Features Introduced in 2019

Learn more about Cortex XDR features introduced during 2019 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2019 by month.

Features Introduced in December

The following table describes the features released in December 2019 (release 2.0) and require Cortex XDR agent version 7.0.
Unified Interface for Cortex XDR and Traps
Traps advanced endpoint protection capabilities are now available in Cortex XDR. With this integration, the Traps agent is now the Cortex XDR agent in 7.0 and later agent releases. Features that you used in Traps management service are now available in the Cortex XDR interface which now includes a new
menu. In addition, Cortex XDR now provides the following new functionality for endpoint-related alerts:
  • Causality View for endpoint alerts that do not contain stitched data that show all related process and event information.
  • Detailed analysis of behavioral threat events in the Causality View.
As Traps transitions to management by Cortex XDR, some documentation and UI refer to the earlier name for Traps instead of the new name of Cortex XDR agent.
New Cortex XDR Licenses
Cortex XDR is now available in three license types:
  • Cortex XDR Prevent—Enables endpoint protection functionality including exploit prevention and malware protection with the ability to manage and configure endpoint and device control security policies.
  • Cortex XDR Pro Per Endpoint—Enables the same endpoint protection functionality as the Cortex XDR Prevent license with the added benefit of EDR data collection and log stitching with third-party alerts.
  • Cortex XDR Pro Per TB—Does not include endpoint protection functionality but enables analysis of firewall traffic logs from Palo Alto Networks or external firewall vendors such as Check Point, Cisco, and Fortinet.
In addition, you can now view your license details such as license type and expiration from the menu in Cortex XDR.
Serverless Content Distribution
Windows only
To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, the content update algorithm has been enhanced to enable agents on your LAN network to retrieve the new content version from other agents who have already retrieved it. Now within the six hour randomization window during which the Cortex XDR agent attempts to retrieve the new content version, it will query other agents twice: once within the first hour, and once again during the following five hours. If the agent did not retrieve the new content from other agents in both queries, it will retrieve it from Cortex XDR directly.
Peer-to-peer content distribution is enabled by default in the Agent Settings profile, and requires that you enable UDP and TCP over port 33221 (You can later change the port number through the Agent Settings profile.).
Peer-to-peer content distribution might increase traffic on the organization’s LAN network.
When a new agent is downloading content for the first time, it will be unprotected in the time in between activation and until it retrieves its first content from a peer agent (this may take up to 10 minutes). This applies to Windows endpoints and new VDI sessions.
Content Bandwidth Management
You can now configure the bandwidth you want to use to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth, you assign a value in Mbps. You can configure content bandwidth management from your
Agent Configuration
Device Control of USB-Connected Devices
Windows only
To protect Windows endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, floppy disks and portable devices drives), Cortex XDR now provides Device Control. With Device Control, you can configure different policies to manage USB-connectivity on your endpoint. For example, you can:
  • Block all supported USB-connected devices
  • Temporarily block only some USB-connected device types (
    Windows only
  • Block a USB-connected device type but whitelist a specific vendor or product from that list and allow it read/write permissions on the endpoint (
    Windows only
To apply Device Control to your endpoints, you define Device Control profiles according to the device types, and configure Device Control policies that apply to your endpoints or endpoint groups.
Customized User Notifications
Windows and Mac
You can now customize the header and footer of user notifications that the Cortex XDR Agent displays when a security event occurs. You can override the default generic texts to provide your end users with localized messages, support contact info, textual instructions, and more. Customized headers are set in the
User Interface
definitions of the Agent Settings profile and are relevant to the following types of notifications:
  1. Exploit/Malware events set to block
  2. Restriction events set to block (
    Windows only
  3. Restriction events set to notify user (
    Windows only
You can also customize the notification footer default text. Cortex XDR displays the same footer for all notification types.
Remote Investigation and Remediation with Live Terminal
Linux and Mac
If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Linux or Mac endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
Retrieve Files Response Action
Linux and Mac
You can now initiate a response action to Retrieve Files from Linux and Mac endpoints with Cortex XDR directly. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Action Center. Cortex XDR retains retrieved files for up to one week.
