Features Introduced in 2020
The following topics describe the Cortex XDR features introduced in 2020 by month.
Features Introduced in April
The following table describes the features released in April 2020 (release 2.3).
OS Actor Visibility and Investigation
Cortex XDR now provides complete visibility into OS actors (processes that create a process on behalf of a different initiator). When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.
Causality View Enhancements for Devices
When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number.
Endpoint Prevention and Management
(Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later)
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
Full Visibility into the Cortex XDR Agent Operational Status
(Cortex XDR agent 7.1 or later)
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
You can monitor the operational status of your endpoints from the Endpoint Administration table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
Disk Encryption Using BitLocker
(Windows only and with Cortex XDR agent 7.1 or later)
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to enforce BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
(Windows only and with Cortex XDR agent 7.1 or later)
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Automatic Agent Upgrades
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile.
Dormant Malware Scanning
(Mac only and with Cortex XDR agent 7.1 or later)
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine Mach-O files on system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types are excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files.
Agent Installation through Package Manager
(Linux only and with Cortex XDR agent 7.1 or later)
You can now create Cortex XDR agent installation packages in .deb format, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new package format, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package.
New Distribution Support
(Linux only and with Cortex XDR agent 7.1 or later)
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.
MAC Address Reporting
(Cortex XDR agent 7.1 or later)
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Endpoints Navigation Changes
For improved navigation of endpoint features, the Cortex XDR management console now organizes the Endpoints menus as follows:
Endpoint Group Name Portability
When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group.
Restricting Response Actions on the Endpoint
If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.
Broker VM Extended Application Support
To ease the deployment of the broker VM when using Azure and Hyper-V 2012 and later, you can now download a VHD image from the Cortex XDR management console when configuring your broker VM.
Cortex XDR Deployment Access Enhancements
To simplify access to Cortex XDR, all new and existing customers need to update the following firewall URL:
The new URL is replacing:
New Public APIs for Script Executions
To further expand the Cortex XDR public API capabilities, you can now:
New APIs include:
Existing API Enhancements
To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
Features Introduced in March
The following table describes the features released in March 2020 (release 2.2).
Rule Visibility for BIOC and IOC Alerts
You can now easily view the BIOC or IOC rules that generated alerts directly from the Alerts table without the need to open a new tab.
In the Causality View of the alert or incident, right-click an alert row in the Events table and select View generating rule.
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage your alerts:
Causality View Event Enhancements
To enable easier navigation and faster action during investigation within the Cortex XDR management console, Behavioral Threat Protection has been enhanced so that you can quickly whitelist, blacklist, terminate, and quarantine a process.
Alert Action Enhancements
Action Center Static Filters
To help you filter relevant endpoints when initiating a new action, Cortex XDR now provides a static filter on the endpoints table that applies to the targets defined in your action. In the Target step, the Endpoints table displays only endpoints that are eligible for the action you want to perform.
Device Control Configuration Enhancements
You now have the ability to manually insert the Vendor and Product ID in hexadecimal code when you add a Device Control Profile.
Auto-Disable of BIOC Rules
To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically disables any BIOC rules that reach 5000 or more hits over a 24-hour period.
BIOC rules that trigger 5000 or more alerts can indicate that the BIOC rule is too general and that you should refine the rule configuration.
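As an added illustration of the threshold described above (this is not Cortex XDR code, and the sliding-window reading of the 24-hour period is an assumption, since the release notes state only the threshold and the period), the following Python function takes a list of alert timestamps per rule and reports which rules would meet the auto-disable condition, so you can spot overly general rules before the platform disables them:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold stated in the release notes: 5000 or more hits in a 24-hour period.
AUTO_DISABLE_HITS = 5000
WINDOW = timedelta(hours=24)


def rules_to_auto_disable(alerts, threshold=AUTO_DISABLE_HITS, window=WINDOW):
    """Return the set of rule IDs that reach `threshold` hits inside any span
    shorter than `window`. `alerts` is an iterable of (datetime, rule_id).
    Sliding window is an assumption about how the 24-hour period is measured."""
    per_rule = defaultdict(list)
    for ts, rule_id in alerts:
        per_rule[rule_id].append(ts)

    flagged = set()
    for rule_id, stamps in per_rule.items():
        stamps.sort()
        recent = deque()  # hits within `window` of the newest hit seen so far
        for ts in stamps:
            recent.append(ts)
            # Evict hits that fall outside the window ending at `ts`.
            while ts - recent[0] >= window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(rule_id)
                break
    return flagged


def sample_alerts():
    """Constructed sample data: 'noisy-rule' fires every 4 seconds (5000 hits in
    about 5.6 hours); 'slow-rule' spreads 5000 hits evenly over 72 hours, so no
    24-hour span holds more than about 1667 of them."""
    start = datetime(2020, 3, 1)
    alerts = [(start + timedelta(seconds=4 * i), "noisy-rule") for i in range(5000)]
    alerts += [(start + timedelta(seconds=i * 72 * 3600 / 5000), "slow-rule")
               for i in range(5000)]
    return alerts


if __name__ == "__main__":
    print(rules_to_auto_disable(sample_alerts()))
```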
Enhanced Network Visibility
To provide a more complete and comprehensive summary of processes and activity surrounding a security event, Cortex XDR now stitches together firewall network logs and raw endpoint data. Cortex XDR uses the stitched data to visually depict the source and destination of security processes and connections made over the network.
With enhanced network visibility, you can:
Granular Role-Based Access Control
To help you better manage user access permissions in Cortex XDR, RBAC configurations now separate what type of views and actions are permitted for each role.
Roles are defined in the hub and allow you to:
In-App Configuration of Alert and Log Forwarding
To help you stay up-to-date and informed with alerts and logs that matter to you most, Cortex XDR now expands alert notifications to include management audit logs, agent audit logs, and dashboard reports. In addition to forwarding alerts to email accounts, you can now forward alerts to Syslog servers and Slack channels.
Managed Security Improvements
Cortex XDR managed security allows Managed Security Services Providers (MSSP) to easily manage security on behalf of their clients. You can now:
Cortex XDR License Notifications
To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification of changes made to your license when you log in, and indicates whether any actions are required from you.
Broker VM Enhancements
To ease the deployment of Broker VM, the broker VM images are now available directly from the Cortex XDR console. The registration and configuration are managed through web consoles:
Content Roll-out Control
To allow you better control of the security content in your environment, Cortex XDR now allows you to:
The settings can be assigned to specific targets using the policy rules.
Features Introduced in February
The following table describes the features released in February 2020 (release 2.1).
Incident Description Improvements
You can now edit the description for an incident and revert back to the Cortex XDR default description from the page. You can also search the Incidents table by the incident description.
Automatic Incident Resolve
To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Incidents resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in the
Static Endpoint Group Creation from File
You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count
You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the page, you can view the number of policy rules (Usage Count) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements
To better manage endpoint isolation, you can now:
Broker VMs Applet Activation
Alert Data Auto Upload
To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from
New Cortex XDR Report and Dashboard Widgets
Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:
Email Notifications for Alerts
To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the page. For each alert notification configuration, you can customize the alert filters, the distribution list used to send the notification, and the frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization
PDF Report Password Encryption
You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Cortex XDR Access
Export Results to File
You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.
You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Broker VM Enhancements
The following enhancements have been made with broker VM 6.0.16:
Cortex XDR Analytics Enhancements
To provide the analytics engine with an additional dimension of data, you can now configure Cortex XDR to ingest data from a Windows Event Collector. To set up Windows event collection, you must have a Cortex XDR Pro per TB license.
New Public APIs for Endpoint and Agent Management
Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.
The following API capabilities have been added:
Enhancements for Existing Public APIs
The following improvements have been made to existing APIs: