Features Introduced in 2020

The following topics describe the Cortex XDR features introduced in 2020 by month.

Features Introduced in February

The following table describes the features released in February 2020 (release 2.1)
Incident Management
Incident Description Improvements
You can now edit the description for an incident and revert back to the Cortex XDR default description from the
View Incidents
page. You can also search the Incidents table by the Incident description.
Incident Sources
You can now easily view and filter all the sources related to the alerts that make up a specific incident from the
Incident Sources
Automatic Incident Resolve
To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Instances resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in the
Agent Management
Static Endpoint Group Creation from File
You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count
You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the
Policy Management
page, you can view the number of policy rules (
Usage Count
) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements
To better manage endpoint isolation, you can now:
  • Isolate and cancel isolation on more than one endpoint at a time.
  • View the date and time of when an endpoint was isolated in
    Endpoint Management
    Isolation Date
  • Easily track the status of an endpoint isolation from the
    Action Center
    and from the
    Endpoint Management
    page where the Endpoint Isolated column displays either
    Pending Isolation
    Pending Isolation Cancelation
Broker VMs Applet Activation
You can now activate the syslog collector and Windows event collector applets from
Broker VM
Alert Data Auto Upload
To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from
Policy Management
Management Features
New Cortex XDR Report and Dashboard Widgets
Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:
  • Data Usage Breakdown
  • Detection by Actions
  • Detection by Category
  • Detection by Source
  • Incidents by Status
  • Response Action Breakdown
In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.
Email Notifications for Alerts
To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the
Alert Notifications
page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization
You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from and
View Incident
PDF Report Password Encryption
You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Global Improvements
Cortex XDR Access
To enable access to Palo Alto Networks GCS buckets in GCP, you now have to enable new URLs in your firewall.
Export Results to File
You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.
You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Broker VM Enhancements
The following enhancements have been made with broker VM 6.0.16:
  • You can now use a Prometheus endpoint to monitor the broker VM.
  • Supports network proxy settings in the Agent Proxy applet.
  • The Syslog collector applet now supports TCP protocol and port to log type mapping.
  • Stability improvements.
Cortex XDR Analytics Enhancements
To provide the analytics engine with an additional dimension of data, you can now configure Cortex XDR to ingest data from a Windows Event Collector. To set up Windows event collection, you must have a Cortex XDR Pro per TB license.
Public APIs
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
  • Scan Endpoints
  • Cancel Endpoint Scan
  • Delete Endpoints
  • Get Endpoints
  • Get Policy
  • Get Device Violations
  • Quarantine File
  • Get Quarantine Status
  • Restore File
  • Retrieve Files
  • Whitelist Files
  • Blacklist Files
Enhancements for Existing Public APIs
The following improvements have been made to existing APIs:
  • Get Incidents—Supports filters
    . Response returns
  • Get Extra Incident Data—Response returns
  • Get All Endpoints—Supports filters
  • Isolate and Unisolate Endpoints—Supports bulk endpoint isolate/unisolate.

Recommended For You