Features Introduced in 2020

The following topics describe the Cortex XDR features introduced in 2020 by month.

Features Introduced in June

The following table describes the features released in June 2020 (release 2.4.1).
Endpoint Prevention and Management
Application inventory for Mac endpoints
Requires a Cortex XDR Pro per Endpoint License, Cortex XDR agent 7.1 or later
The Cortex XDR Application Inventory now includes also the applications installed on your Mac endpoints. Cortex XDR compiles an application inventory of all the applications installed in your network by collecting from each Cortex XDR agent the list of installed applications. Any new application installed on the endpoint will appear in Cortex XDR with 24 hours. Alternatively, you can re-scan the endpoint to retrieve the most updated list.
Application inventory is now supported for Windows, Mac, and Linux endpoints. However, because Cortex XDR performs Vulnerability Assessment for Linux endpoints only, no CVE information is available for Windows or Mac applications in the Application Inventory, and Windows and Mac applications are marked as
Unsupported Platform
UK Region Support
You can now deploy Cortex XDR in the UK region. When you choose the UK region during the activation and setup of the Cortex Data Lake, you keep all Cortex XDR logs and data within the UK boundary. However, Cortex XDR will continue to send files that require analysis by WildFire to the WildFire cloud for EU. If your compliance and privacy laws prohibit the sending of files outside the UK region, you can disable uploading of files to WildFire in your Malware Security Profiles.

