Features Introduced in 2021

Learn more about Cortex XDR features introduced during 2021 by month and functional area.

The following topics describe the Cortex XDR features introduced in 2021 by month.

Features Releasing in November

Features Releasing in August

Features Releasing in May

Features Releasing in March

Features Released in February

Features Releasing in November

New features in the Cortex® XDR™ 3.1 release.

The following table describes new features in the Cortex XDR 3.1 release.

Feature	Description
`General`
New Support for Role-Based Access Control Managing XQL Dataset Permissions	To help you better manage user access permissions in Cortex XDR, Cortex XDR now supports XQL dataset permission enforcement as part of managing roles or specific permissions using role-based access control (RBAC). When creating or editing roles in Configurations Access Management Roles , a new Datasets section is displayed, where you can Enable or Disable the access permissions for the various datasets listed. By default, the Enable dataset access management feature is disabled, and users have access to all datasets. Once you enable this feature, you need to define for each dataset type the access permissions you want to grant for the role.
Cortex XDR Table Format Enhancements	To streamline your investigation across all of Cortex XDR tables, Cortex XDR now allows you to configure the order of which the columns are displayed by allocating a column index number.
New User-Specified Timestamp Formats	To allow for greater flexibility when investigating your data, Cortex XDR now includes the following timestamp formats. The selected format is applied throughout the Cortex XDR management console and TSV export files. MMM Do YYYY HH:mm:ss MM/DD/YYYY HH:mm:ss.SSS Do MMM YYYY HH:mm:ss DD/MM/YYYY HH:mm:ss.SSS YYYY/MM/DD HH:mm:ss.SSS YYYY-MM-DDTHH:mm:ssZ The setting is configured per user and not per tenant.
`XDR for Cloud`
Cloud Inventory Data Collection (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR now provides a unified, normalized asset inventory for cloud assets in Google Cloud Platform, Microsoft Azure, and Amazon Web Services. This capability provides deeper visibility to all the assets and superior context for incident investigation To receive cloud assets, configure Configurations Data Collection Collection Integrations settings using the new Cloud Inventory data collector for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving cloud assets, you can view the data in Assets Cloud Inventory , where new pages for All Cloud Assets and Specific Cloud Assets display the data in a table format. When any row in the table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections, such as Asset Metadata and Asset Editors . The Asset Editor section also provides a link to open a predefined query in XQL Search on the cloud_audit_log dataset to view the edit operations by the identity selected for this asset in the last 7 days.
`Forensics`
New Persistence Tables (`Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows`)	To expand your forensics investigation capabilities, Cortex XDR introduces the following new Persistence tables: Drivers Registry Scheduled Tasks Services Shim Databases Startup Folders WMI
`Investigation and Response`
New Support for Selecting Drill-down Query Time Frame Options in Correlation Rules (`Requires a Cortex XDR Pro license`)	To provide more flexibility to customers when configuring the Drill-down Query Time Frame in Correlation Rules, Cortex XDR now provides the ability to choose a particular time frame from a list, as opposed to only having one option available. The following options are available. Generated Alert —Uses the time frame of the alert that is triggered (first event to last event timestamp). This was previously the only option and is now the default option. XQL Search —Uses the time frame from when the Correlation Rule was run in XQL Search.
New Dataset Fields Available (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities, the following fields (where applicable) are available for any dataset and can be queried in XQL Search. Relevant broker VM fields _collector_type _collector_name _broker_hostname—Displays the Device ID, which is the unique identifier of the broker VM. _broker_ip_address _reporting_device—This field is deduced or parsed from the data. If this field is Not Applicable (N/A) then the field is left empty. _final_reporting_device—The final device that the log was extracted from. Collection Integrations fields _collector_type _colllector_name XDR Collectors _collector_type _collector_name _collector_id _collector_hostname _collector_ip_address
New Palo Alto Networks NGFW Firewall Log Datasets	To expand your investigation capabilities, the following Palo Alto Networks NGFW Firewall log datasets are now available, which you can query in XQL Search. Authentication Logs— panw_ngfw_auth_raw System Logs— panw_ngfw_system_raw User ID Logs— panw_ngfw_userid_raw File Data Logs— panw_ngfw_filedata_raw Global Protect Logs— panw_ngfw_globalprotect_raw
New Support for Adding Multiple Tags in XQL and Parsing Rules XQL—(`Requires a Cortex XDR Pro license`) Parsing Rules—(`Requires a Cortex XDR Pro per TB license`)	To help you add multiple tags in addition to the single tag supported, Cortex XDR now supports adding multiple tags in these scenarios. Adding an Operator for Tagging in XQL —You can now use the add operator in combination with the tag command to add both a single tag (previously supported) or multiple tags (newly supported) to a field that you can easily query in the dataset. For example, dataset = xdr_data \| tag add "test1", “test2”, test3” Adding Tags in Parsing Rules —You can add a single tag or list of tags to the ingested data as part of the ingestion flow that you can easily query in XQL Search. You can add tags as part of the INGEST section or using both the INGEST and RULE sections. The following are examples of each. Adding a list of tags in the INGEST section. [INGEST:vendor="MSFT", product="Azure AD Audit",target_dataset="msft_ad_audit_tagging", no_hit=drop, ingestnull =false ] tag add "New Event1", "New Event2", "New Event3" Adding a list of tags in the INGEST and RULE sections. [INGEST:vendor="Check Point", product="Anti Malware",target_dataset="malware_test", no_hit= drop , ingestnull = true ] alter xx = call new_tag_rule; [RULE:new_tag_rule]tag add "test1", “test2”, “test3”;
Additional Support for Creating BIOC Rules in XQL Search (`Requires a Cortex XDR Pro license`)	To expand your investigation and analytics capabilities, Cortex XDR now provides additional support for creating BIOC Rules when building a query in XQL Search using the complete Cortex XDR Query Language (XQL) syntax. In addition, you can create BIOC rules using the xdr_data and cloud_audit_log datasets and presets for these datasets. A cloud_audit_log data set requires a Cortex XDR Pro per TB license. Currently, you cannot create a BIOC rule on customized datasets and it is not possible to perform complex XQL functionality, such as running aggregations or Lookups, on BIOC rules.
New Support for Dataset and Field Names in Different Languages (`Requires a Cortex XDR Pro license`)	Cortex XDR Query Language (XQL) now supports using different languages for dataset and field names.
New Support for Enums in XQL (`Requires a Cortex XDR Pro license`)	Cortex XDR Query Language (XQL) now supports using enums in XQL Search using the syntax ENUM.<prefix> , which displays the relevant enums for a specific field in addition to the previous syntax. For example, Before version 3.1 \| filter event_type = FILE After version 3.1 This syntax is now supported. \| filter event_type = ENUM.FILE \| filter event_type = FILE
New Support for Adding Comments in XQL (`Requires a Cortex XDR Pro license`)	Cortex XDR Query Language (XQL) now supports adding comments in any section when building a query in XQL Search. Comments on a single line are added using the following syntax. /<comments> / For example, dataset = xdr_data \| filter event_type=1 /* process / and event_sub_type = 1 / execution*/ To write a comment that extends over multiple lines use the following syntax. //multi-line <comments> // For example, dataset = xdr_data \| filter //multi-line Adding comments is a great thing. Here is an example // event_type=1
Incident View Enhancements	To help you better investigate your Incidents View, you can now Pin specific Details Pane tabs to always display a specific tab first when you investigate incidents. View the user score in the Overview and Key Assets tabs. Extend visibility into incidents that have been resolved in the Incidents table with a new Resolved Timestamp field that displays the date and time when the incident was set with a resolved status.
Username support in Quick Launcher	To improve the search and investigative functionality of the Quick Launcher, you can now search for usernames to easily launch the User View and investigate the user's incidents, login, and authentication events.
Updated Cortex XDR Query Builder Results Limit (`Requires a Cortex XDR Pro license`)	When running a query using the Cortex XDR Query Builder, Cortex XDR now returns up to 10,000 results. When creating an XQL Query, Cortex XDR will still return up to 1M results.
Agent Asset Scan Enhancement (`Requires a Cortex XDR Pro license`)	To expand your Cortex XDR agent scan capabilities, Cortex XDR now enables you to discover network assets by using NMAP scan on the agents.When you configure your Cortex XDR agent to scan your endpoints, select now either NMAP or Ping. The scan is automatically distributed by Cortex XDR to all the agents configured in the profile and cannot be initiated by request.The scan results can be viewed in the Asset Management table.
Excluding Endpoints from Auto-Upgrade	To expand your response capabilities, Cortex XDR now enables you to select one or more endpoints from the Endpoint Administration table and exclude or include the endpoints from the auto-upgrade process.
Improved Endpoint Content Version Visibility	To help you better manage your endpoint content versions, Cortex XDR now displays the following new fields in the Endpoint Administration table: Content Release Timestamp Displays the time and date of when the current content version was released. Last Content Update Time Displays the time and date when the agent last deployed a content update.
MITRE Tags for BIOC Rules Enhancements (`Requires a Cortex XDR Pro license`)	To aid in the alert investigation, when creating and editing BIOC rules you can now associate MITRE ATT&CK tactics, techniques or sub-techniques by using the newly designed MITRE ATT&CK table. The MITRE ATT&CK table maps out the correlations between the various tactics, techniques, and sub-techniques, allowing you to easily select which MITRE ATT&CK labels you want to include in the BIOC. In addition, as of Cortex XDR 3.0, there is no limit on the number of MITRE ATT&CK tactics, techniques or sub-techniques you can associate to a BIOC rule.
Informative BTP Rule Alert Names and Descriptions (`Requires a Cortex XDR Pro license`)	Now Behavioral threat protection (BTP) alerts have been given unique and informative names and descriptions, to provide immediate clarity into the events without having to drill down into each alert: Alert names have been completely revised. New alert descriptions are now displayed alongside the existing descriptions. The module name remains Behavioral threat protection. To start displaying the new BTP rule alert names and descriptions, you must enable this capability in your global agent settings. Once you update the settings, new alerts will include the changes while already existing alerts will remain unaffected. If you have any Cortex XDR filters, starring policies, exclusion policies, scoring rules, log forwarding queries, or automation rules configured for XSOAR/3rd party SIEM, we advise you to update those to support the changes before activating the feature (for example, change the query to include the previous description that is still available in the new description, instead of searching for an exact match).
New Cortex XDR Dashboard Incident Management Widgets (`Requires a Cortex XDR Pro license`)	To help you better visualize and manage your Cortex XDR incident findings, Cortex XDR introduces the following new widgets: Incidents by MITRE ATT&CK Display a breakdown of the number of incidents involved with each MITRE ATT&CK tactic and technique over the last 30 days, 7 days, 24 hours, or custom time range according to the incidents creation time. Select a tactic or technique to pivot to the Incidents Table filtered according to the tactic/technique and creation time. Resolved Incidents By Assignee Display a breakdown of the top five users with the most resolved incidents assigned to them according to the incident creation time. Select an assignee to pivot to the Incidents table filtered according to the assignee and the resolved incident resolution time.
`Audit Logs`
Management Logs for Cortex XDR Actions	To help you track whether a performed action has been completed successfully or not, Cortex XDR now creates the following Management Audit Log entry: Type: Action CenterSubtype: Action CompletedStatus: "Success" if action status is completed successfully, "Failed" if action completed with partial success, failed, timeout, or expired.Severity: LowDescription: Action #<action ID> <"completed successfully / completed with partial success / failed">. Action description: <performed action’s description>
New Management Audit Logs for Rules Import	For increased visibility into rule exception changes in the Management Audit Log, Cortex XDR introduces new policy audit logs for the Add, Edit, Export, Import, and Delete Subtypes. The new rule exception audit logs include the following changes: Add Previous- Added new rules exception Updated- Added new rule exception Edit Previous- Edited rules exception #X Updated- Edited rule exception ID: X Export Previous- Exported 1 rules exceptions / Exported X rules exceptions Updated- Exported 1 rule exception / Exported X rule exceptions Import Previous- Imported 1 Exceptions / Imported X Exceptions Updated- Imported 1 rule exception / Imported X rule exceptions Delete Previous- Deleted rules exception #X / Deleted X rules exceptions Updated- Deleted rule exception ID: X / Deleted X rule exceptions
