Features Introduced in Cortex XDR Agent 7.6

The following topics describe the new features introduced in Cortex XDR agent 7.6 releases, grouped by supported agent operating system.

Cross-Platform Features

The following features were added to Cortex XDR agents running on Windows, Mac, and Linux endpoints:
Informative BTP Rule Alert Names and Descriptions
Requires a Cortex XDR Pro license
Behavioral threat protection (BTP) alerts now have unique, informative names and descriptions, so that an event is clear at a glance without drilling down into each alert:
  • Alert names have been completely revised.
  • New alert descriptions are now displayed alongside the existing descriptions. The module name remains Behavioral threat protection.
To start displaying the new BTP rule alert names and descriptions, enable this capability in your global agent settings. After you update the settings, new alerts include the changes, while alerts that already exist remain unaffected.
If you have Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR or a third-party SIEM that match on BTP alert names or descriptions, update them before you activate the feature. For example, because the previous description text is preserved inside the new description, change a query that requires an exact match on the old description into one that matches it as a substring.
Improved Security Content
Starting with PTU 200 and later
To keep your network protected against the newest threats in the wild, the Cortex XDR research team now releases more frequent content updates between major content versions. When you enable minor content updates, the Cortex XDR agent receives them starting with the next content release. If you do not enable minor content updates, your Cortex XDR agents keep receiving only the major content releases, which usually occur weekly.
The content version numbering format remains XXX-YYYY, where XXX is the version and YYYY is the build number. Major and minor releases are distinguished by XXX: each major release moves to the next multiple of ten, and each minor release that follows increments it by one. For example, 180-<build_num> and 190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
To enable this capability, you need to update the Global Agent Settings for your tenant.
Simplified Network Bandwidth Allocation for Security Content Updates
For optimized performance and reduced bandwidth consumption, install new agents with the distribution package available for Windows Cortex XDR agents 7.3 and later. If you instead deploy the agent installer via SCCM, we recommend that you configure the bandwidth your organization allocates to Palo Alto Networks security content updates. Cortex XDR now provides two recommended values, calculated from the number of agents you want to update (active or future agents) and the time frame in which you want the update to complete (within a day or within a week). You can choose one of the recommended values or enter your own, between 20 and 10,000 Mbps.
To adjust your settings, update the Global Agent Settings for your tenant.
Gradual Rollout for Automatic Agent Upgrades
To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
Granular Exceptions for BTP Alerts
You now have the option to create more granular Behavioral Threat Protection (BTP) exceptions for BTP alerts. An exception can now also match on the following Causality Group Owner (CGO) attributes:
  • CGO hash value
  • CGO signer entity (Windows and Mac only)
  • CGO process path, the directory path of the CGO process
  • CGO command arguments, available only when a CGO process path is selected
All previous BTP exception options are still available as usual.

Windows Features

The following features were added to Cortex XDR agents running on Windows endpoints:
Supported Operating Systems
To expand operating system support, the Cortex XDR agent now supports Windows 11 and Windows Server 2022.
New Persistence Tables
Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows
To expand your forensics investigation capabilities, Cortex XDR introduces the following new persistence tables:
  • Drivers
  • Registry
  • Scheduled Tasks
  • Services
  • Shim Databases
  • Startup Folders
  • WMI
Permanently Delete Quarantined Files
To help you better manage malicious files which have been quarantined and avoid any potential mistake of restoring unwanted files, you can now permanently delete quarantined files on the endpoint from the File Quarantine Details page.
Agent Uninstall Password Security Enhancements
For an added layer of security when configuring the agent uninstall password, Cortex XDR now displays a password strength indicator, so that weak passwords cannot be set and unauthorized users cannot easily uninstall the Cortex XDR agent. When defining the Uninstall Password in the Agent Configurations page and in the Agent Settings profile, the selected password must now meet the Cortex XDR requirements enforced by the password strength indicator.
Malware Exception Profile Update Capabilities
To expand your endpoint management capabilities during investigation, Cortex XDR now enables you to add a file path to the allow list of your endpoint Malware Security Profile directly from the right-click pivot menu of the:
  • Alerts Table
  • Events table of a process causality node
  • XQL search result table
New Comprehensive Forensics Add-On
Requires a Forensics add-on license and a Cortex XDR agent 7.4 or later
Cortex XDR now offers a new add-on that enables you to perform comprehensive forensic investigations on your Windows endpoints.
With its deep data collection, the Forensics add-on enables you to find the source and scope of an attack and determine what data, if any, was accessed. As an end-to-end solution, Cortex XDR Forensics supports every step of incident response: data collection, analysis, threat hunting, and remediation.
Using a host timeline, you can view user activity across multiple forensic artifacts in a single table. For a more detailed view, right-click on any row in the timeline for a complete listing of all fields for that item. The historical artifacts collected by the Forensics add-on can provide investigators with insight into Windows file access and process execution, even for files and executables that have been deleted from the host.
The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, so you can get a complete holistic picture of an endpoint.
You can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud and identity data.
You can access the Forensics add-on from the Add-Ons tab, under which the Host Insights add-on is also available (if licensed). Also, the configuration options that were previously labeled as
are now labeled as Alerts Data.
Enhancements to the Cortex XDR Host Firewall
Now the Cortex XDR host firewall offers improved enforcement capabilities, better policy management, and greater visibility and troubleshooting capabilities into your network:
  • Rules enforcement
    —The Cortex XDR host firewall rules are integrated with the Windows Security Center, and you can configure rules for all IP protocols, using multiple IP address notations, and more parameters.
  • Policy management
    —Now the policy consists of rule groups that are reusable across all profiles, and there are default inbound and outbound rule groups provided by Palo Alto Networks. Additionally, you can import your rules directly into Cortex XDR.
  • Visibility and troubleshooting
    —The Cortex XDR agent now reports aggregated host firewall enforcement events, and you can also view all single activities the agent performed in your network by retrieving a detailed log file. For Cortex XDR Pro customers, the host firewall events are now also queryable via XQL to enable data and network analysis.
For more details, refer to the Cortex XDR administrator guide.
The Cortex XDR 3.0 host firewall includes new features that are supported only with Cortex XDR agents 7.6 and later, such as multiple IP addresses and reporting mode. On older agent releases, existing host firewall rules remain unaffected. However, if you create a rule in Cortex XDR 3.0, or edit a rule created in an older Cortex XDR release and add one of these unsupported parameters, an older agent may behave unexpectedly and the host firewall policy will be disabled on that endpoint.
Network Packet Inspection Engine
To address the threats that come with a growing remote workforce and expanding corporate network boundaries, the new Network Packet Inspection Engine adds coverage at the network level. By analyzing network packet data, the Cortex XDR agent can detect malicious behavior and either block it or report it back to Cortex XDR.
The new engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team.
To enable this capability, edit your Malware Security Profile settings.
Separate Actions for Files Unknown to WildFire and Files with Benign LC Score
To better manage your anti-malware flow, you can now configure separate actions for files that are unknown to WildFire and files with Benign Low Confidence score. To adjust your settings, refer to the Malware Security Profile settings.
Configurable Device Control Enforcement Pop-Up Message
You can now personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode.
To enable this, refer to your Agent Settings Profile.
Support for Azure-based Virtual Environments
Support is now available for Cortex XDR agents running on Microsoft Azure-based VMs and virtual desktops (Windows Virtual Desktop, now named Azure Virtual Desktop).
Microsoft Exchange Vulnerability Protection
Requires PTU 193-68672, or PTU 194-68995 and later
Palo Alto Networks strongly recommends that you install the Microsoft Exchange Server security updates as soon as possible to address the vulnerability known as ProxyShell (CVE-2021-34473).
The Cortex XDR agent provides additional coverage that identifies known public proof-of-concept exploits for the Microsoft Exchange SSRF vulnerability CVE-2021-34473 (ProxyShell). Two new behavioral threat protection rules address these exploitation attempts:
  • exchange_autodiscover_cve_2021_34473_unpatched_server
    —With PTU 193-68672, this rule reports unpatched endpoints that are being attacked so that you can patch them and mitigate the risk. Palo Alto Networks strongly recommends that you do not disable these notifications until the endpoint is patched. With PTU 194-68995 or later, this rule blocks the attack on the endpoint and runs under a different rule name. Because the same event is only reported or actually prevented depending on the content version, check the content version that was in effect at the time of the event.
  • exchange_autodiscover_cve_2021_34473_patched_server
    —Reports already patched endpoints where an exploitation attempt took place but failed because the machine is patched. This low-severity alert tells you that the endpoint was targeted and requires no immediate action. You can disable this alert directly from Cortex XDR if you no longer want to receive it.
To enable the Cortex XDR agent to generate these alerts, follow these steps:
  1. Ensure Behavioral Threat Protection (BTP) rules are enabled in your Malware Security Profile.
  2. Verify that the content version on the endpoint is PTU 193-68672, or PTU 194-68995 or later. You can check this from the Endpoint Administration page, or by running the cytool info query command on the endpoint. If the content version is older, perform a check-in from the Cortex XDR agent console to retrieve the latest PTU.
  3. Check the Cortex XDR agent version running on the endpoint. If the agent has already been upgraded to 7.4.2, restart the Cortex XDR agent so that the new policy is already in place and applied when the process is next launched. If an earlier agent version is running, upgrade the agent to the 7.4.2 release; no agent restart is needed in that case.
  4. Restart Microsoft Internet Information Services (IIS) on the endpoint from the command line. The Cortex XDR agent rules work only with the default installation paths for Exchange Server and IIS.
  5. The new BTP rules are applied by default.
  6. For your patched endpoints, you can stop receiving alerts by right-clicking an alert generated by the exchange_autodiscover_cve_2021_34473_patched_server rule in Cortex XDR and selecting Exclude Alert.
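Two version rules on this page are easy to get wrong by hand when triaging many endpoints: the XXX-YYYY major/minor numbering described under Improved Security Content, and the PTU 193-68672 (report only) versus PTU 194-68995 and later (block) threshold for the Exchange CVE-2021-34473 rules above. The following Python helper is an added example and is not Cortex XDR or Palo Alto Networks code. It parses content version strings, picks the next eligible content update depending on whether minor updates are enabled, and reports whether a given PTU only reports or blocks a CVE-2021-34473 exploitation attempt. The function names, the none/report/block labels, and the assumption that 193-* builds newer than 68672 still carry the report-only rule are this example's own.

```python
"""Cortex XDR content-version (PTU) arithmetic.

Added example, not Palo Alto Networks code. It encodes two rules from these
release notes: the XXX-YYYY numbering, where XXX is a multiple of ten for a
major content release and XXX+1, XXX+2, ... for its minor releases, and the
Exchange CVE-2021-34473 BTP rule that only reports with PTU 193-68672 and
blocks with PTU 194-68995 or later. Function names, the "none"/"report"/
"block" labels and the treatment of unlisted 193-* builds are assumptions.
"""
import re
from typing import Iterable, NamedTuple, Optional

# Accepts "194-68995" or "PTU 194-68995" (the form used in the release notes).
_VERSION_RE = re.compile(r"^\s*(?:PTU\s+)?(\d+)-(\d+)\s*$")


class ContentVersion(NamedTuple):
    version: int  # XXX: 190 = major, 191..199 = minors of 190
    build: int    # YYYY: build number

    @classmethod
    def parse(cls, text: str) -> "ContentVersion":
        """Parse an XXX-YYYY string; reject anything that does not match."""
        m = _VERSION_RE.match(text)
        if not m:
            raise ValueError(f"not a XXX-YYYY content version: {text!r}")
        return cls(int(m.group(1)), int(m.group(2)))

    @property
    def is_major(self) -> bool:
        # Major releases use a multiple of ten in the XXX field.
        return self.version % 10 == 0

    @property
    def major_base(self) -> int:
        """The major release this version belongs to (191 -> 190)."""
        return self.version - self.version % 10

    def __str__(self) -> str:
        return f"{self.version}-{self.build}"


def classify(text: str) -> str:
    """'major' or 'minor of <major>' for a content version string."""
    v = ContentVersion.parse(text)
    return "major" if v.is_major else f"minor of {v.major_base}"


def select_update(installed: str, available: Iterable[str],
                  minor_updates_enabled: bool) -> Optional[str]:
    """Pick the newest content version an agent would move to.

    With minor updates disabled the agent only takes major releases, so a
    newer minor build is skipped even though it sorts higher. Tuple ordering
    (version, build) gives the right "newer than" comparison.
    """
    current = ContentVersion.parse(installed)
    eligible = [
        v for v in map(ContentVersion.parse, available)
        if v > current and (minor_updates_enabled or v.is_major)
    ]
    return str(max(eligible)) if eligible else None


# Content versions named in the Exchange CVE-2021-34473 section.
_EXCHANGE_REPORT_ONLY = ContentVersion(193, 68672)
_EXCHANGE_BLOCKING = ContentVersion(194, 68995)


def exchange_cve_2021_34473_coverage(content: str) -> str:
    """What the exchange_autodiscover_cve_2021_34473_* rule does at this PTU.

    'block'  - PTU 194-68995 or later: the attack is prevented.
    'report' - PTU 193-68672 (assumed here to include later 193-* builds):
               the unpatched server is only reported as attacked.
    'none'   - older content: the rule is not present; check in for new PTU.
    """
    v = ContentVersion.parse(content)
    if v >= _EXCHANGE_BLOCKING:
        return "block"
    if v >= _EXCHANGE_REPORT_ONLY:
        return "report"
    return "none"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    for s in ("190-12345", "PTU 191-12345"):
        print(s, "->", classify(s))
    pool = ["181-200", "182-300", "190-400", "191-500"]
    print("minor updates off:", select_update("180-100", pool, False))
    print("minor updates on: ", select_update("180-100", pool, True))
    for s in ("192-60000", "193-68672", "PTU 194-68995"):
        print(s, "->", exchange_cve_2021_34473_coverage(s))
```

When reviewing an Exchange alert, feed the content version recorded on the alert (not the endpoint's current one) to `exchange_cve_2021_34473_coverage`: an endpoint that has since checked in to PTU 194-68995 may have been on report-only content when the event fired, which is exactly the distinction the section above warns about.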

Mac Features

The following features were added to Cortex XDR agents running on Mac endpoints:
Host Firewall macOS 11 Support and Enhancements
To streamline management of your host firewall rules and profiles, Cortex XDR now supports the host firewall on macOS 11 and later and introduces the following enhancements:
Host Firewall
  • Rule Platform Visibility
    Cortex XDR now displays the platform associated with each Host Firewall rule. In the Rules table of a Host Firewall Rules Group, a new field shows the operating systems to which a specific rule applies.
  • Improved New Policy Rule Creation
    Cortex XDR now enables you to create rules for the Windows and macOS platforms in the same window. When you create a rule of the applicable type, the macOS Settings section is enabled for you to define, in addition to the Windows Settings section.
macOS Host Firewall Profile
  • When editing or creating a macOS Host Firewall Profile, the configuration layout now matches the Windows profile window and lets you define Report Settings, Internal and External Rule Groups, and Rules.
    With the introduction of macOS 11 support, Host Firewall rules created for macOS 10 with Cortex XDR agent 7.5 and earlier are managed in the Legacy Host Firewall Rules section.
  • When editing or creating groups, Cortex XDR now displays the Applicable Rules Count field, which shows the number of rules in the group that apply to the profile's platform.
  • The View Rules table now displays the Group Name field and lists only the rules that apply to the profile's platform.
Cortex XDR Agent Tampering Protection for macOS
You can now prevent unauthorized access to and tampering with the Cortex XDR agent components on macOS. With this configuration, manual upgrades and changes to any of the agent daemons, files, or processes require the agent uninstall password.
Extending Gatekeeper Protection to Bundles
The Cortex XDR Gatekeeper Enhancement protection module now provides coverage also for suspicious bundle executions.
Audit Log for Unauthorized Agent Shutdown
Now when a deliberate termination of the agent is detected on the endpoint, an audit log is reported to Cortex XDR.

Linux Features

The following features were added to Cortex XDR agents running on Linux endpoints:
Cortex XDR Agent for Kubernetes Hosts
Requires a Cortex XDR Cloud per Host license
Starting with this release, you can deploy the Cortex XDR agent as a DaemonSet on any Kubernetes cluster. Because it is natively integrated into Kubernetes through the DaemonSet, the agent provides visibility into containers and ensures full coverage of your critical production workloads.
To deploy the agent, you must have the new Cloud per Host license type and then create a Cortex XDR agent YAML installation package in Cortex XDR, where you can configure attributes such as the default namespace and the nodeSelector. Once the Kubernetes agent is running on a node, Cortex XDR displays the Kubernetes cluster, and the causality card visually marks processes that are running within containers, including information about the container itself such as its name, ID, and image.
For more information, refer to Cortex XDR agent administrator guide.
Quarantine Malicious ELF Files
You can now configure your anti-malware flow to automatically quarantine malicious ELF files. To enable this capability, adjust your Malware Security Profile settings.
Improved Logs Protection
The Cortex XDR agent logs directory is now accessible only to privileged users.