Features Introduced in May

The following table describes the features released in May 2020 (release 2.4).
Investigation and Response
Threat Intelligence Management Integration
The IOC Rules table has been expanded to include information commonly found on IOCs retrieved from threat intelligence sources. These are:
  • Indicator's reputation.
  • Indicator's reliability.
  • A list of vendors that provided the indicator.
  • The indicator's class (for example,
In addition, when you manually add a single indicator, you can now set its reputation and reliability.
Finally, the
column in the IOC Rules table has been enhanced so that it can now indicate whether the IOC was inserted into Cortex XDR using a REST API.
Causality View Enhancements for Remote Procedure Call (RPC) Events
Requires a Cortex XDR Pro per Endpoint License
To expand your investigation capabilities, Cortex XDR now displays when an RPC protocol or code injection event were executed on another process from either a local or remote host.
To access more information about the injection events, in the Causality View and view the events executed on behalf of either an IP address or process, select:
IP Address and Hash Views
Requires a Cortex XDR Pro per Endpoint License
To streamline the investigation process and reduce the number of steps it takes to investigate and threat hunt artifacts, Cortex XDR now provides dedicated views for:
To help you collect and research information relating to artifacts, the IP View and Hash View automatically aggregate and display a summary of all the information Cortex XDR and threat intelligence reports have on the artifact. From the artifact view, you can also easily navigate to the corresponding incident, query, and filtered view of the Action Center to further inspect and initiate specific actions on the artifact. You can access the views from:
  • Quick Launcher
  • Right-click pivot menu
  • Keyboard shortcut
    (Windows) or
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage information relating to:
  • XDR agent alerts
    • Endpoint Platform, MAC Address, and Domain
    • MD5 of the initiator process and CGO
    • SHA256 of target Microsoft Office/ DLL files and Macro
  • Firewall alerts
    • NGFW Serial Number and virtual System Name
    • App-ID Category, Subcategory and Technology Names
    • Email Subject, Sender, and Recipient information
Cortex XDR Alert Management
To allow for greater coverage of your incoming alerts, Cortex XDR now supports 2 million alerts per 4000 agents or per 20 TB.
Cortex XDR allocates the saved alerts as follows:
  • Half for informational type alerts
  • Half for severity type alerts
Incident Visibility in Blacklists and Whitelists
If during investigation of an incident, you whitelist or blacklist a file, Cortex XDR can now assign the incident ID to the file in the relevant list in the Action Center. This enables you and other administrators to easily identify the related incident when you return to the Action Center to investigate a whitelisted or blacklisted file. If the incident associated with the file is no longer relevant, you can easily change or clear the incident ID number.
IOC and BIOC Alert Investigation Enhancements
To improve the investigation workflow, you can now pivot from an IOC or BIOC rule to a filtered list of alerts triggered by the rule. From an IOC or BIOC rule, you can also pivot to a query of alerts triggered by the rule.
Alert to Incident Investigation Enhancements
To aid in alert investigation, Cortex XDR now displays the related incident ID in Alerts tables (excluding the Incident alert table). You can also easily pivot to the relevant incident and can filter the results by Incident ID.
Quick Launcher
You can now use the Quick Launcher as an in-context shortcut to quickly perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app.
Use the Quick Launcher to:
  • Search events for host, IP address, domain, and hash
  • Blacklist and whitelist processes by hash
  • Add domains or IP addresses to the EDL blocklist
  • Create a new IOC for an IP address, domain, hash, filename, or filepath
  • Isolate an endpoint
  • Open a terminal to a given endpoint
  • Initiate a malware scan on an endpoint
You can bring up the Quick Launcher using the
shortcut on Windows,
shortcut on macOS, or by clicking the Quick Launch icon ( quick-launcher-icon.png ) in the top navigation menu.
By highlighting a field value—such as an IP address or filename—from any page in the Cortex XDR management console, you can pre-populate a query in the Quick Launcher.
Native Search
Requires a Cortex XDR Pro license
Cortex XDR introduces the new text-based Native Search. You can now build simple and complex text-based queries to search across all available logs and data in Cortex XDR. When you build a query, you enter one or more fields based on the log’s metadata hierarchy, the operator, and the field value. As you enter fields, the query provides autocompletion based on the known log fields. You can also use Regex in your queries. To build complex queries, add complex statements in parentheses using supported operators and string multiple statements together using either
. Text-based queries also support wildcards with the exception of IP addresses and IP address ranges.
Examples of text-based queries include:
  • logtype = file AND subtype IN ("file create", "file delete") and hostname contains SF
  • network connections AND palo alto networks.app id = facebook
  • okta.sso AND ip != 10.0.*
Query Management Enhancement
You can now easily edit a query in the Query Center. This can be useful if you do not want to create a new query and instead want to modify the original. The option to
Edit a query
is available from the pivot menu for a query (
Query Center
Endpoint Prevention and Management
Alert Data Retrieval Enhancements
To improve the user experience and reduce unnecessary bandwidth consumption due to duplicate alert data retrieval actions—either by an automatic-upload or administrator-initiated action—Cortex XDR now verifies whether retrieval is already in progress. Now, when you try to retrieve data and an upload is already in progress, Cortex XDR displays a notification to alert you of the retrieval status. If the file is already available, Cortex XDR provides a download link for you to download it immediately.
Vulnerability Assessment and Application Inventory
Requires a Cortex XDR Pro per Endpoint License, Cortex XDR agent 7.1 or later
You can now identify and quantify the security vulnerabilities on an endpoint directly from the Cortex XDR management console. Relying on the information from Cortex XDR, you can easily mitigate and patch these vulnerabilities on all endpoints in your organization. To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics.