New Management Audit Logs for Auto Upgrade	For increased visibility into auto upgrade exclusion and inclusion, Cortex XDR now includes the following Management Audit Log messages: Success {endpoint-id} was excluded from auto upgrade {endpoint-id} was included in auto upgrade {endpoint-id} and {x} other endpoints were included in auto upgrade {endpoint-id} and {x} other endpoints were excluded from auto upgrade Fail Could not include {endpoint-id} in auto upgrade Could not exclude {endpoint-id} from auto upgrade Could not include {endpoint-id} and {x} other endpoints in auto upgrade Could not exclude {endpoint-id} and {x} other endpoints from auto upgrade
`External Data Ingestion`
Upgrade Filebeat Version to 7.14 for XDR Collectors (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR now supports using Filebeat version 7.14 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines.
New Support for Enriching Network Logs with Windows DHCP Data Collected with XDR Collectors (`Requires a Cortex XDR Pro per TB license`)	To align the current Windows DHCP data collection offerings via Elasticsearch Filebeat, Cortex XDR now supports enriching network logs with Windows DHCP data using XDR Collectors. Previously, this enrichment was only available when configuring a Windows DHCP Collector for a cloud data collection integration. To support this change, when defining data collection in a XDR Collector profile using the Filebeat configuration file editor, it is now possible to configure whether the data collected undergoes follow-up processing in the backend within the filebeat.yml file by setting the following tagging definition. - add_tags:tags: [windows_dhcp]target: "xdr_log_type" As soon as Cortex XDR begins receiving logs through the XDR Collectors configuration, the app automatically creates a Windows DHCP XQL dataset ( microsoft_dhcp_raw ). Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search using the Windows DHCP XQL dataset.
Proofpoint Targeted Attack Protection (TAP) Log Ingestion (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR can now ingest Proofpoint Targeted Attack Protection (TAP) logs. To receive logs, configure Configurations Data Collection Collection Integrations settings for the Proofpoint Targeted Attack Protection data collector in Cortex XDR. As soon as Cortex XDR begins receiving logs, the app automatically creates a Proofpoint TAP XQL dataset ( proofpoint_tap_raw ). This enables you to search the logs using XQL Search.
New Support for Collecting All Okta Data Events (`Requires a Cortex XDR Pro per TB license`)	To help you collect all types of events from Okta, Cortex XDR has now enhanced the Okta data collector to enable collecting all events, as opposed to only being able to collect authentication data. When setting up the Okta data collector in Cortex XDR in the Configurations Data Collection Collection Integrations settings, a new field called Okta Filter is available to configure collection for events of your choosing. All events are collected by default unless you define an Okta API Filter expression for collecting the data, such as filter=eventType eq “user.session.start”.\n . For Okta information to be weaved into authentication stories, user.authentication.sso events must be collected.
Amazon S3 Enhancements to Support Additional Log Formats for Data Ingestion (`Requires a Cortex XDR Pro per TB license`)	To expand the current data ingestion capabilities for the Amazon S3 data collector, Cortex XDR now supports the following additional log formats for the Amazon S3 data collector with a Log Type set to Generic . CEF LEEF Cisco Corelight Beyondtrust Cloud ECS
Extended Support for Azure Sign-in Logs Ingestion with an Azure Event Hub Collector (`Requires a Cortex XDR Pro per TB license`)	To extend visibility to your Azure Event Hub audit logs, Cortex XDR can now ingest Azure sign-in logs when you configure an Azure Event Hub data collector to collect audit logs. This is also dependent on setting the applicable Diagnostic settings in Azure Active Directory with the selected sign-in log categories. These logs are added in Cortex XDR to the MSFT_Azure_raw dataset. In addition, Cortex XDR can normalize and enrich these authentication logs. Cortex XDR can stitch these Active Directory sign-in logs with other Cortex XDR authentication stories across all cloud providers using the same format. You can query these logs in XQL Search using the following datasets: cloud_audit_logs xdr_data —From this release, all Azure Event Hub authentication logs are now added to this dataset.
`Data Management`
Parsing Rules Supports Case Sensitivity using Configuration Stage Command (`Requires a Cortex XDR Pro per TB license`)	To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring case sensitivity in Parsing Rules using the following configuration stage command in the INGEST section. config case_sensitive = true \| false
Parsing Rules Enhancement to Support Error Reporting (`Requires a Cortex XDR Pro per TB license`)	To help you easily identify and resolve Parsing Rules errors, Cortex XDR now includes error reporting in Parsing Rules for these scenarios. Unable to compile a rule for different reasons including invalid function parameters, such as invalid regex. Unable to apply a rule to the data. Mismatch between expected data type, such as CEF, LEEF, or JSON with the actual data, such as TEXT or CSV. The following are some of the main features of the error reporting for Parsing Rules. The errors are now saved to a new dataset called parsing_rules_errors , where the dataset type is system_audit . The Parsing Rules editor now includes a separate section called Latest 20 Errors at the bottom page with the following capabilities: Lists the details of the last 20 errors from the total number of errors found. Selecting a particular error highlights the relevant lines in the User Defined or Default Rules views and displays these lines on the screen, so you can easily review the error and troubleshoot the problem. Link to Show Errors in XQL to view additional information about these errors in XQL Search from the last 24 hours. The entire list of errors in the parsing_rules_errors dataset are displayed, so you can easily troubleshoot. When you Save changes in the Parsing Rules editor, all of the errors listed are removed from the page.
`Analytics`
Improved Analytics BIOC Rules Visibility (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities of your Analytics BIOC rules, Cortex XDR now displays the following information in the Analytics BIOC Rules table: New rule status Pending Activation In addition to displaying enabled and disabled rules, you can now filter the table to view rules that are still collecting data. Activation Prerequisites field displaying a description of the prerequisites required to activate the rule. View the data and time range required by Cortex XDR to enable a rule. When a rule is in Pending Activation status , hover over the rule to track the ongoing status of how the rule is meeting the activation prerequisites. View the activation prerequisite progress; how much data within a certain period of time has already been collected.
`Endpoint Protection`
Host Firewall macOS 11 Support and Enhancements (`Cortex XDR agent 7.6 or a later release for macOS`	To streamline management of your Host Firewall rules and profiles, Cortex XDR now supports host firewall for macOS versions 11 and above and introduces the following enhancements: Host Firewall Rule Platform Visibility Cortex XDR now displays the corresponding platform associated with your Host Firewall rule. In the Host Firewall Rules Group Group Name Rules table , you can now view the new Platform field, displaying the operating systems associated with a specific rule. Improved New Policy Rule Creation Cortex XDR now enables you to create rules for Windows and macOS platforms in the same window. When selecting Protocol of type `TCP` or UDP , in addition to the Windows Settings section, the macOS Settings is enabled for your to define. macOS Host Firewall Profile When editing or creating a macOS Host Firewall Profile, Cortex XDR has updated the configuration design to align with the Windows profile window and allows you to define Report Settings, Internal and External Rule Groups and Rules. With the introduction of macOS 11, Host Firewall Rules created on macOS 10 and Cortex XDR agent 7.5 and prior are managed in the Legacy Host Firewall Rules section. When editing or creating new groups, Cortex XDR now displays the Applicable Rules Count field. The field displays the number of rules in the specific group that are associated with the platform profile. In the View Rules table, Cortex XDR now displays the Group Name and Platform fields, and only displays rules associated with the platform profile.
Cortex XDR Agent Tampering Protection for macOS (`Requires a Cortex XDR agent 7.6 or a later release for macOS`)	You can now prevent unauthorized access or tampering with the Cortex XDR agent components on macOS. With this configuration, manual upgrades and changes to any of the daemons, files, or processes will now require entering the agent uninstall password.
Permanently Delete Quarantined files (`Requires a Cortex XDR agent 7.6 or a later release for Windows`)	To help you better manage malicious files which have been quarantined and avoid any potential mistake of restoring unwanted files, you can now permanently delete quarantined files on the endpoint from the Quarantine Details page.
Agent Uninstall Password Security Enhancements (`Requires a Cortex XDR agent 7.6 or a later release for Windows`)	For an added layer of security when configuring the agent uninstall password, Cortex XDR now displays a password strength indicator to ensure that unauthorized users are not able to uninstall the Cortex XDR agent. When defining the Uninstall Password in the Global Agent Configurations page and Agent Settings Profile, the selected password must now obtain the Cortex XDR requirements enforced by password strength indicator.
Malware Exception Profile Update Capabilities (`Requires a Cortex XDR agent 7.6 or a later release for Windows`)	To expand your endpoint management capabilities during investigation, Cortex XDR now enables you to add a file path to the allow list of your endpoint Malware Security Profile directly from the right-click pivot menu of the: Alerts Table Events table of a process causality node XQL search result table
`Broker VM` `Version 14.3.3`
New Support for Deploying a Broker VM Image on Alibaba Cloud	Cortex XDR now supports setting up an image of a Broker VM on Alibaba Cloud using a QCOW2 image type.
New Support for Configuring Internal Network Subnet on the Broker VM	To avoid communication problems between the external and internal network subnet of the broker VM, it is now possible to configure the default internal network subnet to prevent any conflicts. This is now available to configure when logging in to the broker VM ( https://<broker_vm_ip_address>/. ) and configuring the broker VM settings. A new section called Internal Network has been added, where you can overwrite the default NETWORK SUBNET ( 172.17.0.1/16 ).
New Support for Collecting Logs from a Linux Based Machine in the Files and Folder Collector (`Requires a Cortex XDR Pro per TB license`)	To expand the current Files and Folders Collector applet offerings in Cortex XDR, the Files and Folders Collector applet in the broker VM now supports monitoring and collecting logs from files and folders in a network share directory from a Linux based machine, in addition to previously only supporting a Windows based machine.
New Support for Configuring a Custom Banner for SSH Sessions in the Broker VM	Cortex XDR now provides the option of customizing the login banner via the user interface, when logging into SSH sessions on the broker VM. This is available in Cortex XDR when configuring a particular broker VM in the Broker VM Configurations window, the section called SSH Access includes a new field called Welcome Message , where you can overwrite the default welcome message by adding a new one in the field. When the field is empty, the default message is used.
New Support for Gracefully Shutting Down the Broker VM via the User Interface	To enable users to gracefully shutdown the broker VM in the Cortex XDR user interface, a new right-click option under Broker Management called Shutdown VM is now available in Cortex XDR ( Settings Configurations Broker VM ).
`API`
New Update Agent Name API	To expand your API capabilities, Cortex XDR now provides an API that allows you to set an alias for an endpoint - Set an Endpoint Alias. With this API you can set or modify an alias field for endpoints.
Improved Endpoint Content Version Visibility	To help you better manage your endpoint content versions, Cortex XDR now displays in the Get Endpoint API response the following new fields: content_release_timestamp Displays the time and date of when the current content update version was deployed to the endpoint. last_content_update_time Displays the time and date when the agent last deployed a content update.
Second Timestamp Support	To expand your API investigation capabilities, when running Get Alerts API Cortex XDR now supports the creation_time field in seconds.
Expanded Get Endpoint Response	To expand the data returned when running Get Endpoint API, Cortex XDR now displays in the response the os_version field.
Expanded Get Incidents Response	To expand the data returned when running Get Incidents API, Cortex XDR now displays in the response the resolved_timestamp field. The field displays the date and time when the incident was set with a resolved status.
`Multitenants and MSSPs`
Forensics Add-On Multitenant Management Support (`Requires a Forensics add-on license and a Cortex XDR agent 7.6 or later for Windows`)	Cortex XDR now enables multitenant management of the Forensics investigative capabilities. Parent tenants can now deploy and access Forensics data of paired child tenants by defining in the Agent Settings Profile for Windows how to monitor and collect forensics data. Parent tenants with a Forensics add-on license can deploy on their child tenants a forensics scan to investigate incidents. To track if your child tenant has a Forensics add-on license, Cortex XDR now displays in the Tenant Management table a new Forensics License field. The field displays whether the add-on is a Child Owned License or Parent Owned License .

