Features Introduced in Cortex XDR Agent 7.5

Describes the new features introduced in Cortex XDR agent 7.5 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.5 releases according to the supported agent operating systems.

Features Introduced in Cortex XDR Agent 7.5.1

No new features were introduced in this release.

Features Introduced in Cortex XDR Agent 7.5

Cross-Platform Features

The following features were added to Cortex XDR agents running on Windows, Mac, and Linux endpoints:
Improved Security Content
(Starting with PTU 200 and later)
To ensure your network is constantly protected against the latest threats in the wild, the Cortex XDR research team now releases more frequent content updates in between major content versions. When you enable minor content updates, the Cortex XDR agent receives them starting with the next content release. If you do not enable minor content updates, your Cortex XDR agents continue to receive only major content releases, which usually occur on a weekly basis.
The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release and incremented by one for each minor release. For example, 180-<build_num> and 190-<build_num> are major releases, while 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
To enable this capability, you need to update the Global Agent Settings for your tenant.
Simplified Network Bandwidth Allocation for Security Content Updates
For optimized performance and reduced bandwidth consumption, ensure you install new agents with the distribution package available for Windows Cortex XDR agents 7.3 and later. Otherwise, if you deploy the agent installer via SCCM, it is recommended to configure the bandwidth you allocate in your organization for the Palo Alto Networks security content updates. Cortex XDR now provides two recommendations, based on the number of agents you want to update (active or future agents) and on the time frame within which you want the update to complete (a day or a week). You can choose one of the recommended values or enter one of your own, between 20 and 10000 Mbps.
To adjust your settings, update the Global Agent Settings for your tenant.
Gradual Rollout for Automatic Agent Upgrades
To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
Granular Exceptions for BTP Alerts
You now have the option to create more granular Behavioral Threat Protection (BTP) exceptions for BTP alerts. These new additional BTP exceptions include the following Causality Group Owner (CGO) attributes:
  • CGO hash value
  • CGO signer entity (for Windows and Mac only)
  • CGO process path—directory path of the CGO process.
  • CGO command arguments—if a CGO process path is selected.
All previous BTP exception options are still available as usual.

