Configure Global Agent Settings

The different Cortex® XDR™ agents that operate on your endpoints require configuration of different global settings.
On top of customizable Agent Settings Profiles for each Operating System and different endpoint targets, you can set global Agent Configurations that apply to all the endpoints in your network.
  1. From the Cortex XDR management console, select
    Settings ( )
    Configurations
    General
    Agent Configuration
    .
  2. Set global uninstall password.
    The uninstall password is required to remove a Cortex XDR agent and to grant access to agent security component on the endpoint. You can use the default uninstall
    Password1
    defined in Cortex XDR or set a new one and
    Save
    . This global uninstall password applies to all the endpoints (excluding mobile) in your network.
    If you change the password later on, the new default password applies to all new and existing profiles to which it applied before.
    If you want to use a different password to uninstall specific agents, you can override the default global uninstall password by setting a different password for those agents in the Agent Settings profile. The selected password must satisfy the requirements enforced by
    Password Strength
    indicator.
  3. Manage the content updates bandwidth and frequency in your network.
    • Enable bandwidth control
      —Palo Alto Networks allows you to control your Cortex XDR agent network consumption by adjusting the bandwidth it is allocated. Based on the number of agents you want to update with content and upgrade packages, active or future agents, the Cortex XDR calculator configures the recommended amount of Mbps (Megabits per second) required for a connected agent to retrieve a content update over a 24 hour period or a week. Cortex XDR supports between 20 - 10000 Mbps, you can enter one of the recommended values or enter one of your own.For optimized performance and reduced bandwidth consumption, it is recommended that you install and update new agents with Cortex XDR agents 7.3 and later that include the content package built in using SCCM.
    • Enable minor content version updates
      —The Cortex XDR research team releases more frequent content updates in-between major content versions to ensure your network is constantly protected against the latest and newest threats in the wild. When you enable minor content version updates, the Cortex XDR agent receives minor content updates, starting with the next content releases. To learn more about the minor content numbering format, refer to the About Content Updates topic.
  4. Configure content bandwidth allocated for all endpoints.
    To control the amount of bandwidth allocated in your network to Cortex XDR content updates, assign a
    Content bandwidth management
    value between 20-10,000 Mbps.
    To help you with this calculation, Cortex XDR recommends the optimal value of Mbps based on the number of active agents in your network, and including overhead considerations for large content updates.
    Cortex XDR will verify that agents attempting to download the content update are within the allocated bandwidth before beginning the distribution. If the bandwidth has reached its cap, the download will be refused and the agents will attempt again at a later time. After you set the bandwidth,
    Save
    the configuration.
  5. Configure the Cortex XDR agent auto upgrade scheduler and number of parallel upgrades.
    If Agent Auto Upgrades are enabled for your Cortex XDR agents, you can control the automatic upgrade process in your network. To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
    • Amount of agents per batch
      —Set the number of parallel agent upgrades, while the maximum is 500 agents.
    • Days in week
      —You can schedule the upgrade task for specific days of the week and a specific time range. The minimum range is four hours.
  6. Configure automated Advanced Analysis of XDR Agent alerts raised by exploit protection modules.
    Advanced Analysis is an additional verification method you can use to validate the verdict issued by the Cortex XDR agent. In addition, Advanced Analysis also helps Palo Alto Networks researchers tune exploit protection modules for accuracy.
    To initiate additional analysis you must retrieve data about the alert from the endpoint. You can do this manually on an alert-by-alert basis or you can enable Cortex XDR to automatically retrieve the files.
    After Cortex XDR receives the data, it automatically analyzes the memory contents and renders a verdict. When the analysis is complete, Cortex XDR displays the results in the
    Advanced Analysis
    field of the Additional data view for the data retrieval action on the
    Action Center
    . If the Advanced Analysis verdict is benign, you can avoid subsequent blocked files for users that encounter the same behavior by enabling Cortex XDR to automatically create and distribute exceptions based on the Advanced Analysis results.
    1. Configure the desired options:
      • Enable Cortex XDR to automatically upload defined alert data files for advanced analysis. Advanced Analysis increases the Cortex XDR exploit protection module accuracy
      • Automatically apply Advanced Analysis exceptions to your Global Exceptions list. This will apply all Advanced Analysis exceptions suggested by Cortex XDR, regardless of the alert data file source
    2. Save
      the Advanced Analysis configuration.
  7. Configure the Cortex XDR Agent license revocation and deletion period.
    This configuration applies to standard endpoints only and does not impact the license status of agents for VDIs or Temporary Sessions.
    1. Configure the desired options:
      • Connection Lost (Days)
        —Configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. Default is 30 days; Range is 2 to 60 days.
      • Agent Deletion (Days)
        —Configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. Default is 180 days; Range is 3 to 360 days and must exceed the
        Connection Lost
        value.
    2. Save
      the Agent Status configuration.
  8. Enable WildFire analysis scoring for files with Benign verdicts.
    The WildFire analysis score for files with Benign verdict is used to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually gets a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing gets a lower confidence Benign score. To add an additional verification method to such files, enable this setting. Then, when Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (
    Run local analysis
    to determine the file verdict,
    Allow
    , or
    Block
    ).
    Disabling this capability takes immediate effect on new hashes, fresh agent installations, and existing security policies. It could take up to a week to take effect on existing agents in your environment pending agent caching.
  9. Enable Informative BTP Alerts.
    Behavioral threat protection (BTP) alerts have been given unique and informative names and descriptions, to provide immediate clarity into the events without having to drill down into each alert. Enable to display the informative BTP rule alert names and descriptions. After you update the settings, new alerts will include the changes while already existing alerts will remain unaffected.
    If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR/3rd party SIEM, we advise you to update those to support the changes before activating the feature. For example, change the query to include the previous description that is still available in the new description, instead of searching for an exact match.

Recommended For You