Features Introduced in Cortex XDR Agent 7.4

Describes the new features introduced in Cortex XDR agent 7.4 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.4 releases according to the supported agent operating systems.

Features Introduced in Cortex XDR Agent 7.4

Cross-Platform Features

The following features were added to Cortex XDR agents running on Windows, Mac, and Linux endpoints:
Feature
Description
Cortex XDR Agent Installer and Content Caching on the Broker VM
(
Requires Broker VM 12.0.58 and later
)
To reduce external bandwidth usage and time required for Cortex XDR agent installations, upgrades, and content updates, Cortex XDR now offers an additional option to cache the files on your Cortex XDR Broker VM.
When both P2P and Broker VM download sources are selected, the agent first queries a peer agent for the files. If the files are unavailable or the process fails, the agent queries the Broker VM where the files are stored for a 30-days retention period since an agent last asked for them. If the download from the Broker VM fails as well, the agent retrieves the files directly from the Cortex XDR server. The option to retrieve the files from the Server is always enabled.
To enable the Broker VM caching option, you must first:
  1. On your Broker VM settings, configure an FQDN address and enable agent caching in your
    Local Agent
    applet.
  2. In your Agent Settings profile, add Broker VM as a
    Download Source
    and configure the Broker VM FQDN address.
For the detailed workflow on how to set up caching on the Broker VM, refer to the Cortex XDR administrator’s guide.
Peer-to-Peer Distribution of Cortex XDR Agent Installers
To reduce bandwidth load when distributing installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now leverages P2P distribution to include agent installers, in addition to content updates. In your Agent Settings profile, you can choose the download source from which agents retrieve release upgrades and content updates: P2P, Palo Alto Networks Broker VM, and the Cortex XDR server. Peer-to-peer distribution is enabled by default in the Agent Settings profile, and requires that you enable UDP and TCP over port 33221 (You can change this port number later on through the Agent Settings profile).

Windows Features

The following features were added to Cortex XDR agents running on Windows endpoints:
Feature
Description
Cortex XDR Agent Deployment with Installer and Content Update Package
To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR now offers an agent installation and content update package. The package includes the agent installer and the latest supported content available at the time of the bundle download, eliminating the Content Update download phase from the Cortex XDR Server post agent installation. You can deploy the package using a third party tool such as SCCM, or manually on the endpoint.
For more information on the installation process, refer to the Cortex XDR Agent administrator guide.
Improved Accuracy for Malware Protection
Starting with this release, WildFire introduces analysis scores for files with Benign verdict to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually would get a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing would get a lower confidence Benign score. Files with a low confidence score are displayed as Benign Low Confidence (LC).
When Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
As soon as you deploy your Cortex XDR 7.4 agents, Cortex XDR will enforce this new behavior according to the settings you already have in your existing Malware Security profile for files unknown to WildFire. If you want to change it, you need to change the existing settings.
Device Control Enforcement on Previously Connected USB Devices
When the Cortex XDR agent starts enforcing Device Control on the endpoint, it now enforces the policy rules not only on newly connected devices, but also on devices that were previously connected to the endpoint before the policy enforcement was applied.

Mac Features

The following features were added to Cortex XDR agents running on Mac endpoints:
Feature
Description
Native Support for Apple M1
Starting with this release, you can install the Cortex XDR agent on macOS based devices with Apple M1. To resolve issues that could occur, refer to the Cortex XDR 7.4 agent list of known issues.
Context-based Global Exceptions for the Gatekeeper Enhancement Protection Module
Now when the Cortex XDR Gatekeeper Enhancement security module raises an alert, you can create a global exception for this specific source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.
Cortex XDR Agent Silent Uninstall
Starting with this release, when you uninstall the Cortex XDR agent from the Cortex XDR management console, the process is silent and does not prompt the end-user for approvals on the endpoint.

Linux Features

No additional features were added to Cortex XDR agents running on Linux endpoints.

Recommended For You