To streamline the management of your incidents and alerts, Cortex XDR now enables you to define a new Critical severity type for your incidents and alerts.

The Critical severity type is now visible in the Incident and Alert tables, IP Address/Hash Views, Detection Rules, and API calls. You can also search for Critical severity in the Quick Launcher.

To make it easier for you to configure whether case sensitivity is applied across Cortex XDR in one central area, Cortex XDR now includes a new XQL Configuration section in the

Settings

Configurations

General

Server Settings

. This section enables you to configure whether

Case Sensitivity (case_sensitive)

is applied throughout the application. This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.

To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes additional enhancements to improve the overall user experience and supports more Splunk functions and stages that can be translated to XQL.

To make it easier for you to write your Cortex XDR Query Language (XQL) queries, Cortex XDR now enables using a syntactic sugar for the following JSON functions.

To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports using the following new operator and functions.

The new operator and functions can also be used in the [INGEST] section when creating Parsing Rules.

To help you better manage the Alerts associated with your Correlation Rules, Cortex XDR enables you to enhance

Alerts

with user defined settings. When configuring an

Action

to generate an

Alert

for a Correlation Rule, you can now customize the following Alert Settings.

To streamline the process of retrieving endpoint support files, Cortex XDR now allows you to download one or more endpoint support files to a Cortex XDR server, instead of locally, that can then be accessed by a secured link.

Support files are stored by Cortex XDR for 30 days, however the secured link is valid for only 7 days. Following the 7 day period, in order to access the files you will need to generate a new link.

To improve Cortex XDR Query Language (XQL) query results, Cortex XDR has enhanced the

XQL Search

. Whensearching data in multiple MSSP and MTH tenants , XQL queries now return all child or common datasets with the same dataset name, even if the fields contain different data types or one of the datasets is missing some fields. In this case, Cortex XDR displays only the common fields.

Cortex XDR validates the hash against VirusTotal and Wildfire, to provide additional context before initializing the File Destroy action.

To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.

To prevent email from building up in the compliance mailbox when collecting Microsoft Office 365 emails via Microsoft’s Graph API, Cortex XDR has improved the Office 365 data collector so that after the emails are ingested they are deleted from the compliance mailbox.

To expand your investigation capabilities, you can configure Cortex XDR to normalize Azure AD audit logs when using an Office 365 data collector.

To enhance the current data ingestion capabilities, Cortex XDR now includes the file hash in the attachment details when using an Office 365 data collector to ingest Microsoft Office 365 emails via Microsoft’s Graph API.

Cortex XDR can now ingest logs and data from Google Workspace using a new data collector called Google Workspace for the following types of content.

To receive data, configure

Settings

Configurations

Data Collection

Collection Integrations

for the

Google Workspace

data collector in Cortex XDR.

As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the content type for the data collected. This enables you to search the logs using XQL Search.

Cortex XDR can now ingest Palo Alto Networks IoT Security solution alerts and assets directly using a new data collector called IOT Security via an API.

Cortex XDR adds IOT Security alerts to the Cortex XDR Alerts table and groups them into Incidents. Cortex XDR also adds IOT Devices to the Cortex XDR Assets table.

As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for devices only (

panw_iot_security_devices_raw

). This enables you to initiate XQL Search queries and create Correlation Rules.

To expand your investigation and analytics capabilities, Cortex XDR now uses a structured schema when using the Workday data collector. To get the best Analytics results, use the fields from the recommended schema.

To align the Cortex XDR Collectors data collection capabilities with the other data collectors available, Cortex XDR now supports all sections in the filebeat.yml configuration file, such as support for Filebeat fields and tags. As a result, this enables you to use

fields

to identify the product/vendor for the data collected by the XDR Collectors so the collected events go through the ingestion flow (Parsing Rules).

Cortex XDR now supports using Filebeat version 7.17.1 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines.

To extend the current data collection capabilities for JSON and Raw logs, Cortex XDR now supports collecting multiline JSON and Raw logs using the following data collectors.

To enable you to save your data in an external location, Cortex XDR now supports exporting logs using Event Forwarding.

Cortex XDR added a new

Event Forwarding

section under

Settings

Configurations

Data Management

where you can activate your Event Forwarding licenses and specify the path and credentials of your external storage destination.

