Features Introduced in 2021
Learn more about Cortex XDR features introduced during
2021 by month and functional area.
The following topics describe the Cortex
XDR features introduced in 2021 by month.
Features Releasing in November
New features in the Cortex® XDR™ 3.1 release.
The following table describes new features
in the Cortex XDR 3.1 release.
Feature | Description |
---|---|
General | |
New Support for Role-Based Access Control Managing XQL Dataset Permissions | To help you better manage user access permissions in Cortex XDR, Cortex XDR now supports XQL dataset permission enforcement as part of managing roles or specific permissions using role-based access control (RBAC). When creating or editing roles in Configurations > Access Management > Roles, a Datasets section is displayed, where you can Enable or Disable the access permissions for the various datasets listed. By default, the Enable dataset access management feature is disabled, and users have access to all datasets. Once you enable this feature, you need to define, for each dataset type, the access permissions you want to grant to the role. |
Cortex XDR Table Format Enhancements | To streamline your investigation across all Cortex XDR tables, Cortex XDR now allows you to configure the order in which columns are displayed by allocating a column index number. |
New User-Specified Timestamp Formats | To allow for greater flexibility when investigating your data, Cortex XDR now includes additional timestamp formats. The selected format is applied throughout the Cortex XDR management console and TSV export files. The setting is configured per user and not per tenant. |
XDR for Cloud | |
Cloud Inventory Data Collection (Requires a Cortex XDR Pro per TB license) | Cortex XDR now provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform, Microsoft Azure, and Amazon Web Services. This capability provides deeper visibility into all the assets and superior context for incident investigation. To receive cloud assets, configure Configurations > Data Collection > Collection Integrations. As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets > Cloud Inventory. All Cloud Assets and Specific Cloud Assets display the data in a table format. When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections, such as Asset Metadata and Asset Editors. The Asset Editors section also provides a link to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days. |
Forensics | |
New Persistence Tables (Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows) | To expand your forensics investigation capabilities, Cortex XDR introduces new Persistence tables. |
Investigation and Response | |
New Support for Selecting Drill-down Query Time Frame Options in Correlation Rules (Requires a Cortex XDR Pro license) | To provide more flexibility when configuring the Drill-down Query Time Frame in Correlation Rules, Cortex XDR now provides the ability to choose a particular time frame from a list, as opposed to only having one option available. |
New Dataset Fields Available (Requires a Cortex XDR Pro license) | To expand your investigation capabilities, new fields (where applicable) are available for any dataset and can be queried in XQL Search. |
New Palo Alto Networks NGFW Firewall Log Datasets | To expand your investigation capabilities, new Palo Alto Networks NGFW Firewall log datasets are now available, which you can query in XQL Search. |
New Support for Adding Multiple Tags in XQL and Parsing Rules (XQL requires a Cortex XDR Pro license; Parsing Rules require a Cortex XDR Pro per TB license) | In addition to the single tag previously supported, Cortex XDR now supports adding multiple tags in XQL and in Parsing Rules. |
Additional Support for Creating BIOC Rules in XQL Search (Requires a Cortex XDR Pro license) | To expand your investigation and analytics capabilities, Cortex XDR now provides additional support for creating BIOC Rules when building a query in XQL Search using the complete Cortex XDR Query Language (XQL) syntax. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. |
New Support for Dataset and Field Names in Different Languages (Requires a Cortex XDR Pro license) | Cortex XDR Query Language (XQL) now supports using different languages for dataset and field names. |
New Support for Enums in XQL (Requires a Cortex XDR Pro license) | Cortex XDR Query Language (XQL) now supports using enums in XQL Search using the syntax ENUM.<prefix>, which displays the relevant enums for a specific field. Queries written with the syntax used before version 3.1 continue to work, and as of version 3.1 the ENUM.<prefix> syntax is supported as well. |
New Support for Adding Comments in XQL (Requires a Cortex XDR Pro license) | Cortex XDR Query Language (XQL) now supports adding comments in any section when building a query in XQL Search. Comments on a single line use the single-line comment syntax, and comments that extend over multiple lines use the multi-line comment syntax. |
Incident View Enhancements | To help you better investigate your incidents, the Incidents View now includes several enhancements. |
Username support in Quick Launcher | To improve the search and investigative functionality of the Quick Launcher, you can now search for usernames to easily launch the User View and investigate the user's incidents, login, and authentication events. |
Updated Cortex XDR Query Builder Results Limit (Requires a Cortex XDR Pro license) | When running a query using the Cortex XDR Query Builder, Cortex XDR now returns up to 10,000 results. When creating an XQL Query, Cortex XDR will still return up to 1M results. |
Agent Asset Scan Enhancement (Requires a Cortex XDR Pro license) | To expand your Cortex XDR agent scan capabilities, Cortex XDR now enables you to discover network assets by running an NMAP scan from the agents. When you configure your Cortex XDR agent to scan your endpoints, you can now select either NMAP or Ping. The scan is automatically distributed by Cortex XDR to all the agents configured in the profile and cannot be initiated on request. The scan results can be viewed in the Asset Management table. |
Excluding Endpoints from Auto-Upgrade | To expand your response capabilities, Cortex XDR now enables you to select one or more endpoints from the Endpoint Administration table and exclude or include the endpoints in the auto-upgrade process. |
Improved Endpoint Content Version Visibility | To help you better manage your endpoint content versions, Cortex XDR now displays new fields in the Endpoint Administration table. |
MITRE Tags for BIOC Rules Enhancements (Requires a Cortex XDR Pro license) | To aid in alert investigation, when creating and editing BIOC rules you can now associate MITRE ATT&CK tactics, techniques, or sub-techniques by using the newly designed MITRE ATT&CK table. The MITRE ATT&CK table maps out the correlations between the various tactics, techniques, and sub-techniques, allowing you to easily select which MITRE ATT&CK labels you want to include in the BIOC. In addition, as of Cortex XDR 3.0, there is no limit on the number of MITRE ATT&CK tactics, techniques, or sub-techniques you can associate with a BIOC rule. |
Informative BTP Rule Alert Names and Descriptions (Requires a Cortex XDR Pro license) | Behavioral threat protection (BTP) alerts now have unique and informative names and descriptions, to provide immediate clarity into the events without having to drill down into each alert. To start displaying the new BTP rule alert names and descriptions, you must enable this capability in your global agent settings. Once you update the settings, new alerts will include the changes while already existing alerts will remain unaffected. If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR or a 3rd-party SIEM, we advise you to update those to support the changes before activating the feature (for example, change the query to include the previous description, which is still available in the new description, instead of searching for an exact match). |
New Cortex XDR Dashboard Incident Management Widgets (Requires a Cortex XDR Pro license) | To help you better visualize and manage your Cortex XDR incident findings, Cortex XDR introduces new incident management widgets. |
Audit Logs | |
Management Logs for Cortex XDR Actions | To help you track whether a performed action has been completed successfully or not, Cortex XDR now creates a new Management Audit Log entry for the action. |
New Management Audit Logs for Rules Import | For increased visibility into rule exception changes in the Management Audit Log, Cortex XDR introduces new policy audit logs for the Add, Edit, Export, Import, and Delete Subtypes. The new rule exception audit logs cover the following changes: Add, Edit, Export, Import, and Delete. |
New Management Audit Logs for Auto Upgrade | For increased visibility into auto upgrade exclusion and inclusion, Cortex XDR now includes Success and Fail Management Audit Log messages. |
External Data Ingestion | |
Upgrade Filebeat Version to 7.14 for XDR Collectors (Requires a Cortex XDR Pro per TB license) | Cortex XDR now supports using Filebeat version 7.14 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines. |
New Support for Enriching Network Logs with Windows DHCP Data Collected with XDR Collectors (Requires a Cortex XDR Pro per TB license) | To align with the Windows DHCP data collection offerings available via Elasticsearch Filebeat, Cortex XDR now supports enriching network logs with Windows DHCP data using XDR Collectors. Previously, this enrichment was only available when configuring a Windows DHCP Collector for a cloud data collection integration. To support this change, when defining data collection in an XDR Collector profile using the Filebeat configuration file editor, it is now possible to configure whether the data collected undergoes follow-up processing in the backend by setting a tagging definition in the filebeat.yml file. As soon as Cortex XDR begins receiving logs through the XDR Collectors configuration, the app automatically creates a Windows DHCP XQL dataset (microsoft_dhcp_raw). Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset. |
Proofpoint Targeted Attack Protection (TAP) Log Ingestion (Requires a Cortex XDR Pro per TB license) | Cortex XDR can now ingest Proofpoint Targeted Attack Protection (TAP) logs. To receive logs, configure the Proofpoint Targeted Attack Protection data collector in Cortex XDR under Configurations > Data Collection > Collection Integrations. As soon as Cortex XDR begins receiving logs, the app automatically creates a Proofpoint TAP XQL dataset (proofpoint_tap_raw). This enables you to search the logs using XQL Search. |
New Support for Collecting All Okta Data Events (Requires a Cortex XDR Pro per TB license) | To help you collect all types of events from Okta, Cortex XDR has now enhanced the Okta data collector to enable collecting all events, as opposed to only being able to collect authentication data. When setting up the Okta data collector in Cortex XDR under Configurations > Data Collection > Collection Integrations, an Okta Filter is available to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as `filter=eventType eq "user.session.start"`. For Okta information to be weaved into authentication stories, user.authentication.sso events must be collected. |
Amazon S3 Enhancements to Support Additional Log Formats for Data Ingestion (Requires a Cortex XDR Pro per TB license) | To expand the current data ingestion capabilities for the Amazon S3 data collector, Cortex XDR now supports additional log formats for the Amazon S3 data collector with a Log Type set to Generic. |
Extended Support for Azure Sign-in Logs Ingestion with an Azure Event Hub Collector (Requires a Cortex XDR Pro per TB license) | To extend visibility into your Azure Event Hub audit logs, Cortex XDR can now ingest Azure sign-in logs when you configure an Azure Event Hub data collector to collect audit logs. This also depends on setting the applicable Diagnostic settings in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these authentication logs. Cortex XDR can stitch these Active Directory sign-in logs with other Cortex XDR authentication stories across all cloud providers using the same format. You can query these logs in XQL Search using the corresponding datasets. |
Data Management | |
Parsing Rules Supports Case Sensitivity using Configuration Stage Command (Requires a Cortex XDR Pro per TB license) | To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring case sensitivity in Parsing Rules using a configuration stage command in the INGEST section. |
Parsing Rules Enhancement to Support Error Reporting (Requires a Cortex XDR Pro per TB license) | To help you easily identify and resolve Parsing Rules errors, Cortex XDR now includes error reporting in Parsing Rules. |
Analytics | |
Improved Analytics BIOC Rules Visibility (Requires a Cortex XDR Pro license) | To expand your investigation capabilities for your Analytics BIOC rules, Cortex XDR now displays additional information in the Analytics BIOC Rules table. |
Endpoint Protection | |
Host Firewall macOS 11 Support and Enhancements (Requires a Cortex XDR agent 7.6 or a later release for macOS) | To streamline management of your Host Firewall rules and profiles, Cortex XDR now supports host firewall for macOS versions 11 and above and introduces enhancements to the Host Firewall and to the macOS Host Firewall Profile. |
Cortex XDR Agent Tampering Protection for macOS (Requires a Cortex XDR agent 7.6 or a later release for macOS) | You can now prevent unauthorized access to or tampering with the Cortex XDR agent components on macOS. With this configuration, manual upgrades and changes to any of the daemons, files, or processes will now require entering the agent uninstall password. |
Permanently Delete Quarantined Files (Requires a Cortex XDR agent 7.6 or a later release for Windows) | To help you better manage malicious files which have been quarantined and avoid any potential mistake of restoring unwanted files, you can now permanently delete quarantined files on the endpoint from the Quarantine Details page. |
Agent Uninstall Password Security Enhancements (Requires a Cortex XDR agent 7.6 or a later release for Windows) | For an added layer of security when configuring the agent uninstall password, Cortex XDR now displays a password strength indicator to ensure that unauthorized users are not able to uninstall the Cortex XDR agent. When defining the Uninstall Password in the Global Agent Configurations page and Agent Settings Profile, the selected password must now meet the Cortex XDR requirements enforced by the password strength indicator. |
Malware Exception Profile Update Capabilities (Requires a Cortex XDR agent 7.6 or a later release for Windows) | To expand your endpoint management capabilities during investigation, Cortex XDR now enables you to add a file path to the allow list of your endpoint Malware Security Profile directly from the right-click pivot menu. |
Broker VM Version 14.3.3 | |
New Support for Deploying a Broker VM Image on Alibaba Cloud | Cortex XDR now supports setting up an image of a Broker VM on Alibaba Cloud using a QCOW2 image type. |
New Support for Configuring Internal Network Subnet on the Broker VM | To avoid communication problems between the external and internal network subnet of the broker VM, it is now possible to configure the default internal network subnet to prevent any conflicts. This is available to configure when logging in to the broker VM (https://<broker_vm_ip_address>/) and configuring the broker VM settings. A new section called Internal Network has been added, where you can overwrite the default NETWORK SUBNET (172.17.0.1/16). |
New Support for Collecting Logs from a Linux Based Machine in the Files and Folder Collector (Requires a Cortex XDR Pro per TB license) | To expand the current Files and Folders Collector applet offerings in Cortex XDR, the Files and Folders Collector applet in the broker VM now supports monitoring and collecting logs from files and folders in a network share directory on a Linux based machine, in addition to the previously supported Windows based machines. |
New Support for Configuring a Custom Banner for SSH Sessions in the Broker VM | Cortex XDR now provides the option of customizing the login banner shown when logging into SSH sessions on the broker VM. This is available in Cortex XDR when configuring a particular broker VM in the Broker VM Configurations window: the section called SSH Access includes a new field called Welcome Message, where you can overwrite the default welcome message by entering a new one in the field. When the field is empty, the default message is used. |
New Support for Gracefully Shutting Down the Broker VM via the User Interface | To enable users to gracefully shut down the broker VM from the Cortex XDR user interface, a new right-click option under Broker Management called Shutdown VM is now available in Cortex XDR (Settings > Configurations > Broker VM). |
API | |
New Update Agent Name API | To expand your API capabilities, Cortex XDR now provides an API that allows you to set an alias for an endpoint: Set an Endpoint Alias. With this API you can set or modify the alias field for endpoints. |
Improved Endpoint Content Version Visibility | To help you better manage your endpoint content versions, Cortex XDR now displays new fields in the Get Endpoint API response. |
Second Timestamp Support | To expand your API investigation capabilities, when running the Get Alerts API, Cortex XDR now supports the creation_time field in seconds. |
Expanded Get Endpoint Response | To expand the data returned when running the Get Endpoint API, Cortex XDR now displays the os_version field in the response. |
Expanded Get Incidents Response | To expand the data returned when running the Get Incidents API, Cortex XDR now displays the resolved_timestamp field in the response. The field displays the date and time when the incident was set to a resolved status. |
Multitenants and MSSPs | |
Forensics Add-On Multitenant Management Support (Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows) | Cortex XDR now enables multitenant management of the Forensics investigative capabilities. Parent tenants can now deploy and access Forensics data of paired child tenants by defining in the Agent Settings Profile for Windows how to monitor and collect forensics data. Parent tenants with a Forensics add-on license can deploy a forensics scan on their child tenants to investigate incidents. To track whether your child tenant has a Forensics add-on license, Cortex XDR now displays a new Forensics License field in the Tenant Management table. The field displays whether the add-on is a Child Owned License or a Parent Owned License. |
Features Releasing in August
New features in the Cortex® XDR™ 3.0 release.
The following table describes new features in the Cortex
XDR 3.0 release.
Feature | Description |
---|---|
General | |
India Region Support | You can now deploy Cortex XDR in the
India region. When you choose the IN region during activation and
setup of Cortex Data Lake, you keep all Cortex XDR logs and data
within the India boundary. If you use Cortex XDR Prevent or
Cortex XDR Pro per Endpoint, when the Cortex XDR agent identifies
unknown files, Cortex XDR sends them to the WildFire Singapore Cloud
for analysis. Starting October 2021 Cortex XDR will integrate with
WildFire located in India to allow you to keep all Cortex XDR Agent
WildFire traffic within the Indian boundary. WildFire
India portal will not display information for past events that occurred
prior to the transition to the new India cloud location, however,
you will still have access to the WildFire Singapore portal to view
the history. In addition, all information regarding the calculated
verdicts, such as the WildFire verdict and WildFire report, will
be available in the Cortex XDR portal. |
Cortex XDR Enhanced License Details | For increased visibility into your Cortex XDR
license details, Cortex XDR now displays in the Cortex XDR License window a
list of all the license and add-on types allocated to your account.
To help you easily track your licenses, the list includes the start and
end dates of your current and future licenses. |
Host Insights Evaluation Period Extension ( Requires
a Host Insights add-on license ) | The free evaluation period of the Host Insights
add-on in Cortex XDR is now extended from 30 days to 60 days. You
can use this extended 60-day period for better evaluation of the
Host Insights add-on functionality. |
New Compute Units Add-On ( Requires
a Cortex XDR Pro license ) | To expand your investigation capabilities, Cortex
XDR now enables you to purchase compute units to carry out additional investigation
actions. As of Cortex XDR version 3.0, the compute units can be used
to run additional XQL Query APIs in addition to the free quota provided
by Cortex XDR. The Compute Units add-on provides you with
an additional 1 compute unit (formally query units) per day, in
addition to your free daily quota to run XQL Query APIs. Each XQL query
consumes compute units based on the timeframe, complexity, and the
number of API response results. Compute units are first deducted
from your free daily quota followed by the Compute Units add-on. To
help you track your compute units, in the Cortex XDR app, you can
view the following information:
|
Allowed Domains for Distribution List | For an added layer of security when sending
reports using email, Cortex XDR now allows you to specify one or more domain
names that can be used in your distribution lists. By defining a
domain, you can for example ensure information is not sent outside
your organization. |
Independent Configuration of Access Permissions
for Settings | To provide more granular control of permissions
for your administrators, Cortex XDR now enables you to configure
read-only and read-write permissions independently for all Settings.
To provide continuity for existing admin roles and privileges, Cortex
XDR assigns both by default but you now have the option to configure
the view and action settings independently for both your new and
your preexisting admin roles. You can now define granular
role-based access control for the following pages in the Cortex
XDR management console:
|
Directory Sync Services Renaming | To align with the new naming in the hub, Directory
Sync Services has been renamed to Cloud Identity Engine. |
XDR for Cloud | |
Cortex XDR Agent for Kubernetes Hosts ( Requires
a Cortex XDR agent 7.5 or a later release for Linux and Cortex XDR
Cloud per Host license ) | Starting with this release, you can deploy the
Cortex XDR agent on Kubernetes Clusters as a daemonSet on any Kubernetes
cluster. Being natively integrated in Kubernetes using the deamonSet,
the agent provides visibility into containers and ensures full coverage
of your critical production workloads. To deploy the agent,
you must have the new license type Cloud per Host and then create a
Cortex XDR agent YAML installation package in Cortex XDR which allows
you to configure attributes such as namespace default value and nodeselector.
Once the Kubernetes agent is running on the endpoint, Cortex XDR
displays the Kubernetes Cluster and includes in the causality card
a visual indication on processes that are running within containers,
including information about the container itself such as its name,
ID, image, etc. For more information, refer to Cortex XDR agent administrator guide. |
Extended Visibility to Your Cloud Network
Flow Logs ( Requires a Cortex XDR Pro per TB license ) | To extend visibility into your cloud network
traffic and to further enrich incident data, Cortex XDR can now
ingest cloud network traffic logs from:
For
more information on these collectors, see External Data Ingestion Vendor
Support. Cortex XDR normalizes the logs from the different
platforms into a single XDR schema and creates searchable datasets.
Additionally, Cortex XDR optimizes and reconstructs the flow logs into
single session communications which are later stitched into network
stories and alerts. To begin receiving logs you must first
set up the relevant Configurations Data Collection Collection Integrations |
Extended Visibility to Your Cloud Platform ( Requires
a Cortex XDR Pro per TB license ) | To extend visibility into your cloud platform,
Cortex XDR can now ingest cloud audit logs from
For more information
on these collectors, see External Data Ingestion Vendor
Support. Cortex XDR normalizes the audit logs from the
different cloud platforms into a single XDR schema to create raw
datasets, for each platform individually as well as into a single collective
searchable dataset. To begin receiving logs you must first
set up the relevant Configurations Data Collection Collection Integrations |
New Cloud Investigation Capabilities ( Requires
a Cortex XDR Pro per TB license ) | To streamline investigation of cloud-related
alerts, Cortex XDR developed a proprietary algorithm that highlights
the most relevant events and alerts associated with a cloud-related
alert. To help you identify and investigate cloud- specific
data associated with cloud-related alerts, Cortex XDR displays a
new Cloud Causality View and includes the following table fields:
|
Prisma Cloud Alert Ingestion Requires
a Cortex XDR Pro per TB license | To provide additional alert visibility and improved
analytics, Cortex XDR can now ingest Prisma Cloud alerts.
To receive alerts, configure Configurations Data Collection Collection Integrations Cortex XDR adds Prisma Cloud
alerts to the Cortex XDR Alerts table and groups them into Incidents.
Additionally, when Cortex XDR begins collecting data, the app creates
a new dataset ( prisma_cloud_raw ) that
you can use to initiate XQL Search queries and to create Correlation Rules. |
Prisma Cloud Compute Alert Ingestion Requires
a Cortex XDR Pro per TB license | To provide additional alert visibility and improved
analytics, Cortex XDR can now ingest Prisma Cloud Compute alerts.
To receive alerts, configure Configurations Data Collection Collection Integrations Cortex XDR adds Prisma Cloud
Compute alerts to the Cortex XDR Alerts table and groups them into
Incidents. Additionally, when Cortex XDR begins collecting data,
the app creates a new dataset ( prisma_cloud_compute_raw )
that you can use to initiate XQL Search queries and to create Correlation Rules. |
Forensics | |
New Comprehensive Forensics Add-On ( Requires
a Forensics add-on license and a Cortex XDR agent 7.4 or later for Windows ) | Cortex XDR now offers a new add-on that enables
you to perform comprehensive forensic investigations on your Windows
endpoints. With its deep data collection, the Forensics add-on
enables you to find the source and scope of an attack, and determine
what, if any, data was accessed. As an end-to-end solution, Cortex XDR
Forensics helps you with every step of an incident response, from
data collection, analysis, threat hunting, and remediation. Using
a host timeline, you can view user activity across multiple forensic
artifacts in a single table. For a more detailed view, right-click on
any row in the timeline for a complete listing of all fields for
that item. The historical artifacts collected by the Forensics add-on
can provide investigators with insight into Windows file access
and process execution, even for files and executables that have
been deleted from the host. The triage functionality in the
Forensics add-on collects detailed system information, including
a full file listing for all of the connected drives, full event
logs, and registry hives, so you can get a complete holistic picture
of an endpoint. You can perform a deep dive on a single endpoint
or search for artifacts across all your endpoints from the Forensics
workbench. For advanced detective work, you can use the XQL Search
feature to query across all data, including endpoint, network, cloud
and identity data. You can access the Forensics add-on
from the Add-Ons tab, under which the Host Insights add-on is also
available (if licensed). Also, the configuration options that were
previously labeled as Forensics are now labeled
as Alerts Data. |
Identity Analytics | |
Identity Analytics Module Activation Modification ( Requires
a Cortex XDR Pro license ) | To expand your investigation capabilities, as
of Cortex XDR 3.0 the Identity Analytics module
will be included with any Cortex XDR Pro licenses with no additional charge. Enablement of Identity Analyticshas
been removed from the Cortex XDR License dialog and relocated to Settings Configurations Cortex XDR Analytics |
User Score Management ( Requires
a Cortex XDR Pro license ) | To help you detect suspicious user activity and
compromised accounts within your network, Cortex XDR, calculates
a User Score based on Incident
Scoring Rules and Cortex XDR System Rules that allows you to easily
identify the most high-risk users in your organization. The
User Scores are displayed under Asset Management User Scores In addition, Cortex
XDR displays the top 5 users with the highest User Scores in a new dashboard widget. |
User View ( Requires a Cortex XDR
Pro license ) | To streamline your incident investigation process,
using Identity Analytics capabilities, Cortex XDR now provides a
dedicated User View providing easy
access when investigating a user in your organization. The
User View automatically aggregates and displays the user details,
user score trends, aggregated host logins, and associated incidents and
insights. You can access the User View from right-click pivot
menu of the:
|
Investigation and Response | |
New XQL Correlation Rules ( Requires
a Cortex XDR Pro license ) | To help you analyze correlations of multi-events
from multiple sources, Cortex XDR now contains a new XQL-based engine
for creating scheduled rules called Correlation Rules. Correlation Rules
are accessible in Cortex XDR from the new Rules Correlations Correlation Rules page.The following
are some of the main features of Correlation Rules.
There
may be future changes to the Correlation Rules offerings, which can
impact your licensing agreements. You will receive notification
ahead of time before any changes are implemented. |
New XQL Personal Query Library ( Requires
a Cortex XDR Pro license ) | Cortex XDR now provides as part of the XQL
Query Library a new personal query library for
saving and managing your own queries. When creating a query in XQL Search
or managing your queries from the Query Center, you can now save
this query to your personal library using Save As Query to Library. You
can also decide whether the query is shared with others (on the
same tenant) in their Query Library or keep it unshared and visible
only to you. The XQL Query Library contains a powerful search mechanism
that enables you to search in any field related to the query, such
as the query name, description, creator, query text, and labels.
In addition, adding a label to your query enables you to search
for these queries using these labels in the XQL Query Library. |
Dataset Management Enhancements ( Requires
a Cortex XDR Pro license ) | To help you better manage your datasets and
understand your data storage availability, Cortex XDR has now implemented
the following enhancements in the Dataset Management page.
- The ingestion details are now listed
in the Data Ingestion Dashboard. In an upcoming release,
the ingestion details will be integrated into the Dataset
Management page.
- Before the Cortex XDR ingestion
and storage enforcements are applied based on your licensing agreements,
you will be notified ahead of time explaining these changes and
the implementation timeline. |
New XQL Dataset for Cloud Identity Engine ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a dedicated dataset called pan_dss_raw for
you to query data related to the Cloud Identity Engine (previously
called Directory Sync Service (DSS)), which enables you to leverage
Active Directory user, group, and computer information in Cortex
XDR. To set up this Cloud Identity Engine dataset, you
need to Set Up Cloud Identity Engine.
Otherwise, you will not have a pan_dss_raw dataset. |
New USB Device Visibility in XQL ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
supports the ingestion of connect and disconnect events of USB devices
that are reported by the agent. You can use XQL Search to query
for this data and build widgets based on the xdr_data dataset, where
the following use cases are supported:
Examples of XQL queries that
query the USB device data.
|
XQL ASN Data Support ( Requires
a Cortex XDR Pro per TB license ) | The Cortex XDR Query Language (XQL) now
supports querying for Autonomous System Number (ASN) data in XQL
Search. As part of the xdr_data dataset, these
new fields are available: action_as_data and dst_action_as_data , which
include this data:
|
New GlobalProtect Access Authentication
Log Visibility in XQL ( Requires a Cortex XDR Pro per TB license ) | To increase your network visibility, the Palo
Alto Network (PANW) firewall can now send GlobalProtect access authentication
logs to Cortex XDR. As a result, the Cortex XDR Query Language (XQL)
can now support querying for this data using the xdr_data dataset
in XQL Search. To ensure GlobalProtect access authentication
logs are sent to Cortex XDR, verify that your PANW firewall’s Log
Settings for GlobalProtect have the Cortex
Data Lake checkbox selected. |
Custom XQL Widget Report Attachments | You can now attach the XQL queries you saved
as custom widgets to your report templates. When editing
or creating a report template,
you can now attach one or more of your XQL query custom widgets
to your report. The XQL query widget is added to the report as a
CSV file along with the customized PDF. Each XQL query widget
creates a separate CSV file that you can:
|
Redesigned Incident View and Investigation
Capabilities | To streamline your incident investigation process
and reduce the number of steps it takes to analyze an incident,
Cortex XDR has redesigned the Incident View to showcase
and navigate across all incident data in one dedicated page. The
enhanced Incidents page capabilities now allow you to investigate
and manage incidents without the need to pivot to other pages. The
Incident page is now divided into two main sections, Left Pane Incident
List and Details Pane.
The
new incident view is supported for incidents created after Cortex
XDR 3.0. Incidents created before Cortex XDR 3.0, are displayed
in the legacy view. To enable flexibility, you can choose
to display incidents created after Cortex XDR 3.0 using either
the Legacy or Advanced view. |
New Incident Resolved Statuses | The incident Resolved statuses have been updated
to allow for greater flexibility. As of Cortex XDR 3.0, the Resolved
status resolution reason Resolved - Threat Handled has
been deprecated and replaced with Resolved - True Positive .
Incidents with Resolved - Threat Handled status
will not be changed and are still available to search, but will
no longer be available as a status resolution reason. In
addition, Cortex XDR created a new resolution reason Resolved
- Security Testing . |
New Cortex XDR Dashboard for Security Operations
Center Manager | Cortex XDR introduces a new predefined dashboard
for Security Operations Center (SOC) Manager to help you better
visualize and manage the Cortex XDR incident findings. The Security
Admin Dashboard displays the following new widgets:
|
Centric View of Alert Information | When viewing listed alerts as you investigate
incidents, Cortex XDR now provides a centric view for a single alert,
each accessible from a dedicated panel that opens when you click
on the specific row of an alert. These dedicated panel views provide
you with various details about the alert, such as timestamp, name,
description, detected action, MITRE information, host information,
and rule information. |
Quick Actions in Tables Enhancements | To enhance the quick actions available in Cortex
XDR, Cortex XDR has now added the quick actions capability
to the following tables:
The
new icons are available in table rows upon a left-click of the row
and provide an alternative to the right-click pivot menus. |
Granular Exceptions for BTP Alerts | You now have the option to create more granular
Behavioral Threat Protection (BTP) exceptions for BTP alerts. These
new additional BTP exceptions include the following Causality Group
Owner (CGO) attributes:
All
previous BTP exception options are still available as usual. |
Enhanced Child Process Node Investigation | To help you investigate the children of
a process node in a Causality View, when right-clicking the Process
node to view the Children table, Cortex XDR now displays the Process
Start Time field indicating when each child process started. |
Asset Management Enhancement ( Requires
a Cortex XDR Pro license ) | To help you identify and retrieve information
of unmanaged assets in your network, you can now configure in your Windows
Agent Profile a Cortex XDR agent scan of your endpoints using Ping
that provides updated identifiers of your network assets, such as
IP addresses and OS platforms. The scan is automatically distributed
by Cortex XDR to all the agents configured in the profile and cannot
be initiated by request. The scan results can be viewed in
the Asset Management table. |
Enhanced Endpoint Administration Table Filter
Options | You can now filter the following Endpoint Administration
fields:
|
IP View IP Address Visibility | When investigating an IP address, in the IP
view, the default aggregation has been adjusted to display information
on whether the IP address is an internal or external IP address. For
external IP addresses, the default Connection Type displayed is
incoming, while for the internal IP addresses, the default Connection Type
is Outgoing. |
Audit Logs | |
Management Logs for Cortex XDR Gateway | To help you track Permission Management changes
in the Cortex XDR Gateway, users
with Account Admin role permissions can now access the Cortex
XDR Gateway Management Audit Logs page. In the Cortex XDR Gateway Management Audit Log
|
External Data Ingestion | |
New 3rd Party Parsing Rules ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR now includes a new editor for creating
3rd party Parsing Rules, which enables
you to:
Cortex XDR provides a number of default Parsing
Rules that you can easily modify as required. You can access these
Parsing Rules by selecting Configurations Data Management Parsing Rules. |
New XDR Collectors Configuration for On-premises
Data Collection ( Requires a Cortex XDR Pro per TB license ) | To extend the current data collection offerings,
Cortex XDR now provides a new XDR Collectors configuration that
is dedicated for on-premises data collection on Windows and Linux
machines. The collector includes a dedicated installer, content
updates, and policy management via the XDR console in Configurations XDR Collectors |
Amazon S3 Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest Amazon S3 logs. To receive logs,
configure Configurations Data Collection Collection Integrations. As soon as Cortex XDR begins
receiving logs, the app automatically creates an Amazon S3 XQL dataset ( aws_s3_raw ).
This enables you to search the logs using XQL Search. |
Workday Reports Data Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest Workday reports data.
To receive reports data, configure Configurations Data Collection Collection Integrations. As soon as Cortex XDR begins
receiving data, the app automatically creates a Workday XQL dataset ( workday_workday_raw )
and enables you to search the data using XQL Search. In addition,
Cortex XDR will add the workday fields next to each user in the Key
Assets list in the Incident View , and
in the User node in the Causality
View of Identity Analytics alerts. |
ServiceNow CMDB Data Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest ServiceNow CMDB data.
To receive data from the ServiceNow CMDB database, configure Configurations Data Collection Collection Integrations. As soon as Cortex XDR begins
receiving data, the app automatically creates the following ServiceNow
CMDB XQL datasets based on the selected table(s) using the format: servicenow_cmdb_<table name>_raw .
This enables you to search the data using XQL Search. |
Windows DHCP Example File Available in the
User Interface ( Requires a Cortex XDR Pro per TB license ) | To help you configure Windows DHCP log ingestion
using Elasticsearch Filebeat, Cortex XDR now provides in the Windows
DHCP user interface a downloadable filebeat.yml file. This
Elasticsearch Filebeat default configuration file must be populated
with values provided when you configure the Collection Integrations settings
in Cortex XDR for the Windows DHCP Collector. |
Analytics | |
Analytics Alert Causality View Enhancement ( Requires
a Cortex XDR Pro license ) | To streamline your investigation of multi-event analytics alerts, Cortex
XDR now displays a new Analytics Node identifying alerts that include
more than one event type. In the Events Table, Cortex XDR
lists all the events associated with the alert according to the
event type. |
Multi-Severity for Analytics BIOC Rules ( Requires
a Cortex XDR Pro license ) | To expand your investigation and analytics capabilities,
Cortex XDR now provides predefined Analytics BIOC Rules that raise
alerts with different severity levels. In the Analytics BIOC Rules table,
the Severity field now also displays a Multi-Severity flag. Hover
over the flag to see the severities defined for the rule. |
Endpoint Protection | |
Enhancements to the Cortex XDR Host Firewall ( Requires
a Cortex XDR agent 7.5 or a later release for Windows ) | Now the Cortex XDR host firewall offers improved
enforcement capabilities, better policy management, and greater
visibility and troubleshooting capabilities into your network:
For more details, refer
to the Cortex XDR administrator guide. Cortex
XDR 3.0 host firewall includes new features which are supported only
with Cortex XDR agents 7.5 and later, such as multiple IP addresses,
reporting mode, and more. For an older agent release, existing host firewall
rules remain unaffected. However, if you create a rule from Cortex
XDR 3.0, or edit an already existing rule that was created in an
old Cortex XDR release and add one of these unsupported parameters,
the agent could display unexpected behavior and the host firewall
policy will be disabled on the endpoint. |
Network Packet Inspection Engine ( Requires
a Cortex XDR agent 7.5 or a later release for Windows ) | To address the threats surfacing with the growing
remote workforce in your organization and the growing corporate
network boundaries, the new Network Packet Inspection Engine provides
coverage already at the network level. By analyzing the network
packet data, the Cortex XDR agent can detect malicious behavior, and
block or report it back to Cortex XDR. The new engine leverages
both Palo Alto Networks NGFW content rules, and new Cortex XDR content
rules created by the Research Team. To enable this capability,
edit your Malware Security Profile settings. |
Improved Security Content *Starting
with PTU 200 and later | To ensure your network is constantly protected
against the latest and newest threats in the wild, the Cortex XDR
research team will now start releasing more frequent content updates
in-between major content versions. When you enable minor content
updates, the Cortex XDR agent receives minor content updates, starting
with the next content releases. Otherwise, if you do not wish to
deploy minor content updates, your Cortex XDR agents will keep receiving
content updates for major releases which usually occur on a weekly basis. The
content version numbering format remains XXX-YYYY, where XXX indicates
the version and YYYY indicates the build number. To distinguish
between major and minor releases, XXX is rounded up to the nearest
ten for every major release, and incremented by one for a minor
release. For example, 180-<build_num> and 190-<build_num>
are major releases, and 181-<build_num>, 182-<build_num>,
and 191-<build_num> are minor releases. To enable this
capability, you need to update the Global Agent Settings for
your tenant. |
Separate Actions for Files Unknown to WildFire
and Files with Benign LC Score ( Requires a Cortex XDR
agent 7.5 or a later release for Windows ) | To better manage your anti-malware flow, you
can now configure separate actions for files that are unknown to
WildFire and files with Benign Low Confidence score. To adjust your settings,
refer to the Malware Security Profile settings. |
Quarantine Malicious ELF Files ( Requires
a Cortex XDR agent 7.5 or a later release for Linux ) | You can now configure your anti-malware flow
to automatically quarantine malicious ELF files. To enable this
capability, adjust your Malware Security Profile settings. |
Configurable Device Control Enforcement
Pop-Up Message ( Requires a Cortex XDR agent 7.5 or a later
release for Windows ) | You can now personalize the Cortex XDR notification
pop-up on the endpoint when the user attempts to connect a USB device
that is either blocked on the endpoint or allowed in read-only mode. To
enable this, refer to your Agent Settings Profile. |
Improved Logs Protection ( Requires
a Cortex XDR agent 7.5 or a later release for Linux ) | The Cortex XDR agent logs directory is now
accessible to privileged users only. |
Support for Azure-based Virtual Environments ( Requires
a Cortex XDR agent 7.5 or a later release for Windows ) | Support is now available for Cortex XDR agents
running on Microsoft Azure-based VMs and virtual desktops (WVD or
AVD). |
Extending Gatekeeper Protection to Bundles ( Requires
a Cortex XDR agent 7.5 or a later release for Mac ) | The Cortex XDR Gatekeeper Enhancement protection
module now provides coverage also for suspicious bundle executions. |
Audit Log for Unauthorized Agent Shutdown ( Requires
a Cortex XDR agent 7.5 or a later release for Mac ) | Now when a deliberate termination of the agent
is detected on the endpoint, an audit log is reported to Cortex
XDR. |
Simplified Network Bandwidth Allocation
for Security Content Updates | For optimized performance and reduced bandwidth
consumption, ensure you install new agents with the distribution
package available for Windows Cortex XDR agents 7.3 and later. Otherwise,
if you deploy the agent installer via SCCM, it is recommended to
configure the bandwidth you allocate in your organization for the
Palo Alto Networks content security updates. Cortex XDR now provides
two recommendations, based on the number of agents you want to update
(active or future agents), and according to the time frame during which
you want the update to complete (within a day or a week). You can
choose one of the recommended values or enter one of your own, between
20 and 10000 Mbps. To adjust your settings, update the Global Agent Settings for
your tenant. |
Gradual Rollout for Automatic Agent Upgrades | To better control the rollout of a new Cortex
XDR agent release in your organization, during the first week only
a single batch of agents is upgraded. After that, auto-upgrades continue
to be deployed across your network in parallel batches as configured. |
Broker VM Version
13.0.42 | |
New Support for Deploying a Broker VM Image
on a Nutanix Hypervisor | Cortex XDR now supports setting up an image
of a Broker VM on a Nutanix hypervisor (Nutanix
AHV 2021) using a QCOW2 image type. |
New FTP Collector in the Broker VM ( Requires
a Cortex XDR Pro per TB license ) | The broker VM now provides a new FTP Collector applet that enables
you to monitor and collect logs from files and folders via FTP,
FTPS, and SFTP directly to your log repository for query and visualization purposes. After
you activate the FTP Collector applet, you can collect files as
datasets ( <Vendor>_<Product>_raw ) by
defining the following:
|
New Files and Folder Collector in the Broker
VM ( Requires a Cortex XDR Pro per TB license ) | The broker VM now provides a new Files and Folders Collector applet
that enables you to monitor and collect logs from files and folders
in a network share for a Windows directory, directly to your log repository
for query and visualization purposes. After you activate the Files and
Folders Collector applet, you can collect files as datasets (<Vendor>_<Product>_raw )
by defining the following:
|
New Database Collector in the Broker VM ( Requires
a Cortex XDR Pro per TB license ) | The broker VM now provides a new Database Collector applet
that enables you to collect data from a client relational database
directly to your log repository for query and visualization purposes. After
you activate the Database Collector applet, you can collect data
as datasets ( <Vendor>_<Product>_raw )
by defining the following:
|
New NetFlow Collector in the Broker VM ( Requires
a Cortex XDR Pro per TB license ) | The broker VM now provides a new NetFlow Collector applet
that enables you to collect logs with flow records from Netflow
(Versions 5 and 9) and from IPFIX directly to your log repository
for query and visualization purposes. After you activate the
NetFlow Collector applet, you can collect data as XQL datasets ( <Vendor>_<Product>_raw )
by defining the following:
|
Enhanced WEC Certificates Renewal Mechanism ( Requires
a Cortex XDR Pro per TB license ) | The renewal process for the Windows
Event Collector (WEC) certificates is now streamlined to
keep you informed of your WEC certificate status and help you avoid
any disruption to your WEC data collection. The following improvements
are now implemented:
After
you receive a notification for renewing your WEC CA certificate,
we recommend that you do not add any new WEF clients until the WEC
certification renewal process is complete. Events from these WEF clients
that are added afterwards will not be collected by the server until
the WEC certificates are renewed. |
API | |
Get Violations API Enhancements | To expand Get Violations API, when
running device_control/get_violations/ :
|
Get Incident API Enhancement | |
New Incident Resolved Statuses | The Resolved status resolution reason Resolved
- Threat Handled will be deprecated in Cortex XDR version
3.1 and replaced with Resolved - True Positive . Until
Cortex XDR 3.1, when running the Update an Incident API,
if you enter Resolved - Threat Handled in
the status field, Cortex XDR will return
a message notifying of this change. In addition, you can
now enter a new status: Resolved - Security Testing . |
Incident ID Enhancement for Action APIs | To expand your investigation and action capabilities,
Cortex XDR now allows you to add an optional incident ID field
to the following APIs so you can track these actions in the Incident
View Timeline:
|
Managed Threat Hunting | |
Managed Threat Hunting Communication and
Tracking Enhancements | To streamline communication with the Managed
Threat Hunting team, Cortex XDR now allows you to track and investigate
the Managed Threat Hunting findings and communicate with the Managed
Threat Hunting team directly from the Cortex XDR app using a new
commenting tool. In the Managed Threat Hunting page,
you can add, edit, and track comments made by the Managed Threat Hunting
team and users who have Investigation Admin role permissions. |
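The content version numbering described under Improved Security Content above (XXX-YYYY, with XXX a multiple of ten for a major release and incremented by one for a minor release) is easy to check in an agent inventory export. The following is an added example, not part of the Cortex XDR product or these release notes; the agent inventory it operates on is a constructed sample, and the classification logic is derived only from the format rule stated on this page.

```python
import re
from collections import defaultdict

# Content versions follow the XXX-YYYY format described in the release notes:
# XXX is the content version and YYYY the build number. A major release has
# XXX rounded to a multiple of ten (180, 190, ...); a minor release increments
# XXX by one within that train (181, 182, ...).
VERSION_RE = re.compile(r"^(?P<ver>\d+)-(?P<build>\d+)$")


def parse_content_version(text):
    """Return (version, build) as integers for a 'XXX-YYYY' string.

    Raises ValueError for anything that does not match the documented format.
    """
    match = VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a content version string: {text!r}")
    return int(match.group("ver")), int(match.group("build"))


def classify_content_version(text):
    """Classify a content version as 'major' or 'minor' and name its major train.

    '190-<build>' -> ('major', 190); '191-<build>' and '192-<build>' -> ('minor', 190).
    """
    version, _build = parse_content_version(text)
    train = version - (version % 10)      # nearest lower multiple of ten
    kind = "major" if version == train else "minor"
    return kind, train


def summarize_agent_content(agent_versions):
    """Group hosts by major content train and flag which run minor content.

    agent_versions: mapping hostname -> content version string as reported
    by the agent (constructed for this example).
    Returns (summary, invalid) where summary maps train -> {'major': [...],
    'minor': [...]} and invalid lists hosts whose version string did not parse.
    """
    summary = defaultdict(lambda: {"major": [], "minor": []})
    invalid = []
    for host, text in sorted(agent_versions.items()):
        try:
            kind, train = classify_content_version(text)
        except ValueError:
            invalid.append(host)
            continue
        summary[train][kind].append(host)
    return dict(summary), invalid


def lagging_agents(agent_versions):
    """Return the newest parsable content version and the hosts not on it.

    Versions compare as (version, build) tuples, so a minor release (191)
    is correctly treated as newer than its major train (190).
    """
    parsed = {}
    for host, text in agent_versions.items():
        try:
            parsed[host] = parse_content_version(text)
        except ValueError:
            continue                      # unparsable entries are not ranked
    if not parsed:
        return None, []
    newest = max(parsed.values())
    newest_text = f"{newest[0]}-{newest[1]}"
    lagging = sorted(host for host, ver in parsed.items() if ver < newest)
    return newest_text, lagging


# Constructed sample inventory: hostnames and the content version each agent
# reported. These are illustrative values, not data from the release notes.
SAMPLE_AGENT_VERSIONS = {
    "ws-001": "191-10234",
    "ws-002": "190-10102",
    "srv-db-01": "182-9871",
    "srv-web-01": "180-9600",
    "lab-vm-7": "unknown",
}

if __name__ == "__main__":
    summary, invalid = summarize_agent_content(SAMPLE_AGENT_VERSIONS)
    for train in sorted(summary):
        print(f"train {train}: {summary[train]}")
    print("unparsable:", invalid)
    print("newest / lagging:", lagging_agents(SAMPLE_AGENT_VERSIONS))
```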
Features Releasing in May
New features in the Cortex® XDR™ 2.9 release.
The following table describes new features in the Cortex XDR
2.9 release.
Feature | Description |
---|---|
General | |
Cortex XDR Gateway for Onboarding and Granular RBAC | To streamline activation and management
of your Cortex XDR tenants, Cortex XDR now operates as a standalone
application known as the Cortex XDR Gateway. The
Cortex XDR Gateway is where you view and manage existing tenants
and tenants available for activation that are allocated to your
CSP account. The split from the hub enables you to easily:
To
activate and manage permissions, Cortex
XDR assigns the Account Admin role to existing CSP
Super User accounts. This role cannot be removed or changed
through the Cortex XDR Gateway. The Cortex Data Lake
quota management and the sizing calculator are still on the hub. |
In-App Granular Role-Based Access Control | To streamline management of your Cortex
XDR user and role-based access control (RBAC) permissions, Cortex
XDR now allows you to track user permissions, manage existing roles,
and create new roles in the Cortex XDR app without the need to log
in to the hub. Cortex XDR now displays the following information
in Configurations Access Management
|
Fine-Grained Role-Based Access Control Enhancements | To help you better manage your user access permissions,
the following changes have been made to the Cortex XDR Granular Role-Based
Access Control (RBAC) configurations in the Cortex XDR Gateway and
Cortex XDR management console.
To provide continuity
for existing roles and privileges, Cortex XDR assigns the updated
permissions by default but you now have the option to configure
the view and action access independently for both your new and your preexisting
roles. |
Streamlined Configurations Menu | To provide a more intuitive navigation, the Configurations menu
in Cortex XDR is now organized by the feature areas:
|
Cortex XDR Tenant Switcher | When using multitenancy within the scope
of a Cortex XDR tenant, you can now use the Tenant Navigator, which
enables you to switch directly to another owned tenant. The tenant
navigator includes the following selections:
When
you choose a tenant, Cortex XDR pivots your display directly to
the main page of the gateway or the main page of the tenant. |
Improved Quick Launcher Access | To enable easier access to the Quick Launcher, you can
now access it from the Cortex XDR top navigation bar as well as
from all other navigation menus in the app. |
Settings Navigation Change | To align the page title with navigation
paths in Cortex XDR, the Settings menu (accessible from the gear
icon) is now named Configurations. The Quick
Launcher also reflects the name change. |
Enhanced Session Security Settings | The Cortex XDR management console now provides enhanced
security settings for user sessions. These security
settings include the following categories:
For
more detailed information, see the Cortex XDR Administrator's Guide. |
Native Search Deprecation | The XQL Search and Query Builder are now
the main search options in Cortex XDR and provide more flexibility
and powerful querying capabilities. The Native Search option is
deprecated and, as a result:
|
Network Events Deprecation ( Starting
with the next Cortex XDR release ) | After Cortex XDR introduced network collection events
that are stitched across endpoints and the Palo Alto Networks next-generation
firewalls logs, there is no longer a need to support raw Network events.
Starting with the next Cortex XDR release, Network events
will be deprecated. In light of the upcoming change, Palo Alto Networks
encourages you to define BIOC rules and/or searches by using Network Connections in
the Query Builder. When searching in XQL, you should avoid using
the xdr_agent_network preset and use
the network_story preset instead. |
Audit Logs | |
One-Year Retention of Audit Log Entries | All entries that are accumulated in the
Cortex XDR audit logs are now available
for your retrospective review for an extended period of one year from
the date of their creation. |
New Management Audit Logs for Policy Changes | For increased visibility into policy configuration changes,
Cortex XDR introduces new policy audit logs for the Create, Edit,
Reorder, Update, and Delete Subtypes. The new policy audit logs
include:
|
Improved Management Audit Logs for Extensions Policies
and Profiles | For improved accuracy, Cortex XDR now logs Extensions
Policy and Profile actions under the Extensions Policy Rules or Extensions
Profile type.
This
change applies to future audit logs. Previously-created audit logs
retain their current descriptions. For more information on Cortex
XDR auditing, see Monitor Administrative Activity. |
Policy Change Visibility in Management Audit
Logs | You can now view the specifics of what has
changed in the configuration of your policies by viewing the management audit logs.
For each policy log, you can view the detailed changes instead of
the previously displayed message ( Policy rules were updated. ).
Hover with the pointer over the specific entry to view the info
in a tooltip. This enables you to know exactly what has changed
and, if necessary, roll back the change. |
Enhanced Management Logs Incident ID Value | To improve your investigation capabilities,
Cortex XDR now includes the Incident ID value in the Management Audit
logs when you perform an action on a single incident. The following
list displays examples of the updates by log subtype:
|
Updated Management Audit Logs for Threat
Handled Incident Status | To maintain consistency, Cortex XDR has
updated the following management audit log for change in status
of Threat Handled incidents:
|
Improved Management Audit Logs for Host
Insights Vulnerability Assessment Data Collection ( Requires
a Cortex XDR Pro per Endpoint license and Host-Insights add-on ) | When you rerun the host-insights data collection scan,
either from the Vulnerability Management endpoints
view or from the Asset View , Cortex XDR now uses
the same management audit log types as follows:
This
change applies to future audit logs. Previously-created audit logs
retain their current descriptions. For more information on Cortex
XDR auditing, see Monitor Administrative Activity. |
Enhanced Audit Log for Operations in Rules Exceptions | The Cortex XDR management console now enables you
to view audit logs for Create,
Edit, and Delete operations of Rules Exceptions. In addition, the existing
management audit logs for import and export of Rules Exceptions
are now logged under the Rules Exceptions type. |
Investigation and Response | |
XQL Multi-Language Data Support ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) can
now support data provided in multiple languages, such as in XQL
queries, lookups, widgets, and external data ingestion. |
New XQL Datasets with Dataset Permission Enforcement ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes the following new datasets called endpoints and host_inventory .
These datasets support dataset permission enforcements in the Cortex
XDR Query Language (XQL), Query Center, and XQL Widgets. To view
or access any of these datasets, you need role-based access control (RBAC) permissions
to the Endpoint Administration and Host Inventory views. |
New Standardized User Format for Events
and Alerts ( Requires a Cortex XDR Pro license ) | To streamline the way usernames appear in
network events and alerts, Cortex XDR now processes and displays usernames
in the following standardized format, also termed “normalized
user”: <company domain> \<username> . In
the Cortex XDR Query Language (XQL),
every user field included in the raw data, for network, authentication,
and login events, has an equivalent normalized user field associated
with it that displays the user information in the standardized format. For
example, the login_data field has the login_data_dst_normalized_user field
to display the content in the standardized format. We recommend
that you use these normalized_user fields when
building your queries to ensure the most accurate results. As
a result, any alert triggered based on network, authentication,
or login events, now displays the User Name in
the new standardized format in the Alerts and Incidents pages.
This change impacts every alert for Cortex XDR Analytics and Cortex XDR
Analytics BIOC, including BIOC and IOC alerts triggered on one of
these event types. |
New XQL IP Location Stage ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new stage command that enables you to associate the IPv4
address of any field to a list of predefined attributes related
to the geolocation. To support this, you can now add the iploc stage to your queries
using the format: iploc <field name> To
improve your query performance, we recommend that you filter the
data in your query before you run the iploc stage command.
In addition, limiting the number of fields in the results table
further improves the performance. |
New XQL Bin Stage ( Requires a
Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new stage command that enables you to group events by
quantity or time span. The most common use case is for time charts. To
support this feature, you can now add the bin stage command to your
queries using these formats depending on whether you are grouping
by quantity or time span:
|
New XQL Time Frame Configuration Function ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new configuration function that enables you to perform
searches within a specific time frame from the query execution.
To support this feature, you can now add the config stage command to
your queries with the timeframe function using
these formats:
|
New Support for Linux System Authentication Logs ( Requires
a Cortex XDR Pro license ) | EDR data collected for Linux now contains
Linux system authentication logs. These Linux system authentication
logs are now available using XQL queries and the Query Builder.
As a result, in the Query Builder, the Event Log now includes
both Windows and Linux event logs and the corresponding event_type in XQL
has been renamed from WINDOWS_EVENT_LOG to EVENT_LOG . |
New Visualizations for Widgets Based on
XQL Search Queries ( Requires a Cortex XDR Pro license ) | To help you better view and visualize data based on
XQL search queries, Cortex XDR expanded the type of available widgets
so that you can now display the search results using:
|
Incident
Thresholds for Alert Grouping | To keep incidents fresh and relevant, Cortex
XDR now provides the following two new thresholds after which an
incident stops adding alerts:
After the incident
reaches either threshold, it stops accepting alerts and Cortex XDR
groups subsequent related alerts in a new incident. For increased
visibility, Cortex XDR also provides a new Alerts Grouping Status field
in the Incidents table to identify the grouping status: Enabled when
the incident is open to accepting new related alerts or Disabled if
either threshold is reached and the incident is closed to further alerts
or if the incident reached the 1,000 alert limit. To view the exact
reason for a Disabled status, you can hover over the status field. |
MITRE, Severity, and Alert Grouping Visibility
in Incident Table | You can now view the following MITRE, severity,
and alert grouping fields in the Incident Table. Each
field displays the following information:
Incidents
created prior to Cortex XDR version 2.9 are updated as follows:
|
Incident Table View Enhancement | To streamline your incident investigation
process and reduce the number of steps it takes to investigate an incident,
Cortex XDR now allows you to display the Incidents page in one
of two new views:
The List
view displays the current table. The new Detail view positions the
incident table rows in a left-side pane and displays the complete Incident View on
the remainder of the page, allowing you to scroll through the incident
rows and display each incident view without the need to pivot to
another tab or window. To ensure visibility of the incident
data, each row in the pane displays the incident description and
incorporates icons that provide the following details:
In addition, you can
sort the incident rows according to the available fields. The
current right-click menu options are also available in the Detail
view. |
Causality View Loading Time Enhancements | To improve loading time, as of Cortex XDR
version 2.9, when navigating to the Causality View from an
alert or event, Cortex XDR now displays the causality data as follows:
|
Added Option to View The Observed Behaviors
of Behavioral Threat Protection Alerts | The Cortex XDR management console now allows
you to view the observed behaviors of Behavioral Threat Protection alerts. To view the observed behaviors,
right-click on an alert in the alert table or in the incident view
and select View Observed Behaviors. The
option to view the Observed Behaviors table already exists in the
Causality Card. The new view option is another pivot option to view
the same information, and both options remain available. |
Featured Alert Fields Enhancement ( Requires
a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight alerts that are significant to you, Cortex
XDR now includes Active Directory Groups and Organizational Unit (OU)
as optional Featured Alert Fields labels. Define
a Featured AD or OU in Investigation > Incident Management > Feature Fields > Active Directory. To
easily locate alerts containing featured AD or OU fields, in the Alerts
Table, alerts are flagged in the Alert Name field
with a flag and appear in the Contains Featured User or Contains Featured
Host fields associated with the AD/OU. |
Enhanced Alerts Deduplication | To better identify and deduplicate Analytics,
IOC or BIOC alerts for the same activity, the deduplication period is
now calculated according to the actual time the event took place,
rather than according to the time the event was reported to Cortex
XDR. This change applies to future alerts. Previously created
alerts remain the same. |
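The difference between the two clocks matters most for endpoints that report in batches (an offline laptop that reconnects, for instance). The following added example, which is not Cortex XDR code, contrasts deduplication on event time with deduplication on reported time; the one-hour window and the (alert name, host) key are assumptions, since the page does not state the actual period or key.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    name: str
    host: str
    event_time: datetime     # when the activity happened on the endpoint
    reported_time: datetime  # when the event arrived at Cortex XDR


# Assumption for this example: the real deduplication period is not stated on
# the page, so a one-hour window keyed on (alert name, host) is used here.
DEDUP_WINDOW = timedelta(hours=1)

_DAY = datetime(2021, 11, 1, tzinfo=timezone.utc)

# Constructed sample: a Linux laptop was offline, so three alerts for the same
# activity were all reported within a minute of each other at 14:00, although
# the underlying events happened at 09:00, 09:20 and 11:30.
SAMPLE_ALERTS: List[Alert] = [
    Alert("Suspicious cron entry", "laptop-17",
          _DAY.replace(hour=9), _DAY.replace(hour=14)),
    Alert("Suspicious cron entry", "laptop-17",
          _DAY.replace(hour=9, minute=20), _DAY.replace(hour=14, second=30)),
    Alert("Suspicious cron entry", "laptop-17",
          _DAY.replace(hour=11, minute=30), _DAY.replace(hour=14, minute=1)),
]


def deduplicate(alerts: List[Alert],
                clock: str = "event_time") -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (kept, suppressed) using a rolling window on `clock`.

    `clock` is "event_time" (the new behaviour) or "reported_time" (the old
    behaviour). An alert is suppressed when the previous kept alert with the
    same (name, host) key lies less than DEDUP_WINDOW earlier on that clock.
    """
    if clock not in ("event_time", "reported_time"):
        raise ValueError(f"unknown clock {clock!r}")
    last_kept: Dict[Tuple[str, str], datetime] = {}
    kept: List[Alert] = []
    suppressed: List[Alert] = []
    for alert in sorted(alerts, key=lambda a: getattr(a, clock)):
        key = (alert.name, alert.host)
        ts = getattr(alert, clock)
        prev = last_kept.get(key)
        if prev is not None and ts - prev < DEDUP_WINDOW:
            suppressed.append(alert)
        else:
            kept.append(alert)
            last_kept[key] = ts
    return kept, suppressed


def compare_clocks(alerts: List[Alert]) -> Dict[str, int]:
    """Number of alerts that survive deduplication under each clock."""
    return {clock: len(deduplicate(alerts, clock)[0])
            for clock in ("event_time", "reported_time")}


if __name__ == "__main__":
    # Report-time dedup collapses all three into one alert; event-time dedup
    # keeps the 09:00 and 11:30 events and only suppresses the 09:20 repeat.
    print(compare_clocks(SAMPLE_ALERTS))  # {'event_time': 2, 'reported_time': 1}
```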
Quick Actions in Tables | To streamline investigation in Cortex XDR,
you can quickly initiate actions using new icons that are available
throughout Cortex XDR. The new icons are available in table rows
upon a left click of the row and provide an alternative to the right-click
pivot menus. The new icons are available for rows in the
following tables:
|
Centric View of CVE, Endpoint, and Application information,
with additional Vulnerability Assessment Enhancements | To streamline your investigation under Vulnerability Assessment,
Cortex XDR now provides a centric view for a single CVE, Endpoint,
and Application, each accessible when you click on a specific row
of the Vulnerability Assessment and Host Insights panels. These
views list the affected applications, endpoints, or applied vulnerabilities,
in an exportable and searchable manner, together with additional
information on each entity. The CVEs tab under Vulnerability
Assessment now includes additional fields to better fine-tune your vulnerability
investigation. This includes:
Other
view enhancements:
In
addition, Cortex XDR now calculates an unlimited number of vulnerabilities
per endpoint, as opposed to a limit of 500 vulnerabilities per endpoint
in previous versions. This update means that you might
see a higher number of CVEs in Vulnerability Assessment screens,
as well as in reports and dashboards. |
Low and Informational Categorization for
Agent Alerts | The Cortex XDR management console now displays Behavioral
Threat Protection (BTP) alerts at Low or Informational
severity. These are displayed as Insights in the Incident
View and the Causality View panels.
Low severity alerts are also displayed in the Alerts table. |
Authentication Story Enrichment ( Requires
a Cortex XDR Pro per Endpoint license and a Cortex XDR agent 7.3
or later for Linux ) | Starting with this release, Cortex XDR includes
Linux authentication logs in authentication stories and will generate
alerts accordingly. |
External Data Ingestion | |
Zscaler Cloud Firewall Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | If you use Zscaler Cloud Firewall in your
network, you can now forward your firewall and network logs to Cortex
XDR for analysis. This enables you to take advantage of Cortex XDR
anomalous behavior detection and investigation capabilities. To
begin analyzing your traffic logs, you set up a Syslog Collector
and configure your firewall to forward logs to the Syslog Collector.
To provide seamless log ingestion, Cortex XDR automatically maps
the fields in your traffic logs to the Cortex XDR log format. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a Zscaler XQL dataset (<Vendor>_<Product>_raw), named after the <Vendor> and <Product> fields
defined in the Zscaler syslog configuration. This enables you to
search the logs using XQL Search. |
Windows DHCP Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | To provide additional network asset visibility
in Cortex XDR Asset Management and improved
analytics, Cortex XDR can now ingest Windows DHCP logs. To
receive logs, configure Configurations > Data Collection > Collection Integrations > Settings > SaaS Integrations. As soon as Cortex XDR begins
receiving logs, the app automatically creates a Windows DHCP XQL
dataset ( microsoft_dhcp_raw ). This enables
you to search the logs using XQL Search. |
Syslog Collector Applet Enhancements ( Requires
a Cortex XDR Pro per TB license ) | The Syslog Collector applet
now includes these enhancements:
|
Additional External Alerts Fields Available
for Mapping ( Requires a Cortex XDR Pro license ) | When you ingest alerts from external sources
using either the Syslog Collector or Cortex XDR API, you can now map
these additional optional fields to the alerts table:
|
New Behavior for Ingesting Null Fields ( Requires
a Cortex XDR Pro license ) | To expand your investigation and analytics capabilities,
Cortex XDR now ingests any field with a null value, as opposed to
the previous behavior of not ingesting these null value fields.
It is also now possible to use the Cortex XDR Query Language (XQL)
to query ingestion rules for null values. |
Analytics | |
Improved Accuracy for Malware Protection ( Requires
a Cortex XDR agent 7.4 or later release for Windows ) | Starting with this release, WildFire introduces analysis
scores for files with Benign verdict to indicate the level of confidence
WildFire has in the Benign verdict. For example, a file by a trusted
signer or a file that was tested manually would get a high confidence
Benign score, whereas a file that did not display any suspicious
behavior at the time of testing would get a lower confidence Benign score.
Files with a low confidence score are displayed as Benign Low Confidence
(LC). When Cortex XDR receives a Benign Low Confidence verdict,
the agent enforces the Malware Security profile settings you currently
have in place (Run local analysis to determine the file verdict,
Allow, or Block). As soon as you deploy your Cortex XDR
7.4 agents, Cortex XDR will enforce this new behavior according
to the settings you already have in your existing Malware Security
profile for files unknown to WildFire. If you want to change it,
you need to change the existing settings. |
Cortex XDR Identity Analytics Add-On Module ( Requires
a Cortex XDR Pro license ) | To expand your investigation capabilities,
Cortex XDR now offers a new Identity Analytics add-on module.
The add-on requires a Cortex XDR Pro per TB license and a separate
module license. The module license is currently free but will
entail an additional cost in the future. The Identity Analytics
add-on displays in the Analytics Alert View suspicious user
activity, such as stolen or misused credentials, lateral movement,
credential harvesting, or brute-force attempts, based on data collected by the Cortex
XDR Analytics engine detectors. When investigating an analytics
type alert, a new User node appears in the
causality view. Hover over the node to display user profile information,
such as recent authentication statistics, user role, and if associated
with Active Directory groups or Organizational Units. When selecting
the alert node, in the Alert Description and Event
Table sections, Cortex XDR displays the recent logins,
hosts, alerts, and process executions associated with the user. |
Auto-Disable of Alerts from Analytics Detectors ( Requires
a Cortex XDR Pro per TB license ) | To ensure the analytics detectors raise
alerts efficiently and do not overcrowd your Alerts table, Cortex
XDR automatically disables alerts from detectors that reach 5000
or more hits over a 24-hour period. |
Endpoint Security
and Management | |
Cortex XDR Agent Deployment with Installer
and Content Update Package ( Requires a Cortex XDR agent
7.4 or later release for Windows ) | To reduce the network load and time typically required
for the initial roll-out or major upgrades of the Cortex XDR agent,
Cortex XDR now offers an agent installation and content update package.
The package includes the agent installer and the latest supported content
available at the time of the bundle download, eliminating the Content
Update download phase from the Cortex XDR Server post agent installation. You
can deploy the package using a third party tool such as SCCM, or manually
on the endpoint. For more information on the installation
process, refer to the Cortex XDR Agent administrator
guide. |
Cortex XDR Agent Installer and Content Caching on
the Broker VM ( Requires a Cortex XDR agent 7.4 or later
and Broker VM 12.0.58 or later ) | To reduce external bandwidth usage and time required
for Cortex XDR agent installations, upgrades, and content updates,
Cortex XDR now offers an additional option to cache the files on
your Cortex XDR Broker VM. When both P2P and Broker VM download
sources are selected, the agent first queries a peer agent for the
files. If the files are unavailable or the process fails, the agent queries
the Broker VM, where the files are stored for a 30-day retention
period from the last time an agent requested them. If the download from
the Broker VM fails as well, the agent retrieves the files directly
from the Cortex XDR server. The option to retrieve the files from
the Server is always enabled. To enable the Broker VM caching
option, you must first:
For
the detailed workflow on how to set up caching on the Broker VM,
refer to the Cortex XDR administrator’s guide. |
Peer-to-Peer Distribution of Cortex XDR
Agent Installers | To reduce bandwidth load when distributing
installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now
leverages P2P distribution to include agent installers, in addition
to content updates. In your Agent Settings profile, you can choose
the download source from which agents retrieve release upgrades
and content updates: P2P, Palo Alto Networks Broker VM, and the
Cortex XDR server. Peer-to-peer distribution is enabled by default
in the Agent Settings profile,
and requires that you enable UDP and TCP over port 33221 (you can
change this port number later through the Agent Settings profile). |
Device Control Enforcement on Previously Connected
USB Devices ( Requires a Cortex XDR agent 7.4 or later
release for Windows ) | When the Cortex XDR agent starts enforcing
Device Control on the endpoint, it now enforces the policy rules
not only on newly connected devices, but also on devices that were
previously connected to the endpoint before the policy enforcement
was applied. |
Native Support for Apple Silicon (M1) ( Requires
a Cortex XDR agent 7.4 or later release for Mac ) | Starting with this release, you can install
the Cortex XDR agent on macOS based devices with Apple Silicon (M1).
To resolve issues that could occur, refer to the Cortex XDR 7.4
agent list of known issues. |
Context-based Global Exceptions for the
Gatekeeper Enhancement Protection Module ( Requires a
Cortex XDR agent 7.4 or later release for Mac ) | Now when the Cortex XDR Gatekeeper Enhancement security
module raises an alert, you can create a global exception for this
specific source-child combination only, while allowing Cortex XDR
to continue enforcing the Gatekeeper Enhancement protection module
on the source process running other child processes. For more
details, see Add a Global Endpoint Policy
Exception. |
Cortex XDR Agent Silent Uninstall ( Requires
a Cortex XDR agent 7.4 or later release for Mac ) | Starting with this release, when you uninstall
the Cortex XDR agent from the Cortex XDR management console, the
process is silent and does not prompt the end-user for approvals
on the endpoint. |
Scope-Based Access Control (SBAC) for Endpoints | Cortex XDR now enables assignment of user permissions
to specific endpoint groups in the organization. By default, all
users have management access to all endpoints in the tenant. However,
after you (as an administrator) assign a management scope to a Cortex
XDR user, the user is able to manage only the specific endpoints
within that scope. This Scope-Based Access Control (SBAC) affects
the following functional areas in Cortex XDR:
The rest of the functional areas and their
permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions
are granted to a scoped user, the user will be able to access all
endpoints in the tenant within this functional area. For example,
a scoped user with a permission to view incidents, can view all
incidents in the system without limitation to a scope. To
view and modify the scope of a user, go to Configurations > Access Management > Users. In
the list of Cortex XDR users, the Endpoint Scope column now specifies
any SBAC assignment. |
Broker VM Version
12.1.5 | |
CSV Log Files Integration with the Broker
VM ( Requires a Cortex XDR Pro per TB license ) | The broker VM now provides a new CSV Collector applet
that enables you to monitor and collect CSV log files from a shared
Windows directory directly to your log repository for query and
visualization purposes. After you activate the CSV Collector
applet, you can ingest CSV files as datasets by defining the list
of folders mounted to the broker VM and setting the list of CSV
files to monitor and upload to Cortex XDR using a username and password. |
Agent Proxy Listening Interface | You can now specify a proxy listening interface
when activating a local agent on the broker VM, through the Activate
Local Agent applet. For more information, see the Cortex XDR Administrator’s Guide. |
API | |
New XQL API ( Requires a Cortex
XDR Pro license ) | To expand your investigation capabilities,
Cortex XDR now enables you to run XQL queries on your data sources using
APIs. The XQL APIs require a Cortex XDR
Pro license and a daily Query Quota made up of query units. Cortex
XDR provides a free quota of query units and you will be able to
purchase additional units in future Cortex XDR versions. Each
XQL query consumes query units based on the number of API response
results. Queries called without enough quota will fail. You
can run the following APIs on your tenant and MSSP child tenants:
To help you track
your XQL APIs, in the Cortex XDR app, you can view the following
information:
|
New API Key Time Limit | For an added layer of security when managing
your user API permissions, you can
now set a time limitation on the API key used to authenticate API calls. When
creating API keys, select the option to enable an Expiration
Date for the key. In the API Keys table,
a new Expiration Time field has been added
allowing you to track each key. In addition, Cortex XDR displays
an API Key Expiration notification one week and one day prior to
the defined expiration date. |
Enhanced Visibility of Incident Data | To help you gain greater visibility of requested
API data when calling Get Incidents and Get Extra Incident Data APIs,
the response section now includes the following fields:
|
Updated Alert Severity Valid Values | To ensure consistency in the Cortex XDR
app Alerts table, when calling Insert Parsed Alerts API,
the severity field is now mandatory
and does not accept the value Unknown. Possible
valid values are:
|
Updated Featured Alert Fields API ( Requires
a Cortex XDR Pro license ) | To expand your Featured Alert Field capabilities, Cortex
XDR has updated the Replace Featured Active Directory Groups API to
allow you to delete and replace Organizational Units (OU) in addition
to Active Directory Groups (AD). When calling /replace_ad_groups/, you
can now distinguish between an AD or OU group by including the new
field type with a value of either group or OU in
your request. The field is not mandatory and defaults to group. |
Upload Cortex XDR Indicator Request Validation | To help you gain greater visibility if an
indicator has been updated correctly, when calling the Insert Simple Indicators, CSV and Insert Simple Indicators, JSON APIs,
you can now send a validate field in
your request. In the case where the update was unsuccessful,
the validate field returns a validation_errors array listing
the specific fields and errors that occurred. |
Features Released in March
The following table describes new features in the Cortex XDR
2.8 release.
Feature | Description |
---|---|
Access
Management | |
Cortex XDR Management Console IP Address
Changes | Cortex XDR now uses new IP addresses for accessing
the Cortex XDR management console (<xdr-tenant>.xdr.<region>.paloaltonetworks.com). If you use the cortex-xdr App-ID
or the outgoing HTTPS connection is not filtered by a firewall,
no firewall adjustments are necessary. However, if your HTTPS connection is
filtered through a firewall (and you do not use the App-ID), you
must adjust your configuration to use the new IP addresses according
to your region. The FQDN for the Cortex XDR management console remains
unchanged. |
Broker VM | |
Approved Remote Terminal Commands | When you connect to a broker VM remotely, Cortex XDR now
allows you to perform the following privileged commands:
|
API | |
Enhanced Visibility of MAC Addresses | To provide greater visibility for alerts
that have multiple associated MAC addresses, the Get Alerts API response
now includes the mac_address field. The
new field returns a list of one or more MAC addresses and will supersede
the existing mac field which will be deprecated
in a future release. |
Features Introduced in February
The following table describes new features in the Cortex XDR
2.7 release.
Feature | Description |
---|---|
General | |
Extended Tab Viewing Options | The option to view results in the same or a
new tab is now available in the pivot menus of the following tables:
|
In-App New Version Notification | Cortex XDR now displays a notification when
you log in to your tenant following a Cortex XDR version upgrade.
The notification displays the updated version number and lists selected new
features available for your license type. From the notification,
you can choose to pivot to the Release Notes for
more information, or you can dismiss the notification and view it at
another time by navigating to User > What’s new. |
Audit Logs SHA256 Value Enhancement | To improve your investigation capabilities,
Cortex XDR now includes the SHA256 value in the Management Audit
and Agent Audit logs for files that you restored and quarantined. The
Management Audit Log and Agent Audit Log Description field
in the Cortex XDR management console and the Get Audit Agent Report
and the Get Audit Management Log APIs now display the file Description in
a new format:
|
Auto-Disable BIOC Rules Log Description Update
in Audit Logs | The Auto-Disabled behavioral indicator of
compromise (BIOC) rule Description field
displayed in the Management Audit Log page and the Get Audit Management
Log API now display the rule description in
a new format: BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity> |
Investigation
and Response | |
XQL Query Language Enhancements ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) is extended
in the following ways:
|
New Datasets for XQL Search ( Requires
a Cortex XDR Pro license ) | Cortex XDR now enables you to query the
following data using the Cortex XDR Query Language (XQL):
In addition, log records received
from a security information and event management (SIEM) system are
parsed into key-value pairs. Log record field values that are not
identified as an integer, string, or timestamp are ingested as a
JSON record. |
Network Preset Name Change in XQL Search ( Requires
a Cortex XDR Pro license ) | The Network preset for XQL Search of EDR
data is changed—it is now Agent Network. This is only a name change;
this preset still provides the same network events sent from agents
as before this change. The Agent Network preset is not the
same as the Network Story preset that provides stitched network
events from different sources. |
Additional XQL Search Pivot Functionality ( Requires
a Cortex XDR Pro license ) | To continue investigation, you can now pivot from XQL Search results
to the Causality View and Timeline View. These options are supported
for results that identify the following types of events: process
(except for those with an event subtype of termination), network,
file, registry, injection, load image, system calls, network stories,
and Windows event logs. From the events table in the Causality
View and Timeline View, you can similarly pivot from an event to View
in XQL in either the same tab or a new tab. This can
be useful if you want to further refine the query to continue investigation. |
Histograms
for XQL Search Queries ( Requires a Cortex XDR Pro license ) | Cortex XDR now automatically generates histograms
for every field that is part of an XQL Search result. A histogram
is a type of visualization of the results within a specific query. Histograms
are similar to bar charts that show the distribution of values within
a specific field across a result set. Each time you generate a new
query, Cortex XDR will regenerate the histogram based on the updated
result set. Histograms are not supported for JSON and array
fields. |
New Visualizations for Widgets Based on XQL
Search Queries ( Requires a Cortex XDR Pro license ) | To help you better view and visualize data
based on XQL search queries, you can now view your XQL search results in
three new modes:
Cortex
XDR expanded the type of available widgets so that you can now display
the search results using:
To
easily save a visualization after you create a widget, find the
widget in the Widget Library. |
New
Cortex XDR Widget Library | To streamline widget visibility and management,
Cortex XDR now enables you to search, view, and edit both your custom widgets
and the Cortex XDR predefined widgets in the new Widget Library. The
library is a one-stop page where you can easily add or create widgets
to your dashboards and reports to help you continuously monitor
your XQL query results, logs, and data visually. |
New Incident Management Page | To streamline the Investigation menu,
a new Incident Management page is now available.
From this page, you can view starred incidents, manage scoring rules, and view incident exclusions. |
Custom
Incident Scoring Rules ( Requires a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight incidents that are significant in your environment,
Cortex XDR now enables you to define custom incident scoring rules that
prioritize your incidents according to the needs of your organization. Define
scoring rules in the Cortex XDR management console under Investigations > Incident Management. The incident
score is displayed as a filterable Score field
in the Incident table and as a tag in the Incident View. |
Featured Alert Fields ( Requires
a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight alerts that are significant to you, Cortex
XDR now enables you to label specific alert attributes as Featured Alert Fields. Featured
fields help you track alerts that involve a specific:
Label a field as Featured in Investigation > Incident Management > Feature Alert Fields.
To easily locate alerts containing featured fields, alerts containing
one or more of the featured fields are flagged in the Alert
Name field with a flag icon. Alert notification emails
now include whether the alert contains one or more featured fields:
|
IOC Rule Functionality Enhancements ( Requires
a Cortex XDR Pro license ) | To ensure your indicators of compromise (IOCs) rules raise alerts
efficiently and do not overcrowd your Alerts table, Cortex XDR now
automatically performs the following tasks:
|
Network Causality Event Timestamp Investigation ( Requires
a Cortex XDR Pro license ) | To help you investigate the time frame of
security processes and connections made over your network, Cortex
XDR now displays the network event timestamp in the Network Causality View. When
selecting the Network Appliance node in the Network Causality View,
the event timestamp is now displayed in the Entity Data section
of the card. |
Enhanced Timestamp Investigation | To enhance your investigation capabilities,
you can now narrow the Timestamp field results
in the Cortex XDR tables by right-clicking to display rows that
are 30 days before or 30 days after the selected field value. |
Events Table Results Enhancements | The Events table (available from the Causality View and Timeline View) now includes
the following enhancements:
|
Slack Notifications Enhancement | To help streamline investigations for alerts
you receive on Slack, Cortex XDR now
provides a link in Slack notifications to the alert details in Cortex
XDR. If the alert is part of an Incident, the notification also
includes the link to investigate the incident in Cortex XDR. |
Hostname Visibility in Alerts | Hostname visibility in the Cortex XDR Alerts Table
is now displayed according to the following guidelines:
|
Native Search Deprecation | For queries on data in your Cortex XDR tenant,
Cortex XDR provides query functions using the XQL Search that enable
you to query the data, create widgets, and schedule queries, all
of which supersede the Native Search. The Native
Search will remain available from the Query Builder only until the
next release. |
Remote Malicious Causality Chains Response (Windows) ( Requires Cortex
XDR agent 7.3 or a later version ) | When the Cortex XDR agent identifies a remote
network connection that attempts to perform malicious activity, such
as encrypting endpoint files, the agent can now block the IP address
to close all existing communication and block new connections from this
IP address to the endpoint. You can view the list of all blocked
IP addresses per endpoint from the Cortex XDR Action
Center , as well as unblock them to re-enable communication
as appropriate. You set the action mode in your Malware Security profile
where you can also add a specific and known safe IP address or IP
address range to the IP addresses allow list. This capability is supported
for network connections made in IPv4 only. When Cortex
XDR blocks an IP address per endpoint, that address remains blocked
throughout all agent profiles and policies, including any host-firewall
policy rules. |
Network Isolation of macOS Endpoints (macOS
10.15.4 and later) ( Requires Cortex XDR agent 7.3 or a later
version ) | Cortex XDR now extends the Network isolation
response action to macOS endpoints. To prevent a compromised macOS
endpoint from communicating, you can now isolate your endpoint to
halt all network access on the endpoint except for traffic to Cortex
XDR. After you isolate an endpoint, the
Cortex XDR agent reports an Isolated check-in status and the endpoint
remains isolated from the network until you cancel this isolation
from Cortex XDR. Note the following limitations:
|
Live Terminal Enhancements (Windows and Mac) ( Requires Cortex
XDR agent 7.3 or a later version ) | To improve the awareness and visibility of
the endpoint end user, now when you initiate a Live Terminal session
from Cortex XDR to the endpoint, you can prompt the end user to approve
the connection request. Additionally, you can configure the Cortex
XDR agent to display a blinking light on the endpoint. |
External Data Ingestion | |
PingFederate Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest logs from PingFederate. To receive
logs, you must enable PingFederate to send logs in CEF format to
the Syslog Collector that you set up on the broker VM. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a PingFederate XQL dataset ( ping_identity_pingfederate_raw )
and enables you to search the logs using XQL Search. Log information
from PingFederate is also visible, when relevant, in the xdr_data dataset and
in the authentication_story preset. |
Amazon CloudWatch and AWS CloudTrail Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail Logs.
To receive logs, configure SaaS Log Collection settings for
the vendor in Cortex XDR. As soon as Cortex XDR begins receiving
logs, the app automatically creates an Amazon AWS XQL dataset ( amazon_aws_raw )
and enables you to search the logs using XQL Search. |
Elasticsearch Filebeat Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | When you use Elasticsearch Filebeat to
log activity on your endpoints or servers, Cortex XDR can now ingest those
file logs. To receive logs, configure the collection settings for Filebeat
in Cortex XDR and the output settings in your Filebeat installations. As
soon as Cortex XDR begins receiving logs, Cortex XDR automatically
creates a dataset for each collected vendor and product and makes
logs available in XQL Search queries. |
HTTP Log Collector ( Requires a Cortex
XDR Pro per TB license ) | You can now set up an HTTP Log Collector to receive
logs in text or JSON format. To begin receiving logs you must first
set up the HTTP Log Collector and use the provided examples to construct
an HTTP POST request. As soon as Cortex XDR begins receiving
logs, Cortex XDR automatically creates a dataset using the vendor
and product you specified during the log collector setup. You can
then use XQL Search to initiate queries on the dataset. |
Google Kubernetes Engine (GKE) Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | As an alternative to setting up a GCP Pub/Sub,
Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using
Elasticsearch Filebeat. To receive logs, you must install Filebeat
on your containers and enable SaaS Log Collection settings for Filebeat. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a GKE XQL dataset—using the product and vendor that you
specify during Filebeat setup—and enables you to search the logs
using XQL Search. |
Extended Log Ingestion for Syslog in LEEF
Format ( Requires a Cortex XDR Pro per TB license ) | Cortex XDR extends log ingestion support
to vendors sending LEEF over Syslog. As with
log ingestion for CEF over Syslog, you can configure the protocol,
the IP address and port, and the format settings for the syslog
collector. After Cortex XDR begins receiving logs from the
third-party source, it automatically parses the logs in LEEF format
and creates a dataset. Cortex XDR extracts the vendor and product
name to identify the dataset as <vendor>_<product>_raw. |
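The parsing step described above, as an added example in Python (not Cortex XDR code): it reads LEEF 1.0 and 2.0 payloads behind a syslog header, unescapes `\|` in header fields, resolves the LEEF 2.0 delimiter field, and groups events by the `<vendor>_<product>_raw` dataset name. The sample lines are constructed, and the lowercase/underscore normalization of vendor and product is an assumption about how the dataset name is formed.

```python
import re

# Constructed sample syslog lines carrying LEEF payloads (not real device output).
SAMPLE_LINES = [
    "<13>Nov  2 10:15:01 fw01 LEEF:1.0|Palo Alto Networks|PAN-OS|10.1|DENY|"
    "src=10.0.0.5\tdst=198.51.100.7\tproto=tcp\tdstPort=445",
    "LEEF:2.0|Example Corp|Web Proxy|4.2|BLOCK|^|usrName=alice^url=http://example.test/x^cat=malware",
    "LEEF:2.0|Example Corp|Web Proxy|4.2|ALLOW|x09|usrName=bob\turl=http://example.test/y",
]

def _delimiter(field: str) -> str:
    # LEEF 2.0 delimiter field: empty means tab, an 'x09'-style hex code, or one literal char.
    if field == "":
        return "\t"
    if (m := re.fullmatch(r"[xX]([0-9a-fA-F]{2})", field)):
        return chr(int(m.group(1), 16))
    if len(field) != 1:
        raise ValueError(f"bad LEEF delimiter field: {field!r}")
    return field

def parse_leef(line: str) -> dict:
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event into a dict."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    # Header fields are '|'-separated; a literal pipe inside a field is escaped as '\|'.
    parts = [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", line[start:])]
    version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id = parts[1:5]
    if version.startswith("2.") and len(parts) >= 7:
        delim, attr_text = _delimiter(parts[5]), "|".join(parts[6:])
    else:  # LEEF 1.0 (or 2.0 without a delimiter field) is tab-delimited
        delim, attr_text = "\t", "|".join(parts[5:])
    # Attributes are key=value pairs; split on the first '=' only, so values may contain '='.
    attrs = dict(item.split("=", 1) for item in attr_text.split(delim) if "=" in item)
    return {"leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attributes": attrs}

def dataset_name(vendor: str, product: str) -> str:
    # <vendor>_<product>_raw; lowercasing and underscore normalization are assumptions.
    norm = lambda s: re.sub(r"[^a-z0-9]+", "_", s.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"

def route_events(lines) -> dict:
    """Group parsed events by the dataset they would be written to."""
    routed = {}
    for line in lines:
        event = parse_leef(line)
        routed.setdefault(dataset_name(event["vendor"], event["product"]), []).append(event)
    return routed
```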
Analytics | |
Analytics BIOC Visibility and Management ( Requires
a Cortex XDR Pro license ) | If you have Analytics enabled, Cortex XDR
now provides visibility into and enables management of your Analytics BIOC rules by
pivoting from the BIOC Rules table to a dedicated page. For
each rule, Cortex XDR displays identifying information, such as
name and ID, severity, rule activation status, and any relevant
MITRE ATT&CK information. Cortex XDR also enables you to disable
or enable Analytics BIOC rules as needed. To view and manage
Analytics BIOC rules, you must have the corresponding permissions
enabled for your role. |
Asset Management | |
Enhancements to Asset Management ( Requires
a Cortex XDR Pro license ) | Cortex XDR now also displays the MAC address,
vendor name, and platform of your managed and unmanaged assets. |
Export Network Assets to File ( Requires
a Cortex XDR Pro license ) | You can now export your Asset Management table results
to a tab-separated values (TSV) file. |
Endpoint Security and Management | |
Flexible Agent License Revocation ( Requires
a Cortex XDR Pro license ) | To enable a flexible revocation policy for
Cortex XDR agent licenses, you can now configure the number of days
after which the license should be returned when an agent loses the
connection to Cortex XDR. In addition, you can configure the number
of days after which the agent and related data is removed from the
Cortex XDR management console and database. For more information,
see Cortex XDR Agent License Revocation. |
Enhanced Local Analysis
Prevention (Windows) ( Requires a Cortex XDR Prevent or Cortex
XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later
version ) | The Local Analysis module, which prevents
the execution of malicious Portable Executables (PEs) and Office
documents with macros, now includes a new rule-based static engine
that provides an additional layer of protection. The new engine
provides additional context to Cortex XDR alerts by matching the
samples that are under agent examination to static rules that inspect multiple
file attributes and features. The Local Analysis rules are
maintained by the Palo Alto Networks Research team and are updated
through content updates. You cannot add, modify, or remove rules
from the Local Analysis module. |
Bulk Alias Edits for Endpoints ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license ) | To enable you to quickly change the alias for multiple
endpoints, you can now perform the action from the Endpoint
Control menu on the Endpoint Administration page. |
Vulnerable Drivers Protection (Windows) ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.2 or a later version ) | Cortex XDR can now leverage the latest threat
research to quickly deploy behavioral threat protection (BTP) rules
that detect attempts to load vulnerable drivers. As with other BTP
rules, Cortex XDR can deliver changes to vulnerable driver rules
with content updates. To configure vulnerable drivers protection,
you must enable Behavioral Threat Protection and configure
the Action mode for vulnerable drivers protection as
part of a Malware Security Profile. By
default, Cortex XDR blocks all identified attempts to run vulnerable
drivers. If you change the default ( Block ), you can Report (and
allow) vulnerable drivers or disable the module. |
Device Control for VDI (Windows) ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.3 or a later version ) | Cortex XDR now extends Device Control for USB
devices to include virtual desktop infrastructure (VDI). The Cortex
XDR agent enforces the Device Control policy rules on USB devices
after the end user logs on to the VDI instance. USB Devices that
were connected prior to the agent enforcing the Device Control policy
rules are not blocked after the fact. Note the following limitations:
|
Unpatched Vulnerabilities Protection (Windows) ( Requires
a Cortex XDR agent 7.1 or a later version ) | Palo Alto Networks
strongly recommends that you upgrade your operating system as soon
as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more
information, refer to the Microsoft Security Response Center. For
Cortex XDR agents 7.1 and later releases running on unpatched Windows
endpoints, a new capability in the Exploit Security profile will
modify IPv4 and IPv6 settings temporarily on the endpoint as a workaround
to protect unpatched endpoints from these known vulnerabilities.
After the endpoint is patched with a fix for these vulnerabilities,
the Cortex XDR agent automatically reverts all modified Windows
system settings to their values before modification. Before
applying this workaround on your endpoints, refer to the Cortex
XDR Administrator’s Guide for
the full details and impact this workaround could have on your network. |
Extended Device Control to Read-Only Disk
Drives (Windows and Mac) ( Requires a Cortex XDR Prevent
or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0
or a later version for Windows endpoints and Cortex XDR agent 7.2
or a later version for Mac endpoints ) | You can now set a Device Control policy
profile to allow disk drives to connect in read-only mode on the
specified endpoints. |
Peer-to-Peer Content
Distribution (Mac and Linux) ( Requires a Cortex XDR Prevent
or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3
or a later version ) | Cortex XDR now extends peer-to-peer content
distribution to Mac and Linux endpoints. To reduce bandwidth load
when distributing content from Cortex XDR to the Cortex XDR agents,
you can enable agents on your LAN network to retrieve the new content
version from other agents that already retrieved it. Peer-to-peer
content distribution is enabled by default in the Agent Settings Profile. |
Agent Installation Using a Unified Configuration
Profile File for MDMs (Mac) | For a seamless installation of the Cortex XDR
agent that does not require end user interaction, Palo Alto Networks
now provides a unified configuration profile that you can upload
to any third-party deployment software of your choice. You can download
a configuration profile already signed by Palo Alto Networks, or
an unsigned configuration profile, if you prefer or are required
to sign using your own signing certificate. You can use the unified configuration
profile to deploy any version of the Cortex XDR agent. For more
information, refer to Install the Cortex XDR Agent
Using a Unified Configuration Profile for MDMs. |
Custom Agent Installation Directory (Linux) ( Requires
a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.3 or a later version ) | You can now install your Cortex XDR agent in
a custom directory on Linux endpoints instead of using the default /opt directory.
To do this, set the custom path in the new installation variable --install-path=/<some/path>.
After you install the Cortex XDR agent to the custom path, all subsequent
upgrades and the removal of the agent from the endpoint are executed
in the same location. For more information, see how to Install the Cortex XDR Agent
for Linux. |
New Operating Systems Support (Linux) ( Requires Cortex
XDR agent 7.3 or a later version ) | You can now install the Cortex XDR agent
on Linux endpoints that are running on:
For all supported kernel
versions, see the Latest kernel module version
support |
Host Insights Add-on | |
Search and Destroy Malicious Files on Mac
Endpoints (macOS 10.15.4 and later) ( Requires a Cortex
XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.3 or a later version ) | Cortex XDR now extends the File Search and
Destroy response action to Mac endpoints. You can use search and destroy to
take immediate action on known and suspected malicious files. You
can search from Cortex XDR for a file by hash or path on endpoints
and, after you identify the presence of the file, you can immediately
destroy the file from any or all endpoints on which the file exists. |
Host Insights Export to File ( Requires
a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.1 or a later version ) | You can now export all the Cortex XDR host insights tables and
respective asset views to a tab-separated values (TSV) file. |
Vulnerability Management Name Change ( Requires
a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.1 or a later version ) | To better reflect the feature usage, Vulnerability Management is
renamed to Vulnerability Assessment . |
Multitenants and MSSPs | |
Cross-Tenant XQL Queries for Multi-Tenancy ( Requires
a Cortex XDR Pro license ) | To enable multitenant management that uses
XQL Query to view raw data that is stored in Cortex XDR, you can
now execute XQL queries on a single child tenant or up to 100 child
tenants simultaneously, directly from your parent tenant's XQL Search page. When executing XQL queries on
a single child tenant, Cortex XDR provides the parent tenant with autocompletion
and validation capabilities to all datasets available on the child
tenant. When executing XQL queries on multiple child tenants simultaneously:
You can view, track, and investigate
the query results and graphs for each child tenant in your XQL Search
page results table or Query Center by filtering by child tenant. |
Broker VM ( Version 11.1.1 ) | |
Broker VM Images | MD5 values for broker images version 11.1.1:
|
New Supported WEC Event Collection ( Requires
a Cortex XDR Pro per TB license ) | To expand the Broker VM data collection
capabilities, in addition to the default WEC event IDs, you can
now configure the Broker VM to collect all or specific Windows event types,
such as DHCP, DNS, and IIS event types, directly from the Cortex
XDR management console. |
WEC Domain Controller Certificate Notifications ( Requires
a Cortex XDR Pro per TB license ) | To keep you informed of your WEC Domain
Controller Certificate status and avoid service disruptions, Cortex
XDR now displays a notification of the time remaining
on your license, or that your license has expired. |
Approved Remote Terminal Command | When you connect to a broker VM remotely, Cortex XDR now
allows you to perform the following privileged commands:
|
API | |
New Featured Alert Fields APIs ( Requires
a Cortex XDR Pro license ) | To expand your API capabilities, Cortex
XDR now provides the APIs to help you manage your featured alert fields.
Using the following APIs you can delete and replace existing featured
alert fields:
|
Enhanced Visibility of Incident Data | To help you gain greater visibility of requested
API data when calling Get Incidents and Get Extra Incident Data APIs, the response section
now includes the following Incident Scoring fields:
|
Enhanced Visibility of Alert Data | To help you gain greater visibility of Alerts
that include Featured host name, username, or IP address, the Get Alerts API response
now includes the following boolean type fields:
|
Enhanced Insert Parsed Alerts Capabilities | To enable you to include additional information
when running the Insert Parsed Alerts API,
you can now send the action status taken on an alert ( Reported or Blocked )
using the action_status field. |