cortex XDR so well-suited as a SIEM light? The breadth of supported log sources is impressive and covers the stack that most organisations have in place.

Network and firewall: Check Point, Cisco ASA/AnyConnect, Fortinet FortiGate, Zscaler Internet Access and Private Access, Corelight Zeek, AWS VPC Flow Logs, Azure Network Watcher — most common network infrastructure is supported out of the box.

Cloud and SaaS: AWS CloudTrail, GCP Pub/Sub, Google Workspace, Microsoft 365 and Office 365, Azure Event Hub, Okta, OneLogin, PingFederate, PingOne, Salesforce, Box, Dropbox, Workday and ServiceNow CMDB. For organisations operating heavily in the cloud, this delivers immediate visibility across the most critical platforms.

Endpoint and infrastructure: beyond the native Cortex XDR agent, Windows DHCP logs, Elasticsearch Filebeat data, NetFlow records, Syslog sources, Apache Kafka events, and even CSV files and database data can all be ingested.

Security tools: BeyondTrust Privilege Management, Forcepoint DLP, Proofpoint TAP and external alerts via an HTTP Log Collector — specific security tooling can be integrated as well.

For the vast majority of organisations, this is more than sufficient to build a complete picture of what is happening across the environment.

Compliance: data retention without a dedicated SIEM

One of the most common arguments for a SIEM is compliance: organisations are required to retain log data for a defined period, whether driven by NIS2, ISO 27001, or sector-specific regulations.

Cortex XDR offers an elegant solution here. After a configured number of days, log data can be automatically exported to external storage. That can be a cloud-based solution such as an AWS S3 bucket — cost-effective, scalable and reliable — or an on-premises storage solution such as a NAS or local object store, for organisations that prefer to keep data within their own infrastructure. In both cases, the data remains available for audits and forensic investigation if needed, without having to run a full SIEM platform solely for archiving purposes.

The result: compliance with data retention requirements, at a fraction of the cost of a dedicated SIEM.
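The retention model described above has two places where it can silently fail an audit: data that ages out of the platform before the export runs, and exported data that the external store expires before the regulatory period ends. The following is an added example (not Cortex XDR, AWS or Nomios code) of how a defender can check a planned configuration for both gaps, generate the matching S3 bucket lifecycle rule, and keep a SHA-256 manifest of exported objects so their integrity can be shown during an audit or forensic investigation. All day counts, the bucket prefix and the sample export objects are assumptions constructed for the example; the only external format relied on is the standard AWS S3 lifecycle configuration schema.

```python
"""Retention gap check for a 'SIEM light' setup: short searchable retention in the
detection platform, then automatic export to external object storage.
Added example; all numeric settings below are assumptions, not product defaults."""
import hashlib
from dataclasses import dataclass


@dataclass
class RetentionPlan:
    hot_days: int            # searchable retention in the detection platform (assumed tenant setting)
    export_after_days: int   # age at which data is exported to external storage (assumed setting)
    cold_days: int           # how long the external store keeps an exported object after arrival
    required_days: int       # retention the applicable framework demands (assumption)


def check_plan(plan: RetentionPlan) -> list[str]:
    """Return findings; an empty list means the plan satisfies the requirement without gaps."""
    findings = []
    if plan.export_after_days > plan.hot_days:
        findings.append("gap: data ages out of hot storage before the export runs")
    # Exported data reaches its final expiry at export age plus cold retention.
    final_age = plan.export_after_days + plan.cold_days
    if final_age < plan.required_days:
        findings.append(
            f"shortfall: data expires at {final_age} days, requirement is {plan.required_days}"
        )
    return findings


def s3_lifecycle_for(plan: RetentionPlan, prefix: str = "cortex-xdr-export/") -> dict:
    """Build an S3 bucket lifecycle configuration (standard AWS schema) that matches the plan:
    move objects to an archive tier soon after arrival and expire them after cold_days.
    Immutability (S3 Object Lock) is a separate bucket setting and is not expressed here."""
    archive_after = min(30, plan.cold_days)  # assumed: archive after 30 days, or sooner if cold_days is shorter
    return {
        "Rules": [{
            "ID": "retain-exported-xdr-logs",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Transitions": [{"Days": archive_after, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": plan.cold_days},
        }]
    }


def build_manifest(objects: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 digest of each exported object, keyed by object name, recorded at export time
    so an auditor or investigator can later confirm the archived data was not altered."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in objects.items()}


def verify_manifest(objects: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Names of objects whose current content no longer matches the recorded digest."""
    return [n for n, d in objects.items() if hashlib.sha256(d).hexdigest() != manifest.get(n)]


# Constructed sample: two small export objects standing in for daily log archives.
SAMPLE_EXPORT = {
    "2026-01-01/firewall.ndjson.gz": b'{"src":"10.0.0.5","action":"allow"}\n',
    "2026-01-01/cloudtrail.ndjson.gz": b'{"eventName":"ConsoleLogin","user":"alice"}\n',
}

if __name__ == "__main__":
    plan = RetentionPlan(hot_days=30, export_after_days=30, cold_days=335, required_days=365)
    print("findings:", check_plan(plan) or "none")
    print("lifecycle:", s3_lifecycle_for(plan))
    manifest = build_manifest(SAMPLE_EXPORT)
    print("tampered objects:", verify_manifest(SAMPLE_EXPORT, manifest) or "none")
```

Run the check against the intended settings before enabling the export, and rerun it whenever the hot retention or the bucket lifecycle rule changes; the manifest should be written to the same external store as the exported data, ideally to a location with Object Lock enabled, so that a later verification is meaningful.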

Managed by the Nomios SOC — including XSOAR automation

A platform is only as strong as the people and processes behind it. The Nomios SOC team manages Cortex XDR environments for clients who prefer not to handle this in-house. We combine deep Palo Alto Networks expertise with a modern SOC methodology.

Central to that approach is Cortex XSOAR, Palo Alto Networks' automation platform. XSOAR enables us to automate repetitive tasks, accelerate alert handling, and run playbooks that are consistent and auditable. Less noise, faster response, more focus on real threats.

For organisations looking to build a managed detection and response capability without the overhead of an in-house SOC team, this is a realistic and cost-effective route.

The right choice for the right situation

A full enterprise SIEM has its place — for organisations with complex multi-tenant environments, advanced correlation requirements, or specific compliance frameworks that mandate a dedicated solution. But that is not every organisation.

For many organisations, Cortex XDR as a SIEM light is the better choice: faster to deploy, easier to manage, and optionally operated by the Nomios SOC. Combined with a smart data export strategy to external storage for retention purposes, the result is a complete, compliant security architecture — without unnecessary complexity.

Want to know whether this approach fits your organisation? Get in touch with Nomios for a no-obligation conversation.
