Features Introduced in 2021

Learn more about Cortex XDR features introduced during 2021 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2021 by month.

Features Releasing in August

New features in the Cortex® XDR™ 3.0 release.
The following table describes new features in the Cortex XDR 3.0 release.
General
India Region Support
You can now deploy Cortex XDR in the India region. When you choose the IN region during activation and setup of Cortex Data Lake, you keep all Cortex XDR logs and data within the India boundary.
If you use Cortex XDR Prevent or Cortex XDR Pro per Endpoint, when the Cortex XDR agent identifies unknown files, Cortex XDR sends them to the WildFire Singapore Cloud for analysis. Starting October 2021, Cortex XDR will integrate with WildFire located in India to allow you to keep all Cortex XDR Agent WildFire traffic within the Indian boundary.
The WildFire India portal will not display information for past events that occurred prior to the transition to the new India cloud location; however, you will still have access to the WildFire Singapore portal to view that history.
In addition, all information regarding the calculated verdicts, such as the WildFire verdict and WildFire report, will be available in the Cortex XDR portal.
Cortex XDR Enhanced License Details
For increased visibility into your Cortex XDR license details, Cortex XDR now displays in the Cortex XDR License window a list of all the license and add-on types allocated to your account. To help you easily track your licenses, the list includes the start and end dates of your current and future licenses.
Host Insights Evaluation Period Extension
(Requires a Host Insights add-on license)
The free evaluation period of the Host Insights add-on in Cortex XDR is now extended from 30 days to 60 days. You can use this extended 60-day period for better evaluation of the Host Insights add-on functionality.
New Compute Units Add-On
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR now enables you to purchase compute units to carry out additional investigation actions.
As of Cortex XDR version 3.0, the compute units can be used to run additional XQL Query APIs in addition to the free quota provided by Cortex XDR.
The Compute Units add-on provides you with an additional 1 compute unit (formerly called query units) per day, in addition to your free daily quota to run XQL Query APIs. Each XQL query consumes compute units based on the timeframe, complexity, and the number of API response results. Compute units are deducted first from your free daily quota and then from the Compute Units add-on.
To help you track your compute units, in the Cortex XDR app you can:
  • Enable Cortex XDR to send a notification when the Compute Units pool reaches a defined threshold.
  • Track your compute usage and remaining available quota in the XQL API Usage page.
Allowed Domains for Distribution List
For an added layer of security when sending reports using email, Cortex XDR now allows you to specify one or more domain names that can be used in your distribution lists. By defining a domain, you can for example ensure information is not sent outside your organization.
Independent Configuration of Access Permissions for Settings
To provide more granular control of permissions for your administrators, Cortex XDR now enables you to configure read-only and read-write permissions independently for all Settings. To provide continuity for existing admin roles and privileges, Cortex XDR assigns both by default but you now have the option to configure the view and action settings independently for both your new and your preexisting admin roles.
You can now define granular role-based access control for the following pages in the Cortex XDR management console:
  • Dashboard
  • Report
  • Query
Directory Sync Services Renaming
To align with the new naming in the hub, Directory Sync Services has been renamed to Cloud Identity Engine.
XDR for Cloud
Cortex XDR Agent for Kubernetes Hosts
(Requires a Cortex XDR agent 7.5 or a later release for Linux and a Cortex XDR Cloud per Host license)
Starting with this release, you can deploy the Cortex XDR agent as a DaemonSet on any Kubernetes cluster. Being natively integrated in Kubernetes through the DaemonSet, the agent provides visibility into containers and ensures full coverage of your critical production workloads.
To deploy the agent, you must have the new Cloud per Host license type and then create a Cortex XDR agent YAML installation package in Cortex XDR, which allows you to configure attributes such as the default namespace value and nodeSelector. Once the Kubernetes agent is running on the endpoint, Cortex XDR displays the Kubernetes cluster and includes in the causality card a visual indication of processes that are running within containers, including information about the container itself such as its name, ID, and image.
For more information, refer to the Cortex XDR Agent Administrator Guide.
Extended Visibility to Your Cloud Network Flow Logs
(Requires a Cortex XDR Pro per TB license)
To extend visibility into your cloud network traffic and to further enrich incident data, Cortex XDR can now ingest cloud network traffic logs from:
  • Google Cloud Platform using the Google Cloud Platform data collector.
  • Amazon Web Services using the new Amazon S3 data collector.
  • Microsoft Azure platforms using the new Azure Network Watcher data collector.
For more information on these collectors, see External Data Ingestion Vendor Support.
Cortex XDR normalizes the logs from the different platforms into a single XDR schema and creates searchable datasets. Additionally, Cortex XDR optimizes and reconstructs the flow logs into single session communications which are later stitched into network stories and alerts.
To begin receiving logs, you must first set up the relevant Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
Extended Visibility to Your Cloud Platform
(Requires a Cortex XDR Pro per TB license)
To extend visibility into your cloud platform, Cortex XDR can now ingest cloud audit logs from:
  • Google Cloud Platform using the Google Cloud Platform data collector.
  • Amazon Web Services using the new Amazon S3 data collector.
  • Microsoft Azure platforms using the new Azure Event Hub data collector.
For more information on these collectors, see External Data Ingestion Vendor Support.
Cortex XDR normalizes the audit logs from the different cloud platforms into a single XDR schema to create raw datasets, for each platform individually as well as into a single collective searchable dataset.
To begin receiving logs, you must first set up the relevant Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR. As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
New Cloud Investigation Capabilities
(Requires a Cortex XDR Pro per TB license)
To streamline investigation of cloud-related alerts, Cortex XDR developed a proprietary algorithm that highlights the most relevant events and alerts associated with a cloud-related alert.
To help you identify and investigate cloud-specific data associated with cloud-related alerts, Cortex XDR displays a new Cloud Causality View. The view enables you to swiftly investigate a cloud alert by displaying the series of events and artifacts that are shared with the alert, and it includes the following table fields:
    • Cloud Referenced Resource
    • Cloud Operation Type
    • Cloud Operation Sub-Type
    • Cloud Identity Type
    • Cloud Project
    • Cloud Provider
    • Cloud Resource Type
    • Cloud Resource Sub-Type
Prisma Cloud Alert Ingestion
(Requires a Cortex XDR Pro per TB license)
To provide additional alert visibility and improved analytics, Cortex XDR can now ingest Prisma Cloud alerts. To receive alerts, configure the Configurations > Data Collection > Collection Integrations settings for the product in Cortex XDR.
Cortex XDR adds Prisma Cloud alerts to the Cortex XDR Alerts table and groups them into Incidents. Additionally, when Cortex XDR begins collecting data, the app creates a new dataset (prisma_cloud_raw) that you can use to initiate XQL Search queries and to create Correlation Rules.
Prisma Cloud Compute Alert Ingestion
(Requires a Cortex XDR Pro per TB license)
To provide additional alert visibility and improved analytics, Cortex XDR can now ingest Prisma Cloud Compute alerts. To receive alerts, configure the Configurations > Data Collection > Collection Integrations settings for the product in Cortex XDR.
Cortex XDR adds Prisma Cloud Compute alerts to the Cortex XDR Alerts table and groups them into Incidents. Additionally, when Cortex XDR begins collecting data, the app creates a new dataset (prisma_cloud_compute_raw) that you can use to initiate XQL Search queries and to create Correlation Rules.
Forensics
New Comprehensive Forensics Add-On
(Requires a Forensics add-on license and a Cortex XDR agent 7.4 or later for Windows)
Cortex XDR now offers a new add-on that enables you to perform comprehensive forensic investigations on your Windows endpoints.
With its deep data collection, the Forensics add-on enables you to find the source and scope of an attack, and determine what, if any, data was accessed. As an end-to-end solution, Cortex XDR Forensics helps you with every step of an incident response, from data collection through analysis, threat hunting, and remediation.
Using a host timeline, you can view user activity across multiple forensic artifacts in a single table. For a more detailed view, right-click on any row in the timeline for a complete listing of all fields for that item. The historical artifacts collected by the Forensics add-on can provide investigators with insight into Windows file access and process execution, even for files and executables that have been deleted from the host.
The triage functionality in the Forensics add-on collects detailed system information, including a full file listing for all of the connected drives, full event logs, and registry hives, so you can get a complete holistic picture of an endpoint.
You can perform a deep dive on a single endpoint or search for artifacts across all your endpoints from the Forensics workbench. For advanced detective work, you can use the XQL Search feature to query across all data, including endpoint, network, cloud and identity data.
You can access the Forensics add-on from the Add-Ons tab, under which the Host Insights add-on is also available (if licensed). Also, the configuration options that were previously labeled as Forensics are now labeled as Alerts Data.
Identity Analytics
Identity Analytics Module Activation Modification
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, as of Cortex XDR 3.0 the Identity Analytics module will be included with any Cortex XDR Pro license at no additional charge.
Enablement of Identity Analytics has been removed from the Cortex XDR License dialog and relocated to Settings > Configurations > Cortex XDR Analytics.
User Score Management
(Requires a Cortex XDR Pro license)
To help you detect suspicious user activity and compromised accounts within your network, Cortex XDR calculates a User Score based on Incident Scoring Rules and Cortex XDR System Rules, which allows you to easily identify the highest-risk users in your organization.
The User Scores are displayed under Asset Management > User Scores, providing you with a central location from which you can view and investigate information relating to the user scores.
In addition, Cortex XDR displays the top 5 users with the highest User Scores in a new dashboard widget.
User View
(Requires a Cortex XDR Pro license)
To streamline your incident investigation process, Cortex XDR now provides a dedicated User View, built on Identity Analytics capabilities, that gives you easy access to the relevant information when investigating a user in your organization.
The User View automatically aggregates and displays the user details, user score trends, aggregated host logins, and associated incidents and insights.
You can access the User View from the right-click pivot menu of the following:
  • Users section of the Incident View Key Assets & Artifacts tab
  • User Scores Table
  • Analytics Alert View User Node
  • Top 5 Notable Users Widget
Investigation and Response
New XQL Correlation Rules
(Requires a Cortex XDR Pro license)
To help you analyze correlations of multiple events from multiple sources, Cortex XDR now contains a new XQL-based engine for creating scheduled rules called Correlation Rules. Correlation Rules are accessible in Cortex XDR from the new Rules > Correlations menu, which opens the Correlation Rules page.
The following are some of the main features of Correlation Rules.
  • Ability to add new Correlation Rules from either the Correlation Rules page or when building a query in XQL Search.
  • When right-clicking any Correlation Rule in the Correlation Rules page, these options are available.
    • Open in XQL—Opens the rule in XQL Search either in a new tab or in the same tab.
    • View related alerts—Displays the related alerts in the Alerts page in a new tab or the same tab.
    • Execute Correlation Rule—Runs the rule.
    • Disable—Disables the rule.
    • Edit rule—Opens the Edit Correlation Rule editor so you can update the rule settings.
    • Save as new—Enables you to create a new Correlation Rule based on the settings of the existing rule.
    • Delete—Deletes the rule.
    • Show rows with ‘[rule Description]’—Filters the Correlation Rules list to display only rules that match the Description of the rule.
    • Hide rows with ‘[rule Description]’—Filters the Correlation Rules list to remove any rule that matches the Description of the rule.
    • Copy entire row—Copies the contents of the entire Correlation Rule in the row of the table.
  • When setting up Correlation Rules, you have additional capabilities.
    • Define the timing for when the Correlation Rule should run.
    • Define whether alerts generated by the Correlation Rule are suppressed by a duration time, field, or both.
    • Set the resulting action for the Correlation Rule as either to generate an alert or save the data to a dataset.
      • When generating an alert, you can also define the alert settings, which include the Alerts Field Mapping for incident enrichment, Alert Severity, MITRE ATT&CK Tactics and Techniques, and other alert settings.
      • When saving the data to a dataset, you can test and fine-tune new rules before initiating alerts and applying correlation-of-correlation use cases.
There may be future changes to the Correlation Rules offerings, which can impact your licensing agreements. You will receive notification ahead of time before any changes are implemented.
New XQL Personal Query Library
(Requires a Cortex XDR Pro license)
Cortex XDR now provides, as part of the XQL Query Library, a new personal query library for saving and managing your own queries. When creating a query in XQL Search or managing your queries from the Query Center, you can now save the query to your personal library using the Save As > Query to Library option.
You can also decide whether the query is shared with others (on the same tenant) in their Query Library or kept unshared and visible only to you.
The XQL Query Library contains a powerful search mechanism that enables you to search in any field related to the query, such as the query name, description, creator, query text, and labels. In addition, adding a label to your query enables you to search for these queries using these labels in the XQL Query Library.
Dataset Management Enhancements
(Requires a Cortex XDR Pro license)
To help you better manage your datasets and understand your data storage availability, Cortex XDR has now implemented the following enhancements in the Dataset Management page.
  • License details for the Cortex XDR Pro licenses and Cortex XDR Pro per RTN retention licenses.
  • A storage bar with all the datasets usage information.
  • For each dataset listed in the table, the following information is available: Total Days Stored, Total Size Stored, Average Daily Size, Total Events, Average Event Size, First Stored Date (hidden by default), Last Stored Date, and Default Query Target (hidden by default).
  • The ingestion details are now listed in the Data Ingestion Dashboard. In an upcoming release, the ingestion details will be integrated into the Dataset Management page.
  • Before the Cortex XDR ingestion and storage enforcements are applied based on your licensing agreements, you will be notified ahead of time with an explanation of these changes and the implementation timeline.
New XQL Dataset for Cloud Identity Engine
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a dedicated dataset called pan_dss_raw for you to query data related to the Cloud Identity Engine (previously called Directory Sync Service (DSS)), which enables you to leverage Active Directory user, group, and computer information in Cortex XDR.
To set up this Cloud Identity Engine dataset, you need to Set Up Cloud Identity Engine. Otherwise, you will not have a pan_dss_raw dataset.
New USB Device Visibility in XQL
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now supports the ingestion of connect and disconnect events of USB devices that are reported by the agent. You can use XQL Search to query for this data and build widgets based on the xdr_data dataset, where the following use cases are supported:
  • Displaying devices by Vendor ID, Vendor Name, Product ID, and Product Name.
  • Displaying the hosts to which a specific device, identified by its serial number, is connected.
  • Querying for USB devices that are connected to specific hosts or groups of hosts.
The following are examples of XQL queries on the USB device data.
  • This query returns the action_device_usb_product_name field from all xdr_data records where the event_type is DEVICE.
    dataset = xdr_data | filter event_type = DEVICE | fields action_device_usb_product_name
  • This query returns the action_device_usb_vendor_name field from all device_control records (a preset of the xdr_data dataset) where the event_type is DEVICE.
    preset = device_control | filter event_type = DEVICE | fields action_device_usb_vendor_name
For more information, see Ingest Connect and Disconnect Events of USB Devices in Device Control.
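The two queries above only project single fields. The following query, added here as an example and not taken from the release notes, goes one step further for the use cases listed above: it aggregates the DEVICE events by vendor and product and counts on how many distinct hosts each device was seen, which is a quick way to spot a USB device that is moving between many endpoints. It assumes that xdr_data exposes the agent_hostname field alongside the action_device_usb_* fields named on this page.

```xql
// Added example, not from the Cortex XDR release notes.
// Assumes the xdr_data fields agent_hostname, action_device_usb_vendor_name
// and action_device_usb_product_name are populated for DEVICE events.
dataset = xdr_data
| filter event_type = DEVICE
// One row per vendor/product pair: total connect/disconnect events and
// the number of distinct endpoints on which the device was observed.
| comp count(action_device_usb_product_name) as device_events,
       count_distinct(agent_hostname) as host_count
       by action_device_usb_vendor_name, action_device_usb_product_name
// Devices seen on the most hosts first; cap the result for a widget.
| sort desc host_count
| limit 20
```

Saving the query as a custom widget lets you place this view on a dashboard or attach it to a report, as described in the Custom XQL Widget Report Attachments feature below.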
XQL ASN Data Support
(Requires a Cortex XDR Pro per TB license)
The Cortex XDR Query Language (XQL) now supports querying for Autonomous System Number (ASN) data in XQL Search. As part of the xdr_data dataset, these new fields are available: action_as_data and dst_action_as_data, which include this data:
  • as_number—The Autonomous System Number (ASN), which uniquely identifies each network on the Internet.
  • organization—Defines the organization for the ASN.
  • isp—The Internet service provider associated with the ASN.
  • domain—Domain name.
  • is_proxy—Boolean value indicating whether the ASN is coming from a proxy server.
New GlobalProtect Access Authentication Log Visibility in XQL
(Requires a Cortex XDR Pro per TB license)
To increase your network visibility, the Palo Alto Networks (PANW) firewall can now send GlobalProtect access authentication logs to Cortex XDR. As a result, the Cortex XDR Query Language (XQL) now supports querying for this data using the xdr_data dataset in XQL Search.
To ensure GlobalProtect access authentication logs are sent to Cortex XDR, verify that your PANW firewall's Log Settings for GlobalProtect have the Cortex Data Lake checkbox selected.
Custom XQL Widget Report Attachments
You can now attach the XQL queries you saved as custom widgets to your report templates.
When editing or creating a report template, you can now attach one or more of your XQL query custom widgets to your report. The XQL query widget is added to the report as a CSV file along with the customized PDF.
Each XQL query widget creates a separate CSV file that you can:
  • Send by email as a separate attachment for each widget. The total size of an attachment in the email cannot exceed 20 MB.
  • Send by Slack as part of a ZIP file that includes the PDF.
  • Download from the Reports page.
Redesigned Incident View and Investigation Capabilities
To streamline your incident investigation process and reduce the number of steps it takes to analyze an incident, Cortex XDR has redesigned the Incident View to showcase and navigate across all incident data in one dedicated page.
The enhanced Incidents page capabilities now allow you to investigate and manage incidents without the need to pivot to other pages. The Incident page is now divided into two main sections, Left Pane Incident List and Details Pane.
  • Left-pane Incident List
    Scroll through each incident row to view the incident name, description, ID, score, and the number of related assets and artifacts. From each row, you can edit the incident assignee, status, name, and description.
  • Details Pane
    Displays the incident details of the incident selected in the left-pane list. Navigate across the following tabs to investigate the incident details:
    • Overview
      Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, and widgets to visualize the number of alerts, type of sources, hosts, and users associated with the incident.
    • Timeline
      A chronological representation of alerts and actions relating to the incident. Select an alert or action to display an additional pane of information related to the entity, and add an optional comment.
    • Alerts & Insights
      Displays a table of the alerts and insights associated with the incident. The tables include the sorting and response actions available in Cortex XDR.
    • Key Assets & Artifacts
      Displays information and allows you to perform response actions for hosts, users, and key artifacts associated with the incident.
    • Executions (Requires a Cortex XDR Pro License)
      Presents the causality chains associated with the incident.
The new incident view is supported for incidents created after Cortex XDR 3.0. Incidents created before Cortex XDR 3.0 are displayed in the legacy view.
To enable flexibility, you can choose to display incidents created after Cortex XDR 3.0 using either the Legacy or the Advanced view.
New Incident Resolved Statuses
The incident Resolved statuses have been updated to allow for greater flexibility. As of Cortex XDR 3.0, the Resolved status resolution reason Resolved - Threat Handled has been deprecated and replaced with Resolved - True Positive. Incidents with Resolved - Threat Handled status will not be changed and are still available to search, but this reason will no longer be available as a status resolution reason.
In addition, Cortex XDR created a new resolution reason, Resolved - Security Testing.
New Cortex XDR Dashboard for Security Operations Center Manager
Cortex XDR introduces a new predefined dashboard for Security Operations Center (SOC) Manager to help you better visualize and manage the Cortex XDR incident findings.
The Security Admin Dashboard displays the following new widgets:
  • Incident Status Board
    Displays the last 30 days, 7 days, or 24 hours of the following information according to the incident creation time:
    • Total number of open incidents, how many are unassigned, and how many are overdue, according to the incident severity.
    • Breakdown of open incidents according to the statuses New and Under Investigation.
    • Breakdown of resolved incidents according to resolved reason.
  • Resolved Incident MTTR
    Displays either the last 30 days, 7 days, or 24 hours of the following information according to incident creation time and resolved statuses:
    • Total Mean Time to Resolve (MTTR) of all incidents, according to severity, created during the selected timeframe, and the average time it took to resolve the incidents compared to the defined Target MTTR.
  • Overdue Incidents of Top 5 Assignees
    Displays the last 30 days, 7 days, or 24 hours of the following information according to the incident creation time:
    • Top 5 assignees, by assignee name, with the highest number of overdue incidents.
  • Incidents Over Time
    Displays the following information over 14 days:
    • Number of new incidents created per day.
    • Number of resolved incidents per day.
  • Newest Incidents
    Displays the following details for the 5 most recent incidents:
    • Starred
    • Severity
    • ID
    • Score
    • Description
    • Creation time
Centric View of Alert Information
When viewing listed alerts as you investigate incidents, Cortex XDR now provides a centric view for a single alert, each accessible from a dedicated panel that opens when you click on the specific row of an alert. These dedicated panel views provide you with various details about the alert, such as timestamp, name, description, detected action, MITRE information, host information, and rule information.
Quick Actions in Tables Enhancements
To enhance the quick actions available in Cortex XDR, Cortex XDR has now added the quick actions capability to the following tables:
  • Incidents:
    • Star / Unstar
  • Alerts:
    • Exclude / Undo Exclusion
  • Endpoints:
    • Isolate / Cancel endpoint isolation
The new icons are available in table rows upon a left-click of the row and provide an alternative to the right-click pivot menus.
Granular Exceptions for BTP Alerts
You now have the option to create more granular Behavioral Threat Protection (BTP) exceptions for BTP alerts. These new additional BTP exceptions include the following Causality Group Owner (CGO) attributes:
  • CGO hash value
  • CGO signer entity (for Windows and Mac only)
  • CGO process path—directory path of the CGO process.
  • CGO command arguments—available only if a CGO process path is selected.
All previous BTP exception options are still available as usual.
Enhanced Child Process Node Investigation
To help you investigate the children of a process node in a Causality View, when right-clicking the Process node to view the Children table, Cortex XDR now displays the Process Start Time field indicating when each child process started.
Asset Management Enhancement
(Requires a Cortex XDR Pro license)
To help you identify and retrieve information about unmanaged assets in your network, you can now configure in your Windows Agent Profile a Cortex XDR agent scan of your endpoints using Ping that provides updated identifiers of your network assets, such as IP addresses and OS platforms. The scan is automatically distributed by Cortex XDR to all the agents configured in the profile and cannot be initiated on demand.
The scan results can be viewed in the Asset Management table.
Enhanced Endpoint Administration Table Filter Options
You can now filter the following Endpoint Administration fields:
  • Group Names - Use != to identify endpoints that are not part of a given group.
  • IP Address - Use Not in range to identify endpoints that are not part of a defined IP address range.
IP View IP Address Visibility
When investigating an IP address, in the IP view, the default aggregation has been adjusted to display information on whether the IP address is an internal or external IP address.
For external IP addresses, the default Connection Type displayed is incoming, while for the internal IP addresses, the default Connection Type is Outgoing.
Audit Logs
Management Logs for Cortex XDR Gateway
To help you track Permission Management changes in the Cortex XDR Gateway, users with Account Admin role permissions can now access the Cortex XDR Gateway Management Audit Logs page.
In the Cortex XDR Gateway > Management Audit Log page, you can now track the permission auditing actions performed on your CSP accounts. The Management Audit Log table lists the following fields of log information:
  • Timestamp (Displayed in UTC)
  • Email
  • User Name
  • Type
  • Subtype
  • Result
  • Severity
  • Description
External Data Ingestion
New 3rd Party Parsing Rules
(Requires a Cortex XDR Pro per TB license)
Cortex XDR now includes a new editor for creating 3rd party Parsing Rules, which enables you to:
  • Remove unused data that is not required for analytics, hunting, or regulation.
  • Reduce your data storage costs.
  • Pre-process all incoming data to improve the performance of complex rules.
  • Add one or more tags to the ingested data as part of the ingestion flow.
Cortex XDR provides a number of default Parsing Rules that you can easily modify as required. You can access these Parsing Rules by selecting Configurations > Data Management > Parsing Rules.
New XDR Collectors Configuration for On-premises Data Collection
(Requires a Cortex XDR Pro per TB license)
To extend the current data collection offerings, Cortex XDR now provides a new XDR Collectors configuration that is dedicated to on-premises data collection on Windows and Linux machines. The collector includes a dedicated installer, content updates, and policy management via the XDR console in Configurations > XDR Collectors.
Amazon S3 Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Amazon S3 logs. To receive logs, configure the Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon S3 XQL dataset (aws_s3_raw). This enables you to search the logs using XQL Search.
Workday Reports Data Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Workday reports data. To receive reports data, configure the Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving data, the app automatically creates a Workday XQL dataset (workday_workday_raw) and enables you to search the data using XQL Search. In addition, Cortex XDR will add the Workday fields next to each user in the Key Assets list in the Incident View, and in the User node in the Causality View of Identity Analytics alerts.
ServiceNow CMDB Data Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest ServiceNow CMDB data. To receive data from the ServiceNow CMDB database, configure the Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving data, the app automatically creates the following ServiceNow CMDB XQL datasets based on the selected table(s), using the format servicenow_cmdb_<table name>_raw. This enables you to search the data using XQL Search.
Windows DHCP Example File Available in the User Interface
(Requires a Cortex XDR Pro per TB license)
To help you configure Windows DHCP log ingestion using Elasticsearch Filebeat, Cortex XDR now provides in the Windows DHCP user interface a downloadable filebeat.yml file. This Elasticsearch Filebeat default configuration file must be populated with values provided when you configure the Collection Integrations settings in Cortex XDR for the Windows DHCP Collector.
Analytics
Analytics Alert Causality View Enhancement
(
Requires a Cortex XDR Pro license
)
To streamline your investigation of multi-event analytics alerts, Cortex XDR now displays a new Analytics Node identifying alerts that include more than one event type.
In the Events Table, Cortex XDR lists all the events associated with the alert according to the event type.
Multi-Severity for Analytics BIOC Rules
(
Requires a Cortex XDR Pro license
)
To expand your investigation and analytics capabilities, Cortex XDR now provides predefined Analytics BIOC Rules that raise alerts with different severity levels.
In the Analytics BIOC Rules table, the Severity field now also displays a Multi-Severity flag. Hover over the flag to see the severities defined for the rule.
Endpoint Protection
Enhancements to the Cortex XDR Host Firewall
(
Requires a Cortex XDR agent 7.5 or a later release for Windows
)
Now the Cortex XDR host firewall offers improved enforcement capabilities, better policy management, and greater visibility and troubleshooting capabilities into your network:
  • Rules enforcement
    —The Cortex XDR host firewall rules are integrated with the Windows Security Center, and you can configure rules for all IP protocols, using multiple IP address notations, and more parameters.
  • Policy management
    —Now the policy consists of rule groups that are reusable across all profiles, and there are default inbound and outbound rule groups provided by Palo Alto Networks. Additionally, you can import your rules directly into Cortex XDR.
  • Visibility and troubleshooting
    —The Cortex XDR agent now reports aggregated host firewall enforcement events, and you can also view all single activities the agent performed in your network by retrieving a detailed log file. For Cortex XDR Pro customers, the host firewall events are now also queryable via XQL to enable data and network analysis.
For more details, refer to the Cortex XDR administrator guide.
Cortex XDR 3.0 host firewall includes new features which are supported only with Cortex XDR agents 7.5 and later, such as multiple IP addresses, reporting mode, and more. For an older agent release, existing host firewall rules remain unaffected. However, if you create a rule from Cortex XDR 3.0, or edit an already existing rule that was created in an old Cortex XDR release and add one of these unsupported parameters, the agent could display unexpected behavior and the host firewall policy will be disabled on the endpoint.
Network Packet Inspection Engine
(
Requires a Cortex XDR agent 7.5 or a later release for Windows
)
To address the threats that accompany a growing remote workforce and expanding corporate network boundaries, the new Network Packet Inspection Engine adds coverage at the network level. By analyzing network packet data, the Cortex XDR agent can detect malicious behavior and either block it or report it back to Cortex XDR.
The new engine leverages both Palo Alto Networks NGFW content rules, and new Cortex XDR content rules created by the Research Team.
To enable this capability, edit your Malware Security Profile settings.
Improved Security Content
*Starting with PTU 200 and later
To ensure your network is constantly protected against the latest and newest threats in the wild, the Cortex XDR research team will now start releasing more frequent content updates in-between major content versions. When you enable minor content updates, the Cortex XDR agent receives minor content updates, starting with the next content releases. Otherwise, if you do not wish to deploy minor content updates, your Cortex XDR agents will keep receiving content updates for major releases which usually occur on a weekly basis.
The content version numbering format remains XXX-YYYY, where XXX indicates the version and YYYY indicates the build number. To distinguish between major and minor releases, XXX is rounded up to the nearest ten for every major release, and incremented by one for a minor release. For example, 180-<build_num> and 190-<build_num> are major releases, and 181-<build_num>, 182-<build_num>, and 191-<build_num> are minor releases.
To enable this capability, you need to update the Global Agent Settings for your tenant.
Separate Actions for Files Unknown to WildFire and Files with Benign LC Score
(
Requires a Cortex XDR agent 7.5 or a later release for Windows
)
To better manage your anti-malware flow, you can now configure separate actions for files that are unknown to WildFire and files with Benign Low Confidence score. To adjust your settings, refer to the Malware Security Profile settings.
Quarantine Malicious ELF Files
(
Requires a Cortex XDR agent 7.5 or a later release for Linux
)
You can now configure your anti-malware flow to automatically quarantine malicious ELF files. To enable this capability, adjust your Malware Security Profile settings.
Configurable Device Control Enforcement Pop-Up Message
(
Requires a Cortex XDR agent 7.5 or a later release for Windows
)
You can now personalize the Cortex XDR notification pop-up on the endpoint when the user attempts to connect a USB device that is either blocked on the endpoint or allowed in read-only mode.
To enable this, refer to your Agent Settings Profile.
Improved Logs Protection
(
Requires a Cortex XDR agent 7.5 or a later release for Linux
)
The Cortex XDR agent logs directory is now accessible to privileged users only.
Support for Azure-based Virtual Environments
(
Requires a Cortex XDR agent 7.5 or a later release for Windows
)
Support is now available for Cortex XDR agents running on Microsoft Azure-based VMs and virtual desktops (WVD or AVD).
Extending Gatekeeper Protection to Bundles
(
Requires a Cortex XDR agent 7.5 or a later release for Mac
)
The Cortex XDR Gatekeeper Enhancement protection module now provides coverage also for suspicious bundle executions.
Audit Log for Unauthorized Agent Shutdown
(
Requires a Cortex XDR agent 7.5 or a later release for Mac
)
Now when a deliberate termination of the agent is detected on the endpoint, an audit log is reported to Cortex XDR.
Simplified Network Bandwidth Allocation for Security Content Updates
For optimized performance and reduced bandwidth consumption, install new agents with the distribution package available for Windows Cortex XDR agents 7.3 and later. Otherwise, if you deploy the agent installer via SCCM, it is recommended to configure the bandwidth you allocate in your organization for Palo Alto Networks security content updates. Cortex XDR now provides two recommendations, based on the number of agents you want to update (active or future agents) and on the time frame within which you want the update to complete (within a day or within a week). You can choose one of the recommended values or enter your own, between 20 and 10,000 Mbps.
To adjust your settings, update the Global Agent Settings for your tenant.
Gradual Rollout for Automatic Agent Upgrades
To better control the rollout of a new Cortex XDR agent release in your organization, during the first week only a single batch of agents is upgraded. After that, auto-upgrades continue to be deployed across your network in parallel batches as configured.
Broker VM
New FTP Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new FTP Collector applet that enables you to monitor and collect logs from files and folders via FTP, FTPS, and SFTP directly to your log repository for query and visualization purposes.
After you activate the FTP Collector applet, you can collect files as datasets (
<Vendor>_<Product>_raw
) by defining the following:
  • FTP, FTPS, or SFTP (default) connection details with the path to the folder containing the files that you want to monitor and upload to Cortex XDR.
  • Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either JSON, CSV, or Raw. Once the files are uploaded to Cortex XDR, you can define whether in the source directory the files are renamed or deleted.
New Files and Folder Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new Files and Folders Collector applet that enables you to monitor and collect logs from files and folders in a network share for a Windows directory, directly to your log repository for query and visualization purposes.
After you activate the Files and Folders Collector applet, you can collect files as datasets (<Vendor>_<Product>_raw) by defining the following:
  • Details of the Folder Path on the network share containing the files that you want to monitor and upload to Cortex XDR.
  • Settings related to the list of files to monitor and upload to Cortex XDR, where the log format is either JSON, CSV, or Raw.
New Database Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new Database Collector applet that enables you to collect data from a client relational database directly to your log repository for query and visualization purposes.
After you activate the Database Collector applet, you can collect data as datasets (
<Vendor>_<Product>_raw
) by defining the following:
  • Database connection details, where the Connection Type can be MySQL, PostgreSQL, or MSSQL.
  • Settings related to the query details for collecting the data from the database to monitor and upload to Cortex XDR.
New NetFlow Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new NetFlow Collector applet that enables you to collect logs with flow records from Netflow (Versions 5 and 9) and from IPFIX directly to your log repository for query and visualization purposes.
After you activate the NetFlow Collector applet, you can collect data as XQL datasets (
<Vendor>_<Product>_raw
) by defining the following:
  • The number of the UDP Port on which the flow records are received (default 2055).
  • The IP address or CIDR of the Source Network device that sends the flow records to Cortex XDR (default Any).
  • The Vendor and Product names used to identify the XQL dataset (<Vendor>_<Product>_raw) in which the flow records are stored in Cortex XDR (default IP Flow).
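The following Python script is an added example, not Cortex XDR or Palo Alto Networks code. It parses a NetFlow v5 export datagram of the kind the NetFlow Collector receives on its UDP port, so you can see which fields a v5 record carries before it lands in the <Vendor>_<Product>_raw dataset, and it rejects truncated or mis-counted datagrams rather than silently reading past the buffer. The datagram is constructed inline with synthetic addresses; the header and record layouts follow the NetFlow v5 specification, while the keys of the returned dictionaries are this example's own names, not dataset column names. NetFlow v9 and IPFIX use template-based records and are not handled here.

```python
"""Parse a NetFlow v5 export datagram (added example, not product code)."""
import struct
from ipaddress import IPv4Address
from typing import Any, Dict, List

# NetFlow v5 wire layout: 24-byte header followed by up to 30 fixed 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def parse_netflow_v5(datagram: bytes) -> Dict[str, Any]:
    """Return {"header": {...}, "records": [...]}; raise ValueError on a malformed packet."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, _unix_nsecs,
     flow_seq, _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30:
        raise ValueError(f"record count {count} exceeds the v5 maximum of 30")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError(f"length {len(datagram)} does not match header count {count}")

    records: List[Dict[str, Any]] = []
    for i in range(count):
        offset = HEADER.size + i * RECORD.size
        raw = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, offset)))
        # first/last are exporter uptime in ms; anchor them to the header's wall clock.
        clock_skew = sys_uptime_ms / 1000 - unix_secs
        records.append({
            "src_ip": str(IPv4Address(raw["srcaddr"])),
            "dst_ip": str(IPv4Address(raw["dstaddr"])),
            "next_hop": str(IPv4Address(raw["nexthop"])),
            "src_port": raw["srcport"],
            "dst_port": raw["dstport"],
            "protocol": raw["prot"],
            "tcp_flags": raw["tcp_flags"],
            "packets": raw["dPkts"],
            "bytes": raw["dOctets"],
            "start_time": raw["first"] / 1000 - clock_skew,
            "end_time": raw["last"] / 1000 - clock_skew,
        })
    return {
        "header": {
            "version": version,
            "count": count,
            "sequence": flow_seq,
            "engine_id": engine_id,
            # Low 14 bits carry the interval; the top two bits are the sampling mode.
            "sampling_interval": sampling & 0x3FFF,
        },
        "records": records,
    }


def build_sample_datagram() -> bytes:
    """Constructed two-record export (synthetic values, not a real capture)."""
    # version 5, 2 records, uptime 120 s, exported at 2021-08-01T00:00:00Z, seq 42, engine 0/1
    header = HEADER.pack(5, 2, 120_000, 1_627_776_000, 0, 42, 0, 1, 0)
    tls = RECORD.pack(IPv4Address("10.1.2.3").packed, IPv4Address("198.51.100.7").packed,
                      b"\0\0\0\0", 1, 2, 10, 1500, 100_000, 110_000, 51234, 443,
                      0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    dns = RECORD.pack(IPv4Address("10.1.2.3").packed, IPv4Address("203.0.113.9").packed,
                      b"\0\0\0\0", 1, 2, 1, 60, 115_000, 115_000, 51235, 53,
                      0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + tls + dns


if __name__ == "__main__":
    for rec in parse_netflow_v5(build_sample_datagram())["records"]:
        print(rec)
```

The length check matters for a collector: v5 carries no per-record length, so a datagram whose size disagrees with the header count is the only signal that an export was truncated in transit or crafted.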
Enhanced WEC Certificates Renewal Mechanism
(
Requires a Cortex XDR Pro per TB license
)
The renewal process for the Windows Event Collector (WEC) certificates is now streamlined to keep you informed of your WEC certificate status and help you avoid any disruption to your WEC data collection. The following improvements are now implemented:
  • For any tenant with an active WEC applet whose Certificate Authority (CA) certificate expires in less than 90 days, a notification appears on the Broker VMs page and in the Windows Event Forwarder Configurations window, and a new notification is displayed in the notification area until the WEC certificate is replaced.
  • The WEC CA certificate is now issued with a longer validity period.
  • The broker VM applet now includes an automatic renewal mechanism for the WEC server certificate, which has a lifespan of 12 months.
  • After renewal, the WEC client certificate is issued with a lifespan of 5 years.
  • On the Broker VMs page, you can now renew your WEC server certificates by right-clicking the applet and selecting Windows Event Collector > Renew WEC Server Certificate.
After you receive a notification to renew your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certificate renewal process is complete. Events from WEF clients added in the meantime will not be collected by the server until the WEC certificates are renewed.
API
Get Violations API Enhancements
To expand the Get Violations API, when running device_control/get_violations/:
  • If a custom device has been deleted, the response value has been updated from user-defined to user-defined (Deleted).
  • You can now filter by type="user-defined" and type="user-defined-deleted".
Get Incident API Enhancement
To expand the Get Incidents API, Cortex XDR now supports the in operator for the status field.
New Incident Resolved Statuses
The Resolved status resolution reason Resolved - Threat Handled will be deprecated in Cortex XDR version 3.1 and replaced with Resolved - True Positive.
Until Cortex XDR 3.1, when running the Update an Incident API, if you enter Resolved - Threat Handled in the status field, Cortex XDR returns a message notifying you of this change.
In addition, you can now enter a new status: Resolved - Security Testing.
Incident ID Enhancement for Action APIs
To expand your investigation and action capabilities, Cortex XDR now allows you to add an optional
incident ID
field to the following APIs so you can track these actions in the Incident View Timeline:
  • Restore File
  • Retrieve File
  • Quarantine Files
  • Allow List Files
  • Block List Files
  • Isolate Endpoints
  • Unisolate Endpoints
  • Scan Endpoints
  • Cancel Scan Endpoints
  • Run Script
  • Run Snippet Code Script
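The following Python functions are an added example, not Palo Alto Networks code. They build the request URL, headers, and JSON body for three of the calls described in this section: Get Incidents with the in operator on the status field, Get Violations filtered on device type, and Isolate Endpoints with the optional incident ID. The Authorization header follows the documented advanced API key scheme (SHA-256 hex digest of API key + nonce + millisecond timestamp, sent with x-xdr-auth-id, x-xdr-nonce and x-xdr-timestamp). The tenant FQDN is a placeholder, the status strings are assumed API enumeration values, and the incident_id body field name is assumed to match the Isolate Endpoints API reference. Nothing is sent; verify the field names against the API reference for your tenant before use.

```python
"""Build authenticated Cortex XDR public API requests (added example, not product code).

Each function returns (url, headers, body) so the request can be inspected or
handed to any HTTP client. All public API calls are POST with a JSON body.
"""
import hashlib
import json
import secrets
import time
from typing import Any, Dict, List, Optional, Tuple

Request = Tuple[str, Dict[str, str], str]


def auth_headers(api_key: str, api_key_id: int, nonce: Optional[str] = None,
                 timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Advanced API key headers; nonce and timestamp_ms can be injected for deterministic tests."""
    nonce = nonce or secrets.token_hex(32)          # fresh 64-hex-char nonce per request
    ts = str(timestamp_ms if timestamp_ms is not None else int(time.time() * 1000))
    digest = hashlib.sha256(f"{api_key}{nonce}{ts}".encode()).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": ts,
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def _request(fqdn: str, path: str, request_data: Dict[str, Any],
             headers: Dict[str, str]) -> Request:
    # fqdn is the tenant's API FQDN (a placeholder in this example).
    url = f"https://api-{fqdn}/public_api/v1/{path}"
    return url, headers, json.dumps({"request_data": request_data})


def get_incidents_by_status(fqdn: str, headers: Dict[str, str], statuses: List[str],
                            page: int = 0, page_size: int = 100) -> Request:
    """Get Incidents filtered with the `in` operator on status (3.0 enhancement).

    Status values such as "new" or "under_investigation" are assumed API enums.
    """
    data = {
        "filters": [{"field": "status", "operator": "in", "value": statuses}],
        "search_from": page * page_size,
        "search_to": page * page_size + page_size,
        "sort": {"field": "creation_time", "keyword": "desc"},
    }
    return _request(fqdn, "incidents/get_incidents/", data, headers)


def get_device_violations(fqdn: str, headers: Dict[str, str],
                          device_types: List[str]) -> Request:
    """Get Violations filtered on type, e.g. ["user-defined", "user-defined-deleted"]."""
    data = {"filters": [{"field": "type", "operator": "in", "value": device_types}]}
    return _request(fqdn, "device_control/get_violations/", data, headers)


def isolate_endpoints(fqdn: str, headers: Dict[str, str], endpoint_ids: List[str],
                      incident_id: Optional[str] = None) -> Request:
    """Isolate Endpoints; with incident_id the action appears in that incident's timeline."""
    data: Dict[str, Any] = {"endpoint_id_list": endpoint_ids}
    if incident_id is not None:
        data["incident_id"] = str(incident_id)   # field name assumed from the API reference
    return _request(fqdn, "endpoints/isolate/", data, headers)


if __name__ == "__main__":
    hdrs = auth_headers("replace-with-api-key", 1)
    url, _, body = get_incidents_by_status("xdr.example.com", hdrs, ["new", "under_investigation"])
    print(url, body)
```

Keep the API key out of source control and generate a new nonce for every request; the digest is only as unguessable as the nonce and key behind it.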
Managed Threat Hunting
Managed Threat Hunting Communication and Tracking Enhancements
To streamline communication with the Managed Threat Hunting team, Cortex XDR now allows you to track and investigate the Managed Threat Hunting findings and communicate with the Managed Threat Hunting team directly from the Cortex XDR app using a new commenting tool.
In the Managed Threat Hunting page, you can add, edit, and track comments made by the Managed Threat Hunting team and by users who have Investigation Admin role permissions.

Features Releasing in May

New features in the Cortex® XDR™ 2.9 release.
The following table describes new features in the Cortex XDR 2.9 release.
Feature
Description
General
Cortex XDR Gateway for Onboarding and Granular RBAC
To streamline activation and management of your Cortex XDR tenants, Cortex XDR now operates as a standalone application known as the Cortex XDR Gateway. The Cortex XDR Gateway is where you view and manage existing tenants and tenants available for activation that are allocated to your CSP account. The split from the hub enables you to easily:
  • Activate new tenants.
  • View and access existing tenants.
  • View and manage granular role-based access (RBAC) settings.
To activate and manage permissions, Cortex XDR assigns the Account Admin role to existing CSP Super User accounts. This role cannot be removed or changed through the Cortex XDR Gateway.
The Cortex Data Lake quota management and the sizing calculator are still on the hub.
In-App Granular Role-Based Access Control
To streamline management of your Cortex XDR user and role-based access control (RBAC) permissions, Cortex XDR now allows you to track user permissions, manage existing roles, and create new roles in the Cortex XDR app without the need to log in to the hub.
Cortex XDR now displays the following information in Configurations > Access Management:
  • Users
    —Displays the User Name, XDR Role, Last Login Time, and Status of users in your organization. You can import new users using a CSV file, search for a specific user, and edit a user's role permissions.
  • Roles
    —Displays the Palo Alto Networks predefined roles and any additional roles that you and your organization create. You can search these available roles and create new roles that you can then assign to users enabling user access permissions.
Fine-Grained Role-Based Access Control Enhancements
To help you better manage your user access permissions, the following changes have been made to the Cortex XDR Granular Role-Based Access Control (RBAC) configurations in the Cortex XDR Gateway and Cortex XDR management console.
  • RBAC role
    Administrator
    has been renamed
    Instance Administrator
    .
  • Vulnerability Assessment
    —Existing vulnerability assessment permissions will be removed and included within the Host Insights role permissions. A user granted view and action Host Insights permissions will be automatically granted permissions to the vulnerability assessment capabilities.
  • Device Control
    —Existing device control action permission allowing you to create rules, profiles, and exceptions has been split into two permission types:
    • Device Control Rules
      —Enables you to create and modify profiles and rules.
    • Device Control Exceptions
      —Enables you to create and modify device control exceptions.
  • Endpoint Profiles
    —The existing Profiles action permission has been split into two permissions:
    • Endpoint Profiles
      —Enables you to create and modify endpoint profiles.
    • Prevention Rules
      —Enables you to add rules into a restriction profile.
  • Endpoint Groups
    —The existing Endpoint Administration permission has been split into two new sets of view and action permissions to manage your endpoints:
    • Endpoint Management (View)
      —Enables read-only access.
    • Endpoint Management (Action)
      —Enables read-write access.
    • Endpoint Group (View)
      —Enables read-only access.
    • Endpoint Group (Action)
      —Enables read-write access.
  • Cortex XDR App Pages
    View and Action permissions have been added for Cortex XDR app pages:
    • Dashboard
    • Reports
    • Query Builder
    • Query Center
To provide continuity for existing roles and privileges, Cortex XDR assigns the updated permissions by default but you now have the option to configure the view and action access independently for both your new and your preexisting roles.
Streamlined Configurations Menu
To provide a more intuitive navigation, the
Configurations
menu in Cortex XDR is now organized by the feature areas:
  • General
    —Additional settings to personalize your Cortex XDR dashboard and experience. For endpoint licenses, you can also configure global agent settings.
  • Cortex XDR-Analytics
    —(
    Cortex XDR Pro
    ) Activate the Cortex XDR analytics engine to analyze logs and events and raise Analytics alerts.
  • Broker VM
    —Configure and view the Broker VMs on which you deploy applets that facilitate log collection from external vendors and communication with agents outside your network.
  • XDR Collectors
    —(
    Cortex XDR Pro per TB
    ) Manage your Cortex XDR Collectors for on-premises data collection on Windows and Linux machines. The collector includes a dedicated installer, content updates, and policy management.
  • Data Collection
    —(
    Cortex XDR Pro per TB
    ) Configure settings for data collection from internal sources, such as Pathfinder and external log, and alert sources, such as SaaS providers.
  • Data Management
    —(
    Cortex XDR Pro
    ) Manage datasets for XQL Search, configure ingestion rules, and manage storage for external logs.
  • Integrations
    —Manage integrations with Palo Alto Networks products such as WildFire and AutoFocus and other third-party integrations, such as Slack and VirusTotal.
  • Access Management
    —Manage your Cortex XDR user and role-based access control (RBAC) permissions.
Cortex XDR Tenant Switcher
When using multitenancy within the scope of a Cortex XDR tenant, you can now use the Tenant Navigator, which enables you to switch directly to another owned tenant. The tenant navigator includes the following selections:
  • Cortex XDR tenant gateway link
  • List of Cortex XDR tenants to which you have access, grouped by CSP account. For accounts with more than five tenants, the tenant list for that account also includes a search option to help you quickly find a specific tenant.
When you choose a tenant, Cortex XDR pivots your display directly to the main page of the gateway or the main page of the tenant.
Improved Quick Launcher Access
To enable easier access to the Quick Launcher, you can now access it from the Cortex XDR top navigation bar as well as from all other navigation menus in the app.
Settings Navigation Change
To align the page title with navigation paths in Cortex XDR, the Settings menu (accessible from the gear icon) is now named Configurations.
The Quick Launcher also reflects the name change.
Enhanced Session Security Settings
The Cortex XDR management console now provides enhanced security settings for user sessions. These security settings include the following categories:
  • Session Expiration
    —Enables you to define the number of hours after which the user login session will expire. You can also define a one-week expiration for the Cortex XDR dashboard.
  • Allowed Sessions
    —Enables you to define approved domains and approved IP address ranges through which you allow access to Cortex XDR.
  • User Expiration
    —Enables you to deactivate an inactive user and also configure the automated user deactivation period.
For more detailed information, see the Cortex XDR Administrator's Guide.
Native Search Deprecation
The XQL Search and Query Builder are now the main search options in Cortex XDR and provide more flexibility and powerful querying capabilities. The Native Search option is deprecated and, as a result:
  • Existing BIOC rules created by Native Search actions are still available and function as they did before. This includes the option to export the rule and set metadata, such as Type, Severity, MITRE Technique, and MITRE Tactics. However you can no longer edit the rule.
  • Queries created using Native Search actions are still available in the Query Center for viewing historical results. However, you can no longer rerun or edit these queries. You can still edit the schedule of past scheduled queries by right-clicking the query in the Query Center and selecting Show Scheduled Query.
Network Events Deprecation
(
Starting with the next Cortex XDR release
)
Now that Cortex XDR provides network collection events that are stitched across endpoint data and Palo Alto Networks next-generation firewall logs, there is no longer a need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches using Network Connections in the Query Builder. When searching in XQL, avoid the xdr_agent_network preset and use the network_story preset instead.
Audit Logs
One-Year Retention of Audit Log Entries
All entries that are accumulated in the Cortex XDR audit logs are now available for your retrospective review for an extended period of one year from the date of their creation.
New Management Audit Logs for Policy Changes
For increased visibility into policy configuration changes, Cortex XDR introduces new policy audit logs for the Create, Edit, Reorder, Update, and Delete subtypes. In the descriptions below, angle brackets mark the values filled in from the affected rule. The new policy audit logs include:
  • Create Policy
    • Success: New <platform> policy rule <rule-name> with target <target-name> created
    • Failure: <rule-name> policy rule failed to create
  • Edit Policy Name
    • Success: <platform> policy rule <rule-name> renamed to <new rule-name>
    • Failure: Rename of <rule-name> policy rule <new rule-name> has failed.
  • Edit Policy Status
    • Success: <platform> policy rule status changed to <new status>
    • Failure: <platform> policy rule <rule-name> failed to update status
  • Edit Policy Profiles
    • Success: <platform> policy rule <rule-name> updated to include the following profiles <profile-names>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Edit Policy Scope
    • Success: <platform> policy rule <rule-name> updated to include <scope>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Edit Policy Profile and Scope
    • Success: <platform> policy rule <rule-name> scope updated to include: <scope> and the following profiles: <profiles>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Reorder Policy
    • Success: <platform> policy rule <rule-name> reordered
    • Failure: <platform> policy rule <rule-name> failed to reorder
  • Delete Policy
    • Success: <platform> policy rule <rule-name> delete
    • Failure: <platform> policy rule <rule-name> failed to delete
  • Update Policy
    • Success: Policy rules were updated.
    • Failure: Failed to update policy rules
Improved Management Audit Logs for Extensions Policies and Profiles
For improved accuracy, Cortex XDR now logs Extensions Policy and Profile actions under the Extensions Policy Rules or Extensions Profile type.
  • For Extensions Policies actions, a new Extensions Policy Rules log type is added with the following available descriptions:
    • Extensions policy rules were updated.
    • Failed to update extensions policy rules.
  • For Extensions Profiles actions, the following audit logs are logged as Extensions Profile type:
    • Failed to create an extensions profile.
    • Failed to delete an extensions profile.
    • Failed to edit an extensions profile.
This change applies to future audit logs. Previously-created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity.
Policy Change Visibility in Management Audit Logs
You can now view the specifics of what has changed in the configuration of your policies by viewing the management audit logs. For each policy log, you can view the detailed changes instead of the previously displayed message (Policy rules were updated.). Hover with the pointer over the specific entry to view the details in a tooltip. This lets you know exactly what has changed and, if necessary, roll back the change.
Enhanced Management Logs Incident ID Value
To improve your investigation capabilities, Cortex XDR now includes the Incident ID value in the Management Audit logs when you perform an action on a single incident. The following list displays examples of the updates by log subtype:
  • Assign Incident
    • Previous
      Changed assignee of 1 incident to email@paloaltonetworks.com
    • Updated
      Incident 12345 assigned to email@paloaltonetworks.com
  • Change Incident Severity
    • Previous
      Changed severity of 1 incident to Medium
    • Updated
      Changed incident 12345 severity to Medium
  • Change Incident Status
    • Previous
      Changed status of 1 incident to Resolved - Handled Threat
    • Updated
      Changed incident 12345 status to Resolved - Threat Handled
  • Change Scoring
    • Previous
      Changed scoring of 1 incident to 122
    • Updated
      Changed scoring of incident #12345 to 122
  • Change Scoring
    • Previous
      Changed scoring of 1 incident to rule-based scoring
    • Updated
      Changed scoring of incident #12345 to rule-based scoring
Updated Management Audit Logs for Threat Handled Incident Status
To maintain consistency, Cortex XDR has updated the following management audit log for change in status of Threat Handled incidents:
  • Previous
    Changed status of 5 incidents to Resolved - Handled Threat
  • Updated
    Changed status of 5 incidents to Resolved - Threat Handled
Improved Management Audit Logs for Host Insights Vulnerability Assessment Data Collection
(
Requires a Cortex XDR Pro per Endpoint license and the Host Insights add-on
)
When you rerun the host insights data collection scan, either from the Vulnerability Management endpoints view or from the Asset View, Cortex XDR now uses the same management audit log types as follows:
  • Log type
    Host Insights
  • Subtype
    Collect host insights from an endpoint
  • Available descriptions
    • Endpoint host insights collection initiated successfully
    • Failed initiating host insights collection from an endpoint
This change applies to future audit logs. Previously created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity.
Enhanced Audit Log for Operations in Rules Exceptions
The Cortex XDR management console now enables you to view audit logs for Create, Edit, and Delete operations of Rules Exceptions. In addition, the existing management audit logs for import and export of Rules Exceptions are now logged under the Rules Exceptions type.
Investigation and Response
XQL Multi-Language Data Support
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) can now support data provided in multiple languages, such as in XQL queries, lookups, widgets, and external data ingestion.
New XQL Datasets with Dataset Permission Enforcement
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) now includes two new datasets, endpoints and host_inventory. These datasets support dataset permission enforcement in the Cortex XDR Query Language (XQL), Query Center, and XQL Widgets. To view or access either dataset, you need role-based access control (RBAC) permissions to the Endpoint Administration and Host Inventory views.
New Standardized User Format for Events and Alerts
(
Requires a Cortex XDR Pro license
)
To streamline the way usernames appear in network events and alerts, Cortex XDR now processes and displays usernames in the following standardized format, also termed "normalized user":
<company domain>\<username>
In the Cortex XDR Query Language (XQL), every user field included in the raw data for network, authentication, and login events has an equivalent normalized user field that displays the user information in the standardized format. For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results.
As a result, any alert triggered based on network, authentication, or login events now displays the User Name in the new standardized format on the Alerts and Incidents pages. This change impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including BIOC and IOC alerts triggered on one of these event types.
New XQL IP Location Stage
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) now includes a new stage command that associates the IPv4 address in any field with a list of predefined geolocation attributes. To support this, you can now add the iploc stage to your queries using the format:
iploc <field name>
To improve query performance, we recommend that you filter the data in your query before you run the iploc stage command. Limiting the number of fields in the results table further improves performance.
New XQL Bin Stage
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) now includes a new stage command that enables you to group events by quantity or time span. The most common use case is for time charts.
To support this feature, you can now add the bin stage command to your queries using one of these formats, depending on whether you group by quantity or by time span:
  • Quantity: bin <field> bins = <number>
  • Time span: bin <field> span = <time> timeshift = <epoch time>
    • <time> is a combination of a number and a time suffix.
    • timeshift = <epoch time> is optional and designates a particular start time, given as a Unix epoch time, from which the events are grouped.
When you group events by quantity, the <field> in the bin stage command must be a number. When you group by time, the <field> must be a date type.
New XQL Time Frame Configuration Function
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a new configuration function that enables you to limit a search to a specific time frame, either relative to the query execution time or between two exact times. To support this feature, you can now add the config stage command to your queries with the timeframe function using these formats:
  • Relative time: config timeframe = <number><time unit>
  • Exact time: config timeframe between "<Year-Month-Day H:M:S ±Timezone>" and "<Year-Month-Day H:M:S ±Timezone>"
    The ±Timezone format is ±xxxx; if no timezone is configured, the default is UTC.
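The bin stage and the config timeframe function above are easier to reason about with a concrete run. The following is an added Python illustration, not Cortex XDR code and not XQL syntax: it applies the bin semantics (quantity buckets, and time-span windows with and without timeshift) to constructed timestamps and resolves both config timeframe forms, including the default-to-UTC rule for a missing ±xxxx offset. The time suffixes it accepts (s, m, h, d), epoch-aligned windows when no timeshift is given, and equal-width numeric buckets are assumptions made for this example.

```python
"""Added example, not Cortex XDR code and not XQL: re-implements the bin and
config timeframe semantics described above on constructed events so the
effect of bins = <number>, span = <time>, timeshift = <epoch time> and the
two timeframe forms can be inspected. The accepted time suffixes (s, m, h, d),
epoch-aligned windows when no timeshift is given, and equal-width numeric
buckets are assumptions made for this illustration."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

UTC = timezone.utc
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # assumed suffixes


def parse_duration(text):
    """'24h' -> 86400 seconds; rejects anything outside the assumed suffixes."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def bin_by_quantity(values, bins):
    """bin <field> bins = <number>: split a numeric field into `bins`
    equal-width buckets between its minimum and maximum value.
    Returns {bucket_start: count}; the maximum value joins the last bucket."""
    if bins < 1:
        raise ValueError("bins must be at least 1")
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1  # all values equal -> a single bucket
    counts = Counter()
    for v in values:
        idx = min(int((v - lo) / width), bins - 1)
        counts[lo + idx * width] += 1
    return dict(counts)


def bin_by_span(timestamps, span, timeshift=None):
    """bin <field> span = <time> [timeshift = <epoch time>]: group aware
    datetimes into fixed-length windows. Windows are aligned to the Unix epoch
    unless `timeshift` (epoch seconds) moves their origin."""
    span_s = parse_duration(span)
    origin = 0 if timeshift is None else int(timeshift)
    counts = Counter()
    for ts in timestamps:
        epoch = int(ts.timestamp())
        start = origin + ((epoch - origin) // span_s) * span_s
        counts[datetime.fromtimestamp(start, tz=UTC)] += 1
    return dict(sorted(counts.items()))


_EXACT_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\s*([+-])(\d{2})(\d{2}))?")


def parse_exact_time(text):
    """Parse '<Year-Month-Day H:M:S ±xxxx>'; a missing ±xxxx offset means UTC."""
    m = _EXACT_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if m.group(2) is None:
        return naive.replace(tzinfo=UTC)
    sign = 1 if m.group(2) == "+" else -1
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    return naive.replace(tzinfo=timezone(sign * offset))


def resolve_timeframe(stage, now):
    """Resolve a 'config timeframe ...' stage to (start, end) in UTC; `now` is
    the query execution time used by the relative form."""
    stage = stage.strip()
    rel = re.fullmatch(r"config timeframe\s*=\s*(\S+)", stage)
    if rel:
        return now - timedelta(seconds=parse_duration(rel.group(1))), now
    exact = re.fullmatch(r'config timeframe between\s*"([^"]+)"\s*and\s*"([^"]+)"', stage)
    if exact:
        start, end = (parse_exact_time(t).astimezone(UTC) for t in exact.groups())
        return start, end
    raise ValueError(f"not a timeframe stage: {stage!r}")


# Constructed sample events (not real telemetry) and a fixed execution time.
SAMPLE_TIMES = [datetime(2021, 8, 1, 0, 10, tzinfo=UTC), datetime(2021, 8, 1, 0, 50, tzinfo=UTC),
                datetime(2021, 8, 1, 1, 20, tzinfo=UTC), datetime(2021, 8, 1, 2, 59, tzinfo=UTC)]
NOW = datetime(2021, 8, 2, 12, 0, tzinfo=UTC)


def demo_results():
    """Run the samples through each form and return plain, comparable values."""
    shift = int(datetime(2021, 8, 1, 0, 30, tzinfo=UTC).timestamp())
    exact = 'config timeframe between "2021-08-01 00:00:00 +0300" and "2021-08-01 12:00:00"'
    return {
        "hourly": [(k.isoformat(), v) for k, v in bin_by_span(SAMPLE_TIMES, "1h").items()],
        "shifted": [(k.isoformat(), v) for k, v in bin_by_span(SAMPLE_TIMES, "1h", shift).items()],
        "quantity": bin_by_quantity([1, 2, 3, 4, 5, 6, 7, 8, 9, 10], 2),
        "relative": tuple(t.isoformat() for t in resolve_timeframe("config timeframe = 24h", NOW)),
        "exact": tuple(t.isoformat() for t in resolve_timeframe(exact, NOW)),
    }


if __name__ == "__main__":
    for name, value in demo_results().items():
        print(name, value)
```

The shifted run is the one worth looking at: with timeshift set to 00:30, the 00:10 event falls into the window that starts at 23:30 the previous day, which is exactly the kind of boundary effect a time chart built with bin will show when its origin is not aligned to the hour.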
New Support for Linux System Authentication Logs
(Requires a Cortex XDR Pro license)
EDR data collected for Linux now includes Linux system authentication logs. These logs are available through XQL queries and the Query Builder. As a result, the Event Log in the Query Builder now includes both Windows and Linux event logs, and the corresponding event_type in XQL has been renamed from WINDOWS_EVENT_LOG to EVENT_LOG.
New Visualizations for Widgets Based on XQL Search Queries
(Requires a Cortex XDR Pro license)
To help you better view and visualize data based on XQL search queries, Cortex XDR expanded the type of available widgets so that you can now display the search results using:
  • Funnel graph
  • Word Cloud graph
  • Map
  • Single Value Trend graph
  • Graph Header
Incident Thresholds for Alert Grouping
To keep incidents fresh and relevant, Cortex XDR now provides the following two new thresholds after which an incident stops adding alerts:
  • 30 days after the incident was created
  • 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts and Cortex XDR groups subsequent related alerts in a new incident.
For increased visibility, Cortex XDR also provides a new Alerts Grouping Status field in the Incidents table to identify the grouping status: Enabled when the incident is open to accepting new related alerts, or Disabled if either threshold is reached and the incident is closed to further alerts, or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.
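The two thresholds and the 1,000 alert cap above combine into a small decision rule. The following Python is an added example, not Cortex XDR code: it models that rule over constructed incident records, including the exclusion of backward scan alerts from the 14-day timer. The record layout (`created`, `alerts` with `detected` and `backward_scan`) and the fallback to the creation time when an incident holds only backward scan alerts are assumptions made here; how Cortex XDR decides which incident an alert is related to is out of scope.

```python
"""Added example (not Cortex XDR code): the alert-grouping thresholds above as
a pure decision function over a constructed incident record, so the three
"Disabled" reasons can be exercised. The record layout and the fallback to the
creation time when only backward scan alerts exist are assumptions."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
CREATION_LIMIT = timedelta(days=30)    # no new alerts 30 days after creation
INACTIVITY_LIMIT = timedelta(days=14)  # or 14 days after the last detected alert
ALERT_LIMIT = 1000                     # hard cap on alerts per incident


def last_detection(incident):
    """Latest detection time, ignoring backward scan alerts, which the release
    notes exclude from the 14-day timer (assumption: fall back to creation)."""
    times = [a["detected"] for a in incident["alerts"] if not a.get("backward_scan")]
    return max(times) if times else incident["created"]


def grouping_status(incident, now):
    """('Enabled', None) or ('Disabled', reason), mirroring the Alerts Grouping
    Status column and the reason shown on hover."""
    if len(incident["alerts"]) >= ALERT_LIMIT:
        return "Disabled", f"incident reached the {ALERT_LIMIT:,} alert limit"
    if now - incident["created"] >= CREATION_LIMIT:
        return "Disabled", "30 days since the incident was created"
    if now - last_detection(incident) >= INACTIVITY_LIMIT:
        return "Disabled", "14 days since the last alert was detected"
    return "Enabled", None


def route_alert(related_incident, alert, now):
    """Add `alert` to the related incident if it still accepts alerts; otherwise
    open a new incident for it. Matching alerts to incidents is out of scope."""
    if grouping_status(related_incident, now)[0] == "Enabled":
        related_incident["alerts"].append(alert)
        return related_incident
    return {"created": now, "alerts": [alert]}


def make_incident(created, detections, backward_scan_detections=()):
    """Build a constructed incident record from detection times."""
    alerts = [{"detected": t, "backward_scan": False} for t in detections]
    alerts += [{"detected": t, "backward_scan": True} for t in backward_scan_detections]
    return {"created": created, "alerts": alerts}


T0 = datetime(2021, 8, 1, tzinfo=UTC)
DAY = timedelta(days=1)

# Constructed scenarios (incident, evaluation time). None of this is real data.
SCENARIOS = {
    "active": (make_incident(T0, [T0 + 1 * DAY, T0 + 5 * DAY]), T0 + 10 * DAY),
    # a backward scan alert 15 days in does NOT keep the incident open
    "stale_despite_backscan": (make_incident(T0, [T0 + 1 * DAY], [T0 + 15 * DAY]), T0 + 16 * DAY),
    "too_old": (make_incident(T0, [T0 + 29 * DAY]), T0 + 31 * DAY),
    "full": (make_incident(T0, [T0 + 1 * DAY] * ALERT_LIMIT), T0 + 2 * DAY),
}


def evaluate_scenarios():
    """Grouping status for every constructed scenario."""
    return {name: grouping_status(inc, now) for name, (inc, now) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, status in evaluate_scenarios().items():
        print(f"{name:24s} {status[0]:8s} {status[1] or ''}")
```

The order of the checks matters for the hover text: an incident that is both over the alert cap and past 30 days reports the cap first here, which is a presentation choice of this example rather than documented behaviour.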
MITRE, Severity, and Alert Grouping Visibility in Incident Table
You can now view the following MITRE, severity, and alert grouping fields in the Incident Table. Each field displays the following information:
  • MITRE ATT&CK Tactic—MITRE tactics found in the alerts.
  • MITRE ATT&CK Technique—MITRE techniques found in the alerts.
  • Alert Categories—Alert categories found in the alerts.
  • WildFire Hits—Number of Malware, Phishing, and Grayware artifacts that are part of the incident.
  • High Severity Alerts—Number of high severity alerts that are part of the incident.
  • Medium Severity Alerts—Number of medium severity alerts that are part of the incident.
  • Low Severity Alerts—Number of low severity alerts that are part of the incident.
  • Alerts Grouping Status—Displays whether Alert Grouping is currently enabled.
Incidents created prior to Cortex XDR version 2.9 are updated as follows:
  • The MITRE ATT&CK Tactic, MITRE ATT&CK Technique, and Alert Categories fields remain empty.
  • The WildFire Hits field starts empty; when a new alert is added to the incident, the field is updated.
  • The High Severity Alerts, Medium Severity Alerts, Low Severity Alerts, and Alerts Grouping Status fields are updated with the corresponding values.
  • If an incident is merged or moved with other incidents, Cortex XDR recalculates and updates the fields.
Incident Table View Enhancement
To streamline your incident investigation process and reduce the number of steps it takes to investigate an incident, Cortex XDR now allows you to display the Incidents page in one of two new views:
  • Split Pane Mode
  • Table View
The List view displays the current table. The new Detail view positions the incident table rows in a left-side pane and displays the complete Incident View on the rest of the page, allowing you to scroll through the incident rows and display each incident view without pivoting to another tab or window.
To ensure visibility of the incident data, each row in the pane displays the incident description and incorporates icons that provide the following details:
  • Severity
  • Status
  • Score
  • Star
  • Assignee
  • Update Time
  • Incident Description
In addition, you can sort the incident rows according to the available fields.
The current right-click menu options are also available in the Detail view.
Causality View Loading Time Enhancements
To improve loading time, as of Cortex XDR version 2.9, when navigating to the Causality View from an alert or event, Cortex XDR now displays the causality data as follows:
  • Visualize the branch between the CGO and the actor process of the alert/event.
  • Display up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first.
  • Causality cards that contain more causality data display a Showing Partial Causality flag. You can manually add child or parent process branches by right-clicking the process nodes displayed in the graph.
Added Option to View The Observed Behaviors of Behavioral Threat Protection Alerts
The Cortex XDR management console now allows you to view the observed behaviors of Behavioral Threat Protection alerts. To view the observed behaviors, right-click an alert in the alert table or in the incident view and select View Observed Behaviors.
The option to view the Observed Behaviors table already exists in the Causality Card. The new view option is another pivot option to view the same information, and both options remain available.
Featured Alert Fields Enhancement
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now includes Active Directory Groups and Organizational Unit (OU) as optional Featured Alert Fields labels.
Define a Featured AD group or OU in Investigation > Incident Management > Feature Fields > Active Directory.
To easily locate alerts containing featured AD or OU fields, alerts in the Alerts Table are marked with a flag in the Alert Name field and appear in the Contains Featured User or Contains Featured Host fields associated with the AD/OU.
Enhanced Alerts Deduplication
To better identify and deduplicate Analytics, IOC or BIOC alerts for the same activity, the deduplication period is now calculated according to the actual time the event took place, rather than according to the time the event was reported to Cortex XDR.
This change applies to future alerts. Previously-created alerts remain the same.
Quick Actions in Tables
To streamline investigation in Cortex XDR, you can quickly initiate actions using new icons that are available throughout Cortex XDR. The icons appear in table rows when you left-click a row and provide an alternative to the right-click pivot menus.
The new icons are available for rows in the following tables:
  • Incidents:
    • Open Incidents View (same or new tab)
    • Star an incident or clear the star
  • Alerts:
    • Open the Causality View (same or new tab)
    • Exclude an alert or cancel alert exclusion
  • Endpoints:
    • Isolate an endpoint or cancel isolation
    • Initiate Live Terminal
    • Open the Asset View
    • Open Incidents (same or new tab)
Centric View of CVE, Endpoint, and Application information, with additional Vulnerability Assessment Enhancements
To streamline your investigation under Vulnerability Assessment, Cortex XDR now provides a centric view for a single CVE, Endpoint, or Application, each accessible when you click a specific row of the Vulnerability Assessment and Host Insights panels. These views list the affected applications, endpoints, or applicable vulnerabilities in an exportable and searchable form, together with additional information on each entity.
The CVEs tab under Vulnerability Assessment now includes additional fields to help you fine-tune your vulnerability investigation:
  • Additional CVSS fields, including Exploitability and Impact metrics.
  • An Affected Endpoints column, allowing you to easily search for CVEs on a specific endpoint.
  • The username of the last user who modified the comment, and the timestamp of that change.
Other view enhancements:
  • The Hosts tab under Vulnerability Assessment has been renamed to ‘Endpoints’ and now includes the Endpoint Group details.
  • The Apps tab was removed from the Vulnerability Assessment panel; it remains accessible, as before, under the Host Insights menu.
In addition, Cortex XDR now calculates an unlimited number of vulnerabilities per endpoint, as opposed to a limit of 500 vulnerabilities per endpoint in previous versions.
This update means that you might see a higher number of CVEs in Vulnerability Assessment screens, as well as in reports and dashboards.
Low and Informational Categorization for Agent Alerts
The Cortex XDR management console now displays Behavioral Threat Protection (BTP) alerts at Low or Informational severity. These are displayed as Insights in the Incident View and Causality View panels. Low severity alerts are also displayed in the Alerts table.
Authentication Story Enrichment
(Requires a Cortex XDR Pro per Endpoint license and a Cortex XDR agent 7.3 or later for Linux)
Starting with this release, Cortex XDR includes Linux authentication logs in authentication stories and will generate alerts accordingly.
External Data Ingestion
Zscaler Cloud Firewall Log Ingestion
(Requires a Cortex XDR Pro per TB license)
If you use Zscaler Cloud Firewall in your network, you can now forward your firewall and network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. To begin analyzing your traffic logs, you set up a Syslog Collector and configure your firewall to forward logs to the Syslog Collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Zscaler XQL dataset (<Vendor>_<Product>_raw) based on the <Vendor> and <Product> fields defined in the Zscaler syslog configuration. This enables you to search the logs using XQL Search.
Windows DHCP Log Ingestion
(Requires a Cortex XDR Pro per TB license)
To provide additional network asset visibility in Cortex XDR Asset Management and improved analytics, Cortex XDR can now ingest Windows DHCP logs. To receive logs, configure the Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR, which replace the preexisting Settings > SaaS Integrations settings. In addition, you must install and configure an Elasticsearch Filebeat agent on your Windows DHCP Server.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP XQL dataset (windows_dhcp_raw). This enables you to search the logs using XQL Search.
Syslog Collector Applet Enhancements
(Requires a Cortex XDR Pro per TB license)
The Syslog Collector applet now includes these enhancements:
  • Supports a Secure TCP protocol with a TLS encrypted VPN.
  • For a particular Protocol/Port entry, you can now map the syslog sources based on your own IP address or CIDR. This is configured by setting the order of the IP address or CIDR in the new Source Network column.
Additional External Alerts Fields Available for Mapping
(Requires a Cortex XDR Pro license)
When you ingest alerts from external sources using either the Syslog Collector or Cortex XDR API, you can now map these additional optional fields to the alerts table:
  • Process Command Line
  • Process SHA256
  • Domain
  • Process File Path
  • Hostname
  • Username
New Behavior for Ingesting Null Fields
(Requires a Cortex XDR Pro license)
To expand your investigation and analytics capabilities, Cortex XDR now ingests any field with a null value, as opposed to the previous behavior of not ingesting these null value fields. It is also now possible to use the Cortex XDR Query Language (XQL) to query ingestion rules for null values.
Analytics
Improved Accuracy for Malware Protection
(Requires a Cortex XDR agent 7.4 or later release for Windows)
Starting with this release, WildFire introduces analysis scores for files with Benign verdict to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually would get a high confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing would get a lower confidence Benign score. Files with a low confidence score are displayed as Benign Low Confidence (LC).
When Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place (Run local analysis to determine the file verdict, Allow, or Block).
As soon as you deploy your Cortex XDR 7.4 agents, Cortex XDR will enforce this new behavior according to the settings you already have in your existing Malware Security profile for files unknown to WildFire. If you want to change it, you need to change the existing settings.
Cortex XDR Identity Analytics Add-On Module
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR now offers a new Identity Analytics add-on module. The add-on requires a Cortex XDR Pro per TB license and a separate module license. The module license is currently free but will entail an additional cost in the future.
The Identity Analytics add-on displays in the Analytics Alert View suspicious user activity, such as stolen or misused credentials, lateral movement, credential harvesting, or brute force, based on data collected by the Cortex XDR Analytics engine detectors.
When investigating an analytics type alert, a new User node appears in the causality view. Hover over the node to display user profile information, such as recent authentication statistics, user role, and any associated Active Directory groups or Organizational Units. When you select the alert node, Cortex XDR displays the recent logins, hosts, alerts, and process executions associated with the user in the Alert Description and Event Table sections.
Auto-Disable of Alerts from Analytics Detectors
(Requires a Cortex XDR Pro per TB license)
To ensure the analytics detectors raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables alerts from detectors that reach 5000 or more hits over a 24 hour period.
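The threshold above is a rate limit on a detector, and the part a practitioner usually wants to see is how "5000 or more hits over a 24 hour period" behaves when hits age out. The following Python is an added example, not Cortex XDR code: it keeps a sliding 24-hour window of hit timestamps and flips the detector to disabled once the limit is reached. Measuring the period as a sliding window, and letting the hit that reaches the limit be the last one that raises an alert, are assumptions made here; the release notes do not say how the window is measured.

```python
"""Added example (not Cortex XDR code): a rolling 24-hour hit counter that
models the auto-disable rule above, under which a detector that reaches
5,000 hits in 24 hours stops raising alerts. Sliding-window measurement and
the treatment of the limit-reaching hit are assumptions for this illustration."""
from collections import deque
from datetime import datetime, timedelta, timezone

HIT_LIMIT = 5000
WINDOW = timedelta(hours=24)


class DetectorThrottle:
    """Tracks hits for one analytics detector and flips to disabled once
    `limit` hits fall inside a `window`-long sliding period."""

    def __init__(self, limit=HIT_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.hits = deque()       # timestamps still inside the window
        self.disabled_at = None   # set when the limit is reached

    @property
    def disabled(self):
        return self.disabled_at is not None

    def record(self, ts):
        """Register a hit at `ts`; return True if this hit raises an alert."""
        if self.disabled:
            return False
        while self.hits and ts - self.hits[0] >= self.window:
            self.hits.popleft()   # expire hits older than the window
        self.hits.append(ts)
        if len(self.hits) >= self.limit:
            self.disabled_at = ts  # this hit is raised; later ones are not
        return True


def simulate(hit_times, limit=HIT_LIMIT, window=WINDOW):
    """Feed ordered timestamps through a throttle; return (alerts_raised, disabled)."""
    throttle = DetectorThrottle(limit, window)
    raised = sum(1 for ts in hit_times if throttle.record(ts))
    return raised, throttle.disabled


T0 = datetime(2021, 8, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)

# Constructed hit streams, not real detector output.
BURST = [T0 + i * HOUR for i in range(6)]        # six hits within six hours
SPREAD = [T0, T0 + 10 * HOUR, T0 + 25 * HOUR]    # third hit arrives after the first expired

if __name__ == "__main__":
    print("burst, limit 5:", simulate(BURST, limit=5))
    print("spread, limit 3:", simulate(SPREAD, limit=3))
```

The SPREAD stream is the edge case: three hits in total, but never three inside one 24-hour window, so a limit of three leaves the detector enabled.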
Endpoint Security and Management
Cortex XDR Agent Deployment with Installer and Content Update Package
(Requires a Cortex XDR agent 7.4 or later release for Windows)
To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR now offers an agent installation and content update package. The package includes the agent installer and the latest supported content available at the time of the bundle download, eliminating the Content Update download phase from the Cortex XDR server after agent installation. You can deploy the package using a third-party tool such as SCCM, or manually on the endpoint.
For more information on the installation process, refer to the Cortex XDR Agent administrator guide.
Cortex XDR Agent Installer and Content Caching on the Broker VM
(Requires a Cortex XDR agent 7.4 or later and Broker VM 12.0.58 or later)
To reduce external bandwidth usage and time required for Cortex XDR agent installations, upgrades, and content updates, Cortex XDR now offers an additional option to cache the files on your Cortex XDR Broker VM.
When both P2P and Broker VM download sources are selected, the agent first queries a peer agent for the files. If the files are unavailable or the process fails, the agent queries the Broker VM, where the files are kept for a 30-day retention period after an agent last requested them. If the download from the Broker VM also fails, the agent retrieves the files directly from the Cortex XDR server. The option to retrieve the files from the server is always enabled.
To enable the Broker VM caching option, you must first:
  1. On your Broker VM settings, configure an FQDN address and enable agent caching in your Local Agent applet.
  2. In your Agent Settings profile, add Broker VM as a Download Source and configure the Broker VM FQDN address.
For the detailed workflow on how to set up caching on the Broker VM, refer to the Cortex XDR administrator’s guide.
Peer-to-Peer Distribution of Cortex XDR Agent Installers
To reduce bandwidth load when distributing installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now uses P2P distribution for agent installers in addition to content updates. In your Agent Settings profile, you can choose the download sources from which agents retrieve release upgrades and content updates: P2P, Palo Alto Networks Broker VM, and the Cortex XDR server. Peer-to-peer distribution is enabled by default in the Agent Settings profile and requires that you allow UDP and TCP over port 33221 (you can change this port number later through the Agent Settings profile).
Device Control Enforcement on Previously Connected USB Devices
(Requires a Cortex XDR agent 7.4 or later release for Windows)
When the Cortex XDR agent starts enforcing Device Control on the endpoint, it now enforces the policy rules not only on newly connected devices, but also on devices that were previously connected to the endpoint before the policy enforcement was applied.
Native Support for Apple Silicon (M1)
(Requires a Cortex XDR agent 7.4 or later release for Mac)
Starting with this release, you can install the Cortex XDR agent on macOS based devices with Apple Silicon (M1). To resolve issues that could occur, refer to the Cortex XDR 7.4 agent list of known issues.
Context-based Global Exceptions for the Gatekeeper Enhancement Protection Module
(Requires a Cortex XDR agent 7.4 or later release for Mac)
Now when the Cortex XDR Gatekeeper Enhancement security module raises an alert, you can create a global exception for this specific source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.
Cortex XDR Agent Silent Uninstall
(Requires a Cortex XDR agent 7.4 or later release for Mac)
Starting with this release, when you uninstall the Cortex XDR agent from the Cortex XDR management console, the process is silent and does not prompt the end-user for approvals on the endpoint.
Scope-Based Access Control (SBAC) for Endpoints
Cortex XDR now enables you to assign user permissions to specific endpoint groups in the organization. By default, all users have management access to all endpoints in the tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is able to manage only the endpoints within that scope.
This Scope-Based Access Control (SBAC) affects the following functional areas in Cortex XDR:
  • Endpoint Administration table—view endpoints and take actions on endpoints.
    Note: Policy Management does not support SBAC.
  • Action Center—view and take actions only on endpoints that are within the scope of the user.
  • Dashboards and Reports—scoping takes place only on agent-related widgets.
The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with a permission to view incidents, can view all incidents in the system without limitation to a scope.
To view and modify the scope of a user, go to Configurations > Access Management > Users. In the list of Cortex XDR users, the Endpoint Scope column now specifies any SBAC assignment.
Broker VM
Version 12.1.5
CSV Log Files Integration with the Broker VM
(Requires a Cortex XDR Pro per TB license)
The broker VM now provides a new CSV Collector applet that enables you to monitor and collect CSV log files from a shared Windows directory directly to your log repository for query and visualization purposes.
After you activate the CSV Collector applet, you can ingest CSV files as datasets by defining the list of folders mounted to the broker VM and setting the list of CSV files to monitor and upload to Cortex XDR using a username and password.
Agent Proxy Listening Interface
You can now specify a proxy listening interface when activating a local agent on the broker VM, through the Activate Local Agent applet. For more information, see the Cortex XDR Administrator’s Guide.
API
New XQL API
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR now enables you to run XQL queries on your data sources using APIs. The XQL APIs require a Cortex XDR Pro license and a daily Query Quota made up of query units. Cortex XDR provides a free quota of query units and you will be able to purchase additional units in future Cortex XDR versions.
Each XQL query consumes query units based on the number of API response results. Queries called without enough quota will fail.
You can run the following APIs on your tenant and MSSP child tenants:
  • start_xql_query/—Run an XQL query. The response returns a unique query ID used to call the get_query_results/ API.
  • get_query_results/—Retrieve XQL query results. Returns up to 1,000 results.
  • get_query_results_stream—Retrieve XQL query results when there are more than 1,000 results.
  • get_quota/—Retrieve the number of used and available query units.
To help you track your XQL APIs, in the Cortex XDR app, you can view the following information:
  • Query usage and your remaining available quota.
  • Data about the XQL queries executed by APIs:
    • ID—Unique identifier of the XQL query API call.
    • Timestamp—Date and time when the XQL API was called.
    • PAPI Key ID—The API Key ID used to call the XQL API.
    • XQL Query—Query string called by the XQL API.
    • Query Unit Usage—Number of query units used to run the API.
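The four endpoints above form one workflow: check the quota, start the query, poll until the results are ready, and switch to the stream endpoint when there are more than 1,000 results. The following Python is an added example, not Palo Alto Networks code, that runs that workflow offline against a constructed fake tenant. Only the endpoint names come from the release notes; the request and response field names, the authentication header names, and the fake tenant's cost model (one query unit per 100 rows, charged up front) are assumptions made for this illustration and must be checked against the API reference before real use.

```python
"""Added example, not Palo Alto Networks code: a minimal client for the XQL
API workflow listed above (check quota, start a query, poll for results,
switch to the stream endpoint above 1,000 rows) run offline against a
constructed fake tenant. The endpoint names come from the release notes; the
request/response field names, the auth header names and the fake tenant's
cost model are assumptions for this illustration."""

START, RESULTS = "start_xql_query/", "get_query_results/"
STREAM, QUOTA = "get_query_results_stream", "get_quota/"
PAGE_LIMIT = 1000  # get_query_results returns at most this many rows


class XqlClient:
    def __init__(self, transport, api_key_id, api_key):
        # transport(path, body, headers) -> dict stands in for the HTTPS POST
        self.transport = transport
        self.headers = {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key}

    def _call(self, path, body):
        return self.transport(path, {"request_data": body}, self.headers)["reply"]

    def remaining_quota(self):
        return self._call(QUOTA, {})["remaining"]

    def run(self, query, timeframe_ms=86_400_000):
        """Run one XQL query end to end; return its rows and query-unit cost."""
        if self.remaining_quota() < 1:  # queries without quota fail, so stop early
            raise RuntimeError("query quota exhausted")
        query_id = self._call(START, {"query": query, "timeframe": {"relativeTime": timeframe_ms}})
        while True:  # a real client should sleep between polls
            reply = self._call(RESULTS, {"query_id": query_id, "pending_flag": True, "limit": PAGE_LIMIT})
            if reply["status"] != "PENDING":
                break
        if reply["status"] != "SUCCESS":
            raise RuntimeError(f"query {query_id} ended with status {reply['status']}")
        if reply["number_of_results"] > PAGE_LIMIT:
            rows = self._call(STREAM, {"query_id": query_id})  # more than one page
        else:
            rows = reply["results"]["data"]
        return {"query_id": query_id, "rows": rows, "cost": reply["query_cost"]}


class FakeTenant:
    """Constructed stand-in for a tenant: charges ceil(rows/100) units per
    query, answers PENDING once before SUCCESS, and fails (without charging)
    any query whose cost exceeds the remaining quota."""

    def __init__(self, rows_by_query, quota):
        self.rows_by_query = rows_by_query
        self.remaining = quota
        self.queries = {}   # query_id -> (rows or None when failed, cost)
        self.polls = {}

    def __call__(self, path, body, headers):
        if not headers.get("x-xdr-auth-id") or not headers.get("Authorization"):
            raise PermissionError("missing API key headers")
        data = body["request_data"]
        if path == QUOTA:
            return {"reply": {"remaining": self.remaining}}
        if path == START:
            rows = self.rows_by_query[data["query"]]
            cost = max(1, -(-len(rows) // 100))
            qid = f"q{len(self.queries) + 1}"
            if cost > self.remaining:
                self.queries[qid] = (None, cost)
            else:
                self.remaining -= cost
                self.queries[qid] = (rows, cost)
            return {"reply": qid}
        rows, cost = self.queries[data["query_id"]]
        if path == STREAM:
            return {"reply": rows}
        if path == RESULTS:
            n = self.polls[data["query_id"]] = self.polls.get(data["query_id"], 0) + 1
            if n < 2:
                return {"reply": {"status": "PENDING"}}
            if rows is None:
                return {"reply": {"status": "FAIL", "reason": "insufficient quota"}}
            return {"reply": {"status": "SUCCESS", "number_of_results": len(rows),
                              "query_cost": cost, "results": {"data": rows[:PAGE_LIMIT]}}}
        raise KeyError(path)


# Constructed result sets: one that needs the stream endpoint and one that does not.
SAMPLE_ROWS = {"large": [{"row": i} for i in range(1200)], "small": [{"row": i} for i in range(50)]}


def build_demo(quota=20):
    tenant = FakeTenant(SAMPLE_ROWS, quota)
    return tenant, XqlClient(tenant, api_key_id=7, api_key="constructed-key")


if __name__ == "__main__":
    tenant, client = build_demo()
    for name in ("large", "small"):
        result = client.run(name)
        print(name, len(result["rows"]), "rows, cost", result["cost"], "left", tenant.remaining)
```

Two behaviours are worth noting for anyone automating this: the up-front quota check only guards against an empty quota, since the cost is known only from the result count, so a query can still fail for quota after it was started; and the client never trusts the first page when number_of_results exceeds the page limit, which is what the stream endpoint exists for.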
New API Key Time Limit
For an added layer of security when managing your user API permissions, you can now set a time limitation on the API key used to authenticate API calls.
When creating API keys, select the option to enable an Expiration Date for the key. In the API Keys table, a new Expiration Time field has been added so that you can track each key. In addition, Cortex XDR displays an API Key Expiration notification one week and one day before the defined expiration date.
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the following fields:
  • mitre_techniques_ids_and_names—Array of the MITRE technique names and IDs the incident raised
  • mitre_tactics_ids_and_names—Array of the MITRE tactic names and IDs the incident raised
  • wildfire_hits—Number of WildFire detections raised by the incident
  • alert_categories—Array of the alert categories the incident raised
  • alerts_grouping_status—String representing whether the grouping is Enabled or Disabled.
Updated Alert Severity Valid Values
To ensure consistency in the Cortex XDR app Alerts table, when calling the Insert Parsed Alerts API, the severity field is now mandatory and does not accept the value Unknown.
Possible valid values are:
  • Informational
  • Low
  • Medium
  • High
Updated Featured Alert Fields API
(Requires a Cortex XDR Pro license)
To expand your Featured Alert Field capabilities, Cortex XDR has updated the Replace Featured Active Directory Groups API to allow you to delete and replace Organizational Units (OU) in addition to Active Directory Groups (AD).
When calling /replace_ad_groups/, you can now distinguish between an AD group and an OU by including the new field type with a value of either group or OU in your request. The field is not mandatory and defaults to group.
Upload Cortex XDR Indicator Request Validation
To help you verify whether an indicator has been updated correctly, when calling the Insert Simple Indicators, CSV and Insert Simple Indicators, JSON APIs, you can now send a validate field in your request.
If the update was unsuccessful, the validate field returns a validation_errors array listing the specific fields and the errors that occurred.

Features Released in March

The following table describes new features in the Cortex XDR 2.8 release.
Feature
Description
Access Management
Cortex XDR Management Console IP Address Changes
Cortex XDR now uses new IP addresses for accessing the Cortex XDR management console (<xdr-tenant>.xdr.<region>.paloaltonetworks.com). If you already use the cortex-xdr App-ID or the outgoing HTTPS connection is not filtered by a firewall, no firewall adjustments are necessary. However, if your HTTPS connection is filtered through a firewall (and you do not use the App-ID), you must adjust your configuration to use the new IP addresses according to your region. The FQDN for the Cortex XDR management console remains unchanged.
Broker VM
Approved Remote Terminal Commands
When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands:
  • The edit_routes command is now deprecated. To enable updates to your static network routes, Cortex XDR allows you to execute the restart_routes command. The command restarts the routing service, applying the updates you made to your network route configuration file.
  • squid_tail—Display the Proxy applet Squid log file in real time.
API
Enhanced Visibility of Mac Addresses
To provide greater visibility for alerts that have multiple associated MAC addresses, the Get Alerts API response now includes the mac_address field.
The new field returns a list of one or more MAC addresses and supersedes the existing mac field, which will be deprecated in a future release.

Features Introduced in February

The following table describes new features in the Cortex XDR 2.7 release.
Feature
Description
General
Extended Tab Viewing Options
The option to view results in the same or a new tab is now available in the pivot menus of the following tables:
  • Query Center—Open query results
  • Scheduled Queries—View executed queries
  • Endpoint Management—Open the related Asset View and related incidents of an endpoint
  • Asset Management—Open asset and agent details views
  • BIOC rules—Open the related rule query
In-App New Version Notification
Cortex XDR now displays a notification when you log in to your tenant following a Cortex XDR version upgrade. The notification displays the updated version number and lists selected new features available for your license type.
From the notification, you can pivot to the Release Notes for more information, or dismiss the notification and view it later by navigating to User > What’s new in the Cortex XDR management console.
Audit Logs SHA256 Value Enhancement
To improve your investigation capabilities, Cortex XDR now includes the SHA256 value in the Management Audit and Agent Audit logs for files that you restored and quarantined.
The Management Audit Log and Agent Audit Log Description field in the Cortex XDR management console, and the Get Audit Agent Report and Get Audit Management Log APIs, now display the file Description in a new format:
  • Management Audit Logs
    • Restore quarantined file hash <full SHA256> on <endpoint name>
    • Quarantine <file path>, SHA256: <full SHA256> on <endpoint name>
  • Agent Audit Logs
    • Restored file <file path>, SHA256: <full SHA256> on <endpoint name>
    • Quarantined file <file path>, SHA256: <full SHA256> on <endpoint name>
Auto-Disable BIOC Rules Log Description Update in Audit Logs
The Auto-Disabled behavioral indicator of compromise (BIOC) rule Description field displayed in the Management Audit Log page and the Get Audit Management Log API now displays the rule description in a new format:
BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity>
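The new Description formats above (the four quarantine and restore messages and the auto-disabled BIOC rule message) are fixed-shape strings, which makes them easy to parse when audit logs are exported for review. The following Python is an added example, not Cortex XDR code: a parser that recognises each documented format and pulls out the SHA256, file path, endpoint name, and rule details, plus a helper that collects the hashes of quarantined files. The sample descriptions and the hashes in them are constructed.

```python
"""Added example (not Cortex XDR code): a parser for the new audit log
Description formats listed above, including the Auto-Disabled BIOC rule
message, so SHA256 values, file paths, endpoints and rule details can be
pulled out of exported audit logs. The sample descriptions are constructed."""
import re

_SHA256 = r"[0-9a-fA-F]{64}"
# (log, action, pattern) for each documented Description format.
_PATTERNS = [
    ("management", "restore", re.compile(
        rf"^Restore quarantined file hash (?P<sha256>{_SHA256}) on (?P<endpoint>.+)$")),
    ("management", "quarantine", re.compile(
        rf"^Quarantine (?P<path>.+), SHA256: (?P<sha256>{_SHA256}) on (?P<endpoint>.+)$")),
    ("agent", "restore", re.compile(
        rf"^Restored file (?P<path>.+), SHA256: (?P<sha256>{_SHA256}) on (?P<endpoint>.+)$")),
    ("agent", "quarantine", re.compile(
        rf"^Quarantined file (?P<path>.+), SHA256: (?P<sha256>{_SHA256}) on (?P<endpoint>.+)$")),
    ("management", "bioc_auto_disabled", re.compile(
        r"^BIOC rule #(?P<rule_number>\d+) has been automatically disabled because it reached "
        r"10,000 matches in the last 24 hours\. Rule name: (?P<rule_name>.+), severity: (?P<severity>\w+)$")),
]


def parse_description(text):
    """Return a dict with `log`, `action` and the captured fields, or None when
    the text matches none of the documented formats."""
    text = text.strip()
    for log, action, rx in _PATTERNS:
        m = rx.match(text)
        if m:
            record = {"log": log, "action": action, **m.groupdict()}
            if "sha256" in record:
                record["sha256"] = record["sha256"].lower()  # normalise for matching
            return record
    return None


def quarantine_hashes(descriptions):
    """Distinct SHA256 values of files that were quarantined (restores excluded)."""
    return {r["sha256"] for r in map(parse_description, descriptions)
            if r and r["action"] == "quarantine"}


# Constructed samples; the hashes are filler, not real file hashes.
H1 = "0123456789abcdef" * 4
H2 = "fedcba9876543210" * 4
SAMPLE_DESCRIPTIONS = [
    f"Quarantine C:\\Users\\alice\\Downloads\\invoice, final.exe, SHA256: {H1} on LAPTOP-01",
    f"Quarantined file C:\\Users\\alice\\Downloads\\invoice, final.exe, SHA256: {H1} on LAPTOP-01",
    f"Restore quarantined file hash {H1.upper()} on LAPTOP-01",
    f"Quarantined file /home/bob/tool.sh, SHA256: {H2} on srv-build-02",
    f"Restored file /home/bob/tool.sh, SHA256: {H2} on srv-build-02",
    "BIOC rule #17 has been automatically disabled because it reached 10,000 matches "
    "in the last 24 hours. Rule name: Suspicious PowerShell, severity: High",
    "Agent upgraded to 7.4",  # an unrelated description, which the parser should skip
]

if __name__ == "__main__":
    for line in SAMPLE_DESCRIPTIONS:
        print(parse_description(line))
    print("quarantined:", sorted(quarantine_hashes(SAMPLE_DESCRIPTIONS)))
```

The path group is deliberately greedy and the hash pattern is anchored to exactly 64 hex characters, so a file name containing a comma (as in the first sample) still splits correctly at the ", SHA256: " that precedes the hash.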
Investigation and Response
XQL Query Language Enhancements
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) is extended in the following ways:
New Datasets for XQL Search
(Requires a Cortex XDR Pro license)
Cortex XDR now enables you to query the following data using the Cortex XDR Query Language (XQL):
  • Next-generation firewall logs (available as a new dataset). These fields and data are identical to the log record information that is available using the Explore app.
  • Device control connect and disconnect events (added to the xdr_data dataset).
In addition, log records received from a security information and event management (SIEM) system are parsed into key-value pairs. Log record field values that are not identified as an integer, string, or timestamp are ingested as a JSON record.
Network Preset Name Change in XQL Search
(Requires a Cortex XDR Pro license)
The Network preset for XQL Search of EDR data is changed—it is now Agent Network. This is only a name change; this preset still provides the same network events sent from agents as before this change.
The Agent Network preset is not the same as the Network Story preset that provides stitched network events from different sources.
Additional XQL Search Pivot Functionality
(Requires a Cortex XDR Pro license)
To continue investigation, you can now pivot from XQL Search results to the Causality View and Timeline View. These options are supported for results that identify the following types of events: process (except for those with an event subtype of termination), network, file, registry, injection, load image, system calls, network stories, and Windows event logs.
From the events table in the Causality View and Timeline View, you can similarly pivot from an event to View in XQL in either the same tab or a new tab. This is useful if you want to further refine the query to continue the investigation.
Histograms for XQL Search Queries
(Requires a Cortex XDR Pro license)
Cortex XDR now automatically generates histograms for every field that is part of an XQL Search result. A histogram is a type of visualization of the results within a specific query. Histograms are similar to bar charts that show the distribution of values within a specific field across a result set. Each time you generate a new query, Cortex XDR will regenerate the histogram based on the updated result set.
Histograms are not supported for JSON and array fields.
New Visualizations for Widgets Based on XQL Search Queries
(Requires a Cortex XDR Pro license)
To help you better view and visualize data based on XQL search queries, you can now view your XQL search results in three new modes:
  • Raw—Displays the raw format of the entity in the database.
  • JSON—Displays the entity with a key/value distinction.
  • Tree—A dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.
Cortex XDR expanded the type of available widgets so that you can now display the search results using:
  • Pie charts—Includes options for full circle (default), donut, and semicircle charts.
  • Area graphs—Includes options for standard, stacked, and percentage graphs.
  • Bubble graphs—Includes options for standard, packed, and group packed graphs.
  • Scatter graphs
  • Single value totals
  • Gauge graphs—Includes options for radial, filler, and marker graphs.
  • Table—Displays the results table data.
To easily save a visualization after you create a widget, find the widget in the Widget Library.
New Cortex XDR Widget Library
To streamline widget visibility and management, Cortex XDR now enables you to search, view, and edit both your custom widgets and the Cortex XDR predefined widgets in the new Widget Library.
The library is a one-stop page where you can easily add or create widgets to your dashboards and reports to help you continuously monitor your XQL query results, logs, and data visually.
New Incident Management Page
To streamline the Investigation menu, a new Incident Management page is now available. From this page, you can view starred incidents, manage scoring rules, and view incident exclusions.
Custom Incident Scoring Rules
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight incidents that are significant in your environment, Cortex XDR now enables you to define custom incident scoring rules that prioritize your incidents according to the needs of your organization.
Define scoring rules in the Cortex XDR management console on the Investigations > Incident Management page. Each rule is based on a defined score and either an alert attribute or the entity on which the alert occurred. When an alert matching the defined rule is raised, Cortex XDR adds the alert score to the total score of the incident. By default, the alert score is applied only to the first alert that matches the defined rule. Subsequent alerts for the same incident do not receive any score.
The incident score is displayed as a filterable Score field in the Incident table and as a tag in the Incident View.
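The scoring semantics described above, modeled as an added example (this is not Cortex XDR code): a rule contributes its score to an incident only for the first matching alert. The rule shape, the treatment of a host entity as just another alert attribute, and all alerts are my own assumptions and constructed data.

```python
"""Added example (not Cortex XDR code): a small model of the incident scoring
rule semantics described above, where a rule's score is added to an incident
only for the first alert that matches it.

Assumptions (mine): a rule matches on one alert attribute (a host or user
entity is treated as just another attribute), and alerts carry an incident id.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScoringRule:
    name: str
    score: int
    attribute: str   # alert attribute inspected, e.g. "severity" or "host"
    value: str       # attribute value that triggers the rule


@dataclass
class IncidentScore:
    incident_id: str
    score: int = 0
    applied_rules: set = field(default_factory=set)  # rules already counted


def rule_matches(rule, alert):
    """Case-insensitive equality on the configured attribute."""
    return str(alert.get(rule.attribute, "")).lower() == rule.value.lower()


def score_incidents(alerts, rules):
    """Return {incident_id: IncidentScore} after replaying alerts in order."""
    incidents = {}
    for alert in alerts:
        inc = incidents.setdefault(alert["incident_id"],
                                   IncidentScore(alert["incident_id"]))
        for rule in rules:
            if not rule_matches(rule, alert):
                continue
            if rule.name in inc.applied_rules:
                # Default behaviour from the text: later matching alerts in the
                # same incident add nothing for this rule.
                continue
            inc.applied_rules.add(rule.name)
            inc.score += rule.score
    return incidents


# Constructed rules and alerts for illustration only.
RULES = [
    ScoringRule("high-severity", 30, "severity", "high"),
    ScoringRule("domain-controller", 50, "host", "dc01"),
]
ALERTS = [
    {"incident_id": "INC-1", "severity": "high", "host": "ws01"},
    {"incident_id": "INC-1", "severity": "high", "host": "dc01"},
    {"incident_id": "INC-1", "severity": "low", "host": "dc01"},
    {"incident_id": "INC-2", "severity": "low", "host": "ws02"},
]

if __name__ == "__main__":
    for inc in score_incidents(ALERTS, RULES).values():
        print(inc.incident_id, inc.score, sorted(inc.applied_rules))
```

INC-1 ends at 80 (30 + 50), not 110, because the second high-severity alert adds nothing.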
Featured Alert Fields
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now enables you to label specific alert attributes as Featured Alert Fields.
Featured fields help you track alerts that involve a specific:
  • Host Name
  • User Name
  • IP Address
Label a field as Featured in Investigation > Incident Management > Featured Alert Fields and then filter and sort alerts containing the featured fields in the Alerts Table using the new table fields:
  • Contains Featured Host
  • Contains Featured User
  • Contains Featured IP Address
To help you locate alerts containing featured fields, alerts that contain one or more featured fields are marked with a flag in the Alert Name field.
Alert notification emails now include whether the alert contains one or more featured fields:
  • "contains_featured_host": ["NO"/"YES"],
  • "contains_featured_user": ["NO"/"YES"],
  • "contains_featured_ip": ["NO"/"YES"],
IOC Rule Functionality Enhancements
(Requires a Cortex XDR Pro license)
To ensure your indicators of compromise (IOCs) rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically performs the following tasks:
  • Disables any IOC rules that reach 5,000 or more hits over a 24-hour period.
  • Creates a Rule Exception based on the Process SHA256 field for IOC rules that hit more than 100 endpoints over a 72-hour period.
Network Causality Event Timestamp Investigation
(Requires a Cortex XDR Pro license)
To help you investigate the time frame of security processes and connections made over your network, Cortex XDR now displays the network event timestamp in the Network Causality View.
When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.
Enhanced Timestamp Investigation
To enhance your investigation capabilities, you can now narrow the Timestamp field results in the Cortex XDR tables by right-clicking to display rows that are 30 days before or 30 days after the selected field value.
Events Table Results Enhancements
The Events table (available from the Causality View and Timeline View) now includes the following enhancements:
  • The maximum number of related events increased from 10,000 to 100,000.
  • You can now export the related events to a tab-separated values (TSV) file.
  • The following fields are no longer displayed:
    • FILE: File Macro SHA256
    • INJECTION: Injection Type
Slack Notifications Enhancement
To help streamline investigations for alerts you receive on Slack, Cortex XDR now provides a link in Slack notifications to the alert details in Cortex XDR. If the alert is part of an Incident, the notification also includes the link to investigate the incident in Cortex XDR.
Hostname Visibility in Alerts
Hostname visibility in the Cortex XDR Alerts Table is now displayed according to the following guidelines:
  • When the hostname associated with an IP address is known in Palo Alto Networks Next-Generation Firewall alerts, Cortex XDR displays the hostname in the Host field.
  • When the hostname associated with an IP address is unknown in Palo Alto Networks Next-Generation Firewall and third-party source alerts, the Host field is blank and no longer displays the IP address. However, the IP address is still available in the Host IP field.
Native Search Deprecation
For queries on data in your Cortex XDR tenant, Cortex XDR provides query functions using the XQL Search that enable you to query the data, create widgets, and schedule queries, all of which supersede the Native Search.
The Native Search will remain available from the Query Builder only until the next release.
Remote Malicious Causality Chains Response (Windows)
(Requires Cortex XDR agent 7.3 or a later version)
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
You can view the list of all blocked IP addresses per endpoint from the Cortex XDR Action Center, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile, where you can also add a specific, known-safe IP address or IP address range to the IP addresses allow list. This capability is supported for IPv4 network connections only.
When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Network Isolation of macOS Endpoints (macOS 10.15.4 and later)
(Requires Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
Note the following limitations:
  • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List.
  • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Live Terminal Enhancements (Windows and Mac)
(Requires Cortex XDR agent 7.3 or a later version)
To improve the awareness and visibility of the endpoint end user, when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
External Data Ingestion
PingFederate Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest logs from PingFederate. To receive logs, you must enable PingFederate to send logs in CEF format to the Syslog Collector that you set up on the broker VM.
As soon as Cortex XDR begins receiving logs, the app automatically creates a PingFederate XQL dataset (ping_identity_pingfederate_raw) and enables you to search the logs using XQL Search. Log information from PingFederate is also visible, when relevant, in the xdr_data dataset and in the authentication_story preset.
Amazon CloudWatch and AWS CloudTrail Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail logs. To receive logs, configure the SaaS Log Collection settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon AWS XQL dataset (amazon_aws_raw) and enables you to search the logs using XQL Search.
Elasticsearch Filebeat Log Ingestion
(Requires a Cortex XDR Pro per TB license)
When you use Elasticsearch Filebeat to log activity on your endpoints or servers, Cortex XDR can now ingest those file logs. To receive logs, configure the collection settings for Filebeat in Cortex XDR and the output settings in your Filebeat installations.
As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset for each collected vendor and product and makes logs available in XQL Search queries.
HTTP Log Collector
(Requires a Cortex XDR Pro per TB license)
You can now set up an HTTP Log Collector to receive logs in text or JSON format. To begin receiving logs you must first set up the HTTP Log Collector and use the provided examples to construct an HTTP POST request.
As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
Google Kubernetes Engine (GKE) Log Ingestion
(Requires a Cortex XDR Pro per TB license)
As an alternative to setting up a GCP Pub/Sub, Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using Elasticsearch Filebeat. To receive logs, you must install Filebeat on your containers and enable SaaS Log Collection settings for Filebeat.
As soon as Cortex XDR begins receiving logs, the app automatically creates a GKE XQL dataset—using the product and vendor that you specify during Filebeat setup—and enables you to search the logs using XQL Search.
Extended Log Ingestion for Syslog in LEEF Format
(Requires a Cortex XDR Pro per TB license)
Cortex XDR extends log ingestion support to vendors sending LEEF over Syslog. As with log ingestion for CEF over Syslog, you can configure the protocol, the IP address and port, and the format settings for the syslog collector.
After Cortex XDR begins receiving logs from the third-party source, it automatically parses the logs in LEEF format and creates a dataset. Cortex XDR extracts the vendor and product name to identify the dataset as <vendor>_<product>_raw. You can then use XQL Search queries to view logs and create new BIOC rules.
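An added example (not Cortex XDR's parser) of how the vendor and product fields are carried in LEEF and CEF headers and how the <vendor>_<product>_raw dataset id above can be derived from them; it also covers the CEF case from the PingFederate section. The name normalization (lowercase, runs of non-alphanumerics to "_"), the sample syslog lines, and the attribute names in them are my own constructed assumptions, not real vendor output.

```python
"""Added example (not Cortex XDR's parser): minimal LEEF and CEF header parsing
that derives the <vendor>_<product>_raw dataset name described above.

Assumptions (mine): the name normalization (lowercase, non-alphanumerics to '_')
and all sample log lines and attribute names are constructed for illustration.
"""
import re

_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def _header_fields(body, count):
    """Split a pipe-delimited header into `count` fields plus the remainder."""
    parts = _UNESCAPED_PIPE.split(body, maxsplit=count)
    return [p.replace("\\|", "|") for p in parts]


def dataset_name(vendor, product):
    """Build the dataset id the way the text describes: <vendor>_<product>_raw."""
    norm = lambda s: re.sub(r"[^a-z0-9]+", "_", s.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"


def _leef_delimiter(token):
    """LEEF 2.0 delimiter field: empty -> tab, 'xHH' -> that hex char, else literal."""
    if token == "":
        return "\t"
    if re.fullmatch(r"x[0-9A-Fa-f]{2}", token):
        return chr(int(token[1:], 16))
    return token


def parse_leef(line):
    """Parse a syslog line carrying a LEEF 1.0 or 2.0 record."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF record")
    version, vendor, product, prod_version, event_id, rest = _header_fields(
        line[start + len("LEEF:"):], 5)
    if version == "2.0" and "|" in rest:
        delim_token, attrs = _header_fields(rest, 1)
        delim = _leef_delimiter(delim_token)
    else:
        delim, attrs = "\t", rest       # LEEF 1.0 always uses a tab delimiter
    fields = dict(kv.split("=", 1) for kv in attrs.split(delim) if "=" in kv)
    return {"format": "LEEF", "vendor": vendor, "product": product,
            "product_version": prod_version, "event_id": event_id,
            "dataset": dataset_name(vendor, product), "fields": fields}


def parse_cef(line):
    """Parse a syslog line carrying a CEF record; extension values may contain spaces."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    (version, vendor, product, prod_version, sig_id, name, severity,
     ext) = _header_fields(line[start + len("CEF:"):], 7)
    # Split the extension only where the next token looks like a new key.
    pairs = re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip())
    fields = dict(kv.split("=", 1) for kv in pairs if "=" in kv)
    return {"format": "CEF", "vendor": vendor, "product": product,
            "product_version": prod_version, "signature_id": sig_id,
            "name": name, "severity": severity,
            "dataset": dataset_name(vendor, product), "fields": fields}


# Constructed sample lines (not real vendor output).
SAMPLE_LEEF = ("<13>Aug 24 10:00:00 collector LEEF:2.0|Example Vendor|Example Product|1.0|"
               "LoginFailed|^|src=10.0.0.5^usrName=alice^reason=bad password")
SAMPLE_CEF = ("<134>Aug 24 10:00:01 collector CEF:0|Ping Identity|PingFederate|10.1|"
              "AUTHN_ATTEMPT|Authentication attempt|3|src=10.0.0.5 suser=alice "
              "msg=Invalid credentials supplied")

if __name__ == "__main__":
    for rec in (parse_leef(SAMPLE_LEEF), parse_cef(SAMPLE_CEF)):
        print(rec["dataset"], rec["fields"])
```

The CEF sample yields ping_identity_pingfederate_raw, matching the dataset name the PingFederate section quotes, which is why the normalization is a plausible (but assumed) reconstruction.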
Analytics
Analytics BIOC Visibility and Management
(Requires a Cortex XDR Pro license)
If you have Analytics enabled, Cortex XDR now provides visibility into and enables management of your Analytics BIOC rules by pivoting from the BIOC Rules table to a dedicated page.
For each rule, Cortex XDR displays identifying information, such as name and ID, severity, rule activation status, and any relevant MITRE ATT&CK information. Cortex XDR also enables you to disable or enable Analytics BIOC rules as needed.
To view and manage Analytics BIOC rules, you must have the corresponding permissions enabled for your role.
Asset Management
Enhancements to Asset Management
(Requires a Cortex XDR Pro license)
Cortex XDR now also displays the MAC address vendor name and the platform running on your managed and unmanaged assets.
Export Network Assets to File
(Requires a Cortex XDR Pro license)
You can now export your Asset Management table results to a tab-separated values (TSV) file.
Endpoint Security and Management
Flexible Agent License Revocation
(Requires a Cortex XDR Pro license)
To enable a flexible revocation policy for Cortex XDR agent licenses, you can now configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. In addition, you can configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. For more information, see Cortex XDR Agent License Revocation.
Enhanced Local Analysis Prevention (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Bulk Alias Edits for Endpoints
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To enable you to quickly change the alias for multiple endpoints, you can now perform the action from the Endpoint Control menu on the Endpoint Administration page.
Vulnerable Drivers Protection (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later version)
Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security Profile.
By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module.
Device Control for VDI (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends Device Control for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact.
Note the following limitations:
  • Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules.
  • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Unpatched Vulnerabilities Protection (Windows)
(Requires Cortex XDR agent 7.1 or a later version)
Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center.
For Cortex XDR agents 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile temporarily modifies IPv4 and IPv6 settings on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to their values before modification.
Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and impact this workaround could have on your network.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Agent Installation Using a Unified Configuration Profile File for MDMs (Mac)
For a seamless installation of the Cortex XDR agent that does not require end user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to any third party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile, if you prefer or are required to sign using your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs.
Custom Agent Installation Directory (Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
You can now install your Cortex XDR agent in a custom directory on Linux endpoints instead of using the default /opt directory. To do this, set the custom path in the new installation variable --install-path=/<some/path>. After you install the Cortex XDR agent to the custom path, all subsequent upgrades and the removal of the agent from the endpoint are performed in the same location. For more information, see Install the Cortex XDR Agent for Linux.
New Operating Systems Support (Linux)
(Requires Cortex XDR agent 7.3 or a later version)
You can now install the Cortex XDR agent on Linux endpoints that are running on:
  • Debian 10, OpenSuse Leap 15.1, or SUSE 15 SP2.
  • Ubuntu Server 16, Ubuntu Server 18, and Ubuntu Server 20 with AWS kernel modules.
For all supported kernel versions, see the Latest kernel module version support.
Host Insights Add-on
Search and Destroy Malicious Files on Mac Endpoints (macOS 10.15.4 and later)
(Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
Host Insights Export to File
(Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.1 or a later version)
You can now export all the Cortex XDR host insights tables and respective asset views to a tab-separated values (TSV) file.
Vulnerability Management Name Change
(Requires a Cortex XDR Pro per Endpoint license, a Host Insights add-on, and Cortex XDR agent 7.1 or a later version)
To better reflect the feature usage, Vulnerability Management is renamed to Vulnerability Assessment.
Multitenants and MSSPs
Cross-Tenant XQL Queries for Multi-Tenancy
(Requires a Cortex XDR Pro license)
To enable multitenant management that uses XQL Query to view raw data that is stored in Cortex XDR, you can now execute XQL queries on a single child tenant or up to 100 child tenants simultaneously directly from your parent tenant XQL Search page.
When executing XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.
When executing XQL queries on multiple child tenants simultaneously:
  • Autocomplete and validation are supported only on Cortex XDR dataset types, such as EDR data, Cortex XDR Alerts, and Palo Alto Networks Next-Generation Firewall logs.
  • Queries are executed on each child tenant separately and return up to one million results split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.
You can view, track, and investigate the query results and graphs for each child tenant in your XQL Search page results table or Query Center by filtering by child tenant.
Broker VM
(Version 11.1.1)
Broker VM Images
MD5 values for broker images version 11.1.1:
  • OVA—232a6940ff81fcc5c585b1775973df37
  • VHD—285f301fb75db249d27491646548f3e3
  • VMDK—b17329ba1661c206a1097cf69945bcd9
  • Azure VHD—ed78bf4e56cf78dde2a2ae6840569dab
New Supported WEC Event Collection
(Requires a Cortex XDR Pro per TB license)
To expand the Broker VM data collection capabilities, in addition to the default WEC event IDs, you can now configure the Broker VM to collect all or specific Windows event types, such as DHCP, DNS, and IIS event types, directly from the Cortex XDR management console.
WEC Domain Controller Certificate Notifications
(Requires a Cortex XDR Pro per TB license)
To keep you informed of your WEC Domain Controller Certificate status and avoid service disruptions, Cortex XDR now displays a notification of the remaining time left on your license or whether your license is expired.
Approved Remote Terminal Command
When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands:
  • hostnamectl—Update a hostname.
  • edit_routes—Update static network routes.
API
New Featured Alert Fields APIs
(Requires a Cortex XDR Pro license)
To expand your API capabilities, Cortex XDR now provides the APIs to help you manage your featured alert fields. Using the following APIs you can delete and replace existing featured alert fields:
  • Replace Featured Hosts
  • Replace Featured Users
  • Replace Featured IP Addresses
  • Replace Featured Active Directory Groups
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the following Incident Scoring fields:
  • rule_based_score—The incident score calculated by the Incident Scoring Rules.
  • manual_score—The incident score updated manually by an Admin user.
Enhanced Visibility of Alert Data
To help you gain greater visibility of Alerts that include Featured host name, username, or IP address, the Get Alerts API response now includes the following boolean type fields:
  • contains_featured_host—Either True or False depending on whether the alert contains a featured host name.
  • contains_featured_user—Either True or False depending on whether the alert contains a featured username.
  • contains_featured_ip—Either True or False depending on whether the alert contains a featured IP address.
Enhanced Insert Parsed Alerts Capabilities
To enable you to include additional information when running the Insert Parsed Alerts API, you can now send the action status taken on an alert (Reported or Blocked) using the action_status field.