About Content Updates

To increase security coverage and quickly resolve any issues in policy, Palo Alto Networks can seamlessly deliver software packages for Cortex XDR called content updates. Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers the content update to the agent in parts rather than as a single file, allowing the agent to retrieve only the updates and additions it needs.
Content updates can contain changes or updates to any of the following:
  • Default security policy including exploit, malware, restriction, and agent settings profiles
  • Default compatibility rules per module
  • Protected processes
  • Local analysis logic
  • Trusted signers
  • Processes included in your block list by signers
  • Behavioral threat protection rules
  • Ransomware module logic including Windows network folders susceptible to ransomware attacks
  • Windows Event Logs
  • Python scripts provided by Palo Alto Networks
  • Python modules supported in script execution
  • Maximum file size for hash calculations in File search and destroy
  • List of common file types included in File search and destroy
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the Cortex XDR Dashboard.
To adjust content update distribution for your environment, you can configure the following optional settings:
Otherwise, if you want the Cortex XDR agent to retrieve the latest content from the server immediately, you can force the Cortex XDR agent to connect to the server using one of the following methods:
  • (Windows and Mac only) Perform manual check-in from the Cortex XDR agent console.
  • Initiate a check-in using the Cytool checkin command.
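
The trade-off behind the six-hour window, as an added example (not Palo Alto Networks code): a small model that compares peak concurrent downloads when every agent retrieves at once against retrieval at a random time in the window, and reports how long it takes until 95% of endpoints have the update. The endpoint count and the 120-second download time are constructed assumptions.

```python
import math
import random

WINDOW_S = 6 * 3600  # six-hour retrieval window described above

def start_times(n, window_s=WINDOW_S, seed=1):
    """One random retrieval time per endpoint, uniform within the window."""
    rng = random.Random(seed)
    return [rng.uniform(0, window_s) for _ in range(n)]

def peak_concurrent(starts, download_s):
    """Sweep start/end events to find the most downloads in flight at once."""
    events = [(t, 1) for t in starts] + [(t + download_s, -1) for t in starts]
    events.sort()  # at equal times an end (-1) sorts before a start (+1)
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def time_to_coverage(starts, download_s, fraction):
    """Seconds until the given fraction of endpoints has finished retrieving."""
    done = sorted(t + download_s for t in starts)
    return done[max(1, math.ceil(fraction * len(done))) - 1]

def compare(n=5000, download_s=120):
    """n and download_s are constructed values, not product figures."""
    staggered = start_times(n)
    return {
        "peak_simultaneous": peak_concurrent([0.0] * n, download_s),
        "peak_staggered": peak_concurrent(staggered, download_s),
        "hours_to_95pct": time_to_coverage(staggered, download_s, 0.95) / 3600,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.2f}")
```

The coverage figure shows the cost of staggering: some endpoints run on older content for most of the window, which is the case the forced check-in addresses.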
