End-of-Life (EoL)
Features Introduced in Cortex XDR Agent 7.1
Describes the new features introduced in Cortex XDR agent 7.1 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.1 releases according to the supported agent operating systems.
Features Introduced in Cortex XDR Agent 7.1.4
| Agent Features | Description |
|---|---|
| Support for Debian 10 | You can now install the Cortex XDR agent on Linux endpoints running Debian 10. For all supported kernel versions, see the Latest kernel module version support. The kernel modules will be available with content version PTU-160. |
Features Introduced in Cortex XDR Agent 7.1.3
| Agent Features | Description |
|---|---|
| Enhanced Cortex XDR Agent Alerts | When the Cortex XDR agent triggers an alert for Behavioral Threat Protection rules associated with MITRE ATT&CK tactics and MITRE ATT&CK techniques, the tactics and techniques are now reported and visible in Cortex XDR. |
Features Introduced in Cortex XDR Agent 7.1.2
| Agent Features | Description |
|---|---|
| Extended Protection for Additional Kernels Running on Linux RHEL6 and CentOS6 | Cortex XDR agent 7.1.0 and later releases now extend their protection capabilities to Linux endpoints running RHEL6 or CentOS6 with kernel versions 2.6.32-573 or later. These protection capabilities include Behavioral Threat Protection, ELF file analysis, and endpoint data collection and sharing for EDR. For all supported kernel versions, see Supported kernel versions. |
| Support for SUSE Linux Enterprise Server 15 SP0 | You can install the Cortex XDR agent 7.0.3 on Linux endpoints running SUSE 15 SP0. To enable the Cortex XDR agent to work in synchronous mode, you must disable UEFI Secure Boot on the endpoint. For more details, see known issue CPATR-6346. |
| macOS 11.0 Support | You can install the Cortex XDR agent 7.1.2 on endpoints running macOS 11.0 Big Sur. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix. |
Features Introduced in Cortex XDR Agent 7.1.1
| Feature | Change to Behavior |
|---|---|
| Support for SUSE Linux Enterprise Server 11 SP4 | You can now install the Cortex XDR agent 7.1.1 and later releases on endpoints running SUSE Linux Enterprise Server 11 SP4. For full compatibility information, see the Compatibility Matrix. |
Features Introduced in Cortex XDR Agent 7.1
Cross-Platform Features
| Cross-Platform Agent Features | Description |
|---|---|
| Script Execution (requires a Cortex XDR Pro Per Endpoint license) | You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint. To learn more about script execution, see Run Scripts on an Endpoint. |
| Full Visibility into the Cortex XDR Agent Operational Status | From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows: You can monitor the operational status of your endpoints from the Endpoint Administration table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint. |
| MAC Address Reporting | To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address. |
| Incremental Content Updates | Content updates are delivered to the agent in parts and not as a single file, allowing the agent to retrieve only the updates and additions it needs. Cortex XDR now delivers incremental content updates by default to Cortex XDR agents running on Windows, Mac, and Linux endpoints and supports both direct and P2P content updates. |
| Content Rollout Control | You can now control the content roll-out for your Cortex XDR agents by disabling or delaying automatic content updates. This is useful, for example, if your organization is in a change-freeze period, or if you want to deploy new content in stages within the organization. When you disable automatic content updates, the agent stops retrieving content updates from Cortex XDR and keeps working with the current content installed on the endpoint. When you delay content updates, the Cortex XDR agent will retrieve the content update according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours. You can disable or delay content updates for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule. When your Cortex XDR agents are not using the latest content provided by Palo Alto Networks, it may affect the security level in your organization. To configure the content rollout for your agents, see Add a New Agent Settings Profile. |
| Restricting Response Actions on the Endpoint | If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint. |
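The Content Rollout Control row above describes three rollout modes (automatic, delayed, disabled) and illustrates the delay with a two-day example. The following Python model is an added example, not Cortex XDR code; the content version strings and release times are constructed, and the selection rule (a release is eligible only once it is at least `delay` old) is an assumption that follows the wording of the note. The `content_staleness` helper shows the protection lag a freeze or delay introduces, which is the caveat the note raises.

```python
"""Model of content rollout control (added example, not Cortex XDR code):
pick which content version an agent would run under automatic, delayed or
disabled rollout, and measure how far behind the newest release it is."""
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed sample catalogue of content releases: (version, release time in UTC).
# These are invented values, not real Cortex XDR content versions.
SAMPLE_RELEASES = [
    ("PTU-150", datetime(2020, 6, 1, tzinfo=timezone.utc)),
    ("PTU-152", datetime(2020, 6, 15, 6, tzinfo=timezone.utc)),   # deliberately out of order
    ("PTU-151", datetime(2020, 6, 8, tzinfo=timezone.utc)),
]


def select_content_version(releases, installed, now, mode="automatic", delay=timedelta(0)):
    """Return the content version the agent should use.

    releases  -- list of (version, release_time) tuples, any order
    installed -- content version currently on the endpoint
    mode      -- 'automatic' (newest), 'delayed' (honour `delay`), or 'disabled'
    delay     -- for 'delayed': content released after now - delay is ignored
    """
    if mode == "disabled":
        # Agent stops retrieving updates and keeps the installed content.
        return installed
    cutoff = now - delay if mode == "delayed" else now
    # Sort by release time so the newest eligible release wins regardless of list order.
    eligible = sorted((t, v) for v, t in releases if t <= cutoff)
    if not eligible:
        return installed
    return eligible[-1][1]


def content_staleness(releases, version):
    """How far the given version lags behind the newest release in the catalogue.
    Useful for reporting the protection gap a delay or change freeze creates."""
    times = dict(releases)
    return max(times.values()) - times[version]


if __name__ == "__main__":
    now = datetime(2020, 6, 16, 12, tzinfo=timezone.utc)
    for mode, delay in (("automatic", timedelta(0)), ("delayed", timedelta(days=2)), ("disabled", timedelta(0))):
        chosen = select_content_version(SAMPLE_RELEASES, "PTU-150", now, mode, delay)
        print(mode, chosen, "lag:", content_staleness(SAMPLE_RELEASES, chosen))
```

With the constructed catalogue and a two-day delay evaluated on 16 June at 12:00 UTC, PTU-152 (released 15 June) falls inside the 48-hour window and is skipped, so the agent stays on PTU-151; the staleness report makes that lag visible so it can be weighed against the change-freeze benefit.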
Windows
| Windows Agent Feature | Description |
|---|---|
| User-Initiated Endpoint Scan | You can now initiate an on-demand file scan from a Windows endpoint and get an immediate verdict from WildFire, before the file is ever executed on the endpoint. To initiate the scan, you can right-click a file or folder on the endpoint and select Scan with Cortex XDR. You can monitor the progress of a scan from the Cortex XDR agent console and view the verdict results for completed scans. On-demand scans support the same file types as scheduled scans: Microsoft Office files with macros, DLLs, and executables. You can scan up to 100 items simultaneously, including files or folders. If you scan an unsupported file type, the Cortex XDR agent console will not show a notification for it, and the file will be considered non-malicious. |
| Disk Encryption Using BitLocker | Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to enforce the BitLocker encryption or decryption of the endpoint operating system disk. To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console. |
| Host Firewall for Cortex XDR Agents | To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules. To fine-tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following: To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console. |
| Network Location Resolution for Windows Endpoints | Cortex XDR can now determine whether the Cortex XDR agent is within the organization network or outside. To determine the current network location of a device, Cortex XDR performs a domain controller connectivity test and DNS test. |
| Aggressive Ransomware Protection | If you suspect your network has been infected with ransomware, you can now apply Aggressive protection mode to your Windows endpoints. When set to Aggressive protection mode, Ransomware Protection exposes more applications in your environment to the Cortex XDR agent decoy files to increase the module coverage. This could result in more cases where benign applications and users will report that the decoy files are visible on the endpoint. To enable Aggressive Ransomware Protection, change your Malware security profile settings. |
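The Network Location Resolution row above says the location verdict comes from a domain controller connectivity test plus a DNS test. The following Python sketch is an added example of how such a check can be structured, not the Cortex XDR agent's implementation; the domain name, domain controller host names and the use of TCP port 389 (LDAP) as the connectivity probe are assumptions. The resolver and connect functions are injectable so the decision logic can be exercised offline with constructed results.

```python
"""Network-location check in the style described by the release note (added
example, not Cortex XDR code): DNS test + domain controller connectivity test,
with both probes injectable for offline testing."""
import socket
from typing import Callable, Dict, Iterable, Optional

LDAP_PORT = 389  # assumed probe port for the DC connectivity test


def _tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: can we open a TCP connection to host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_test(domain: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if the organisation's domain name resolves via the current resolver."""
    try:
        resolver(domain)
        return True
    except OSError:          # socket.gaierror is a subclass of OSError
        return False


def dc_connectivity_test(dc_hosts: Iterable[str], port: int = LDAP_PORT,
                         connect: Optional[Callable[[str, int], bool]] = None) -> bool:
    """True if at least one listed domain controller accepts a TCP connection."""
    probe = connect or _tcp_connect
    return any(probe(host, port) for host in dc_hosts)


def resolve_network_location(domain: str, dc_hosts: Iterable[str],
                             resolver: Callable[[str], str] = socket.gethostbyname,
                             connect: Optional[Callable[[str, int], bool]] = None) -> Dict[str, object]:
    """Classify the endpoint as 'internal' only when BOTH tests pass; a single
    passing test is not enough, because either one can succeed for unrelated
    reasons (public DNS answering, or a DC reachable over VPN split tunnels)."""
    dns_ok = dns_test(domain, resolver)
    dc_ok = dc_connectivity_test(dc_hosts, connect=connect)
    return {"dns": dns_ok, "dc": dc_ok,
            "location": "internal" if (dns_ok and dc_ok) else "external"}


if __name__ == "__main__":
    # Constructed probe results standing in for a real network (hypothetical names).
    fake_resolver = lambda name: "10.0.0.5"
    fake_connect = lambda host, port: host == "dc1.corp.example"
    print(resolve_network_location("corp.example",
                                   ["dc1.corp.example", "dc2.corp.example"],
                                   resolver=fake_resolver, connect=fake_connect))
```

A check like this is a convenience signal, not an authentication of the network: anything that can answer the DNS query and accept a connection on the probe port would satisfy it, so policy that relaxes protection based on an "internal" verdict should be reviewed with that in mind.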
Mac
| Mac Agent Feature | Description |
|---|---|
| Dormant Malware Scanning | In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine Mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types are excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files. |
Linux
| Linux Agent Feature | Description |
|---|---|
| Agent Installation through Package Manager | You can now create Cortex XDR agent installation packages in .rpm or .deb formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously. For the detailed workflow, see Create an Agent Installation Package. |
| Enhanced Support for Temporary Network Workloads | For Cortex XDR agents deployed on temporary instances spawned from/on a Linux virtual machine, you can now use a temporary workload installation to ensure the Cortex XDR agent license returns to the license pool after 90 minutes of session inactivity. Using the new Cortex XDR agent installation options, you can choose your preferred workflow: See the Cortex XDR agent administrator’s guide for Linux for more information. |
| Dynamic Upload of Kernel Modules for Cortex XDR Agents | The Cortex XDR agent kernel modules for Linux endpoints are now uploaded dynamically on the endpoint, ensuring the agent retrieves from Cortex XDR only new and updated agent kernel modules that were specifically compiled for the current distribution and version running on the endpoint. Removing the kernel modules from the agent installation package and delivering them through content updates instead eliminates the need to upgrade the agent in order to obtain them, and significantly reduces the size of the agent installation package. If no kernel modules are available for the endpoint, the agent operates in asynchronous mode on the endpoint and reports the corresponding agent operational status back to Cortex XDR. |
| Enhanced Local Privilege Escalation Protection Module | The Local Privilege Escalation Protection module for the Cortex XDR agent has been significantly improved. The new kernel-based mechanism prevents attacks synchronously at their earliest stage, while covering a broader range of attack vectors and detecting advanced techniques. |
| New Distribution Support | You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, and SUSE 15 SP1 distributions. See known issues for these distributions. The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected. EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions. Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12. For full compatibility information, see the Compatibility Matrix. |
Android
| Android Agent Feature | Description |
|---|---|
| New Deployment Options for MDM | You can now deploy the Cortex XDR Agent app to multiple devices without requiring the end user to enter data by using the following options in your managed configuration profile: For more information, refer to the Cortex XDR Agent Administrator Guide. |