Features Introduced in 2021
Learn more about Cortex XDR features introduced during
2021 by month and functional area.
The following topics describe the Cortex
XDR features introduced in 2021 by month.
Features Releasing in May
New features in the Cortex® XDR™ 2.9 release.
The following table describes new features in the Cortex XDR
2.9 release.
Feature | Description |
|---|---|
General | |
Cortex XDR Gateway for Onboarding and Granular RBAC | To streamline activation and management
of your Cortex XDR tenants, Cortex XDR now operates as a standalone
application known as the Cortex XDR Gateway. The
Cortex XDR Gateway is where you view and manage existing tenants
and tenants available for activation that are allocated to your
CSP account. The split from the hub enables you to easily:
To activate and manage permissions, Cortex
XDR assigns the CSP Super User role to existing administrator
accounts. This role cannot be removed or changed through the Cortex
XDR Gateway. The Cortex Data Lake quota management and
the sizing calculator are still on the hub. |
In-App Granular Role-Based Access Control | To streamline management of your Cortex
XDR user and role-based access control (RBAC) permissions, Cortex
XDR now allows you to track user permissions, manage existing roles,
and create new roles in the Cortex XDR app without the need to log
in to the hub. Cortex XDR now displays the following information
in :
|
Fine-Grained Role-Based Access Control Enhancements | To help you better manage your user access permissions,
the following changes have been made to the Cortex XDR Granular Role-Based
Access Control (RBAC) configurations in the Cortex XDR Gateway and
Cortex XDR management console.
To provide continuity
for existing roles and privileges, Cortex XDR assigns the updated
permissions by default but you now have the option to configure
the view and action access independently for both your new and your preexisting
roles. |
Cortex XDR Tenant Switcher | When using multitenancy within the scope
of a Cortex XDR tenant, you can now use the Tenant Navigator, which
enables you to switch directly to another owned tenant. The tenant
navigator includes the following selections:
When
you choose a tenant, Cortex XDR pivots your display directly to
the main page of the gateway or the main page of the tenant. |
Improved Quick Launcher Access | To enable easier access to the Quick Launcher, you can
now access it from the Cortex XDR top navigation bar as well as
from all other navigation menus in the app. |
Settings Navigation Change | To align the page title with navigation
paths in Cortex XDR, the Settings menu (accessible from the gear
icon
) is
now named Configurations .The Quick
Launcher also reflects the name change. |
Enhanced Session Security Settings | The Cortex XDR management console now provides enhanced
security settings for user sessions. These security
settings include the following categories:
For
more detailed information, see the Cortex XDR Administrator's Guide. |
Native Search Deprecation | The XQL Search and Query Builder are now
the main search options in Cortex XDR and provide more flexibility
and powerful querying capabilities. The Native Search option is
deprecated and, as a result:
|
Network Events Deprecation ( Starting
with the next Cortex XDR release ) | After Cortex XDR introduced network collection events,
that are stitched across endpoints and the Palo Alto Networks next-generation
firewalls logs, there is no longer need to support raw Network events.
Starting with the next Cortex XDR release, Network events
will be deprecated. In light of the upcoming change, Palo Alto Networks
encourages you to define BIOC rules and/or searches by using Network Connections in
the Query Builder. When searching in XQL, you should avoid using
the xdr_agent_network preset and use
the newtork_story preset instead. |
Audit Logs | |
One-Year Retention of Audit Log Entries | All entries that are accumulated in the
Cortex XDR audit logs are now available
for your retrospective review for an extended period of one year from
the date of their creation. |
New Management Audit Logs for Policy Changes | For increased visibility into policy configuration changes,
Cortex XDR introduces new policy audit logs for the Create, Edit,
Reorder, Update, and Delete Subtypes. The new policy audit logs
include:
|
Improved Management Audit Logs for Extensions Policies
and Profiles | For improved accuracy, Cortex XDR now logs Extensions
Policy and Profile actions under Extensions Policy Rules or Extensions
Profile type
This
change applies to future audit logs. Previously-created audit logs
retain their current descriptions. For more information on Cortex
XDR auditing, see Monitor Administrative Activity. |
Policy Change Visibility in Management Audit
Logs | You can now view the specifics of what has
changed in the configuration of your policies by viewing the management audit logs.
For each policy log, you can view the detailed changes instead of
the previously displayed message ( Policy rules were updated. ).
Hover with the pointer over the specific entry to view the info
in a tooltip. This enables you to know exactly what has changed
and, if necessary, roll back the change. |
Enhanced Management Logs Incident ID Value | To improve your investigation capabilities,
Cortex XDR now includes the Incident ID value in the Management Audit
logs when you perform an action on a single incident. The following
list displays examples of the updates by log subtype:
|
Updated Management Audit Logs for Threat
Handled Incident Status | To maintain consistency, Cortex XDR has
updated the following management audit log for change in status
of Threat Handled incidents:
|
Improved Management Audit Logs for Host
Insights Vulnerability Assessment Data Collection ( Requires
a Cortex XDR Pro per Endpoint license and Host-Insights add-on ) | When you rerun the host-insights data collection scan,
either from the Vulnerability Management endpoints
view or from the Asset View , Cortex XDR now uses
the same management audit log types as follows:
This
change applies to future audit logs. Previously-created audit logs
retain their current descriptions. For more information on Cortex
XDR auditing, see Monitor Administrative Activity |
Enhanced Audit Log for Operations in Rules Exceptions | The Cortex XDR management console now enables you
to view audit logs for Create,
Edit, and Delete operations of Rules Exceptions. In addition, the existing
management audit logs for import and export of Rules Exceptions
are now logged under the Rules Exceptions type. |
Investigation and Response | |
XQL Multi-Language Data Support ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) can
now support data provided in multiple languages, such as in XQL
queries, lookups, widgets, and external data ingestion. |
New XQL Datasets with Dataset Permission Enforcement ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes the following new datasets called device_control , endpoints ,
and host_inventory . These datasets support
dataset permission enforcements in the Cortex XDR Query Language
(XQL), Query Center, and XQL Widgets. To view or access any of these
datasets, you need role-based access
control (RBAC) permissions to the Device Control, Endpoint
Administration, and Host Inventory views. |
New Standardized User Format for Events
and Alerts ( Requires a Cortex XDR Pro license | To streamline the way usernames appear in
network events and alerts, Cortex XDR now processes and displays usernames
in the following standardized format, also termed “normalized
user”: <company domain> \<username> In
the Cortex XDR Query Language (XQL),
every user field included in the raw data, for network, authentication,
and login events, has an equivalent normalized user field associated
with it that displays the user information in the standardized format. For
example, the login_data field has the login_data_dst_normalized_user field
to display the content in the standardized format. We recommend
that you use these normalized_user fields when
building your queries to ensure the most accurate results.As
a result, any alert triggered based on network, authentication,
or login events, now displays the User Name in
the new standardized format in the Alerts and Incidents pages.