Features Releasing in August

New features in the Cortex® XDR™ 3.0 release.

The following table describes new features in the Cortex XDR 3.0 release.

Feature	Description
`General`
India Region Support	You can now deploy Cortex XDR in the India region. When you choose the IN region during activation and setup of Cortex Data Lake, you keep all Cortex XDR logs and data within the India boundary. If you use Cortex XDR Prevent or Cortex XDR Pro per Endpoint, when the Cortex XDR agent identifies unknown files, Cortex XDR sends them to the WildFire Singapore Cloud for analysis. Starting October 2021 Cortex XDR will integrate with WildFire located in India to allow you to keep all Cortex XDR Agent WildFire traffic within the Indian boundary. WildFire India portal will not display information for past events that occurred prior to the transition to the new India cloud location, however, you will still have access to the WildFire Singapore portal to view the history. In addition, all information regarding the calculated verdicts, such as the WildFire verdict and WildFire report, will be available in the Cortex XDR portal.
Cortex XDR Enhanced License Details	For increased visibility into your Cortex XDR license details, Cortex XDR now displays in the Cortex XDR License window a list of all the license and add-on types allocated to your account. To help you easily track your licenses, the list includes the start and end dates of your current and future licenses.
Host Insights Evaluation Period Extension (`Requires a Host Insights add-on license`)	The free evaluation period of the Host Insights add-on in Cortex XDR is now extended from 30 days to 60 days. You can use this extended 60-day period for better evaluation of the Host Insights add-on functionality.
New Compute Units Add-On (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities, Cortex XDR now enables you to purchase compute units to carry out additional investigation actions. As of Cortex XDR version 3.0, the compute units can be used to run additional XQL Query APIs in addition to the free quota provided by Cortex XDR. The Compute Units add-on provides you with an additional 1 compute unit (formally query units) per day, in addition to your free daily quota to run XQL Query APIs. Each XQL query consumes compute units based on the timeframe, complexity, and the number of API response results. Compute units are first deducted from your free daily quota followed by the Compute Units add-on. To help you track your compute units, in the Cortex XDR app, you can view the following information: Enable Cortex XDR to send a notification when the Compute Units pool reached a defined threshold. Track your compute usage and remaining available quota in the XQL API Usage page.
Allowed Domains for Distribution List	For an added layer of security when sending reports using email, Cortex XDR now allows you to specify one or more domain names that can be used in your distribution lists. By defining a domain, you can for example ensure information is not sent outside your organization.
Independent Configuration of Access Permissions for Settings	To provide more granular control of permissions for your administrators, Cortex XDR now enables you to configure read-only and read-write permissions independently for all Settings. To provide continuity for existing admin roles and privileges, Cortex XDR assigns both by default but you now have the option to configure the view and action settings independently for both your new and your preexisting admin roles. You can now define granular role-based access control for the following pages in the Cortex XDR management console: Dashboard Report Query
Directory Sync Services Renaming	To align with the new naming in the hub, Directory Sync Services has been renamed to Cloud Identity Engine.
`XDR for Cloud`
Cortex XDR Agent for Kubernetes Hosts (`Requires a Cortex XDR agent 7.5 or a later release for Linux and Cortex XDR Cloud per Host license`)	Starting with this release, you can deploy the Cortex XDR agent on Kubernetes Clusters as a daemonSet on any Kubernetes cluster. Being natively integrated in Kubernetes using the deamonSet, the agent provides visibility into containers and ensures full coverage of your critical production workloads. To deploy the agent, you must have the new license type Cloud per Host and then create a Cortex XDR agent YAML installation package in Cortex XDR which allows you to configure attributes such as namespace default value and nodeselector. Once the Kubernetes agent is running on the endpoint, Cortex XDR displays the Kubernetes Cluster and includes in the causality card a visual indication on processes that are running within containers, including information about the container itself such as its name, ID, image, etc. For more information, refer to Cortex XDR agent administrator guide.
Extended Visibility to Your Cloud Network Flow Logs (`Requires a Cortex XDR Pro per TB license`)	To extend visibility into your cloud network traffic and to further enrich incident data, Cortex XDR can now ingest cloud network traffic logs from: Google Cloud Platform using the Google Cloud Platform data collector. Amazon Web Services using the new Amazon S3 data collector. Microsoft Azure platforms using the new Azure Network Watcher data collector. For more information on these collectors, see External Data Ingestion Vendor Support. Cortex XDR normalizes the logs from the different platforms into a single XDR schema and creates searchable datasets. Additionally, Cortex XDR optimizes and reconstructs the flow logs into single session communications which are later stitched into network stories and alerts. To begin receiving logs you must first set up the relevant Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
Extended Visibility to Your Cloud Platform (`Requires a Cortex XDR Pro per TB license`)	To extend visibility into your cloud platform, Cortex XDR can now ingest cloud audit logs from Google Cloud Platform using the Google Cloud Platform data collector. Amazon Web Services using the new Amazon S3 data collector. Microsoft Azure platforms using the new Azure Event Hub data collector. For more information on these collectors, see External Data Ingestion Vendor Support. Cortex XDR normalizes the audit logs from the different cloud platforms into a single XDR schema to create raw datasets, for each platform individually as well as into a single collective searchable dataset. To begin receiving logs you must first set up the relevant Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
New Cloud Investigation Capabilities (`Requires a Cortex XDR Pro per TB license`)	To streamline investigation of cloud-related alerts, Cortex XDR developed a proprietary algorithm that highlights the most relevant events and alerts associated with a cloud-related alert. To help you identify and investigate cloud- specific data associated with cloud-related alerts, Cortex XDR displays a new Cloud Causality View and includes the following table fields: Cloud Causality View Enables you to swiftly investigate a cloud-alert by displaying the series of events and artifacts that are shared with the alert. Alerts Table Cloud Referenced Resource Cloud Operation Type Cloud Operation Sub-Type Cloud Identity Type Cloud Project Cloud Provider Cloud Resource Type Cloud Resource Sub-Type Endpoint Administration Table Last Origin IP
Prisma Cloud Alert Ingestion `Requires a Cortex XDR Pro per TB license`	To provide additional alert visibility and improved analytics, Cortex XDR can now ingest Prisma Cloud alerts. To receive alerts, configure Configurations Data Collection Collection Integrations settings for the product in Cortex XDR. Cortex XDR adds Prisma Cloud alerts to the Cortex XDR Alerts table and groups them into Incidents. Additionally, when Cortex XDR begins collecting data, the app creates a new dataset ( prisma_cloud_raw ) that you can use to initiate XQL Search queries and to create Correlation Rules.
Prisma Cloud Compute Alert Ingestion `Requires a Cortex XDR Pro per TB license`	To provide additional alert visibility and improved analytics, Cortex XDR can now ingest Prisma Cloud Compute alerts. To receive alerts, configure Configurations Data Collection Collection Integrations settings for the product in Cortex XDR. Cortex XDR adds Prisma Cloud Compute alerts to the Cortex XDR Alerts table and groups them into Incidents. Additionally, when Cortex XDR begins collecting data, the app creates a new dataset ( prisma_cloud_compute_raw ) that you can use to initiate XQL Search queries and to create Correlation Rules.
`Forensics`
New Comprehensive Forensics Add-On (`Requires a Forensics add-on license and a Cortex XDR agent 7.4 or later for Windows`)	Cortex XDR now offers a new add-on that enables you to perform comprehensive forensic investigations on your Windows endpoints. With its deep data collection, the Forensics add-on enables you to find the source and scope of an attack, and determine what, if any, data was accessed. As an end-to-end solution, Cortex XDR Forensics helps you with every step of an incident response, from data collection, analysis, threat hunting, and remediation. Using a host timeline, you can view user activity across multiple forensic artifacts in a single table. For a more detailed view, right-click on any row in the timeline for a complete listing of all fields for that item. The historical artifacts collected by the Forensics add-on can provide investigators with insight into Windows file access and process execution, even for files and executables that have been deleted from the host. The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, so you can get a complete holistic picture of an endpoint. You can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud and identity data. You can access the Forensics add-on from the Add-Ons tab, under which the Host Insights add-on is also available (if licensed). Also, the configuration options that were previously labeled as Forensics are now labeled as Alerts Data.
`Identity Analytics`
Identity Analytics Module Activation Modification (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities, as of Cortex XDR 3.0 the Identity Analytics module will be included with any Cortex XDR Pro licenses with no additional charge. Enablement of Identity Analyticshas been removed from the Cortex XDR License dialog and relocated to Settings Configurations Cortex XDR Analytics .
User Score Management (`Requires a Cortex XDR Pro license`)	To help you detect suspicious user activity and compromised accounts within your network, Cortex XDR, calculates a User Score based on Incident Scoring Rules and Cortex XDR System Rules that allows you to easily identify the most high-risk users in your organization. The User Scores are displayed under Asset Management User Scores , providing you with a central location from which you can view and investigate information relating to the user scores. In addition, Cortex XDR displays the top 5 users with the highest User Scores in a new dashboard widget.
User View (`Requires a Cortex XDR Pro license`)	To streamline your incident investigation process, using Identity Analytics capabilities, Cortex XDR now provides a dedicated User View providing easy access when investigating a user in your organization. The User View automatically aggregates and displays the user details, user score trends, aggregated host logins, and associated incidents and insights. You can access the User View from right-click pivot menu of the: Users section of the Incident View Key Assets & Artifacts tab User Scores Table Analytics Alert View User Node Top 5 Notable Users Widget
`Investigation and Response`
New XQL Correlation Rules (`Requires a Cortex XDR Pro license`)	To help you analyze correlations of multi-events from multiple sources, Cortex XDR now contains a new XQL-based engine for creating scheduled rules called Correlation Rules. Correlation Rules are accessible in Cortex XDR from the new Rules Correlations menu, which reveals the Correlation Rules page. The following are some of the main features of Correlation Rules. Ability to add new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search. When right-clicking any Correlation Rule in the Correlation Rules page, these options are available. Open in XQL —Opens the rule in XQL Search either in a new tab or in the same tab. View related alerts —Displays the related alerts in the Alerts page in a new tab or the same tab. Execute Correlation Rule —Runs the rule. Disables —Disables the rule. Edit rule —Opens the Edit Correlation Rule editor so you can update the rule settings. Save as new —Enables you to create a new Correlation Rule based on the settings of the existing rule. Delete —Deletes the rule. Show rows with ‘[rule Description]’ —Filters the Correlation Rules list to only display rules that match the Description of the rule. Hide rows with ‘[rule Description]’ —Filters the Correlation Rules list to remove any rule that matches the Description of the rule. Copy entire row —Copies the contents of the entire Correlation Rule in the row of the table. When setting up Correlation Rules, you have additional capabilities. Define the timing for when the Correlation Rule should run. Define whether alerts generated by the Correlation Rule are suppressed by a duration time, field, or both. Set the resulting action for the Correlation Rule as either to generate an alert or save the data to a dataset. -When generating an alert, you can also define the alert settings, which includes the Alerts Field Mapping for incident enrichment, Alert Severity, MITRE Attack Tactics and Techniques, and other alert settings. -When saving the data to a dataset, you can test and fine-tune new rules before initiating alerts and applying correlation of correlation use-cases. There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
New XQL Personal Query Library (`Requires a Cortex XDR Pro license`)	Cortex XDR now provides as part of the XQL Query Library a new personal query library for saving and managing your own queries. When creating a query in XQL Search or managing your queries from the Query Center, you can now save this query to your personal library using the Save As Query to Library option. You can also decide whether the query is shared with others (on the same tenant) in their Query Library or make it unshared and only visible by you. The XQL Query Library contains a powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and labels. In addition, adding a label to your query enables you to search for these queries using these labels in the XQL Query Library.
Dataset Management Enhancements (`Requires a Cortex XDR Pro license`)	To help you better manage your datasets and understand your data storage availability, Cortex XDR has now implemented the following enhancements in the Dataset Management page. License details for the Cortex XDR Pro licenses and Cortex XDR Pro per RTN retention licenses. A storage bar with all the datasets usage information. For each dataset listed in the table, the following information is available: Total Days Stored, Total Size Stored, Average Daily Size, Total Events, Average Event Size, First Stored Date (hidden by default), Last Stored Date, and Default Query Target (hidden by default). -The ingestion details are now listed in the Data Ingestion Dashboard . In an upcoming release, the ingestion details will be integrated to the Dataset Management page. -Before the Cortex XDR ingestion and storage enforcements are applied based on your licensing agreements, you will be notified ahead of time explaining these changes and the implementation timeline.
New XQL Dataset for Cloud Identity Engine (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now includes a dedicated dataset called pan_dss_raw for you to query data related to the Cloud Identity Engine (previously called Directory Sync Service (DSS)), which enables you to leverage Active Directory user, group, and computer information in Cortex XDR. To set up this Cloud Identity Engine dataset you need to Set Up Cloud Identity Engine. Otherwise, you will not have a pan_dss_raw dataset.
New USB Device Visibility in XQL (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now supports the ingestion of connect and disconnect events of USB devices that are reported by the agent. You can use XQL Search to query for this data and build widgets based on the xdr_data dataset, where the following use cases are supported: Displaying devices by Vendor ID, Vendor Name, Product ID, and Product Name. Displaying hosts that a specific device, based on serial number, is connected. Query for USB devices that are connected to specific hosts or groups of hosts. Examples of XQL queries that query the USB device data. This query returns the action_device_usb_product_namefield from all xdr_data records, where the event_type is DEVICE . dataset = xdr_data \| filter event_type= DEVICE \| fields action_device_usb_product_name This query returns the action_device_usb_vendor_name field from all device_control records (preset of the xdr_data dataset) where the event_type is DEVICE . preset = device_control\| filter event_type = DEVICE\| fields action_device_usb_vendor_name For more information, see Ingest Connect and Disconnect Events of USB Devices in Device Control.
XQL ASN Data Support (`Requires a Cortex XDR Pro per TB license`)	The Cortex XDR Query Language (XQL) now supports querying for Autonomous System Number (ASN) data in XQL Search. As part of the xdr_data dataset, these new fields are available: action_as_data and dst_action_as_data , which includes this data: as_number —The Autonomous System Number (ASN), which uniquely identifies each network on the Internet. organization —Defines the organization for the ASN. isp —The Internet service provider associated with the ASN. domain —Domain name. is_proxy —Boolean value indicating whether the ASN is coming from a proxy server.
New GlobalProtect Access Authentication Log Visibility in XQL (`Requires a Cortex XDR Pro per TB license`)	To increase your network visibility, the Palo Alto Network (PANW) firewall can now send GlobalProtect access authentication logs to Cortex XDR. As a result, the Cortex XDR Query Language (XQL) can now support querying for this data using the xdr_data dataset in XQL Search. To ensure GlobalProtect access authentication logs are sent to Cortex XDR, verify that your PANW firewall’s Log Settings for GlobalProtect have the Cortex Data Lake checkbox selected.
Custom XQL Widget Report Attachments	You can now attach the XQL queries you saved as custom widgets to your report templates. When editing or creating a report template, you can now attach one or more of your XQL query custom widgets to your report. The XQL query widget is added to the report as a CSV file along with the customized PDF. Each XQL query widget creates a separate CSV file that you can: Send by email as separate attachments for each widget. The total size of an attachment in the email cannot exceed 20MB. Send by slack as part of a ZIP file that includes the PDF. Download from the Reports page.
Redesigned Incident View and Investigation Capabilities	To streamline your incident investigation process and reduce the number of steps it takes to analyze an incident, Cortex XDR has redesigned the Incident View to showcase and navigate across all incident data in one dedicated page. The enhanced Incidents page capabilities now allow you to investigate and manage incidents without the need to pivot to other pages. The Incident page is now divided into two main sections, Left Pane Incident List and Details Pane. Left-pane Incident List Scroll through each incident row to view the incident name, description, ID, score, and the number of related assets and artifacts. From each row, you can edit the incident assignee, status, name, and description. Details Pane Displays the incident details of the incident selected in the left-pane list. Navigate across the following tabs to investigate the incident details: Overview Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, and widgets to visualize the number of alerts, type of sources, hosts, and users associated with the incident. Timeline A chronological representation of alerts and actions relating to the incident. Select an alert or action to display an additional pane of information related to the entity, and add an optional comment. Alerts & Insights Displays a table of the alerts and insights associated with the incident. The tables include the sorting and response actions available in Cortex XDR. Key Assets & Artifacts Displays information and allows to perform response actions for hosts, users, and key artifacts associated with the incident. Executions (Requires a Cortex XDR Pro License) Present the causality chains associated with the incident. The new incident view is supported for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0, are displayed in the legacy view. To enable flexibility, you can select to display incidents created after Cortex XDR 3.0 Cortex using either the Legacy or Advanced view.