From Cortex XDR, you can view the vulnerabilities in your network by CVE or by endpoint. Additionally, Cortex XDR provides you with a list of all applications installed in your network, and indicates the CVEs only where they exist, providing you with a full application inventory of your network.
In this release, the application inventory is available for both Linux and Windows endpoints, and the vulnerability analysis by CVE or endpoint are available for Linux endpoints only.
During the first few days of this feature roll-out and until Cortex XDR collects the application data from all endpoints in your network, you will see only partial information in
Vulnerability Assessment
and a system notification that indicates the data is still being collected. When Cortex XDR completes the data collection, it will stop displaying the system notification.
Interactive Script Execution
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
To run multiple scripts on a set scope of target endpoints, track the execution progress and view the results in real-time, you can now initiate scripts in
Interactive Mode
. For each script, Cortex XDR displays the execution progress status on all connected endpoints in the target scope, the script general information, and the execution results. You can launch
Interactive Mode
at the end of a new
Execute Script
action, or from the
Action Center
for already existing script executions. When you are working in
Interactive Mode
, you can select additional scripts and execute them directly, or add your code snippets using the built-in text editor.
Enhancements to Script Upload
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
When you upload a new script to the
Scripts Library
, you can now review and edit the script code during the upload process in the Cortex XDR text editor.
Visibility into Disabled Agent Capabilities
Cortex XDR agent 7.1 or later
Cortex XDR now provides visibility into which response actions are disabled on the endpoint. You can view a list of the
Disabled Capabilities
per endpoint in
Endpoint Administration
: initiating a Live Terminal remote session on the endpoint, executing Python scripts on the endpoint, and retrieving files from the endpoint to Cortex XDR.
Alert and Log Ingestion and Forwarding
Okta and Azure Authentication Data Ingestion
Requires a Cortex XDR Pro per TB License
Cortex XDR can now ingest authentication logs from Okta and Azure AD into authentication stories. An authentication story unites logs and data regardless of the information source (from an on-premise KDC or from a cloud-based authentication service) into a uniform schema. To search authentication stories, you can use the Query Builder or new text-based Native Search.
To receive authentication logs from Okta and Azure AD, you configure the SaaS Log Collection settings in Cortex XDR.
Legacy Log Forwarding Format Support
If you previously used the Log Forwarding App to forward logs to an external syslog receiver or email, you can now use the legacy formats in Cortex XDR. To enable legacy formats, you add a Log Forwarding notification configuration and choose the
Use Legacy Log Format
option. For information on legacy formats, see Cortex XDR Log Formats.
Broker Service
Broker VM Remote Access Enhancements
To simplify and expand support of remote access to your broker VM, the broker now supports SSH with a public RSA Key Pair allowing you to easily generate your own key and grant access to your colleagues in addition to Cortex XDR support.
Broker VM Web Console Enhancements
To improve the registration process of your broker VM, you can now define the following configurations directly in the Broker VM web console:
  • NTP Servers
  • SSH Access
To align access to your Cortex XDR logs, in addition to the Cortex XDR console, you can now collect and download logs from the broker VM web console.
Broker VM XDR Console Enhancements
To help you better manage your registered broker VMs, you can now:
  • Configure an Internal Network Subnet for your broker VM
  • Rename your broker VM
  • View the broker VM disc usage
  • Receive notifications about new broker VM versions and lost connections
Windows Event Collector Set Up Enhancements
Requires Cortex XDR Pro per TB License
To simplify the process of setting up the Windows Event Collector, you can now generate, activate, and download the required WEC certificates used to establish a connection with your Domain Controller during the setup process directly from the Cortex XDR console.
To help you maintain your current WEC DC configurations, you can now migrate your existing WEC certificate from the Cortex XDR management console.
New Managed Threat Hunting Service
Cortex XDR now offers the new Managed Threat Hunting service as an add-on security service. To augment your security team, Managed Threat Hunting provides 24/7, year-round monitoring by Palo Alto Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively safeguard your organization and provide threat reports for critical security incidents and impact reports for emerging threats that provide an analysis of exposure in your organization. In addition, the Managed Threat Hunting team can identify incidents and provide in-depth review of related threat reports.
To use Cortex XDR Managed Threat Hunting, you must purchase a Managed Threat Hunting license and have a Cortex XDR Pro for Endpoint license with a minimum of 500 endpoints.
Cross-Tenant Queries for MSSPs
To enable managed security service providers (MSSPs) that use Cortex XDR to threat hunt and perform investigations quickly, you can now use the Query Builder to query across multiple child tenants. Cortex XDR provides the tenant query selector at the top of the Query Builder with the option to select one or more child tenants.
Public APIs
New APIs for Ingesting Threat Intelligence Feeds
Two new APIs are now available that can add one or more IOCs to Cortex XDR:
These APIs are intended for use with IOCs retrieved from threat intelligence sources. However, they can be used to insert an IOC obtained from any source so long as the request presents IOCs in a valid format.
Existing API Enhancements
To help you gain better visibility and control over which endpoints can be scanned, you can now filter Get Endpoints, Scan Endpoints, and Cancel Scan Endpoints APIs according to the scan status.
  • Field Name
    • scan_status
  • Valid Values
    • none
    • in_progress
    • canceled
    • aborted
    • success
    • error
To allow you to better filter hash files and process that have been whitelisted or blacklisted, you can now send the
field when running the following APIs:
Script APIs Enhancements
To help you better understand the Get Script Metadata API response, Cortex XDR has aligned the following response fields with how they are displayed in the Cortex XDR management console.
  • has changed to
    and returns the type of script output. For example,
  • script_output
    has changed to
    and returns an array for each output with its