This change impacts every alert for Cortex XDR Analytics and Cortex XDR
Analytics BIOC, including BIOC and IOC alerts triggered on one of
these event types. |
New XQL IP Location Stage ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new stage command that enables you to associate the IPv4
address of any field to a list of predefined attributes related
to the geolocation. To support this, you can now add the iploc stage to your queries
using the format: iploc <field name> To
improve your query performance, we recommend that you filter the
data in your query before you run the iploc stage command.
In addition, limiting the number of fields in the results table
further improves the performance. |
New XQL Bin Stage ( Requires a
Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new stage command that enables you to group events by
quantity or time span. The most common use case is for time charts. To
support this feature, you can now add the bin stage command to your
queries using these formats depending on whether you are grouping
by quantity or time span:
When
you group events by quantity, the <field> in
the bin stage command must be a number. When
you group by time, the <field> must be a date type. |
New XQL Time Frame Configuration Function ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new configuration function that enables you to perform
searches within a specific time frame from the query execution.
To support this feature, you can now add the config stage command to
your queries with the timeframe function using
these formats:
|
New Support for Linux System Authentication Logs ( Requires
a Cortex XDR Pro license ) | EDR data collected
for Linux now contains Linux system authentication logs.
These Linux system authentication logs are now available using XQL queries
and the Query Builder. As a result, in the Query Builder, the Event
Log now includes both Windows and Linux event logs and
the corresponding event_type in XQL has been
renamed from WINDOWS_EVENT_LOG to EVENT_LOG . |
New Visualizations for Widgets Based on
XQL Search Queries ( Requires a Cortex XDR Pro license ) | To help you better view and visualize data based on
XQL search queries, Cortex XDR expanded the type of available widgets
so that you can now display the search results using:
|
Incident
Thresholds for Alert Grouping | To keep incidents fresh and relevant, Cortex
XDR now provides the following two new thresholds after which an
incident stops adding alerts:
After the incident
reaches either threshold, it stops accepting alerts and Cortex XDR
groups subsequent related alerts in a new incident. For increased
visibility, Cortex XDR also provides a new Alerts Grouping Status field
in the Incidents table to identify the grouping status: Enabled when
the incident is open to accepting new related alerts or Disabled if
either threshold is reached and the incident is closed to further alerts
or if the incident reached the 1,000 alert limit. To view the exact
reason for a Disabled status, you can hover over the status field. |
MITRE, Severity, and Alert Grouping Visibility
in Incident Table | You can now view the following MITRE, severity,
and alert grouping fields in the Incident Table. Each
field displays the following information:
Incidents
created prior to Cortex XDR version 2.9 are updated as follows:
|
Incident Table View Enhancement | To streamline your incident investigation
process and reduce the number of steps it takes to investigate an incident,
Cortex XDR now allows you to display the Incidents page in one
of two new views:
The List
view displays the current table. The new Detail view positions the
incident table rows in a left-side pane and displays the complete Incident View on
the remaining of the page allowing you to scroll through the incident
rows and display each incident view without the need to pivot to
another tab or window.To ensure visibility of the incident
data, each row in the pane displays the incident description and
incorporates icons that provide the following details:
In addition, you can
sort the incident rows according to the available fields. The
current right-click menu options are also available in the Detail
view. |
Causality View Loading Time Enhancements | To improve loading time, as of Cortex XDR
version 2.9, when navigating to the Causality View from an
alert or event, Cortex XDR now displays the causality data as follows:
|
Added Option to View The Observed Behaviors
of Behavioral Threat Protection Alerts | The Cortex XDR management console now allows
you to view the observed behaviors of Behavioral Threat Protection alerts. To view the observed behaviors,
right-click on an alert in the alert table or in the incident view
and select View Observed Behaviors .The
option to view the Observed Behaviors table already exists in the
Causality Card. The new view option is another pivot option to view
the same information, and both options remain available. |
Featured Alert Fields Enhancement ( Requires
a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight alerts that are significant to you, Cortex
XDR now includes Active Directory Groups and Organizational Unit (OU)
as optional Featured Alert Fields labels.Define
a Featured AD or OU in . To
easily locate alerts containing featured AD or OU fields, in the Alerts
Table , alerts are flagged in the Alert Name field
with a flag and appear in the Contains Featured User or Contains Featured
Host fields associated with the AD/OU. |
Enhanced Alerts Deduplication | To better identify and deduplicate Analytics,
IOC or BIOC alerts for the same activity, the deduplication period is
now calculated according to the actual time the event took place,
rather than according to the time the event was reported to Cortex
XDR. This change applies to future alerts. Previously-created
alerts remain the same. |
Quick Actions in Tables | To streamline investigation in Cortex XDR,
you can quickly initiate actions using new icons that are available
in throughout Cortex XDR. The new icons are available in table rows
upon a left click of the row and provide an alternative to the right-click
pivot menus. The new icons are available for rows in the
following tables:
|
Centric View of CVE, Endpoint, and Application information,
with additional Vulnerability Assessment Enhancements | To streamline your investigation under Vulnerability Assessment,
Cortex XDR now provides a centric view for a single CVE, Endpoint,
and Application, each accessible when you click on a specific row
of the Vulnerability Assessment and Host Insights panels. These
views list the affected applications, endpoints, or applied vulnerabilities,
in an exportable and searchable manner, together with additional
information on each entity. The CVEs tab under Vulnerability
Assessment now includes additional fields to better fine-tune your vulnerability
investigation. This includes:
Other
view enhancements:
In
addition, Cortex XDR now calculates an unlimited number of vulnerabilities
per endpoint, as opposed to a limit of 500 vulnerabilities per endpoint
in previous versions. This update means that you might
see a higher number of CVEs in Vulnerability Assessment screens,
as well as in reports and dashboards. |
Low and Informational Categorization for
Agent Alerts | The Cortex XDR management console now displays Behavioral
Threat Protection (BTP) alerts at Low or Informational
severity. These are displayed as Insights in the Incident
View and the Causality View panels.
