New Features: May 2019

Mobile Endpoint Coverage through GlobalProtect and GlobalProtect Cloud Service
The Cortex XDR™ – Analytics app can now detect threats on mobile endpoints that roam outside of your firewall-protected environment by examining GlobalProtect™ and GlobalProtect cloud service VPN traffic. After you identify the IP address pools of your mobile users, the app analyzes user VPN traffic and creates a Mobile VPN device type based on the username-associated traffic. The app raises the same alerts as in a firewall-only deployment and associates those alerts with the Mobile VPN device type.
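The following is an added illustration of the attribution step described above, not code from the Cortex XDR app: given the configured mobile-user address pools and a table of VPN sessions (user, assigned address, login and logout time), a traffic source is classified as a Mobile VPN device when it falls inside a pool, and is attributed to the user whose session held that address at the time of the flow. The pool (`10.200.0.0/22`), the session records, and the `classify_source` function are all constructed for this example; the edge case it handles is the same pool address being handed to two different users on the same day.

```python
import ipaddress
from datetime import datetime

# Constructed session records (not the GlobalProtect log format): the same pool
# address is leased to two users at different times, so attribution must be time-aware.
VPN_SESSIONS = [
    {"user": "alice", "ip": "10.200.0.15",
     "start": "2019-05-01T08:00:00", "end": "2019-05-01T12:00:00"},
    {"user": "bob", "ip": "10.200.0.15",
     "start": "2019-05-01T13:00:00", "end": "2019-05-01T17:00:00"},
]

# Assumption: the mobile-user address pool configured on the VPN gateway.
VPN_POOLS = [ipaddress.ip_network("10.200.0.0/22")]


def in_vpn_pool(src_ip, pools=VPN_POOLS):
    """True when src_ip belongs to one of the configured mobile-user pools."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in pool for pool in pools)


def user_for_address(src_ip, ts, sessions=VPN_SESSIONS):
    """Return the user whose VPN session held src_ip at time ts, or None."""
    when = datetime.fromisoformat(ts)
    for s in sessions:
        if s["ip"] != src_ip:
            continue
        if datetime.fromisoformat(s["start"]) <= when <= datetime.fromisoformat(s["end"]):
            return s["user"]
    return None


def classify_source(src_ip, ts, sessions=VPN_SESSIONS, pools=VPN_POOLS):
    """Return (device_type, user) for a flow seen from src_ip at time ts.

    Pool addresses become a 'Mobile VPN' device keyed by the session user; a pool
    address with no active session stays 'Mobile VPN' but unattributed, which is
    worth surfacing rather than silently mapping to the previous lease holder.
    Addresses outside the pools are ordinary on-premises hosts.
    """
    if not in_vpn_pool(src_ip, pools):
        return ("Host", None)
    return ("Mobile VPN", user_for_address(src_ip, ts, sessions))


if __name__ == "__main__":
    for src, ts in [("10.200.0.15", "2019-05-01T10:00:00"),
                    ("10.200.0.15", "2019-05-01T14:00:00"),
                    ("10.200.0.15", "2019-05-01T12:30:00"),
                    ("10.1.1.5", "2019-05-01T10:00:00")]:
        print(src, ts, classify_source(src, ts))
```

The same lookup applies to every alert the app raises: a flow that would have been attributed to a firewall-observed host is instead attributed to the (device type, user) pair, which is why a stale lease must not be matched without checking the session window.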
New DNS Tunneling Alert
When the Cortex XDR – Analytics app detects unusual DNS queries or responses, the app can now raise the DNS Tunneling alert. DNS queries are a common function of internet traffic, but DNS traffic can also be used for communication between malware and a command-and-control server or used to exfiltrate data from your network.
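The page does not describe how the app decides that a query is "unusual", so the following is an added example of one common heuristic, not the product's detection logic: for each (source, base domain) pair, count the distinct subdomain prefixes and measure their average length and Shannon entropy, since tunnelled data tends to appear as many long, high-entropy labels under one domain. The log format, the sample lines, the thresholds in `score_dns_tunneling`, and the two-label approximation of a "base domain" are all constructed assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed DNS query log lines (not a product log format): "timestamp src_ip qname qtype".
# 10.1.1.5 looks like a normal host; 10.1.1.7 sends hex-encoded labels under one domain.
SAMPLE_DNS_LOG = """\
2019-05-01T10:00:01 10.1.1.5 www.example.com A
2019-05-01T10:00:02 10.1.1.5 mail.example.com MX
2019-05-01T10:00:03 10.1.1.5 api.example.com A
2019-05-01T10:00:04 10.1.1.5 login.example.com A
2019-05-01T10:00:05 10.1.1.5 static.example.com A
2019-05-01T10:00:06 10.1.1.5 cdn.example.com A
2019-05-01T10:00:07 10.1.1.5 www.example.com A
2019-05-01T10:01:00 10.1.1.7 0123456789abcdef0123456789abcdef.exfil-test.example TXT
2019-05-01T10:01:01 10.1.1.7 fedcba9876543210fedcba9876543210.exfil-test.example TXT
2019-05-01T10:01:02 10.1.1.7 02468ace13579bdf02468ace13579bdf.exfil-test.example A
2019-05-01T10:01:03 10.1.1.7 13579bdf02468ace13579bdf02468ace.exfil-test.example TXT
2019-05-01T10:01:04 10.1.1.7 89abcdef0123456789abcdef01234567.exfil-test.example A
2019-05-01T10:01:05 10.1.1.7 76543210fedcba9876543210fedcba98.exfil-test.example TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character of text (0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(log_text):
    """Parse the constructed 4-field log into dicts; blank and '#' lines are skipped."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, qtype = line.split()
        records.append({"ts": ts, "src": src,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()})
    return records


def base_domain(qname):
    """Assumption: the last two labels stand in for the registered domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def score_dns_tunneling(records, min_unique=5, min_entropy=3.5, min_prefix_len=20):
    """Raise one alert per (source, base domain) whose distinct subdomain prefixes are
    numerous, long and high-entropy. Thresholds are illustrative, not the product's."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], base_domain(r["qname"]))].append(r)

    alerts = []
    for (src, domain), recs in groups.items():
        prefixes = set()
        for r in recs:
            prefix = ".".join(r["qname"].split(".")[:-2])
            if prefix:
                prefixes.add(prefix)
        if len(prefixes) < min_unique:
            continue  # a handful of names is not a tunnel
        avg_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / len(prefixes)
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        txt_ratio = sum(1 for r in recs if r["qtype"] in ("TXT", "NULL")) / len(recs)
        if avg_entropy >= min_entropy and avg_len >= min_prefix_len:
            alerts.append({"src": src, "domain": domain,
                           "unique_prefixes": len(prefixes),
                           "avg_entropy": round(avg_entropy, 2),
                           "avg_prefix_len": round(avg_len, 1),
                           "txt_ratio": round(txt_ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in score_dns_tunneling(parse_dns_log(SAMPLE_DNS_LOG)):
        print("DNS Tunneling candidate:", alert)
```

The benign host clears the distinct-prefix count (six names under example.com) but fails on entropy and length, which is the point of combining the features: any single one of them fires on legitimate CDN or telemetry names. The TXT ratio is reported for the analyst rather than used as a hard condition, since tunnels are also run over A and CNAME queries.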
New Alert for Recurring Rare IP Access
Cortex XDR – Analytics can now raise the Recurring Rare IP Access alert when it identifies activity that is consistent with command and control activity. To identify this type of activity, the app analyzes recurring connections to external hosts to determine whether those connections are anomalous for endpoints within your network. The app can detect this behavior using either firewall or endpoint activity logs. For higher detection accuracy, you can also enable Enhanced Application logs on your firewalls.
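As an added example of the two properties named above, not the product's own analytic, the block below scores each (endpoint, external host) pair on rarity (what fraction of all endpoints ever contacted that host) and recurrence (on how many distinct days the endpoint reached it, and how regular the intervals are). The connection records carry only timestamp, source, destination and port, so the same function runs over a firewall traffic log or an endpoint network log once both are normalised to that shape. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log (not a product log format): "timestamp src_ip dst_ip dst_port".
# Five endpoints all reach 203.0.113.10 (common); only 10.1.1.4 reaches 198.51.100.77, daily
# at the same time; 10.1.1.5 reaches 192.0.2.9 exactly once.
SAMPLE_CONN_LOG = """\
2019-05-01T09:00:00 10.1.1.2 203.0.113.10 443
2019-05-01T09:01:00 10.1.1.3 203.0.113.10 443
2019-05-01T09:02:00 10.1.1.4 203.0.113.10 443
2019-05-01T09:03:00 10.1.1.5 203.0.113.10 443
2019-05-01T09:04:00 10.1.1.6 203.0.113.10 443
2019-05-01T09:15:00 10.1.1.4 198.51.100.77 8443
2019-05-02T09:15:00 10.1.1.4 198.51.100.77 8443
2019-05-03T09:15:00 10.1.1.4 198.51.100.77 8443
2019-05-04T09:15:00 10.1.1.4 198.51.100.77 8443
2019-05-05T09:15:00 10.1.1.4 198.51.100.77 8443
2019-05-02T11:30:00 10.1.1.5 192.0.2.9 80
"""


def parse_conn_log(text):
    """Parse the constructed 4-field log into dicts with datetime timestamps."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port)})
    return records


def find_recurring_rare_ip_access(records, max_endpoint_ratio=0.2,
                                  min_days=3, max_interval_cv=0.5):
    """Alert on (src, dst) pairs where dst is contacted by few endpoints overall, yet
    src keeps returning to it on several days at regular intervals. Thresholds are
    illustrative; a real deployment would tune them against its own baseline."""
    endpoints = {r["src"] for r in records}
    dst_to_srcs = defaultdict(set)     # rarity: which endpoints ever reached each dst
    pair_times = defaultdict(list)     # recurrence: when each src reached each dst
    for r in records:
        dst_to_srcs[r["dst"]].add(r["src"])
        pair_times[(r["src"], r["dst"])].append(r["ts"])

    alerts = []
    for (src, dst), times in pair_times.items():
        ratio = len(dst_to_srcs[dst]) / len(endpoints)
        if ratio > max_endpoint_ratio:
            continue  # widely used destination, not rare for this network
        times.sort()
        days = {t.date() for t in times}
        if len(days) < min_days:
            continue  # a one-off rare contact is not "recurring"
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        cv = pstdev(intervals) / avg if avg > 0 else 0.0
        if cv > max_interval_cv:
            continue  # irregular contacts look more like a user than a scheduled task
        alerts.append({"src": src, "dst": dst,
                       "endpoint_ratio": round(ratio, 3),
                       "distinct_days": len(days),
                       "interval_cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_recurring_rare_ip_access(parse_conn_log(SAMPLE_CONN_LOG)):
        print("Recurring Rare IP Access candidate:", alert)
```

Rarity is computed across the whole population of endpoints, so a destination that is genuinely unusual for this network surfaces even if it is a well-known address elsewhere; recurrence is computed per endpoint, so the alert names the one host that keeps going back.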
Alerts for Endpoint Behavior
If you use Traps to monitor endpoint activity, Cortex XDR – Analytics can now raise the following alerts based on uncommon or rare endpoint behavior:
Additional Endpoint-Generated Alert Support
The app can now raise the following alerts, which previously required firewall logs, in Traps-only deployments without next-generation firewalls:
  • Failed Connections
  • Large Upload (Generic)
  • SMB/KRB Traffic from Non-Standard Process
  • High Connection Rate
See Possible Cortex XDR – Analytics Alerts for all alerts by log source.