Cortex XDR now leverages aggregated and anonymized cross-tenant profiles to detect abnormal behavior allowing the detection of new behaviors across multiple tenants and catch new types of attacks that might not arise from a single tenant.

Alerts raised by the cross-tenant profiles will be marked in the

Alerts

table as

Global Analytics

type alerts.

Cortex XDR now offers a solution to ease password management and its distribution. Cortex XDR maintains and manages tokens for each of the agents and can generate temporary tokens on demand.

When performing an action on the agent that requires a password entry, all you need to do is retrieve the hash from the agent to get the token password from Cortex XDR for that agent.

The token is automatically assigned to every endpoint and can be used to perform any action requiring a password on the agent. If needed, the admin can create a token for any endpoint or a group of endpoints with an expiration and use to manage those endpoints for the pre-defined period. The token can also be retrieved for an endpoint that lost connectivity to the server by extracting the token hash on the endpoint and retrieving the original token from that hash on the server.

To help you gain better visibility of your endpoint content versions, Cortex XDR now displays the following new field in the

All Endpoints

table

Content Status

and new widget

Agent Content Status Breakdown

.

Displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period. Only following this period can Cortex XDR display whether the endpoint content version is up to date or outdated.

To streamline how you manage your endpoints, Cortex XDR now allows you to tag endpoints using the Cortex XDR management console and on the endpoint during installation and agent lifespan.

Each endpoint can be assigned one or more dynamic tags you define allowing you flexibility with how you filter and group your endpoints.

To easily track the tags associated with the endpoints, in the

All Endpoints

and

Forensics

tables, a new

Endpoint Tags

field displays how the tag was assigned to the endpoint; via the management console -

Server

, or installation and cytool arguments -

Agent

.

To streamline and improve your incident investigation effort and time on Linux, Docker, and Kubernetes platforms, Cortex XDR now incorporates CIS Critical Security Controls to provide you with tools to prevent the next incident.

In addition to vulnerabilities already presented at the asset level, Cortex XDR now displays compliance violation information and the context of suspicious resources. Using predefined Cortex XDR or customized endpoint regulation policies, you can now find and prioritize incidents that involve resources with a high-risk level, enabling you to present and investigate an accurate and prioritized incident response process.

To track and manage security and compliance violations detected by Cortex XDR, a new

Compliance Dashboard

and

Compliance Violation Table

display the following aggregated data:

To help Cortex XDR better track your Cortex XDR agent stability, Cortex XDR can collect your agent logs to improve the agent stability.

Collection of the logs is enabled by default and is recommended by Cortex XDR. You can choose to disable in

Settings

General

Agent Configurations

Cortex XDR Log Collection

> section.

Cortex XDR now enables you to segment how you manage policies and profiles of endpoint groups.

By default, all users have management access to endpoints in your tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then able to create, edit, and remove policies and profiles specific only to the endpoint groups within that scope.

To streamline hash termination in your environment, Cortex XDR now allows you to define an optional setting to terminate hashes on the endpoint regardless of the malware profile settings.

From the

Action Center

Block List

page, select to

Override Report mode

.

Cortex XDR now allows you from the Policy Management tables to export and import endpoint policies and profiles.

The broker VM now provides a new Apache Kafka Collector applet that enables you to monitor and collect events from a topic of an Apache Kafka server for self-managed on-premise configurations.

After you activate the

Kafka Collector

applet, you can collect events as datasets (

<Vendor>_<Product>_raw

) by defining the following.

To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR now displays a list of

Denied URLs

. These URLs are displayed when you hover over the

Local Agent Settings

applet in the Broker VMs page to view the

Connectivity Status

in the

APPS

column of the table. As a result, in a situation where the

Local Agent Settings

applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.

To expand your investigation capabilities, the following new fields are now available, where applicable, for any dataset and can be queried in XQL Search.

To help you better manage your registered Broker VMs, Cortex XDR now enables you to configure the Broker VM SSL Certificates in the Cortex XDR Console. Previously, SSL certificates could only be configured by logging in to the Broker VM using the IP address.

To align the broker VM to the Center for Internet Security (CIS) guidelines, the broker VM has been hardened so it's now compatible with CIS level 2 hardening requirements.

To enable the collection of forensically relevant search results, the Cortex XDR Forensics add-on now includes Search Collections by default. The current default Search Collections include the following.

Cortex XDR has expanded its Forensics capabilities by displaying the WildFire verdict for the following Execution and Persistence type artifacts.