SO Hijacking Protection
Linux only
Cortex XDR extends Exploit Protection on Linux endpoints to also protect endpoints from SO Hijacking attacks, where the attacker attempts to dynamically load libraries on Linux operating systems from unsecure locations to gain control of a process. Cortex XDR agent blocks this activity and raises a SO Hijacking Protection alert.
The new SO Hijacking Exploit Protection moduleis automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
Extended Exploit Protection Coverage for Java Deserialization Exploits
Linux only
Cortex XDR extends Exploit Protection on Linux endpoints to also detect Java deserialization exploits on Java-based servers. The new Exploit Protection module detects scenarios where suspicious input is attempting to execute malicious code during the Java objects deserialization process. Cortex XDR agent blocks this activity and raises a Suspicious Input Deserialization alert. You can create a Global Exception to whitelist a specific Java executable (jar, class) which you know to be benign directly from the Cortex XDR alert.
The new Java Deserialization Exploit protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
Administrative Actions Center in Cortex XDR
You can now perform a wide variety of administrative actions on your endpoints and monitor them from the new Action Center in Cortex XDR. For example, you can isolate endpoints, whitelist files, or initiate a bulk action to upgrade your Cortex XDR agents. After you initiate an action, Cortex XDR displays the action status in detail allowing you to closely monitor the affected endpoints and action progress.
Cortex XDR Support for Fortinet and Cisco Firewall Logs and Alerts
If you use Fortinet Fortigate or Cisco ASA firewalls in your network, you can now forward your firewall logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. To begin analyzing your traffic logs, you set up a syslog collector and configure your firewalls to forward logs to the syslog collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.
In addition, Cortex XDR can also include your firewall alerts in incidents for additional context.
Granular Role-Based Access Control (RBAC)
From the hub, you can now assign new granular Cortex XDR roles to Cortex XDR app users. Each of the new roles identifies select pages in the app that the user can view and select actions that the user can perform.
To prevent unauthorized access to features and information in Cortex XDR, you can now assign roles for API key usage. This enables you to limit access to sensitive data, when needed.
Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment. The following API capabilities have been added:
  • Get Endpoints—Retrieve a list of endpoints
  • Isolate Endpoints—Isolate a specific endpoint
  • Unisolate Endpoints—Cancel an endpoints isolation
  • Get Distribution Version—Retrieve the installation package versions
  • Create Distributions—Create installation packages
  • Get Distribution Status—Retrieve the installation package statuses
  • Get Distribution URL—Retrieve the installation package URL
  • Get Audit Management Log—Retrieve a list of audit log details
  • Get Audit Agent Report—Retrieve a list of agent event report details
The APIs are supported in Cortex XDR Prevent and Cortex XDR Pro—Endpoint.
Customizable Dashboards
To instantly surface the information about your environment that matters to you most, you can now customize the default dashboard that displays when you log in to Cortex XDR. To create a dashboard, you can either use a predefined dashboard template as a starting place or you can create a new dashboard from scratch using the dashboard builder. Dashboards can be private or public. If you have multiple dashboards, you can select the one you want to be the default, and can toggle to the others from the dashboard menu.
You can now run and customize reports containing a snapshot of statistics about your environment over a selected time period. You can generate reports from Cortex XDR on-demand or schedule them to run daily or weekly. You can use dashboards as the basis for a report template, or you can customize your report with widgets from the widget library. When your report is ready, you can download it from the Reports page. You can also email reports to an email distribution of your choice.
OR Operator Support for Filters
You can now use the OR operator with filters to return results that match any specified filter criteria (instead of using the AND operator to return results that match all of the criteria). You can also use filter sets to group criteria. For example (a AND b) OR (c AND d).
Dynamic Endpoint Group Creation Using Filters
You can now use an unlimited number of filters to define endpoint groups.
Active Directory Object Filtering
You can now filter endpoints in the Endpoints Management table by Active Directory (AD) Objects. To filter by an AD object, you must have Cloud Identity Engine paired to Cortex XDR.
Cortex XDR Analytics Enhancements
(release 2.8.1)
The analytics engine includes backend performance improvements and enhancements.
Deprecated Cortex XDR Analytics Alerts
(release 2.8.1)
The following detection models have been deprecated in favor of more updated models:
  • Reverse Connection
  • Consecutive Connections