Features Introduced in April

The following table describes the features released in April 2020 (release 2.3).
Incident Management
OS Actor Visibility and Investigation
Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator.
When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.
Causality View Enhancements for Devices
When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number.
Endpoint Prevention and Management
Script Execution
Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
Full Visibility into the Cortex XDR Agent Operational Status
Cortex XDR agent 7.1 or later
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
  • Protected
    —Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected
    —Indicates that the Cortex XDR agent reported Cortex XDR one or more exceptions.
  • Unprotected
    —Indicates that the Cortex XDR agent reported Cortex XDR exceptions about the Malware protection module, and Behavioral threat protection or Exploit modules.
You can monitor the operational status of your endpoints from the
Endpoint Administration
table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
Disk Encryption Using BitLocker
Windows only and with Cortex XDR agent 7.1 or later
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to your enforce the BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
Windows only and with Cortex XDR agent 7.1 or later
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
  • The current network location of the device (inside or outside the network).
  • The direction of the communication on the device (inbound or outbound).
  • IP address or IP address ranges.
  • Ports or port ranges.
  • The communication protocol (ICMP, TCP, UCP, and ICMPv6).
  • Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Automatic Agent Upgrades
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile..
Dormant Malware Scanning
Mac only and with Cortex XDR agent 7.1 or later
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files.
Agent Installation through Package Manager
Linux only and with Cortex XDR agent 7.1 or later
You can now create Cortex XDR agent installation packages in
formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package.
New Distribution Support
Linux only and with Cortex XDR agent 7.1 or later
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.
MAC Address Reporting
Cortex XDR agent 7.1 or later
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Endpoints Navigation Changes
For improved navigation of endpoint features, the Cortex XDR management console now organizes the
menus as follows:
  • Endpoint Management
    —Includes endpoint administration, endpoint group management, and agent installation package management.
  • Policy Management
    —Now separated into two sections:
    for managing your endpoint profiles, rules, and exceptions; and
    for managing your Device Control profiles, rules, and exceptions.
  • Device Control Violations
    —Quickly view behavior flagged by Cortex XDR agents as matching a Device Control policy rule.
Endpoint Group Name Portability
When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group.
Restricting Response Actions on the Endpoint
If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Global Improvements
Broker VM Extended Application Support
To ease the deployment of broker VM when using Azure and Hyper-V 2012 and later, you can now download a VDH image from the Cortex XDR management console when configuring your broker VM.
Cortex XDR Deployment Access Enhancements
To simplify access to Cortex XDR, all new and existing customers need to update the following firewall URL:
The new URL is replacing:
  • https://<xdr-tenant>-distributions.storage.googleapis.com
  • https://<xdr-tenant>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://migration-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
Public APIs
New Public APIs for Script Executions
To further expand the Cortex XDR public API capabilities, you can now:
  • View all scripts available in the scripts library
  • Run scripts on endpoints
  • Retrieve script results from the server
  • Retrieve and manage your Cortex XDR incidents, endpoints, agents, and installation packages
New APIs include:
Existing API Enhancements
To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
  • Request field
    is no longer mandatory for the following APIs:
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Request either
    results for:
    • Scan Endpoints
    • Cancel Scan Endpoints
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Simplified request fields for:
    • Isolate Endpoints
    • Unisolate Endpoints
    • Delete Endpoints
    • Quarantine Files
    • Retrieve File