New Incident Resolved Statuses	The incident Resolved statuses have been updated to allow for greater flexibility. As of Cortex XDR 3.0, the Resolved status resolution reason Resolved - Threat Handled has been deprecated and replaced with Resolved - True Positive . Incidents with Resolved - Threat Handled status will not be changed and are still available to search, but will no longer be available as a status resolution reason. In addition, Cortex XDR created a new resolution reason Resolved - Security Testing .
New Cortex XDR Dashboard for Security Operations Center Manager	Cortex XDR introduces a new predefined dashboard for Security Operations Center (SOC) Manager to help you better visualize and manage the Cortex XDR incident findings. The Security Admin Dashboard displays the following new widgets: Incident Status Board Display the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time: Total number of open incidents, how many are unassigned, and how many are overdue according to the incident severity. Breakdown of open incidents according to the status New and Under Investigation. Breakdown of resolved incidents according to resolved reason. Resolved Incident MTTR Display either the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses: Total Mean Time to Resolve (MTTR) of all incidents, according to severity, created during the selected timeframe and the average time it took to resolve the incidents compared to the defined Target MTTR. Overdue Incidents of Top 5 Assignees Display the last 30 days, 7 days, or 24 hours of the following information according to the incidents creation time: Top 5 assignees, by assignee name, with the highest number of overdue incidents. Incidents Over Time Display the following information over 14 days: Number of new incidents created per day. Number of resolved incidents per day. Newest Incidents Display the following details for the 5 most recent incidents: Starred Severity ID Score Description Creation time
Centric View of Alert Information	When viewing listed alerts as you investigate incidents, Cortex XDR now provides a centric view for a single alert, each accessible from a dedicated panel that opens when you click on the specific row of an alert. These dedicated panel views provide you with various details about the alert, such as timestamp, name, description, detected action, MITRE information, host information, and rule information.
Quick Actions in Tables Enhancements	To enhance the quick actions available in Cortex XDR, Cortex XDR has now added the quick actionscapability to the following tables: Incidents: Star / Unstar Alerts: Exclude / Undo Exclusion Endpoints: Isolate / Cancel endpoint isolation The new icons are available in table rows upon a left-click of the row and provide an alternative to the right-click pivot menus.
Granular Exceptions for BTP Alerts	You now have the option to create more granular Behavioral Threat Protection (BTP) exceptions for BTP alerts. These new additional BTP exceptions include the following Causality Group Owner (CGO) attributes: CGO hash value CGO signer entity (for Windows and Mac only) CGO process path—directory path of the CGO process. CGO command arguments—if a CGO process path is selected. All previous BTP exception options are still available as usual.
Enhanced Child Process Node Investigation	To help you investigate the children of a process node in a Causality View, when right-clicking the Process node to view the Children table, Cortex XDR now displays the Process Start Time field indicating when each child process started.
Asset Management Enhancement (`Requires a Cortex XDR Pro license`)	To help you identify and retrieve information of unmanaged assets in your network, you can now configure in your Windows Agent Profile a Cortex XDR agent scan of your endpoints using Ping that provides updated identifiers of your network assets, such as IP addresses and OS platforms. The scan is automatically distributed by Cortex XDR to all the agents configured in the profile and cannot be initiated by request. The scan results can be viewed in the Asset Management table.
Enhanced Endpoint Administration Table Filter Options	You can now filter the following Endpoint Administration fields: Group Names - Use != to identify endpoints that are not part of a given group. IP Address - Use Not in rage to identify endpoints not part of a defined IP address rage.
IP View IP Address Visibility	When investigating an IP address, in the IP view, the default aggregation has been adjusted to display information on whether the IP address is an internal or external IP address. For external IP addresses, the default Connection Type displayed is incoming, while for the internal IP addresses, the default Connection Type is Outgoing.
`Audit Logs`
Management Logs for Cortex XDR Gateway	To help you track Permission Management changes in the Cortex XDR Gateway, users with Account Admin role permissions can now access the Cortex XDR Gateway Management Audit Logs page. In the Cortex XDR Gateway Management Audit Log page, you can now track the permission auditing actions performed on your CSP accounts. The Management Audit Log table lists the following fields of log information: Timestamp (Displayed in UTC) Email User Name Type Subtype Result Severity Description
`External Data Ingestion`
New 3rd Party Parsing Rules (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR now includes a new editor for creating 3rd party Parsing Rules, which enables you to: Remove unused data that is not required for analytics, hunting, or regulation. Reduce your data storage costs. Pre-process all incoming data for complex rule performance. Add tag/tags to the ingested data as part of the ingestion flow. Cortex XDR provides a number of default Parsing Rules that you can easily modify as required. You can access these Parsing Rules by selecting Configurations Data Management Parsing Rules .
New XDR Collectors Configuration for On-premises Data Collection (`Requires a Cortex XDR Pro per TB license`)	To extend the current data collection offerings, Cortex XDR now provides a new XDR Collectors configuration that is dedicated for on-premises data collection on Windows and Linux machines. The collector includes a dedicated installer, content updates, and policy management via the XDR console in Configurations XDR Collectors .
Amazon S3 Log Ingestion (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR can now ingest Amazon S3 logs. To receive logs, configure Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL dataset ( aws_s3_raw ). This enables you to search the logs using XQL Search.
Workday Reports Data Ingestion (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR can now ingest Workday reports data. To receive reports data, configure Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving data, the app automatically creates a Workday XQL dataset ( workday_workday_raw ) and enables you to search the data using XQL Search. In addition, Cortex XDR will add the workday fields next to each user in the Key Assets list in the Incident View , and in the User node in the Causality View of Identity Analytics alerts.
ServiceNow CMDB Data Ingestion (`Requires a Cortex XDR Pro per TB license`)	Cortex XDR can now ingest ServiceNow CMDB data. To receive data from the ServiceNow CMDB database, configure Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving data, the app automatically creates the following ServiceNow CMDB XQL datasets based on the selected table(s) using the format: servicenow_cmdb_<table name>_raw . This enables you to search the data using XQL Search.
Windows DHCP Example File Available in the User Interface (`Requires a Cortex XDR Pro per TB license`)	To help you configure Windows DHCP log ingestion using Elasticsearch Filebeat, Cortex XDR now provides in the Windows DHCP user interface a downloadable filebeat.yml file. This Elasticsearch Filebeat default configuration file must be populated with values provided when you configure the Collection Integrations settings in Cortex XDR for the Windows DHCP Collector.
`Analytics`
Analytics Alert Causality View Enhancement (`Requires a Cortex XDR Pro license`)	To streamline your investigation of multi-event analytics alerts, Cortex XDR now displays a new Analytics Node identifying alerts that include more than one event type. In the Events Table, Cortex XDR lists all the events associated with the alert according to the event type.
Multi-Severity for Analytics BIOC Rules (`Requires a Cortex XDR Pro license`)	To expand your investigation and analytics capabilities, Cortex XDR now provides predefined Analytics BIOC Rules that raise alerts with different severity levels. In the Analytics BIOC Rules table, the Severity field now also displays a Multi-Severity flag. Hover over the flag to see the severities defined for the rule.
`Endpoint Protection`
Enhancements to the Cortex XDR Host Firewall (`Requires a Cortex XDR agent 7.5 or a later release for Windows`)	Now the Cortex XDR host firewall offers improved enforcement capabilities, better policy management, and greater visibility and troubleshooting capabilities into your network: Rules enforcement —The Cortex XDR host firewall rules are integrated with the Windows Security Center, and you can configure rules for all IP protocols, using multiple IP address notations, and more parameters. Policy management —Now the policy consists of rule groups that are reusable across all profiles, and there are default inbound and outbound rule groups provided by Palo Alto Networks. Additionally, you can import your rules directly into Cortex XDR. Visibility and troubleshooting —The Cortex XDR agent now reports aggregated host firewall enforcement events, and you can also view all single activities the agent performed in your network by retrieving a detailed log file. For Cortex XDR Pro customers, the host firewall events are now also queryable via XQL to enable data and network analysis. For more details, refer to the Cortex XDR administrator guide. Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
Network Packet Inspection Engine (`Requires a Cortex XDR agent 7.5 or a later release for Windows`)	To address the threats surfacing with the growing remote workforce in your organization and the growing corporate network boundaries, the new Network Packet Inspection Engine provides coverage already at the network level. By analyzing the network packet data, the Cortex XDR agent can detect malicious behavior, and block or report it back to Cortex XDR. The new engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team. To enable this capability, edit your Malware Security Profile settings.
Improved Security Content `*Starting with PTU 200 and later`	To ensure your network is constantly protected against the latest and newest threats in the wild, the Cortex XDR research team will now start releasing more frequent content updates in-between major content versions. When you enable minor content updates, the Cortex XDR agent receives minor content updates, starting with the next content releases. Otherwise, if you do not wish to deploy minor content updates, your Cortex XDR agents will keep receiving content updates for major releases which usually occur on a weekly basis. The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release, and incremented by one for a minor release. For example, 180-<build_num> and 190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases. To enable this capability, you need to update the Global Agent Settings for your tenant.
Separate Actions for Files Unknown to WildFire and Files with Benign LC Score (`Requires a Cortex XDR agent 7.5 or a later release for Windows`)	To better manage your anti-malware flow, you can now configure separate actions for files that are unknown to WildFire and files with Benign Low Confidence score. To adjust your settings, refer to the Malware Security Profile settings.
Quarantine Malicious ELF Files (`Requires a Cortex XDR agent 7.5 or a later release for Linux`)	You can now configure your anti-malware flow to automatically quarantine malicious ELF files. To enable this capability, adjust your Malware Security Profile settings.
Configurable Device Control Enforcement Pop-Up Message (`Requires a Cortex XDR agent 7.5 or a later release for Windows`)	You can now personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode. To enable this, refer to your Agent Settings Profile.
Improved Logs Protection (`Requires a Cortex XDR agent 7.5 or a later release for Linux`)	The Cortex XDR agent logs directory is now accessible to privileged users only.
Support for Azure-based Virtual Environments (`Requires a Cortex XDR agent 7.5 or a later release for Windows`)	Support is now available for Cortex XDR agents running on Microsoft Azure-based VMs and virtual desktops (WVD or AVD).
Extending Gatekeeper Protection to Bundles (`Requires a Cortex XDR agent 7.5 or a later release for Mac`)	The Cortex XDR Gatekeeper Enhancement protection module now provides coverage also for suspicious bundle executions.
Audit Log for Unauthorized Agent Shutdown (`Requires a Cortex XDR agent 7.5 or a later release for Mac`)	Now when a deliberate termination of the agent is detected on the endpoint, an audit log is reported to Cortex XDR.
Simplified Network Bandwidth Allocation for Security Content Updates	For optimized performance and reduced bandwidth consumption, ensure you install new agents with the distribution package available for Windows Cortex XDR agents 7.3 and later. Otherwise, if you deploy the agent installer via SCCM, it is recommended to configure the bandwidth you allocate in your organization for the Palo Alto Networks content security updates. Cortex XDR now provides two recommendations, based on the number of agents you want to update (active or future gents), and according to the time frame during which you want the update to complete (within a day or a week). You can choose one of the recommended values or enter one of your own, between 20 - 10000 Mbps. To adjust your settings, update the Global Agent Settings for your tenant.
Gradual Rollout for Automatic Agent Upgrades	To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
`Broker VM` `Version 13.0.42`
New Support for Deploying a Broker VM Image on a Nutanix Hypervisor	Cortex XDR now supports setting up an image of a Broker VM on a Nutanix hypervisor (Nutanix AHV 2021) using a QCOW2 image type.
New FTP Collector in the Broker VM (`Requires a Cortex XDR Pro per TB license`)	The broker VM now provides a new FTP Collector applet that enables you to monitor and collect logs from files and folders via FTP, FTPS, and SFTP directly to your log repository for query and visualization purposes. After you activate the FTP Collector applet, you can collect files as datasets ( <Vendor>_<Product>_raw ) by defining the following: FTP, FTPS, or SFTP (default) connection details with the path to the folder containing the files that you want to monitor and upload to Cortex XDR. Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either JSON, CSV, or Raw. Once the files are uploaded to Cortex XDR, you can define whether in the source directory the files are renamed or deleted.
New Files and Folder Collector in the Broker VM (`Requires a Cortex XDR Pro per TB license`)	The broker VM now provides a new Files and Folders Collector applet that enables you to monitor and collect logs from files and folders in a network share for a Windows directory, directly to your log repository for query and visualization purposes. After you activate the Files and Folders Collector applet, you can collect files as datasets ( <Vendor>_<Product>_raw ) by defining the following: Details of the Folder Path on the network share containing the files that you want to monitor and upload to Cortex XDR. Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either JSON, CSV, or Raw.
New Database Collector in the Broker VM (`Requires a Cortex XDR Pro per TB license`)	The broker VM now provides a new Database Collector applet that enables you to collect data from a client relational database directly to your log repository for query and visualization purposes. After you activate the Database Collector applet, you can collect data as datasets ( <Vendor>_<Product>_raw ) by defining the following: Database connection details, where the Connection Type can be MySQL , PostgreSQL , and MSSQL. Settings related to the query details for collecting the data from the database to monitor and upload to Cortex XDR.
New NetFlow Collector in the Broker VM (`Requires a Cortex XDR Pro per TB license`)	The broker VM now provides a new NetFlow Collector applet that enables you to collect logs with flow records from Netflow (Versions 5 and 9) and from IPFIX directly to your log repository for query and visualization purposes. After you activate the NetFlow Collector applet, you can collect data as XQL datasets ( <Vendor>_<Product>_raw ) by defining the following: The number of the UDP Port on which the flow records are received (default 2055 The IP address or CIDR of the Source Network device that sends the flow records to Cortex XDR (default Any ). The Vendor and Product name used to identify the XQL dataset as ( <Vendor>_<Product>_raw ), where the flow records are stored in Cortex XDR (default IP Flow ).
Enhanced WEC Certificates Renewal Mechanism (`Requires a Cortex XDR Pro per TB license`)	The renewal process for the Windows Event Collector (WEC) certificates are now streamlined to keep you informed of your WEC certificate status and help you avoid any disruption to your WEC data collection. The following improvements are now implemented: For any tenant with an active WEC applet containing a Certificate Authority (CA) certificate that expires in less than 90 days, a notification appears in the Broker VMs page, Windows Event Forwarder Configurations window, and a new notification is displayed in the notification area until the WEC certificate is replaced. The WEC CA certificate is now increased for an extended period of time. The broker VM applet now includes an automatic renewal mechanism for a WEC server certificate, which has a lifespan of 12 months. The WEC client certificate after the renewal is issued with a lifespan of 5 years. On the Broker VMs page, you can now renew your WEC server certificates by right-clicking the applet and selecting Windows Event Collector Renew WEC Server Certificate . After you receive a notification for renewing your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certification renewal process is complete. Events from these WEF clients that are added afterwards will not be collected by the server until the WEC certificates are renewed.
`API`
Get Violations API Enhancements	To expand Get Violations API, when running device_control/get_violations/ : If a custom device has been deleted, the response value has been updated from user-defined to user-defined (Deleted) . You can now filter by type=”user-defined” and user-defined-deleted .
Get Incident API Enhancement	To expand the Get Incidents API, Cortex XDR now supports in operator for the status field.
New Incident Resolved Statuses	The Resolved status resolution reason Resolved - Threat Handled will be deprecated in Cortex XDR version 3.1 and replaced with Resolved - True Positive . Until Cortex XDR 3.1, when running the Update an Incident API, if you enter Resolved - Threat Handled in the status field, Cortex XDR will return a message notifying of this change. In addition, you can now enter a new status: Resolved - Security Testing .
Incident ID Enhancement for Action APIs	To expand your investigation and action capabilities, Cortex XDR now allows you to add an optional incident ID field to the following APIs so you can track these actions in the Incident View Timeline: Restore File Retrieve File Quarantine Files Allow List Files Block List Files Isolate Endpoints Unisolate Endpoints Scan Endpoints Cancel Scan Endpoints Run Script Run Snippet Code Script
`Managed Threat Hunting`
Managed Threat Hunting Communication and Tracking Enhancements	To streamline communication with the Managed Threat Hunting team, Cortex XDR now allows you to track and investigate the Managed Threat Hunting findings and communicate with the Managed Threat Hunting team directly from the Cortex XDR app using a new commenting tool. In the Managed Threat Huntingpage, you can add, edit, and track comments made by the Managed Threat Hunting team and users who have Investigation Admin role permissions.

