Features Introduced in 2022

Learn more about the Cortex XDR features introduced during 2022, listed by month and functional area.

Features Releasing in May

New features in the Cortex® XDR 3.3 release.
The following table describes new features in the Cortex XDR 3.3 release. The release is divided into two deployments: May 15, 2022 and May 22, 2022.
Investigation and Response
New Incident and Alert Severity
To streamline the management of your incidents and alerts, Cortex XDR now enables you to define a new Critical severity type for your incidents and alerts.
The Critical severity type is now visible in the Incident and Alert tables, IP Address/Hash Views, Detection Rules, and API calls. You can also search for Critical severity in the Quick Launcher.
New XQL Configuration for Case Sensitivity
(Requires a Cortex XDR Pro license)
To let you configure in one central place whether case sensitivity is applied across Cortex XDR, Cortex XDR now includes a new XQL Configuration section under Settings > Configurations > General > Server Settings. This section enables you to configure whether Case Sensitivity (case_sensitive) is applied throughout the application. This setting overrides any other default configuration, except for BIOCs, which remain case insensitive regardless of how this setting is configured.
Translate to XQL Enhancements
(Requires a Cortex XDR Pro per TB license)
To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes additional enhancements to improve the overall user experience and supports more Splunk functions and stages that can be translated to XQL.
New XQL Syntactic Sugar Available for JSON Functions
(Requires a Cortex XDR Pro license)
To make it easier to write Cortex XDR Query Language (XQL) queries, XQL now supports the following syntactic sugar for JSON functions.
  • json_extract: <json_object_formatted_string> -> <field_path>{}
  • json_extract_array: <json_array_string> -> <field_path>[]
  • json_extract_scalar: <json_object_formatted_string> -> <field_path>
New XQL Operator and Functions Available
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports the following new operator and functions.
  • Operator
    • incidr, not incidr—Searches for an IP address within an IP range given in CIDR notation.
  • Functions
    • arraycreate—Returns an array built from the given parameters, one parameter per array element.
    • arraymerge—Merges a number of arrays, including arrays returned by arraymap(), into a single array.
    • object_create—Returns an object built from the given parameters, taken as key and value pairs.
The new operator and functions can also be used in the [INGEST] section when creating Parsing Rules.
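The following XQL query is an added example and is not taken from the release notes or from Palo Alto Networks. It puts the JSON syntactic sugar from the previous feature and the new incidr operator and array and object functions together in one query. The dataset name my_vendor_my_product_raw, the raw_log field and the JSON document it is assumed to hold are assumptions made for illustration.

```xql
// Added example (not from the release notes). Assumed dataset
// "my_vendor_my_product_raw" whose events carry a JSON string in a field named
// raw_log, for example:
//   {"src":"10.20.30.40","user":{"name":"alice","groups":["dev","ops"]}}
dataset = my_vendor_my_product_raw
// json_extract_scalar sugar (no suffix): a single scalar value per path
| alter src_ip = raw_log -> src, user_name = raw_log -> user.name
// json_extract sugar ({}): the nested object, returned as a JSON string
| alter user_obj = raw_log -> user{}
// json_extract_array sugar ([]): the nested array, returned as an XQL array
| alter groups = raw_log -> user.groups[]
// the same scalar extraction written with the function itself, for comparison
| alter src_ip_fn = json_extract_scalar(raw_log, "$.src")
// incidr: keep only sources inside RFC 1918 space ("not incidr" inverts the test)
| filter src_ip incidr "10.0.0.0/8" or src_ip incidr "172.16.0.0/12" or src_ip incidr "192.168.0.0/16"
// arraycreate: build an array from literal values
| alter tags = arraycreate("rfc1918", "json_parsed")
// arraymerge: join the literal tags with the groups extracted from the JSON
| alter all_tags = arraymerge(groups, tags)
// object_create: pack the enriched fields into one object (key, value, key, value, ...)
| alter context = object_create("src", src_ip, "user", user_name, "tags", all_tags)
| fields _time, src_ip, src_ip_fn, user_obj, groups, all_tags, context
```

The sugar and the explicit function call produce the same value (src_ip and src_ip_fn are equal for every row); the sugar form is shorter and reads left to right, which matters once a path is used several times in one query.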
Correlation Rule Alert Enrichment Based on User Defined Fields
(Requires a Cortex XDR Pro license)
To help you better manage the Alerts associated with your Correlation Rules, Cortex XDR enables you to enrich Alerts with user defined settings. When configuring an Action to generate an Alert for a Correlation Rule, you can now customize the following Alert Settings.
  • Alert Name—New field that can be set to a static value or to a dynamic value taken from the query results.
  • Alert Source—New field that can be set to a static value or to a dynamic value taken from the query results.
  • Severity—The Cortex XDR-defined values now include Critical. In addition to the Cortex XDR-defined values, you can select a user defined field from the query.
  • Category—In addition to the Cortex XDR-defined values, you can select a user defined field from the query.
Retrieve Endpoint Support File Enhancements
To streamline the process of retrieving endpoint support files, Cortex XDR now allows you to retrieve one or more endpoint support files to the Cortex XDR server, instead of downloading them locally, and then access them through a secured link.
Support files are stored by Cortex XDR for 30 days, but the secured link is valid for only 7 days. After the 7 day period you need to generate a new link to access the files.
Improvement in Searching Child or Common Schemas in MSSP and MTH XQL queries
To improve Cortex XDR Query Language (XQL) query results, Cortex XDR has enhanced XQL Search. When searching data across multiple MSSP and MTH tenants, XQL queries now return all child or common datasets with the same dataset name, even if the fields contain different data types or one of the datasets is missing some fields. In this case, Cortex XDR displays only the common fields.
Search and Destroy action validates hash against VirusTotal and WildFire
Cortex XDR validates the hash against VirusTotal and WildFire to provide additional context before initiating the File Destroy action.
External Data Ingestion
Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
(Requires a Cortex XDR Pro per TB license)
To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
Improved Office 365 Data Collector
(Requires a Cortex XDR Pro per TB license)
To prevent email from building up in the compliance mailbox when collecting Microsoft Office 365 emails via Microsoft’s Graph API, Cortex XDR has improved the Office 365 data collector so that after the emails are ingested they are deleted from the compliance mailbox.
Office 365 Data Collector Enhancements for Normalizing Azure AD Audit Logs
(Requires a Cortex XDR Pro per TB license)
To expand your investigation capabilities, you can configure Cortex XDR to normalize Azure AD audit logs when using an Office 365 data collector.
Office 365 Data Collector Enhancements to include File Hash in Email Attachment Details
(Requires a Cortex XDR Pro per TB license)
To enhance the current data ingestion capabilities, Cortex XDR now includes the file hash in the attachment details when using an Office 365 data collector to ingest Microsoft Office 365 emails via Microsoft’s Graph API.
New Google Workspace Data Collector
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest logs and data from Google Workspace using a new data collector called Google Workspace for the following types of content.
  • Gmail
  • Admin Console
  • Google Chrome
  • Google Drive
  • User Accounts
  • Token
  • SAML
  • Login
  • Rules
  • Google Chat
  • Enterprise Groups
To receive data, configure the Google Workspace data collector in Cortex XDR under Settings > Configurations > Data Collection > Collection Integrations.
As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the content type for the data collected. This enables you to search the logs using XQL Search.
New Palo Alto Networks IoT Security Data Collector
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Palo Alto Networks IoT Security alerts and assets directly through an API using a new data collector called IoT Security.
Cortex XDR adds IoT Security alerts to the Cortex XDR Alerts table and groups them into Incidents. Cortex XDR also adds IoT devices to the Cortex XDR Assets table.
As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for devices only (panw_iot_security_devices_raw). This enables you to run XQL Search queries and create Correlation Rules on that data.
Workday Data Collector Enhancements
To expand your investigation and analytics capabilities, Cortex XDR now uses a structured schema when using the Workday data collector. To get the best Analytics results, use the fields from the recommended schema.
XDR Collector Collection Enhancements
(Requires a Cortex XDR Pro per TB license)
To align the XDR Collectors data collection capabilities with the other available data collectors, Cortex XDR now supports all sections in the filebeat.yml configuration file, including Filebeat fields and tags. As a result, you can use fields to identify the vendor and product of the data collected by the XDR Collectors, so that the collected events go through the ingestion flow (Parsing Rules).
Upgrade Filebeat Version to 7.17.1 for XDR Collectors
(Requires a Cortex XDR Pro per TB license)
Cortex XDR now supports using Filebeat version 7.17.1 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines.
New Support for Collecting JSON and Raw Multiline Logs
(Requires a Cortex XDR Pro per TB license)
To extend the current data collection capabilities for JSON and Raw logs, Cortex XDR now supports collecting multiline JSON and Raw logs using the following data collectors.
Data Management
Event Forwarding to External Storage
To enable you to save your data in an external location, Cortex XDR now supports exporting logs using Event Forwarding.
Cortex XDR added a new Event Forwarding section under Settings > Configurations > Data Management, where you can activate your Event Forwarding licenses and specify the path and credentials of your external storage destination.
  • Event Forwarding GB exports parsed logs for XDR Pro per TB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the XDR data layer, for example for compliance requirements and machine learning purposes.
  • Event Forwarding EP exports raw EDR data for XDR Pro per Endpoint and XDR Cloud endpoints.
Endpoint Protection
Global Analytics Profiles
(Cortex XDR agent 7.7 or a later release)
Cortex XDR now leverages aggregated and anonymized cross-tenant profiles to detect abnormal behavior, allowing it to detect new behaviors across multiple tenants and catch new types of attacks that might not stand out within a single tenant.
Alerts raised by the cross-tenant profiles are marked in the Alerts table as Global Analytics type alerts.
Agent tokens maintained and managed by Cortex XDR
(Cortex XDR agent 7.7.1 or a later release)
Cortex XDR now offers a solution to ease agent password management and distribution. Cortex XDR maintains and manages a token for each agent and can generate temporary tokens on demand.
When performing an action on the agent that requires a password, you retrieve the token hash from the agent and use it to obtain the token password for that agent from Cortex XDR.
A token is automatically assigned to every endpoint and can be used for any action on the agent that requires a password. If needed, an administrator can create a token with an expiration for an endpoint or a group of endpoints and use it to manage those endpoints for the predefined period. The token can also be retrieved for an endpoint that has lost connectivity to the server: extract the token hash on the endpoint and retrieve the original token from that hash on the server.
Endpoint Content Version Status Enhancement
(Cortex XDR agent 7.7 or a later release)
To give you better visibility of your endpoint content versions, Cortex XDR now displays a new Content Status field in the All Endpoints table and a new Agent Content Status Breakdown widget.
Content Status shows the status of the content version on the endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period; only after this period can Cortex XDR report whether the endpoint content version is up to date or outdated.
  • Up to Date - The endpoint is running the latest content version.
  • Waiting for Update - Cortex XDR is in the process of updating to the new content version. Depending on your bandwidth and network connection, the update may take time.
  • Outdated - The endpoint is running an outdated content version.
  • Offline - The endpoint is disconnected.
Content Status is calculated every 30 minutes, so the displayed data can lag by up to 30 minutes.
New Endpoint Tagging
(Cortex XDR agent 7.7.1 or a later release)
To streamline how you manage your endpoints, Cortex XDR now allows you to tag endpoints from the Cortex XDR management console and on the endpoint itself, both during installation and during the agent's lifespan.
Each endpoint can be assigned one or more dynamic tags that you define, giving you flexibility in how you filter and group your endpoints.
To easily track the tags associated with the endpoints, a new Endpoint Tags field in the All Endpoints and Forensics tables shows how each tag was assigned to the endpoint: Server for tags assigned through the management console, or Agent for tags set through installation and cytool arguments.
CIS Benchmark Capabilities
(Requires a Cortex XDR Cloud per Host license)
To streamline and shorten your incident investigation effort on Linux, Docker, and Kubernetes platforms, Cortex XDR now incorporates CIS Critical Security Controls to provide you with tools to prevent the next incident.
In addition to the vulnerabilities already presented at the asset level, Cortex XDR now displays compliance violation information and the context of suspicious resources. Using predefined Cortex XDR or customized endpoint regulation policies, you can now find and prioritize incidents that involve resources with a high risk level, enabling an accurate and prioritized incident response process.
To track and manage the security and compliance violations detected by Cortex XDR, a new Compliance Dashboard and Compliance Violation Table display the following aggregated data:
  • Compliance Rate
    - The compliance rate of the passed and failed checks.
  • Compliance Rate per Regulation
    - Breakdown of the compliance rate per regulation policy.
  • Most violated Compliance Checks
    - The compliance checks with the highest number of violated assets.
  • Top Violated Assets
    - Assets with the highest number of failed compliance checks.
  • Number of Violations by Severity
    - The sum of failed compliance checks by severity.
  • Number of Checks by Status
    - The sum of checks by status.
Endpoint Log Collection
(Cortex XDR agent 7.7.1 or a later release)
To help track Cortex XDR agent stability, Cortex XDR can collect your agent logs and use them to improve the agent.
Collection of the logs is enabled by default and is recommended. You can disable it under Settings > General > Agent Configurations > Cortex XDR Log Collection.
Scope-Based Access Control (SBAC) for Endpoint Policies and Profiles
(Cortex XDR agent 7.7.1 or a later release)
Cortex XDR now enables you to segment how you manage policies and profiles of endpoint groups.
By default, all users have management access to endpoints in your tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then able to create, edit, and remove policies and profiles specific only to the endpoint groups within that scope.
New Block List Hash Capabilities
(Cortex XDR agent 7.7.1 or a later release)
To streamline hash termination in your environment, Cortex XDR now allows you to define an optional setting that terminates block-listed hashes on the endpoint regardless of the Malware profile settings.
From the Action Center > Block List page, select Override Report mode.
Export and Import of Endpoint Policies and Profiles
(Cortex XDR agent 7.7.1 or a later release)
Cortex XDR now allows you to export and import endpoint policies and profiles from the Policy Management tables.
Broker VM
Version 16.0.45
New Apache Kafka Collector in the Broker VM
(Requires a Cortex XDR Pro per TB license)
The Broker VM now provides a new Apache Kafka Collector applet that enables you to monitor and collect events from a topic on an Apache Kafka server in self-managed on-premises configurations.
After you activate the Kafka Collector applet, you can collect events as datasets (<Vendor>_<Product>_raw) by defining the following.
  • Apache Kafka connection details including the Bootstrap Server List and Authentication Method.
  • Topics Collection configuration for the various Apache Kafka topics that you want to collect.
New Support for Displaying Denied URLs Notification in the Local Agent Settings Applet of the Broker VM
To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR now displays a list of Denied URLs. The URLs are displayed when you hover over the Local Agent Settings applet in the APPS column of the Broker VMs table to view the Connectivity Status. As a result, when the Local Agent Settings applet is reported as activated but with a failed connection, you can easily determine which URLs need to be allowed in your network environment.
New Dataset Fields Available for Broker VM
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, the following new fields are now available, where applicable, for any dataset and can be queried in XQL Search.
  • _broker_name—Taken from the Device Name configured for the Broker VM.
  • _log_source_file_name—The name of the log file the event came from, as configured for the Broker VM applet.
  • _log_source_file_path—The path of the log file the event came from, as configured for the Broker VM applet.
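One use of these fields is to find collection sources that have gone quiet. The query below is an added example and is not from the release notes or from Palo Alto Networks; the dataset name my_vendor_my_product_raw is an assumption standing in for any dataset populated through a Broker VM applet.

```xql
// Added example (not from the release notes). Assumed dataset
// "my_vendor_my_product_raw", fed by a Broker VM applet that reads log files
// on a collection host, so every event carries the new broker fields.
dataset = my_vendor_my_product_raw
// one row per Broker VM and source file: event volume and time of the last event seen
| comp count() as events, max(_time) as last_seen by _broker_name, _log_source_file_path
// sources whose last event is oldest come first; a row far above the rest is a
// file that the applet stopped reading or a host that stopped writing
| sort asc last_seen
| fields _broker_name, _log_source_file_path, events, last_seen
```

Run over the query time frame you expect every source to report in (for example one day), the top rows are the sources to check first; a source missing entirely from the result set is one that sent nothing in that window.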
Broker VM XDR Console Enhancements
To help you better manage your registered Broker VMs, Cortex XDR now enables you to configure the Broker VM SSL Certificates in the Cortex XDR Console. Previously, SSL certificates could only be configured by logging in to the Broker VM using the IP address.
Broker VM Hardening
To align the Broker VM with Center for Internet Security (CIS) guidelines, the Broker VM has been hardened to be compatible with CIS Level 2 hardening requirements.
These changes are only available through a fresh install of Broker VM version 16.0 or later and are not applied by an upgrade.
Forensics
Search Collections added to Forensics add-on
To enable the collection of forensically relevant search results, the Cortex XDR Forensics add-on now includes Search Collections by default. The current default Search Collections include the following.
  • Credential Harvesting
  • Process Execution
  • Lateral Movement
  • Persistence
  • Suspicious Indicators
  • Antivirus Events
  • PowerShell Events
  • Network Events
  • Sysmon Events
  • Authentication Events
New WildFire Verdict field added to Forensics artifacts
Cortex XDR has expanded its Forensics capabilities by displaying the WildFire verdict for the following Execution and Persistence type artifacts.
  • Prefetch
  • RecentFileCache
  • Shimcache
  • UserAssist
  • Drivers
  • Registry
  • Scheduled Tasks
  • Services
  • Startup Folders
If there is a WildFire verdict, the relevant Verdict is displayed:
  • Unknown
  • Benign
  • Malware
  • Grayware
Also, a link to the WildFire analysis report is available for review.
Audit Logs
New Management Audit Log Type
To extend visibility to the management audit logs, a new log type called Security Settings was added with the following subtypes.
  • Change Session Expiration
  • Change Session's Approved Domains
  • Change Session's Approved CIDRs
  • Change User Expiration Settings
API
Improved Endpoint Visibility
To help you better manage your endpoint content versions, the Get Endpoint API response now includes the following new fields:
  • Content Status (the table field) - Displays the status of the content version on the endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period; only after this period can Cortex XDR report whether the endpoint content version is up to date or outdated.
    • Up to Date - The endpoint is running the latest content version.
    • Waiting for Update - Cortex XDR is in the process of updating to the new content version. Depending on your bandwidth and network connection, the update may take time.
    • Outdated - The endpoint is running an outdated content version.
    • Offline - The endpoint is disconnected.
    Content Status is calculated every 30 minutes, so the returned value can lag by up to 30 minutes.
  • operating_system
  • mac_address
  • assigned_prevention_policy
  • assigned_extensions_policy

Features Releasing in February

New features in the Cortex® XDR™ 3.2 release.
The following table describes new features in the Cortex XDR 3.2 release. The release is divided into two deployments: February 27, 2022 and March 6, 2022.
General
Redesigned Cortex XDR Console
To streamline the investigation of your Cortex XDR data, a redesigned console now showcases the Cortex XDR capabilities in a clear and efficient way using a new responsive sidebar navigation.
The sidebar navigation allows you to easily find your way through the Cortex XDR investigation capabilities while providing greater real estate to display and assess your data.
Cortex XDR Gateway Renaming
To ensure a cohesive user experience, Cortex XDR Gateway has been renamed Cortex Gateway.
In-App Cortex XDR Agent End-of-Life Notification
Cortex XDR now displays a notification 90 days prior to agent version end-of-life (EOL). Tenants with active agents of the version will receive a notification in the Notification Center indicating an upcoming EOL. The same notification will appear again 30 days before the due date if additional agents with this version remain.
In addition, in the Endpoint Administration table, endpoints with non-supported versions are flagged with a red indicator.
New Support to Display a Release Banner a Week before a Scheduled Release
To help you prepare for a scheduled release and become familiar with the upcoming features, Cortex XDR now displays a New Release banner a week before a scheduled release. Starting from Cortex XDR version 3.3, the banner is displayed in the user interface a week before the scheduled release date and indicates the date, the scheduled release time frame and the version number, and provides a link to the Release Notes, where you can get more information about the upcoming features.
New Support for Role-Based Access Control Managing User Groups Permissions
To enable you to properly manage user group permissions for a number of different system users, Cortex XDR now provides the following enhancements for managing user groups and group roles using role-based access control (RBAC).
  • A new User Groups page is available for managing user groups in Configurations > Access Management > User Groups. You can perform the following tasks from this page.
    • Import a single existing group from Active Directory that you want to manage in Cortex XDR. This is only available if you enabled the Cloud Identity Engine in Configurations > Integrations > Cloud Identity Engine.
    • Create a new user group for a number of different system users or groups.
    • Save an existing group as a new group.
    • Edit a group.
    • Remove a group.
  • The Users page in Configurations > Access Management > Users contains the following enhancements for managing user groups and group roles.
    • A new right-click option on a user row, Update User Role/Group, enables you to perform the following.
      • Add a particular user to a group.
      • Set and manage a role for all system users belonging to the same group at once.
      • Show Accumulated Permissions for the user(s), based on the Direct Role and the Group Roles assigned to the user(s).
    • The Users table now contains the following new columns.
      • Groups: Lists the groups a user belongs to; any group imported from Active Directory has the letters AD beside the group name.
      • Group Roles: Lists the group roles derived from the groups the user belongs to. When you hover over a group role, the group associated with it is displayed.
  • The Permissions page of the Cortex Gateway (previously called Cortex XDR Gateway) now includes the following enhancements.
    • A notification indicating that Groups and Group Roles can only be configured in Cortex XDR, in the Configurations > Access Management > User Groups page.
    • New Groups and Group Roles columns in the table.
  • An improved experience when creating a New Role in the Roles page, so it is easier to set permissions. The Create Role page now has separate tabs for Components and Datasets. The Cortex XDR Components are listed according to navigation screens, and you can set the permission for each component to View, View and Edit, or None; some components have an additional actions level to define.
New Critical Environment Cortex XDR Version
Cortex XDR now allows you to define endpoints with Critical Environment Cortex XDR agent versions.
Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum.
Defining an endpoint with a Critical Environment agent version will require you to create and define the following:
  • Agent Configuration
  • Agent Installer
  • Upgrade and Auto-Upgrade Paths
  • Agent Settings
To easily track the endpoints defined as Critical Environment, the Endpoint Administration table displays a new Version Type field stating whether the endpoint is defined as a Standard or Critical Environment agent.
Forensics
Forensics Add-On Sub-domain Name Change
When enrolling in the Forensics Add-On, users with Account Admin and Instance Admin permissions can now change the tenant subdomain, for example from oldName.xdr.us.paloaltonetworks.com to newName.xdr.us.paloaltonetworks.com.
Investigation and Response
New Personalized Cortex XDR Dashboard
To help you better visualize and manage your incidents, tasks, and MTTR, Cortex XDR introduces a new predefined dashboard called My Dashboard with the following new widgets.
  • My Incidents
    —Displays the incidents assigned to the logged-in user.
  • My MTTR
    —Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR.
  • My Open Incidents by Severity
    —Displays the number of open incidents assigned to the logged-in user over the last 30 days.
  • My Incidents Over Time
    —Displays the daily number of new and resolved incidents assigned to the logged-in user over the past 14 days.
New Cloud Inventory Dashboard
To help you better visualize and manage your assets on the cloud, Cortex XDR introduces a new predefined dashboard called Cloud Inventory Dashboard with the following new widgets.
  • Accounts by Cloud Provider
    —Displays the number of accounts held in each cloud provider.
  • Compute Instances Over Time
    —Displays the number of compute (virtual machine) instances over time.
  • Assets by Cloud Provider
    —Displays the number of assets stored in each cloud provider.
  • Assets by Type
    —Displays a breakdown of cloud assets by type.
  • Assets by Sub-Type
    —Displays a breakdown of cloud assets by sub-type.
  • Assets by Geo Region
    —Displays a breakdown of assets in each geographic region.
  • Assets by Region
    —Displays a breakdown of assets in each region.
  • Assets by Responsive Port Number
    —Displays the number of exposed cloud assets by port number.
  • Responsive Assets Over Time
    —Displays the number of exposed cloud assets over time.
New Alert Management Capabilities
To help you better manage the Alerts associated with your incidents, Cortex XDR now allows you to perform the following actions on each alert:
  • View and update Alert Severity
  • View and update Alert Status
In the Alerts Table, right-click an alert to Change Severity and/or Change Status.
Any update made to an alert affects the associated incident. An incident with all of its associated alerts marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group alerts into an Auto-Resolved incident for up to 6 hours; if an alert is triggered during this period, Cortex XDR re-opens the incident.
To ensure consistency, when resolving an incident you can now also select Mark all alerts as resolved.
To help you track the alert resolution status, the Alerts Table now displays a new Resolution Status field.
Asset Management Enhancements
To provide greater visibility of network assets and better align with other Cortex XDR offerings, Assets > Asset Management has been renamed Assets > Asset Inventory. In addition, the new All Assets page, previously called Assets, now enables you to toggle between the Legacy View of the page and the new Advanced View, which includes the following features.
  • You can view the data in table format on the new pages for All Assets and Specific Assets, including On-Prem Assets and Cloud Compute Instances.
  • The table columns provide newly structured data with updated filtering capabilities to improve your asset visibility.
  • When a row in a table is selected, a side panel on the right displays additional details, divided into sections. The section headings and the data displayed depend on the source of the assets.
The Legacy View in the Asset Inventory page will be deprecated in the upcoming Cortex XDR release.
Asset Inventory Support in Quick Launcher
To improve the search and investigative functionality of the Quick Launcher, it now supports searching in other tables related to Asset Inventory (previously called Asset Management), so you can query for a specific Asset Name or IP address. In addition, two new actions are available when searching for Asset Inventory data.
  • Change search to <host name of asset> displays additional actions related to that host. This option is only relevant when searching for an IP address that is connected to an asset.
  • Open in Asset Inventory is a new pivot available when the host name of an asset is selected.
Correlation Rules Enhancement to Support Error Handling and Reporting
(Requires a Cortex XDR Pro license)
To help you easily identify and resolve Correlation Rules errors, Cortex XDR now includes error handling by providing the following error messages in the applicable scenarios.
  • Invalid query
  • Query timeout
  • Dependency correlation did not complete
  • Unknown error
The Correlation Rules page indicates the error in the LAST EXECUTION column by displaying the last execution time in red and showing a description of the Correlation Rule error when you hover over the field.
In addition, a notification is displayed for these Correlation Rules errors.
New Support for Converting Splunk Queries to XQL Queries in XQL Search
(Requires a Cortex XDR Pro license)
To help you easily convert your existing Splunk queries to Cortex XDR Query Language (XQL) syntax, XQL Search now includes a new toggle called Translate to XQL. When this option is selected while building your query, both an SPL query field and an XQL query field are displayed, so you can enter an SPL query and have it converted to XQL in the XQL query field. This option is disabled by default, so only the XQL query field is displayed.
New XQL Array Index Value Function
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) now includes a new function called arrayindexof that returns a value related to an array in one of the following ways.
  • Returns the 0-based index of a particular array element if the array is not empty and the specified condition using @element is true. The format is arrayindexof(<array>, "@element"<operator>"<array element>"), where <operator> can be any of the supported operators, such as = and !=.
  • Returns 0 if a particular array is not empty and the specified condition is true, using the format arrayindexof(<array>, <condition>). If the condition is not met, a NULL value is returned.
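An added example that is not part of the release notes: it builds a small array inline and exercises the "@element" form with both a matching, a negated and a non-matching condition. It assumes the arraycreate() function and the xdr_data dataset exist in the tenant (neither is described on this page); any dataset with at least one row would serve.

```xql
// Added example (not from the release notes). Assumes arraycreate() and xdr_data exist.
dataset = xdr_data
| limit 1
// constructed array of three host names to search in
| alter hosts = arraycreate("web01", "db02", "web03")
// 0-based index of the first element equal to "db02", expected 1
| alter idx_db = arrayindexof(hosts, "@element" = "db02")
// first element that is not "web01", expected 1 ("db02")
| alter idx_not_web01 = arrayindexof(hosts, "@element" != "web01")
// no element matches, so the condition is not met and NULL is returned
| alter idx_missing = arrayindexof(hosts, "@element" = "mail04")
// keep only the computed columns for inspection
| fields idx_db, idx_not_web01, idx_missing
```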
New Support for using Contains and Not Contains Operators within Arrays in XQL
(Requires a Cortex XDR Pro license)
Cortex XDR Query Language (XQL) now supports using Contains and Not Contains operators within arrays.
New Support for an Optional by Clause in a Comp Stage in XQL
(Requires a Cortex XDR Pro license)
Cortex XDR Query Language (XQL) now supports using an optional by clause in a comp stage, which was previously required.
XQL Query Language Enhancements for Case Sensitivity
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) is extended to support case_sensitive value queries in functions and stages, as opposed to this previously only being supported in filters. If you do not provide this stage in your query, the default behavior is true; case is considered when evaluating field values.
This can impact your current query results, including Correlations and XQL based dashboards, as previously case was not considered when evaluating field values in functions and stages, and now case is considered by default.
External Data Ingestion
Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
(Requires a Cortex XDR Pro per TB license)
To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
New Microsoft Office 365 Data Collection
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using a new data collector called Office 365.
  • Microsoft Office 365 audit events from Management Activity API.
  • Microsoft Office 365 emails via Microsoft’s Graph API.
  • Azure AD authentication and audit events from Microsoft Graph API. As a result, the previous Azure AD data collector has been integrated into this new Office 365 data collector. To maintain backward compatibility, the previous data collector configuration is maintained and continues working as before.
To receive data, configure the Configurations > Data Collection > Collection Integrations settings for the Microsoft Office 365 data collector in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the log type for the data collected. This enables you to search the logs using XQL Search.
Support Filebeat Version 7.16 for Windows DHCP Collector
(Requires a Cortex XDR Pro per TB license)
Cortex XDR now supports using Elasticsearch Filebeat version 7.16 with the Windows DHCP Data Collector.
New Dataset Fields Available for XDR Collectors
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, the following XDR Collector fields (where applicable) are available for any dataset and can be queried in XQL Search.
  • _log_source_file_name—Displays the file name from where the event originated.
  • _log_source_file_path—Displays the file path of the file from where the event originated.
Data Management
New Period Based Retention Policy
(Requires new retention licenses)
To enhance the data retention offerings, Cortex XDR now supports a new period based retention policy for the following retentions.
  • Hot Storage—Fully searchable storage, for investigation and threat hunting. Hot storage was always supported and is now referred to explicitly in the user interface and documentation as hot storage.
  • Cold Storage—Cheaper storage, usually for long-term compliance needs, with a limited search option. Cold storage is new in this release.
To support these changes, the following updates have been implemented in the user interface.
  • XQL Search—Hot Storage queries are performed on a dataset using the format dataset = <dataset name>, while Cold Storage queries are performed using a new syntax, cold_dataset = <dataset name>. You can also build a query that investigates data in both a cold_dataset and a hot dataset in the same query.
  • Compute Units Usage Page—Any cold_dataset query consumes Compute Units (CU) based on your quota, which are also consumed by the XQL API. As a result, the previous Configurations > Data Management > XQL API Usage page has been renamed to Compute Units Usage. This page now displays information related to both your public APIs and Cold Storage. You can always increase the free tier of Compute Units provided by purchasing an add-on.
  • Query Center—This page now includes a new column called COMPUTE UNIT USAGE to display the Public APIs and Cold Storage usage. In addition, the previous COMPUTE UNIT USAGE column is now renamed to SIMULATE COMPUTE UNITS to display Hot Storage usage.
  • Dataset Management Page—Updated to reflect these changes.
Note: The new Period Based Retention Policy offerings require new licenses for v3.2.
New Simulate View in the Parsing Rules Editor
(Requires a Cortex XDR Pro per TB license)
To improve the overall user experience and minimize user errors when creating Parsing Rules, Cortex XDR now includes a new Simulate view in the Parsing Rules editor. This view enables you to test your Parsing Rules on actual logs and validate their outputs. The editor includes the following sections.
  • A list of the current User defined rules on the left side of the window.
  • A table of the existing XQL Samples on the right side of the window, which contains sample logs listing the Vendor, Product, Raw_Log, and Sample Time. For each Vendor and Product, up to 5 different samples are available to choose from. From this list, you can select the logs used to simulate the rule.
  • Log Output displays a table of the relevant logs per dataset, including other columns, at the bottom of the window.
New Support for using Parsing Rules in the Broker VM
(Requires a Cortex XDR Pro per TB license)
To help you avoid sending unnecessary data to the XDR server and reduce traffic, storage, and computing costs, Cortex XDR now supports using Parsing Rules to define the specific data captured by the broker VM in a new section called [COLLECT]. The [COLLECT] section is optional to configure, but once added it runs before the [INGEST] section to enable data reduction and data manipulation at the broker VM. The [COLLECT] section uses the same syntax as the [INGEST] section and is configured in the same screen. It follows the format shown in the following example.
[COLLECT:vendor="Apache", product="ApacheServer", target_brokers = (bvm1, bvm2, bvm3), no_hit = drop]
alter source_log = json_extract_scalar(_raw_log, "$.source")
| filter source_log = "WebApp-Logs"
| fields source_log, _raw_log;
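As an added example that is not part of the release notes, the [COLLECT] rule above paired with an [INGEST] rule for the same vendor and product, so that only WebApp-Logs entries leave the broker VMs and field extraction runs on the server against the reduced stream. The target_dataset key, the dataset name apache_webapp_logs and the $.client_ip and $.msg JSON paths are assumptions made for this example.

```xql
// Added example (not from the release notes). Stage 1 runs on brokers bvm1..bvm3:
// keep only WebApp-Logs entries; no_hit = drop discards every other event
// at the broker VM, so it never consumes server traffic or storage.
[COLLECT:vendor="Apache", product="ApacheServer", target_brokers = (bvm1, bvm2, bvm3), no_hit = drop]
alter source_log = json_extract_scalar(_raw_log, "$.source")
| filter source_log = "WebApp-Logs"
| fields source_log, _raw_log;

// Stage 2 runs on the Cortex XDR server after [COLLECT], on the reduced stream only.
// target_dataset, the dataset name and the JSON paths are assumptions for this example.
[INGEST:vendor="Apache", product="ApacheServer", target_dataset="apache_webapp_logs", no_hit=keep]
alter client_ip = json_extract_scalar(_raw_log, "$.client_ip"),
      message = json_extract_scalar(_raw_log, "$.msg")
| fields client_ip, message, _raw_log;
```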
Parsing Rules Supports using an arrayfilter Function and iploc Stage Command
(Requires a Cortex XDR Pro per TB license)
To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring the following new function and stage command in the INGEST section.
  • arrayfilter() function—Filters the results of an array in one of the following ways.
    • Returns the results when a certain condition is applied to the array.
    • Returns the results when a particular array is set to a specific array element.
  • iploc stage—Associates the IPv4 address in any field with a list of predefined attributes related to its geolocation.
Endpoint Protection
Enhanced Endpoint Cloud Metadata
(Requires a Cortex XDR Pro license)
To allow for greater flexibility when investigating your data, Cortex XDR now displays the Cloud Instance Metadata field in the Endpoint Administration table. The field provides IBM and Alibaba Cloud data reported by the endpoint.
Agent Auto-Upgrade Delay
To help you better manage your agent auto-upgrades, Cortex XDR now allows you to define a Delayed Auto Upgrade Roll-out. In the Agent Settings, select whether to roll out an auto-upgrade immediately or define a delay period of 7-45 days from the agent release date.
New Upgrade Agents Action Center Capabilities
To help you better manage your agent upgrades, Cortex XDR now allows you to track in the Status field of the Action Center which agent upgrade failed and to directly create an Upgrade action for one or more of the failed agents.
Broker VM
Version 15.1.4
New Support for Configuring the Broker VM as Proxy Server for another Broker VM
To help you easily route all traffic between the Cortex XDR management server and Cortex XDR agents through the broker VM, it is now possible to designate the broker VM as a proxy server for another broker VM (i.e. chaining). Previously, the broker VM could only act as a proxy server for agents. This is now available to configure when logging in to the broker VM (https://<broker_vm_ip_address>/) and configuring the broker VM settings. In the Proxy Server section, when you set the Type to HTTP to route broker VM communication, you need to add the IP address and port number (set when activating the Agent Proxy) of the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
New Support to Improve the Right-Click Option for Generating New Logs in the Broker VM
To clarify the difference between the two options available for creating and downloading logs under Broker Management in Cortex XDR, the right-click option previously called Download Latest Logs was renamed to Generate New Logs. This option regenerates the most up-to-date logs and downloads them once they are ready, as opposed to the other option, called Download Logs (TIMESTAMP), which downloads the logs from the last creation date reflected in the TIMESTAMP.
New Support for Tail Mode Data Collection for the Files and Folder Collector in the Broker VM
(Requires a Cortex XDR Pro per TB license)
The broker VM’s Files and Folders Collector applet now supports collecting logs from files and folders in a network share for a Windows directory in tail mode, as opposed to only batch mode. When you configure the Files and Folders Collector applet, a new toggle button called Mode is now displayed when configuring the Files and Folders Settings. There are 2 modes available.
  • Tail—Continuously monitors files for new data (default).
  • Batch—Reads the entire file and then renames/deletes uploaded files.
For backward compatibility, any Files and Folders Collector applet configured before version 3.2 will have the Mode automatically set to Batch.
API
New Get Alert Timestamp Filter
To expand your API capabilities, Cortex XDR now allows you to filter the Get Alerts API results according to the timestamp of when Cortex XDR created the alert, using server_creation_time.
New Retrieve PAN NGFW Alert Packet Data API
To expand your alert investigation capabilities, Cortex XDR now indicates in the Get Alerts and Get Extra Incident Data API responses whether a PAN NGFW type alert contains a PCAP triggering packet. Using the new Retrieve PCAP Packet API, you can now retrieve a list of alert IDs and the associated PCAP data.
Multitenants and MSSPs
Forensics Add-On Multitenant Management Support Enhancements
To expand your Forensics MSSP functionality, Cortex XDR now allows you to view the following Forensics tables of your child tenants:
  • Forensics Search
  • Forensics Search Collections
  • Host Timelines
  • Process Execution
  • File Access
  • Persistence
  • Command History
  • Network
  • Remote Access
  • Triage All
  • File Listing
  • Registry Listing
  • Event Logs
  • Volatile