Features Introduced in Cortex XDR Agent 7.4

The following topics describe the new features introduced in the Cortex XDR agent 7.4 releases, grouped by supported agent operating system.

Features Introduced in Cortex XDR Agent 7.4.2

The following feature was added to Cortex XDR agents running on Windows endpoints:

Feature: Microsoft Exchange Vulnerability Protection (requires Cortex XDR agent 7.4.2 and PTU 193-68672)

Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address the vulnerability known as ProxyShell (CVE-2021-34473).
The Cortex XDR agent provides additional coverage to identify known public POCs of the Microsoft Exchange SSRF vulnerability associated with CVE-2021-34473 and ProxyShell. Two new Behavioral Threat Protection alerts have been added to address these exploitation attempts:
  • exchange_autodiscover_cve_2021_34473_unpatched_server—When using PTU 193-68672, this rule reports unpatched endpoints that are under attack so you can patch them and mitigate the risk. Palo Alto Networks strongly recommends that you do not disable these notifications until your endpoint is patched.
  • exchange_autodiscover_cve_2021_34473_patched_server—Reports already patched endpoints where an exploitation attempt took place but failed because the machine is patched. This low-severity alert is designed to inform you that your endpoint was targeted and requires no immediate action. You can disable this alert directly from Cortex XDR if you are no longer interested in receiving it.
To enable the Cortex XDR agent to generate these alerts, follow these steps:
  1. Ensure Behavioral Threat Protection (BTP) rules are enabled in your Malware Security profile.
  2. Verify that the content version number on the endpoint is PTU 193-68672. You can do so either from the Endpoint Administration page or by running the cytool info query command on the endpoint. If the content version is different, perform a check-in from the Cortex XDR agent console to retrieve the latest PTU version.
  3. Check the Cortex XDR agent version running on the endpoint. If the agent has already been upgraded to 7.4.2, you must restart the Cortex XDR agent so that when the w3wp process is launched, the new policy is already in place and applied. If an earlier agent version is running on the endpoint, upgrade the Cortex XDR agent to the 7.4.2 release; no agent restart is needed in that case.
  4. Restart Microsoft Internet Information Services (IIS) on the endpoint using the iisreset command. The Cortex XDR agent rules work only with the default installation paths for Exchange Server and IIS.
  5. The new BTP rules are applied by default.
  6. For your patched endpoints, you can stop receiving alerts by right-clicking an alert generated by the exchange_autodiscover_cve_2021_34473_patched_server rule in Cortex XDR and selecting Exclude Alert.

Features Introduced in Cortex XDR Agent 7.4.1

No new features were introduced in this release.

Features Introduced in Cortex XDR Agent 7.4

Cross-Platform Features

The following features were added to Cortex XDR agents running on Windows, Mac, and Linux endpoints:

Feature: Cortex XDR Agent Installer and Content Caching on the Broker VM (requires Broker VM 12.0.58 and later)

To reduce external bandwidth usage and the time required for Cortex XDR agent installations, upgrades, and content updates, Cortex XDR now offers an additional option to cache the files on your Cortex XDR Broker VM.
When both the P2P and Broker VM download sources are selected, the agent first queries a peer agent for the files. If the files are unavailable or the process fails, the agent queries the Broker VM, which stores the files for a 30-day retention period counted from the last time an agent requested them. If the download from the Broker VM fails as well, the agent retrieves the files directly from the Cortex XDR server. The option to retrieve the files from the server is always enabled.
To enable the Broker VM caching option, you must first:
  1. In your Broker VM settings, configure an FQDN address and enable agent caching in your Local Agent applet.
  2. In your Agent Settings profile, add Broker VM as a Download Source and configure the Broker VM FQDN address.
For the detailed workflow on how to set up caching on the Broker VM, refer to the Cortex XDR administrator’s guide.

Feature: Peer-to-Peer Distribution of Cortex XDR Agent Installers

To reduce bandwidth load when distributing installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now uses P2P distribution for agent installers in addition to content updates. In your Agent Settings profile, you can choose the download sources from which agents retrieve release upgrades and content updates: P2P, the Palo Alto Networks Broker VM, and the Cortex XDR server. Peer-to-peer distribution is enabled by default in the Agent Settings profile and requires that you allow UDP and TCP over port 33221 (you can change this port number later through the Agent Settings profile).

Windows Features

The following features were added to Cortex XDR agents running on Windows endpoints:

Feature: Cortex XDR Agent Deployment with Installer and Content Update Package

To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR now offers a combined agent installation and content update package. The package includes the agent installer and the latest supported content available at the time of the bundle download, eliminating the content update download phase from the Cortex XDR server after agent installation. You can deploy the package using a third-party tool such as SCCM, or manually on the endpoint.
For more information on the installation process, refer to the Cortex XDR Agent administrator’s guide.

Feature: Improved Accuracy for Malware Protection

Starting with this release, WildFire introduces analysis scores for files with a Benign verdict to indicate the level of confidence WildFire has in that verdict. For example, a file by a trusted signer or a file that was tested manually receives a high-confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing receives a lower-confidence Benign score. Files with a low confidence score are displayed as Benign Low Confidence (LC).
When Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
As soon as you deploy your Cortex XDR 7.4 agents, Cortex XDR enforces this new behavior according to the settings you already have in your existing Malware Security profile for files unknown to WildFire. If you want to change it, you need to change the existing settings.

Feature: Device Control Enforcement on Previously Connected USB Devices

When the Cortex XDR agent starts enforcing Device Control on the endpoint, it now enforces the policy rules not only on newly connected devices but also on devices that were connected to the endpoint before policy enforcement was applied.

Mac Features

The following features were added to Cortex XDR agents running on Mac endpoints:

Feature: Native Support for Apple M1

Starting with this release, you can install the Cortex XDR agent on macOS-based devices with Apple M1. To resolve issues that could occur, refer to the Cortex XDR 7.4 agent list of known issues.

Feature: Context-based Global Exceptions for the Gatekeeper Enhancement Protection Module

Now, when the Cortex XDR Gatekeeper Enhancement security module raises an alert, you can create a global exception for that specific source-child combination only, while Cortex XDR continues to enforce the Gatekeeper Enhancement protection module on the source process when it runs other child processes.

Feature: Cortex XDR Agent Silent Uninstall

Starting with this release, when you uninstall the Cortex XDR agent from the Cortex XDR management console, the process is silent and does not prompt the end user for approval on the endpoint.

Linux Features

No additional features were added to Cortex XDR agents running on Linux endpoints.