Features Releasing in May

New features in the Cortex® XDR™ 2.9 release.

The following table describes new features in the Cortex XDR 2.9 release.

Feature	Description
`General`
Cortex XDR Gateway for Onboarding and Granular RBAC	To streamline activation and management of your Cortex XDR tenants, Cortex XDR now operates as a standalone application known as the Cortex XDR Gateway. The Cortex XDR Gateway is where you view and manage existing tenants and tenants available for activation that are allocated to your CSP account. The split from the hub enables you to easily: Activate new tenants. View and access existing tenants. View and manage granular role-based access (RBAC) settings. To activate and manage permissions, Cortex XDR assigns the Account Admin role to existing CSP Super User accounts. This role cannot be removed or changed through the Cortex XDR Gateway. The Cortex Data Lake quota management and the sizing calculator are still on the hub.
In-App Granular Role-Based Access Control	To streamline management of your Cortex XDR user and role-based access control (RBAC) permissions, Cortex XDR now allows you to track user permissions, manage existing roles, and create new roles in the Cortex XDR app without the need to log in to the hub. Cortex XDR now displays the following information in Configurations Access Management : Users —Displays the User Name , XDR Role , Last Login Time , and Status of users in your organization. You can import new users using a CSV file, search for a specific user, and edit a user’s role permissions. Roles —Displays the Palo Alto Networks predefined roles and any additional roles that you and your organization create. You can search these available roles and create new roles that you can then assign to users enabling user access permissions.
Fine-Grained Role-Based Access Control Enhancements	To help you better manage your user access permissions, the following changes have been made to the Cortex XDR Granular Role-Based Access Control (RBAC) configurations in the Cortex XDR Gateway and Cortex XDR management console. RBAC role Administrator has been renamed Instance Administrator . Vulnerability Assessment —Existing vulnerability assessment permissions will be removed and included within the Host Insights role permissions. A user granted view and action Host Insights permissions will be automatically granted permissions to the vulnerability assessment capabilities. Device Control —Existing device control action permission allowing you to create rules, profiles, and exceptions has been split into two permission types: Device Control Rules —Enables you to create and modify profiles and rules. Device Control Exceptions —Enables you to create and modify device control exceptions. Endpoint Profiles —Existing Profiles action permission for has been split into two permissions: Endpoint Profiles —Enables you to create and modify endpoint profiles. Prevention Rules —Enables you to add rules into a restriction profile. Endpoint Groups —Existing Endpoint Administration permissions has been split into two new sets view and action permissions to manage your endpoints: Endpoint Management —Enables read-only access (View). Endpoint Management —Enables read-write access (Action). Endpoint Group —Enables read-only access (View). Endpoint Group —Enables read-write access (Action). Cortex XDR App Pages View and Action permissions have been added for Cortex XDR app pages: Dashboard Reports Query Builder Query Center To provide continuity for existing roles and privileges, Cortex XDR assigns the updated permissions by default but you now have the option to configure the view and action access independently for both your new and your preexisting roles.
Streamlined Configurations Menu	To provide a more intuitive navigation, the Configurations menu in Cortex XDR is now organized by the feature areas: General —Additional settings to personalize your Cortex XDR dashboard and experience. For endpoint licenses, you can also configure global agent settings. Cortex XDR-Analytics —(`Cortex XDR Pro`) Activate the Cortex XDR analytics engine to analyze logs and events and raise Analytics alerts. Broker VM —Configure and view the Broker VMs on which you deploy applets that facilitate log collection from external vendors and communication with agents outside your network. XDR Collectors —(`Cortex XDR Pro per TB`) Manage your Cortex XDR Collectors for on-premises data collection on Windows and Linux machines. The collector includes a dedicated installer, content updates, and policy management. Data Collection —(`Cortex XDR Pro per TB`) Configure settings for data collection from internal sources, such as Pathfinder and external log, and alert sources, such as SaaS providers. Data Management —(`Cortex XDR Pro`) Manage datasets for XQL Search, configure ingestion rules, and manage storage for external logs. Integrations —Manage integrations with Palo Alto Networks products such as WildFire and AutoFocus and other third-party integrations, such as Slack and VirusTotal. Access Management —Manage your Cortex XDR user and role-based access control (RBAC) permissions.
Cortex XDR Tenant Switcher	When using multitenancy within the scope of a Cortex XDR tenant, you can now use the Tenant Navigator, which enables you to switch directly to another owned tenant. The tenant navigator includes the following selections: Cortex XDR tenant gateway link List of Cortex XDR tenants to which you have access grouped by CSP account. For accounts with more than five tenants, a search option is available to help you quickly find a specific tenant. If there are more than 5 tenants within a specific account, a list of tenants is available for that CSP account. When you choose a tenant, Cortex XDR pivots your display directly to the main page of the gateway or the main page of the tenant.
Improved Quick Launcher Access	To enable easier access to the Quick Launcher, you can now access it from the Cortex XDR top navigation bar as well as from all other navigation menus in the app.
Settings Navigation Change	To align the page title with navigation paths in Cortex XDR, the Settings menu (accessible from the gear icon ) is now named Configurations . The Quick Launcher also reflects the name change.
Enhanced Session Security Settings	The Cortex XDR management console now provides enhanced security settings for user sessions. These security settings include the following categories: Session Expiration —Enables you to define the number of hours after which the user login session will expire. You can also define a one-week expiration for the Cortex XDR dashboard. Allowed Sessions —Enables you to define approved domains and approved IP address ranges through which you allow access to Cortex XDR. User Expiration —Enables you to deactivate an inactive user and also configure the automated user deactivation period. For more detailed information, see the Cortex XDR Administrator's Guide.
Native Search Deprecation	The XQL Search and Query Builder are now the main search options in Cortex XDR and provide more flexibility and powerful querying capabilities. The Native Search option is deprecated and, as a result: Existing BIOC rules created by Native Search actions are still available and function as they did before. This includes the option to export the rule and set metadata, such as Type, Severity, MITRE Technique, and MITRE Tactics. However you can no longer edit the rule. Queries created using Native Search actions are still available in the Query Center for viewing historical results. However, you can no longer rerun or edit these queries. You can still edit the schedule of past scheduled queries by right-clicking the Query Center and then Show Scheduled Query .
Network Events Deprecation (`Starting with the next Cortex XDR release`)	After Cortex XDR introduced network collection events, that are stitched across endpoints and the Palo Alto Networks next-generation firewalls logs, there is no longer need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, you should avoid using the xdr_agent_network preset and use the newtork_story preset instead.
`Audit Logs`
One-Year Retention of Audit Log Entries	All entries that are accumulated in the Cortex XDR audit logs are now available for your retrospective review for an extended period of one year from the date of their creation.
New Management Audit Logs for Policy Changes	For increased visibility into policy configuration changes, Cortex XDR introduces new policy audit logs for the Create, Edit, Reorder, Update, and Delete Subtypes. The new policy audit logs include: Create Policy Success: New `platform` policy rule `rule-name` with target `target-name` created Failure: `rule-name` policy rule failed to create Edit Policy Name Success: `platform` policy rule `rule-name` renamed to `new rule-name` Failure: Rename of `rule-name` policy rule `new rule-name` has failed. Edit Policy Status Success: `platform` policy rule `status` changed to `new status` Failure: `platform` policy rule `rule-name` failed to update status Edit Policy Profiles Success: `platform` policy rule `rule-name` updated to include the following profiles `profile-names` Failure: `platform` policy rule `rule-name` failed to update Edit Policy Scope Success: `platform` policy rule `rule-name` updated to include `scope` Failure: `platform` policy rule `rule-name` failed to update Edit Policy Profile and Scope Success: `platform` policy rule `rule-name` scope updated to include: `scope` and the following profiles: `profiles` Failure: `platform` policy rule `rule-name` failed to update Reorder Policy Success: `platform` policy rule `rule-name` reordered Failure: `platform` policy rule `rule-name` failed to reorder Delete Policy Success: `platform` policy rule `rule-name` delete Failure: `platform` policy rule `rule-name` failed to delete Update Policy Success: Policy rules were updated. Failure: Failed to update policy rules
Improved Management Audit Logs for Extensions Policies and Profiles	For improved accuracy, Cortex XDR now logs Extensions Policy and Profile actions under Extensions Policy Rules or Extensions Profile type For Extensions Policies actions, a new Extensions Policy Rules log type is added with the following available descriptions: Extensions policy rules were updated . Failed to update extensions policy rules . For Extensions Profiles actions, the following audit logs will be logged as Extensions Profile type: Failed to create an extensions profile . Failed to delete an extensions profile . Failed to edit an extensions profile . This change applies to future audit logs. Previously-created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity.
Policy Change Visibility in Management Audit Logs	You can now view the specifics of what has changed in the configuration of your policies by viewing the management audit logs. For each policy log, you can view the detailed changes instead of the previously displayed message ( Policy rules were updated. ). Hover with the pointer over the specific entry to view the info in a tooltip. This enables you to know exactly what has changed and, if necessary, roll back the change.
Enhanced Management Logs Incident ID Value	To improve your investigation capabilities, Cortex XDR now includes the Incident ID value in the Management Audit logs when you perform an action on a single incident. The following list displays examples of the updates by log subtype: Assign Incident Previous — Changed assignee of 1 incident to email@paloaltonetworks.com Updated — Incident 12345 assigned to email@paloaltonetworks.com Change Incident Severity Previous — Changed severity of 1 incident to Medium Updated — Changed incident 12345 severity to Medium Change Incident Status Previous — Changed status of 1 incident to Resolved - Handled Threat Updated — Changed incident 12345 status to Resolved - Threat Handled Change Scoring Previous — Changed scoring of 1 incident to 122 Updated — Changed scoring of incident #12345 to 122 Change Scoring Previous — Changed scoring of 1 incident to rule-based scoring Updated — Changed scoring of incident #12345 to rule-based scoring
Updated Management Audit Logs for Threat Handled Incident Status	To maintain consistency, Cortex XDR has updated the following management audit log for change in status of Threat Handled incidents: Previous — Changed status of 5 incidents to Resolved - Handled Threat Updated — Changed status of 5 incidents to Resolved - Threat Handled
Improved Management Audit Logs for Host Insights Vulnerability Assessment Data Collection (`Requires a Cortex XDR Pro per Endpoint license and Host-Insights add-on`)	When you rerun the host-insights data collection scan, either from the Vulnerability Management endpoints view or from the Asset View , Cortex XDR now uses the same management audit log types as follows: Log type — Host Insights Subtype — Collect host insights from an endpoint Available descriptions Endpoint host insights collection initiated successfully Failed initiating host insights collection from an endpoint This change applies to future audit logs. Previously-created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity
Enhanced Audit Log for Operations in Rules Exceptions	The Cortex XDR management console now enables you to view audit logs for Create, Edit, and Delete operations of Rules Exceptions. In addition, the existing management audit logs for import and export of Rules Exceptions are now logged under the Rules Exceptions type.
`Investigation and Response`
XQL Multi-Language Data Support (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) can now support data provided in multiple languages, such as in XQL queries, lookups, widgets, and external data ingestion.
New XQL Datasets with Dataset Permission Enforcement (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now includes the following new datasets called endpoints and host_inventory . These datasets support dataset permission enforcements in the Cortex XDR Query Language (XQL), Query Center, and XQL Widgets. To view or access any of these datasets, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views.
New Standardized User Format for Events and Alerts (`Requires a Cortex XDR Pro license`	To streamline the way usernames appear in network events and alerts, Cortex XDR now processes and displays usernames in the following standardized format, also termed “normalized user”: `<company domain>`\`<username>` In the Cortex XDR Query Language (XQL), every user field included in the raw data, for network, authentication, and login events, has an equivalent normalized user field associated with it that displays the user information in the standardized format. For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results. As a result, any alert triggered based on network, authentication, or login events, now displays the User Name in the new standardized format in the Alerts and Incidents pages. This change impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including BIOC and IOC alerts triggered on one of these event types.
New XQL IP Location Stage (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now includes a new stage command that enables you to associate the IPv4 address of any field to a list of predefined attributes related to the geolocation. To support this, you can now add the iploc stage to your queries using the format: iploc `<field name>` To improve your query performance, we recommend that you filter the data in your query before you run the iploc stage command. In addition, limiting the number of fields in the results table further improves the performance.
New XQL Bin Stage (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now includes a new stage command that enables you to group events by quantity or time span. The most common use case is for time charts. To support this feature, you can now add the bin stage command to your queries using these formats depending on whether you are grouping by quantity or time span: Quantity : bin `<field>` bins = `<number>` Time span : bin `<field>` span = `<time>` timeshift = `<epoch time>` `<time>` is a combination of a number and time suffix. timeshift = `<epoch time>` is optional and enables you to designate a particular start time for grouping the events according to the Unix epoch time. When you group events by quantity, the `<field>` in the bin stage command must be a number. When you group by time, the `<field>` must be a date type.
New XQL Time Frame Configuration Function (`Requires a Cortex XDR Pro license`)	The Cortex XDR Query Language (XQL) now includes a new configuration function that enables you to perform searches within a specific time frame from the query execution. To support this feature, you can now add the config stage command to your queries with the timeframe function using these formats: Relative time : config timeframe = `<number><time unit>` Exact time : config timeframe between "`<Year-Month-Day H:M:S ±Timezone>`" and "`<Year-Month-Day H:M:S ±Timezone>`" Where the `±Timezone` format is `±xxxx` and if none is configured the default is UTC.
New Support for Linux System Authentication Logs (`Requires a Cortex XDR Pro license`)	EDR data collected for Linux now contains Linux system authentication logs. These Linux system authentication logs are now available using XQL queries and the Query Builder. As a result, in the Query Builder, the Event Log now includes both Windows and Linux event logs and the corresponding event_type in XQL has been renamed from WINDOWS_EVENT_LOG to EVENT_LOG .
New Visualizations for Widgets Based on XQL Search Queries (`Requires a Cortex XDR Pro license`)	To help you better view and visualize data based on XQL search queries, Cortex XDR expanded the type of available widgets so that you can now display the search results using: Funnel graph Word Cloud graph Map Single Value Trend graph Graph Header
Incident Thresholds for Alert Grouping	To keep incidents fresh and relevant, Cortex XDR now provides the following two new thresholds after which an incident stops adding alerts: 30 days after the incident was created 14 days since the last alert in the incident was detected (excludes backward scan alerts) After the incident reaches either threshold, it stops accepting alerts and Cortex XDR groups subsequent related alerts in a new incident. For increased visibility, Cortex XDR also provides a new Alerts Grouping Status field in the Incidents table to identify the grouping status: Enabled when the incident is open to accepting new related alerts or Disabled if either threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, you can hover over the status field.
MITRE, Severity, and Alert Grouping Visibility in Incident Table	You can now view the following MITRE, severity, and alert grouping fields in the Incident Table. Each field displays the following information: MITRE ATT&CK Tactic —MITRE tactics found in the alerts. MITRE ATT&CK Technique —MITRE techniques found in the alerts. Alert Categories —Type of Alert categories found in the alerts. WildFire Hits —Number of the Malware, Phishing, and Grayware artifacts that are part of the incident. High Severity Alerts —Number of high severity alerts that are part of the incident. Medium Severity Alerts —Number of medium severity alerts that are part of the incident. Low Severity Alerts —Number of low severity alerts that are part of the incident. Alerts Grouping Status —Displays whether Alert Grouping is currently enabled. Incidents created prior to Cortex XDR version 2.9 are updated as follows: MITRE Attack Tactics, MITRE Attack Techniques, and Alert Categories fields will remain empty. WildFire Hits field will begin with an empty value, however when an new alert is added to the incident the filed is updated. High Severity, Medium Severity, Low Severity, Alert Grouping Status fields are updated with the corresponding value. If an incident is merged or moved with other incidents, Cortex XDR will recalculate and update the fields.
