Add a New Agent Settings Profile

Agent Settings Profiles enable you to customize Cortex XDR agent settings for different platforms and groups of users.
  1. Add a new profile.
    1. From Cortex XDR, select Policy Management and then + New Profile.
    2. Select the platform to which the profile applies and Agent Settings as the profile type.
    3. Click
  2. Define the basic settings.
    1. Enter a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible in the list of profiles when you configure a policy rule.
    2. To provide additional context for the purpose or business reason that explains why you are creating the profile, enter a profile . For example, you might include an incident identification number or a link to a help desk ticket.
  3. (Windows, Mac, and Linux only) Configure the Disk Space to allot for Cortex XDR agent logs.
    Specify a value in MB from 100 to 10,000 (default is 5,000).
  4. (Windows and Mac only) Configure User Interface options for the Cortex XDR console.
    By default, Cortex XDR uses the settings specified in the default agent settings profile and displays the default configuration in parentheses. When you select a setting other than the default, you override the default configuration for the profile.
    • Tray Icon—Choose whether you want the Cortex XDR agent icon to be (default) or in the notification area (system tray).
    • XDR Agent Console Access—Enable this option to allow access to the Cortex XDR console.
    • XDR Agent User Notifications—Enable this option to display notifications in the notification area on the endpoint. When disabled, the Cortex XDR agent operates in silent mode and does not display any notifications in the notification area. If you enable notifications, you can use the default notification messages or provide custom text (up to 50 characters) for each notification type. You can also customize a notification footer.
    • Live Terminal User Notifications—Enable this option to display a pop-up on the endpoint when you initiate a Live Terminal session.
  5. (Android only) Configure network usage preferences.
    When Upload Using Cellular Data is enabled, the Cortex XDR agent uses cellular data to send unknown apps to Cortex XDR for inspection. Standard data charges may apply. When this option is disabled, the Cortex XDR agent queues any unknown files and sends them when the endpoint connects to a Wi-Fi network. If configured, the data usage setting on the Android endpoint takes precedence over this configuration.
  6. (Windows only) Configure Agent Security options that prevent unauthorized access to or tampering with the Cortex XDR agent components.
    Use the default agent settings or customize them for the profile. To customize agent security capabilities:
    1. Enable XDR Agent Tampering Protection.
    2. By default, the Cortex XDR agent protects all agent components; however, you can configure protection more granularly for Cortex XDR agent services, processes, files, and registry values. With Traps 5.0.6 and later releases, when protection is enabled, access is read-only. In earlier Traps releases, enabling protection disables all access to services, processes, files, and registry values.
  7. (Windows and Mac only) Set an Uninstall Password.
    Define and confirm a password the user must enter to uninstall the Cortex XDR agent. The uninstall password is encrypted (using PBKDF2) when transferred between Cortex XDR and Cortex XDR agents. Additionally, the uninstall password is used to protect against tampering attempts made through Cytool commands.
    The default uninstall password is . A new password must satisfy the following requirements:
    • Contain eight or more characters.
    • Contain English letters, numbers, or any of the following symbols:
  8. (Windows only) Configure Windows Security Center Integration.
    The Windows Security Center is a reporting tool that monitors the system health and security state of Windows endpoints on Windows 7 and later releases. When , the Cortex XDR agent registers with the Windows Security Center as an official Antivirus (AV) software product. When registration is , the Cortex XDR agent does not register with the Windows Action Center. As a result, the Windows Action Center could indicate that virus protection is , depending on other security products that are installed on the endpoint.
    For the Cortex XDR agent 5.0 release only, if you want to register the agent with the Windows Security Center but prevent Windows from automatically installing Meltdown/Spectre vulnerability patches on the endpoint, change the setting to Enabled (No Patches).
    When you the Cortex XDR agent to register with the Windows Security Center, Windows shuts down Microsoft Defender on the endpoint automatically. If you still want to allow Microsoft Defender to run on an endpoint where Cortex XDR is installed, you must Disable this option. However, Palo Alto Networks does not recommend running Windows Defender and the Cortex XDR agent on the same endpoint, since it might cause performance issues and incompatibility issues with GlobalProtect and other applications.
  9. (Windows only) Configure alert data collection options.
    When the Cortex XDR agent alerts on process-related activity on the endpoint, it collects the contents of memory and other data about the event in what is known as an alert data dump file. You can customize the Alert Data Dump File Size—, or (the largest and most complete set of information)—and whether to Automatically Upload Alert Data Dump File to Cortex XDR. During event investigation, if automatic uploading of the alert data dump file was disabled, you can manually retrieve the data.
  10. (Windows, Mac, and Linux only) Enable the Cortex XDR agent to Monitor and Collect Enhanced Endpoint Data for use by apps on the Cortex platform.
    Event monitoring and data collection requires:
    • A Cortex XDR Pro per Endpoint license.
    • A supported agent version—Traps agent 6.0 or a later release for Windows endpoints, and Traps agent 6.1 or a later release for Mac and Linux endpoints.
    • Log storage allocated to EDR endpoint data in your Cortex Data Lake instance.
    By default, the Cortex XDR agent collects information about events that occur on the endpoint. If you enable Behavioral Threat Protection in a Malware Security profile, the Cortex XDR agent also collects information about all active file, process, network, and registry activity on an endpoint (see Endpoint Data Collected by Cortex XDR).
    When you enable the Cortex XDR agent to monitor and collect enhanced endpoint data, you enable Cortex XDR to share the detailed endpoint information with other Cortex apps. The information provides endpoint context when a security event occurs, so that you can gain insight into the overall event scope during investigation. The event scope includes all activities that took place during an attack, the endpoints that were involved, and the damage caused. When disabled, the Cortex XDR agent does not share endpoint activity logs.
  11. (Windows only; requires Cortex XDR agents 7.2 and later releases) Enable File Search and Destroy.
    When you enable File Search and Destroy, the Cortex XDR agent collects detailed information about files on the endpoint to create a file inventory database. The agent locally monitors any actions performed on these files and updates the local file database in real time. You can choose to include all file types or common file types only in the file database. Additionally, you can exclude from the file database all files that exist under a specific local path on the endpoint.
    The common file types are: doc, docx, ppt, pptx, pps, ppsx, xls, xlsx, pdf, pages, keynote, rtf, txt, vsd, vsdx, dwg, dxf, csv, url, dotm, docm, xlm, xlsm, xlb, xltm, xltx, xlt, xla, dotx, docb, pot, pptm, potm, ppam, ppsm, sldx, sldm, xps, pub, zip, rar, 7z, gz, tar, cab, ps1, vb, vbe, vbs, js, cmd, bat, vbscript, wsf, jar, db, dbf, mdf, sdf, sql, sqlite, sqlite3, myd, mdb, jpg, jpeg, bmp, gif, exif, png, svg, c, cpp, py, and java.
  12. (Windows only) Configure Response Actions.
    If you need to isolate an endpoint but want to allow access for a specific application (for example, communication between the VDI process and a VDI server), add the process to the Network Isolation Allow List.
    If your Cortex XDR agents communicate with Cortex XDR through a proxy, you must add the following Cortex XDR agent processes to your allow list, along with the IP address of the proxy server:
    • C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe
    • C:\Program Files\Palo Alto Networks\Traps\cyserver.exe
    • For Cortex XDR agent releases prior to 7.1.0 only: C:\Program Files\Palo Alto Networks\Traps\cyveraservice.exe
    This enables the Cortex XDR agent to maintain communication with Cortex XDR after you isolate the endpoint.
    When you add a specific application to your network isolation allow list, the Cortex XDR agent continues to block some internal system processes. This is because some applications, for example ping.exe, use other processes to facilitate network communication. As a result, if the Cortex XDR agent continues to block an application you included in your allow list, you may need to perform additional network monitoring to determine the process that facilitates the communication, and then add that process to the allow list.
    1. +Add an entry to the allow list.
    2. Specify the Process Path you want to allow and the address of the endpoint. Use the wildcard on either side to match any process or IP address. For example, specify as the process path and an IP address to allow any process to run on the isolated endpoint with that IP address. Conversely, specify as the IP address and a specific process path to allow the process to run on any isolated endpoint that receives this profile.
    3. Click the check mark when finished.
  13. (Windows only) Specify the Content Configuration for your Cortex XDR agents.
    You have several options to configure how your Cortex XDR agent retrieves new content.
    • Download Source—By default, Cortex XDR deploys serverless peer-to-peer (P2P) content distribution to the Cortex XDR agents in your LAN to reduce bandwidth loads. Within the six-hour randomization window during which the Cortex XDR agent attempts to retrieve the new content version, it broadcasts to its peer agents on the same subnet twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the new content from other agents in either query, it retrieves it from Cortex XDR directly. If you do not want to allow P2P content distribution, select the Cortex Server download source so that all Cortex XDR agents in your network retrieve the content directly from the Cortex XDR server on their next heartbeat.
      To enable P2P, you must enable UDP and TCP over the defined Content Download Source. By default, Cortex XDR uses port 33221. You can configure another port number.
      Limitations in the content download process:
      • When you install the Cortex XDR agent, the agent retrieves the latest content update version available. A freshly installed agent can take between five and ten minutes (depending on your network and content update settings) to retrieve the content for the first time. During this time, your endpoint is not protected.
      • When you upgrade a Cortex XDR agent to a newer Cortex XDR agent version, if the new agent cannot use the content version running on the endpoint, the new content update starts within one minute in P2P and within five minutes from Cortex XDR.
    • Content Auto-update—By default, the Cortex XDR agent always retrieves the most recent content and deploys it on the endpoint, so the endpoint is always protected with the latest security measures. However, you can the automatic content download. The agent then stops retrieving content updates from the Cortex XDR server and keeps working with the current content on the endpoint.
      • If you disable content updates for a newly installed agent, the agent retrieves the content for the first time from Cortex XDR and then disables content updates on the endpoint.
      • When you add a Cortex XDR agent to an endpoint group whose policy disables content auto-updates, the policy is applied to the added agent as well.
    • Content Rollout—The Cortex XDR agent can retrieve content updates as they become available, or after a pre-configured period. When you delay content updates, the Cortex XDR agent retrieves the content according to the configured delay. For example, if you configure a delay period of two days, the agent will not use any content released in the last 48 hours.
    If you disable or delay the automatic content updates provided by Palo Alto Networks, it may affect the security level in your organization.
  14. Enable Agent Auto Upgrade for your Cortex XDR agents.
    To ensure your endpoints are always up to date with the latest Cortex XDR agent release, enable automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. It can take up to 15 minutes for new and updated auto-upgrade profile settings to take effect on your endpoints.
    Automatic agent upgrades are not supported with non-persistent VDI and temporary sessions.
    To control the agent auto upgrade scheduler and the number of parallel upgrades in your network, see Configure Global Agent Settings.
  15. Enable Network Location Configuration for your Cortex XDR agents.
    (Requires Cortex XDR agents 7.1 and later releases) If you configure host firewall rules in your network, you must enable Cortex XDR to determine the network location of your device, as follows:
    1. A domain controller (DC) connectivity test—When , the DC test checks whether the device is connected to the internal network. If the device is connected to the internal network, then it is in the organization. Otherwise, if the DC test failed or returned an external domain, Cortex XDR proceeds to a DNS connectivity test.
    2. A DNS test—In the DNS test, the Cortex XDR agent submits a DNS name that is known only to the internal network. If the DNS returned the pre-configured internal IP, then the device is within the organization. Otherwise, if the DNS name cannot be resolved, then the device is located elsewhere. Enter the IP Address and DNS Server Name for the test.
    If the Cortex XDR agent detects a network change on the endpoint, the agent triggers the device location test and recalculates the policy according to the new location.
  16. Save the changes to your profile.
  17. You can do this in two ways: you can Create a new policy rule using this profile from the right-click menu, or you can launch the new policy wizard from Policy Rules.
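The following Python is an added example, not Cortex XDR code: it models how entries in the Network Isolation Allow List from step 12 are evaluated against a (process path, endpoint IP) pair, including the proxy-case agent processes the page lists. It assumes `*` as the wildcard token and case-insensitive path comparison; the endpoint address 192.0.2.25 and the `AllowEntry` helper are constructed for the example.

```python
"""Model of Network Isolation Allow List matching (hypothetical helper, not agent code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, Optional

WILDCARD = "*"  # assumed wildcard token standing in for the console's wildcard


@dataclass(frozen=True)
class AllowEntry:
    process_path: str  # full path of the process, or WILDCARD for any process
    endpoint_ip: str   # IP of the isolated endpoint, or WILDCARD for any endpoint


def _path_matches(pattern: str, path: str) -> bool:
    # Windows paths are case-insensitive, so compare case-folded (assumption).
    return pattern == WILDCARD or pattern.casefold() == path.casefold()


def _ip_matches(pattern: str, ip: str) -> bool:
    # Compare parsed addresses so whitespace or IPv6 spelling differences do not matter.
    return pattern == WILDCARD or ip_address(pattern.strip()) == ip_address(ip.strip())


def matching_entry(entries: Iterable[AllowEntry], process_path: str,
                   endpoint_ip: str) -> Optional[AllowEntry]:
    """Return the first entry that permits this process on this isolated endpoint."""
    for entry in entries:
        if _path_matches(entry.process_path, process_path) and \
                _ip_matches(entry.endpoint_ip, endpoint_ip):
            return entry
    return None


def is_allowed(entries: Iterable[AllowEntry], process_path: str, endpoint_ip: str) -> bool:
    return matching_entry(entries, process_path, endpoint_ip) is not None


# Constructed sample list: the agent processes the page names for the proxy case (any
# endpoint), plus "any process" on one specific isolated endpoint (constructed IP).
SAMPLE_ALLOW_LIST = [
    AllowEntry(r"C:\Program Files\Palo Alto Networks\Traps\tlaservice.exe", WILDCARD),
    AllowEntry(r"C:\Program Files\Palo Alto Networks\Traps\cyserver.exe", WILDCARD),
    AllowEntry(WILDCARD, "192.0.2.25"),
]

if __name__ == "__main__":
    # ping.exe is not listed, so on any other endpoint it stays blocked; this is the
    # situation the page describes when a listed application still cannot talk.
    print(is_allowed(SAMPLE_ALLOW_LIST, r"C:\Windows\System32\ping.exe", "192.0.2.26"))  # False
```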
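As a second added example (again not Cortex XDR code), this Python models the two-stage network location decision from step 15: the DC connectivity test first, then the DNS test against a name known only to the internal network. The internal name, expected IP, `DcResult` states and the injected `resolve` callback are all assumptions; an answer that resolves to a different address than the pre-configured one is treated as external, which the page does not spell out.

```python
"""Model of the network location test (DC test, then DNS test); hypothetical, not agent code."""
from enum import Enum
from typing import Callable, Dict, Optional


class DcResult(Enum):
    CONNECTED = "connected"              # device reached a DC of the internal domain
    FAILED = "failed"                    # no DC reachable
    EXTERNAL_DOMAIN = "external_domain"  # a DC answered, but for a domain that is not ours


class Location(Enum):
    INTERNAL = "internal"
    EXTERNAL = "external"


def determine_location(dc_test_enabled: bool,
                       run_dc_test: Callable[[], DcResult],
                       dns_name: str,
                       expected_ip: str,
                       resolve: Callable[[str], Optional[str]]) -> Location:
    """Apply the two-stage test. resolve() stands in for the agent's DNS lookup and
    returns the answer for the internal-only name, or None when it cannot be resolved."""
    if dc_test_enabled and run_dc_test() == DcResult.CONNECTED:
        return Location.INTERNAL
    # DC test disabled, failed, or answered for an external domain: fall through to DNS.
    answer = resolve(dns_name)
    if answer is not None and answer == expected_ip:
        return Location.INTERNAL
    # Unresolvable, or resolved to some other address (for example a resolver that
    # rewrites NXDOMAIN): treat as external so internal-only host firewall rules are
    # not applied off-network. Assumption; the page only states the two outcomes.
    return Location.EXTERNAL


# Constructed sample values for a stand-alone run.
INTERNAL_NAME = "nlc-probe.corp.example"  # constructed internal-only DNS name
INTERNAL_IP = "10.20.30.40"               # constructed pre-configured internal answer


def fake_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline stand-in for DNS: answers from a fixed table, None for unknown names."""
    return lambda name: table.get(name)


if __name__ == "__main__":
    # DC unreachable (e.g. remote user on VPN) but the internal name resolves correctly.
    print(determine_location(True, lambda: DcResult.FAILED, INTERNAL_NAME, INTERNAL_IP,
                             fake_resolver({INTERNAL_NAME: INTERNAL_IP})))  # Location.INTERNAL
```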