Low severity alerts are also displayed in the Alerts table. |
Authentication Story Enrichment ( Requires
a Cortex XDR Pro per Endpoint license and a Cortex XDR agent 7.3
or later for Linux ) | Starting with this release, Cortex XDR includes
Linux authentication logs in authentication stories and will generate
alerts accordingly. |
External Data Ingestion | |
Zscaler Cloud Firewall Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | If you use Zscaler Cloud Firewall in your
network, you can now forward your firewall and network logs to Cortex
XDR for analysis. This enables you to take advantage of Cortex XDR
anomalous behavior detection and investigation capabilities. To
begin analyzing your traffic logs, you set up a Syslog Collector
and configure your firewall to forward logs to the Syslog Collector.
To provide seamless log ingestion, Cortex XDR automatically maps
the fields in your traffic logs to the Cortex XDR log format. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a Zscaler XQL dataset ( <Vendor> _<Product> _raw<Vendor> and <Product> fields
defined on the Zscaler syslog configuration. This enables you to
search the logs using XQL Search. |
Windows DHCP Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | To provide additional network asset visibility
in Cortex XDR Asset Management and improved
analytics, Cortex XDR can now ingest Windows DHCP logs.
To receive logs, configure settings
for the vendor in Cortex XDR, which replaces the preexisting settings.
In addition, you must install and configure an Elasticsearch Filebeat
agent on your Windows DHCP Server.As soon as Cortex XDR begins
receiving logs, the app automatically creates a Windows DHCP XQL
dataset ( windows_dhcp_raw ). This enables
you to search the logs using XQL Search. |
Syslog Collector Applet Enhancements ( Requires
a Cortex XDR Pro per TB license ) | The Syslog Collector applet
now includes these enhancements:
|
Additional External Alerts Fields Available
for Mapping ( Requires a Cortex XDR Pro license ) | When you ingest alerts from external sources
using either the Syslog Collector or Cortex XDR API, you can now map
these additional optional fields to the alerts table:
|
New Behavior for Ingesting Null Fields ( Requires
a Cortex XDR Pro license ) | To expand your investigation and analytics capabilities,
Cortex XDR now ingests any field with a null value, as opposed to
the previous behavior of not ingesting these null value fields.
It is also now possible to use the Cortex XDR Query Language (XQL)
to query ingestion rules for null values. |
Analytics | |
Improved Accuracy for Malware Protection ( Requires
a Cortex XDR agent 7.4 or later release for Windows ) | Starting with this release, WildFire introduces analysis
scores for files with Benign verdict to indicate the level of confidence
WildFire has in the Benign verdict. For example, a file by a trusted
signer or a file that was tested manually would get a high confidence
Benign score, whereas a file that did not display any suspicious
behavior at the time of testing would get a lower confidence Benign score.
Files with a low confidence score are displayed as Benign Low Confidence
(LC). When Cortex XDR receives a Benign Low Confidence verdict,
the agent enforces the Malware Security profile settings you currently
have in place (Run local analysis to determine the file verdict,
Allow, or Block). As soon as you deploy your Cortex XDR
7.4 agents, Cortex XDR will enforce this new behavior according
to the settings you already have in your existing Malware Security
profile for files unknown to WildFire. If you want to change it,
you need to change the existing settings. |
Cortex XDR Identity Analytics Add-On Module ( Requires
a Cortex XDR Pro license ) | To expand your investigation capabilities,
Cortex XDR now offers a new Identity Analytics add-on module.
The add-on requires a Cortex XDR Pro per TB license and a separate
module license. The module license is currently free, however will
entail an additional cost in the future. The Identity Analytics
add-on displays in the Analytics Alert View suspicious user
activity such as stolen or misused credentials, lateral movement,
credential harvesting, or brute-force data collected by the Cortex
XDR Analytics engine detectors.When investigating an analytics
type alert, a new User node appears in the
causality view. Hover over the node to display user profile information,
such as recent authentication statistics, user role, and if associated
with Active Directory groups or Organizational Units. When selecting
the alert node, in the Alert Description and Event
Table sections, Cortex XDR displays the recent logins,
hosts, alerts, and process executions associated with the user. |
Auto-Disable of Alerts from Analytics Detectors ( Requires
a Cortex XDR Pro per TB license ) | To ensure the analytics detectors raise
alerts efficiently and do not overcrowd your Alerts table, Cortex
XDR automatically disables alerts from detectors that reach 5000
or more hits over a 24 hour period. |
Endpoint Security
and Management | |
Cortex XDR Agent Deployment with Installer
and Content Update Package ( Requires a Cortex XDR agent
7.4 or later release for Windows ) | To reduce the network load and time typically required
for the initial roll-out or major upgrades of the Cortex XDR agent,
Cortex XDR now offers an agent installation and content update package.
