Features Introduced in 2020

Learn more about Cortex XDR features introduced during 2020 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2020 by month.

Features Releasing in November

The following table describes new features in the Cortex XDR 2.6 release. The tentative release date of Cortex XDR 2.6 is November 1, 2020. The information shared here is for INFORMATIONAL PURPOSES ONLY and is not a binding commitment.
General
Copyable Row Values
To continue investigation outside of Cortex XDR, you can now copy the contents of one or more rows to the clipboard. The new option is available from the pivot menu for the selected rows.
Investigation and Response
XQL Query Language for Cortex XDR
(Requires a Cortex XDR Pro license)
To improve your threat research and incident investigation capabilities, you can now use XQL queries to search for and view raw data that is stored in Cortex XDR. Supported data sets include Cortex XDR agent logs, network and authentication stories including third-party data, and logs ingested into Cortex XDR from third parties. XQL offers a wide range of features such as query filters, aggregations, and joins and unions across data sets. You submit XQL queries to Cortex XDR from the new Cortex XQL query which supersedes the Native Search.
Data Visualization for XQL Queries
(Requires a Cortex XDR Pro license)
To help you visualize the raw XQL query results, you can view your results in charts or graphs. For long term monitoring of results, you can also now add custom widgets to Cortex XDR dashboards and reports. To set up a custom widget, you supply the XQL query and the visualization type (donut chart, bar chart, or graph). XQL query-based widgets enable you to continuously monitor available logs and data for the information that matters most to your organization.
Search and Destroy Queries
(Requires a Cortex XDR Pro per Endpoint license)
To search for malicious files, you can now search using either the new XQL query or the Native Search. Each search method uses different syntax that is specific to the method.
BIOC Creation from XQL Queries
(Requires a Cortex XDR Pro license)
After you run an XQL query, you can now easily configure BIOCs that match your query parameters. BIOC rule creation is available only if the XQL query can be converted to a valid BIOC when run on the data as is; it is not available for queries that use alter, functions, comp, field selection, or datasets other than the EDR datasets or presets.
Separate Tab Options for Investigation
When you analyze an alert, you can now choose to open the Causality and Timeline Views in the same tab. Both the existing option for opening the view in a separate tab and the new option are available from the right-click pivot menus of alerts from the Incidents page, Alerts tables, and results for queries.
Incident Enhancements
To improve the incident investigation experience, the following enhancements are now available:
  • Consistent alert counting between the incident table and the incident view
  • Correlation of a macro hash as the key artifact hash
Full Causality Chain Termination
(Requires a Cortex XDR Pro per Endpoint license)
To enhance your remediation capabilities, you can now Terminate Causality when reviewing Remediation Suggestions from the Causality Card or Incident View. This enables you to terminate the entire causality chain of processes that executed under the process tree of the Causality Group Owner (CGO) process name.
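The following is an added example, not Cortex XDR code, that shows what "terminating the entire causality chain" amounts to on a process table: starting from the Causality Group Owner (CGO), walk every descendant and order the terminations leaves first. The process snapshot is constructed for illustration; PIDs, names and parent links are assumptions, not real telemetry.

```python
from collections import deque

# Constructed process snapshot: (pid, parent_pid, image_name). Illustrative only.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (700, 4, "services.exe"),
    (1200, 700, "svchost.exe"),
    (2300, 1200, "explorer.exe"),
    (3100, 2300, "winword.exe"),      # assumed causality group owner (CGO)
    (3250, 3100, "cmd.exe"),
    (3260, 3250, "powershell.exe"),
    (3300, 3260, "conhost.exe"),
    (4000, 2300, "chrome.exe"),      # sibling of the CGO, must not be touched
]


def build_children_index(processes):
    """Map each parent PID to the list of its direct children."""
    children = {}
    for pid, ppid, _ in processes:
        children.setdefault(ppid, []).append(pid)
    return children


def causality_chain(processes, cgo_pid):
    """Return every PID in the subtree rooted at cgo_pid (CGO included), in
    breadth-first order. The visited set guards against cycles that PID reuse
    can introduce into a snapshot."""
    children = build_children_index(processes)
    order, seen, queue = [], {cgo_pid}, deque([cgo_pid])
    while queue:
        pid = queue.popleft()
        order.append(pid)
        for child in children.get(pid, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


def termination_plan(processes, cgo_pid):
    """Leaves first: a parent is only terminated after all of its descendants
    have been enumerated, so nothing is orphaned and missed."""
    names = {pid: name for pid, _, name in processes}
    chain = causality_chain(processes, cgo_pid)
    return [(pid, names.get(pid, "<unknown>")) for pid in reversed(chain)]


if __name__ == "__main__":
    for pid, name in termination_plan(SAMPLE_PROCESSES, 3100):
        print(f"terminate {pid} ({name})")
```

The sibling `chrome.exe` shares the CGO's parent but is outside the CGO subtree, so it never appears in the plan; that boundary is what distinguishes a causality-chain termination from killing everything under the same ancestor.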
UI Position Change for Native Search
In the Cortex XDR management console, the Native Search that was previously available at the top and center of the Query Builder is now available on the top right of the Query Builder.
Full Hash Visibility for Processes
When you hover over the process node in the Causality View, the Process Information pop-up now displays the full SHA256 hash.
Session PCAP Downloads for NGFW Alerts
(Requires a Cortex XDR Pro per TB license)
When a session PCAP is available for NGFW alerts raised on Palo Alto Networks firewall traffic, you can now download the PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table or Incident.
Log and Alert Ingestion and Forwarding
Impacted User and Host Visibility in Notifications
When you configure notifications for alerts in Cortex XDR, the notification now includes the Username and Hostname of the impacted user in the Slack notification details, and Username for Email notifications.
When known, Cortex XDR displays the username and hostname in any Slack or Email notifications that you set up.
Google Cloud Platform (GCP) Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest raw logs from GCP. To receive logs from GCP, you configure SaaS Log Collection for GCP in Cortex XDR, and enable log forwarding in your GCP account. Cortex XDR can then provide visibility into your data using XQL queries, combining results with any other data you have ingested into Cortex XDR.
Extended Log Ingestion for Syslog in CEF Format
(Requires a Cortex XDR Pro per TB license)
Cortex XDR extends log ingestion support from specific vendors to sources sending Syslog in CEF Format (TLS not supported). For simplified Syslog collector configuration, you can configure the protocol, IP address and port, and format settings from the broker applet management console. After Cortex XDR begins receiving logs from the third-party source, you can use the XQL query to view data and use it to create new BIOC rules.
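As an added illustration of the format the collector accepts (example code written for this page, not the broker's own parser), the block below parses syslog lines carrying CEF payloads: it splits the seven pipe-delimited header fields while honouring the `\|` escape, tokenises the `key=value` extensions (values may contain spaces, and `\=`, `\\`, `\n`, `\r` are unescaped), and folds the `csNLabel`/`csN` custom-string convention into named fields. The two sample lines are constructed; the vendor, product and values in them are assumptions, not real device output.

```python
import re

# Constructed sample syslog lines carrying CEF payloads; illustrative only,
# not output of any real product or of the Cortex XDR broker.
SAMPLE_LINES = [
    "<134>Oct 12 14:03:21 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.0|THREAT|vulnerability|8|"
    "src=10.1.2.3 dst=192.0.2.10 spt=51234 dpt=443 act=alert "
    "msg=Suspicious HTTP request\\=with escaped equals cs1Label=Rule cs1=block-web-shells",
    "CEF:0|Vendor\\|Inc|Product|1.0|100|Login \\| failed|5|suser=alice dhost=web01 outcome=failure",
]

# Extensions split on a space that is followed by the next key=; this keeps
# spaces inside values intact. Extension escapes: \= \\ \n \r
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_EXT_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def split_cef_header(payload):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\.

    Returns (fields, extension_string)."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # escaped pipe or backslash
            cur.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, payload[i:]


def parse_cef_extensions(ext):
    """Parse 'k=v k2=value with spaces' into a dict and apply unescaping."""
    out = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, sep, value = token.partition("=")
        if not sep:
            continue
        out[key] = re.sub(r"\\[=\\nr]", lambda m: _EXT_UNESCAPE[m.group(0)], value)
    # csNLabel=Name csN=value is the CEF convention for custom strings; fold
    # them into a field named after the label so searches use the real meaning.
    for n in range(1, 7):
        label = out.pop(f"cs{n}Label", None)
        if label and f"cs{n}" in out:
            out[label] = out.pop(f"cs{n}")
    return out


def parse_cef_line(line):
    """Parse one syslog line; anything before 'CEF:' is kept as the syslog prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, ext = split_cef_header(line[idx:])
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {
        "syslog_prefix": line[:idx].strip(),
        "cef_version": version.partition(":")[2],
        "device_vendor": vendor,
        "device_product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extensions": parse_cef_extensions(ext),
    }


def parse_all(lines):
    return [parse_cef_line(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event["device_vendor"], event["name"], event["severity"], event["extensions"])
```

The escape handling is the part that matters operationally: a device that emits a literal `|` or `=` in a field name or message will silently shift every later field if the parser splits naively, which is exactly the kind of error that makes a BIOC rule built on the ingested fields miss.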
Endpoint Prevention and Security
Cortex XDR Pro per Endpoint License Enforcement
Cortex XDR now enforces the number of Pro agents permitted by the license policy. Cortex XDR calculates the number of Pro agents permitted and applies Pro capabilities only to that number of agents. Any agent that exceeds the number to which the policy applies will not have these capabilities.
To provide additional customization of your Cortex XDR Pro per Endpoint license capabilities, the agent settings policy also now includes configurable options for Pro capabilities, such as remediation suggestions. With an additional Host Insights Add-On license, the agent settings policy also now includes data collection for Vulnerability Assessment, Host Inventory, and Search and Destroy.
As soon as you reach the maximum allotted number of Pro agents, Cortex XDR displays a notification in the notification center. You can also track the status of the policy on a per-agent basis, where Cortex XDR identifies whether an agent has Pro capabilities enabled, from Endpoint Administration. If additional Pro agents are required, increase your Cortex XDR Pro per Endpoint license capacity.
Endpoint Visibility for Endpoint Groups
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To enable you to easily manage all endpoints in an endpoint group, you can now pivot from an endpoint group to a filtered list of endpoints on the Endpoint Administration page. From the filtered view, you can quickly view and initiate actions on the endpoints within the group.
Endpoint Location Visibility
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
Cortex XDR now provides visibility into the last known location of the endpoint. The new Endpoint Location field on the Endpoint Administration page indicates whether the endpoint is internal or external as determined by the Cortex XDR agent. On Windows endpoints, endpoint location visibility is supported with Cortex XDR agent 7.1 and later versions. On Mac and Linux endpoints, endpoint location visibility is supported with Cortex XDR agent 7.2 and later. If the endpoint has an earlier version of the Cortex XDR agent, Cortex XDR displays the Endpoint Location field as Not Supported. If the agent is unable to determine the endpoint location, the field displays a Disabled status.
Widgets by Endpoint Groups
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To provide visibility into the status of specific groups of endpoints, you can now assign Endpoint Groups to widgets that you add to your dashboards and report templates. By default, endpoint-related widgets apply to all endpoints. To reduce the scope of a widget, add it to your Dashboard or Report Template and then use the Data Scope field to select one or more endpoint groups.
FQDN in Proxy Configuration
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent version 7.2.1 or later)
When configuring proxy communication between Cortex XDR and your Cortex agents, you can now supply the FQDN of a proxy server instead of the IP address. The FQDN format is supported on Cortex XDR agent 7.2.1 and later versions. If you configure an FQDN for earlier agent versions, the Cortex XDR agent reverts back to the original proxy settings.
Cortex XDR Host Insights Add-On Module
Host Insights Menu Restructure
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To streamline investigation in the Host Insights module, information about the host is now organized under the following menu items:
  • Host Inventory
  • Vulnerability Management
Host Inventory for macOS and Linux
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To enhance your investigation capabilities, Cortex XDR now provides extensive Host Inventory data for macOS and Linux, such as users, groups, daemons, and more.
Bundle ID for macOS
(Requires a Cortex XDR Pro per Endpoint license and Host Insights Add-on)
To enhance your host information when using the Host Insights module, Bundle ID for macOS is now available on the Vulnerability Management page.
Broker VM
Broker VM Support for GCP
You can now deploy the broker VM in Google Cloud Platform (GCP). To set up the broker VM in GCP, you download the VMDK image from Cortex XDR and use it to set up the image and instance for the VM in Compute Engine.
CyberArk Authentication for Pathfinder
When you configure the Pathfinder applet, you can now use CyberArk AAM integration as an alternative to providing the domain credentials. To allow Cortex XDR to retrieve the credentials stored in CyberArk AAM, you supply the web address, port, App-ID, certificate, and query string.
Multi-Tenants and MSSPs
Cross-Tenant Scheduled Queries
You can now schedule queries to run across multiple tenants. For each query, Cortex XDR can return up to 100,000 results across all selected tenants.
Increased Capacity for Query Results Across Tenants
You can now run queries across an unlimited number of tenants. In addition, Cortex XDR can now return up to 100,000 results across your tenants.
Hash Exclusion Visibility and Management
When you investigate a file by hash, Cortex XDR now provides visibility into any allow or block lists to which the hash belongs. If you attempt to add a hash that already belongs to a list, Cortex XDR now shows you in which lists this hash exists. The new hash visibility and management options are available across the Action Center, Hash View, and Quick Launcher.
API
User Validation for Cortex XDR APIs
To ensure that changes to Cortex XDR incidents are made by authorized users, Cortex XDR validates the user specified in the assigned_user_mail field when calling the update_incident API.
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling the get_incidents and get_incident_extra_data APIs, the response section now includes the incident_name field if one is assigned to an incident ID.

Features Introduced in October

The following table describes the features released in October 2020 (release 2.5.5).
Endpoint Prevention and Security
EDL Support with Cortex XDR Pro per Endpoint Licenses
To enhance data management capabilities, the In-App External Dynamic List (EDL) management is now also available with a Cortex XDR Pro per Endpoint license.

Features Introduced in September

The following table describes the features released in September 2020 (release 2.5).
General Information
Japan Region Support
You can now deploy Cortex XDR in the Japan region. When you choose the JP region during the activation and setup of the Cortex Data Lake, you keep all Cortex XDR logs and data within the Japan boundary.
If you use Cortex XDR Prevent or Cortex XDR Pro per Endpoint, when the Cortex XDR agent identifies unknown files, Cortex XDR can send them to the local WildFire Japan Cloud for analysis.
Inclusive Terminology
The following terms are now deprecated and replaced with the following more inclusive terms in the Cortex XDR management console:
  • Blacklist is now Block List
  • Whitelist is now Allow List
Timezone Settings
To personalize your Cortex XDR experience, each user can now select a specific timezone. Selecting a timezone affects the timestamps displayed in the Cortex XDR management console, auditing logs, and when exporting files.
Cortex XDR Add-on Modules
Host Insights
(Requires a Cortex XDR Pro per Endpoint license)
Cortex XDR now offers additional security capabilities you can add to improve the security posture of your organization. Add-ons require an additional license. After you activate an add-on for your tenant, you can access the module from the new Add-ons menu.
Host Insights is the first add-on module that is available in Cortex XDR. This module requires a Cortex XDR Pro per Endpoint license, and is free for a 3 month trial period. The Host Insights add-on provides the following:
  • System Visibility—(Windows) Full visibility into the business and IT operational data on all your endpoints. By reviewing insights for all your hosts in a single place, you can quickly identify IT and security issues that exist in your network, such as identifying a suspicious service or autoruns that were added to an endpoint. The Cortex XDR Host Insights include information about Users, Groups, Users to groups mapping, Services, Drivers, Autoruns, System information, Shares, and Disks.
  • Host Inventory—(Windows, Mac, and Linux) As introduced in previous Cortex XDR releases, Host Inventory lists all the applications running on all your endpoints (previously named Application Inventory). Host Inventory is supported for Cortex XDR agent 7.1 and later releases.
  • Vulnerability Management—(Linux) As introduced in previous Cortex XDR releases, Vulnerability Management enables you to identify and quantify the security vulnerabilities on your endpoints (previously named Vulnerability Assessment). Vulnerability Management is supported for Cortex XDR agent 7.1 and later releases.
  • Search and Destroy—(Windows) Search and Destroy files on your endpoints to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints, and after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
To enable the Cortex XDR agent to collect the endpoint data required for the Host Insights module, you must enable Endpoint Data Collection in the Global Agent Settings of your tenant.
Investigation and Response
MITRE Tags Enhancements
(Requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license)
To aid in the alert investigation, when creating BIOC rules you can associate up to three MITRE ATT&CK tactics, techniques or sub-techniques in a BIOC rule.
The associated tactics and techniques are displayed in the following Alerts fields for alerts triggered by the BIOC rule:
  • MITRE ATT&CK Tactic
  • ATT&CK Technique
Monthly Scheduled Reports
To allow for more flexibility when creating a new report template, you can now choose to generate your reports on a monthly basis.
Remediate Changes from Malicious Activity
(Requires a Cortex XDR Pro per Endpoint license)
To streamline the manual process of searching and reverting files and registry keys affected by malicious activity, you can now initiate Cortex XDR to scan your data and provide remediation suggestions for the affected processes.
The Remediation Suggestions page lists which files and registry keys triggered the malicious causality chain, along with the timestamp and affected endpoint. You can select to remediate directly from the page according to the following remediation suggestions:
  • Delete File
  • Restore File
  • Rename File
  • Delete Registry Value
  • Restore Registry Value
Go To Mode for Quick Launcher
To improve the search and filter functionality of the Quick Launcher, you can now use Go To mode. The new mode enables you to quickly search for and jump to Cortex XDR pages. To enter Go To mode, enter a forward slash and begin typing the page name in the Quick Launcher and then select the page from a list of suggestions that match your search term.
Query and BIOC Enhancements for Device Information
(Requires a Cortex XDR Pro per Endpoint license)
To improve visibility of file and process events on different types of devices, you can now define the following device information when creating a File or Process BIOC rules and queries:
  • Device Type
  • Device Serial Number
You can also filter the following new fields in the Query Results and Causality View tables:
  • Process Events
    • Device Serial Number
    • Device Type
  • File Events
    • Device Serial Number
    • Device Type
    • File Previous Device Type
    • File Previous Device Serial Number
BIOC Rule Functionality Enhancements
(Requires a Cortex XDR Pro per Endpoint license)
To further enhance the BIOC rule capabilities, you can now define user-defined BIOC rules as custom prevention rules in your Restriction Security profiles. The custom prevention rules enable Cortex XDR to use BIOC rules to generate custom prevention alerts in addition to the BIOC detection alerts.
After the BIOC custom prevention rule is added to a Restrictions profile, the profile is deployed to your Windows, Mac, and Linux endpoints and can begin to trigger the prevention alerts.
Quarantine File Management Improvements
To help you better manage your quarantined files, you can now investigate the quarantine file details in two new views in the Response > Action Center > Quarantine page:
  • Detailed View
    • Filter according to the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of all your quarantined files.
    • Restore all the files with the same SHA256 hash.
    • Export the detailed list of the quarantined hashes to a tab-separated values (TSV) file format.
  • Aggregated by SHA256 View
    • Filter according to the Hash, File Name, and File Path of the quarantine files grouped by the hash value.
    • Restore one or more quarantined files.
New Alert Fields
Cortex XDR introduces the following new alert fields to aid in alert investigation:
  • Initiator PID—Process ID (PID) of the initiating process
  • Initiator TID—Thread ID (TID) of the initiating process
  • OS Parent PID—OS parent process ID
  • OS Parent TID—OS parent thread ID
  • Is Phishing—Identifies phishing alerts raised on firewall traffic
To view the new fields, you can add them using the column manager of the Alerts table.
Copyable Entity Data
When investigating a specific entity in event and alert views such as the Causality View, you can now copy the summary at the bottom of the page. The summary includes information about the selected entity such as path, SHA256, username, and signature.
Inline Base64 Decoding of Command Lines Arguments
To facilitate investigation of command-line arguments, you can now decode base64-encoded data back to its raw representation directly in Cortex XDR. The decoding option is available for any base64-encoded command-line argument value displayed in Cortex XDR.
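As an added example (written for this page, not Cortex XDR's own decoder), the block below does what an analyst does by hand with such an argument: it locates base64-looking tokens in a command line, tolerates stripped padding, and decodes them to text. Because PowerShell's `-EncodedCommand` carries UTF-16LE rather than UTF-8, the decoder tries that first when the byte pattern fits, which is the detail that most often trips up a naive `base64 -d`. The sample command lines are constructed; the tool name `agent-helper` and all payloads are assumptions.

```python
import base64
import binascii
import re

# Constructed sample command lines (illustrative only, not from any real incident).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -EncodedCommand "
    + base64.b64encode('Write-Host "hello"'.encode("utf-16-le")).decode("ascii"),
    "/usr/bin/agent-helper --settings "
    + base64.b64encode(b'{"mode": "audit", "interval": 60}').decode("ascii"),
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# Candidate blobs: 16+ base64-alphabet characters with optional padding. The
# minimum length keeps ordinary flags and short words out of the candidate set.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _printable(text):
    return bool(text) and all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_blob(token):
    """Try to decode one base64 token to text.

    Returns (encoding, text) or None when the token is not valid base64 or does
    not decode to printable text. UTF-16LE is tried first when every odd byte
    is NUL (an ASCII-only heuristic that matches PowerShell -EncodedCommand)."""
    padded = token + "=" * (-len(token) % 4)   # tolerate stripped '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
        if _printable(text):
            return "utf-16-le", text
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return ("utf-8", text) if _printable(text) else None


def decode_command_line(cmd):
    """Return one finding per decodable base64 blob in the command line."""
    findings = []
    for m in _B64_TOKEN.finditer(cmd):
        result = decode_blob(m.group(0))
        if result is None:
            continue   # random-looking but not base64, or decodes to binary
        encoding, text = result
        findings.append({"offset": m.start(), "token": m.group(0),
                         "encoding": encoding, "decoded": text})
    return findings


def decoded_view(cmd):
    """Render the command line with each decodable blob replaced by its plaintext."""
    out, last = [], 0
    for f in decode_command_line(cmd):
        out.append(cmd[last:f["offset"]])
        out.append("<decoded " + f["encoding"] + ": " + f["decoded"] + ">")
        last = f["offset"] + len(f["token"])
    out.append(cmd[last:])
    return "".join(out)


if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(decoded_view(cmd))
```

Two caveats worth keeping in mind when reading decoded arguments: a valid base64 token that decodes to non-printable bytes is deliberately dropped here rather than shown, and the UTF-16LE heuristic only recognises ASCII payloads, so a non-ASCII encoded command falls through to the UTF-8 attempt and is usually rejected as unprintable.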
Query Capacity Increase
When you use the Query Builder, the query can now return up to 100,000 results, an increase from 10,000 results. You can also export up to 100,000 results to a tab-separated values (TSV) file.
In-App External Dynamic List Management
(Requires a Cortex XDR Pro per TB license)
You can now configure and manage your external dynamic list (EDL) directly from the Cortex XDR management console. The EDL configurations defined in the console are used by the firewall to access the EDLs.
Cortex XDR supports two types of lists:
  • IP Addresses
  • Domain Names
For ease of list creation and management, you can add IP addresses and domain names to the EDLs directly from the Quick Launcher, IP Address View, and Causality View.
To review and manage the IP addresses and domain names of your EDL, you can access the list from the Action Center.
Hash View Display Enhancements
(Requires a Cortex XDR Pro per TB or Cortex XDR Pro per Endpoint license)
To provide a consistent investigation process across the Hash and IP Views, the Hash View display format is aligned to visualize the information in a node format similar to the IP View.
Asset View
To streamline the investigation process and reduce the number of steps it takes to investigate hosts on your network, Cortex XDR now provides a dedicated Asset View.
The asset view automatically aggregates and displays insights on your hosts and a list of related incidents. Insights detail the Users, Groups, Users to Groups, Services, Drivers, Autoruns, Shares, and Drives available on your host.
In collaboration with the IP and Hash Views, you can now easily track the information Cortex XDR has on your artifacts and assets.
Data Visibility and Management
To gain visibility into the type and amount of data consumed by Cortex XDR, you can now easily monitor the information in the Data Ingestion predefined dashboard. Each dashboard widget displays the following calculations according to either the Product or Vendor name:
  • Your daily Ingestion Rate at which Cortex XDR ingests third party and Palo Alto Networks logs.
  • A Daily Consumption comparison of the product/vendor consumption versus your allowed quota.
  • Detailed Ingestion information regarding each product/vendor.
Causality View Enhancements
(Requires a Cortex XDR Pro per TB or Cortex XDR Pro per Endpoint license)
To streamline investigation of an alert, the Causality View now displays a Process Information pop-up when hovering over a process node. The pop-up displays the most useful process information you need to investigate a causality chain, such as the process path, command line, signature, username, running time, and WildFire verdict. If Cortex XDR has any analytics data available on the process, the pop-up also displays the analytics profile information.
The pop-up remains on the screen for you to copy and paste any information and disappears after you navigate off the process node.
Analytics Alert View Enhancements
(Requires a Cortex XDR Pro per TB or Cortex XDR Pro per Endpoint license)
To expand your investigation capabilities, you can now perform the following actions directly from the Analytics Alert View:
  • Open the IP View from the device node
  • View Process Instances from the process node
  • Add an IP address to your EDL list
Asset Management
Asset Management
(Requires a Cortex XDR Pro per TB or Cortex XDR Pro per Endpoint license)
To streamline the management of your network assets and help you better understand how network data passes internally and externally, Cortex XDR now provides asset management and visibility.
To identify assets within your network, you must first define your network parameters in the Cortex XDR management console. Cortex XDR can then display the following information about each of your assets so you can easily track your network security coverage:
  • Whether the asset is managed by a Cortex XDR agent
  • Associated IP address
  • First and Last time the asset has been seen
  • Host name
To easily monitor which assets are managed and unmanaged by a Cortex XDR agent, add the new Managed Assets and Unmanaged Assets widgets to your custom dashboard.
Analytics Management Reorganization
(Requires a Cortex XDR Pro per Endpoint or Cortex XDR Pro per TB license)
Analytics Management capabilities have been integrated with Cortex XDR management console as follows:
  • Enable the Analytics engine and view the status in Settings > Cortex XDR - Analytics.
  • Monitor log and traffic data in the Reporting > Dashboards > Data Ingestion predefined dashboard.
  • Set up and monitor Directory Sync in the hub.
  • Define your network segments in Assets > Network Configuration > IP Address Ranges. The Analytics Network Coverage Metrics, Report Time Ranges, and Warnings have been deprecated.
  • Activate system alerts in Settings > Notifications.
  • Manage your External Dynamic Lists in Settings > EDL.
  • All Pathfinder capabilities are now managed in Settings > Broker VMs.
  • Analytics Audit Log has been deprecated.
Log Ingestion and Forwarding
PingOne Authentication Data Ingestion
(Requires a Cortex XDR Pro per TB License)
Cortex XDR can now ingest authentication logs from PingOne into authentication stories. An authentication story unites logs and data regardless of source into a uniform schema. To search authentication stories, you can use the Query Builder or text-based Native Search. To receive authentication logs from PingOne, you configure the SaaS Log Collection settings in Cortex XDR.
Affected Host Visibility in Alert Notifications
When you forward alert notifications, Cortex XDR now includes the affected host in the alert details.
Endpoint Prevention and Management
Device Control of USB-Connected Devices (Mac)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
To protect Mac endpoints from loading malicious files from USB-connected removable devices (CD-ROM, disk drives, and floppy disks), Cortex XDR now extends Device Control to Mac endpoints. With Device Control, you can configure different policies to manage USB-connectivity on your endpoint. For example, you can:
  • Block all supported USB-connected devices.
  • Temporarily block only some USB-connected device types.
  • Block a USB-connected device type but allow a specific vendor or product from that list read/write permissions on the endpoint.
To apply Device Control to your Mac endpoints, you define Device Control profiles according to the device types, and configure device control policies that apply to Cortex XDR endpoints or endpoint groups.
Disk Encryption Using FileVault (Mac)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
Cortex XDR now provides visibility into Mac endpoints that encrypt their hard drives using FileVault, the Apple built-in encryption tool, through Endpoints > Disk Encryption Visibility. Additionally, you can enforce FileVault encryption on the endpoint operating system disk through Cortex XDR, by configuring Disk Encryption profiles and applying them to your Mac endpoints.
The Cortex XDR Disk Encryption profile for Mac can encrypt the endpoint disk, however it cannot decrypt it. You have to perform the decryption manually on the endpoint. If you use an institutional recovery key (IRK) to decrypt the endpoint, you must ensure the key is signed by a valid authority.
Host Firewall (Mac)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
To reduce the attacks that occur during network communications on the endpoint, you can now control all inbound communications on your Mac endpoints, using the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block inbound traffic on the endpoint, and apply them to your endpoints using Cortex XDR policy rules.
Cortex XDR enables you to configure different sets of rules according to the current location of the device within the organization network. To fine tune your control over the inbound communication, you can also:
  • Hide your Mac endpoint from all TCP and UDP networks using Apple Stealth mode.
  • Block all incoming communications on the endpoint.
  • Allow or block specific programs running on the endpoint using Apple BundleID.
To control inbound communication of your endpoints, Cortex XDR leverages the Mac Application Firewall APIs. The Cortex XDR agent applies the Application Firewall rules on the endpoint according to the settings configured in the Cortex XDR management console.
Network Location Resolution for Cortex XDR Agents (Mac)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
To apply location based Host Firewall rules on your Mac endpoints, Cortex XDR can now determine whether the Cortex XDR agent is within the organization network or outside also for Mac endpoints. Similarly to the network location test performed for Windows endpoints, Cortex XDR performs a domain controller connectivity test and DNS test to determine whether the Cortex XDR agent is within the organization network or outside.
Web Shell Exploits Protection (Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
The Cortex XDR agent now protects your Linux endpoints against PHP web shells. With advanced machine learning algorithms, the new Local Threat-Evaluation Engine (LTEE) analyses PHP scripts to detect web shells. When Local File Threat Examination is enabled in your Malware profile, the Cortex XDR agent creates an alert for any malicious PHP script. You can also set the policy to quarantine malicious PHP files on the endpoint.
You enable Local File Threat Examination in the Malware security profile.
Crypto Mining Protection (Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
The Cortex XDR agent now protects your endpoint against crypto-mining attacks that could consume the endpoint CPU computing power, as part of the Behavioral threat protection (BTP) module.
Installed KB Visibility (Windows)
(Requires a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.1 or a later release)
The Cortex XDR Application Inventory now includes information about all the Microsoft patches installed on a Windows endpoint, including a link to the Microsoft official Knowledge Base (KB) support article.
Device Control for User Defined Device Classes (Windows)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
You can now extend your Device Control policy rules for Windows endpoints to include custom USB connected device classes beyond Disk Drive, CD-ROM, Portable Devices and Floppy Disk Drives, such as USB connected network adapters. When you create a custom device class, you must provide the official ClassGuid identifier used by Microsoft. Alternatively, if you configured a GUID value to a specific USB connected device, you must use this value for the new device class. After you add a custom device class, you can enforce any device control rules and exceptions on this device class.
Enhanced Endpoint Scanning (Windows)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release)
When the Cortex XDR agent encounters a file that is unknown to WildFire during an endpoint scan, the agent can now leverage its built-in Cortex XDR Local analysis engine to process the file directly on the endpoint and assign the file a benign or malicious verdict. Local analysis is used in all types of scans: periodic scans, malware scans you initiate from Cortex XDR, and custom scans you initiate from the endpoint. For future reference, the agent also uploads the file to the WildFire service for further analysis.
Improved Local Analysis Engine for Office Files with Macros (Windows)
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release
)
The local analysis engine for Cortex XDR agents running on Windows endpoints now provides enhanced coverage for Microsoft Office files with macros. When the endpoint user attempts to open an Office file with a macro, and the WildFire verdict for the file is unavailable (if the sample is unknown to WildFire or the endpoint is currently disconnected from Cortex XDR), the Cortex XDR agent will analyze the file using the new advanced machine learning model for local analysis.
Cortex XDR Agents Migration Between Managing XDR Servers (Cross-platform)
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later release
)
You can now migrate existing agents between Cortex XDR tenants directly from the Cortex XDR management console. This can be useful during POCs or to change the allocation of agents between tenants. When you change the tenant that manages the agent, the agent transfers to the new tenant as a freshly installed agent, without any data that was previously stored for it on the original tenant. After the Cortex XDR agent registers with the new tenant, it can no longer communicate with the previous tenant.
To register with another tenant, the Cortex XDR agent requires a distribution ID of an installation package available on the target tenant that matches the same operating system and is for the same or an earlier agent version. The
Change managing server
option is available from the advanced options menu only and for a user with administrator permissions.
Custom Port Configuration for the Agent Proxy Applet
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
In closed networks where the Cortex XDR agents communicate with the Cortex XDR management console through the Palo Alto Networks Broker VM, you can now configure a custom port for the communication.
To set a custom port, activate the Agent Proxy applet in your global tenant settings and edit the default 8888 port set by Cortex XDR.
Global Uninstall Agent Password Update
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
Now, you can edit the global agent uninstall password that you defined upon the initial setup of Cortex XDR for all the default profiles. Changing the global default password applies to new and existing agents for which the previous global password applied. If you want to use a different password to uninstall specific agents, you can override the default global uninstall password by setting a different password for those agents in the Agent Settings profile.
Scripts Interactive Mode Availability (Cross-platform)
(
Requires a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.1 or a later release
)
You can now run a script in interactive mode directly from the right-click pivot menu for an endpoint in
Endpoint Administration
.
Host Identification by Fully Qualified Domain Name (Windows)
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
To help you uniquely identify the host in an alert, Cortex XDR now also displays the fully qualified domain name (FQDN) of Windows hosts. This is especially helpful if you have multiple domains or duplicate host names in your network.
Bandwidth Calculator for Content Updates
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
When you allocate network bandwidth for Cortex XDR content updates, Cortex XDR now recommends the optimal value in Mbps based on the number of active agents in your network, including overhead for large content updates.
Post Detection Alert Response
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
The Cortex XDR agent can now proactively apply your malware security policy—such as quarantine and block settings—and enforce them when a post-detection alert is raised. A post-detection alert is raised for activity, files, or processes that were previously thought to be benign but are now—as a result of additional information, analysis, or administrator action—known to be malicious.
For example, if your security policy enables the Cortex XDR agent to block malicious files and processes, the agent can immediately halt running files and processes and block any future attempts to run. If you also enable the Cortex XDR agent to quarantine files, the agent can proactively quarantine detected malware even if it is dormant and not currently running.
After the Cortex XDR agent enforces the security policy, Cortex XDR updates the action from detected to prevented for the corresponding alert.
DMG Analysis (Mac)
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR Agent 7.2
)
On macOS endpoints, the Cortex XDR agent can now
Analyze and prevent malicious DMG files from running
. To enable DMG file examination, you configure the new option in your Malware Security profiles. When an unknown DMG file attempts to run, the Cortex XDR agent sends the file to Cortex XDR for analysis by WildFire. The agent can then prevent the DMG from running until it receives the benign verdict for the file.
Advanced Analysis of Cortex XDR Agent Alerts
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
To provide additional verdict verification of XDR Agent alerts raised by exploit protection modules, Cortex XDR can now perform advanced analysis of the endpoint memory state. To initiate additional analysis you must retrieve data about the alert from the endpoint. You can do this manually on an alert-by-alert basis or you can enable Cortex XDR to automatically retrieve the files for Advanced Analysis (
Settings
Agent Configuration
Advanced Analysis
). After Cortex XDR receives the data, it automatically analyzes the memory contents and renders a verdict. When the analysis is complete, Cortex XDR displays the results in the new Advanced Analysis field of the Additional data view for the data retrieval action on the Action Center.
Endpoint Isolation Comments
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
When you need to isolate one or more endpoints, you can now enter a comment to provide additional information about the reason for the response action. You can enter the comment anywhere in Cortex XDR where you initiate the response action including the Action Center, Endpoint Management, Quick Launcher and in the isolation API.
After you isolate an endpoint, Cortex XDR will display the
Isolation Comment
on the
Action Center
Isolation
tab. From this page you can also filter and sort by the comment and edit it (from the right-click pivot menu).
Action Progress Visibility
(
Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license
)
After a Cortex XDR agent initiates an action, you can now view the time of the most recent status update in the Action Center. Cortex XDR displays the timestamp in the new
Last Updated
column in the additional details view of an action.
Impacted Host Visibility in Notifications
When you configure notifications for alerts in Cortex XDR, the notification now includes the Impacted Host in the notification details. When known, Cortex XDR displays the hosts in any Slack or Email notifications that you set up.
Incident Comment Visibility
To increase visibility of comments on incidents, you can now view the total number of comments from the incident view.
Broker Service
Network Mapper
(
Requires a Cortex XDR Pro per Endpoint license
)
To provide greater insight and visibility into your network assets, the Broker VM introduces the new Network Mapper applet.
The Network Mapper applet acts as a discovery tool to locate and identify managed and unmanaged hosts in your network. The assets identified within your network are displayed in the Assets table.
Pathfinder Integration with the Broker VM
(
Requires a Cortex XDR Pro per TB or a Cortex XDR Pro per Endpoint license
)
Pathfinder is now integrated with the Broker VM, allowing you to manage Pathfinder directly from the Cortex XDR management console.
Pathfinder now also collects data from hosts that do not have a Cortex XDR agent installed. This collector provides insights into hosts that you were previously unable to scan. The data collector is triggered automatically by Analytics-type alerts and runs for up to two weeks on the unmanaged host.
After the collector is deployed you can:
  • Track the hosts and collector status in the Pathfinder Collection Center page of the console.
  • Query and investigate the EDR data gathered by the collector.
All existing Pathfinder VMs are upgraded automatically to the new Broker VM; no action is required from you. For security reasons, although any disconnected Pathfinder VMs are upgraded with their existing configurations, you will be required to re-enter the network credentials as described in Configure the Broker VM.
The following capabilities have been deprecated for this release:
  • On-demand Scan
  • On-demand Host Information Retrieval
  • Remote terminal on unmanaged hosts
Broker Management Enhancements
To help you better manage your registered broker VMs, you can now perform the following directly from the Cortex XDR console:
  • Reset your Broker VM Web UI password
  • Reinstate an expired broker while maintaining its previous configurations
  • Open Remote Terminal to a Broker VM to easily run commands and connect to support without the need to generate an SSH key
Public APIs
New APIs
To expand your API capabilities, Cortex XDR now provides the following APIs:
Existing API Enhancements
To help you gain better visibility and control of the API requested data, you can now:
  • Filter incidents by status in Get Incidents
  • View how many endpoints were sent an action request. The
    endpoints_count
    appears in the response of the following APIs:
    • Isolate Endpoints
    • Unisolate Endpoints
    • Scan Endpoints
    • Cancel Scan Endpoints
    • Quarantine Files
    • Restore File
    • Retrieve File
API Renaming
The following APIs and associated URI have been renamed:
  • Blacklist Files
    • API renamed to Block List Files
    • URI:
      /public_api/v1/hash_exceptions/blacklist/
      is now
      /public_api/v1/hash_exceptions/block_list/
  • Whitelist Files
    • API renamed to Allow List Files
    • URI:
      /public_api/v1/hash_exceptions/whitelist/
      is now
      /public_api/v1/hash_exceptions/allow_list/

Features Introduced in June

The following table describes the features released in June 2020 (release 2.4.1).
Feature
Description
Endpoint Prevention and Management
Application inventory for Mac endpoints
(
Requires a Cortex XDR Pro per Endpoint License, Cortex XDR agent 7.1 or later
)
The Cortex XDR Application Inventory now also includes the applications installed on your Mac endpoints. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting the list of installed applications from each Cortex XDR agent. Any new application installed on the endpoint will appear in Cortex XDR within 24 hours. Alternatively, you can re-scan the endpoint to retrieve the most up-to-date list.
Application inventory is now supported for Windows, Mac, and Linux endpoints. However, because Cortex XDR performs vulnerability assessment for Linux endpoints only, no CVE information is available for Windows or Mac applications in the Application Inventory, and Windows and Mac applications are marked as
Unsupported Platform
.
UK Region Support
You can now deploy Cortex XDR in the UK region. When you choose the UK region during the activation and setup of the Cortex Data Lake, you keep all Cortex XDR logs and data within the UK boundary. However, Cortex XDR will continue to send files that require analysis by WildFire to the EU WildFire cloud. If your compliance and privacy laws prohibit the sending of files outside the UK region, you can disable uploading of files to WildFire in your Malware Security Profiles.

Features Introduced in May

The following table describes the features released in May 2020 (release 2.4).
Feature
Description
Investigation and Response
Threat Intelligence Management Integration
The IOC Rules table has been expanded to include information commonly found on IOCs retrieved from threat intelligence sources. These are:
  • Indicator's reputation.
  • Indicator's reliability.
  • A list of vendors that provided the indicator.
  • The indicator's class (for example,
    Malware
    ).
In addition, when you manually add a single indicator, you can now set its reputation and reliability.
Finally, the
Source
column in the IOC Rules table has been enhanced so that it can now indicate whether the IOC was inserted into Cortex XDR using a REST API.
Causality View Enhancements for Remote Procedure Call (RPC) Events
(
Requires a Cortex XDR Pro per Endpoint License
)
To expand your investigation capabilities, Cortex XDR now displays when an RPC protocol or code injection event was executed on another process from either a local or remote host.
To access more information about the injection events in the Causality View, select the injection event to view the events executed on behalf of either an IP address or process.
IP Address and Hash Views
(
Requires a Cortex XDR Pro per Endpoint License
)
To streamline the investigation process and reduce the number of steps it takes to investigate and threat hunt artifacts, Cortex XDR now provides dedicated views for:
To help you collect and research information relating to artifacts, the IP View and Hash View automatically aggregate and display a summary of all the information Cortex XDR and threat intelligence reports have on the artifact. From the artifact view, you can also easily navigate to the corresponding incident, query, and filtered view of the Action Center to further inspect and initiate specific actions on the artifact. You can access the views from:
  • Quick Launcher
  • Right-click pivot menu
  • Keyboard shortcut
    Ctrl+Shift+E
    (Windows) or
    CMD+Shift+E
    (macOS)
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage information relating to:
  • XDR agent alerts
    • Endpoint Platform, MAC Address, and Domain
    • MD5 of the initiator process and CGO
    • SHA256 of target Microsoft Office/DLL files and Macros
  • Firewall alerts
    • NGFW Serial Number and virtual System Name
    • App-ID Category, Subcategory and Technology Names
    • Email Subject, Sender, and Recipient information
Cortex XDR Alert Management
To allow for greater coverage of your incoming alerts, Cortex XDR now supports 2 million alerts per 4000 agents or per 20 TB.
Cortex XDR allocates the saved alerts as follows:
  • Half for informational type alerts
  • Half for severity type alerts
Incident Visibility in Blacklists and Whitelists
If during investigation of an incident, you whitelist or blacklist a file, Cortex XDR can now assign the incident ID to the file in the relevant list in the Action Center. This enables you and other administrators to easily identify the related incident when you return to the Action Center to investigate a whitelisted or blacklisted file. If the incident associated with the file is no longer relevant, you can easily change or clear the incident ID number.
IOC and BIOC Alert Investigation Enhancements
To improve the investigation workflow, you can now pivot from an IOC or BIOC rule to a filtered list of alerts triggered by the rule. From an IOC or BIOC rule, you can also pivot to a query of alerts triggered by the rule.
Alert to Incident Investigation Enhancements
To aid in alert investigation, Cortex XDR now displays the related incident ID in Alerts tables (excluding the Incident alert table). You can also easily pivot to the relevant incident and can filter the results by Incident ID.
Quick Launcher
You can now use the Quick Launcher as an in-context shortcut to quickly perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app.
Use the Quick Launcher to:
  • Search events for host, IP address, domain, and hash
  • Blacklist and whitelist processes by hash
  • Add domains or IP addresses to the EDL blocklist
  • Create a new IOC for an IP address, domain, hash, filename, or filepath
  • Isolate an endpoint
  • Open a terminal to a given endpoint
  • Initiate a malware scan on an endpoint
You can bring up the Quick Launcher using the
Ctrl+Shift+X
shortcut on Windows,
CMD+Shift+X
shortcut on macOS, or by clicking the Quick Launch icon in the top navigation menu.
By highlighting a field value—such as an IP address or filename—from any page in the Cortex XDR management console, you can pre-populate a query in the Quick Launcher.
Native Search
(
Requires a Cortex XDR Pro license
)
Cortex XDR introduces the new text-based Native Search. You can now build simple and complex text-based queries to search across all available logs and data in Cortex XDR. When you build a query, you enter one or more fields based on the log’s metadata hierarchy, the operator, and the field value. As you enter fields, the query provides autocompletion based on the known log fields. You can also use Regex in your queries. To build complex queries, add complex statements in parentheses using supported operators and string multiple statements together using either
and
or
or
. Text-based queries also support wildcards with the exception of IP addresses and IP address ranges.
Examples of text-based queries include:
  • logtype = file AND subtype IN ("file create", "file delete") and hostname contains SF
  • network connections AND palo alto networks.app id = facebook
  • okta.sso AND ip != 10.0.*
Query Management Enhancement
You can now easily edit a query in the Query Center. This can be useful if you do not want to create a new query and instead want to modify the original. The option to
Edit a query
is available from the pivot menu for a query (
Investigation
Query Center
).
Endpoint Prevention and Management
Alert Data Retrieval Enhancements
To improve the user experience and reduce unnecessary bandwidth consumption due to duplicate alert data retrieval actions—either by an automatic-upload or administrator-initiated action—Cortex XDR now verifies whether retrieval is already in progress. Now, when you try to retrieve data and an upload is already in progress, Cortex XDR displays a notification to alert you of the retrieval status. If the file is already available, Cortex XDR provides a download link for you to download it immediately.
Vulnerability Assessment and Application Inventory
(
Requires a Cortex XDR Pro per Endpoint License, Cortex XDR agent 7.1 or later
)
You can now identify and quantify the security vulnerabilities on an endpoint directly from the Cortex XDR management console. Relying on the information from Cortex XDR, you can easily mitigate and patch these vulnerabilities on all endpoints in your organization. To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics.
From Cortex XDR, you can view the vulnerabilities in your network by CVE or by endpoint. Additionally, Cortex XDR provides you with a list of all applications installed in your network, and indicates the CVEs only where they exist, providing you with a full application inventory of your network.
In this release, the application inventory is available for both Linux and Windows endpoints, and the vulnerability analysis by CVE or endpoint is available for Linux endpoints only.
During the first few days of this feature roll-out and until Cortex XDR collects the application data from all endpoints in your network, you will see only partial information in
Vulnerability Assessment
and a system notification that indicates the data is still being collected. When Cortex XDR completes the data collection, it will stop displaying the system notification.
Interactive Script Execution
(
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
)
To run multiple scripts on a set scope of target endpoints, track the execution progress and view the results in real-time, you can now initiate scripts in
Interactive Mode
. For each script, Cortex XDR displays the execution progress status on all connected endpoints in the target scope, the script general information, and the execution results. You can launch
Interactive Mode
at the end of a new
Execute Script
action, or from the
Action Center
for already existing script executions. When you are working in
Interactive Mode
, you can select additional scripts and execute them directly, or add your code snippets using the built-in text editor.
Enhancements to Script Upload
(
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
)
When you upload a new script to the
Scripts Library
, you can now review and edit the script code during the upload process in the Cortex XDR text editor.
Visibility into Disabled Agent Capabilities
(
Cortex XDR agent 7.1 or later
)
Cortex XDR now provides visibility into which response actions are disabled on the endpoint. You can view a list of the
Disabled Capabilities
per endpoint in
Endpoint Administration
: initiating a Live Terminal remote session on the endpoint, executing Python scripts on the endpoint, and retrieving files from the endpoint to Cortex XDR.
Alert and Log Ingestion and Forwarding
Okta and Azure Authentication Data Ingestion
(
Requires a Cortex XDR Pro per TB License
)
Cortex XDR can now ingest authentication logs from Okta and Azure AD into authentication stories. An authentication story unites logs and data regardless of the information source (from an on-premises KDC or from a cloud-based authentication service) into a uniform schema. To search authentication stories, you can use the Query Builder or the new text-based Native Search.
To receive authentication logs from Okta and Azure AD, you configure the SaaS Log Collection settings in Cortex XDR.
Legacy Log Forwarding Format Support
If you previously used the Log Forwarding App to forward logs to an external syslog receiver or email, you can now use the legacy formats in Cortex XDR. To enable legacy formats, you add a Log Forwarding notification configuration and choose the
Use Legacy Log Format
option. For information on legacy formats, see Cortex XDR Log Formats.
Broker Service
Broker VM Remote Access Enhancements
To simplify and expand support of remote access to your broker VM, the broker now supports SSH with a public RSA Key Pair allowing you to easily generate your own key and grant access to your colleagues in addition to Cortex XDR support.
Broker VM Web Console Enhancements
To improve the registration process of your broker VM, you can now define the following configurations directly in the Broker VM web console:
  • NTP Servers
  • SSH Access
To align access to your Cortex XDR logs, in addition to the Cortex XDR console, you can now collect and download logs from the broker VM web console.
Broker VM XDR Console Enhancements
To help you better manage your registered broker VMs, you can now:
  • Configure an Internal Network Subnet for your broker VM
  • Rename your broker VM
  • View the broker VM disk usage
  • Receive notifications about new broker VM versions and lost connections
Windows Event Collector Set Up Enhancements
(
Requires Cortex XDR Pro per TB License
)
To simplify the process of setting up the Windows Event Collector, you can now generate, activate, and download the required WEC certificates used to establish a connection with your Domain Controller during the setup process directly from the Cortex XDR console.
To help you maintain your current WEC DC configurations, you can now migrate your existing WEC certificate from the Cortex XDR management console.
MSSP
New Managed Threat Hunting Service
Cortex XDR now offers the new Managed Threat Hunting service as an add-on security service. To augment your security team, Managed Threat Hunting provides 24/7, year-round monitoring by Palo Alto Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively safeguard your organization and provide threat reports for critical security incidents and impact reports for emerging threats that provide an analysis of exposure in your organization. In addition, the Managed Threat Hunting team can identify incidents and provide in-depth review of related threat reports.
To use Cortex XDR Managed Threat Hunting, you must purchase a Managed Threat Hunting license and have a Cortex XDR Pro for Endpoint license with a minimum of 500 endpoints.
Cross-Tenant Queries for MSSPs
To enable managed security service providers (MSSPs) that use Cortex XDR to threat hunt and perform investigations quickly, you can now use the Query Builder to query across multiple child tenants. Cortex XDR provides the tenant query selector at the top of the Query Builder with the option to select one or more child tenants.
Public APIs
New APIs for Ingesting Threat Intelligence Feeds
Two new APIs are now available that can add one or more IOCs to Cortex XDR:
These APIs are intended for use with IOCs retrieved from threat intelligence sources. However, they can be used to insert an IOC obtained from any source so long as the request presents IOCs in a valid format.
Existing API Enhancements
To help you gain better visibility and control over which endpoints can be scanned, you can now filter Get Endpoints, Scan Endpoints, and Cancel Scan Endpoints APIs according to the scan status.
  • Field Name
    • scan_status
  • Valid Values
    • none
    • in_progress
    • canceled
    • aborted
    • success
    • error
To allow you to better filter file hashes and processes that have been whitelisted or blacklisted, you can now send the
incident_id
field when running the following APIs:
  • Whitelist Files
  • Blacklist Files
Script APIs Enhancements
To help you better understand the Get Script Metadata API response, Cortex XDR has aligned the following response fields with how they are displayed in the Cortex XDR management console.
  • has changed to
    script_output_type
    and returns the type of script output. For example,
    auto_detect
    ,
    dictionary
    ,
    number
    ,
    numbers_list
    ,
    string
    ,
    strings_list
    ,
    boolean
    ,
    ip_address
    .
  • script_output
    has changed to
    script_output_dictionary_definitions
    and returns an array for each output with its
    name
    ,
    friendly_name
    and
    type
    .

Features Introduced in April

The following table describes the features released in April 2020 (release 2.3).
Feature
Description
Incident Management
OS Actor Visibility and Investigation
Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator.
When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.
Causality View Enhancements for Devices
When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number.
Endpoint Prevention and Management
Script Execution
(
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
)
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
Full Visibility into the Cortex XDR Agent Operational Status
(
Cortex XDR agent 7.1 or later
)
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
  • Protected
    —Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected
    —Indicates that the Cortex XDR agent reported one or more exceptions to Cortex XDR.
  • Unprotected
    —Indicates that the Cortex XDR agent reported exceptions to Cortex XDR about the Malware protection module and the Behavioral threat protection or Exploit modules.
You can monitor the operational status of your endpoints from the
Endpoint Administration
table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
Disk Encryption Using BitLocker
(
Windows only and with Cortex XDR agent 7.1 or later
)
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to enforce BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
(
Windows only and with Cortex XDR agent 7.1 or later
)
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
  • The current network location of the device (inside or outside the network).
  • The direction of the communication on the device (inbound or outbound).
  • IP address or IP address ranges.
  • Ports or port ranges.
  • The communication protocol (ICMP, TCP, UDP, and ICMPv6).
  • Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Automatic Agent Upgrades
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile.
Dormant Malware Scanning
(
Mac only and with Cortex XDR agent 7.1 or later
)
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine Mach-O files on system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove it before it attempts to harm the endpoint. Unsupported file types are excluded from the scan, but the agent's other protection capabilities continue to monitor and evaluate those files.
Agent Installation through Package Manager
(
Linux only and with Cortex XDR agent 7.1 or later
)
You can now create Cortex XDR agent installation packages in
.rpm
or
.deb
formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package.
New Distribution Support
(
Linux only and with Cortex XDR agent 7.1 or later
)
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.
MAC Address Reporting
(
Cortex XDR agent 7.1 or later
)
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Endpoints Navigation Changes
For improved navigation of endpoint features, the Cortex XDR management console now organizes the
Endpoints
menus as follows:
  • Endpoint Management
    —Includes endpoint administration, endpoint group management, and agent installation package management.
  • Policy Management
    —Now separated into two sections:
    Prevention/Security
    for managing your endpoint profiles, rules, and exceptions; and
    Compliance
    for managing your Device Control profiles, rules, and exceptions.
  • Device Control Violations
    —Quickly view behavior flagged by Cortex XDR agents as matching a Device Control policy rule.
Endpoint Group Name Portability
When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group.
Restricting Response Actions on the Endpoint
If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Global Improvements
Broker VM Extended Application Support
To ease deployment of the broker VM on Azure and on Hyper-V 2012 and later, you can now download a VHD image from the Cortex XDR management console when configuring your broker VM.
Cortex XDR Deployment Access Enhancements
To simplify access to Cortex XDR, all new and existing customers must allow the following URL on their firewall:
https://panw-xdr-evr-prod-
<region>
.storage.googleapis.com
The new URL is replacing:
  • https://<xdr-tenant>-distributions.storage.googleapis.com
  • https://<xdr-tenant>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
Public APIs
New Public APIs for Script Executions
To further expand the Cortex XDR public API capabilities, you can now:
  • View all scripts available in the scripts library
  • Run scripts on endpoints
  • Retrieve script results from the server
  • Retrieve and manage your Cortex XDR incidents, endpoints, agents, and installation packages
New APIs include:
Existing API Enhancements
To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
  • Request field
    filters
    is no longer mandatory for the following APIs:
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Request either
    all
    or
    filtered
    results for:
    • Scan Endpoints
    • Cancel Scan Endpoints
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Simplified request fields for:
    • Isolate Endpoints
    • Unisolate Endpoints
    • Delete Endpoints
    • Quarantine Files
    • Retrieve File

Features Introduced in March

The following table describes the features released in March 2020 (release 2.2).
Feature
Description
Incident Management
Injection Events
You can now easily view more information about injector and injected processes directly from the Causality View and the Query Center Results table without the need to navigate between tabs.
  • From the
    Causality View
    Events table
    , right-click a
    Process Injection
    row and
    Analyze
    the injector/injected process in a separate causality view.
  • In
    Query Center
    Results
    table of a
    Process Injection
    action type, right-click the row and select
    Analyze
    to view the causality view of either the Injector process or the Injected process.
Rule Visibility for BIOC and IOC Alerts
You can now easily view the BIOC or IOC rules that generated alerts directly from the
Alerts
table without the need to open a new tab.
In the Causality View of the alert or incident, right-click an alert row in the Events table and select
View generating rule
.
Windows Event Log Enhancements
You can now run a query, investigate an event, and create BIOC rules for Windows Event Log data.
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage your alerts:
  • Firewall source zone, destination zone, and rule name
  • Operating system version
  • MITRE ATT&CK technique and MITRE ATT&CK tactic
  • Identifiers of the operating system entity that created the process that triggered the alert
Causality View Event Enhancements
To enable easier navigation and faster response during investigation within the Cortex XDR management console, Behavioral Threat Protection has been enhanced so that you can quickly whitelist, blacklist, terminate, or quarantine a process.
Agent Management
Alert Action Enhancements
You can now create a profile exception directly from the Alerts table without the need to open a new tab. If no Exceptions profile exists, Cortex XDR lets you create one.
Action Center Static Filters
To help you filter relevant endpoints when initiating a new action, Cortex XDR now provides a static filter on the endpoints table that applies to the targets defined in your action. When navigating to
Response
Action Center
+New Action
, in the
Target
step, the Endpoints table displays only endpoints that are eligible for the action you want to perform.
Management Features
Device Control Configuration Enhancements
You now have the ability to manually enter the Vendor ID and Product ID in hexadecimal when you add a Device Control profile.
MITRE ATT&CK Tagging for Alerts and BIOC Rules
To help you better manage and get more insights into the types of Alerts and BIOC rules, you can now view the associated MITRE ATT&CK Technique and MITRE ATT&CK Tactic fields.
Auto-Disable of BIOC Rules
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically disables any BIOC rules that reach 5000 or more hits over a 24 hour period.
BIOC rules that trigger 5000 or more alerts can indicate that the BIOC rule is too general and that you should refine the rule configuration.
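Added example, not Cortex XDR code: a per-rule hit counter over a rolling 24-hour window that disables a rule once it reaches the 5000-hit threshold described above, so you can see how a noisy rule trips the guard while a steadily firing one does not. The sliding-window interpretation of "over a 24 hour period", the class and rule names, and the constructed traffic are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

HIT_LIMIT = 5000              # threshold stated in the release notes
WINDOW = timedelta(hours=24)


class RuleHitMonitor:
    """Tracks per-rule hits in a sliding window and disables a rule once it
    reaches the limit.  Timestamps must arrive in non-decreasing order; the
    pruning below relies on that.  Assumed design, not the product's."""

    def __init__(self, limit: int = HIT_LIMIT, window: timedelta = WINDOW) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.disabled: Dict[str, datetime] = {}

    def record(self, rule_id: str, ts: datetime) -> bool:
        """Register a hit; return True while the rule is still enabled."""
        if rule_id in self.disabled:
            return False
        hits = self._hits[rule_id]
        hits.append(ts)
        cutoff = ts - self.window
        while hits and hits[0] < cutoff:       # drop hits that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            self.disabled[rule_id] = ts
            return False
        return True

    def hits_in_window(self, rule_id: str) -> int:
        return len(self._hits[rule_id])


def simulate() -> dict:
    """Constructed traffic: one rule fires every 10 s (5000 hits in under
    14 h), one fires 4000 times a day for three days and never crosses."""
    mon = RuleHitMonitor()
    t0 = datetime(2020, 3, 1)
    noisy_disabled_after: Optional[float] = None
    for i in range(6000):
        ts = t0 + timedelta(seconds=10 * i)
        if not mon.record("bioc-noisy", ts) and noisy_disabled_after is None:
            noisy_disabled_after = (ts - t0).total_seconds()
    for i in range(3 * 4000):
        mon.record("bioc-steady", t0 + timedelta(seconds=21.6 * i))
    return {
        "noisy_disabled": "bioc-noisy" in mon.disabled,
        "noisy_disabled_after_s": noisy_disabled_after,
        "noisy_hits": mon.hits_in_window("bioc-noisy"),
        "steady_disabled": "bioc-steady" in mon.disabled,
        "steady_hits": mon.hits_in_window("bioc-steady"),
    }


if __name__ == "__main__":
    print(simulate())
```

The noisy rule is disabled on its 5000th hit, 49,990 seconds after it started firing, and no further hits are counted against it; the steady rule peaks around 4000 hits in any 24-hour window and stays enabled. If you reproduce this guard in your own pipeline, feed it events in time order and treat a disable as a signal to tighten the rule rather than simply re-enable it.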
Global Improvements
Enhanced Network Visibility
To provide a more complete and comprehensive summary of processes and activity surrounding a security event, Cortex XDR now stitches together firewall network logs and raw endpoint data. Cortex XDR uses the stitched data to visually depict the source and destination of security processes and connections made over the network.
With enhanced network visibility, you can:
  • Run investigation queries based on stitched network and endpoint logs.
  • Create granular BIOC rules over raw network data and logs from Palo Alto Networks Next-Generation Firewalls.
  • Investigate network alerts in the new Network Causality View.
Granular Role-Based Access Control
To help you better manage user access permissions in Cortex XDR, RBAC configurations now separate what type of views and actions are permitted for each role.
Roles are defined in the hub and allow you to:
  • Assign predefined Cortex XDR Roles
  • Create and save new roles based on the granular permissions
  • Edit role permissions (available for user-created roles)
  • Directly assign permissions to users without saving a role
In-App Configuration of Alert and Log Forwarding
To help you stay up-to-date and informed with alerts and logs that matter to you most, Cortex XDR now expands alert notifications to include management audit logs, agent audit logs, and dashboard reports. In addition to forwarding alerts to email accounts, you can now forward alerts to Syslog servers and Slack channels.
Managed Security Improvements
Cortex XDR managed security allows Managed Security Services Providers (MSSPs) to easily manage security on behalf of their clients. You can now:
  • Push profiles, BIOC rules, exclusions, and starred alerts
  • View alerts and incidents of child tenants
  • View causality cards and timelines of child tenants
  • Run investigation queries on child tenants
Cortex XDR License Notifications
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification when you log in of any changes made to your license and of any actions required from you.
Broker VM Enhancements
To ease the deployment of Broker VM, the broker VM images are now available directly from the Cortex XDR console. The registration and configuration are managed through web consoles:
  • Broker web console—A web interface allowing you to configure and register the VM to the Cortex server without accessing the VM directly.
  • Cortex XDR management console—Manage your broker VM through the Cortex XDR console, such as track connectivity, edit configurations, and enable real-time monitoring.
Content Roll-out Control
To allow you better control of the security content in your environment, Cortex XDR now allows you to:
  • Halt security content updates
  • Delay security content updates for a defined number of days
The settings can be assigned to specific targets using the policy rules.
Public APIs
API Response Enhancements
When running the following APIs, the
true
response has been replaced with an
action_id
field:
{"reply": {"action_id": X}}
  • Retrieve File
  • Quarantine Files
  • Scan Endpoints
  • Isolate Endpoints
  • Unisolate Endpoints
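Added example, not Palo Alto Networks code: a reply handler for the action APIs listed above that accepts both the legacy boolean reply and the new action_id reply, so automation written against either shape keeps working and gets the ID it needs to track the action. The error-reply shape and the function names are assumptions for illustration.

```python
import json
from typing import Any, Optional, Union


class XdrApiError(Exception):
    """Raised when a reply is not a recognised success shape."""


def parse_action_reply(raw: Union[str, bytes, dict]) -> Optional[int]:
    """Return the action_id from an action-API reply.

    New shape (this release):  {"reply": {"action_id": 42}}  -> 42
    Legacy shape:              {"reply": true}               -> None
    Anything else (false, an error object, a missing key) raises.
    """
    body: Any = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    if not isinstance(body, dict) or "reply" not in body:
        raise XdrApiError(f"unexpected reply body: {body!r}")
    reply = body["reply"]
    if reply is True:
        return None                      # legacy success: no ID to track
    if isinstance(reply, dict) and "action_id" in reply:
        return int(reply["action_id"])
    # Assumed error shape for illustration: {"reply": {"err_code": ..., "err_msg": ...}}
    if isinstance(reply, dict) and "err_msg" in reply:
        raise XdrApiError(f"{reply.get('err_code')}: {reply['err_msg']}")
    raise XdrApiError(f"action was not accepted: {reply!r}")


def succeeded(raw: Union[str, bytes, dict]) -> bool:
    """Success check that survives the format change.  A bare
    `reply == True` comparison would now report every success as a failure,
    while a bare truthiness test would accept an error object."""
    try:
        parse_action_reply(raw)
        return True
    except (XdrApiError, ValueError):    # ValueError covers malformed JSON
        return False


if __name__ == "__main__":
    print(parse_action_reply('{"reply": {"action_id": 42}}'))   # 42
    print(parse_action_reply('{"reply": true}'))                 # None
```

Store the returned action_id with the request you issued; it is the handle you use to follow the isolation, scan, or retrieval through the Action Center.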
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
  • Get Audit Agent Report
  • Get Audit Management Report

Features Introduced in February

The following table describes the features released in February 2020 (release 2.1).
Feature
Description
Incident Management
Incident Description Improvements
You can now edit the description for an incident and revert back to the Cortex XDR default description from the
Incidents
View Incidents
page. You can also search the Incidents table by the Incident description.
Incident Sources
You can now easily view and filter all the sources related to the alerts that make up a specific incident from the
Investigation
Incidents
Incident Sources
.
Automatic Incident Resolve
To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Incidents resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in the
Investigation
Incidents
Status
column.
Agent Management
Static Endpoint Group Creation from File
You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count
You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the
Endpoints
Policy Management
Profiles
page, you can view the number of policy rules (
Usage Count
) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements
To better manage endpoint isolation, you can now:
  • Isolate and cancel isolation on more than one endpoint at a time.
  • View the date and time of when an endpoint was isolated in
    Endpoints
    Endpoint Management
    Isolation Date
    column.
  • Easily track the status of an endpoint isolation from the
    Action Center
    and from the
    Endpoints
    Endpoint Management
    page where the Endpoint Isolated column displays either
    Pending Isolation
    or
    Pending Isolation Cancelation
    .
Broker VMs Applet Activation
You can now activate the syslog collector and Windows event collector applets from
Settings
Broker VM
.
Alert Data Auto Upload
To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from
Endpoints
Policy Management
Profiles
Forensics
.
Management Features
New Cortex XDR Report and Dashboard Widgets
Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:
  • Data Usage Breakdown
  • Detection by Actions
  • Detection by Category
  • Detection by Source
  • Incidents by Status
  • Response Action Breakdown
In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.
Email Notifications for Alerts
To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the
Settings
Alert Notifications
page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization
You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from the
Investigation
Incidents
View Incident
page.
PDF Report Password Encryption
You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Global Improvements
Cortex XDR Access
To enable access to the Palo Alto Networks GCS buckets in GCP, you must now allow new URLs on your firewall.
Export Results to File
You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.
You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Broker VM Enhancements
The following enhancements have been made with broker VM 6.0.16:
  • You can now use a Prometheus endpoint to monitor the broker VM.
  • Supports network proxy settings in the Agent Proxy applet.
  • The Syslog collector applet now supports TCP protocol and port to log type mapping.
  • Stability improvements.
Cortex XDR Analytics Enhancements
To provide the analytics engine with an additional dimension of data, you can now configure Cortex XDR to ingest data from a Windows Event Collector. To set up Windows event collection, you must have a Cortex XDR Pro per TB license.
Public APIs
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
  • Scan Endpoints
  • Cancel Endpoint Scan
  • Delete Endpoints
  • Get Endpoints
  • Get Policy
  • Get Device Violations
  • Quarantine File
  • Get Quarantine Status
  • Restore File
  • Retrieve Files
  • Whitelist Files
  • Blacklist Files
Enhancements for Existing Public APIs
The following improvements have been made to existing APIs:
  • Get Incidents—Supports filters
    description
    ,
    incident_sources
    . Response returns
    hosts
    ,
    usernames
    ,
    incident_sources
    .
  • Get Extra Incident Data—Response returns
    hosts
    ,
    usernames
    ,
    incident_sources
    .
  • Get All Endpoints—Supports filters
    hostname
    ,
    username
    .
  • Isolate and Unisolate Endpoints—Supports bulk endpoint isolate/unisolate.
