Features Introduced in 2021
Learn more about the Cortex XDR features introduced during 2021, organized by month and functional area.
Features Releasing in March
The following table describes new features in the Cortex® XDR™ 2.8 release. Cortex XDR 2.8 will be rolled out in two deployments, on March 14, 2021 and March 21, 2021; customers will be notified in advance of their 2.8 release availability. The information shared here is for INFORMATIONAL PURPOSES ONLY and is not a binding commitment.
Feature | Description |
---|---|
Endpoint Management | |
Proxy Communication IP Address Changes | Cortex XDR now uses new IP addresses for proxy communication, which may require firewall adjustments. If your Cortex XDR agents connect to Cortex XDR through a proxy, adjust or configure your firewall security policy to allow access to the new IP addresses for your region. If your firewall policy allows the cortex-xdr App-ID, no firewall adjustment is necessary and the FQDNs remain unchanged. |
Broker VM | |
Approved Remote Terminal Commands | The edit_routes command is now deprecated. To apply updates to your static network routes, Cortex XDR now provides the restart_routes command, which restarts the routing service and applies the changes you made to your network route configuration file. |
API | |
Enhanced Visibility of MAC Addresses | The response for the Get Alerts API now includes the mac_address field to provide greater visibility for alerts that have multiple associated MAC addresses. The new field returns a list of one or more MAC addresses and supersedes the existing mac field, which will be deprecated in a future release. |
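The mac_address/mac transition above is the kind of API change that silently breaks a consumer that reads only the old field. The following is an added example, not Palo Alto Networks code, showing how a Get Alerts consumer can read both fields during the deprecation window and compare addresses in one canonical form. It assumes each alert is a plain dict as found in the API reply; the alert_id key is used only to label the constructed samples.

```python
"""Normalise MAC addresses in Cortex XDR Get Alerts responses.

Added example; not Palo Alto Networks code. It assumes each alert is a dict as
found in the API reply, carrying the new mac_address list and/or the deprecated
mac string; alert_id is used only to label the constructed samples below.
"""
import re


def canonical_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or None if malformed.

    The two fields may carry the same address in different notations
    (AA:BB:..., aa-bb-..., aabb.cc...), so compare in one canonical form.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def alert_macs(alert):
    """Return the alert's MAC addresses as a deduplicated, ordered list.

    Prefers mac_address (a list); falls back to the deprecated mac (a string)
    so the consumer keeps working before, during and after the deprecation.
    """
    raw = alert.get("mac_address")
    if raw is None:
        legacy = alert.get("mac")
        raw = [legacy] if legacy else []
    elif isinstance(raw, str):
        raw = [raw]
    seen, out = set(), []
    for value in raw:
        canon = canonical_mac(value)
        if canon and canon not in seen:
            seen.add(canon)
            out.append(canon)
    return out


def alerts_by_mac(alerts):
    """Index alert IDs by MAC so one NIC can be pivoted to every alert that saw it."""
    index = {}
    for alert in alerts:
        for mac in alert_macs(alert):
            index.setdefault(mac, []).append(alert["alert_id"])
    return index


# Constructed sample alerts (not real API output).
SAMPLE_ALERTS = [
    {"alert_id": 1, "mac": "AA:BB:CC:DD:EE:01"},                 # pre-2.8 shape
    {"alert_id": 2, "mac": "AA:BB:CC:DD:EE:01",                  # both fields present
     "mac_address": ["aa-bb-cc-dd-ee-01", "AA:BB:CC:DD:EE:02"]},
    {"alert_id": 3, "mac_address": [], "mac": None},             # no NIC recorded
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["alert_id"], alert_macs(alert))
    print(alerts_by_mac(SAMPLE_ALERTS))
```

When mac_address is present it is treated as authoritative, even when empty, because the release note says it supersedes mac; only a response with no mac_address key at all falls back to the deprecated field.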
Features Introduced in February
The following table describes new features in the Cortex XDR
2.7 release.
Feature | Description |
---|---|
General | |
Extended Tab Viewing Options | The option to view results in the same tab or a new tab is now available in the pivot menus of the following tables:
|
In-App New Version Notification | Cortex XDR now displays a notification when you log in to your tenant following a Cortex XDR version upgrade. The notification displays the updated version number and lists selected new features available for your license type. From the notification, you can pivot to the Release Notes for more information, or you can dismiss the notification and view it later by navigating to User > What’s new. |
Audit Logs SHA256 Value Enhancement | To improve your investigation capabilities, Cortex XDR now includes the SHA256 value in the Management Audit and Agent Audit logs for files that you restored and quarantined. The Management Audit Log and Agent Audit Log Description field in the Cortex XDR management console, and the Get Audit Agent Report and Get Audit Management Log APIs, now display the file description in a new format:
|
Auto-Disable BIOC Rules Log Description Update in Audit Logs | The Description field for an auto-disabled behavioral indicator of compromise (BIOC) rule, as displayed on the Management Audit Log page and returned by the Get Audit Management Log API, now uses a new format: BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity> |
Investigation and Response | |
XQL Query Language Enhancements (Requires a Cortex XDR Pro license) | The Cortex XDR Query Language (XQL) is extended in the following ways:
|
New Datasets for XQL Search (Requires a Cortex XDR Pro license) | Cortex XDR now enables you to query the following data using the Cortex XDR Query Language (XQL):
In addition, log records received from a security information and event management (SIEM) system are parsed into key-value pairs. Log record field values that are not identified as an integer, string, or timestamp are ingested as a JSON record. |
Network Preset Name Change in XQL Search (Requires a Cortex XDR Pro license) | The Network preset for XQL Search of EDR data is renamed Agent Network. This is only a name change; the preset still provides the same network events sent from agents as before. The Agent Network preset is not the same as the Network Story preset, which provides stitched network events from different sources. |
Additional XQL Search Pivot Functionality (Requires a Cortex XDR Pro license) | To continue an investigation, you can now pivot from XQL Search results to the Causality View and Timeline View. These options are supported for results that identify the following types of events: process (except for those with an event subtype of termination), network, file, registry, injection, load image, system calls, network stories, and Windows event logs. From the events table in the Causality View and Timeline View, you can similarly pivot from an event to View in XQL in either the same tab or a new tab. This is useful if you want to further refine the query to continue the investigation. |
Histograms for XQL Search Queries (Requires a Cortex XDR Pro license) | Cortex XDR now automatically generates histograms for every field that is part of an XQL Search result. A histogram is a visualization of the results within a specific query, similar to a bar chart, that shows the distribution of values within a specific field across a result set. Each time you run a new query, Cortex XDR regenerates the histograms based on the updated result set. Histograms are not supported for JSON and array fields. |
New Visualizations for Widgets Based on XQL Search Queries (Requires a Cortex XDR Pro license) | To help you better view and visualize data based on XQL search queries, you can now view your XQL search results in three new modes:
Cortex XDR also expanded the types of available widgets so that you can now display the search results using:
To easily save a visualization after you create a widget, find the widget in the Widget Library. |
New Cortex XDR Widget Library | To streamline widget visibility and management, Cortex XDR now enables you to search, view, and edit both your custom widgets and the Cortex XDR predefined widgets in the new Widget Library. The library is a one-stop page where you can easily add or create widgets for your dashboards and reports to help you continuously monitor your XQL query results, logs, and data visually. |
New Incident Management Page | To streamline the Investigation menu,
a new Incident Management page is now available.
From this page, you can view starred incidents, manage scoring rules, and view incident exclusions. |
Custom Incident Scoring Rules (Requires a Cortex XDR Pro license) | To streamline the investigation process and better highlight incidents that are significant in your environment, Cortex XDR now enables you to define custom incident scoring rules that prioritize your incidents according to the needs of your organization. Define scoring rules in the Cortex XDR management console on the Investigation > Incident Management page. The incident score is displayed as a filterable Score field in the Incident table and as a tag in the Incident View. |
Featured Alert Fields (Requires a Cortex XDR Pro license) | To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now enables you to label specific alert attributes as Featured Alert Fields. Featured fields help you track alerts that involve a specific:
Label a field as Featured under Investigation > Incident Management > Featured Alert Fields. To make such alerts easy to locate, alerts that contain one or more featured fields are flagged with an icon in the Alert Name field. Alert notification emails now also indicate whether the alert contains one or more featured fields:
|
IOC Rule Functionality Enhancements (Requires a Cortex XDR Pro license) | To ensure your indicators of compromise (IOC) rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically performs the following tasks:
|
Network Causality Event Timestamp Investigation (Requires a Cortex XDR Pro license) | To help you investigate the time frame of security processes and connections made over your network, Cortex XDR now displays the network event timestamp in the Network Causality View. When you select the Network Appliance node in the Network Causality View, the event timestamp is displayed in the Entity Data section of the card. |
Enhanced Timestamp Investigation | To enhance your investigation capabilities,
you can now narrow the Timestamp field results
in the Cortex XDR tables by right-clicking to display rows that
are 30 days before or 30 days after the selected field value. |
Events Table Results Enhancements | The Events table (available from the Causality View and Timeline View) now includes
the following enhancements:
|
Slack Notifications Enhancement | To help streamline investigations for alerts
you receive on Slack, Cortex XDR now
provides a link in Slack notifications to the alert details in Cortex
XDR. If the alert is part of an Incident, the notification also
includes the link to investigate the incident in Cortex XDR. |
Hostname Visibility in Alerts | Hostname visibility in the Cortex XDR Alerts Table
is now displayed according to the following guidelines:
|
Native Search Deprecation | For queries on data in your Cortex XDR tenant,
Cortex XDR provides query functions using the XQL Search that enable
you to query the data, create widgets, and schedule queries, all
of which supersede the Native Search. The Native
Search will remain available from the Query Builder only until the
next release. |
Remote Malicious Causality Chains Response (Windows) (Requires Cortex XDR agent 7.3 or a later version) | When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity, such as encrypting endpoint files, the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint. You can view the list of all blocked IP addresses per endpoint from the Cortex XDR Action Center, and unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile, where you can also add specific, known-safe IP addresses or IP address ranges to the IP addresses allow list. This capability is supported for IPv4 network connections only. When Cortex XDR blocks an IP address on an endpoint, that address remains blocked across all agent profiles and policies, including any host-firewall policy rules. |
Network Isolation of macOS Endpoints (macOS 10.15.4 and later) (Requires Cortex XDR agent 7.3 or a later version) | Cortex XDR now extends the Network Isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate the endpoint to halt all network access except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel the isolation from Cortex XDR. Note the following limitations:
|
Live Terminal Enhancements (Windows and Mac) (Requires Cortex XDR agent 7.3 or a later version) | To improve the awareness and visibility of the endpoint end user, when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light icon on the endpoint. |
External Data Ingestion | |
PingFederate Log Ingestion (Requires a Cortex XDR Pro per TB license) | Cortex XDR can now ingest logs from PingFederate. To receive logs, you must configure PingFederate to send logs in CEF format to the Syslog Collector that you set up on the Broker VM. As soon as Cortex XDR begins receiving logs, the app automatically creates a PingFederate XQL dataset (ping_identity_pingfederate_raw) and enables you to search the logs using XQL Search. Log information from PingFederate is also visible, when relevant, in the xdr_data dataset and in the authentication_story preset. |
Amazon CloudWatch and AWS CloudTrail Log Ingestion (Requires a Cortex XDR Pro per TB license) | Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail logs. To receive logs, configure the SaaS Log Collection settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon AWS XQL dataset (amazon_aws_raw) and enables you to search the logs using XQL Search. |
Elasticsearch Filebeat Log Ingestion (Requires a Cortex XDR Pro per TB license) | When you use Elasticsearch Filebeat to log activity on your endpoints or servers, Cortex XDR can now ingest those file logs. To receive logs, configure the collection settings for Filebeat in Cortex XDR and the output settings in your Filebeat installations. As soon as Cortex XDR begins receiving logs, it automatically creates a dataset for each collected vendor and product and makes the logs available to XQL Search queries. |
HTTP Log Collector (Requires a Cortex XDR Pro per TB license) | You can now set up an HTTP Log Collector to receive logs in text or JSON format. To begin receiving logs, you must first set up the HTTP Log Collector and use the provided examples to construct an HTTP POST request. As soon as Cortex XDR begins receiving logs, it automatically creates a dataset using the vendor and product you specified during log collector setup. You can then use XQL Search to query the dataset. |
Google Kubernetes Engine (GKE) Log Ingestion (Requires a Cortex XDR Pro per TB license) | As an alternative to setting up GCP Pub/Sub, Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using Elasticsearch Filebeat. To receive logs, you must install Filebeat on your containers and enable the SaaS Log Collection settings for Filebeat. As soon as Cortex XDR begins receiving logs, the app automatically creates a GKE XQL dataset, using the product and vendor that you specify during Filebeat setup, and enables you to search the logs using XQL Search. |
Extended Log Ingestion for Syslog in LEEF Format (Requires a Cortex XDR Pro per TB license) | Cortex XDR extends log ingestion support to vendors sending LEEF over Syslog. As with log ingestion for CEF over Syslog, you can configure the protocol, the IP address and port, and the format settings for the Syslog Collector. After Cortex XDR begins receiving logs from the third-party source, it automatically parses the LEEF-format logs and creates a dataset. Cortex XDR extracts the vendor and product name to identify the dataset as <vendor>_<product>_raw. |
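The CEF (PingFederate) and LEEF rows above, together with the note under New Datasets for XQL Search that SIEM records are split into key-value pairs and typed as integer, string, timestamp or JSON, describe one parsing pipeline. The following is an added example, not Cortex XDR code, that reproduces it end to end: it locates the CEF or LEEF payload inside a syslog line, splits the header and the key-value extension while honouring the formats' backslash escapes, types each value, and derives the <vendor>_<product>_raw dataset name. The normalisation of vendor and product to a dataset name (lowercase, runs of non-alphanumerics collapsed to one underscore) is an assumption that is consistent with the ping_identity_pingfederate_raw name on this page; the two sample messages are constructed.

```python
"""Parse CEF and LEEF syslog payloads into typed key-value records and derive
the <vendor>_<product>_raw dataset name.

Added example; not Cortex XDR code. The dataset-name normalisation is an
assumption consistent with ping_identity_pingfederate_raw; samples are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Record:
    dataset: str
    vendor: str
    product: str
    event: str
    fields: dict = field(default_factory=dict)  # key -> typed value
    types: dict = field(default_factory=dict)   # key -> integer|timestamp|json|string


def dataset_name(vendor, product):
    def norm(text):
        return re.sub(r"[^a-z0-9]+", "_", text.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"


def classify(raw):
    """Type a value with the precedence the page describes: integer, then
    timestamp, then a JSON object/array, otherwise string."""
    if re.fullmatch(r"-?\d+", raw):
        return "integer", int(raw)
    try:
        return "timestamp", datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        pass
    if raw[:1] in ("{", "["):
        try:
            return "json", json.loads(raw)
        except json.JSONDecodeError:
            pass
    return "string", raw


def _split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times, honouring backslash escapes in the
    header parts and leaving the remainder (the extension) untouched."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < maxsplit:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    parts.append(text[i:] if len(parts) == maxsplit else "".join(cur))
    return parts


# CEF extension: key=value pairs; values may contain spaces and escaped "\=" / "\\".
_CEF_EXT = re.compile(r"(\w+)=((?:[^=\\]|\\.)*?)(?=\s+\w+=|$)")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _add(rec, key, raw):
    rec.types[key], rec.fields[key] = classify(raw)


def parse_cef(message):
    head = _split_unescaped(message, "|", 7)
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    _, vendor, product, _, sig_id, name, severity, ext = head
    rec = Record(dataset_name(vendor, product), vendor, product, name)
    _add(rec, "signature_id", sig_id)
    _add(rec, "severity", severity)
    for key, value in _CEF_EXT.findall(ext):
        _add(rec, key, _unescape(value))
    return rec


def parse_leef(message):
    # LEEF 1.0 attributes are tab-separated; LEEF 2.0 carries the delimiter as
    # a sixth header field, either literally or as a hex code such as x09.
    if not message.startswith("LEEF:"):
        raise ValueError("not a LEEF message")
    is_v2 = message[5:message.find("|")].startswith("2")
    head = _split_unescaped(message, "|", 6 if is_v2 else 5)
    if len(head) != (7 if is_v2 else 6):
        raise ValueError("malformed LEEF header")
    _, vendor, product, _, event_id = head[:5]
    delim = "\t"
    if is_v2 and head[5]:
        delim = chr(int(head[5][1:], 16)) if re.fullmatch(r"x[0-9A-Fa-f]{2,4}", head[5]) else head[5]
    rec = Record(dataset_name(vendor, product), vendor, product, event_id)
    for pair in head[-1].split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            _add(rec, key, value)
    return rec


def parse_syslog_payload(line):
    """Skip the syslog PRI/timestamp/host prefix and dispatch on the payload marker."""
    for marker, parser in (("CEF:", parse_cef), ("LEEF:", parse_leef)):
        pos = line.find(marker)
        if pos != -1:
            return parser(line[pos:])
    raise ValueError("neither CEF nor LEEF")


# Constructed samples, with a syslog header in front as a collector would see them.
CEF_SAMPLE = (
    "<134>Feb 10 12:34:56 pf01 CEF:0|Ping Identity|PingFederate|10.2|AUTHN_ATTEMPT|"
    "Authentication attempt|3|rt=2021-02-10T12:34:56Z suser=alice src=10.0.0.5 "
    "outcome=FAILURE msg=Bad password\\=retry attrs={\"mfa\": true, \"factors\": 2}"
)
LEEF_SAMPLE = (
    "<134>Feb 10 12:35:01 gw01 LEEF:2.0|Example Corp|Edge Gateway|3.1|LOGIN|^|"
    "devTime=2021-02-10T12:35:01+00:00^usrName=bob^src=192.0.2.7^bytes=4096^"
    "tags=[\"vpn\",\"admin\"]"
)

if __name__ == "__main__":
    for sample in (CEF_SAMPLE, LEEF_SAMPLE):
        rec = parse_syslog_payload(sample)
        print(rec.dataset, {k: (rec.types[k], rec.fields[k]) for k in rec.fields})
```

The escape handling matters in practice: a CEF `msg=` value containing `\=` would otherwise be split into a bogus key, and a vendor name containing `\|` would shift every header field by one and produce the wrong dataset name. The LEEF 2.0 delimiter field is honoured so that a vendor using `^` or `x09` is parsed the same way as one using a literal tab.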
Analytics | |
Analytics BIOC Visibility and Management (Requires a Cortex XDR Pro license) | If you have Analytics enabled, Cortex XDR now provides visibility into, and enables management of, your Analytics BIOC rules by pivoting from the BIOC Rules table to a dedicated page. For each rule, Cortex XDR displays identifying information such as name and ID, severity, rule activation status, and any relevant MITRE ATT&CK information. Cortex XDR also enables you to disable or enable Analytics BIOC rules as needed. To view and manage Analytics BIOC rules, you must have the corresponding permissions enabled for your role. |
Asset Management | |
Enhancements to Asset Management (Requires a Cortex XDR Pro license) | Cortex XDR now also displays the MAC address vendor name and the platform running on your managed and unmanaged assets. |
Export Network Assets to File (Requires a Cortex XDR Pro license) | You can now export your Asset Management table results to a tab-separated values (TSV) file. |
Endpoint Security and Management | |
Flexible Agent License Revocation (Requires a Cortex XDR Pro license) | To enable a flexible revocation policy for Cortex XDR agent licenses, you can now configure the number of days after which the license is returned when an agent loses its connection to Cortex XDR. In addition, you can configure the number of days after which the agent and its related data are removed from the Cortex XDR management console and database. For more information, see Cortex XDR Agent License Revocation. |
Enhanced Local Analysis Prevention (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version) | The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine adds context to Cortex XDR alerts by matching the samples under agent examination against static rules that inspect multiple file attributes and features. The Local Analysis rules are maintained by the Palo Alto Networks research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module. |
Bulk Alias Edits for Endpoints (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license) | To let you quickly change the alias for multiple endpoints, you can now perform the action from the Endpoint Control menu on the Endpoint Administration page. |
Vulnerable Drivers Protection (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later version) | Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR delivers changes to the vulnerable driver rules with content updates. To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security profile. By default, Cortex XDR blocks all identified attempts to load vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module. |
Device Control for VDI (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version) | Cortex XDR now extends Device Control for USB devices to virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB devices that were connected before the agent enforced the Device Control policy rules are not blocked after the fact. Note the following limitations:
|
Unpatched Vulnerabilities Protection (Windows) (Requires Cortex XDR agent 7.1 or a later version) | Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center. For Cortex XDR agents 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile temporarily modifies IPv4 and IPv6 settings on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to their values before modification. Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and the impact this workaround could have on your network. |
Extended Device Control to Read-Only Disk Drives (Windows and Mac) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints) | You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints. |
Peer-to-Peer Content Distribution (Mac and Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version) | Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN to retrieve a new content version from other agents that have already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings profile. |
Agent Installation Using a Unified Configuration Profile File for MDMs (Mac) | For a seamless installation of the Cortex XDR agent that does not require end-user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to the third-party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile if you prefer, or are required, to sign it with your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs. |
Custom Agent Installation Directory (Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version) | You can now install the Cortex XDR agent in a custom directory on Linux endpoints instead of the default /opt directory. To do this, set the custom path in the new installation variable --install-path=/<some/path>. After you install the Cortex XDR agent in the custom path, all subsequent upgrades and the removal of the agent from the endpoint are executed in the same location. For more information, see Install the Cortex XDR Agent for Linux. |
New Operating Systems Support (Linux) (Requires Cortex XDR agent 7.3 or a later version) | You can now install the Cortex XDR agent on Linux endpoints that are running:
For all supported kernel versions, see the Latest kernel module version support. |
Host Insights Add-on | |
Search and Destroy Malicious Files on Mac Endpoints (macOS 10.15.4 and later) (Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.3 or a later version) | Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use Search and Destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, immediately destroy the file on any or all endpoints on which it exists. |
Host Insights Export to File (Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.1 or a later version) | You can now export all the Cortex XDR Host Insights tables and their respective asset views to a tab-separated values (TSV) file. |
Vulnerability Management Name Change (Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.1 or a later version) | To better reflect the feature's usage, Vulnerability Management is renamed Vulnerability Assessment. |
Multitenants and MSSPs | |
Cross-Tenant XQL Queries for Multi-Tenancy (Requires a Cortex XDR Pro license) | To enable multitenant management that uses XQL queries to view raw data stored in Cortex XDR, you can now execute XQL queries on a single child tenant or on up to 100 child tenants simultaneously, directly from your parent tenant's XQL Search page. When executing XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation for all datasets available on the child tenant. When executing XQL queries on multiple child tenants simultaneously:
You can view, track, and investigate the query results and graphs for each child tenant in your XQL Search page results table or in the Query Center by filtering by child tenant. |
Broker VM (Version 11.1.1) | |
Broker VM Images | MD5 values for Broker VM images version 11.1.1:
|
New Supported WEC Event Collection (Requires a Cortex XDR Pro per TB license) | To expand the Broker VM data collection capabilities, in addition to the default WEC event IDs, you can now configure the Broker VM to collect all or specific Windows event types, such as DHCP, DNS, and IIS event types, directly from the Cortex XDR management console. |
WEC Domain Controller Certificate Notifications (Requires a Cortex XDR Pro per TB license) | To keep you informed of your WEC Domain Controller certificate status and avoid service disruptions, Cortex XDR now displays a notification of the time remaining before the certificate expires, or that the certificate has already expired. |
Approved Remote Terminal Commands | When you connect to a Broker VM remotely, Cortex XDR now allows you to perform the following privileged commands:
|
API | |
New Featured Alert Fields APIs (Requires a Cortex XDR Pro license) | To expand your API capabilities, Cortex XDR now provides APIs to help you manage your featured alert fields. Using the following APIs, you can delete and replace existing featured alert fields:
|
Enhanced Visibility of Incident Data | To give you greater visibility into the requested API data when calling the Get Incidents and Get Extra Incident Data APIs, the response now includes the following incident scoring fields:
|
Enhanced Visibility of Alert Data | To give you greater visibility into alerts that include a featured host name, username, or IP address, the Get Alerts API response now includes the following Boolean fields:
|
Enhanced Insert Parsed Alerts Capabilities | To let you include additional information when calling the Insert Parsed Alerts API, you can now send the action status taken on an alert (Reported or Blocked) using the action_status field. |