The package includes the agent installer and the latest supported content
available at the time of the bundle download, eliminating the Content
Update download phase from the Cortex XDR Server post agent installation.You
can deploy the package using a third party tool such as SCCM, or manually
on the endpoint. For more information on the installation
process, refer to the Cortex XDR Agent administrator
guide. |
Cortex XDR Agent Installer and Content Caching on
the Broker VM ( Requires a Cortex XDR agent 7.4 or later
and Broker VM 12.0.58 or later ) | To reduce external bandwidth usage and time required
for Cortex XDR agent installations, upgrades, and content updates,
Cortex XDR now offers an additional option to cache the files on
your Cortex XDR Broker VM. When both P2P and Broker VM download
sources are selected, the agent first queries a peer agent for the
files. If the files are unavailable or the process fails, the agent queries
the Broker VM where the files are stored for a 30-days retention
period since an agent last asked for them. If the download from
the Broker VM fails as well, the agent retrieves the files directly
from the Cortex XDR server. The option to retrieve the files from
the Server is always enabled. To enable the Broker VM caching
option, you must first:
For
the detailed workflow on how to set up caching on the Broker VM,
refer to the Cortex XDR administrator’s guide. |
Peer-to-Peer Distribution of Cortex XDR
Agent Installers | To reduce bandwidth load when distributing
installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now
leverages P2P distribution to include agent installers, in addition
to content updates. In your Agent Settings profile, you can choose
the download source from which agents retrieve release upgrades
and content updates: P2P, Palo Alto Networks Broker VM, and the
Cortex XDR server. Peer-to-peer distribution is enabled by default
in the Agent Settings profile,
and requires that you enable UDP and TCP over port 33221 (You can
change this port number later on through the Agent Settings profile). |
Device Control Enforcement on Previously Connected
USB Devices ( Requires a Cortex XDR agent 7.4 or later
release for Windows ) | When the Cortex XDR agent starts enforcing
Device Control on the endpoint, it now enforces the policy rules
not only on newly connected devices, but also on devices that were
previously connected to the endpoint before the policy enforcement
was applied. |
Native Support for Apple Silicon (M1) ( Requires
a Cortex XDR agent 7.4 or later release for Mac ) | Starting with this release, you can install
the Cortex XDR agent on macOS based devices with Apple Silicon (M1).
To resolve issues that could occur, refer to the Cortex XDR 7.4
agent list of known issues. |
Context-based Global Exceptions for the
Gatekeeper Enhancement Protection Module ( Requires a
Cortex XDR agent 7.4 or later release for Mac ) | Now when the Cortex XDR Gatekeeper Enhancement security
module raises an alert, you can create a global exception for this
specific source-child combination only, while allowing Cortex XDR
to continue enforcing the Gatekeeper Enhancement protection module
on the source process running other child processes. For more
details, see Add a Global Endpoint Policy
Exception. |
Cortex XDR Agent Silent Uninstall ( Requires
a Cortex XDR agent 7.4 or later release for Mac ) | Starting with this release, when you uninstall
the Cortex XDR agent from the Cortex XDR management console, the
process is silent and does not prompt the end-user for approvals
on the endpoint. |
Scope-Based Access Control (SBAC) for Endpoints | Cortex XDR now enables assignment of user permissions
to specific endpoint groups in the organization. By default, all
users have management access to all endpoints in the tenant. However,
after you (as an administrator) assign a management scope to a Cortex
XDR user, the user is be able to manage only the specific endpoints
within that scope. This Scope-Based Access Control (SBAC) affects
the following functional areas in Cortex XDR:
The rest of the functional areas and their
permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions
are granted to a scoped user, the user will be able to access all
endpoints in the tenant within this functional area. For example,
a scoped user with a permission to view incidents, can view all
incidents in the system without limitation to a scope. To
view and modify the scope of a user, go to In
the list of Cortex XDR users, the Endpoint Scope column now specifies
any SBAC assignment. |
Broker VM Version
12.1.5 | |
CSV Log Files Integration with the Broker
VM ( Requires a Cortex XDR Pro per TB license ) | The broker VM now provides a new CSV Collector applet
that enables you to monitor and collect CSV log files from a shared
Windows directory directly to your log repository for query and
visualization purposes. After you activate the CSV Collector
applet, you can ingest CSV files as datasets by defining the list
of folders mounted to the broker VM and setting the list of CSV
files to monitor and upload to Cortex XDR using a username and password. |
Agent Proxy Listening Interface | You can now specify a proxy listening interface
when activating a local agent on the broker VM, through the Activate
Local Agent applet. For more information, see the Cortex XDR Administrator’s Guide. |
API | |
New XQL API ( Requires a Cortex
XDR Pro license ) | To expand your investigation capabilities,
Cortex XDR now enables you to run XQL queries on your data sources using
APIs. The XQL APIs require a Cortex XDR
Pro license and a daily Query Quota made up of query units. Cortex
XDR provides a free quota of query units and you will be able to
purchase additional units in future Cortex XDR versions. Each
XQL query consumes query units based on the number of API response
results. Queries called without enough quota will fail. You
can run the following APIs on your tenant and MSSP child tenants:
To help you track
your XQL APIs, in the Cortex XDR app, you can view the following
information:
|
New API Key Time Limit | For an added layer of security when managing
your user API permissions, you can
now set a time limitation on the API key used to authenticate API calls. When
creating API keys, select the option to enable an Expiration
Date for the key. In the API Keys table,
a new Expiration Time field has been added
allowing you to track each key.In addition, Cortex XDR displays
an API Key Expiration notification one week and one day prior to
the defined expiration date. |
Enhanced Visibility of Incident Data | To help you gain greater visibility of requested
API data when calling Get Incidents and Get Extra Incident Data APIs,
the response section now includes the following fields:
|
Updated Alert Severity Valid Values | To ensure consistency in the Cortex XDR
app Alerts table, when calling Insert Parsed Alerts API,
the severity filed is now mandatory
and does not accept the value Unknown . Possible
valid values are:
|
Updated Featured Alert Fields API ( Requires
a Cortex XDR Pro license ) | To expand your Featured Alert Field capabilities, Cortex
XDR has updated the Replace Featured Active Directory
Groups Replace Featured Active Directory Groups API to
allow you to delete and replace Organizational Unit (OU) in addition
to Active Directory Groups (AD).When calling /replace_ad_groups/ , you
can now distinguish between an AD or OU group by including the new
field type with a value of either group or OU in
your request. The field is not mandatory and is sent, by default,
as group . |
Upload Cortex XDR Indicator Request Validation | To help you gain greater visibility if an
indicator has been updated correctly, when calling Insert Simple Indicators, CSVand Insert Simple Indicators, JSON APIs,
you can now send a validate field in
your request. In the case where the update was unsuccessful,
the validate field returns a validation_errors array listing
the specific fields and errors that occurred. |
Features Released in March
The following table describes new features in the Cortex XDR
2.8 release.