Incident Table View Enhancement	To streamline your incident investigation process and reduce the number of steps it takes to investigate an incident, Cortex XDR now allows you to display the Incidents page in one of two new views: Split Pane Mode Table View The List view displays the current table. The new Detail view positions the incident table rows in a left-side pane and displays the complete Incident View on the remaining of the page allowing you to scroll through the incident rows and display each incident view without the need to pivot to another tab or window. To ensure visibility of the incident data, each row in the pane displays the incident description and incorporates icons that provide the following details: Severity Status Score Star Assignee Update Time Incident Description In addition, you can sort the incident rows according to the available fields. The current right-click menu options are also available in the Detail view.
Causality View Loading Time Enhancements	To improve loading time, as of Cortex XDR version 2.9, when navigating to the Causality View from an alert or event, Cortex XDR now displays the causality data as follows: Visualize the branch between the CGO and the actor process of the alert/event. Display up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first. Causality cards that contain more causality data display a Showing Partial Causality flag. You can manually add additional child or parent processes branches by right-clicking on the process nodes displayed in the graph.
Added Option to View The Observed Behaviors of Behavioral Threat Protection Alerts	The Cortex XDR management console now allows you to view the observed behaviors of Behavioral Threat Protection alerts. To view the observed behaviors, right-click on an alert in the alert table or in the incident view and select View Observed Behaviors . The option to view the Observed Behaviors table already exists in the Causality Card. The new view option is another pivot option to view the same information, and both options remain available.
Featured Alert Fields Enhancement (`Requires a Cortex XDR Pro license`)	To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now includes Active Directory Groups and Organizational Unit (OU) as optional Featured Alert Fields labels. Define a Featured AD or OU in Investigation Incident Management Feature Fields Active Directory . To easily locate alerts containing featured AD or OU fields, in the Alerts Table , alerts are flagged in the Alert Name field with a flag and appear in the Contains Featured User or Contains Featured Host fields associated with the AD/OU.
Enhanced Alerts Deduplication	To better identify and deduplicate Analytics, IOC or BIOC alerts for the same activity, the deduplication period is now calculated according to the actual time the event took place, rather than according to the time the event was reported to Cortex XDR. This change applies to future alerts. Previously-created alerts remain the same.
Quick Actions in Tables	To streamline investigation in Cortex XDR, you can quickly initiate actions using new icons that are available in throughout Cortex XDR. The new icons are available in table rows upon a left click of the row and provide an alternative to the right-click pivot menus. The new icons are available for rows in the following tables: Incidents: Open Incidents View (same or new tab) Star an incident or clear the star Alerts: Open the Causality View (same or new tab) Exclude an alert or cancel alert exclusion Endpoints: Isolate an endpoint or cancel isolation Initiate Live Terminal Open the Asset View Open Incidents (same or new tab)
Centric View of CVE, Endpoint, and Application information, with additional Vulnerability Assessment Enhancements	To streamline your investigation under Vulnerability Assessment, Cortex XDR now provides a centric view for a single CVE, Endpoint, and Application, each accessible when you click on a specific row of the Vulnerability Assessment and Host Insights panels. These views list the affected applications, endpoints, or applied vulnerabilities, in an exportable and searchable manner, together with additional information on each entity. The CVEs tab under Vulnerability Assessment now includes additional fields to better fine-tune your vulnerability investigation. This includes: Additional CVSS fields, including Exploitability and Impact Metrics. Affected endpoints column, allowing you to easily search for CVEs on a specific endpoint. The last username who modified the comment and timestamp. Other view enhancements: The Hosts tab under Vulnerability Assessment has been renamed to ‘Endpoints’ and now includes the Endpoint Group details. The Apps tab was removed from the Vulnerability Assessment panel, and is accessible, same as today, under the Host Insights menu. In addition, Cortex XDR now calculates an unlimited number of vulnerabilities per endpoint, as opposed to a limit of 500 vulnerabilities per endpoint in previous versions. This update means that you might see a higher number of CVEs in Vulnerability Assessment screens, as well as in reports and dashboards.
Low and Informational Categorization for Agent Alerts	The Cortex XDR management console now displays Behavioral Threat Protection (BTP) alerts at Low or Informational severity. These are displayed as Insights in the Incident View and the Causality View panels. Low severity alerts are also displayed in the Alerts table.
Authentication Story Enrichment (`Requires a Cortex XDR Pro per Endpoint license and a Cortex XDR agent 7.3 or later for Linux`)	Starting with this release, Cortex XDR includes Linux authentication logs in authentication stories and will generate alerts accordingly.
`External Data Ingestion`
Zscaler Cloud Firewall Log Ingestion (`Requires a Cortex XDR Pro per TB license`)	If you use Zscaler Cloud Firewall in your network, you can now forward your firewall and network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. To begin analyzing your traffic logs, you set up a Syslog Collector and configure your firewall to forward logs to the Syslog Collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format. As soon as Cortex XDR begins receiving logs, the app automatically creates a Zscaler XQL dataset ( `<Vendor>`_`<Product>`_raw ) based on the `<Vendor>` and `<Product>` fields defined on the Zscaler syslog configuration. This enables you to search the logs using XQL Search.
Windows DHCP Log Ingestion (`Requires a Cortex XDR Pro per TB license`)	To provide additional network asset visibility in Cortex XDR Asset Management and improved analytics, Cortex XDR can now ingest Windows DHCP logs. To receive logs, configure Configurations Data Collection Collection Integrations settings for the vendor in Cortex XDR, which replaces the preexisting Settings SaaS Integrations settings. In addition, you must install and configure an Elasticsearch Filebeat agent on your Windows DHCP Server. As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP XQL dataset ( microsoft_dhcp_raw ). This enables you to search the logs using XQL Search.
Syslog Collector Applet Enhancements (`Requires a Cortex XDR Pro per TB license`)	The Syslog Collector applet now includes these enhancements: Supports a Secure TCP protocol with a TLS encrypted VPN. For a particular Protocol/Port entry, you can now map the syslog sources based on your own IP address or CIDR. This is configured by setting the order of the IP address or CIDR in the new Source Network column.
Additional External Alerts Fields Available for Mapping (`Requires a Cortex XDR Pro license`)	When you ingest alerts from external sources using either the Syslog Collector or Cortex XDR API, you can now map these additional optional fields to the alerts table: Process Command Line Process SHA256 Domain Process File Path Hostname Username
New Behavior for Ingesting Null Fields (`Requires a Cortex XDR Pro license`)	To expand your investigation and analytics capabilities, Cortex XDR now ingests any field with a null value, as opposed to the previous behavior of not ingesting these null value fields. It is also now possible to use the Cortex XDR Query Language (XQL) to query ingestion rules for null values.
`Analytics`
Improved Accuracy for Malware Protection (`Requires a Cortex XDR agent 7.4 or later release for Windows`)	Starting with this release, WildFire introduces analysis scores for files with Benign verdict to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually would get a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing would get a lower confidence Benign score. Files with a low confidence score are displayed as Benign Low Confidence (LC). When Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block). As soon as you deploy your Cortex XDR 7.4 agents, Cortex XDR will enforce this new behavior according to the settings you already have in your existing Malware Security profile for files unknown to WildFire. If you want to change it, you need to change the existing settings.
Cortex XDR Identity Analytics Add-On Module (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities, Cortex XDR now offers a new Identity Analytics add-on module. The add-on requires a Cortex XDR Pro per TB license and a separate module license. The module license is currently free, however will entail an additional cost in the future. The Identity Analytics add-on displays in the Analytics Alert View suspicious user activity such as stolen or misused credentials, lateral movement, credential harvesting, or brute-force data collected by the Cortex XDR Analytics engine detectors. When investigating an analytics type alert, a new User node appears in the causality view. Hover over the node to display user profile information, such as recent authentication statistics, user role, and if associated with Active Directory groups or Organizational Units. When selecting the alert node, in the Alert Description and Event Table sections, Cortex XDR displays the recent logins, hosts, alerts, and process executions associated with the user.
Auto-Disable of Alerts from Analytics Detectors (`Requires a Cortex XDR Pro per TB license`)	To ensure the analytics detectors raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables alerts from detectors that reach 5000 or more hits over a 24 hour period.
`Endpoint Security and Management`
Cortex XDR Agent Deployment with Installer and Content Update Package (`Requires a Cortex XDR agent 7.4 or later release for Windows`)	To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR now offers an agent installation and content update package. The package includes the agent installer and the latest supported content available at the time of the bundle download, eliminating the Content Update download phase from the Cortex XDR Server post agent installation.You can deploy the package using a third party tool such as SCCM, or manually on the endpoint. For more information on the installation process, refer to the Cortex XDR Agent administrator guide.
Cortex XDR Agent Installer and Content Caching on the Broker VM (`Requires a Cortex XDR agent 7.4 or later and Broker VM 12.0.58 or later`)	To reduce external bandwidth usage and time required for Cortex XDR agent installations, upgrades, and content updates, Cortex XDR now offers an additional option to cache the files on your Cortex XDR Broker VM. When both P2P and Broker VM download sources are selected, the agent first queries a peer agent for the files. If the files are unavailable or the process fails, the agent queries the Broker VM where the files are stored for a 30-days retention period since an agent last asked for them. If the download from the Broker VM fails as well, the agent retrieves the files directly from the Cortex XDR server. The option to retrieve the files from the Server is always enabled. To enable the Broker VM caching option, you must first: On your Broker VM settings, configure an FQDN address and enable agent caching in your Local Agent applet. In your Agent Settings profile, add Broker VM as a Download Source and configure the Broker VM FQDN address. For the detailed workflow on how to set up caching on the Broker VM, refer to the Cortex XDR administrator’s guide.
Peer-to-Peer Distribution of Cortex XDR Agent Installers	To reduce bandwidth load when distributing installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now leverages P2P distribution to include agent installers, in addition to content updates. In your Agent Settings profile, you can choose the download source from which agents retrieve release upgrades and content updates: P2P, Palo Alto Networks Broker VM, and the Cortex XDR server. Peer-to-peer distribution is enabled by default in the Agent Settings profile, and requires that you enable UDP and TCP over port 33221 (You can change this port number later on through the Agent Settings profile).
Device Control Enforcement on Previously Connected USB Devices (`Requires a Cortex XDR agent 7.4 or later release for Windows`)	When the Cortex XDR agent starts enforcing Device Control on the endpoint, it now enforces the policy rules not only on newly connected devices, but also on devices that were previously connected to the endpoint before the policy enforcement was applied.
Native Support for Apple Silicon (M1) (`Requires a Cortex XDR agent 7.4 or later release for Mac`)	Starting with this release, you can install the Cortex XDR agent on macOS based devices with Apple Silicon (M1). To resolve issues that could occur, refer to the Cortex XDR 7.4 agent list of known issues.
Context-based Global Exceptions for the Gatekeeper Enhancement Protection Module (`Requires a Cortex XDR agent 7.4 or later release for Mac`)	Now when the Cortex XDR Gatekeeper Enhancement security module raises an alert, you can create a global exception for this specific source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes. For more details, see Add a Global Endpoint Policy Exception.
Cortex XDR Agent Silent Uninstall (`Requires a Cortex XDR agent 7.4 or later release for Mac`)	Starting with this release, when you uninstall the Cortex XDR agent from the Cortex XDR management console, the process is silent and does not prompt the end-user for approvals on the endpoint.
Scope-Based Access Control (SBAC) for Endpoints	Cortex XDR now enables assignment of user permissions to specific endpoint groups in the organization. By default, all users have management access to all endpoints in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is be able to manage only the specific endpoints within that scope. This Scope-Based Access Control (SBAC) affects the following functional areas in Cortex XDR: Endpoint Administration table—view endpoints and take actions on endpoints. Note: Policy Management does not support SBAC. Action Center—view and take actions only on endpoints that are within the scope of the user. Dashboards and Reports—scoping takes place only on agent-related widgets. The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with a permission to view incidents, can view all incidents in the system without limitation to a scope. To view and modify the scope of a user, go to Configurations Access Management Users In the list of Cortex XDR users, the Endpoint Scope column now specifies any SBAC assignment.
`Broker VM` `Version 12.1.5`
CSV Log Files Integration with the Broker VM (`Requires a Cortex XDR Pro per TB license`)	The broker VM now provides a new CSV Collector applet that enables you to monitor and collect CSV log files from a shared Windows directory directly to your log repository for query and visualization purposes. After you activate the CSV Collector applet, you can ingest CSV files as datasets by defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR using a username and password.
Agent Proxy Listening Interface	You can now specify a proxy listening interface when activating a local agent on the broker VM, through the Activate Local Agent applet. For more information, see the Cortex XDR Administrator’s Guide.
`API`
New XQL API (`Requires a Cortex XDR Pro license`)	To expand your investigation capabilities, Cortex XDR now enables you to run XQL queries on your data sources using APIs. The XQL APIs require a Cortex XDR Pro license and a daily Query Quota made up of query units. Cortex XDR provides a free quota of query units and you will be able to purchase additional units in future Cortex XDR versions. Each XQL query consumes query units based on the number of API response results. Queries called without enough quota will fail. You can run the following APIs on your tenant and MSSP child tenants: start_xql_query/ —Run an XQL query. Response returns a unique query ID used to call the get_query_results/ API. get_query_results/ —Retrieve XQL query. Results return up to 1000 results. get_query_results_stream —Retrieve XQL query with more than 1000 results. get_quota/ —Retrieve the number of used and available query units. To help you track your XQL APIs, in the Cortex XDR app, you can view the following information: Query usage and your remaining available quota. Data about the XQL queries executed by APIs: ID —Unique identifier of the XQL query API. Timestamp —Date and time of when the XQL API was called. PAPI Key ID —The API Key ID used to call the XQL API. XQL Query — Query string called by the XQL API. Query Unit Usage —Number of query units used to run the API.
New API Key Time Limit	For an added layer of security when managing your user API permissions, you can now set a time limitation on the API key used to authenticate API calls. When creating API keys, select the option to enable an Expiration Date for the key. In the API Keys table, a new Expiration Time field has been added allowing you to track each key.In addition, Cortex XDR displays an API Key Expiration notification one week and one day prior to the defined expiration date.
Enhanced Visibility of Incident Data	To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the following fields: mitre_techniques_ids_and_names —Array of which MITRE technique names and IDs the incident raised mitre_tactics_ids_and_names —Array of the MITRE tactic names and IDs the incident raised wildfire_hits —Number of WildFire detections raised by the incident alert_categories —Array of which alert category the incident raised alerts_grouping_status —String representing whether the grouping is Enabled or Disabled .
Updated Alert Severity Valid Values	To ensure consistency in the Cortex XDR app Alerts table, when calling Insert Parsed Alerts API, the severity filed is now mandatory and does not accept the value `Unknown`. Possible valid values are: Informational Low Medium High
Updated Featured Alert Fields API (`Requires a Cortex XDR Pro license`)	To expand your Featured Alert Field capabilities, Cortex XDR has updated the Replace Featured Active Directory Groups Replace Featured Active Directory Groups API to allow you to delete and replace Organizational Unit (OU) in addition to Active Directory Groups (AD). When calling /replace_ad_groups/ , you can now distinguish between an AD or OU group by including the new field type with a value of either `group` or `OU` in your request. The field is not mandatory and is sent, by default, as group .
Upload Cortex XDR Indicator Request Validation	To help you gain greater visibility if an indicator has been updated correctly, when calling Insert Simple Indicators, CSVand Insert Simple Indicators, JSON APIs, you can now send a validate field in your request. In the case where the update was unsuccessful, the validate field returns a validation_errors array listing the specific fields and errors that occurred.

