Features Introduced in 2020

The following topics describe the Cortex XDR features introduced in 2020 by month.

Features Introduced in April

The following table describes the features released in April 2020 (release 2.3).
Incident Management
OS Actor Visibility and Investigation
Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator.
When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.
Causality View Enhancements for Devices
When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number.
Endpoint Prevention and Management
Script Execution
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
Full Visibility into the Cortex XDR Agent Operational Status
Cortex XDR agent 7.1 or later
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
  • Protected
    —Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected
    —Indicates that the Cortex XDR agent reported Cortex XDR one or more exceptions.
  • Unprotected
    —Indicates that the Cortex XDR agent reported Cortex XDR exceptions about the Malware protection module, and Behavioral threat protection or Exploit modules.
You can monitor the operational status of your endpoints from the
Endpoint Administration
table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
Disk Encryption Using BitLocker
Windows only and with Cortex XDR agent 7.1 or later
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to your enforce the BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
Windows only and with Cortex XDR agent 7.1 or later
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
  • The current network location of the device (inside or outside the network).
  • The direction of the communication on the device (inbound or outbound).
  • IP address or IP address ranges.
  • Ports or port ranges.
  • The communication protocol (ICMP, TCP, UCP, and ICMPv6).
  • Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Automatic Agent Upgrades
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile..
Dormant Malware Scanning
Mac only and with Cortex XDR agent 7.1 or later
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files.
Agent Installation through Package Manager
Linux only and with Cortex XDR agent 7.1 or later
You can now create Cortex XDR agent installation packages in
formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package.
New Distribution Support
Linux only and with Cortex XDR agent 7.1 or later
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.
MAC Address Reporting
Cortex XDR agent 7.1 or later
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Endpoints Navigation Changes
For improved navigation of endpoint features, the Cortex XDR management console now organizes the
menus as follows:
  • Endpoint Management
    —Includes endpoint administration, endpoint group management, and agent installation package management.
  • Policy Management
    —Now separated into two sections:
    for managing your endpoint profiles, rules, and exceptions; and
    for managing your Device Control profiles, rules, and exceptions.
  • Device Control Violations
    —Quickly view behavior flagged by Cortex XDR agents as matching a Device Control policy rule.
Endpoint Group Name Portability
When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group.
Restricting Response Actions on the Endpoint
If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Global Improvements
Broker VM Extended Application Support
To ease the deployment of broker VM when using Azure and Hyper-V 2012 and later, you can now download a VDH image from the Cortex XDR management console when configuring your broker VM.
Cortex XDR Deployment Access Enhancements
To simplify access to Cortex XDR, all new and existing customers need to update the following firewall URL:
The new URL is replacing:
  • https://<xdr-tenant>-distributions.storage.googleapis.com
  • https://<xdr-tenant>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
Public APIs
New Public APIs for Script Executions
To further expand the Cortex XDR public API capabilities, you can now:
  • View all scripts available in the scripts library
  • Run scripts on endpoints
  • Retrieve script results from the server
  • Retrieve and manage your Cortex XDR incidents, endpoints, agents, and installation packages
New APIs include:
Existing API Enhancements
To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
  • Request field
    is no longer mandatory for the following APIs:
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Request either
    results for:
    • Scan Endpoints
    • Cancel Scan Endpoints
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Simplified request fields for:
    • Isolate Endpoints
    • Unisolate Endpoints
    • Delete Endpoints
    • Quarantine Files
    • Retrieve File