Feature | Description |
|---|---|
Access
Management | |
Cortex XDR Management Console IP Address
Changes | Cortex XDR now uses new IP addresses for accessing
the Cortex XDR management console ( <xdr-tenant> .xdr.<region> .paloaltonetworks.comcortex-xdr App-ID
or the outgoing HTTPS connection is not filtered by a firewall,
no firewall adjustments are necessary. However, if your HTTPS connection is
filtered through a firewall (and you do not use the App-ID), you
must adjust your configuration to use the new IP addresses according
to your region. The FQDN for the Cortex XDR management console remains
unchanged. |
Broker VM | |
Approved Remote Terminal Commands | When you connect to a broker VM remotely, Cortex XDR now
allows you to perform the following privileged commands:
|
API | |
Enhanced Visibility of Mac Addresses | To provide greater visibility for alerts
that have multiple associated MAC addresses, the Get Alerts API response
now includes the mac_address field. The
new field returns a list of one or more MAC addresses and will supersede
the existing mac field which will be deprecated
in a future release. |
Features Introduced in February
The following table describes new features in the Cortex XDR
2.7 release.
Feature | Description |
|---|---|
General | |
Extended Tab Viewing Options | The option to view results in the same or a
new tab are now available in the pivot menus of the following tables:
|
In-App New Version Notification | Cortex XDR now displays a notification when
you log in to your tenant following a Cortex XDR version upgrade.
The notification displays the updated version number and lists selected new
features available for your license type. From the notification,
you can choose to pivot to the Release Notes for
more information or you can dismiss the notification and view at
another time by navigating to in the Cortex XDR management console. |
Audit Logs SHA256 Value Enhancement | To improve your investigation capabilities,
Cortex XDR now includes the SHA256 value in the Management Audit
and Agent Audit logs for files that you restored and quarantined. The
Management Audit Log and Agent Audit Log Description field
in the Cortex XDR management console and the Get Audit Agent Report
and the Get Audit Management Log APIs now display the file Description in
a new format:
|
Auto-Disable BIOC Rules Log Description Update
in Audit Logs | The Auto-Disabled behavioral indicator of
compromise (BIOC) rule Description field
displayed in the Management Audit Log page and the Get Audit Management
Log API now display the rule description in
a new format:BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity> |
Investigation
and Response | |
XQL Query Language Enhancements ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) is extended
in the following ways:
|
New Datasets for XQL Search ( Requires
a Cortex XDR Pro license ) | Cortex XDR now enables you to query the
following data using the Cortex XDR Query Language (XQL):
In addition, log records received
from a security information and event management (SIEM) system are
parsed into key-value pairs. Log record field values that are not
identified as an integer, string, or timestamp are ingested as a
JSON record. |
Network Preset Name Change in XQL Search ( Requires
a Cortex XDR Pro license ) | The Network preset for XQL Search of EDR
data is changed—it is now Agent Network. This is only a name change;
this preset still provides the same network events sent from agents
as before this change. The Agent Network preset is not the
same as the Network Story preset that provides stitched network
events from different sources. |
Additional XQL Search Pivot Functionality ( Requires
a Cortex XDR Pro license ) | To continue investigation, you can now pivot from XQL Search results
to the Causality View and Timeline View. These options are supported
for results that identify the following types of events: process
(except for those with an event subtype of termination), network,
file, registry, injection, load image, system calls, network stories,
and Windows event logs. From the events table in the Causality
View and Timeline View, you can similarly pivot from an event to View
in XQL in either the same tab or a new tab. This can
be useful if you want to further refine the query to continue investigation. |
Histograms
for XQL Search Queries ( Requires a Cortex XDR Pro license ) | Cortex XDR now automatically generates histograms
for every field that is part of an XQL Search result. A histogram
is a type of visualization of the results within a specific query. Histograms
are similar to bar charts that show the distribution of values within
a specific field across a result set. Each time you generate a new
query, Cortex XDR will regenerate the histogram based on the updated
result set. Histograms are not supported for JSON and array
fields. |
New Visualizations for Widgets Based on XQL
Search Queries ( Requires a Cortex XDR Pro license ) | To help you better view and visualize data
based on XQL search queries, you can now view your XQL search results in
three new modes:
Cortex
XDR expanded the type of available widgets so that you can now display
the search results using:
To
easily save a visualization after you create a widget, find the
widget in the Widget Library. |
New
Cortex XDR Widget Library | To streamline widget visibility and management,
Cortex XDR now enables you to search, view, and edit both your custom widgets
and the Cortex XDR predefined widgets in the new Widget Library. The
library is a one-stop page where you can easily add or create widgets
to your dashboards and reports to help you continuously monitor
your XQL query results, logs, and data visually. |
New Incident Management Page | To streamline the Investigation menu,
a new Incident Management page is now available.
