About Content Updates

To increase security coverage and quickly resolve any issues in policy, Palo Alto Networks can seamlessly deliver software packages for Cortex XDR called content updates. Starting with the Cortex XDR 7.1 agent release, Cortex XDR delivers the content update to the agent in parts rather than as a single file, so the agent retrieves only the updates and additions it needs. Content updates can contain changes or updates to any of the following:
  • Default security policy including exploit, malware, restriction, and agent settings profiles
  • Default compatibility rules per module
  • Protected processes
  • Local analysis logic
  • Trusted signers
  • Processes included in your block list by signers
  • Behavioral threat protection rules
  • Ransomware module logic including Windows network folders susceptible to ransomware attacks
  • Event Log for Windows event logs and Linux system authentication logs
  • Python scripts provided by Palo Alto Networks
  • Python modules supported in script execution
  • Maximum file size for hash calculations in File search and destroy
  • List of common file types included in File search and destroy
  • Network Packet Inspection Engine rules
When a new update is available, Cortex XDR notifies the Cortex XDR agent. The Cortex XDR agent then randomly chooses a time within a six-hour window during which it will retrieve the content update from Cortex XDR. By staggering the distribution of content updates, Cortex XDR reduces the bandwidth load and prevents bandwidth saturation due to the high volume and size of the content updates across many endpoints. You can view the distribution of endpoints by content update version from the Cortex® XDR™ Dashboard.
The Cortex XDR research team releases more frequent content updates in between major content versions to keep your network protected against the latest threats in the wild. When you enable minor content updates, the Cortex XDR agent receives minor content updates starting with the next content release. If you do not enable minor content updates, your Cortex XDR agents continue to receive only the major content releases, which usually occur on a weekly basis. The content version number consists of a version number (XXX) followed by a build number. To distinguish between major and minor releases, the version number is rounded up to the nearest ten for every major release and incremented by one for each minor release. For example, a version number that is a multiple of ten denotes a major release, and the version numbers between two successive multiples of ten denote minor releases.
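As an added example (not Palo Alto Networks code and not part of this page), the following Python applies the version rule above to endpoint data: it classifies a content version as major or minor, reports which endpoints in a fleet are behind the latest available content and by how many major releases, and simulates the random six-hour retrieval window to show how staggering flattens the peak download load. It assumes the version string is written as the version part and the build part separated by a hyphen (the page does not show the separator), and the endpoint names and version numbers are constructed sample data.

```python
"""Added example: content version classification, fleet lag report and
staggered-retrieval simulation. Not Palo Alto Networks code."""
import random
from collections import Counter

# ASSUMPTION: a content version string is written "<version>-<build>", e.g. "120-45678".
# The version part is rounded up to the nearest ten for a major release and
# incremented by one for a minor release; the hyphen separator is an assumption.


def parse_content_version(text):
    """Return (version, build) as integers; raise ValueError on malformed input."""
    parts = text.strip().split("-", 1)
    if len(parts) != 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"malformed content version: {text!r}")
    return int(parts[0]), int(parts[1])


def is_valid_content_version(text):
    """True when the string parses as '<version>-<build>'."""
    try:
        parse_content_version(text)
        return True
    except ValueError:
        return False


def release_kind(text):
    """'major' when the version part is a multiple of ten, otherwise 'minor'."""
    version, _ = parse_content_version(text)
    return "major" if version % 10 == 0 else "minor"


def major_baseline(version):
    """The major release a version is built on: the multiple of ten at or below it."""
    return version - version % 10


def fleet_report(endpoint_versions, latest_available):
    """Summarise a fleet: count per version string, endpoints running content older
    than the latest available (with how many major releases they are behind), and
    endpoints whose version indicates minor updates are enabled."""
    latest_v, _ = parse_content_version(latest_available)
    distribution = Counter()
    majors_behind = {}
    on_minor = []
    for endpoint, text in endpoint_versions.items():
        v, _ = parse_content_version(text)
        distribution[text] += 1
        if v < latest_v:
            # 0 means same major baseline but an older minor/build
            majors_behind[endpoint] = (major_baseline(latest_v) - major_baseline(v)) // 10
        if v % 10 != 0:
            on_minor.append(endpoint)
    return {
        "distribution": dict(distribution),
        "majors_behind": majors_behind,
        "on_minor": sorted(on_minor),
    }


def staggered_retrieval_offsets(n_endpoints, window_hours=6, seed=None):
    """Each agent picks a uniformly random minute within the window at which it
    retrieves the update (the page's six-hour window by default)."""
    rng = random.Random(seed)
    window_minutes = window_hours * 60
    return [rng.randrange(window_minutes) for _ in range(n_endpoints)]


def peak_concurrency(offsets, bucket_minutes=30):
    """Largest number of agents retrieving within any one bucket. Compare with the
    endpoint count (everyone fetching at once) to see the effect of staggering."""
    buckets = Counter(offset // bucket_minutes for offset in offsets)
    return max(buckets.values()) if buckets else 0


# Constructed sample data: hypothetical endpoints and version strings.
SAMPLE_FLEET = {
    "ws-001": "120-45678",
    "ws-002": "121-45700",
    "ws-003": "110-44010",
    "srv-01": "120-45678",
    "srv-02": "100-43001",
}
LATEST = "121-45700"

if __name__ == "__main__":
    report = fleet_report(SAMPLE_FLEET, LATEST)
    for endpoint, text in SAMPLE_FLEET.items():
        print(f"{endpoint}: {text} ({release_kind(text)})")
    print("behind latest:", report["majors_behind"])
    print("minor updates enabled:", report["on_minor"])
    offsets = staggered_retrieval_offsets(1000, seed=7)
    print("peak agents per 30 min with staggering:", peak_concurrency(offsets), "of 1000")
```

Run it as a script to see the per-endpoint classification and the simulated peak; `fleet_report` is the piece to wire to real inventory data if you want an alert for endpoints more than one major release behind.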
To adjust content update distribution for your environment, you can configure the following optional settings:
Alternatively, if you want the Cortex XDR agent to retrieve the latest content from the server immediately, you can force the agent to connect to the server using one of the following methods:
  • (Windows and Mac only) Perform a manual check-in from the Cortex XDR agent console.
  • Initiate a check-in using the Cytool checkin command.