If there is a WildFire verdict, the relevant

Verdict

is displayed.

Also, a link to the WildFire analysis report is available for review.

To extend visibility to the management audit logs, a new log type called Security Settings was added with the following subtypes.

To streamline the investigation of your Cortex XDR data, a redesigned console now showcases the Cortex XDR capabilities in a clear and efficient way using a new responsive sidebar navigation.

The sidebar navigation allows you to easily find your way through the Cortex XDR investigation capabilities while providing greater real estate to display and assess your data.

To ensure a cohesive user experience, Cortex XDR Gateway has been renamed Cortex Gateway.

Cortex XDR now displays a notification 90 days prior to agent version end-of-life (EOL). Tenants with active agents of the version will receive a notification in the Notification Center indicating an upcoming EOL. The same notification will appear again 30 days before the due date if additional agents with this version remain.

In addition, in the

Endpoint Administration

table, endpoints with non-supported versions will be flagged with a red indicator.

To help you prepare for a scheduled release and become familiar with the upcoming features, Cortex XDR now displays a

New Release

banner a week before a scheduled release. Starting from Cortex XDR version 3.3, the

New Release

banner will be displayed in the user interface a week before the scheduled release date. This banner will indicate the date, scheduled release time frame, version number, and provide a link to the

Release Notes

, where you can get more information about the upcoming features.

To enable you to properly manage user groups permissions for a number of different system users in Cortex XDR, Cortex XDR now provides the following enhancements for managing user groups and group roles using role-based access control (RBAC).

Cortex XDR now allows you to define endpoints with Critical Environment Cortex XDR agent versions.

Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum.

Defining an endpoint with a Critical Environment agent version will require you to create and define the following:

To easily track the endpoints defined as Critical Environment, in the

Endpoint Administration

table, Cortex XDR displays a new

Version Type

field stating whether the endpoint is defined as a

Standard

or

Critical Environment

agent.

When enrolling in the Forensics Add-On, users with Account Admin and Instance Admin permissions can now change the tenant subdomain:

oldName.xdr.us.paloaltonetworks.com

to

newName.xdr.us.paloaltonetworks.com

To help you better visualize and manage your incidents, tasks, and MTTR, Cortex XDR introduces a new predefined dashboard called My Dashboard with the following new widgets.

To help you better visualize and manage your assets on the cloud, Cortex XDR introduces a new predefined dashboard called Cloud Inventory Dashboard with the following new widgets.

To help you better manage the Alerts associated with your incidents, Cortex XDR now allows you to perform the following actions on each alert:

In the

Alerts Table

, right-click an alert to now

Change Severity

and/or

Change Status

an alert.

Any update made to an alert impacts the associated incident. An incident with

all

its associated alerts marked as resolved is automatically set to

Auto-Resolved

. Cortex XDR will continue to group Alerts to an Auto-Resolved Incident for up to 6 hours. In the case where an alert is triggered during this duration, Cortex XDR will re-open the Incident.

To ensure consistency, when resolving an incident, you can now also select to

Mark all alerts as resolved

.

To help you track the alert resolution status, Cortex XDR now displays in the Alerts Table a new

Resolution Status

field.

To provide greater visibility of network assets and better align with other Cortex XDR offerings,

Assets

Asset Management

has been renamed to

Assets >

Asset Inventory. In addition, the new

All Assets

page, previously called

Assets

, now enables you to toggle between the

Legacy View

of the page and the new

Advanced View

, which includes the following features.

To improve the search and investigative functionality of the Quick Launcher, the Quick Launcher now supports searching in other tables related to

Asset Inventory

, previously called

Asset Management

, so you can query for a specific Asset Name or IP address. In addition, 2 new actions are now available when searching for Asset Inventory data.

To help you easily identify and resolve Correlation Rules errors, Cortex XDR now includes error handling by providing the following error messages in the applicable scenarios.

The Correlation Rules page indicates the error in the

LAST EXECUTION

column by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field.

In addition, a notification is displayed to indicate these Correlation Rules errors.

To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes in XQL Search a new toggle called Translate to XQL. When building your XQL query and this option is selected, both a

SPL query

field and

XQL query

field are displayed, so you can easily add a SPL query, which is converted to XQL in the

XQL query

field. This option is disabled by default, so only the XQL query field is displayed.

