Features Introduced in Cortex XDR Agent 7.3

Describes the new features introduced in Cortex XDR agent 7.3 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.3 releases, grouped by supported agent operating system.

Features Introduced in Cortex XDR Agent 7.3

Windows Features

Feature
Description
Unpatched Vulnerabilities Protection (Windows)
(Requires a Cortex XDR agent 7.1 or a later version)
Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center.
For Cortex XDR agent 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile temporarily modifies IPv4 and IPv6 settings on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to the values they had before modification.
Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and impact this workaround could have on your network.
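To see on a given endpoint whether such temporary settings are currently in effect, and whether a post-February-2021 update has landed, the following PowerShell snippet is an added example (not Palo Alto Networks code and not the agent's own logic). It reads the two global TCP/IP parameters that Microsoft's advisories for CVE-2021-24074 (IPv4 source routing behaviour) and CVE-2021-24086/CVE-2021-24094 (IPv6 fragment reassembly limit) name as workaround settings; that these are the settings the agent modifies is an assumption, since the page itself does not list them. The function names are ours, and it expects an elevated prompt and English netsh output.

```powershell
# Added example, not Palo Alto Networks code. Reads the global TCP/IP settings that
# Microsoft's advisories name as temporary workarounds for CVE-2021-24074 (IPv4
# source routing) and CVE-2021-24086 / CVE-2021-24094 (IPv6 fragment reassembly).
# ASSUMPTION: these are the settings the agent adjusts on unpatched hosts; the
# release note does not enumerate them. Run from an elevated PowerShell prompt.
# Parameter names below are the English netsh labels; localized builds differ.

function Get-NetshGlobalValue {
    param(
        [Parameter(Mandatory)][ValidateSet('ipv4', 'ipv6')][string]$Family,
        [Parameter(Mandatory)][string]$Name
    )
    # 'netsh interface <family> show global' prints "Name : value" lines.
    $lines = & netsh.exe interface $Family show global 2>$null
    $match = $lines |
        Where-Object { $_ -match "^\s*$([regex]::Escape($Name))\s*:" } |
        Select-Object -First 1
    if (-not $match) { return $null }
    return ($match -split ':', 2)[1].Trim()
}

function Get-TcpIpWorkaroundState {
    $srcRouting = Get-NetshGlobalValue -Family ipv4 -Name 'Source Routing Behavior'
    $reassembly = Get-NetshGlobalValue -Family ipv6 -Name 'Reassembly Limit'

    # Heuristic only: the fixes shipped in the February 2021 cumulative updates
    # (2021-02-09). A newer installed update is a hint, not proof, that the host
    # is patched; confirm the exact KB for the OS build against the Microsoft
    # Security Response Center.
    $latestUpdate = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        SourceRoutingBehavior   = $srcRouting
        SourceRoutingWorkaround = ($srcRouting -eq 'drop')     # 'dontforward' is the Windows default
        Ipv6ReassemblyLimit     = $reassembly
        ReassemblyWorkaround    = ($reassembly -match '^0\b')  # 0 disables IPv6 fragment reassembly
        LatestUpdateId          = $latestUpdate.HotFixID
        LatestUpdateInstalledOn = $latestUpdate.InstalledOn
        LikelyPatched           = ($latestUpdate.InstalledOn -ge [datetime]'2021-02-09')
    }
}

# Example run: on a patched host where the agent has reverted its changes,
# both *Workaround fields should read False.
Get-TcpIpWorkaroundState | Format-List
```

Both workaround flags True together with LikelyPatched False is what you would expect on an unpatched endpoint while the protection is active; both False after patching is consistent with the automatic revert the note describes. Treat LikelyPatched as a prompt to check the specific KB, not as a verdict.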
Remote Malicious Causality Chains Response
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypt endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
You can view the list of all blocked IP addresses per endpoint from the Cortex XDR Action Center, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile, where you can also add a specific, known-safe IP address or IP address range to the IP addresses allow list. This capability is supported for IPv4 network connections only.
When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Live Terminal Enhancements (Windows and Mac)
To improve end-user awareness and visibility, when you initiate a Live Terminal session from Cortex XDR to the endpoint you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking indicator on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to show the end user that a live terminal session is in progress. Both settings are optional, and you can configure them independently.
Enhanced Local Analysis Prevention
The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Vulnerable Drivers Protection
Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security Profile.
By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module. If needed, you can also configure exceptions to allow specific drivers to run.
Device Control for VDI
Cortex XDR now extends the Device Control policy for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB devices that were connected before the agent began enforcing the Device Control policy rules are not blocked after the fact.
Note the following limitations:
  • Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules.
  • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.

Mac Features

Feature
Description
Network Isolation of Endpoints (macOS 10.15.4 and later)
Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
Note the following limitations:
  • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List.
  • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Search and Destroy Malicious Files on Endpoints (macOS 10.15.4 and later)
(Requires a Cortex XDR Pro per Endpoint license and the Host Insights add-on)
Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
Live Terminal Enhancements (Windows and Mac)
To improve end-user awareness and visibility, when you initiate a Live Terminal session from Cortex XDR to the endpoint you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking indicator on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to show the end user that a live terminal session is in progress. Both settings are optional, and you can configure them independently.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Agent Installation Using a Unified Configuration Profile File for MDMs
For a seamless installation of the Cortex XDR agent that does not require end-user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to any third-party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile if you prefer, or are required, to sign it with your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs.

Linux Features

Feature
Description
Peer-to-Peer Content Distribution (Mac and Linux)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Custom Agent Installation Directory
You can now install your Cortex XDR agent in a custom directory on the endpoint instead of using the default ./opt directory. To do this, set the custom path in the new installation variable --install-path=/<some/path>. After you install the Cortex XDR agent to the custom path, all subsequent upgrades and the removal of the agent from the endpoint are executed in the same location.
New Operating Systems Support
You can now install the Cortex XDR agent on Linux endpoints that are running on:
  • Debian 10, openSUSE Leap 15.1, or SUSE 15 SP2.
  • Ubuntu Server 16, Ubuntu Server 18, and Ubuntu Server 20 with AWS kernel modules.
For all supported kernel versions, see the Latest kernel module version support.
