Features Introduced in Cortex XDR Agent 7.1

Describes the new features introduced in Cortex XDR agent 7.1 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.1 releases according to the supported agent operating systems.

Features Introduced in Cortex XDR Agent 7.1.3

Agent Features
Description
Enhanced Cortex XDR Agent Alerts
When the Cortex XDR agent triggers an alert for Behavioral threat protection rules associated with MITRE ATT&CK tactics and MITRE ATT&CK techniques, the tactics and technique are now reported and visible in Cortex XDR.

Features Introduced in Cortex XDR Agent 7.1.2

Agent Features
Description
Extended Protection for Additional Kernels Running on Linux RHEL6 and CentOS6
The Cortex XDR agent 7.1.0 and later release now extends its protection capabilities to Linux endpoints running RHEL6 or CentOS6 with kernel versions 2.6.32-573 or later. These protection capabilities include Behavioral Threat Protection, ELF file analysis, and endpoint data collection and sharing for EDR. For all supported kernel versions, see Supported kernel versions.
Support for SUSE Linux Enterprise Server 15 SP0
You can install the Cortex XDR agent 7.0.3 on Linux endpoints running SUSE 15 SP0. To enable the Cortex XDR agent to work in synchronous mode, you must disable UEFI Secure Boot on the endpoint. For more details, see known issue CPATR-6346.

Features Introduced in Cortex XDR Agent 7.1.1

Feature
Change to Behavior
Support for SUSE Linux Enterprise Server 11 SP4
You can now install the Cortex XDR agent 7.1.1 and later releases on endpoints running SUSE Linux Enterprise Server 11 SP4.
For full compatibility information, see the Compatibility Matrix.

Features Introduced in Cortex XDR Agent 7.1

Cross-Platform Features

Cross-Platform Agent Features
Description
Script Execution
(
Requires a Cortex XDR Pro Per Endpoint license
)
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
Full Visibility into the Cortex XDR Agent Operational Status
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
  • Protected
    —Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected
    —Indicates that the Cortex XDR agent reported Cortex XDR one or more exceptions.
  • Unprotected
    —Indicates that the Cortex XDR agent reported Cortex XDR exceptions about the Malware protection module, and Behavioral threat protection or Exploit modules.
You can monitor the operational status of your endpoints from the
Endpoint Administration
table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
MAC Address Reporting
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Incremental Content Updates
Content updates are delivered to the agent in parts and not as a single file, allowing the agent to retrieve only the updates and additions it needs. Cortex XDR now delivers incremental content updates default to Cortex XDR agents running on Windows, Mac, and Linux endpoints and support both direct and P2P content updates.
Content Rollout Control
You can now control the content roll-out for your Cortex XDR agents by disabling or delaying automatic content updates. This is useful for example if your organization is in a change-freeze period, or if you want to deploy new content in stages within the organization.
When you disable automatic content updates, the agent stops retrieving content updates from Cortex XDR and keeps working with the current content installed on the endpoint. When you delay content updates, the Cortex XDR agent will retrieve the content update according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours. You can disable or delay content updates for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
When your Cortex XDR agents are not using the latest content provided by Palo Alto Networks, it may affect the security level in your organization.
To configure the content rollout for your agents, see Add a New Agent Settings Profile..
Restricting Response Actions on the Endpoint
If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.

Windows

Windows Agent Feature
Description
User-Initiated Endpoint Scan
You can now initiate an on-demand file scan from a Windows endpoint and get an immediate verdict from WildFire, before the file is ever executed on the endpoint. To initiate the scan, you can right-click a file or folder on the endpoint and select
Scan with Cortex XDR
. You can monitor the progress of a scan from the Cortex XDR agent console and view the verdict results for completed scans. On-demand scans support the same file types as scheduled scans: Microsoft Office files with macros, DLLs, and executables. You can scan up to 100 items simultaneously, including files or folders. If you scan an unsupported file type, the Cortex XDR agent console will not show a notification for it, and the file will be considered non-malicious.
Disk Encryption Using BitLocker
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to your enforce the BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
  • The current network location of the device (inside or outside the network).
  • The direction of the communication on the device (inbound or outbound).
  • IP address or IP address ranges.
  • Ports or port ranges.
  • The communication protocol (ICMP, TCP, UCP, and ICMPv6).
  • Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Network Location Resolution for Windows Endpoints
Cortex XDR can now determine whether the Cortex XDR agent is within the organization network or outside. To determine the current network location of a device, Cortex XDR performs a domain controller connectivity test and DNS test.
Aggressive Ransomware Protection
If you suspect your network has been infected with ransomware, you can now apply
Aggressive
protection mode to your Windows endpoints. When set to
Aggressive
protection mode, Ransomware Protection exposes more applications in your environment to the Cortex XDR agent decoy files to increase the module coverage. This could result in more cases where benign applications and users will report that the decoy files are visible on the endpoint.
To enable
Aggressive
Ransomare Protection, change your Malware security profile settings.

Mac

Mac Agent Feature
Description
Dormant Malware Scanning
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files.

Linux

Linux Agent Feature
Description
Agent Installation through Package Manager
You can now create Cortex XDR agent installation packages in
.rpm
or
.deb
formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package.
Enhanced Support for Temporary Network Workloads
For Cortex XDR agents deployed on temporary instances spawned from/on a Linux virtual machine, you can now use a temporary workload installation to ensure the Cortex XDR agent license returns back to the license pool after 90 minutes of session inactivity. Using the new Cortex XDR agent installation options, you can choose your preferred workflow:
  • Pre-install method
    —Install the Cortex XDR agent only on the Linux machine you are using to create the VM template. Every instance you create using this template, will include the pre-installed Cortex XDR agent.
  • Fresh install
    —Install the Cortex XDR agent on the Linux VM after it was spawned from the VM template, as part of provisioning.
See the Cortex XDR agent administrator’s guide for Linux for more information.
Dynamic Upload of Kernel Modules for Cortex XDR Agents
The Cortex XDR agent kernel modules for Linux endpoints are now uploaded dynamically on the endpoint, ensuring the agent retrieves from Cortex XDR only new and updated agent kernels that were specifically compiled for the current distribution and version running on the endpoint. Removing the kernel modules from the agent installation package and delivering them through content updates instead eliminates the need to upgrade the agent in order to obtain them, as well as significantly reduces the size of the agent installation package.
If no kernel modules are available for the endpoint, then the agent operates in asynchronous mode on the endpoint and reports the corresponding agent operational status back to Cortex XDR.
Enhanced Local Privilege Escalation Protection Module
The Local Privilege Escalation Protection module for the Cortex XDR agent has been significantly improved. The new kernel-based mechanism prevents attacks synchronously at their earliest stage, while covering a broader range of attack vectors and detecting advanced techniques.
New Distribution Support
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, and SUSE 15 SP1 distributions. See know issues for these distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.

Recommended For You