The Cortex XDR Query Language (XQL) now includes a new function called arrayindexof that enables you to return a value related to an array in one of the following ways.

Cortex XDR Query Language (XQL) now supports using Contains and Not Contains operators within arrays.

Cortex XDR Query Language (XQL) now supports using an optional by clause in a comp stage, which was previously required.

The Cortex XDR Query Language (XQL) is extended to support case_sensitive value queries in functions and stages, as opposed to this previously only being supported in filters. If you do not provide this stage in your query, the default behavior is true; case is considered when evaluating field values.

To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.

Cortex XDR can now ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using a new data collector called Office 365.

To receive data, configure

Configurations

Data Collection

Collection Integrations

settings for the Microsoft

Office 365

data collector in Cortex XDR.

As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the log type for the data collected. This enables you to search the logs using XQL Search.

Cortex XDR now supports using Elasticsearch Filebeat version 7.16 with the Windows DHCP Data Collector.

To expand your investigation capabilities, the following XDR Collector fields (where applicable) are available for any dataset and can be queried in XQL Search.

To enhance the data retention offerings, Cortex XDR now supports a new period based retention policy for the following retentions.

To support these changes, the following updates have been implemented in the user interface.

To improve the overall user experience and minimize user errors when creating Parsing Rules, Cortex XDR now includes a new Simulate view in the Parsing Rules editor. This view enables you to test your Parsing Rules on actual logs and validate their outputs. The editor includes the following sections.

To help you avoid sending unnecessary data to the XDR server and reduce traffic, storage, and computing costs, Cortex XDR now supports using Parsing Rules to define the specific data captured by the broker VM in a new section called [COLLECT]. The

[COLLECT]

section is optional to configure, but once added this section runs before the

[INGEST]

section to enable data reduction and data manipulation at the broker VM. The

[COLLECT]

section uses the same syntax as the

[INGEST]

section and is configured in the same screen. It also follows the format as detailed in the following example.

To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring the following new function and stage command in the INGEST section.

To allow for greater flexibility when investigating your data, Cortex XDR now displays in the

Endpoint Administration

table the

Cloud Instance Metadata

field.

The field provides IBM and Alibaba Cloud data reported by the endpoint.

To help better manage your agent auto-upgrades, Cortex XDR now allows you to define a

Delayed Auto Upgrade Roll-out

.

In the Agent Settings, select whether to rollout an auto-upgrade immediately or define a delay period of 7-45 days from the agent release date.

To help better manage your agent upgrades, Cortex XDR now allows you in the

Action Center

to track in the

Status

field which agent upgrade failed and directly create an Upgrade action for one or more of the failed agents.

To help you easily route all traffic between the Cortex XDR management server and Cortex XDR agents using the broker VM, it is now possible to designate the broker VM as a proxy server for another broker VM (i.e. chaining). Previously, the broker VM could only act as a proxy server for agents. This is now available to configure when logging in to the broker VM (

https://<broker_vm_ip_address>/.

), and configuring the broker VM settings. In the Proxy Server section, when you set the

Type

to

HTTP

to route broker VM communication, you need to add the IP address and port number (set when activating the Agent Proxy) for the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.

To clarify the difference between the two options available for creating and downloading logs under

Broker Management

in Cortex XDR, the right-click option previously called

Download Latest Logs

was renamed to Generate New Logs. This option regenerates the most up-to-date logs and downloads them once they are ready, as opposed to the other option called

Download Logs (TIMESTAMP)

, which downloads the logs from the last creation date reflected in the TIMESTAMP.

The broker VM’s Files and Folders Collector applet now supports collecting logs from files and folders in a network share for a Windows directory in tail mode, as opposed to only batch mode. When you configure the

Files and Folders Collector

applet, a new toggle button called

Mode

is now displayed when configuring the

Files and Folders Settings

. There are 2 modes available.

To expand your API capabilities, Cortex XDR now allows you to filter the

Get Alerts

API results according to the timestamp of when Cortex XDR created the alert using

server_creation_time

.

To expand your alert investigation capabilities, Cortex XDR now displays in the

Get Alerts

and

Get Extra Incident Data

APIs response whether an PAN NGFW type alert contains a PCAP triggering packet.

Using the new

Retrieve PCAP Packet

API, you can now retrieve a list of alert IDs and the associated PCAP data.