Features Introduced in 2021

Learn more about Cortex XDR features introduced during 2021 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2021 by month.

Features Releasing in May

New features in the Cortex® XDR™ 2.9 release.
The following table describes new features in the Cortex XDR 2.9 release.
General
Cortex XDR Gateway for Onboarding and Granular RBAC
To streamline activation and management of your Cortex XDR tenants, Cortex XDR now operates as a standalone application known as the Cortex XDR Gateway. The Cortex XDR Gateway is where you view and manage existing tenants and tenants available for activation that are allocated to your CSP account. The split from the hub enables you to easily:
  • Activate new tenants.
  • View and access existing tenants.
  • View and manage granular role-based access control (RBAC) settings.
To activate and manage permissions, Cortex XDR assigns the CSP Super User role to existing administrator accounts. This role cannot be removed or changed through the Cortex XDR Gateway.
The Cortex Data Lake quota management and the sizing calculator are still on the hub.
In-App Granular Role-Based Access Control
To streamline management of your Cortex XDR user and role-based access control (RBAC) permissions, Cortex XDR now allows you to track user permissions, manage existing roles, and create new roles in the Cortex XDR app without the need to log in to the hub.
Cortex XDR now displays the following information in Configurations > Access Management:
  • Users—Displays the User Name, XDR Role, Last Login Time, and Status of users in your organization. You can import new users using a CSV file, search for a specific user, and edit a user’s role permissions.
  • Roles—Displays the Palo Alto Networks predefined roles and any additional roles that you and your organization create. You can search these available roles and create new roles that you can then assign to users, enabling user access permissions.
Fine-Grained Role-Based Access Control Enhancements
To help you better manage your user access permissions, the following changes have been made to the Cortex XDR Granular Role-Based Access Control (RBAC) configurations in the Cortex XDR Gateway and Cortex XDR management console.
  • RBAC role Administrator has been renamed Instance Administrator.
  • Vulnerability Assessment—Existing vulnerability assessment permissions will be removed and included within the Host Insights role permissions. A user granted view and action Host Insights permissions will be automatically granted permissions to the vulnerability assessment capabilities.
  • Device Control—The existing device control action permission, which allowed you to create rules, profiles, and exceptions, has been split into two permission types:
    • Device Control Rules—Enables you to create and modify profiles and rules.
    • Device Control Exceptions—Enables you to create and modify device control exceptions.
  • Endpoint Profiles—The existing Profiles action permission has been split into two permissions:
    • Endpoint Profiles—Enables you to create and modify endpoint profiles.
    • Prevention Rules—Enables you to add rules to a restriction profile.
  • Endpoint Groups—The existing Endpoint Administration permission has been split into two new sets of view and action permissions to manage your endpoints:
    • Endpoint Management (View)—Enables read-only access.
    • Endpoint Management (Action)—Enables read-write access.
    • Endpoint Group (View)—Enables read-only access.
    • Endpoint Group (Action)—Enables read-write access.
  • Cortex XDR App Pages—View and Action permissions have been added for the following Cortex XDR app pages:
    • Dashboard
    • Reports
    • Query Builder
    • Query Center
To provide continuity for existing roles and privileges, Cortex XDR assigns the updated permissions by default but you now have the option to configure the view and action access independently for both your new and your preexisting roles.
Cortex XDR Tenant Switcher
When using multitenancy within the scope of a Cortex XDR tenant, you can now use the Tenant Navigator to switch directly to another tenant you own. The Tenant Navigator includes the following selections:
  • Cortex XDR Gateway link
  • List of Cortex XDR tenants to which you have access, grouped by CSP account. A list of tenants is available for each CSP account; for accounts with more than five tenants, a search option is also available to help you quickly find a specific tenant.
When you choose a tenant, Cortex XDR pivots your display directly to the main page of the Gateway or the main page of the tenant.
Improved Quick Launcher Access
To enable easier access to the Quick Launcher, you can now access it from the Cortex XDR top navigation bar as well as from all other navigation menus in the app.
Settings Navigation Change
To align the page title with navigation paths in Cortex XDR, the Settings menu (accessible from the gear icon) is now named Configurations. The Quick Launcher also reflects the name change.
Enhanced Session Security Settings
The Cortex XDR management console now provides enhanced security settings for user sessions. These security settings include the following categories:
  • Session Expiration
    —Enables you to define the number of hours after which the user login session will expire. You can also define a one-week expiration for the Cortex XDR dashboard.
  • Allowed Sessions
    —Enables you to define approved domains and approved IP address ranges through which you allow access to Cortex XDR.
  • User Expiration
    —Enables you to deactivate an inactive user and also configure the automated user deactivation period.
For more detailed information, see the Cortex XDR Administrator's Guide.
Native Search Deprecation
The XQL Search and Query Builder are now the main search options in Cortex XDR and provide more flexibility and powerful querying capabilities. The Native Search option is deprecated and, as a result:
  • Existing BIOC rules created by Native Search actions are still available and function as they did before. This includes the option to export the rule and set metadata, such as Type, Severity, MITRE Technique, and MITRE Tactics. However you can no longer edit the rule.
  • Queries created using Native Search actions are still available in the Query Center for viewing historical results. However, you can no longer rerun or edit these queries. You can still edit the schedule of past scheduled queries by right-clicking the query in the Query Center and selecting Show Scheduled Query.
Network Events Deprecation
(Starting with the next Cortex XDR release)
Since Cortex XDR introduced network collection events, which are stitched across endpoint data and Palo Alto Networks next-generation firewall logs, there is no longer a need to support raw Network events. Starting with the next Cortex XDR release, Network events will be deprecated. In light of the upcoming change, Palo Alto Networks encourages you to define BIOC rules and/or searches by using Network Connections in the Query Builder. When searching in XQL, avoid the xdr_agent_network preset and use the network_story preset instead.
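As an added example of the recommended migration (this search is not part of the release notes), the following XQL query is written against the network_story preset rather than the deprecated xdr_agent_network preset. It ranks endpoints and processes that opened RDP connections to non-RFC 1918 destinations in the last day. The field names agent_hostname, actor_process_image_name, action_remote_ip, and action_remote_port are assumed to be exposed by the preset in your tenant; confirm them in the Query Builder before saving the search as a BIOC or scheduled query.

```xql
// Added example: outbound RDP to non-private destinations, ranked by host and process.
// Uses the network_story preset in place of the deprecated xdr_agent_network preset.
// Assumed field names: agent_hostname, actor_process_image_name,
// action_remote_ip, action_remote_port (not taken from the release notes).
config timeframe = 24h
| preset = network_story
| filter action_remote_port = 3389
    and not incidr(action_remote_ip, "10.0.0.0/8")
    and not incidr(action_remote_ip, "172.16.0.0/12")
    and not incidr(action_remote_ip, "192.168.0.0/16")
| comp count() as connections, count_distinct(action_remote_ip) as remote_hosts
    by agent_hostname, actor_process_image_name
| sort desc connections
| limit 100
```

The incidr filters drop destinations inside the three RFC 1918 ranges so that only connections leaving the private network remain; count_distinct separates one host hammering a single server from one host scanning many.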
Audit Logs
One-Year Retention of Audit Log Entries
All entries that are accumulated in the Cortex XDR audit logs are now available for your retrospective review for an extended period of one year from the date of their creation.
New Management Audit Logs for Policy Changes
For increased visibility into policy configuration changes, Cortex XDR introduces new policy audit logs for the Create, Edit, Reorder, Update, and Delete subtypes. In the descriptions below, <platform>, <rule-name>, <target-name>, <scope>, and similar items are placeholders for the values of the specific policy. The new policy audit logs include:
  • Create Policy
    • Success: New <platform> policy rule <rule-name> with target <target-name> created
    • Failure: <rule-name> policy rule failed to create
  • Edit Policy Name
    • Success: <platform> policy rule <rule-name> renamed to <new rule-name>
    • Failure: Rename of <rule-name> policy rule to <new rule-name> has failed.
  • Edit Policy Status
    • Success: <platform> policy rule status changed to <new status>
    • Failure: <platform> policy rule <rule-name> failed to update status
  • Edit Policy Profiles
    • Success: <platform> policy rule <rule-name> updated to include the following profiles <profile-names>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Edit Policy Scope
    • Success: <platform> policy rule <rule-name> updated to include <scope>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Edit Policy Profile and Scope
    • Success: <platform> policy rule <rule-name> scope updated to include: <scope> and the following profiles: <profiles>
    • Failure: <platform> policy rule <rule-name> failed to update
  • Reorder Policy
    • Success: <platform> policy rule <rule-name> reordered
    • Failure: <platform> policy rule <rule-name> failed to reorder
  • Delete Policy
    • Success: <platform> policy rule <rule-name> deleted
    • Failure: <platform> policy rule <rule-name> failed to delete
  • Update Policy
    • Success: Policy rules were updated.
    • Failure: Failed to update policy rules
Improved Management Audit Logs for Extensions Policies and Profiles
For improved accuracy, Cortex XDR now logs Extensions Policy and Profile actions under the Extensions Policy Rules or Extensions Profile type.
  • For Extensions Policies actions, a new Extensions Policy Rules log type is added with the following available descriptions:
    • Extensions policy rules were updated.
    • Failed to update extensions policy rules.
  • For Extensions Profiles actions, the following audit logs are logged as Extensions Profile type:
    • Failed to create an extensions profile.
    • Failed to delete an extensions profile.
    • Failed to edit an extensions profile.
This change applies to future audit logs. Previously-created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity.
Policy Change Visibility in Management Audit Logs
You can now view the specifics of what has changed in the configuration of your policies by viewing the management audit logs. For each policy log, you can view the detailed changes instead of the previously displayed message (Policy rules were updated.). Hover with the pointer over the specific entry to view the info in a tooltip. This enables you to know exactly what has changed and, if necessary, roll back the change.
Enhanced Management Logs Incident ID Value
To improve your investigation capabilities, Cortex XDR now includes the Incident ID value in the Management Audit logs when you perform an action on a single incident. The following list displays examples of the updates by log subtype:
  • Assign Incident
    • Previous: Changed assignee of 1 incident to email@paloaltonetworks.com
    • Updated: Incident 12345 assigned to email@paloaltonetworks.com
  • Change Incident Severity
    • Previous: Changed severity of 1 incident to Medium
    • Updated: Changed incident 12345 severity to Medium
  • Change Incident Status
    • Previous: Changed status of 1 incident to Resolved - Handled Threat
    • Updated: Changed incident 12345 status to Resolved - Threat Handled
  • Change Scoring
    • Previous: Changed scoring of 1 incident to 122
    • Updated: Changed scoring of incident #12345 to 122
  • Change Scoring
    • Previous: Changed scoring of 1 incident to rule-based scoring
    • Updated: Changed scoring of incident #12345 to rule-based scoring
Updated Management Audit Logs for Threat Handled Incident Status
To maintain consistency, Cortex XDR has updated the following management audit log for a change in status of Threat Handled incidents:
  • Previous: Changed status of 5 incidents to Resolved - Handled Threat
  • Updated: Changed status of 5 incidents to Resolved - Threat Handled
Improved Management Audit Logs for Host Insights Vulnerability Assessment Data Collection
(Requires a Cortex XDR Pro per Endpoint license and the Host Insights add-on)
When you rerun the host insights data collection scan, either from the Vulnerability Management endpoints view or from the Asset View, Cortex XDR now uses the same management audit log types, as follows:
  • Log type: Host Insights
  • Subtype: Collect host insights from an endpoint
  • Available descriptions:
    • Endpoint host insights collection initiated successfully
    • Failed initiating host insights collection from an endpoint
This change applies to future audit logs. Previously-created audit logs retain their current descriptions. For more information on Cortex XDR auditing, see Monitor Administrative Activity.
Enhanced Audit Log for Operations in Rules Exceptions
The Cortex XDR management console now enables you to view audit logs for Create, Edit, and Delete operations of Rules Exceptions. In addition, the existing management audit logs for import and export of Rules Exceptions are now logged under the Rules Exceptions type.
Investigation and Response
XQL Multi-Language Data Support
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) can now support data provided in multiple languages, such as in XQL queries, lookups, widgets, and external data ingestion.
New XQL Datasets with Dataset Permission Enforcement
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes the following new datasets: device_control, endpoints, and host_inventory. These datasets support dataset permission enforcement in XQL, the Query Center, and XQL Widgets. To view or access any of these datasets, you need role-based access control (RBAC) permissions to the Device Control, Endpoint Administration, and Host Inventory views, respectively.
New Standardized User Format for Events and Alerts
(Requires a Cortex XDR Pro license)
To streamline the way usernames appear in network events and alerts, Cortex XDR now processes and displays usernames in the following standardized format, also termed “normalized user”: <company domain>\<username>
In the Cortex XDR Query Language (XQL), every user field included in the raw data for network, authentication, and login events has an equivalent normalized user field that displays the user information in the standardized format. For example, the login_data field has the login_data_dst_normalized_user field to display the content in the standardized format. We recommend that you use these normalized_user fields when building your queries to ensure the most accurate results.
As a result, any alert triggered based on network, authentication, or login events now displays the User Name in the new standardized format in the Alerts and Incidents pages. This change impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including BIOC and IOC alerts triggered on one of these event types.
New XQL IP Location Stage
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a new stage command that enables you to associate the IPv4 address in any field with a list of predefined geolocation attributes. To support this, you can now add the iploc stage to your queries using the format:
iploc <field name>
To improve your query performance, we recommend that you filter the data in your query before you run the iploc stage command. In addition, limiting the number of fields in the results table further improves the performance.
New XQL Bin Stage
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a new stage command that enables you to group events by quantity or time span. The most common use case is for time charts.
To support this feature, you can now add the bin stage command to your queries using these formats, depending on whether you are grouping by quantity or time span:
  • Quantity: bin <field> bins = <number>
  • Time span: bin <field> span = <time> timeshift = <epoch time>
    • <time> is a combination of a number and a time suffix.
    • timeshift = <epoch time> is optional and enables you to designate a particular start time for grouping the events, expressed as Unix epoch time.
When you group events by quantity, the <field> in the bin stage command must be a number. When you group by time, the <field> must be a date type.
New XQL Time Frame Configuration Function
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a new configuration function that enables you to perform searches within a specific time frame relative to the query execution. To support this feature, you can now add the config stage command to your queries with the timeframe function using these formats:
  • Relative time: config timeframe = <number><time unit>
  • Exact time: config timeframe between "<Year-Month-Day H:M:S ±Timezone>" and "<Year-Month-Day H:M:S ±Timezone>"
    Where the ±Timezone format is ±xxxx and, if none is configured, the default is UTC.
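The following XQL search is an added example, not a query from the release notes, that combines the three new items described above (the iploc stage, the bin stage, and the config timeframe function) in one query: an hourly count of outbound SSH connections by destination country over the last week. It follows the performance advice given for iploc by filtering and trimming columns with fields before the geolocation runs. The preset field names action_remote_ip, action_remote_port, agent_hostname, and actor_process_image_name, and the loc_country column that iploc is assumed to add, are assumptions to verify against the Query Center output in your tenant.

```xql
// Added example: hourly outbound SSH connections by destination country.
// config timeframe sets the search window; fields is applied before iploc,
// as the release notes recommend, so geolocation runs on the minimum column set;
// bin rounds _time down to the hour so comp can group by bucket.
// Assumed names: action_remote_ip, action_remote_port, agent_hostname,
// actor_process_image_name (preset fields) and loc_country (added by iploc).
config timeframe = 7d
| preset = network_story
| filter action_remote_port = 22 and action_remote_ip != null
| fields _time, agent_hostname, actor_process_image_name, action_remote_ip
| iploc action_remote_ip
| bin _time span = 1h
| comp count() as connections, count_distinct(agent_hostname) as hosts
    by _time, loc_country
| sort asc _time, desc connections
```

After bin, _time holds the start of each one-hour bucket, which is what the comp stage groups on; to align the buckets to a fixed start rather than to whole hours, add timeshift = <epoch time> after span = 1h. To pin the search to a fixed window instead of the trailing seven days, replace the first line with the exact-time form, config timeframe between "…" and "…", using the date format shown above.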
New Support for Linux System Authentication Logs
(Requires a Cortex XDR Pro license)
EDR data collected for Linux now contains Linux system authentication logs. These Linux system authentication logs are now available using XQL queries and the Query Builder. As a result, in the Query Builder, the Event Log now includes both Windows and Linux event logs, and the corresponding event_type in XQL has been renamed from WINDOWS_EVENT_LOG to EVENT_LOG.
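As an added example, not taken from the release notes, the following XQL search uses the renamed EVENT_LOG event type together with the exact-time form of config timeframe to measure how much Linux authentication log volume each endpoint produced during a fixed week, which is a quick way to confirm that the new Linux collection is actually arriving from every host you expect. The dates are constructed for the example; agent_os_type, ENUM.AGENT_OS_LINUX, and agent_hostname are assumed field and enum names to check in your tenant.

```xql
// Added example: Linux system authentication log volume per endpoint for a fixed week.
// ENUM.EVENT_LOG is the renamed event type from the release notes. The dates are
// constructed; agent_os_type, ENUM.AGENT_OS_LINUX and agent_hostname are assumed names.
config timeframe between "2021-05-01 00:00:00 +0000" and "2021-05-08 00:00:00 +0000"
| dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and agent_os_type = ENUM.AGENT_OS_LINUX
| comp count() as events, min(_time) as first_seen, max(_time) as last_seen
    by agent_hostname
| sort desc events
| limit 50
```

Hosts that are running a Linux agent but do not appear in the result, or whose last_seen value stops well before the end of the window, are the ones to check for agent version or collection problems; the timezone suffix is written explicitly so the window does not silently shift if the tenant default changes.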
New Visualizations for Widgets Based on XQL Search Queries
(Requires a Cortex XDR Pro license)
To help you better view and visualize data based on XQL search queries, Cortex XDR expanded the type of available widgets so that you can now display the search results using:
  • Funnel graph
  • Word Cloud graph
  • Map
  • Single Value Trend graph
  • Graph Header
Incident Thresholds for Alert Grouping
To keep incidents fresh and relevant, Cortex XDR now provides the following two new thresholds after which an incident stops adding alerts:
  • 30 days after the incident was created
  • 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts and Cortex XDR groups subsequent related alerts in a new incident.
For increased visibility, Cortex XDR also provides a new Alerts Grouping Status field in the Incidents table to identify the grouping status: Enabled when the incident is open to accepting new related alerts, or Disabled if either threshold is reached and the incident is closed to further alerts, or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.
MITRE, Severity, and Alert Grouping Visibility in Incident Table
You can now view the following MITRE, severity, and alert grouping fields in the Incident Table.
Each field displays the following information:
  • MITRE ATT&CK Tactic
    —MITRE tactics found in the alerts.
  • MITRE ATT&CK Technique
    —MITRE techniques found in the alerts.
  • Alert Categories
    —Type of Alert categories found in the alerts.
  • WildFire Hits
    —Number of the Malware, Phishing, and Grayware artifacts that are part of the incident.
  • High Severity Alerts
    —Number of high severity alerts that are part of the incident.
  • Medium Severity Alerts
    —Number of medium severity alerts that are part of the incident.
  • Low Severity Alerts
    —Number of low severity alerts that are part of the incident.
  • Alerts Grouping Status
    —Displays whether Alert Grouping is currently enabled.
Incidents created prior to Cortex XDR version 2.9 are updated as follows:
  • MITRE ATT&CK Tactic, MITRE ATT&CK Technique, and Alert Categories fields remain empty.
  • WildFire Hits field begins with an empty value; however, when a new alert is added to the incident, the field is updated.
  • High Severity Alerts, Medium Severity Alerts, Low Severity Alerts, and Alerts Grouping Status fields are updated with the corresponding value.
  • If an incident is merged or moved with other incidents, Cortex XDR recalculates and updates the fields.
Incident Table View Enhancement
To streamline your incident investigation process and reduce the number of steps it takes to investigate an incident, Cortex XDR now allows you to display the Incidents page in one of two views:
  • Table View
  • Split Pane Mode
Table View displays the current table. The new Split Pane Mode positions the incident table rows in a left-side pane and displays the complete Incident View in the remainder of the page, allowing you to scroll through the incident rows and display each incident view without the need to pivot to another tab or window.
To ensure visibility of the incident data, each row in the pane displays the incident description and incorporates icons that provide the following details:
  • Severity
  • Status
  • Score
  • Star
  • Assignee
  • Update Time
  • Incident Description
In addition, you can sort the incident rows according to the available fields.
The current right-click menu options are also available in Split Pane Mode.
Causality View Loading Time Enhancements
To improve loading time, as of Cortex XDR version 2.9, when navigating to the Causality View from an alert or event, Cortex XDR now displays the causality data as follows:
  • Visualize the branch between the CGO and the actor process of the alert/event.
  • Display up to nine additional process branches that reveal alerts related to the alert/event. Branches containing alerts with the nearest timestamp to the original alert/event are displayed first.
  • Causality cards that contain more causality data display a
    Showing Partial Causality
    flag. You can manually add additional child or parent processes branches by right-clicking on the process nodes displayed in the graph.
Added Option to View The Observed Behaviors of Behavioral Threat Protection Alerts
The Cortex XDR management console now allows you to view the observed behaviors of Behavioral Threat Protection alerts. To view the observed behaviors, right-click an alert in the alert table or in the incident view and select View Observed Behaviors.
The option to view the Observed Behaviors table already exists in the Causality Card. The new view option is another pivot option to view the same information, and both options remain available.
Featured Alert Fields Enhancement
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now includes Active Directory Groups and Organizational Unit (OU) as optional Featured Alert Fields labels.
Define a featured AD group or OU in Investigation > Incident Management > Featured Fields > Active Directory.
To easily locate alerts containing featured AD group or OU fields, in the Alerts Table such alerts are marked with a flag in the Alert Name field and appear in the Contains Featured User or Contains Featured Host fields associated with the AD group or OU.
Enhanced Alerts Deduplication
To better identify and deduplicate Analytics, IOC or BIOC alerts for the same activity, the deduplication period is now calculated according to the actual time the event took place, rather than according to the time the event was reported to Cortex XDR.
This change applies to future alerts. Previously-created alerts remain the same.
Quick Actions in Tables
To streamline investigation in Cortex XDR, you can quickly initiate actions using new icons that are available throughout Cortex XDR. The new icons appear in table rows when you left-click the row and provide an alternative to the right-click pivot menus.
The new icons are available for rows in the following tables:
  • Incidents:
    • Open Incidents View (same or new tab)
    • Star an incident or clear the star
  • Alerts:
    • Open the Causality View (same or new tab)
    • Exclude an alert or cancel alert exclusion
  • Endpoints:
    • Isolate an endpoint or cancel isolation
    • Initiate Live Terminal
    • Open the Asset View
    • Open Incidents (same or new tab)
Centric View of CVE, Endpoint, and Application information, with additional Vulnerability Assessment Enhancements
To streamline your investigation under Vulnerability Assessment, Cortex XDR now provides a centric view for a single CVE, Endpoint, or Application, each accessible when you click a specific row of the Vulnerability Assessment and Host Insights panels. These views list the affected applications, endpoints, or applicable vulnerabilities in an exportable and searchable manner, together with additional information on each entity.
The CVEs tab under Vulnerability Assessment now includes additional fields to better fine-tune your vulnerability investigation. These include:
  • Additional CVSS fields, including Exploitability and Impact Metrics.
  • Affected endpoints column, allowing you to easily search for CVEs on a specific endpoint.
  • The user who last modified the comment, and the modification timestamp.
Other view enhancements:
  • The Hosts tab under Vulnerability Assessment has been renamed to Endpoints and now includes the Endpoint Group details.
  • The Apps tab was removed from the Vulnerability Assessment panel and remains accessible, as before, under the Host Insights menu.
In addition, Cortex XDR now calculates an unlimited number of vulnerabilities per endpoint, as opposed to a limit of 500 vulnerabilities per endpoint in previous versions.
This update means that you might see a higher number of CVEs in Vulnerability Assessment screens, as well as in reports and dashboards.
Low and Informational Categorization for Agent Alerts
The Cortex XDR management console now displays Behavioral Threat Protection (BTP) alerts at Low or Informational severity. These are displayed as Insights in the Incident View and the Causality View panels. Low severity alerts are also displayed in the Alerts table.
Authentication Story Enrichment
(Requires a Cortex XDR Pro per Endpoint license and a Cortex XDR agent 7.3 or later for Linux)
Starting with this release, Cortex XDR includes Linux authentication logs in authentication stories and generates alerts accordingly.
External Data Ingestion
Zscaler Cloud Firewall Log Ingestion
(Requires a Cortex XDR Pro per TB license)
If you use Zscaler Cloud Firewall in your network, you can now forward your firewall and network logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. To begin analyzing your traffic logs, you set up a Syslog Collector and configure your firewall to forward logs to the Syslog Collector. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Zscaler XQL dataset (<Vendor>_<Product>_raw) based on the <Vendor> and <Product> fields defined in the Zscaler syslog configuration. This enables you to search the logs using XQL Search.
Windows DHCP Log Ingestion
(Requires a Cortex XDR Pro per TB license)
To provide additional network asset visibility in Cortex XDR Asset Management and improved analytics, Cortex XDR can now ingest Windows DHCP logs. To receive logs, configure the Configurations > Data Collection > Collection Integrations settings for the vendor in Cortex XDR, which replace the preexisting Settings > SaaS Integrations settings. In addition, you must install and configure an Elasticsearch Filebeat agent on your Windows DHCP Server.
As soon as Cortex XDR begins receiving logs, the app automatically creates a Windows DHCP XQL dataset (windows_dhcp_raw). This enables you to search the logs using XQL Search.
Syslog Collector Applet Enhancements
(Requires a Cortex XDR Pro per TB license)
The Syslog Collector applet now includes these enhancements:
  • Supports a Secure TCP protocol, in which the syslog stream is carried over a TLS-encrypted connection.
  • For a particular Protocol/Port entry, you can now map the syslog sources by source IP address or CIDR range, which you enter in the new Source Network column.
Additional External Alerts Fields Available for Mapping
(Requires a Cortex XDR Pro license)
When you ingest alerts from external sources using either the Syslog Collector or Cortex XDR API, you can now map these additional optional fields to the alerts table:
  • Process Command Line
  • Process SHA256
  • Domain
  • Process File Path
  • Hostname
  • Username
New Behavior for Ingesting Null Fields
(Requires a Cortex XDR Pro license)
To expand your investigation and analytics capabilities, Cortex XDR now ingests any field with a null value, as opposed to the previous behavior of not ingesting these null value fields. It is also now possible to use the Cortex XDR Query Language (XQL) to query the ingested data for null values.
Analytics
Improved Accuracy for Malware Protection
(Requires a Cortex XDR agent 7.4 or later release for Windows)
Starting with this release, WildFire introduces analysis scores for files with a Benign verdict to indicate the level of confidence WildFire has in the Benign verdict. For example, a file by a trusted signer or a file that was tested manually receives a high-confidence Benign score, whereas a file that did not display any suspicious behavior at the time of testing receives a lower-confidence Benign score. Files with a low confidence score are displayed as Benign Low Confidence (LC).
When Cortex XDR receives a Benign Low Confidence verdict, the agent enforces the Malware Security profile settings you currently have in place for files unknown to WildFire (Run local analysis to determine the file verdict, Allow, or Block).
As soon as you deploy Cortex XDR agent 7.4, Cortex XDR enforces this new behavior according to the settings you already have in your existing Malware Security profile for files unknown to WildFire. If you want to change it, change the existing settings.
Cortex XDR Identity Analytics Add-On Module
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR now offers a new Identity Analytics add-on module. The add-on requires a Cortex XDR Pro per TB license and a separate module license. The module license is currently free but will entail an additional cost in the future.
The Identity Analytics add-on displays in the Analytics Alert View suspicious user activity, such as stolen or misused credentials, lateral movement, credential harvesting, or brute force, detected by the Cortex XDR Analytics engine detectors.
When investigating an analytics type alert, a new User node appears in the Causality View. Hover over the node to display user profile information, such as recent authentication statistics, user role, and any associated Active Directory groups or Organizational Units. When you select the alert node, in the Alert Description and Event Table sections, Cortex XDR displays the recent logins, hosts, alerts, and process executions associated with the user.
Auto-Disable of Alerts from Analytics Detectors
(
Requires a Cortex XDR Pro per TB license
)
To ensure the analytics detectors raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables alerts from any detector that reaches 5,000 or more hits over a 24-hour period.
Endpoint Security and Management
Cortex XDR Agent Deployment with Installer and Content Update Package
(
Requires a Cortex XDR agent 7.4 or later release for Windows
)
To reduce the network load and time typically required for the initial roll-out or major upgrades of the Cortex XDR agent, Cortex XDR now offers a combined agent installation and content update package. The package includes the agent installer and the latest supported content available at the time you download the bundle, which eliminates the content update download from the Cortex XDR server after the agent is installed. You can deploy the package using a third-party tool such as SCCM, or manually on the endpoint.
For more information on the installation process, refer to the Cortex XDR Agent Administrator's Guide.
Cortex XDR Agent Installer and Content Caching on the Broker VM
(
Requires a Cortex XDR agent 7.4 or later and Broker VM 12.0.58 or later
)
To reduce external bandwidth usage and the time required for Cortex XDR agent installations, upgrades, and content updates, Cortex XDR now offers an additional option to cache these files on your Cortex XDR Broker VM.
When both the P2P and Broker VM download sources are selected, the agent first queries a peer agent for the files. If the files are unavailable or the transfer fails, the agent queries the Broker VM, which keeps cached files for 30 days after an agent last requested them. If the download from the Broker VM fails as well, the agent retrieves the files directly from the Cortex XDR server; the option to retrieve files from the server is always enabled.
To enable the Broker VM caching option, you must first:
  1. On your Broker VM settings, configure an FQDN address and enable agent caching in your
    Local Agent
    applet.
  2. In your Agent Settings profile, add Broker VM as a
    Download Source
    and configure the Broker VM FQDN address.
For the detailed workflow on how to set up caching on the Broker VM, refer to the Cortex XDR administrator’s guide.
Peer-to-Peer Distribution of Cortex XDR Agent Installers
To reduce bandwidth load when distributing installers from Cortex XDR to the Cortex XDR agents, Cortex XDR now uses P2P distribution for agent installers in addition to content updates. In your Agent Settings profile, you can choose the download sources from which agents retrieve release upgrades and content updates: P2P, the Palo Alto Networks Broker VM, and the Cortex XDR server. Peer-to-peer distribution is enabled by default in the Agent Settings profile and requires that you allow UDP and TCP traffic between agents on port 33221 (you can change the port number later in the Agent Settings profile).
Device Control Enforcement on Previously Connected USB Devices
(
Requires a Cortex XDR agent 7.4 or later release for Windows
)
When the Cortex XDR agent starts enforcing Device Control on the endpoint, it now enforces the policy rules not only on newly connected devices, but also on devices that were previously connected to the endpoint before the policy enforcement was applied.
Native Support for Apple Silicon (M1)
(
Requires a Cortex XDR agent 7.4 or later release for Mac
)
Starting with this release, you can install the Cortex XDR agent on macOS devices with Apple Silicon (M1). For limitations on this platform, refer to the Cortex XDR 7.4 agent list of known issues.
Context-based Global Exceptions for the Gatekeeper Enhancement Protection Module
(
Requires a Cortex XDR agent 7.4 or later release for Mac
)
Now when the Cortex XDR Gatekeeper Enhancement security module raises an alert, you can create a global exception for this specific source-child combination only, while allowing Cortex XDR to continue enforcing the Gatekeeper Enhancement protection module on the source process running other child processes.
Cortex XDR Agent Silent Uninstall
(
Requires a Cortex XDR agent 7.4 or later release for Mac
)
Starting with this release, when you uninstall the Cortex XDR agent from the Cortex XDR management console, the process is silent and does not prompt the end-user for approvals on the endpoint.
Scope-Based Access Control (SBAC) for Endpoints
Cortex XDR now enables you to restrict user permissions to specific endpoint groups in the organization. By default, all users have management access to all endpoints in the tenant. After you (as an administrator) assign a management scope to a Cortex XDR user, that user can manage only the endpoints within that scope.
This Scope-Based Access Control (SBAC) affects the following functional areas in Cortex XDR:
  • Endpoint Administration table—view endpoints and take actions on endpoints.
    Note: Policy Management does not support SBAC.
  • Action Center—view and take actions only on endpoints that are within the scope of the user.
  • Dashboards and Reports—scoping takes place only on agent-related widgets.
The rest of the functional areas and their permissions in Cortex XDR do not support SBAC. Accordingly, if these permissions are granted to a scoped user, the user will be able to access all endpoints in the tenant within this functional area. For example, a scoped user with a permission to view incidents, can view all incidents in the system without limitation to a scope.
To view and modify the scope of a user, go to Configurations > Access Management > Users. In the list of Cortex XDR users, the new Endpoint Scope column specifies any SBAC assignment.
Broker VM
Version 12.1.5
CSV Log Files Integration with the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new CSV Collector applet that enables you to monitor and collect CSV log files from a shared Windows directory directly to your log repository for query and visualization purposes.
After you activate the CSV Collector applet, you can ingest CSV files as datasets by defining the folders mounted to the broker VM, the username and password used to access the Windows share, and the list of CSV files to monitor and upload to Cortex XDR.
Agent Proxy Listening Interface
You can now specify a proxy listening interface when activating a local agent on the broker VM, through the Activate Local Agent applet. For more information, see the Cortex XDR Administrator’s Guide.
API
New XQL API
(
Requires a Cortex XDR Pro license
)
To expand your investigation capabilities, Cortex XDR now enables you to run XQL queries on your data sources using APIs. The XQL APIs require a Cortex XDR Pro license and a daily Query Quota made up of query units. Cortex XDR provides a free quota of query units and you will be able to purchase additional units in future Cortex XDR versions.
Each XQL query consumes query units based on the number of API response results. Queries called without enough quota will fail.
You can run the following APIs on your tenant and on MSSP child tenants:
  • start_xql_query/—Run an XQL query. The response returns a unique query ID that you pass to the get_query_results/ API.
  • get_query_results/—Retrieve the results of an XQL query. Returns up to 1000 results.
  • get_query_results_stream/—Retrieve the results of an XQL query that returned more than 1000 results.
  • get_quota/—Retrieve the number of used and available query units.
To help you track your XQL API usage, the Cortex XDR app displays the following information:
  • Query usage and your remaining available quota.
  • Data about the XQL queries executed by API:
    • ID—Unique identifier of the API query.
    • Timestamp—Date and time at which the XQL API was called.
    • PAPI Key ID—The API key ID used to call the XQL API.
    • XQL Query—Query string submitted through the XQL API.
    • Query Unit Usage—Number of query units consumed by the query.
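As an added example (not Palo Alto Networks code), the following Python client runs a query end to end: it checks the quota first, starts the query, polls until the results are ready, and flags result sets larger than the 1000-row ceiling of get_query_results/. Only the endpoint names, the quota concept and the 1000-row limit come from this page. The endpoint path prefix (/public_api/v1/xql/ on the API FQDN), the {"request_data": ...} request and {"reply": ...} response envelopes, the PENDING/SUCCESS status values, the license_quota/used_quota field names and the Advanced API key scheme (sha256 of key + nonce + timestamp sent in the Authorization header) are assumptions about the API, and FakeTenant is an offline stand-in so the code runs without a tenant.

```python
"""XQL API client: quota check, start, poll, bounded fetch. Added example, see lead-in."""
import hashlib
import json
import secrets
import time
from typing import Any, Callable, Dict

# transport(url, headers, body) -> decoded JSON reply; an offline fake is used below
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]


class QuotaExceeded(RuntimeError):
    """Raised before a query is started when the tenant has no query units left."""


class XqlClient:
    def __init__(self, api_fqdn: str, key_id: str, api_key: str, transport: Transport):
        self.base = f"https://{api_fqdn}/public_api/v1/xql/"   # assumed path layout
        self.key_id, self.api_key, self.transport = key_id, api_key, transport

    def _headers(self) -> Dict[str, str]:
        # Advanced API key (assumed scheme): the key never goes on the wire, only a hash
        # bound to a fresh nonce and timestamp, which limits replay of a captured request.
        nonce = secrets.token_hex(32)
        ts = str(int(time.time() * 1000))
        auth = hashlib.sha256((self.api_key + nonce + ts).encode()).hexdigest()
        return {"x-xdr-auth-id": self.key_id, "x-xdr-nonce": nonce, "x-xdr-timestamp": ts,
                "Authorization": auth, "Content-Type": "application/json"}

    def _call(self, endpoint: str, request_data: Any) -> Any:
        body = json.dumps({"request_data": request_data}).encode()
        reply = self.transport(self.base + endpoint, self._headers(), body)["reply"]
        if isinstance(reply, dict) and "err_code" in reply:
            raise RuntimeError(f"{endpoint}: {reply['err_code']} {reply.get('err_msg')}")
        return reply

    def remaining_quota(self) -> int:
        q = self._call("get_quota/", {})
        return int(q["license_quota"]) - int(q["used_quota"])   # assumed field names

    def run(self, query: str, limit: int = 1000, poll_seconds: float = 0.0) -> Dict[str, Any]:
        if self.remaining_quota() < 1:       # a query started without units simply fails
            raise QuotaExceeded("no query units left; see get_quota/")
        query_id = self._call("start_xql_query/", {"query": query, "tenants": []})
        while True:
            reply = self._call("get_query_results/", {"query_id": query_id, "pending_flag": True,
                                                       "format": "json", "limit": limit})
            if reply["status"] != "PENDING":
                break
            time.sleep(poll_seconds)
        # get_query_results/ returns at most 1000 rows; flag larger result sets so the
        # caller switches to get_query_results_stream/ instead of silently losing rows.
        reply["truncated"] = reply["number_of_results"] > len(reply["results"]["data"])
        return reply


class FakeTenant:
    """Offline stand-in for the tenant so the example runs without network access.
    It checks the request signature the way the real service would."""
    SAMPLE_ROWS = [{"agent_hostname": "WS-01", "action_process_image_name": "powershell.exe"},
                   {"agent_hostname": "WS-02", "action_process_image_name": "cmd.exe"}]  # constructed

    def __init__(self, api_key: str, license_quota: int):
        self.api_key, self.license_quota, self.used = api_key, license_quota, 0
        self.polls: Dict[str, int] = {}

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        expected = hashlib.sha256((self.api_key + headers.get("x-xdr-nonce", "")
                                   + headers.get("x-xdr-timestamp", "")).encode()).hexdigest()
        if headers.get("Authorization") != expected:
            return {"reply": {"err_code": 401, "err_msg": "Unauthorized"}}
        endpoint = url.rstrip("/").rsplit("/", 1)[1]
        data = json.loads(body)["request_data"]
        if endpoint == "get_quota":
            return {"reply": {"license_quota": self.license_quota, "used_quota": self.used}}
        if endpoint == "start_xql_query":
            qid = secrets.token_hex(8)
            self.polls[qid] = 0
            return {"reply": qid}
        if endpoint == "get_query_results":
            self.polls[data["query_id"]] += 1
            if self.polls[data["query_id"]] == 1:      # first poll: still running
                return {"reply": {"status": "PENDING"}}
            self.used += 1                               # units charged on delivery
            return {"reply": {"status": "SUCCESS", "number_of_results": len(self.SAMPLE_ROWS),
                              "results": {"data": self.SAMPLE_ROWS[: data["limit"]]}}}
        return {"reply": {"err_code": 404, "err_msg": endpoint}}


def demo(license_quota: int = 5, limit: int = 1000) -> Dict[str, Any]:
    key = "0123456789abcdef" * 4   # constructed key for the offline tenant
    client = XqlClient("api-tenant.xdr.us.paloaltonetworks.com", "7", key,
                       FakeTenant(key, license_quota))
    return client.run("dataset = xdr_data | limit 10", limit=limit)
```

To run against a real tenant, replace FakeTenant with a function that POSTs the body with the headers and returns the decoded JSON; keep the quota check in front of start_xql_query/, since a query submitted without enough units fails only after the call has been made.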
New API Key Time Limit
For an added layer of security when managing your API permissions, you can now set a time limit on the API keys used to authenticate API calls.
When creating an API key, select the option to enable an Expiration Date for the key. A new Expiration Time field in the API Keys table lets you track each key. In addition, Cortex XDR displays an API Key Expiration notification one week and one day before the defined expiration date.
Enhanced Visibility of Incident Data
To give you greater visibility into the data returned by the Get Incidents and Get Extra Incident Data APIs, the response now includes the following fields:
  • mitre_techniques_ids_and_names—Array of the MITRE ATT&CK technique IDs and names associated with the incident.
  • mitre_tactics_ids_and_names—Array of the MITRE ATT&CK tactic IDs and names associated with the incident.
  • wildfire_hits—Number of WildFire detections in the incident.
  • alert_categories—Array of the categories of the alerts in the incident.
  • alerts_grouping_status—String indicating whether alert grouping is Enabled or Disabled.
Updated Alert Severity Valid Values
To ensure consistency in the Cortex XDR app Alerts table, the severity field is now mandatory when calling the Insert Parsed Alerts API and no longer accepts the value Unknown.
The valid values are:
  • Informational
  • Low
  • Medium
  • High
Updated Featured Alert Fields API
(
Requires a Cortex XDR Pro license
)
To expand your Featured Alert Field capabilities, Cortex XDR has updated the Replace Featured Active Directory Groups API to allow you to delete and replace Organizational Units (OUs) in addition to Active Directory (AD) groups.
When calling /replace_ad_groups/, you can now distinguish between an AD group and an OU by including the new type field with a value of either group or OU in your request. The field is not mandatory and defaults to group.
Upload Cortex XDR Indicator Request Validation
To give you greater visibility into whether an indicator was updated correctly, you can now send a validate field in your request when calling the Insert Simple Indicators, CSV and Insert Simple Indicators, JSON APIs.
If the update was unsuccessful, the response returns a validation_errors array listing the specific fields and the errors that occurred.
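As an added example (not Palo Alto Networks code), the following Python builds request bodies for the Insert Parsed Alerts and Insert Simple Indicators APIs described above, with the client-side checks a practitioner would want: severity is normalised to the four accepted values and never sent as Unknown, obviously malformed indicators are rejected before the call, and the validation_errors array of a failed indicator upload is flattened into readable messages. The {"request_data": ...} envelope, the alert field names, the indicator type values and the per-entry keys of validation_errors are assumptions; the sample events, indicators and failure reply are constructed.

```python
"""Client-side checks for Insert Parsed Alerts and Insert Simple Indicators. Added example."""
import re
from typing import Any, Dict, List

VALID_SEVERITIES = ("Informational", "Low", "Medium", "High")

# Labels and 0-10 scores that third-party products commonly emit, mapped onto the
# four accepted values. Unmapped input is rejected, never sent as "Unknown".
SEVERITY_ALIASES = {
    **{k: "Informational" for k in ("info", "informational", "notice", "0", "1")},
    **{k: "Low" for k in ("low", "minor", "2", "3")},
    **{k: "Medium" for k in ("medium", "med", "moderate", "4", "5", "6")},
    **{k: "High" for k in ("high", "critical", "severe", "7", "8", "9", "10")},
}


def normalize_severity(value: Any) -> str:
    """Return one of VALID_SEVERITIES or raise ValueError (severity is mandatory)."""
    if value is None:
        raise ValueError("severity is mandatory for Insert Parsed Alerts")
    key = str(value).strip().lower()
    if key in ("", "unknown"):
        raise ValueError("severity 'Unknown' is not accepted; map it or drop the event")
    if key not in SEVERITY_ALIASES:
        raise ValueError(f"unmapped severity {value!r}")
    return SEVERITY_ALIASES[key]


def parsed_alerts_request(events: List[Dict[str, Any]], vendor: str, product: str) -> Dict[str, Any]:
    """Build an Insert Parsed Alerts body from third-party events (field names assumed)."""
    alerts = [{
        "product": product, "vendor": vendor,
        "local_ip": ev["src_ip"], "local_port": int(ev["src_port"]),
        "remote_ip": ev["dst_ip"], "remote_port": int(ev["dst_port"]),
        "event_timestamp": int(ev["ts_ms"]),                  # epoch milliseconds
        "severity": normalize_severity(ev.get("severity")),   # raises instead of sending Unknown
        "alert_name": ev["name"], "alert_description": ev.get("description", ""),
    } for ev in events]
    return {"request_data": {"alerts": alerts}}


_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def indicators_request(indicators: List[Dict[str, Any]], validate: bool = True) -> Dict[str, Any]:
    """Build an Insert Simple Indicators (JSON) body. Cheap local checks run first so the
    server-side `validate` pass only has to report what cannot be checked here."""
    for ind in indicators:
        value, kind = ind["indicator"], ind["type"]          # type values assumed: HASH, IP, ...
        if kind == "HASH" and not _SHA256.match(value):
            raise ValueError(f"{value!r} is not a SHA256 hash")
        if kind == "IP" and not _IPV4.match(value):
            raise ValueError(f"{value!r} is not an IPv4 address")
    return {"request_data": [dict(ind) for ind in indicators], "validate": validate}


def validation_problems(reply: Dict[str, Any]) -> List[str]:
    """Flatten the validation_errors array (present when the update failed) into messages.
    The per-entry keys (indicator, field, error) are an assumption about its shape."""
    inner = reply.get("reply")
    data = inner if isinstance(inner, dict) else reply
    errors = data.get("validation_errors") or []
    return [f"{e.get('indicator', '?')}: {e.get('field', '?')}: {e.get('error', '?')}" for e in errors]


# Constructed sample input and a constructed failure reply.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "src_port": 51515, "dst_ip": "203.0.113.9", "dst_port": 443,
     "ts_ms": 1612174500000, "severity": 5, "name": "Beaconing", "description": "periodic TLS"},
    {"src_ip": "10.0.0.7", "src_port": 40000, "dst_ip": "198.51.100.2", "dst_port": 22,
     "ts_ms": 1612174560000, "severity": "critical", "name": "SSH brute force"},
]
SAMPLE_INDICATORS = [
    {"indicator": "d" * 64, "type": "HASH", "severity": "HIGH", "reputation": "BAD", "comment": "loader"},
    {"indicator": "198.51.100.2", "type": "IP", "severity": "MEDIUM", "reputation": "BAD", "comment": "brute force"},
]
SAMPLE_FAILED_REPLY = {"reply": {"success": False, "validation_errors": [
    {"indicator": "198.51.100.2", "field": "expiration_date", "error": "value is in the past"}]}}
```

The point of failing loudly in normalize_severity rather than defaulting is that a silent fallback would recreate the Unknown problem the API change removes: an alert with a guessed severity sorts and filters wrongly in the Alerts table, which is worse than a rejected event you can see in your ingestion logs.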

Features Released in March

The following table describes new features in the Cortex XDR 2.8 release.
Feature
Description
Access Management
Cortex XDR Management Console IP Address Changes
Cortex XDR now uses new IP addresses for accessing the Cortex XDR management console (<xdr-tenant>.xdr.<region>.paloaltonetworks.com). If you already use the cortex-xdr App-ID or the outgoing HTTPS connection is not filtered by a firewall, no firewall adjustments are necessary. However, if your HTTPS connection is filtered through a firewall (and you do not use the App-ID), you must update your configuration with the new IP addresses for your region. The FQDN for the Cortex XDR management console remains unchanged.
Broker VM
Approved Remote Terminal Commands
When you connect to a broker VM remotely, Cortex XDR now allows you to run the following privileged commands:
  • restart_routes—Restart the routing service, applying the updates you made to the network route configuration file. The edit_routes command is deprecated.
  • squid_tail—Display the Proxy applet Squid log file in real time.
API
Enhanced Visibility of Mac Addresses
To provide greater visibility for alerts that have multiple associated MAC addresses, the Get Alerts API response now includes the
mac_address
field.
The new field returns a list of one or more MAC addresses and will supersede the existing
mac
field which will be deprecated in a future release.

Features Introduced in February

The following table describes new features in the Cortex XDR 2.7 release.
Feature
Description
General
Extended Tab Viewing Options
The option to view results in the same tab or in a new tab is now available in the pivot menus of the following tables:
  • Query Center
    —Open query results
  • Scheduled Queries
    —View executed queries
  • Endpoint Management
    —Open the related Asset View and related incidents of an endpoint
  • Asset Management
    —Open asset and agent details views
  • BIOC rules
    —Open the related rule query
In-App New Version Notification
Cortex XDR now displays a notification when you log in to your tenant following a Cortex XDR version upgrade. The notification shows the new version number and lists selected new features available for your license type.
From the notification, you can pivot to the Release Notes for more information, or dismiss the notification and view it later by navigating to User > What's new in the Cortex XDR management console.
Audit Logs SHA256 Value Enhancement
To improve your investigation capabilities, Cortex XDR now includes the SHA256 value in the Management Audit and Agent Audit logs for files that you quarantined or restored.
The Description field of the Management Audit Log and Agent Audit Log in the Cortex XDR management console, and of the Get Audit Agent Report and Get Audit Management Log APIs, now uses the following formats:
  • Management Audit Logs
    • Restore quarantined file hash <full SHA256> on <endpoint name>
    • Quarantine <file path>, SHA256: <full SHA256> on <endpoint name>
  • Agent Audit Logs
    • Restored file <file path>, SHA256: <full SHA256> on <endpoint name>
    • Quarantined file <file path>, SHA256: <full SHA256> on <endpoint name>
Auto-Disable BIOC Rules Log Description Update in Audit Logs
The Description field of an auto-disabled behavioral indicator of compromise (BIOC) rule, as displayed on the Management Audit Log page and returned by the Get Audit Management Log API, now uses the following format:
BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity>
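As an added example (not Palo Alto Networks code), the following Python parses the Description formats listed in the two entries above into structured records, so that audit logs pulled through the Get Audit Management Log and Get Audit Agent Report APIs can be joined on the SHA256 or filtered for restores, which undo a prevention and are worth reviewing. The sample entries are constructed; the hashes, paths, endpoint and rule names are invented.

```python
"""Parse the audit-log Description formats listed above. Added example, see lead-in."""
import re
from collections import Counter
from typing import Dict, List, Optional

_SHA = r"(?P<sha256>[0-9A-Fa-f]{64})"
_PATTERNS = [
    # Management Audit Log: restore is logged by hash only, without a path
    ("restore", re.compile(rf"^Restore quarantined file hash {_SHA} on (?P<endpoint>.+)$")),
    # Management Audit Log: quarantine carries the path
    ("quarantine", re.compile(rf"^Quarantine (?P<path>.+), SHA256: {_SHA} on (?P<endpoint>.+)$")),
    # Agent Audit Log entries
    ("restore", re.compile(rf"^Restored file (?P<path>.+), SHA256: {_SHA} on (?P<endpoint>.+)$")),
    ("quarantine", re.compile(rf"^Quarantined file (?P<path>.+), SHA256: {_SHA} on (?P<endpoint>.+)$")),
]
_BIOC_DISABLED = re.compile(
    r"^BIOC rule #(?P<rule_number>\d+) has been automatically disabled because it reached "
    r"(?P<matches>[\d,]+) matches in the last 24 hours\. Rule name: (?P<rule_name>.+), "
    r"severity: (?P<severity>\w+)$"
)


def parse_description(text: str) -> Optional[Dict[str, object]]:
    """Return a record for a recognised Description, or None for any other entry."""
    for event, pattern in _PATTERNS:
        m = pattern.match(text.strip())
        if m:
            rec: Dict[str, object] = {"event": event, **m.groupdict()}
            rec["sha256"] = str(rec["sha256"]).lower()   # normalise for joins with other data
            return rec
    m = _BIOC_DISABLED.match(text.strip())
    if m:
        g = m.groupdict()
        return {"event": "bioc_auto_disabled", "rule_number": int(g["rule_number"]),
                "matches": int(g["matches"].replace(",", "")),
                "rule_name": g["rule_name"], "severity": g["severity"]}
    return None


def restored_hashes(descriptions: List[str]) -> Dict[str, List[str]]:
    """Map each SHA256 that was restored to the endpoints it was restored on.
    A restore reverses a quarantine, so these are the entries to review first."""
    out: Dict[str, List[str]] = {}
    for rec in filter(None, map(parse_description, descriptions)):
        if rec["event"] == "restore":
            out.setdefault(str(rec["sha256"]), []).append(str(rec["endpoint"]))
    return out


def event_counts(descriptions: List[str]) -> Dict[str, int]:
    return dict(Counter(str(rec["event"]) for rec in filter(None, map(parse_description, descriptions))))


# Constructed sample entries in the formats listed above (placeholder hashes).
_H1, _H2 = "a1" * 32, "B2" * 32
SAMPLE_DESCRIPTIONS = [
    f"Quarantine C:\\Users\\alice\\Downloads\\invoice.exe, SHA256: {_H1} on WS-ALICE-01",
    f"Restore quarantined file hash {_H1} on WS-ALICE-01",
    f"Quarantined file /Users/bob/Downloads/update.pkg, SHA256: {_H2} on MBP-BOB",
    f"Restored file /Users/bob/Downloads/update.pkg, SHA256: {_H2} on MBP-BOB",
    "BIOC rule #42 has been automatically disabled because it reached 10,000 matches "
    "in the last 24 hours. Rule name: Suspicious PowerShell, severity: High",
    "Policy rule updated by admin",   # unrelated entry, ignored
]
```

The path groups are greedy on purpose: a Windows path may contain commas, so the parser anchors on the last ", SHA256: <64 hex> on " in the line rather than the first comma.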
Investigation and Response
XQL Query Language Enhancements
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) is extended in the following ways:
New Datasets for XQL Search
(
Requires a Cortex XDR Pro license
)
Cortex XDR now enables you to query the following data using the Cortex XDR Query Language (XQL):
  • Next-generation firewall logs (available as a new dataset). These fields and data are identical to the log record information that is available using the Explore app.
  • Device control connect and disconnect events (added to the xdr_data dataset).
In addition, log records received from a security information and event management (SIEM) system are parsed into key-value pairs. Log record field values that are not identified as an integer, string, or timestamp are ingested as a JSON record.
Network Preset Name Change in XQL Search
(
Requires a Cortex XDR Pro license
)
The Network preset for XQL Search of EDR data is changed—it is now Agent Network. This is only a name change; this preset still provides the same network events sent from agents as before this change.
The Agent Network preset is not the same as the Network Story preset that provides stitched network events from different sources.
Additional XQL Search Pivot Functionality
(
Requires a Cortex XDR Pro license
)
To continue investigation, you can now pivot from XQL Search results to the Causality View and Timeline View. These options are supported for results that identify the following types of events: process (except for those with an event subtype of termination), network, file, registry, injection, load image, system calls, network stories, and Windows event logs.
From the events table in the Causality View and Timeline View, you can similarly pivot from an event to
View in XQL
in either the same tab or a new tab. This can be useful if you want to further refine the query to continue investigation.
Histograms for XQL Search Queries
(
Requires a Cortex XDR Pro license
)
Cortex XDR now automatically generates histograms for every field that is part of an XQL Search result. A histogram is a type of visualization of the results within a specific query. Histograms are similar to bar charts that show the distribution of values within a specific field across a result set. Each time you generate a new query, Cortex XDR will regenerate the histogram based on the updated result set.
Histograms are not supported for JSON and array fields.
New Visualizations for Widgets Based on XQL Search Queries
(
Requires a Cortex XDR Pro license
)
To help you better view and visualize data based on XQL search queries, you can now view your XQL search results in three new modes:
  • Raw
    —Displays the raw format of the entity in the database.
  • JSON
    —Displays the entity with a key value distinction.
  • Tree
    —A dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.
Cortex XDR expanded the type of available widgets so that you can now display the search results using:
  • Pie charts
    —Includes options for full circle (default), donut, and semicircle charts.
  • Area graphs
    —Includes options for standard, stacked, and percentage graphs.
  • Bubble graphs
    —Includes options for standard, packed, and group packed graphs.
  • Scatter graphs
  • Single value totals
  • Gauge graphs
    —Includes options for radial, filler, and marker graphs.
  • Table
    —Displays the results table data.
Widgets you create are saved to the Widget Library, where you can find them again later.
New Cortex XDR Widget Library
To streamline widget visibility and management, Cortex XDR now enables you to search, view, and edit both your custom widgets and the Cortex XDR predefined widgets in the new Widget Library.
The library is a one-stop page where you can easily add or create widgets to your dashboards and reports to help you continuously monitor your XQL query results, logs, and data visually.
New Incident Management Page
To streamline the
Investigation
menu, a new
Incident Management
page is now available. From this page, you can view starred incidents, manage scoring rules, and view incident exclusions.
Custom Incident Scoring Rules
(
Requires a Cortex XDR Pro license
)
To streamline the investigation process and better highlight incidents that are significant in your environment, Cortex XDR now enables you to define custom incident scoring rules that prioritize your incidents according to the needs of your organization.
Define scoring rules in the Cortex XDR management console on the Investigation > Incident Management page. Each rule assigns a score to alerts that match an alert attribute or the entity on which the alert occurred. When an alert matching the rule is raised, Cortex XDR adds the rule's score to the total score of the incident. By default, the score is applied only to the first alert that matches the rule; subsequent matching alerts in the same incident do not add to the score.
The incident score is displayed as a filterable Score field in the Incidents table and as a tag in the Incident View.
Featured Alert Fields
(
Requires a Cortex XDR Pro license
)
To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now enables you to label specific alert attributes as Featured Alert Fields.
Featured fields help you track alerts that involve a specific:
  • Host Name
  • User Name
  • IP Address
Label a field as Featured in Investigation > Incident Management > Featured Alert Fields, and then filter and sort alerts containing the featured fields in the Alerts table using the new table fields:
  • Contains Featured Host
  • Contains Featured User
  • Contains Featured IP Address
To make them easy to locate, alerts containing one or more featured fields are marked with a flag in the Alert Name field.
Alert notification emails now indicate whether the alert contains one or more featured fields:
  • "contains_featured_host": ["NO"/"YES"],
  • "contains_featured_user": ["NO"/"YES"],
  • "contains_featured_ip": ["NO"/"YES"],
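As an added example (not Palo Alto Networks code), the following Python reproduces the two behaviours described in the Custom Incident Scoring Rules and Featured Alert Fields entries above: it computes the same YES/NO featured-field flags that the notification e-mail carries, and scores incidents with rules that count only once per incident (first matching alert). The alert field names (host_name, user_name, host_ip, severity), the featured entities, the rules and the incidents are assumptions or constructed data.

```python
"""Featured-field flags and first-match-only incident scoring. Added example, see lead-in."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Constructed featured entities: a domain controller, a backup service account, a jump host.
FEATURED: Dict[str, Set[str]] = {"host": {"dc01"}, "user": {"svc_backup"}, "ip": {"10.0.0.5"}}


def featured_flags(alert: Dict[str, str], featured: Dict[str, Set[str]] = FEATURED) -> Dict[str, str]:
    """Same three YES/NO fields that the notification e-mail carries."""
    def has(kind: str, value: str) -> str:
        return "YES" if (value or "").lower() in featured[kind] else "NO"   # case-insensitive match
    return {
        "contains_featured_host": has("host", alert.get("host_name", "")),
        "contains_featured_user": has("user", alert.get("user_name", "")),
        "contains_featured_ip": has("ip", alert.get("host_ip", "")),
    }


@dataclass(frozen=True)
class ScoringRule:
    name: str
    score: int
    matches: Callable[[Dict[str, str]], bool]   # evaluated against one alert


RULES = [
    ScoringRule("high severity", 30, lambda a: a.get("severity") == "High"),
    ScoringRule("featured host involved", 50,
                lambda a: featured_flags(a)["contains_featured_host"] == "YES"),
    ScoringRule("featured user involved", 40,
                lambda a: featured_flags(a)["contains_featured_user"] == "YES"),
]


def score_incident(alerts: List[Dict[str, str]], rules: List[ScoringRule] = RULES) -> Dict[str, object]:
    """Sum rule scores; each rule counts once per incident (first matching alert only)."""
    total, fired = 0, []
    for rule in rules:
        for alert in alerts:
            if rule.matches(alert):
                total += rule.score
                fired.append(rule.name)
                break   # later alerts matching the same rule add nothing
    return {"score": total, "rules": fired}


def rank_incidents(incidents: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Incident IDs ordered by descending score, as the Score column would sort them."""
    return sorted(incidents, key=lambda i: int(score_incident(incidents[i])["score"]), reverse=True)


# Constructed sample: three incidents with a few alerts each.
SAMPLE_INCIDENTS = {
    "INC-1": [  # three High alerts on the DC: scores once for High, once for the host
        {"host_name": "DC01", "user_name": "bob", "host_ip": "10.0.0.9", "severity": "High"},
        {"host_name": "DC01", "user_name": "bob", "host_ip": "10.0.0.9", "severity": "High"},
        {"host_name": "dc01", "user_name": "eve", "host_ip": "10.0.0.9", "severity": "High"},
    ],
    "INC-2": [  # backup service account on an ordinary workstation
        {"host_name": "WS-17", "user_name": "svc_backup", "host_ip": "10.0.1.4", "severity": "Low"},
    ],
    "INC-3": [  # nothing featured, nothing high
        {"host_name": "WS-18", "user_name": "carol", "host_ip": "10.0.1.5", "severity": "Medium"},
    ],
}
```

INC-1 scores 80, not 240, which is the practical consequence of the first-match default: a burst of identical alerts does not inflate an incident, so a rule's score should reflect how much you care that the condition occurred at all, not how often.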
IOC Rule Functionality Enhancements
(
Requires a Cortex XDR Pro license
)
To ensure your indicators of compromise (IOCs) rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically performs the following tasks:
  • Disables any IOC rules that reach 5,000 or more hits over a 24-hour period.
  • Creates a Rule Exception based on the
    Process SHA256
    field for IOC rules that hit more than 100 endpoints over a 72-hour period.
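As an added example (not Palo Alto Networks code, and not the tenant's internal implementation, which is not exposed), the following Python applies the two thresholds stated above, plus the same 5,000-hits-in-24-hours disable threshold that the Auto-Disable of Alerts from Analytics Detectors entry describes, to constructed hit events, so that you can predict how a noisy indicator will be handled before it floods the Alerts table. Counting the 100 endpoints per process SHA256 is this example's interpretation of the rule-exception behaviour, and timestamps are assumed to arrive in non-decreasing order.

```python
"""Sliding-window hit accounting for rule auto-disable and auto-exception. Added example."""
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

DISABLE_HITS, DISABLE_WINDOW_S = 5_000, 24 * 3600        # disable at >= 5,000 hits in 24 h
EXCEPTION_ENDPOINTS, EXCEPTION_WINDOW_S = 100, 72 * 3600  # exception at > 100 endpoints in 72 h


class RuleHitTracker:
    def __init__(self) -> None:
        self._hits24: Dict[str, Deque[int]] = defaultdict(deque)                   # rule -> ts
        self._hits72: Dict[str, Deque[Tuple[int, str, str]]] = defaultdict(deque)  # rule -> (ts, endpoint, sha)
        self._endpoints: Dict[Tuple[str, str], Counter] = defaultdict(Counter)     # (rule, sha) -> endpoint -> n
        self.disabled: Set[str] = set()
        self.exceptions: Set[Tuple[str, str]] = set()      # (rule, process_sha256)

    def record(self, rule: str, endpoint: str, process_sha256: str, ts: int) -> List[str]:
        """Register one hit (timestamps in seconds, non-decreasing); return triggered actions."""
        if rule in self.disabled:
            return ["dropped_rule_disabled"]
        actions: List[str] = []
        q24 = self._hits24[rule]
        q24.append(ts)
        while q24 and q24[0] < ts - DISABLE_WINDOW_S:      # expire hits older than 24 h
            q24.popleft()
        if len(q24) >= DISABLE_HITS:
            self.disabled.add(rule)
            actions.append("disable_rule")
        q72 = self._hits72[rule]
        q72.append((ts, endpoint, process_sha256))
        self._endpoints[(rule, process_sha256)][endpoint] += 1
        while q72 and q72[0][0] < ts - EXCEPTION_WINDOW_S:  # expire hits older than 72 h
            _, old_ep, old_sha = q72.popleft()
            seen = self._endpoints[(rule, old_sha)]
            seen[old_ep] -= 1
            if seen[old_ep] == 0:
                del seen[old_ep]
        distinct = len(self._endpoints[(rule, process_sha256)])
        if distinct > EXCEPTION_ENDPOINTS and (rule, process_sha256) not in self.exceptions:
            self.exceptions.add((rule, process_sha256))
            actions.append("create_exception")
        return actions


def simulate_noisy_ioc(endpoints: int, hits_per_endpoint: int, spread_s: int = 3600) -> List[str]:
    """Constructed burst: `endpoints` hosts each hit one IOC rule `hits_per_endpoint` times,
    spread evenly over `spread_s` seconds. Returns the distinct actions taken, in order."""
    tracker, seen = RuleHitTracker(), []
    total = max(endpoints * hits_per_endpoint, 1)
    sha = "c0ffee" * 10 + "abcd"                      # placeholder process hash
    for i in range(endpoints * hits_per_endpoint):
        ts = 1_700_000_000 + (i * spread_s) // total
        for action in tracker.record("ioc:evil.example", f"host-{i % endpoints:04d}", sha, ts):
            if action not in seen:
                seen.append(action)
    return seen
```

The two deques keep the per-hit cost constant, which matters because a rule that is about to be disabled is, by definition, the one receiving thousands of hits an hour.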
Network Causality Event Timestamp Investigation
(
Requires a Cortex XDR Pro license
)
To help you investigate the time frame of security processes and connections made over your network, Cortex XDR now displays the network event timestamp in the Network Causality View.
When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.
Enhanced Timestamp Investigation
To enhance your investigation capabilities, you can now narrow the
Timestamp
field results in the Cortex XDR tables by right-clicking to display rows that are 30 days before or 30 days after the selected field value.
Events Table Results Enhancements
The Events table (available from the Causality View and Timeline View) now includes the following enhancements:
  • The maximum number of related events increased from 10,000 to 100,000.
  • You can now export the related events to a tab-separated values (TSV) file.
  • The following fields are no longer displayed:
    • FILE
      File Macro SHA256
    • INJECTION
      Injection Type
Slack Notifications Enhancement
To help streamline investigations for alerts you receive on Slack, Cortex XDR now provides a link in Slack notifications to the alert details in Cortex XDR. If the alert is part of an Incident, the notification also includes the link to investigate the incident in Cortex XDR.
Hostname Visibility in Alerts
Hostname visibility in the Cortex XDR Alerts Table is now displayed according to the following guidelines:
  • When a hostname associated with an IP address is known in the Palo Alto Networks Next-Generation Firewalls alerts, Cortex XDR displays the hostname in the
    Host
    field.
  • When a hostname associated with an IP address is unknown in the Palo Alto Networks Next-Generation Firewalls and third-party source alerts, the
    Host
    field is blank and no longer displays the IP address. However, the IP address is still available in the
    Host IP
    address field.
Native Search Deprecation
For queries on data in your Cortex XDR tenant, Cortex XDR provides query functions using the XQL Search that enable you to query the data, create widgets, and schedule queries, all of which supersede the Native Search.
The Native Search will remain available from the Query Builder only until the next release.
Remote Malicious Causality Chains Response (Windows)
(
Requires Cortex XDR agent 7.3 or a later version
)
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity, such as encrypting endpoint files, the agent can now block the IP address to terminate all existing communication and block new connections from that IP address to the endpoint.
You can view the list of all blocked IP addresses per endpoint from the Cortex XDR
Action Center
, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile where you can also add a specific and known safe IP address or IP address range to the IP addresses allow list. This capability is supported for network connections made in IPv4 only.
When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Network Isolation of macOS Endpoints (macOS 10.15.4 and later)
(
Requires Cortex XDR agent 7.3 or a later version
)
Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
Note the following limitations:
  • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List.
  • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Live Terminal Enhancements (Windows and Mac)
(
Requires Cortex XDR agent 7.3 or a later version
)
To improve the awareness and visibility of the endpoint end user, when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking indicator on the tray icon (or in the status bar on Mac endpoints) for the duration of the remote session to show the end user that a live terminal session is in progress. Both settings are optional, and you can configure them independently.
External Data Ingestion
PingFederate Log Ingestion
(
Requires a Cortex XDR Pro per TB license
)
Cortex XDR can now ingest logs from PingFederate. To receive logs, you must enable PingFederate to send logs in CEF format to the Syslog Collector that you set up on the broker VM.
As soon as Cortex XDR begins receiving logs, the app automatically creates a PingFederate XQL dataset (
ping_identity_pingfederate_raw
) and enables you to search the logs using XQL Search. Log information from PingFederate is also visible, when relevant, in the
xdr_data
dataset and in the
authentication_story
preset.
Amazon CloudWatch and AWS CloudTrail Log Ingestion
(
Requires a Cortex XDR Pro per TB license
)
Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail Logs. To receive logs, configure
SaaS Log Collection
settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon AWS XQL dataset (
amazon_aws_raw
) and enables you to search the logs using XQL Search.
Elasticsearch Filebeat Log Ingestion
(
Requires a Cortex XDR Pro per TB license
)
When you use Elasticsearch Filebeat to log activity on your endpoints or servers, Cortex XDR can now ingest those file logs. To receive logs, configure the collection settings for Filebeat in Cortex XDR and the output settings in your Filebeat installations.
As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset for each collected vendor and product and makes logs available in XQL Search queries.
HTTP Log Collector
(
Requires a Cortex XDR Pro per TB license
)
You can now set up an HTTP Log Collector to receive logs in text or JSON format. To begin receiving logs you must first set up the HTTP Log Collector and use the provided examples to construct an HTTP POST request.
As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset using the vendor and product you specified during the log collector setup. You can then use XQL Search to initiate queries on the dataset.
Google Kubernetes Engine (GKE) Log Ingestion
(
Requires a Cortex XDR Pro per TB license
)
As an alternative to setting up a GCP Pub/Sub, Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using Elasticsearch Filebeat. To receive logs, you must install Filebeat on your containers and enable SaaS Log Collection settings for Filebeat.
As soon as Cortex XDR begins receiving logs, the app automatically creates a GKE XQL dataset—using the product and vendor that you specify during Filebeat setup—and enables you to search the logs using XQL Search.
Extended Log Ingestion for Syslog in LEEF Format
(
Requires a Cortex XDR Pro per TB license
)
Cortex XDR extends log ingestion support to vendors sending LEEF over Syslog. As with log ingestion for CEF over Syslog, you can configure the protocol, the IP address and port, and the format settings for the syslog collector.
After Cortex XDR begins receiving logs from the third-party source, it automatically parses the logs in LEEF format and creates a dataset. Cortex XDR extracts the vendor and product name to identify the dataset as
<vendor>
_
<product>
_raw
. You can then use XQL Search queries to view logs and create new BIOC rules.
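As an added example (not Palo Alto Networks code), the following Python formats a LEEF event, frames it as an RFC 3164 syslog line and can send it to the broker VM syslog collector. The header layout and tab delimiter follow LEEF 1.0 as published by IBM; the page states only that the collector parses LEEF over syslog and names the dataset <vendor>_<product>_raw, so the normalisation of vendor and product strings into that name (lower-case, runs of non-alphanumerics replaced by an underscore) is an assumption. The sample event is constructed.

```python
"""LEEF 1.0 over RFC 3164 syslog, for the LEEF collector described above. Added example."""
import re
import socket
from datetime import datetime, timezone
from typing import Dict, Optional

FACILITY_LOCAL4 = 20
SEV_NOTICE = 5


def _header_field(value: object) -> str:
    # "|" separates header fields and there is no escape we can rely on, so a
    # literal pipe (or line break) in a field is replaced rather than passed through.
    return re.sub(r"[|\r\n]", "_", str(value))


def _attr_value(value: object) -> str:
    # Tab separates attributes; a tab or line break inside a value would split the
    # event into bogus attributes, so they are collapsed to a space.
    return re.sub(r"[\t\r\n]", " ", str(value))


def leef_event(vendor: str, product: str, version: str, event_id: str, attrs: Dict[str, object]) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value..."""
    for key in attrs:
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", key):   # keys must not carry "=", tabs or pipes
            raise ValueError(f"bad LEEF attribute key {key!r}")
    header = "|".join(["LEEF:1.0", *map(_header_field, (vendor, product, version, event_id))])
    body = "\t".join(f"{k}={_attr_value(v)}" for k, v in attrs.items())
    return f"{header}|{body}"


def syslog_frame(message: str, hostname: str, when: Optional[datetime] = None,
                 facility: int = FACILITY_LOCAL4, severity: int = SEV_NOTICE) -> str:
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss hostname message, with PRI = facility*8 + severity."""
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded per RFC 3164
    return f"<{facility * 8 + severity}>{stamp} {hostname} {message}"


def dataset_name(vendor: str, product: str) -> str:
    """<vendor>_<product>_raw; the normalisation of the two strings is assumed."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]+", "_", s.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"


def send(line: str, collector: str, port: int = 514, tcp: bool = False) -> int:
    """Ship one framed line to the broker VM syslog collector; returns bytes sent.
    Over TCP the line is newline-terminated (octet counting is not used here)."""
    data = (line + ("\n" if tcp else "")).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        if tcp:
            s.connect((collector, port))
            return s.send(data)
        return s.sendto(data, (collector, port))


# Constructed sample from a hypothetical "Acme Web Gateway" appliance. The tab inside
# msg would otherwise split the event; the pipe is harmless in an attribute value.
SAMPLE = leef_event("Acme", "Web Gateway", "3.1", "auth_failure", {
    "devTime": "Feb 01 2021 10:15:00", "src": "10.0.0.5", "usrName": "alice",
    "msg": "bad password\tfor alice|admin",
})


def sample_frame() -> str:
    return syslog_frame(SAMPLE, "gw01", datetime(2021, 2, 1, 10, 15, 0, tzinfo=timezone.utc))
```

Send with `send(sample_frame(), "<broker-vm-ip>")` once the syslog collector is listening; the resulting events land in the acme_web_gateway_raw dataset under the naming rule assumed above.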
Analytics
Analytics BIOC Visibility and Management
(
Requires a Cortex XDR Pro license
)
If you have Analytics enabled, Cortex XDR now provides visibility into and enables management of your Analytics BIOC rules by pivoting from the BIOC Rules table to a dedicated page.
For each rule, Cortex XDR displays identifying information, such as name and ID, severity, rule activation status, and any relevant MITRE ATT&CK information. Cortex XDR also enables you to disable or enable Analytics BIOC rules as needed.
To view and manage Analytics BIOC rules, you must have the corresponding permissions enabled for your role.
Asset Management
Enhancements to Asset Management
(
Requires a Cortex XDR Pro license
)
Cortex XDR now also displays the MAC address vendor name and the platform running on your managed and unmanaged assets.
Export Network Assets to File
(
Requires a Cortex XDR Pro license
)
You can now export your Asset Management table results to a tab-separated values (TSV) file.
Endpoint Security and Management
Flexible Agent License Revocation
(
Requires a Cortex XDR Pro license
)
To enable a flexible revocation policy for Cortex XDR agent licenses, you can now configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. In addition, you can configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. For more information, see Cortex XDR Agent License Revocation.
Enhanced Local Analysis Prevention (Windows)
(
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version
)
The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Bulk Alias Edits for Endpoints
(
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license
)
To enable you to quickly change the alias for multiple endpoints, you can now perform the action from the Endpoint Control menu on the Endpoint Administration page.
Vulnerable Drivers Protection (Windows)
(
Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.2 or a later version
)
Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security Profile.
By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module.
Device Control for VDI (Windows) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends Device Control for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact.
Note the following limitations:
  • Virtual environments use different stacks that might not be subject to the Device Control policy rules enforced by the Cortex XDR agent; as a result, USB devices might be allowed to connect to the VDI instance contrary to the configured policy rules.
  • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Unpatched Vulnerabilities Protection (Windows) (Requires a Cortex XDR agent 7.1 or a later version)
Palo Alto Networks strongly recommends that you upgrade your operating system as soon as possible to address vulnerabilities CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094. For more information, refer to the Microsoft Security Response Center.
For Cortex XDR agents 7.1 and later releases running on unpatched Windows endpoints, a new capability in the Exploit Security profile temporarily modifies IPv4 and IPv6 settings on the endpoint as a workaround to protect unpatched endpoints from these known vulnerabilities. After the endpoint is patched with a fix for these vulnerabilities, the Cortex XDR agent automatically reverts all modified Windows system settings to the values they had before modification.
Before applying this workaround on your endpoints, refer to the Cortex XDR Administrator’s Guide for the full details and impact this workaround could have on your network.
Extended Device Control to Read-Only Disk Drives (Windows and Mac) (Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN to retrieve the new content version from other agents that have already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Agent Installation Using a Unified Configuration Profile File for MDMs (Mac)
For a seamless installation of the Cortex XDR agent that does not require end-user interaction, Palo Alto Networks now provides a unified configuration profile that you can upload to any third-party deployment software of your choice. You can download a configuration profile already signed by Palo Alto Networks, or an unsigned configuration profile if you prefer, or are required, to sign it with your own signing certificate. You can use the unified configuration profile to deploy any version of the Cortex XDR agent. For more information, refer to Install the Cortex XDR Agent Using a Unified Configuration Profile for MDMs.
Custom Agent Installation Directory (Linux) (Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
You can now install your Cortex XDR agent in a custom directory on Linux endpoints instead of using the default /opt directory. To do this, set the custom path in the new installation variable --install-path=/<some/path>. After you install the Cortex XDR agent to the custom path, all subsequent upgrades and the removal of the agent from the endpoint are executed in the same location. For more information, see how to Install the Cortex XDR Agent for Linux.
New Operating Systems Support (Linux) (Requires Cortex XDR agent 7.3 or a later version)
You can now install the Cortex XDR agent on Linux endpoints that are running on:
  • Debian 10, OpenSuse Leap 15.1, or SUSE 15 SP2.
  • Ubuntu Server 16, Ubuntu Server 18, and Ubuntu Server 20 with AWS kernel modules.
For all supported kernel versions, see the Latest kernel module version support.
Host Insights Add-on
Search and Destroy Malicious Files on Mac Endpoints (macOS 10.15.4 and later) (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
Host Insights Export to File (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version)
You can now export all the Cortex XDR host insights tables and respective asset views to a tab-separated values (TSV) file.
Vulnerability Management Name Change (Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version)
To better reflect the feature usage, Vulnerability Management is renamed to Vulnerability Assessment.
Multitenants and MSSPs
Cross-Tenant XQL Queries for Multi-Tenancy (Requires a Cortex XDR Pro license)
To enable multitenant management that uses XQL Query to view raw data that is stored in Cortex XDR, you can now execute XQL queries on a single child tenant or up to 100 child tenants simultaneously directly from your parent tenant XQL Search page.
When executing XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.
When executing XQL queries on multiple child tenants simultaneously:
  • Autocomplete and validation are supported only on Cortex XDR dataset types, such as EDR data, Cortex XDR Alerts, and Palo Alto Networks Next-Generation Firewall logs.
  • Queries are executed on each child tenant separately and return up to one million results split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.
You can view, track, and investigate the query results and graphs for each child tenant in your XQL Search page results table or Query Center by filtering by child tenant.
Broker VM (Version 11.1.1)
Broker VM Images
MD5 values for broker images version 11.1.1:
  • OVA—232a6940ff81fcc5c585b1775973df37
  • VHD—285f301fb75db249d27491646548f3e3
  • VMDK—b17329ba1661c206a1097cf69945bcd9
  • Azure VHD—ed78bf4e56cf78dde2a2ae6840569dab
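The published MD5 values above are only useful if the downloaded image is actually checked against them before it is imported into the hypervisor. The following is an added example (not Palo Alto Networks code) that hashes an image file in chunks and compares it with the table for Broker VM 11.1.1; the hash values are taken from the list above, while the function names and the sample file written by `demo()` are constructed for illustration.

```python
"""Verify a downloaded Broker VM image against the published MD5 table.

Added example, not Palo Alto Networks code. The hash values are the ones
published above for Broker VM 11.1.1; function names are assumptions.
"""
import hashlib
import hmac
import io
import os
import tempfile

# Published MD5 values for Broker VM 11.1.1 images (from the release notes above).
BROKER_VM_11_1_1_MD5 = {
    "OVA": "232a6940ff81fcc5c585b1775973df37",
    "VHD": "285f301fb75db249d27491646548f3e3",
    "VMDK": "b17329ba1661c206a1097cf69945bcd9",
    "Azure VHD": "ed78bf4e56cf78dde2a2ae6840569dab",
}


def md5_of_stream(fh, chunk_size=1024 * 1024):
    """Return the lowercase hex MD5 of a binary stream, hashing in chunks so a
    multi-GB image is never read into memory at once."""
    digest = hashlib.md5()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def md5_of_bytes(data):
    """Convenience wrapper for in-memory data (used for self-checks)."""
    return md5_of_stream(io.BytesIO(data))


def md5_of_file(path):
    """Hash a file on disk using the same chunked routine."""
    with open(path, "rb") as fh:
        return md5_of_stream(fh)


def verify_image(path, image_type, expected=BROKER_VM_11_1_1_MD5):
    """Return True when the file's MD5 matches the published value for image_type.

    hmac.compare_digest avoids short-circuiting on the first differing character.
    MD5 detects accidental corruption or a swapped download; it is not
    collision-resistant, so the expected values must come from an authenticated
    source (the vendor's release notes), not from the same download location.
    """
    want = expected[image_type].lower()
    got = md5_of_file(path)
    return hmac.compare_digest(got, want)


def demo():
    """Self-check on a constructed file: the image download is simulated with a
    short byte string, so the comparison against the published OVA hash fails."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed sample, not a real OVA image")
        sample = fh.name
    try:
        return verify_image(sample, "OVA")
    finally:
        os.remove(sample)


if __name__ == "__main__":
    print("constructed sample matches published OVA hash:", demo())
```

In practice, replace the constructed sample in `demo()` with the path of the image you downloaded and the matching key from the table; a `False` result means the file should not be imported.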
New Supported WEC Event Collection (Requires a Cortex XDR Pro per TB license)
To expand the Broker VM data collection capabilities, in addition to the default WEC event IDs, you can now configure the Broker VM to collect all or specific Windows event types, such as DHCP, DNS, and IIS event types, directly from the Cortex XDR management console.
WEC Domain Controller Certificate Notifications (Requires a Cortex XDR Pro per TB license)
To keep you informed of your WEC Domain Controller Certificate status and avoid service disruptions, Cortex XDR now displays a notification of the remaining time left on your license or whether your license is expired.
Approved Remote Terminal Command
When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands:
  • hostnamectl—Update a hostname.
  • edit_routes—Update static network routes.
API
New Featured Alert Fields APIs (Requires a Cortex XDR Pro license)
To expand your API capabilities, Cortex XDR now provides the APIs to help you manage your featured alert fields. Using the following APIs you can delete and replace existing featured alert fields:
  • Replace Featured Hosts
  • Replace Featured Users
  • Replace Featured IP Addresses
  • Replace Featured Active Directory Groups
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling the Get Incidents and Get Extra Incident Data APIs, the response section now includes the following Incident Scoring fields:
  • rule_based_score—The incident score calculated by the Incident Scoring Rules.
  • manual_score—The incident score updated manually by an Admin user.
Enhanced Visibility of Alert Data
To help you gain greater visibility of alerts that include a featured host name, username, or IP address, the Get Alerts API response now includes the following boolean fields:
  • contains_featured_host—Either True or False depending on whether the alert contains a featured host name.
  • contains_featured_user—Either True or False depending on whether the alert contains a featured username.
  • contains_featured_ip—Either True or False depending on whether the alert contains a featured IP address.
Enhanced Insert Parsed Alerts Capabilities
To enable you to include additional information when running the Insert Parsed Alerts API, you can now send the action status taken on an alert (Reported or Blocked) using the action_status field.
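The three API changes above (the incident scoring fields, the featured-asset booleans on Get Alerts, and the action_status field on Insert Parsed Alerts) are easiest to see on real-looking payloads. The following is an added example, not Palo Alto Networks code: the response envelopes (`reply` containing `incidents` or `alerts`), the `request_data.alerts` request envelope, the sample records and the helper names are all constructed here to mirror the fields named in the release notes, and nothing is sent over the network.

```python
"""Consume the new Get Incidents / Get Alerts fields and build a valid
Insert Parsed Alerts record. Added example, not Palo Alto Networks code;
envelopes, sample records and helper names are assumptions."""

# The only two values the release note names for action_status.
ACTION_STATUS_VALUES = {"Reported", "Blocked"}

# Constructed sample of a Get Incidents reply carrying the two new scoring fields.
SAMPLE_GET_INCIDENTS = {
    "reply": {
        "total_count": 2,
        "result_count": 2,
        "incidents": [
            {"incident_id": "1", "rule_based_score": 72, "manual_score": None},
            {"incident_id": "2", "rule_based_score": 35, "manual_score": 90},
        ],
    }
}

# Constructed sample of a Get Alerts reply carrying the three featured-asset flags.
SAMPLE_GET_ALERTS = {
    "reply": {
        "total_count": 3,
        "result_count": 3,
        "alerts": [
            {"alert_id": "a1", "contains_featured_host": True,
             "contains_featured_user": False, "contains_featured_ip": False},
            {"alert_id": "a2", "contains_featured_host": False,
             "contains_featured_user": False, "contains_featured_ip": False},
            {"alert_id": "a3", "contains_featured_host": False,
             "contains_featured_user": True, "contains_featured_ip": True},
        ],
    }
}

FEATURED_FLAGS = ("contains_featured_host", "contains_featured_user", "contains_featured_ip")


def incident_scores(reply):
    """Map incident_id -> (rule_based_score, manual_score). Both are returned
    as-is; the API reports them separately and does not merge them."""
    return {inc["incident_id"]: (inc.get("rule_based_score"), inc.get("manual_score"))
            for inc in reply["reply"]["incidents"]}


def manually_scored(reply):
    """Incident IDs whose score an Admin set by hand (manual_score is present)."""
    return sorted(i for i, (_, manual) in incident_scores(reply).items() if manual is not None)


def alerts_touching_featured_assets(reply):
    """Alert IDs with at least one featured-asset flag set, plus the flags that
    fired, so a triage queue can put them first. Flags are checked with
    `is True` so a missing field is never mistaken for a match."""
    hits = {}
    for alert in reply["reply"]["alerts"]:
        fired = [flag for flag in FEATURED_FLAGS if alert.get(flag) is True]
        if fired:
            hits[alert["alert_id"]] = fired
    return hits


def build_parsed_alert(alert_name, severity, action_status, **extra):
    """Build one alert record for Insert Parsed Alerts, rejecting an
    action_status outside the documented values before anything is sent."""
    if action_status not in ACTION_STATUS_VALUES:
        raise ValueError(
            f"action_status must be one of {sorted(ACTION_STATUS_VALUES)}, got {action_status!r}")
    record = {"alert_name": alert_name, "severity": severity, "action_status": action_status}
    record.update(extra)  # other per-alert fields the caller supplies
    return record


def build_insert_parsed_alerts_request(alerts):
    """Wrap alert records in the request envelope assumed here (request_data.alerts)."""
    return {"request_data": {"alerts": list(alerts)}}


if __name__ == "__main__":
    print("manually scored incidents:", manually_scored(SAMPLE_GET_INCIDENTS))
    print("alerts on featured assets:", alerts_touching_featured_assets(SAMPLE_GET_ALERTS))
    print(build_insert_parsed_alerts_request(
        [build_parsed_alert("Constructed test alert", "low", "Reported")]))
```

The validation in `build_parsed_alert` is the part worth keeping: a typo such as "Allowed" or "blocked" is caught locally instead of surfacing as a rejected or silently mis-categorised alert on the tenant.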