Features Released in March

The following table describes new features in the Cortex XDR 2.8 release.

Feature	Description
`Access Management`
Cortex XDR Management Console IP Address Changes	Cortex XDR now uses new IP addresses for accessing the Cortex XDR management console ( `<xdr-tenant>`.xdr.`<region>`.paloaltonetworks.com ). If you already use the cortex-xdr App-ID or the outgoing HTTPS connection is not filtered by a firewall, no firewall adjustments are necessary. However, if your HTTPS connection is filtered through a firewall (and you do not use the App-ID), you must adjust your configuration to use the new IP addresses according to your region. The FQDN for the Cortex XDR management console remains unchanged.
`Broker VM`
Approved Remote Terminal Commands	When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands: The edit_routes command is now deprecated. To enable updates to your static network routes, Cortex XDR allows you to execute the restart_routes command. The command invokes a restart of the routing service, applying updates you make to your network route configuration file. squid_tail —Display the Proxy applet Squid log file in real-time.
`API`
Enhanced Visibility of Mac Addresses	To provide greater visibility for alerts that have multiple associated MAC addresses, the Get Alerts API response now includes the mac_address field. The new field returns a list of one or more MAC addresses and will supersede the existing mac field which will be deprecated in a future release.

Features Introduced in February

The following table describes new features in the Cortex XDR 2.7 release.