From this page, you can view starred incidents, manage scoring rules, and view incident exclusions. |
Custom
Incident Scoring Rules ( Requires a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight incidents that are significant in your environment,
Cortex XDR now enables you to define custom incident scoring rules that
prioritize your incidents according to the needs of your organization. Define
scoring rules in the Cortex XDR management console on the page.
Each rule is based on a defined score, an Alert attribute, or the
entity on which it occurred. When an alert matching the defined
rule is raised, Cortex XDR adds the alert score to the total score
of the incident. By default, the alert score is applied only to
the first alert that matches the defined rule. Subsequent alerts
for the same incident do not receive any score. The incident
score is displayed as a filterable Score field
in the Incident table and as a tag in the Incident View. |
Featured Alert Fields ( Requires
a Cortex XDR Pro license ) | To streamline the investigation process
and better highlight alerts that are significant to you, Cortex
XDR now enables you to label specific alert attributes as Featured Alert Fields. Featured
fields help you track alerts that involve a specific:
Label a field as Featured in and then
filter and sort alerts containing the featured fields in the Alerts
Table using the new table fields:
To
easily locate alerts containing featured fields, alerts containing
one or more of the featured fields are flagged in the Alert
Name field with a
flag.Alert notification emails
now include whether the alert contains one or more featured fields:
|
IOC Rule Functionality Enhancements ( Requires
a Cortex XDR Pro license ) | To ensure your indicators of compromise (IOCs) rules raise alerts
efficiently and do not overcrowd your Alerts table, Cortex XDR now
automatically performs the following tasks:
|
Network Causality Event Timestamp Investigation ( Requires
a Cortex XDR Pro license ) | To help you investigate the time frame of
security processes and connections made over your network, Cortex
XDR now displays the network event timestamp in the Network Causality View. When
selecting the Network Appliance node in the Network Causality View,
the event timestamp is now displayed in the Entity Data section
of the card. |
Enhanced Timestamp Investigation | To enhance your investigation capabilities,
you can now narrow the Timestamp field results
in the Cortex XDR tables by right-clicking to display rows that
are 30 days before or 30 days after the selected field value. |
Events Table Results Enhancements | The Events table (available from the Causality View and Timeline View) now includes
the following enhancements:
|
Slack Notifications Enhancement | To help streamline investigations for alerts
you receive on Slack, Cortex XDR now
provides a link in Slack notifications to the alert details in Cortex
XDR. If the alert is part of an Incident, the notification also
includes the link to investigate the incident in Cortex XDR. |
Hostname Visibility in Alerts | Hostname visibility in the Cortex XDR Alerts Table
is now displayed according to the following guidelines:
|
Native Search Deprecation | For queries on data in your Cortex XDR tenant,
Cortex XDR provides query functions using the XQL Search that enable
you to query the data, create widgets, and schedule queries, all
of which supersede the Native Search. The Native
Search will remain available from the Query Builder only until the
next release. |
Remote Malicious Causality Chains Response (Windows) ( Requires Cortex
XDR agent 7.3 or a later version ) | When the Cortex XDR agent identifies a remote
network connection that attempts to perform malicious activity—such
as encrypt endpoint files—the agent can now block the IP address
to close all existing communication and block new connections from this
IP address to the endpoint. You can view the list of all blocked
IP addresses per endpoint from the Cortex XDR Action
Center , as well as unblock them to re-enable communication
as appropriate. You set the action mode in your Malware Security profile
where you can also add a specific and known safe IP address or IP
address range to the IP addresses allow list. This capability is supported
for network connections made in IPv4 only.When Cortex
XDR blocks an IP address per endpoint, that address remains blocked
throughout all agent profiles and policies, including any host-firewall
policy rules. |
Network Isolation of macOS Endpoints (macOS
10.15.4 and later) ( Requires Cortex XDR agent 7.3 or a later
version ) | Cortex XDR now extends the Network isolation
response action to macOS endpoints. To prevent a compromised macOS
endpoint from communicating, you can now isolate your endpoint to
halt all network access on the endpoint except for traffic to Cortex
XDR. After you isolate an endpoint, the
Cortex XDR agent reports an Isolated check-in status and the endpoint
remains isolated from the network until you cancel this isolation
from Cortex XDR. Note the following limitations:
|
Live Terminal Enhancements (Windows and Mac) ( Requires Cortex
XDR agent 7.3 or a later version ) | To improve the awareness and visibility of
the endpoint end user, now when you initiate a Live Terminal session
from Cortex XDR to the endpoint, you can prompt the end user to approve
the connection request. Additionally, you can configure the Cortex
XDR agent to display a blinking light (
) on
the tray icon (or in the status bar for Mac endpoints) for the duration
of the remote session to indicate to the end user that a live terminal session
is in progress. Both settings are optional and you can configure
them independently. |
External Data Ingestion | |
PingFederate Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest logs from PingFederate. To receive
logs, you must enable PingFederate to send logs in CEF format to
the Syslog Collector that you set up on the broker VM. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a PingFederate XQL dataset ( ping_identity_pingfederate_raw )
and enables you to search the logs using XQL Search. Log information
from PingFederate is also visible, when relevant, in the xdr_data dataset and
in the authentication_story preset. |
Amazon CloudWatch and AWS CloudTrail Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail Logs.