Features Introduced in March

The following table describes the features released in March 2020 (release 2.2).
Incident Management
Injection Events
You can now easily view more information about injector and injected processes directly from the Causality View and Query Center Resultstable without the need to navigate between tabs.
  • From the
    Causality View
    Events table
    , right-click a
    Process Injection
    row and
    the injector/ injected process in a separate causality view.
  • In
    Query Center
    table of a
    Process Injection
    action type, right-click the row and select
    to view the causality view of either the Injector process or the Injected process.
Rule Visibility for BIOC and IOC Alerts
You can now easily view the BIOC or IOC rules that generated alerts directly from the
table without the need to open a new tab.
In the Causality View of the alert or incident, right-click an alert row in the Events table and select
View generating rule
Windows Event Log Enhancements
You can now run a query, investigate an event, and create BIOC rules for Windows Event Log data.
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage your alerts:
  • Firewall source zone, destination zone, and rule name
  • Operating system version
  • MITRE ATT&CK technique and MITRE ATT&CK tactic
  • Identifiers of the operating system entity that created the process that triggered the alert
Causality View Event Enhancements
To enable easier navigation taking action more quickly during investigation within the Cortex XDR management console, Behavioral Threat Protection has been enhanced so that you can quickly whitelist, blacklist, terminate, and quarantine a process.
Agent Management
Alert Action Enhancements
You can easily create a profile exception directly from the Alerts table without the need to open a new tab. If no Exception profile exists it will allow you to create a new exception.
Action Center Static Filters
To help you filter relevant endpoints when intiating a new action, Cortex XDR now provides a static filter on the endpoints table that applies to the targets defined in your action. When navigating to
Action Center
+New Action
, in the
step, the Endpoints table displays only endpoints that are eligible for the action you want to perform.
Management Features
Device Control Configuration Enhancements
You now have the ability to manually insert the Vendor and Product ID in hexadecimal code when you add a Device Control Profile.
MITRE ATT&CK Tagging for Alerts and BIOC Rules
To help you better manage and get more insights into the types of Alerts and BIOC rules, you can now view the associated MITRE ATT&CK Technique and MITRE ATT&CK Tactic fields.
Auto-Disable of BIOC Rules
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically disables any BIOC rules that reach 5000 or more hits over a 24 hour period.
BIOC rules that trigger 5000 or more alerts can indicate that the BIOC rule is too general and that you should refine the rule configuration.
Global Improvements
Enhanced Network Visibility
To provide a more complete and comprehensive summary of processes and activity surrounding a security event, Cortex XDR now stitches together firewall network logs and raw endpoint data. Cortex XDR uses the stitched data to visually depict the source and destination of security processes and connections made over the network.
With enhanced network visibility, you can:
  • Run investigation queries based on stitched network and endpoint logs.
  • Create granular BIOC rules over raw network data and logs from Palo Alto Networks Next-Generation Firewalls.
  • Investigate network alerts in the new Network Causality View.
Granular Role-Based Access Control
To help you better manage user access permissions in Cortex XDR, RBAC configurations now separate what type of views and actions are permitted for each role.
Roles are defined in the hub and allow you to:
  • Assign predefined Cortex XDR Roles
  • Create and save new roles based on the granular permission
  • Edit role permissions (available for user-created roles)
  • Directly assign permissions to users without saving a role
In-App Configuration of Alert and Log Forwarding
To help you stay up-to-date and informed with alerts and logs that matter to you most, Cortex XDR now expands alert notifications to include management audit logs, agent audit logs, and dashboard reports. In addition to forwarding alerts to email accounts, you can now forward alerts to Syslog servers and Slack channels.
Managed Security Improvements
Cortex XDR managed securityallows Managed Security Services Providers (MSSP) to easily manage security on behalf of their clients. You can now:
  • Push profiles, BIOC rules, exclusions, and starred alerts
  • View alerts and incidents of child tenants
  • View causality cards and timelines of child tenants
  • Run investigation queries on child tenants
Cortex XDR License Notifications
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification of changes made to your license when you log in. If any actions are required from you.
Broker VM Enhancements
To ease the deployment of Broker VM, the broker VM images are now available directly from the Cortex XDR console. The registration and configuration are managed through web consoles:
  • Broker web console—A web interface allowing you to configure and register the VM to the Cortex server without accessing the VM directly.
  • Cortex XDR management console—Manage your broker VM through the Cortex XDR console, such as track connectivity, edit configurations, and enable real-time monitoring.
Content Roll-out Control
To allow you better control of the security content in your environment, Cortex XDR now allows you to:
  • Halt security content updates
  • Delay security content updates for a defined number of days
The settings can be assigned to specific targets using the policy rules.
Public APIs
API Response Enhancements
When running the following APIs, the
response has been replaced with an
field -
{"reply": {"action_id": X}
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:

