Configure Global Agent Settings - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-19
Category
Administrator Guide
Abstract

The different Cortex XDR agents that operate on your endpoints require configuration of different global settings.

On top of customizable Agent Settings Profiles for each Operating System and different endpoint targets, you can set global Agent Configurations that apply to all the endpoints in your network.

  1. From the Cortex XDR management console, select Settings ConfigurationsGeneralAgent Configurations.

  2. Set global uninstall password.

    The uninstall password is required to remove a Cortex XDR agent and to grant access to the agent security component on the endpoint. You can use the default uninstall Password1 defined in Cortex XDR or set a new one and Save. This global uninstall password applies to all the endpoints (excluding mobile) in your network. If you change the password later on, the new default password applies to all new and existing profiles to which it applied before. If you want to use a different password to uninstall specific agents, you can override the default global uninstall password by setting a different password for those agents in the Agent Settings profile. The selected password must satisfy the requirements enforced by Password Strength indicator.

    A new password must satisfy the Password Strength indicator requirements:

    • Must be 8 to 32 characters.

    • Contain at least one upper-case, at least one lower-case letter, at least one number, and at least one of the following characters: !@#%.

  3. Manage the content updates bandwidth and frequency in your network.

    • Enable bandwidth control—Palo Alto Networks allows you to control your Cortex XDR agent network consumption by adjusting the bandwidth it is allocated. Based on the number of agents you want to update with content and upgrade packages, active or future agents, the Cortex XDR calculator configures the recommended amount of Mbps (Megabits per second) required for a connected agent to retrieve a content update over a 24 hour period or a week. Cortex XDR supports between 20 - 10000 Mbps, you can enter one of the recommended values or enter one of your own. For optimized performance and reduced bandwidth consumption, it is recommended that you install and update new agents with Cortex XDR agents 7.3 and later include the content package built in using SCCM.

    • Enable minor content version updates—The Cortex XDR research team releases more frequent content updates in-between major content versions to ensure your network is constantly protected against the latest and newest threats in the wild. Enabled by default, the Cortex XDR agent receives minor content updates, starting with the next content releases. To learn more about the minor content numbering format, refer to the About Content Updates topic.

  4. Configure content bandwidth allocated for all endpoints.

    To control the amount of bandwidth allocated in your network to Cortex XDR content updates, assign a Content bandwidth management value between 20-10,000 Mbps. To help you with this calculation, Cortex XDR recommends the optimal value of Mbps based on the number of active agents in your network, and including overhead considerations for large content updates. Cortex XDR verifies that agents attempting to download the content update are within the allocated bandwidth before beginning the distribution. If the bandwidth has reached its cap, the download will be refused and the agents will attempt again at a later time. After you set the bandwidth, Save the configuration.

  5. Configure the Cortex XDR agent auto upgrade scheduler and number of parallel upgrades.

    If Agent Auto Upgrades are enabled for your Cortex XDR agents, you can control the automatic upgrade process in your network. To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network with number of parallel upgrades as configured.

    • Amount of Parallel Upgrades—Set the number of parallel agent upgrades, while the maximum is 500 agents.

    • Days in week—You can schedule the upgrade task for specific days of the week and a specific time range. The minimum range is four hours.

  6. Configure automated Advanced Analysis of Cortex XDR Agent alerts raised by exploit protection modules.

    Advanced Analysis is an additional verification method you can use to validate the verdict issued by the Cortex XDR agent. In addition, Advanced Analysis also helps Palo Alto Networks researchers tune exploit protection modules for accuracy.

    To initiate additional analysis you must retrieve data about the alert from the endpoint. You can do this manually on an alert-by-alert basis or you can enable Cortex XDR to automatically retrieve the files.

    After Cortex XDR receives the data, it automatically analyzes the memory contents and renders a verdict. When the analysis is complete, Cortex XDR displays the results in the Advanced Analysis field of the Additional data view for the data retrieval action on the Action Center. If the Advanced Analysis verdict is benign, you can avoid subsequent blocked files for users that encounter the same behavior by enabling Cortex XDR to automatically create and distribute exceptions based on the Advanced Analysis results.

    1. Configure the desired options:

      • Enable Cortex XDR to automatically upload defined alert data files for advanced analysis. Advanced Analysis increases the Cortex XDR exploit protection module accuracy.

      • Automatically apply Advanced Analysis exceptions to your Global Exceptions list. This will apply all Advanced Analysis exceptions suggested by Cortex XDR, regardless of the alert data file source.

    2. Save the Advanced Analysis configuration.

  7. Configure the Cortex XDR Agent license revocation and deletion period.

    This configuration applies to standard endpoints only and does not impact the license status of agents for VDIs or Temporary Sessions.

    1. Configure the desired options:

      • Connection Lost (Days)—Configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. Default is 30 days; Range is 2 to 60 days. Where day one is counted as the first 24 hours with no connection.

      • Agent Deletion (Days)—Configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. Default is 180 days; Range is 3 to 360 days and must exceed the Connection Lost value. Where day one is the first 24 hours of lost connection.

    2. Save the Agent Status configuration.

  8. Enable WildFire analysis scoring for files with Benign verdicts.

    The WildFire analysis score for files with a Benign verdict is used to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually gets a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower confidence Benign score. To add an additional verification method to such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).

    Note

    Disabling this capability takes immediate effect on new hashes, fresh agent installations, and existing security policies. It could take up to a week to take effect on existing agents in your environment pending agent caching.

  9. Enable Informative BTP Alerts.

    Behavioral threat protection (BTP) alerts have been given unique and informative names and descriptions, to provide immediate clarity into the events without having to drill down into each alert. Enable to display of the informative BTP rule alert names and descriptions. After you update the settings, new alerts include the changes while already existing alerts remain unaffected.

    Note

    If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR/3rd party SIEM, we advise you to update those to support the changes before activating the feature. For example, change the query to include the previous description that is still available in the new description, instead of searching for an exact match.

  10. Configure settings for periodic cleanup of duplicate entities in the endpoint administration table.

    When enabled, Periodic duplicate cleanup removes all duplicate entries of an endpoint from the endpoint table based on the defined parameters, leaving only the last occurrence of the endpoint reporting to the server. This enables you to streamline and improve the management of your endpoints. For example, when an endpoint reconnects after a hardware change, it may be re-registered, leading to confusion in the endpoint administration table regarding the real status of the endpoint. The cleanup leaves only the latest record of the endpoint in the table.

    • Define whether to clean up according to Host Name, Host IP Address, MAC Address, or any combination of them. If not selected, the default is Host Name. When you select more than one parameter, duplicate entries are removed only if they include all the selected parameters.

    • Configure the frequency of the cleanup—every 6 hours, 12 hours, 1 day, or 7 days. You can also select to perform an immediate One-time cleanup.

    Data for a deleted endpoint is retained for 90 days since the endpoint’s last connection to the system. If a deleted endpoint reconnects, Cortex XDR recovers its existing data.