To receive logs, configure SaaS Log Collection settings for
the vendor in Cortex XDR.As soon as Cortex XDR begins receiving
logs, the app automatically creates an Amazon AWS XQL dataset ( amazon_aws_raw )
and enables you to search the logs using XQL Search. |
Elasticsearch Filebeat Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | When you use Elasticsearch Filebeat to
log activity on your endpoints or servers, Cortex XDR can now ingest those
file logs. To receive logs, configure the collection settings for Filebeat
in Cortex XDR and the output settings in your Filebeat installations. As
soon as Cortex XDR begins receiving logs, Cortex XDR automatically
creates a dataset for each collected vendor and product and makes
logs available in XQL Search queries. |
HTTP Log Collector ( Requires a Cortex
XDR Pro per TB license ) | You can now set up an HTTP Log Collector to receive
logs in text or JSON format. To begin receiving logs you must first
set up the HTTP Log Collector and use the provided examples to construct
an HTTP POST request. As soon as Cortex XDR begins receiving
logs, Cortex XDR automatically creates a dataset using the vendor
and product you specified during the log collector setup. You can
then use XQL Search to initiate queries on the dataset. |
Google Kubernetes Engine (GKE) Log Ingestion ( Requires
a Cortex XDR Pro per TB license ) | As an alternative to setting up a GCP Pub/Sub,
Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using
Elasticsearch Filebeat. To receive logs, you must install Filebeat
on your containers and enable SaaS Log Collection settings for Filebeat. As
soon as Cortex XDR begins receiving logs, the app automatically
creates a GKE XQL dataset—using the product and vendor that you
specify during Filebeat setup—and enables you to search the logs
using XQL Search. |
Extended Log Ingestion for Syslog in LEEF
Format ( Requires a Cortex XDR Pro per TB license ) | Cortex XDR extends log ingestion support
to vendors sending LEEF over Syslog. As with
log ingestion for CEF over Syslog, you can configure the protocol,
the IP address and port, and the format settings for the syslog
collector. After Cortex XDR begins receiving logs from the
third-party source, it automatically parses the logs in LEEF format
and creates a dataset. Cortex XDR extracts the vendor and product
name to identify the dataset as <vendor> _<product> _raw |
Analytics | |
Analytics BIOC Visibility and Management ( Requires
a Cortex XDR Pro license ) | If you have Analytics enabled, Cortex XDR
now provides visibility into and enables management of your Analytics BIOC rules by
pivoting from the BIOC Rules table to a dedicated page. For
each rule, Cortex XDR displays identifying information, such as
name and ID, severity, rule activation status, and any relevant
MITRE ATT&CK information. Cortex XDR also enables you to disable
or enable Analytics BIOC rules as needed. To view and manage
Analytics BIOC rules, you must have the corresponding permissions
enabled for your role. |
Asset Management | |
Enhancements to Asset Management ( Requires
a Cortex XDR Pro license ) | Cortex XDR now displays also the MAC address
vendor name, and the platform running on your managed and unmanaged assets. |
Export Network Assets to File ( Requires
a Cortex XDR Pro license ) | You can now export your Asset Management table results
to a tab-separated values (TSV) file. |
Endpoint
Security and Management | |
Flexible Agent License Revocation ( Requires
a Cortex XDR Pro license ) | To enable a flexible revocation policy for
Cortex XDR agent licenses, you can now configure the number of days
after which the license should be returned when an agent loses the
connection to Cortex XDR. In addition, you can configure the number
of days after which the agent and related data is removed from the
Cortex XDR management console and database. For more information,
see Cortex XDR Agent License Revocation. |
Enhanced Local Analysis
Prevention (Windows) ( Requires a Cortex XDR Prevent or Cortex
XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later
version ) | The Local Analysis module, which prevents
the execution of malicious Portable Executables (PEs) and Office
documents with macros, now includes a new rule-based static engine
that provides an additional layer of protection. The new engine
provides additional context to Cortex XDR alerts by matching the
samples that are under agent examination to static rules that inspect multiple
file attributes and features. The Local Analysis rules are
maintained by the Palo Alto Networks Research team and are updated
through content updates. You cannot add, modify, or remove rules
from the Local Analysis module. |
Bulk Alias Edits for Endpoints ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license ) | To enable you to quickly change the alias for multiple
endpoints, you can now perform the action from the Endpoint
Control menu on the Endpoint Administration page. |
Vulnerable Drivers Protection (Windows) ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.2 or a later version ) | Cortex XDR can now leverage the latest threat
research to quickly deploy behavioral threat protection (BTP) rules
that detect attempts to load vulnerable drivers. As with other BTP
rules, Cortex XDR can deliver changes to vulnerable driver rules
with content updates. To configure vulnerable drivers protection,
you must enable Behavioral Threat Protection and configure
the Action mode for vulnerable drivers protection as
part of a Malware Security Profile.By
default, Cortex XDR blocks all identified attempts to run vulnerable
drivers. If you change the default ( Block ), you can Report (and
allow) vulnerable drivers or disable the module. |
Device Control for VDI (Windows) ( Requires
a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.3 or a later version ) | Cortex XDR now extends Device Control for USB
devices to include virtual desktop infrastructure (VDI). The Cortex
XDR agent enforces the Device Control policy rules on USB devices
after the end user logs on to the VDI instance. USB Devices that
were connected prior to the agent enforcing the Device Control policy
rules are not blocked after the fact. Note the following limitations:
|
Unpatched Vulnerabilities Protection (Windows) ( Requires
a Cortex XDR agent 7.1 or a later version ) | Palo Alto Networks
strongly recommends that you upgrade your operating system as soon
as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more
information, refer to the Microsoft Security Response Center. For
Cortex XDR agents 7.1 and later releases running on unpatched Windows
endpoints, a new capability in the Exploit Security profile will
modify IP4 and IPv6 settings temporarily on the endpoint as a workaround
to protect unpatched endpoints from these known vulnerabilities.