Features Introduced in October

The following table describes the features released in October 2019 (release 1.7).
External Alert Investigation in Cortex XDR
To provide you with a more complete and detailed picture of the activity involved in an incident, you can now investigate alerts from external sources in Cortex XDR. Setting up Cortex XDR to receive alerts from an external source is easy. You simply set up a syslog collector and configure your alert source to forward alerts (in CEF format) to the syslog collector. You can also ingest alerts from external sources using the Cortex XDR API. To view the external alerts in Cortex XDR, you must map required fields to the Cortex XDR format. Cortex XDR can then stitch the alerts it receives from any external source with relevant log data such as endpoint and user data. These alerts are available in your incidents, alerts tables, and Causality view.
Cortex XDR Analytics for Check Point Firewall Logs
For network deployments consisting of Check Point firewalls or a mix of Check Point and Palo Alto Networks firewalls, you can now forward your Check Point firewall logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities if you use Check Point firewalls in your network. Similar to setting up Cortex XDR to ingest alerts from external sources, you set up a syslog collector and configure the firewall to forward logs to the syslog collector. However unlike external alerts, no additional mapping of fields is required to begin analyzing Check Point firewall logs and detecting threats in your network. As soon as Cortex XDR begins receiving logs from Check Point firewalls, the analytics engine applies detectors to raise Analytics alerts on anomalous activity.

Features Introduced in September

The following table describes the features released in September 2019 (release 1.6).
Starred Incidents
To help you focus on the incidents that matter most, you can now create a incident starring policy that categorizes and stars incidents that contain alerts matching the attributes that you decide are important. After you define a policy, Cortex XDR adds a star indicator to any incidents that contain alerts that match the policy. You can then sort or filter the Incidents table for starred incidents. On the Incidents Dashboard, you can also choose whether to display all incidents or only starred incidents.
In addition, you can also take advantage of the new starred incident policy in Cortex XDR APIs: The get_incidents API now includes a new starred field to indicate whether an incident contains alerts that match your incident starring policy.

Features Introduced in August

The following table describes the features released in August 2019 (release 1.5).
Unified Cortex XDR Interface
The Cortex XDR – Investigation and Response and Cortex XDR – Analytics apps have been consolidated into one Cortex XDR app. The new app is available from the hub under the Cortex XDR tile. To access Cortex XDR – Analytics features in the new app, you must be assigned an administrative role for the Cortex XDR – Analytics.
Analytics Alert Analysis
You can now analyze Analytics and Analytics BIOC alerts in Cortex XDR. Each alert type provides a tailored analytics view to help you understand the context of the alert. This view provides an alert summary, a graphical representation of the activity that you can interact with, and any related events. From the analytics view, you can also take additional actions to respond to the alert such as initiating a live terminal or adding a malicious domain or IP address to an external dynamic list (EDL).
App-ID Integration
Cortex XDR can now identify related App-IDs for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application. To add the App ID column, use the column manager on the Alerts table.
URL Category Integration
Cortex XDR now integrates URL filtering categories associated with URL filtering logs in the Alerts table. When known, Cortex XDR displays the URL Filtering type.
Threat Intelligence License Truncation
Cortex XDR now truncates part of the license key on the Threat Intelligence page when you integrate additional threat intelligence sources such as AutoFocus and VirusTotal. Truncating part of the license key enables you to take screen captures or videos of the page, such as for demo purposes, without sharing your license key.
Alerts Tab Change
To streamline investigations, the Alerts page is now removed from the main Cortex XDR menu. Now, you can only access the Alerts table from the Incidents table or from within the investigation of an incident.

Recommended For You