Feature	Description
`General`
Extended Tab Viewing Options	The option to view results in the same or a new tab are now available in the pivot menus of the following tables: Query Center —Open query results Scheduled Queries —View executed queries Endpoint Management —Open the related Asset View and related incidents of an endpoint Asset Management —Open asset and agent details views BIOC rules —Open the related rule query
In-App New Version Notification	Cortex XDR now displays a notification when you log in to your tenant following a Cortex XDR version upgrade. The notification displays the updated version number and lists selected new features available for your license type. From the notification, you can choose to pivot to the Release Notes for more information or you can dismiss the notification and view at another time by navigating to User What’s new in the Cortex XDR management console.
Audit Logs SHA256 Value Enhancement	To improve your investigation capabilities, Cortex XDR now includes the SHA256 value in the Management Audit and Agent Audit logs for files that you restored and quarantined. The Management Audit Log and Agent Audit Log Description field in the Cortex XDR management console and the Get Audit Agent Report and the Get Audit Management Log APIs now display the file Description in a new format: Management Audit Logs Restore quarantined file hash `<full SHA256>` on <endpoint name> Quarantine <file path>, `SHA256: <full SHA256>` on <endpoint name> Agent Audit Logs Restored file <file path>, `SHA256: <full SHA256>` on <endpoint name> Quarantined file <file path>, `SHA256: <full SHA256>` on <endpoint name>
Auto-Disable BIOC Rules Log Description Update in Audit Logs	The Auto-Disabled behavioral indicator of compromise (BIOC) rule Description field displayed in the Management Audit Log page and the Get Audit Management Log API now display the rule description in a new format: BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity>
`Investigation and Response`
XQL Query Language Enhancements (Requires a Cortex XDR Pro license )	The Cortex XDR Query Language (XQL) is extended in the following ways: You can now perform case-insensitive value searches (by default, field values are case sensitive when searched). To support this, you can now add the config stage to your queries. The following functions are added to the filter and alter stages: current_time(), extract_time(), timestamp_diff(), to_timestamp(), add(), subtract(), multiply(), divide(), round(), array_length(), and string_count(). The following aggregates are added to the comp stage: earliest(), first(), last(), and latest().
New Datasets for XQL Search (Requires a Cortex XDR Pro license )	Cortex XDR now enables you to query the following data using the Cortex XDR Query Language (XQL): Next-generation firewall logs (available as a new dataset). These fields and data are identical to the log record information that is available using the Explore app. Device control connect and disconnect events (added to the xdr_data dataset). In addition, log records received from a security information and event management (SIEM) system are parsed into key-value pairs. Log record field values that are not identified as an integer, string, or timestamp are ingested as a JSON record.
Network Preset Name Change in XQL Search (Requires a Cortex XDR Pro license )	The Network preset for XQL Search of EDR data is changed—it is now Agent Network. This is only a name change; this preset still provides the same network events sent from agents as before this change. The Agent Network preset is not the same as the Network Story preset that provides stitched network events from different sources.
Additional XQL Search Pivot Functionality (Requires a Cortex XDR Pro license )	To continue investigation, you can now pivot from XQL Search results to the Causality View and Timeline View. These options are supported for results that identify the following types of events: process (except for those with an event subtype of termination), network, file, registry, injection, load image, system calls, network stories, and Windows event logs. From the events table in the Causality View and Timeline View, you can similarly pivot from an event to View in XQL in either the same tab or a new tab. This can be useful if you want to further refine the query to continue investigation.
Histograms for XQL Search Queries (Requires a Cortex XDR Pro license )	Cortex XDR now automatically generates histograms for every field that is part of an XQL Search result. A histogram is a type of visualization of the results within a specific query. Histograms are similar to bar charts that show the distribution of values within a specific field across a result set. Each time you generate a new query, Cortex XDR will regenerate the histogram based on the updated result set. Histograms are not supported for JSON and array fields.
New Visualizations for Widgets Based on XQL Search Queries (Requires a Cortex XDR Pro license )	To help you better view and visualize data based on XQL search queries, you can now view your XQL search results in three new modes: Raw —Displays the raw format of the entity in the database. JSON —Displays the entity with a key value distinction. Tree —A dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies. Cortex XDR expanded the type of available widgets so that you can now display the search results using: Pie charts —Includes options for full circle (default), donut, and semicircle charts. Area graphs —Includes options for standard, stacked, and percentage graphs. Bubble graphs —Includes options for standard, packed, and group packed graphs. Scatter graphs Single value totals Gauge graphs —Includes options for radial, filler, and marker graphs. Table —Displays the results table data. To easily save a visualization after you create a widget, find the widget in the Widget Library.
New Cortex XDR Widget Library	To streamline widget visibility and management, Cortex XDR now enables you to search, view, and edit both your custom widgets and the Cortex XDR predefined widgets in the new Widget Library. The library is a one-stop page where you can easily add or create widgets to your dashboards and reports to help you continuously monitor your XQL query results, logs, and data visually.
New Incident Management Page	To streamline the Investigation menu, a new Incident Management page is now available. From this page, you can view starred incidents, manage scoring rules, and view incident exclusions.
Custom Incident Scoring Rules (Requires a Cortex XDR Pro license )	To streamline the investigation process and better highlight incidents that are significant in your environment, Cortex XDR now enables you to define custom incident scoring rules that prioritize your incidents according to the needs of your organization. Define scoring rules in the Cortex XDR management console on the Investigations Incident Management page. Each rule is based on a defined score, an Alert attribute, or the entity on which it occurred. When an alert matching the defined rule is raised, Cortex XDR adds the alert score to the total score of the incident. By default, the alert score is applied only to the first alert that matches the defined rule. Subsequent alerts for the same incident do not receive any score. The incident score is displayed as a filterable Score field in the Incident table and as a tag in the Incident View.
Featured Alert Fields (Requires a Cortex XDR Pro license )	To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now enables you to label specific alert attributes as Featured Alert Fields. Featured fields help you track alerts that involve a specific: Host Name User Name IP Address Label a field as Featured in Investigation Incident Management Feature Alert Fields and then filter and sort alerts containing the featured fields in the Alerts Table using the new table fields: Contains Featured Host Contains Featured User Contains Featured IP Address To easily locate alerts containing featured fields, alerts containing one or more of the featured fields are flagged in the Alert Name field with a flag. Alert notification emails now include whether the alert contains one or more featured fields: "contains_featured_host":[`"NO"/”YES”`], "contains_featured_user":[`"NO"/”YES”`], "contains_featured_ip":[`"NO"/”YES”`],
IOC Rule Functionality Enhancements (Requires a Cortex XDR Pro license )	To ensure your indicators of compromise (IOCs) rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically performs the following tasks: Disables any IOC rules that reach 5,000 or more hits over a 24-hour period. Creates a Rule Exception based on the Process SHA256 field for IOC rules that hit more than 100 endpoints over a 72-hour period.
Network Causality Event Timestamp Investigation (Requires a Cortex XDR Pro license )	To help you investigate the time frame of security processes and connections made over your network, Cortex XDR now displays the network event timestamp in the Network Causality View. When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.
Enhanced Timestamp Investigation	To enhance your investigation capabilities, you can now narrow the Timestamp field results in the Cortex XDR tables by right-clicking to display rows that are 30 days before or 30 days after the selected field value.
Events Table Results Enhancements	The Events table (available from the Causality View and Timeline View) now includes the following enhancements: The maximum number of related events increased from 10,000 to 100,000. You can now export the related events to a tab-separated values (TSV) file. The following fields are no longer displayed: FILE File Macro SHA256 INJECTION Injection Type
Slack Notifications Enhancement	To help streamline investigations for alerts you receive on Slack, Cortex XDR now provides a link in Slack notifications to the alert details in Cortex XDR. If the alert is part of an Incident, the notification also includes the link to investigate the incident in Cortex XDR.
Hostname Visibility in Alerts	Hostname visibility in the Cortex XDR Alerts Table is now displayed according to the following guidelines: When a hostname associated with an IP address is known in the Palo Alto Networks Next-Generation Firewalls alerts, Cortex XDR displays the hostname in the Host field. When a hostname associated with an IP address is unknown in the Palo Alto Networks Next-Generation Firewalls and third-party source alerts, the Host field is blank and no longer displays the IP address. However, the IP address is still available in the Host IP address field.
Native Search Deprecation	For queries on data in your Cortex XDR tenant, Cortex XDR provides query functions using the XQL Search that enable you to query the data, create widgets, and schedule queries, all of which supersede the Native Search. The Native Search will remain available from the Query Builder only until the next release.
Remote Malicious Causality Chains Response (Windows) (Requires Cortex XDR agent 7.3 or a later version )	When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypt endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint. You can view the list of all blocked IP addresses per endpoint from the Cortex XDR Action Center , as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile where you can also add a specific and known safe IP address or IP address range to the IP addresses allow list. This capability is supported for network connections made in IPv4 only. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Network Isolation of macOS Endpoints (macOS 10.15.4 and later) (Requires Cortex XDR agent 7.3 or a later version )	Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR. Note the following limitations: If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List Network Isolation Allow List. To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Live Terminal Enhancements (Windows and Mac) (Requires Cortex XDR agent 7.3 or a later version )	To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light ( ) on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
`External Data Ingestion`
PingFederate Log Ingestion (Requires a Cortex XDR Pro per TB license )	Cortex XDR can now ingest logs from PingFederate. To receive logs, you must enable PingFederate to send logs in CEF format to the Syslog Collector that you set up on the broker VM. As soon as Cortex XDR begins receiving logs, the app automatically creates a PingFederate XQL dataset ( ping_identity_pingfederate_raw ) and enables you to search the logs using XQL Search. Log information from PingFederate is also visible, when relevant, in the xdr_data dataset and in the authentication_story preset.
Amazon CloudWatch and AWS CloudTrail Log Ingestion (Requires a Cortex XDR Pro per TB license )	Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail Logs. To receive logs, configure SaaS Log Collection settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon AWS XQL dataset ( amazon_aws_raw ) and enables you to search the logs using XQL Search.
Elasticsearch Filebeat Log Ingestion (Requires a Cortex XDR Pro per TB license )	When you use Elasticsearch Filebeat to log activity on your endpoints or servers, Cortex XDR can now ingest those file logs. To receive logs, configure the collection settings for Filebeat in Cortex XDR and the output settings in your Filebeat installations. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset for each collected vendor and product and makes logs available in XQL Search queries.
HTTP Log Collector (Requires a Cortex XDR Pro per TB license )	You can now set up an HTTP Log Collector to receive logs in text or JSON format. To begin receiving logs you must first set up the HTTP Log Collector and use the provided examples to construct an HTTP POST request. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
Google Kubernetes Engine (GKE) Log Ingestion (Requires a Cortex XDR Pro per TB license )	As an alternative to setting up a GCP Pub/Sub, Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using Elasticsearch Filebeat. To receive logs, you must install Filebeat on your containers and enable SaaS Log Collection settings for Filebeat. As soon as Cortex XDR begins receiving logs, the app automatically creates a GKE XQL dataset—using the product and vendor that you specify during Filebeat setup—and enables you to search the logs using XQL Search.
Extended Log Ingestion for Syslog in LEEF Format (Requires a Cortex XDR Pro per TB license )	Cortex XDR extends log ingestion support to vendors sending LEEF over Syslog. As with log ingestion for CEF over Syslog, you can configure the protocol, the IP address and port, and the format settings for the syslog collector. After Cortex XDR begins receiving logs from the third-party source, it automatically parses the logs in LEEF format and creates a dataset. Cortex XDR extracts the vendor and product name to identify the dataset as `<vendor>`_`<product>`_raw . You can then use XQL Search queries to view logs and create new BIOC rules.
`Analytics`
Analytics BIOC Visibility and Management (Requires a Cortex XDR Pro license )	If you have Analytics enabled, Cortex XDR now provides visibility into and enables management of your Analytics BIOC rules by pivoting from the BIOC Rules table to a dedicated page. For each rule, Cortex XDR displays identifying information, such as name and ID, severity, rule activation status, and any relevant MITRE ATT&CK information. Cortex XDR also enables you to disable or enable Analytics BIOC rules as needed. To view and manage Analytics BIOC rules, you must have the corresponding permissions enabled for your role.
`Asset Management`
Enhancements to Asset Management (Requires a Cortex XDR Pro license )	Cortex XDR now displays also the MAC address vendor name, and the platform running on your managed and unmanaged assets.
Export Network Assets to File (Requires a Cortex XDR Pro license )	You can now export your Asset Management table results to a tab-separated values (TSV) file.
`Endpoint Security and Management`
Flexible Agent License Revocation (Requires a Cortex XDR Pro license )	To enable a flexible revocation policy for Cortex XDR agent licenses, you can now configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. In addition, you can configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. For more information, see Cortex XDR Agent License Revocation.
Enhanced Local Analysis Prevention (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version )	The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features. The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Bulk Alias Edits for Endpoints (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license )	To enable you to quickly change the alias for multiple endpoints, you can now perform the action from the Endpoint Control menu on the Endpoint Administration page.
Vulnerable Drivers Protection (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later version )	Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates. To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security Profile. By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block ), you can Report (and allow) vulnerable drivers or disable the module.
Device Control for VDI (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version )	Cortex XDR now extends Device Control for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact. Note the following limitations: Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules. The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Unpatched Vulnerabilities Protection (Windows) (Requires a Cortex XDR agent 7.1 or a later version )	Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center. For Cortex XDR agents 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile will modify IP4 and IPv6 settings temporarily on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to their values before modification. Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and impact this workaround could have on your network.
Extended Device Control to Read-Only Disk Drives (Windows and Mac) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints )	You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version )	Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Agent Installation Using a Unified Configuration Profile File for MDMs (Mac)	For a seamless installation of the Cortex XDR agent that does not require end user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to any third party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile, if you prefer or are required to sign using your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs.
Custom Agent Installation Directory (Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version )	You can now install your Cortex XDR agent in a custom directory on Linux endpoints instead of using the default ./opt directory. To do this, set the custom path in a new installation variable --install-path=/`<some/path>` . After you install the Cortex XDR to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location. For more information, see how to Install the Cortex XDR Agent for Linux.
New Operating Systems Support (Linux) (Requires Cortex XDR agent 7.3 or a later version )	You can now install the Cortex XDR agent on Linux endpoints that are running on: Debian 10, OpenSuse Leap 15.1, or SUSE 15 SP2. Ubuntu Server 16, Ubuntu Server 18, and Ubuntu Server 20 with AWS kernel modules. For all supported kernel versions, see the Latest kernel module version support .
`Host Insights Add-on`
Search and Destroy Malicious Files on Mac Endpoints (macOS 10.15.4 and later) (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.3 or a later version )	Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
Host Insights Export to File (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version )	You can now export all the Cortex XDR host insights tables and respective asset views to a tab-separated values (TSV) file.
Vulnerability Management Name Change (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version )	To better reflect the feature usage, Vulnerability Management is renamed to Vulnerability Assessment .
`Multitenants and MSSPs`
Cross-Tenant XQL Queries for Multi-Tenancy (Requires a Cortex XDR Pro license )	To enable multitenant management that uses XQL Query to view raw data that is stored in Cortex XDR, you can now execute XQL queries on a single child tenant or up to 100 child tenants simultaneously directly from your parent tenant XQL Search page. When executing XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant. When executing XQL queries on multiple child tenants simultaneously: Autocomplete and validation are supported only on Cortex XDR dataset types, such as EDR data, Cortex XDR Alerts, and Palo Alto Networks New Generation Firewall Logs. Queries are executed on each child tenant separately and return up to one million results split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant. You can view, track, and investigate the query results and graphs for each child tenant in your XQL Search page results table or Query Center by filtering by child tenant.
`Broker VM` (Version 11.1.1 )
Broker VM Images	MD5 values for broker images version 11.1.1: OVA— 232a6940ff81fcc5c585b1775973df37 VHD— 285f301fb75db249d27491646548f3e3 VMDK— b17329ba1661c206a1097cf69945bcd9 Azure VHD— ed78bf4e56cf78dde2a2ae6840569dab
New Supported WEC Event Collection (Requires a Cortex XDR Pro per TB license )	To expand the Broker VM data collection capabilities, in addition to the default WEC event IDs, you can now configure the Broker VM to collect all or specific Windows event types, such as DHCP, DNS, and IIS event types, directly from the Cortex XDR management console.
WEC Domain Controller Certificate Notifications (Requires a Cortex XDR Pro per TB license )	To keep you informed of your WEC Domain Controller Certificate status and avoid service disruptions, Cortex XDR now displays a notification of the remaining time left on your license or whether your license is expired.
Approved Remote Terminal Command	When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands: hostnamectl —Update a hostname. edit_routes —Update static network routes.
`API`
New Featured Alert Fields APIs (Requires a Cortex XDR Pro license )	To expand your API capabilities, Cortex XDR now provides the APIs to help you manage your featured alert fields. Using the following APIs you can delete and replace existing featured alert fields: Replace Featured Hosts Replace Featured Users Replace Featured IP Addresses Replace Featured Active Directory Groups
Enhanced Visibility of Incident Data	To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the following Incident Scoring fields: rule_based_score —The incident score calculated by the Incident Scoring Rules. manual_score —The incident score updated manually by an Admin user.
Enhanced Visibility of Alert Data	To help you gain greater visibility of Alerts that include Featured host name, username, or IP address, the Get Alerts API response now includes the following boolean type fields: contains_featured_host —Either True or False depending on whether the alert contains a featured host name. contains_featured_user —Either True or False depending on whether the alert contains a featured username. contains_featured_ip —Either True or False depending on whether the alert contains a featured IP address.
Enhanced Insert Parsed Alerts Capabilities	To enable you to include additional information when running the Insert Parsed Alerts API, you can now send the action status taken on an alert ( Reported or Blocked ) using the action_status field.

Document:Cortex XDR™ Release Notes

Features Introduced in 2021

Table of Contents

Features Introduced in 2021

Features Releasing in November

Features Releasing in August

Features Releasing in May

Features Released in March

Features Introduced in February

Recommended For You

Document:Cortex XDR™ Release Notes

Features Introduced in 2021

Table of Contents

Features Introduced in 2021

Features Releasing in November

Features Releasing in August

Features Releasing in May

Features Released in March

Features Introduced in February

Recommended For You

Recommended Videos