After the endpoint is patched with a fix for these vulnerabilities,
the Cortex XDR agent automatically reverts all modified Windows
system settings to their values before modification. Before
applying this workaround on your endpoints, refer to the Cortex
XDR Administrator’s Guide for
the full details and impact this workaround could have on your network. |
Extended Device Control to Read-Only Disk
Drives (Windows and Mac) ( Requires a Cortex XDR Prevent
or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0
or a later version for Windows endpoints and Cortex XDR agent 7.2
or a later version for Mac endpoints ) | You can now set a Device Control policy
profile to allow disk drives to connect in read-only mode on the
specified endpoints. |
Peer-to-Peer Content
Distribution (Mac and Linux) ( Requires a Cortex XDR Prevent
or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3
or a later version ) | Cortex XDR now extends peer-to-peer content
distribution to Mac and Linux endpoints. To reduce bandwidth load
when distributing content from Cortex XDR to the Cortex XDR agents,
you can enable agents on your LAN network to retrieve the new content
version from other agents that already retrieved it. Peer-to-peer
content distribution is enabled by default in the Agent Settings Profile. |
Agent Installation Using a Unified Configuration
Profile File for MDMs (Mac) | For a seamless installation of the Cortex XDR
agent that does not require end user interaction, Palo Alto Networks
now provides a unified configuration profile that you can upload
to any third party deployment software of your choice. You can download
a configuration profile already signed by Palo Alto Networks, or
an unsigned configuration profile, if you prefer or are required
to sign using your own signing certificate. You can use the unified configuration
profile to deploy any version of the Cortex XDR agent. For more
information, refer to Install the Cortex XDR Agent
Using a Unified Configuration Profile for MDMs. |
Custom Agent Installation Directory (Linux) ( Requires
a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex
XDR agent 7.3 or a later version ) | You can now install your Cortex XDR agent in
a custom directory on Linux endpoints instead of using the default ./opt directory.
To do this, set the custom path in a new installation variable --install-path=/ .
After you install the Cortex XDR to the custom path, all following
upgrades and the removal of the agent from the endpoint are executed
in the same location. For more information, see how to Install the Cortex XDR Agent
for Linux.<some/path> |
New Operating Systems Support (Linux) ( Requires Cortex
XDR agent 7.3 or a later version ) | You can now install the Cortex XDR agent
on Linux endpoints that are running on:
For all supported kernel
versions, see the Latest kernel module version
support |
Host Insights Add-on | |
Search and Destroy Malicious Files on Mac
Endpoints (macOS 10.15.4 and later) ( Requires a Cortex
XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.3 or a later version ) | Cortex XDR now extends the File Search and
Destroy response action to Mac endpoints. You can use search and destroy to
take immediate action on known and suspected malicious files. You
can search from Cortex XDR for a file by hash or path on endpoints
and, after you identify the presence of the file, you can immediately
destroy the file from any or all endpoints on which the file exists. |
Host Insights Export to File ( Requires
a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.1 or a later version ) | You can now export all the Cortex XDR host insights tables and
respective asset views to a tab-separated values (TSV) file. |
Vulnerability Management Name Change ( Requires
a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex
XDR agent 7.1 or a later version ) | To better reflect the feature usage, Vulnerability Management is
renamed to Vulnerability Assessment . |
Multitenants
and MSSPs | |
Cross-Tenant XQL Queries for Multi-Tenancy ( Requires
a Cortex XDR Pro license ) | To enable multitenant management that uses
XQL Query to view raw data that is stored in Cortex XDR, you can
now execute XQL queries on a single child tenant or up to 100 child
tenants simultaneously directly from your parent tenant XQL Search page. When executing XQL queries on
a single child tenant, Cortex XDR provides the parent tenant with autocompletion
and validation capabilities to all datasets available on the child
tenant. When executing XQL queries on multiple child tenants simultaneously:
You can view, track, and investigate
the query results and graphs for each child tenant in your XQL Search
page results table or Query Center by filtering by child tenant. |
Broker
VM ( Version 11.1.1 ) | |
Broker VM Images | MD5 values for broker images version 11.1.1:
|
New Supported WEC Event Collection ( Requires
a Cortex XDR Pro per TB license ) | To expand the Broker VM data collection
capabilities, in addition to the default WEC event IDs, you can
now configure the Broker VM to collect all or specific Windows event types,
such as DHCP, DNS, and IIS event types, directly from the Cortex
XDR management console. |
WEC Domain Controller Certificate Notifications ( Requires
a Cortex XDR Pro per TB license ) | To keep you informed of your WEC Domain
Controller Certificate status and avoid service disruptions, Cortex
XDR now displays a notification of the remaining
time left on your license or whether your license is expired. |
Approved Remote Terminal Command | When you connect to a broker VM remotely, Cortex XDR now
allows you to perform the following privileged commands:
|
API | |
New Featured Alert Fields APIs ( Requires
a Cortex XDR Pro license ) | To expand your API capabilities, Cortex
XDR now provides the APIs to help you manage your featured alert fields.
Using the following APIs you can delete and replace existing featured
alert fields:
|
Enhanced Visibility of Incident Data | To help you gain greater visibility of requested
API data when calling Get Incidents and Get Extra Incident Data APIs, the response section
now includes the following Incident Scoring fields:
|
Enhanced Visibility of Alert Data | To help you gain greater visibility of Alerts
that include Featured host name, username, or IP address, the Get Alerts API response
now includes the following boolean type fields:
|
Enhanced Insert Parsed Alerts Capabilities | To enable you to include additional information
when running the Insert Parsed Alerts API,
you can now send the action status taken on an alert ( Reported or Blocked )
using the action_status field. |
