Features Introduced in Cortex XDR Agent 7.6
Describes the new features introduced in Cortex XDR agent 7.6 releases.
The following topics describe the new features introduced in Cortex XDR agent 7.6 releases, grouped by supported agent operating system.
Features Introduced in Cortex XDR Agent 7.6
The following features were added to Cortex XDR agents running on Windows, Mac, and Linux endpoints:
Informative BTP Rule Alert Names and Descriptions
(Requires a Cortex XDR Pro license)
Behavioral Threat Protection (BTP) alerts now have unique and informative names and descriptions, providing immediate clarity into the events without having to drill down into each alert.
To start displaying the new BTP rule alert names and descriptions, you must enable this capability in your global agent settings. Once you update the settings, new alerts include the changes, while existing alerts remain unaffected.
If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR or a third-party SIEM, update them to support the changes before activating the feature (for example, change the query to match on the previous description, which is still contained in the new description, instead of searching for an exact match).
Improved Security Content
*Starting with PTU 200 and later
To keep your network protected against the latest threats in the wild, the Cortex XDR research team now releases more frequent content updates between major content versions. When you enable minor content updates, the Cortex XDR agent receives them starting with the next content release. If you do not enable minor content updates, your Cortex XDR agents continue to receive only the major content releases, which usually occur weekly.
The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release and incremented by one for each minor release. For example, 180-<build_num> and 190-<build_num> are major releases, while 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
To enable this capability, you need to update the Global Agent Settings for your tenant.
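The version format above is what the agent reports and what the "Requires PTU ..." notes on this page are stated in, so it is worth being able to parse it mechanically, for instance when building an inventory report of which agents already run a given content release. The following is an added example, not code from Palo Alto Networks or the Cortex XDR product; it implements the numbering rule exactly as the paragraph states it (version dash build, majors are multiples of ten, minors increment by one), and the version strings in the `__main__` block are constructed samples. The `meets_minimum` helper treats a requirement as a list of minimum version-build pairs, any of which may be satisfied; that reading of "X, or Y and later" is an assumption on my part.

```python
import re
from typing import List, NamedTuple

# Content versions are written XXX-YYYY: XXX is the version, YYYY the build.
_VERSION_RE = re.compile(r"^(?P<version>\d+)-(?P<build>\d+)$")


class ContentVersion(NamedTuple):
    version: int  # the XXX part
    build: int    # the YYYY part

    @property
    def is_major(self) -> bool:
        # Major releases round the version up to the nearest ten (180, 190, ...).
        return self.version % 10 == 0

    @property
    def base_major(self) -> int:
        # The major release a minor release sits on: 181 and 182 -> 180, 191 -> 190.
        return self.version - self.version % 10

    def __str__(self) -> str:
        return f"{self.version}-{self.build}"


def parse_content_version(text: str) -> ContentVersion:
    """Parse 'XXX-YYYY' into its numeric parts; reject anything else."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a content version string: {text!r}")
    return ContentVersion(int(match["version"]), int(match["build"]))


def classify(text: str) -> str:
    """Return 'major' or 'minor (on major NNN)' for a content version string."""
    cv = parse_content_version(text)
    return "major" if cv.is_major else f"minor (on major {cv.base_major})"


def meets_minimum(installed: str, minimums: List[str]) -> bool:
    """True when the installed version is at or past any of the listed minimums.

    Tuples compare by version first and build second, so any build of a later
    version satisfies a minimum stated against an earlier version. Reading a
    requirement of the form "A, or B and later" as "at least A or at least B"
    is an assumption of this example.
    """
    have = parse_content_version(installed)
    return any(have >= parse_content_version(m) for m in minimums)


if __name__ == "__main__":
    # Constructed sample versions, not values taken from a real tenant.
    for sample in ("180-12345", "181-12346", "191-12400"):
        print(f"{sample} -> {classify(sample)}")
    # The minimums below mirror the format of the PTU requirement quoted on this page.
    print(meets_minimum("194-70000", ["193-68672", "194-68995"]))
```

Running the block prints the classification of the three constructed samples and `True` for the minimum check. Because `ContentVersion` is a plain tuple, a list of parsed versions sorts into release order with `sorted()` without any extra code.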
Simplified Network Bandwidth Allocation for Security Content Updates
For optimized performance and reduced bandwidth consumption, install new agents with the distribution package available for Windows Cortex XDR agents 7.3 and later. If you instead deploy the agent installer via SCCM, it is recommended to configure the bandwidth you allocate in your organization for Palo Alto Networks security content updates. Cortex XDR now provides two recommendations, based on the number of agents you want to update (active or future agents) and on the time frame within which you want the update to complete (a day or a week). You can choose one of the recommended values or enter your own, between 20 and 10,000 Mbps.
To adjust your settings, update the Global Agent Settings for your tenant.
Gradual Rollout for Automatic Agent Upgrades
To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
Granular Exceptions for BTP Alerts
You can now create more granular Behavioral Threat Protection (BTP) exceptions for BTP alerts. The additional BTP exception options include the following Causality Group Owner (CGO) attributes:
All previous BTP exception options are still available as usual.
The following features were added to Cortex XDR agents running on Windows endpoints:
Supported Operating Systems
To expand operating system support, the Cortex XDR agent now supports Windows 11 and Windows Server 2022.
New Persistence Tables
(Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows)
To expand your forensics investigation capabilities, Cortex XDR introduces the following new
Permanently Delete Quarantined Files
To help you better manage malicious files which have been quarantined and avoid any potential mistake of restoring unwanted files, you can now permanently delete quarantined files on the endpoint from the File Quarantine Details page.
Agent Uninstall Password Security Enhancements
For an added layer of security when configuring the agent uninstall password, Cortex XDR now displays a password strength indicator to help ensure that unauthorized users cannot uninstall the Cortex XDR agent.
When defining the Uninstall Password in the Agent Configurations page and the Agent Settings profile, the selected password must now meet the Cortex XDR requirements enforced by the password strength indicator.
Malware Exception Profile Update Capabilities
To expand your endpoint management capabilities during investigation, Cortex XDR now enables you to add a file path to the allow list of your endpoint Malware Security Profile directly from the right-click pivot menu of the:
New Comprehensive Forensics Add-On
(Requires a Forensics add-on license and a Cortex XDR agent 7.4 or later)
Cortex XDR now offers a new add-on that enables you to perform comprehensive forensic investigations on your Windows endpoints.
With its deep data collection, the Forensics add-on enables you to find the source and scope of an attack and determine what data, if any, was accessed. As an end-to-end solution, Cortex XDR Forensics helps you with every step of an incident response, from data collection and analysis to threat hunting and remediation.
Using a host timeline, you can view user activity across multiple forensic artifacts in a single table. For a more detailed view, right-click on any row in the timeline for a complete listing of all fields for that item. The historical artifacts collected by the Forensics add-on can provide investigators with insight into Windows file access and process execution, even for files and executables that have been deleted from the host.
The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, so you can get a complete holistic picture of an endpoint.
You can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud and identity data.
You can access the Forensics add-on from the Add-Ons tab, under which the Host Insights add-on is also available (if licensed). Also, the configuration options that were previously labeled as Forensics are now labeled as
Enhancements to the Cortex XDR Host Firewall
The Cortex XDR host firewall now offers improved enforcement capabilities, better policy management, and greater visibility and troubleshooting capabilities for your network:
For more details, refer to the Cortex XDR administrator guide.
The Cortex XDR 3.0 host firewall includes new features that are supported only with Cortex XDR agents 7.6 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an existing rule that was created in an earlier Cortex XDR release, and add one of these unsupported parameters, the older agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
Network Packet Inspection Engine
To address the threats surfacing with the growing remote workforce in your organization and the expanding corporate network boundaries, the new Network Packet Inspection Engine extends coverage to the network level. By analyzing network packet data, the Cortex XDR agent can detect malicious behavior and either block it or report it back to Cortex XDR.
The new engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team.
To enable this capability, edit your Malware Security Profile settings.
Separate Actions for Files Unknown to WildFire and Files with Benign LC Score
To better manage your anti-malware flow, you can now configure separate actions for files that are unknown to WildFire and for files with a Benign Low Confidence (LC) score. To adjust your settings, refer to the Malware Security Profile settings.
Configurable Device Control Enforcement Pop-Up Message
You can now personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode.
To enable this, refer to your Agent Settings Profile.
Support for Azure-based Virtual Environments
Support is now available for Cortex XDR agents running on Microsoft Azure-based VMs and virtual desktops (WVD or AVD).
Microsoft Exchange Vulnerability Protection
(Requires PTU 193-68672, or PTU 194-68995 and later)
The Cortex XDR agent provides additional coverage to identify known public proof-of-concept (PoC) exploits of the Microsoft Exchange SSRF vulnerability associated with CVE-2021-34473 and ProxyShell. Two new Behavioral Threat Protection alerts have been added to address these exploitation attempts:
To enable the Cortex XDR agent to generate these alerts, follow these steps:
The following features were added to Cortex XDR agents running on Mac endpoints:
Host Firewall macOS 11 Support and Enhancements
To streamline management of your Host Firewall rules and profiles, Cortex XDR now supports host firewall for macOS versions 11 and above and introduces the following enhancements:
macOS Host Firewall Profile
Cortex XDR Agent Tampering Protection for macOS
You can now prevent unauthorized access to, or tampering with, the Cortex XDR agent components on macOS. With this configuration, manual upgrades and changes to any of the agent's daemons, files, or processes require entering the agent uninstall password.
Extending Gatekeeper Protection to Bundles
The Cortex XDR Gatekeeper Enhancement protection module now provides coverage also for suspicious bundle executions.
Audit Log for Unauthorized Agent Shutdown
When a deliberate termination of the agent is detected on the endpoint, an audit log is now reported to Cortex XDR.
The following features were added to Cortex XDR agents running on Linux endpoints:
Cortex XDR Agent for Kubernetes Hosts
(Requires a Cortex XDR Cloud per Host license)
Starting with this release, you can deploy the Cortex XDR agent as a DaemonSet on any Kubernetes cluster. Because it is natively integrated in Kubernetes through the DaemonSet, the agent provides visibility into containers and ensures full coverage of your critical production workloads.
To deploy the agent, you must have the new Cloud per Host license type and then create a Cortex XDR agent YAML installation package in Cortex XDR, which allows you to configure attributes such as the namespace default value and the nodeSelector. Once the Kubernetes agent is running on the endpoint, Cortex XDR displays the Kubernetes cluster and includes in the causality card a visual indication of processes that are running within containers, along with information about the container itself, such as its name, ID, and image.
For more information, refer to the Cortex XDR agent administrator guide.
Quarantine Malicious ELF Files
Improved Logs Protection
The Cortex XDR agent logs directory is now accessible to privileged users only.