Features Introduced in February

The following table describes the features released in February 2020 (release 2.1).
Incident Management
Incident Description Improvements
You can now edit the description for an incident and revert back to the Cortex XDR default description from the
View Incidents
page. You can also search the Incidents table by the Incident description.
Incident Sources
You can now easily view and filter all the sources related to the alerts that make up a specific incident from the
Incident Sources
Automatic Incident Resolve
To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Instances resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in the
Agent Management
Static Endpoint Group Creation from File
You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count
You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the
Policy Management
page, you can view the number of policy rules (
Usage Count
) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements
To better manage endpoint isolation, you can now:
  • Isolate and cancel isolation on more than one endpoint at a time.
  • View the date and time of when an endpoint was isolated in
    Endpoint Management
    Isolation Date
  • Easily track the status of an endpoint isolation from the
    Action Center
    and from the
    Endpoint Management
    page where the Endpoint Isolated column displays either
    Pending Isolation
    Pending Isolation Cancelation
Broker VMs Applet Activation
You can now activate the syslog collector and Windows event collector applets from
Broker VM
Alert Data Auto Upload
To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from
Policy Management
Management Features
New Cortex XDR Report and Dashboard Widgets
Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:
  • Data Usage Breakdown
  • Detection by Actions
  • Detection by Category
  • Detection by Source
  • Incidents by Status
  • Response Action Breakdown
In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.
Email Notifications for Alerts
To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the
Alert Notifications
page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization
You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from and
View Incident
PDF Report Password Encryption
You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Global Improvements
Cortex XDR Access
To enable access to Palo Alto Networks GCS buckets in GCP, you now have to enable new URLs in your firewall.
Export Results to File
You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.
You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Broker VM Enhancements
The following enhancements have been made with broker VM 6.0.16:
  • You can now use a Prometheus endpoint to monitor the broker VM.
  • Supports network proxy settings in the Agent Proxy applet.
  • The Syslog collector applet now supports TCP protocol and port to log type mapping.
  • Stability improvements.
Cortex XDR Analytics Enhancements
To provide the analytics engine with an additional dimension of data, you can now configure Cortex XDR to ingest data from a Windows Event Collector. To set up Windows event collection, you must have a Cortex XDR Pro per TB license.
Public APIs
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
  • Scan Endpoints
  • Cancel Endpoint Scan
  • Delete Endpoints
  • Get Endpoints
  • Get Policy
  • Get Device Violations
  • Quarantine File
  • Get Quarantine Status
  • Restore File
  • Retrieve Files
  • Whitelist Files
  • Blacklist Files
Enhancements for Existing Public APIs
The following improvements have been made to existing APIs:
  • Get Incidents—Supports filters
    . Response returns
  • Get Extra Incident Data—Response returns
  • Get All Endpoints—Supports filters
  • Isolate and Unisolate Endpoints—Supports bulk endpoint isolate/unisolate.

Recommended For You