Windows Features

The following features were added to Cortex XDR agents running on Windows endpoints:
New Comprehensive Forensics Add-On
(Requires a Forensics add-on license and a Cortex XDR agent 7.4 or later)
Cortex XDR now offers a new add-on that enables you to perform comprehensive forensic investigations on your Windows endpoints.
With its deep data collection, the Forensics add-on enables you to find the source and scope of an attack, and to determine what data, if any, was accessed. As an end-to-end solution, Cortex XDR Forensics helps you with every step of an incident response, from data collection and analysis to threat hunting and remediation.
Using a host timeline, you can view user activity across multiple forensic artifacts in a single table. For a more detailed view, right-click on any row in the timeline for a complete listing of all fields for that item. The historical artifacts collected by the Forensics add-on can provide investigators with insight into Windows file access and process execution, even for files and executables that have been deleted from the host.
The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, so you can get a complete holistic picture of an endpoint.
You can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud and identity data.
You can access the Forensics add-on from the Add-Ons tab, under which the Host Insights add-on is also available (if licensed). Also, the configuration options that were previously labeled as Forensics are now labeled as Alerts Data.
Enhancements to the Cortex XDR Host Firewall
Now the Cortex XDR host firewall offers improved enforcement capabilities, better policy management, and greater visibility and troubleshooting capabilities into your network:
  • Rules enforcement—The Cortex XDR host firewall rules are integrated with the Windows Security Center, and you can configure rules for all IP protocols, using multiple IP address notations, and more parameters.
  • Policy management—The policy now consists of rule groups that are reusable across all profiles, and there are default inbound and outbound rule groups provided by Palo Alto Networks. Additionally, you can import your rules directly into Cortex XDR.
  • Visibility and troubleshooting—The Cortex XDR agent now reports aggregated host firewall enforcement events, and you can also view every single action the agent performed in your network by retrieving a detailed log file. For Cortex XDR Pro customers, the host firewall events are now also queryable via XQL to enable data and network analysis.
For more details, refer to the Cortex XDR administrator guide.
Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
Network Packet Inspection Engine
To address the threats surfacing with the growing remote workforce in your organization and the expanding corporate network boundaries, the new Network Packet Inspection Engine provides coverage at the network level. By analyzing network packet data, the Cortex XDR agent can detect malicious behavior and block it or report it back to Cortex XDR.
The new engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team.
To enable this capability, edit your Malware Security Profile settings.
Separate Actions for Files Unknown to WildFire and Files with Benign LC Score
To better manage your anti-malware flow, you can now configure separate actions for files that are unknown to WildFire and files with Benign Low Confidence score. To adjust your settings, refer to the Malware Security Profile settings.
Configurable Device Control Enforcement Pop-Up Message
You can now personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode.
To enable this, refer to your Agent Settings Profile.
Support for Azure-based Virtual Environments
Support is now available for Cortex XDR agents running on Microsoft Azure-based VMs and virtual desktops (WVD or AVD).
Microsoft Exchange Vulnerability Protection
(Requires PTU 193-68672, or PTU 194-68995 and later)
Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address the vulnerability known as ProxyShell CVE-2021-34473.
The Cortex XDR agent provides additional coverage to identify known public POCs of the Microsoft Exchange SSRF Vulnerability associated with CVE-2021-34473 and ProxyShell. Two new behavioral threat protection alerts have been added to address these exploitation attempts:
  • exchange_autodiscover_cve_2021_34473_unpatched_server—When using PTU 193-68672, this rule reports unpatched endpoints that are attacked so you can proceed to patch them and mitigate the risk. Palo Alto Networks strongly recommends that you do not disable these notifications until your endpoint is patched. When using PTU 194-68995 or a later version, this rule blocks the attack on the endpoint and is named sync.exchange_autodiscover_cve_2021_34473_unpatched_server. The content version at the time of the event determines whether the attack was only reported or actually prevented.
  • exchange_autodiscover_cve_2021_34473_patched_server—Reports already patched endpoints where an exploitation attempt took place but failed because the machine is patched. This low severity alert is designed to inform you that your endpoint was targeted and requires no immediate action. You can disable this alert directly from Cortex XDR if you are no longer interested in receiving it.
To enable the Cortex XDR agent to generate these alerts, follow these steps:
  1. Ensure Behavioral Threat Protection (BTP) rules are enabled in your Malware Security Profile.
  2. Verify that the content version number on the endpoint is PTU 193-68672, or PTU 194-68995 and later. You can do so either from the Endpoint Administration page, or by running the cytool info query command on the endpoint. If the content version is different, perform a check-in from the Cortex XDR agent console to retrieve the latest PTU version.
  3. Check the Cortex XDR agent version running on the endpoint. If the agent has already been upgraded to 7.4.2, you must restart the Cortex XDR agent so that the new policy is already in place and applied when the w3wp process is launched. If an earlier agent version is running on the endpoint, upgrade the Cortex XDR agent to the 7.4.2 release; no agent restart is needed in that case.
  4. Restart Microsoft Internet Information Services (IIS) on the endpoint using the iisreset command. The Cortex XDR agent rules work only with the default installation paths for Exchange Server and IIS.
  5. The new BTP rules are applied by default.
  6. For your patched endpoints, you can stop receiving alerts by right-clicking an alert generated by the exchange_autodiscover_cve_2021_34473_patched_server rule in Cortex XDR and selecting Exclude Alert.

Mac Features

The following features were added to Cortex XDR agents running on Mac endpoints:
Extending Gatekeeper Protection to Bundles
The Cortex XDR Gatekeeper Enhancement protection module now also covers suspicious bundle executions.
Audit Log for Unauthorized Agent Shutdown
Now when a deliberate termination of the agent is detected on the endpoint, an audit log is reported to Cortex XDR.

Linux Features

The following features were added to Cortex XDR agents running on Linux endpoints:
Cortex XDR Agent for Kubernetes Hosts
(Requires a Cortex XDR Cloud per Host license)
Starting with this release, you can deploy the Cortex XDR agent as a DaemonSet on any Kubernetes cluster. Being natively integrated into Kubernetes through the DaemonSet, the agent provides visibility into containers and ensures full coverage of your critical production workloads.
To deploy the agent, you must have the new Cloud per Host license type and then create a Cortex XDR agent YAML installation package in Cortex XDR, which allows you to configure attributes such as the default namespace value and the nodeSelector. Once the Kubernetes agent is running on the endpoint, Cortex XDR displays the Kubernetes cluster and includes in the causality card a visual indication of processes that are running within containers, along with information about the container itself, such as its name, ID, and image.
For more information, refer to Cortex XDR agent administrator guide.
Quarantine Malicious ELF Files
You can now configure your anti-malware flow to automatically quarantine malicious ELF files. To enable this capability, adjust your Malware Security Profile settings.
Improved Logs Protection
The Cortex XDR agent logs directory is now accessible to privileged users only.