Features Introduced in March

The following table describes the features released in March 2020 (release 2.2).
Incident Management
Injection Events
You can now easily view more information about injector and injected processes directly from the Causality View and Query Center Resultstable without the need to navigate between tabs.
  • From the
    Causality View
    Events table
    , right-click a
    Process Injection
    row and
    the injector/ injected process in a separate causality view.
  • In
    Query Center
    table of a
    Process Injection
    action type, right-click the row and select
    to view the causality view of either the Injector process or the Injected process.
Rule Visibility for BIOC and IOC Alerts
You can now easily view the BIOC or IOC rules that generated alerts directly from the
table without the need to open a new tab.
In the Causality View of the alert or incident, right-click an alert row in the Events table and select
View generating rule
Windows Event Log Enhancements
You can now run a query, investigate an event, and create BIOC rules for Windows Event Log data.
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage your alerts:
  • Firewall source zone, destination zone, and rule name
  • Operating system version
  • MITRE ATT&CK technique and MITRE ATT&CK tactic
  • Identifiers of the operating system entity that created the process that triggered the alert
Causality View Event Enhancements
To enable easier navigation taking action more quickly during investigation within the Cortex XDR management console, Behavioral Threat Protection has been enhanced so that you can quickly whitelist, blacklist, terminate, and quarantine a process.
Agent Management
Alert Action Enhancements
You can easily create a profile exception directly from the Alerts table without the need to open a new tab. If no Exception profile exists it will allow you to create a new exception.
Action Center Static Filters
To help you filter relevant endpoints when intiating a new action, Cortex XDR now provides a static filter on the endpoints table that applies to the targets defined in your action. When navigating to
Action Center
+New Action
, in the
step, the Endpoints table displays only endpoints that are eligible for the action you want to perform.
Management Features
Device Control Configuration Enhancements
You now have the ability to manually insert the Vendor and Product ID in hexadecimal code when you add a Device Control Profile.
MITRE ATT&CK Tagging for Alerts and BIOC Rules
To help you better manage and get more insights into the types of Alerts and BIOC rules, you can now view the associated MITRE ATT&CK Technique and MITRE ATT&CK Tactic fields.
Auto-Disable of BIOC Rules
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically disables any BIOC rules that reach 5000 or more hits over a 24 hour period.
BIOC rules that trigger 5000 or more alerts can indicate that the BIOC rule is too general and that you should refine the rule configuration.
Global Improvements
Enhanced Network Visibility
To provide a more complete and comprehensive summary of processes and activity surrounding a security event, Cortex XDR now stitches together firewall network logs and raw endpoint data. Cortex XDR uses the stitched data to visually depict the source and destination of security processes and connections made over the network.
With enhanced network visibility, you can:
  • Run investigation queries based on stitched network and endpoint logs.
  • Create granular BIOC rules over raw network data and logs from Palo Alto Networks Next-Generation Firewalls.
  • Investigate network alerts in the new Network Causality View.
Granular Role-Based Access Control
To help you better manage user access permissions in Cortex XDR, RBAC configurations now separate what type of views and actions are permitted for each role.
Roles are defined in the hub and allow you to:
  • Assign predefined Cortex XDR Roles
  • Create and save new roles based on the granular permission
  • Edit role permissions (available for user-created roles)
  • Directly assign permissions to users without saving a role
In-App Configuration of Alert and Log Forwarding
To help you stay up-to-date and informed with alerts and logs that matter to you most, Cortex XDR now expands alert notifications to include management audit logs, agent audit logs, and dashboard reports. In addition to forwarding alerts to email accounts, you can now forward alerts to Syslog servers and Slack channels.
Managed Security Improvements
Cortex XDR managed securityallows Managed Security Services Providers (MSSP) to easily manage security on behalf of their clients. You can now:
  • Push profiles, BIOC rules, exclusions, and starred alerts
  • View alerts and incidents of child tenants
  • View causality cards and timelines of child tenants
  • Run investigation queries on child tenants
Cortex XDR License Notifications
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification of changes made to your license when you log in. If any actions are required from you.
Broker VM Enhancements
To ease the deployment of Broker VM, the broker VM images are now available directly from the Cortex XDR console. The registration and configuration are managed through web consoles:
  • Broker web console—A web interface allowing you to configure and register the VM to the Cortex server without accessing the VM directly.
  • Cortex XDR management console—Manage your broker VM through the Cortex XDR console, such as track connectivity, edit configurations, and enable real-time monitoring.
Content Roll-out Control
To allow you better control of the security content in your environment, Cortex XDR now allows you to:
  • Halt security content updates
  • Delay security content updates for a defined number of days
The settings can be assigned to specific targets using the policy rules.
Public APIs
API Response Enhancements
When running the following APIs, the
response has been replaced with an
field -
{"reply": {"action_id": X}
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:

Features Introduced in February

The following table describes the features released in February 2020 (release 2.1).
Incident Management
Incident Description Improvements
You can now edit the description for an incident and revert back to the Cortex XDR default description from the
View Incidents
page. You can also search the Incidents table by the Incident description.
Incident Sources
You can now easily view and filter all the sources related to the alerts that make up a specific incident from the
Incident Sources
Automatic Incident Resolve
To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Instances resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in the
Agent Management
Static Endpoint Group Creation from File
You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count
You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the
Policy Management
page, you can view the number of policy rules (
Usage Count
) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements
To better manage endpoint isolation, you can now:
  • Isolate and cancel isolation on more than one endpoint at a time.
  • View the date and time of when an endpoint was isolated in
    Endpoint Management
    Isolation Date
  • Easily track the status of an endpoint isolation from the
    Action Center
    and from the
    Endpoint Management
    page where the Endpoint Isolated column displays either
    Pending Isolation
    Pending Isolation Cancelation
Broker VMs Applet Activation
You can now activate the syslog collector and Windows event collector applets from
Broker VM
Alert Data Auto Upload
To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from
Policy Management
Management Features
New Cortex XDR Report and Dashboard Widgets
Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:
  • Data Usage Breakdown
  • Detection by Actions
  • Detection by Category
  • Detection by Source
  • Incidents by Status
  • Response Action Breakdown
In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.
Email Notifications for Alerts
To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the
Alert Notifications
page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization
You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from and
View Incident
PDF Report Password Encryption
You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Global Improvements
Cortex XDR Access
To enable access to Palo Alto Networks GCS buckets in GCP, you now have to enable new URLs in your firewall.
Export Results to File
You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.
You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Broker VM Enhancements
The following enhancements have been made with broker VM 6.0.16:
  • You can now use a Prometheus endpoint to monitor the broker VM.
  • Supports network proxy settings in the Agent Proxy applet.
  • The Syslog collector applet now supports TCP protocol and port to log type mapping.
  • Stability improvements.
Cortex XDR Analytics Enhancements
To provide the analytics engine with an additional dimension of data, you can now configure Cortex XDR to ingest data from a Windows Event Collector. To set up Windows event collection, you must have a Cortex XDR Pro per TB license.
Public APIs
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
  • Scan Endpoints
  • Cancel Endpoint Scan
  • Delete Endpoints
  • Get Endpoints
  • Get Policy
  • Get Device Violations
  • Quarantine File
  • Get Quarantine Status
  • Restore File
  • Retrieve Files
  • Whitelist Files
  • Blacklist Files
Enhancements for Existing Public APIs
The following improvements have been made to existing APIs:
  • Get Incidents—Supports filters
    . Response returns
  • Get Extra Incident Data—Response returns
  • Get All Endpoints—Supports filters
  • Isolate and Unisolate Endpoints—Supports bulk endpoint isolate/unisolate.

Recommended For You