Features Introduced in 2022

Learn more about Cortex XDR features introduced during 2022 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2022 by month.

Features Releasing in July

New features in the Cortex® XDR 3.4 release.
The following table describes new features in the Cortex XDR 3.4 and Cortex XDR Agent 7.8 releases. The release is divided into two deployments: July 24, 2022 and August 7, 2022. The information shared here is for INFORMATIONAL PURPOSES ONLY and is not a binding commitment.
Feature
Description
General
New Support for Single Sign-On with SAML IdP
To let users authenticate easily and securely across enterprise applications and websites with one set of credentials, Cortex XDR now supports single sign-on (SSO) with the Security Assertion Markup Language (SAML) 2.0 standard, so users can authenticate through their organization's Identity Provider (IdP). To configure SSO, administrators sign in to Cortex XDR with their CSP credentials and configure the SAML 2.0 settings in the new Settings > Configurations > Access Management > Single Sign-On page.
Archive Actions in the Action Center
Cortex XDR has added the option to archive actions in the Action Center.
IPv6 Support
To enable you to use Cortex XDR security capabilities on your IPv6 environment, Cortex XDR now supports the following features for IPv6-only networks.
Server side:
  • New and updated Endpoint table columns for IPv6.
  • All endpoint actions including Live Terminal initiation.
  • Alerts, which now include a Host IPv6 column.
  • Causality chain, which now displays the IPv6 addresses reported from the endpoints.
  • Incidents, with all IPv6 artifacts displayed, except incident grouping.
  • XQL queries over IPv6 ranges on the IPv6 columns.
Agent side:
  • Communication with the server (routed via supported addresses).
  • Reporting of IP addresses to the cloud.
  • Proxy (system proxies, cloud defined proxies).
  • EDR (network events, remote actors, file events, remote IP).
  • Isolation.
  • P2P updates.
  • Live Terminal.
Windows Java EPM Default Setting
From Cortex XDR version 3.4.0, the Windows Java Endpoint Protection Modules default configuration is set to on.
Investigation and Response
XQL Comp Stage Supports Raw Events
(Requires a Cortex XDR Pro license)
Cortex XDR Query Language (XQL) now supports using raw events in a comp stage with up to 50 fields, which displays up to 100 events.
New XQL Functions for the Comp Stage
(Requires a Cortex XDR Pro license)
To help you create queries that scale better in memory usage and run time, Cortex XDR Query Language (XQL) now supports the following approximate aggregate functions in the comp stage.
  • approx_count—Counts the approximate number of distinct values in the given field column and returns a single integer.
    comp approx_count(<field>)
  • approx_top—Depending on the number of parameters, returns either the approximate count or the approximate sum of the top elements for the given field. The return value is an array of up to <number> JSON strings.
    • Count—comp approx_top(<field>, <number>)
    • Sum—comp approx_top(<field1>, <number>, <field2>)
  • approx_quantiles—Returns the approximate quantile boundaries for the values of the specified field column, over either distinct or non-distinct values (default false, that is, non-distinct). The function returns an array of <number> + 1 elements, where the first element is the approximate minimum and the last element is the approximate maximum.
    comp approx_quantiles(<field>, <number>, <true|false>)
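The three approximate aggregates in one comp stage, as an added example that is not taken from the release notes. It assumes the standard xdr_data network story fields (agent_hostname, action_remote_ip, action_remote_port, action_total_upload); the event type and the threshold are illustrative.

```xql
// Added example (not from the release notes). Per-host sketch of outbound
// HTTPS traffic using the approximate comp aggregates.
// Assumes the standard xdr_data network story fields.
dataset = xdr_data
| filter event_type = ENUM.STORY and action_remote_port = 443
| comp approx_count(action_remote_ip) as distinct_dsts,
       approx_top(action_remote_ip, 5) as top_dsts_by_count,
       approx_top(action_remote_ip, 5, action_total_upload) as top_dsts_by_upload,
       approx_quantiles(action_total_upload, 4, false) as upload_quartiles
       by agent_hostname
// Hosts talking to unusually many distinct destinations are worth a look;
// the quartile array (min, q1, median, q3, max) shows whether upload volume
// is dominated by a few large transfers rather than steady background traffic.
| filter distinct_dsts > 200
| sort desc distinct_dsts
```

The approximate functions trade exactness for memory: on a large tenant the exact count_distinct over a day of network stories per host can exceed the query limits, whereas the sketch-based versions return a stable estimate.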
XQL Time Frame Configuration Function Enhancements
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) timeframe configuration function (added with a config stage command) now enables you to perform searches using relative time frame formats.
XQL Enhancements for Timestamp Functions
(Requires a Cortex XDR Pro license)
To make it easier to convert an arbitrary string to a time object in XQL without chaining two functions (parse_timestamp and to_epoch), Cortex XDR Query Language (XQL) now supports the following single function, which takes an optional time zone parameter (default UTC) and an optional precision parameter (default SECONDS):
parse_epoch("<format string>", <timestamp string>, "<time zone>", "<MILLIS | SECONDS | MICROS>")
In addition, an optional time zone parameter (default UTC) can now be passed to the following functions.
  • date_floor
  • bin
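An added example (not from the release notes) that combines the relative timeframe from the config stage, parse_epoch and date_floor with a time zone. The dataset vendor_fw_raw, its event_time field and the log format are hypothetical, and the time zone is written in offset form because the release notes do not state which zone formats are accepted.

```xql
// Added example (not from the release notes). Turns a vendor's local-time
// string into an epoch in one parse_epoch call, then buckets events by hour
// in the same zone. Dataset, field name and log format are hypothetical.
config timeframe = 7d
| dataset = vendor_fw_raw
// event_time looks like "24/07/2022 13:45:10" and is written in UTC+02:00;
// without the zone argument the value would be parsed as UTC and be two hours off
| alter event_epoch = parse_epoch("%d/%m/%Y %H:%M:%S", event_time, "+02:00", "SECONDS")
| alter event_ts = to_timestamp(event_epoch, "SECONDS")
// date_floor with the same zone so that hourly buckets align with local hours
| alter event_hour = date_floor(event_ts, "h", "+02:00")
| comp count() as events by event_hour
| sort asc event_hour
```

The same zone must be used in both calls; mixing a zone-aware parse with a UTC floor shifts every bucket boundary and makes the hourly counts hard to compare with the vendor's own console.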
XQL Enhancement to Support EDR Mount Events and Other User-Related Operations
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports the following changes related to endpoint detection and response (EDR) mount events and EDR support for other user-related operations.
  • The following new event types (event_type) have been added.
    • ENUM.MOUNT, which supports EDR mount events with the following event subtypes (event_sub_type).
      • Mount—ENUM.DEVICE_PLUG
      • Unmount—ENUM.DEVICE_UNPLUG
    • ENUM.USER_SESSION, which provides information about user-related operations in user sessions (Windows only) with the following event subtypes (event_sub_type).
      • ENUM.USER_SESSION_GET_CLIPBOARD—Indicates that an application has read from the clipboard and lists the application that copied the data into the clipboard.
      • ENUM.USER_SESSION_SET_CLIPBOARD—Indicates that an application has put data into the clipboard; only metadata about the clipboard content is sent.
      • ENUM.USER_SESSION_WINDOW_FOCUS_CHANGE—Indicates that the foreground window has changed and supplies the title of the top window of the new foreground window.
      • ENUM.USER_SESSION_WINDOW_TITLE_CHANGE—Indicates that the title of the top window of the foreground window has changed.
  • When collecting USB events, the following fields are also collected and are available with the event types listed above.
    • Vendor—action_device_usb_vendor_name
    • Product—action_device_usb_product_name
  • The device_control preset now includes all the above changes related to EDR mount events. When querying the device_control preset, Cortex XDR agents up to version 7.8 send any preexisting data collected for these events; new 7.8 agents and later send only new events.
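USB mount and unmount activity per host, as an added example that is not taken from the release notes. It uses the device_control preset with the MOUNT event type and the vendor and product fields above; agent_hostname and _time are assumed to be available in the preset.

```xql
// Added example (not from the release notes). USB mount/unmount activity
// per host from the device_control preset, using the new MOUNT event type
// and the USB vendor/product fields. Assumes agent_hostname and _time are
// present in the preset.
preset = device_control
| filter event_type = ENUM.MOUNT
| alter mount_action = if(event_sub_type = ENUM.DEVICE_PLUG, "mount", "unmount")
| comp count() as events, max(_time) as last_seen
       by agent_hostname, mount_action, action_device_usb_vendor_name, action_device_usb_product_name
// A vendor/product pair seen on only one or two hosts is usually more
// interesting than the corporate-standard keyboard on every desk.
| sort desc last_seen
```

Because agents older than 7.8 replay previously collected events when the preset is queried, the first run after an agent upgrade can show mount events with timestamps well in the past; filter on _time if that replay is not wanted.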
New XQL incidr6 Function and Operator Available
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports a new incidr6 function and operator.
  • Operator
    • incidr6, not incidr6—Search for an IPv6 address or IPv6 range using CIDR notation.
  • Function
    • incidr6—Accepts an IPv6 address and an IPv6 range in CIDR notation, and returns true if the address is in the range.
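An added example (not from the release notes) of both forms of incidr6 on IPv6 network events; the column names action_local_ip_v6 and action_remote_ip_v6 are assumed to be the IPv6 address fields reported by the agent.

```xql
// Added example (not from the release notes). IPv6 connections from hosts on
// the organisation's ULA space (fd00::/8) to destinations outside it, shown
// with both the operator and the function form of incidr6. The *_ip_v6
// column names are assumed.
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_remote_ip_v6 != null
// operator form: keep connections whose source is inside our ULA prefix
| filter action_local_ip_v6 incidr6 "fd00::/8"
// negated operator form: drop destinations that are also internal
| filter action_remote_ip_v6 not incidr6 "fd00::/8"
// function form: flag link-local destinations instead of filtering them out,
// so the analyst can see neighbour-discovery noise separately from real egress
| alter remote_is_link_local = incidr6(action_remote_ip_v6, "fe80::/10")
| comp count() as connections
       by agent_hostname, actor_process_image_name, action_remote_ip_v6, remote_is_link_local
| sort desc connections
```

The IPv4 incidr operator does not match IPv6 addresses, so a query that only filters action_remote_ip against RFC 1918 ranges silently ignores all IPv6 egress; on dual-stack hosts both columns need to be checked.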
Machine Learning Based Incident Scoring
(Requires a Cortex XDR Pro license)
To streamline prioritization and investigation of your incidents, Cortex XDR introduces SmartScore.
SmartScore is a score calculated automatically by Cortex XDR using machine learning and assigned to incidents to help you triage the incidents that require immediate attention.
SmartScore is available in addition to the existing Incident Score; however, SmartScore is applied only to incidents that have no Incident Score.
SmartScore can be enabled globally in the Incident Response > Incident Configuration > Incident Scoring page, or per incident by selecting the score in the Incident view.
To help improve SmartScore, Cortex XDR invites you to provide feedback. In the Incident view, when hovering over the displayed score or closing an incident, you have the option to provide feedback on the assigned score. The feedback is sent anonymously and is used to improve the calculations.
New Network Traffic Analysis Dashboard
(Requires a Cortex XDR Pro license)
To help you better visualize and track your Cortex XDR network traffic, Cortex XDR introduces a new predefined dashboard called NTA Dashboard consisting of the following widgets:
  • Overview
  • Threats
  • Network Zones
  • Geo Locations
  • DNS Activity
  • HTTP Activity
  • URL Activity
New Incident and Alert Tagging
(Requires a Cortex XDR agent 7.8 or a later release)
To streamline how you manage your incidents and alerts, Cortex XDR now allows you to filter the Incidents and Alerts tables according to the new Tags field, which displays the Endpoint Groups, Endpoint Tags, and Data Sources associated with the alert.
Local Analysis and WildFire Alert Aggregation
To streamline and improve investigation of your alerts, as of Cortex XDR version 3.4, alerts triggered by Local Analysis and WildFire with the same agent ID and file hash are aggregated every 60 minutes and displayed as a single alert in the Alerts table.
To easily track the aggregated alerts, in the Alert Name field, aggregated alerts are displayed as Local Analysis Malware along with the number of alerts that were grouped.
External Data Ingestion
New Cortex Data Lake Data Collector
(Requires a Cortex XDR Pro per TB license)
To streamline the connection and management of all Palo Alto Networks generated logs across products in Cortex XDR, with or without a Cortex Data Lake, Cortex XDR can now ingest detection data from Cortex Data Lakes in a more flexible manner using the new Cortex Data Lake data collector.
These changes apply both during activation using the Cortex Gateway and throughout the tenant lifecycle.
During activation, you now have the option to connect to one or more existing Cortex Data Lakes via the Cortex Gateway, or not to connect at all. In addition, you can connect directly to Cortex XDR using the Cortex Data Lake data collector.
To receive data, configure Settings > Configurations > Data Collection > Collection Integrations for the Cortex Data Lake data collector in Cortex XDR.
The following options are available.
  • Connect one or more existing Cortex Data Lakes.
  • Remove the connection of a Cortex Data Lake.
As all required storage for endpoint data and alerts is included within Cortex XDR, new Cortex XDR tenants with Cortex XDR Prevent or Cortex XDR Pro per Endpoint licenses will not include a Cortex Data Lake integration.
New Route 53 Log Type for Amazon S3 Data Collector
(Requires a Cortex XDR Pro per TB license)
To expand the current data ingestion capabilities of the Amazon S3 data collector, Cortex XDR now supports collecting logs with a Log Type called Route 53, with an option to Normalize DNS logs (selected by default).
Office 365 Data Collector Enhancements for Normalizing Exchange Online Audit Logs to Stories
(Requires a Cortex XDR Pro per TB license)
To enhance your investigation capabilities, Cortex XDR now supports normalizing audit logs into stories when an Office 365 data collector is configured to collect Exchange Online logs.
Office 365 Data Collector Enhancements to Collect All Sign-in Event Types with Azure AD Authentication Logs
(Requires a Cortex XDR Pro per TB license)
To extend your investigation capabilities, Cortex XDR now supports configuring an Office 365 data collector for Azure AD Authentication Logs to Collect all sign-in event types from a beta version of the Microsoft Graph API, which is still subject to change. In addition to classic interactive user sign-ins, selecting this option allows you to collect the following:
  • Non-interactive user sign-ins.
  • Service principal sign-ins.
  • Managed Identities for Azure resources sign-ins.
From this release, when selecting Azure AD Authentication Logs, the new Collect all sign-in event types option is selected by default.
For existing customers that have already configured an Office 365 data collector with Azure AD Authentication Logs, this option is not selected.
XDR Collectors Enhancements for Normalizing Windows DNS Debug Logs
(Requires a Cortex XDR Pro per TB license)
To expand your investigation capabilities, you can configure Cortex XDR to normalize Windows DNS Debug Logs when collecting them with the XDR Collectors.
New Winlogbeat Event XDR Collector
(Requires a Cortex XDR Pro per TB license)
To enable collection of Windows event logs across your entire network, Cortex XDR now provides a Winlogbeat XDR Collector for your Windows endpoints. You can configure Winlogbeat profiles, Filebeat profiles, or both, and you can include Winlogbeat profiles in your policies. As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for event logs, msft_windows_raw. To use the Winlogbeat XDR Collector, you must upgrade your XDR Collector agents to XDRC version 1.2.0.
Endpoint Protection
New Protection Modules
To provide you with more detection and protection coverage capabilities, Cortex XDR introduces two new modules, the
Anti-Webshell Protection module
and the
Credential Gathering Protection
module.
  • Anti Webshell Protection module—Protects from processes that attempt to drop malicious webshells.
  • Credential Gathering Protection module—Protects from processes that attempt to steal passwords and other sensitive credentials.
You can select Enabled, Report Only, or Disabled for each module to decide the level of protection.
New Granular Prevention Actions
To provide you with more granular prevention capabilities, Cortex XDR now supports more actions for handling Behavioral Threat Protection security alerts. You can view the actions taken in the new Prevention Actions tab in the Alert Causality View.
New Audit Log Entry
To better secure your Cortex XDR agent installations, Cortex XDR now creates an audit log entry when anti-tamper protection is disabled locally on an agent.
Clear Agent Database
(Requires a Cortex XDR agent 7.8 or a later release)
To expand your endpoint management capabilities, from the All Endpoints table you can now clear the agent state of one or more endpoints.
Clearing the agent database is available only when using the debugging mode, and can be tracked in the Action Center.
Periodic Endpoint Table Cleanup
(Requires a Cortex XDR agent 7.8 or a later release)
To streamline and improve management of your endpoints, Cortex XDR now allows you to define a periodic cleanup of the All Endpoints table, where duplicated entities of the same endpoint are removed.
The cleanup can be defined according to the Host Name, Host IP Address, and MAC Address fields, and can run every 6 hours, 12 hours, 1 day, or 7 days.
New Minor Content Update Setting
(Requires a Cortex XDR agent 7.8 or a later release)
To ensure your Cortex XDR tenant is running with the most up-to-date protection, Cortex XDR now enables minor content updates by default.
The setting for this update can be found in Settings > Configurations > Agent Configurations > Content Management > Enable minor content version updates.
End-User Isolation Message
(Requires a Cortex XDR agent 7.8 or a later release)
To ensure end users are aware of isolated endpoints, Cortex XDR now allows you to define a constant Isolation and Network Connectivity message that appears on endpoints that have been isolated.
Device Control Exception Enhancement
(Requires a Cortex XDR agent 7.8 or a later release)
You can now add a comment to your Device Permanent Exceptions.
Support File Data Protection
To provide an extra layer of protection for the support file generated from the endpoint, the zip file is now protected by a password that is delivered in encrypted form. To obtain the password, copy the encrypted code and run it through the Retrieve Support File Password option under the Tokens and Password button in the All Endpoints page.
File System Scanning
(Linux)
Cortex XDR can scan your Linux endpoints for dormant malware. The agent examines the files on the endpoint. There is a default list of scanned directories which can be expanded or minimized. When a malicious file is detected during the scan, the agent reports the malware to Cortex XDR, so you can take action to remove the malware before it attempts to harm the endpoint. You can scan the endpoints in the following ways:
  • Periodic scan
  • Custom scan
Helm Charts Upgrade
(Linux)
The agent installation now includes the new package type Helm Installer. The Helm Installer is used for fresh installations and upgrades of Cortex XDR agents running on Kubernetes.
Forensics
File Name Field with Regex Support
To enable you to drill down further when performing a Forensic File Search, a File Name field has been added in the Action Center. The File Name field allows you to add a regular expression to match against the names of files within the paths specified.
Stacking UI for Process Execution and Persistence Data
To assist you in hunting malware across your network, Cortex XDR has added the option to group by particular columns (file name or file hash) within the Forensics tables Process Execution and Persistence. The grouping button shows the number of affected endpoints for each grouped value. This enables you to hunt via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis.
Windows Memory Collection
Certain forensic artifacts are never written to disk; they exist only in memory. Cortex XDR can now collect the entire contents of memory from Windows endpoints. Once a memory image has been captured from one of your XDR endpoints, you can download the image and perform a full analysis using industry-standard tools. In the Action Center, create a new action and select Memory Collection. This enables you to select a Windows endpoint from which the memory image is captured. You can then download a zip file containing the image. You also have the option to add Memory Collection to an offline triage configuration, which enables you to capture the memory image along with the other triage options selected from offline endpoints.
API
New User Value in Get All Endpoints
When running the Get All Endpoints API, Cortex XDR now includes the user value in the response.
New Update Alerts API
To expand your API capabilities, Cortex XDR now allows you to update the severity, status, and comment of existing alerts by running the new Update Alerts API.
New Get License Info API
To expand your API capabilities, Cortex XDR now allows you to get your tenant license information by running the new Get License Info API.

Features Releasing in May

New features in the Cortex® XDR 3.3 release.
The following table describes new features in the Cortex XDR 3.3 release. The release is divided into two deployments: May 15, 2022 and May 22, 2022.
Feature
Description
Investigation and Response
New Incident and Alert Severity
To streamline the management of your incidents and alerts, Cortex XDR now enables you to define a new Critical severity type for your incidents and alerts.
The Critical severity type is now visible in the Incident and Alert tables, IP Address/Hash Views, Detection Rules, and API calls. You can also search for Critical severity in the Quick Launcher.
New XQL Configuration for Case Sensitivity
(Requires a Cortex XDR Pro license)
To make it easier for you to configure in one central place whether case sensitivity is applied across Cortex XDR, Cortex XDR now includes a new XQL Configuration section in Settings > Configurations > General > Server Settings. This section enables you to configure whether Case Sensitivity (case_sensitive) is applied throughout the application. This setting overrides any other default configuration except for BIOCs, which remain case insensitive regardless of this setting.
Translate to XQL Enhancements
(Requires a Cortex XDR Pro per TB license)
To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes additional enhancements to improve the overall user experience and supports more Splunk functions and stages that can be translated to XQL.
New XQL Syntactic Sugar Available for JSON Functions
(Requires a Cortex XDR Pro license)
To make it easier for you to write your Cortex XDR Query Language (XQL) queries, Cortex XDR now supports syntactic sugar for the following JSON functions.
  • json_extract, using the following syntactic sugar format.
    <json_object_formatted_string> -> <field_path>{}
  • json_extract_array, using the following syntactic sugar format.
    <json_array_string> -> <field_path>[]
  • json_extract_scalar, using the following syntactic sugar format.
    <json_object_formatted_string> -> <field_path>
New XQL Operator and Functions Available
(Requires a Cortex XDR Pro license)
To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports the following new operator and functions.
  • Operator
    • incidr, not incidr—Search for an IP address or IP range using CIDR notation.
  • Functions
    • arraycreate—Returns an array built from the given parameters, which become the array elements.
    • arraymerge—Merges a number of arrays, including arrays returned by the arraymap() function, into a single array.
    • object_create—Returns an object built from the given parameters, which define the key and value pairs.
The new operator and functions can also be used in the [INGEST] section when creating Parsing Rules.
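An added example (not from the release notes) that uses the JSON syntactic sugar from the previous entry together with the new incidr operator and the array and object functions. The dataset my_app_audit_raw and the layout of its _raw_log JSON are hypothetical.

```xql
// Added example (not from the release notes). Pulls fields out of a JSON audit
// record with the -> sugar, shapes them with arraycreate/arraymerge/object_create
// and filters source addresses with the incidr operator. Dataset name and JSON
// layout are hypothetical:
//   {"user":{"name":"..","roles":[..],"groups":[..]},"client":{"ip":".."}}
dataset = my_app_audit_raw
| alter user_name = _raw_log -> user.name,          // json_extract_scalar
        src_ip    = _raw_log -> client.ip,          // json_extract_scalar
        user_obj  = _raw_log -> user{},             // json_extract (whole object)
        roles     = _raw_log -> user.roles[],       // json_extract_array
        groups    = _raw_log -> user.groups[]       // json_extract_array
// keep only logins that did not come from the corporate ranges
| filter src_ip not incidr "10.0.0.0/8" and src_ip not incidr "192.168.0.0/16"
// one array of every privilege the user holds, plus a fixed tag
| alter memberships = arraymerge(roles, groups, arraycreate("external-source"))
// a compact object that can be surfaced as-is in a correlation rule alert
| alter actor = object_create("user", user_name, "ip", src_ip, "memberships", memberships)
| arrayexpand memberships
| filter memberships in ("admin", "owner")
| fields _time, actor, memberships
```

The same expressions work in the [INGEST] section of a Parsing Rule, which is where the JSON shredding is better placed for a high-volume source so that later searches run against typed fields rather than re-parsing _raw_log each time.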
Correlation Rule Alert Enrichment Based on User Defined Fields
(Requires a Cortex XDR Pro license)
To help you better manage the Alerts associated with your Correlation Rules, Cortex XDR enables you to enrich Alerts with user defined settings. When configuring an Action to generate an Alert for a Correlation Rule, you can now customize the following Alert Settings.
  • Alert Name—New field, which can be set to a static or dynamic value.
  • Alert Source—New field, which can be set to a static or dynamic value.
  • Severity—Cortex XDR-defined values now include Critical. In addition to Cortex XDR-defined values, you can now select user defined fields from inside the query.
  • Category—In addition to Cortex XDR-defined values, you can now select user defined fields from inside the query.
Retrieve Endpoint Support File Enhancements
To streamline the process of retrieving endpoint support files, Cortex XDR now allows you to download one or more endpoint support files to a Cortex XDR server, instead of locally, that can then be accessed by a secured link.
Support files are stored by Cortex XDR for 30 days, however the secured link is valid for only 7 days. Following the 7 day period, in order to access the files you will need to generate a new link.
Improvement in Searching Child or Common Schemas in MSSP and MTH XQL Queries
To improve Cortex XDR Query Language (XQL) query results, Cortex XDR has enhanced XQL Search. When searching data in multiple MSSP and MTH tenants, XQL queries now return all child or common datasets with the same dataset name, even if the fields contain different data types or one of the datasets is missing some fields. In this case, Cortex XDR displays only the common fields.
Search and Destroy Action Validates Hash Against VirusTotal and WildFire
Cortex XDR validates the hash against VirusTotal and WildFire to provide additional context before initiating the File Destroy action.
External Data Ingestion
Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
(Requires a Cortex XDR Pro per TB license)
To expand the current data ingestion capabilities of existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
Improved Office 365 Data Collector
(Requires a Cortex XDR Pro per TB license)
To prevent email from building up in the compliance mailbox when collecting Microsoft Office 365 emails via Microsoft's Graph API, Cortex XDR has improved the Office 365 data collector so that emails are deleted from the compliance mailbox after they are ingested.
Office 365 Data Collector Enhancements for Normalizing Azure AD Audit Logs
(Requires a Cortex XDR Pro per TB license)
To expand your investigation capabilities, you can configure Cortex XDR to normalize Azure AD audit logs when using an Office 365 data collector.
Office 365 Data Collector Enhancements to Include File Hash in Email Attachment Details
(Requires a Cortex XDR Pro per TB license)
To enhance the current data ingestion capabilities, Cortex XDR now includes the file hash in the attachment details when using an Office 365 data collector to ingest Microsoft Office 365 emails via Microsoft's Graph API.
New Google Workspace Data Collector
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest logs and data from Google Workspace using a new data collector called Google Workspace for the following types of content.
  • Gmail
  • Admin Console
  • Google Chrome
  • Google Drive
  • User Accounts
  • Token
  • SAML
  • Login
  • Rules
  • Google Chat
  • Enterprise Groups
To receive data, configure Settings > Configurations > Data Collection > Collection Integrations for the Google Workspace data collector in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the content type for the data collected. This enables you to search the logs using XQL Search.
New Palo Alto Networks IoT Security Data Collector
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Palo Alto Networks IoT Security alerts and assets directly via an API, using a new data collector called IoT Security.
Cortex XDR adds IoT Security alerts to the Cortex XDR Alerts table and groups them into Incidents. Cortex XDR also adds IoT devices to the Cortex XDR Assets table.
As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for devices only (panw_iot_security_devices_raw). This enables you to initiate XQL Search queries and create Correlation Rules.
Workday Data Collector Enhancements
To expand your investigation and analytics capabilities, Cortex XDR now uses a structured schema when using the Workday data collector. To get the best Analytics results, use the fields from the recommended schema.
XDR Collector Collection Enhancements
(Requires a Cortex XDR Pro per TB license)
To align the Cortex XDR Collectors data collection capabilities with the other available data collectors, Cortex XDR now supports all sections in the filebeat.yml configuration file, including Filebeat fields and tags. As a result, you can use fields to identify the product/vendor of the data collected by the XDR Collectors so that the collected events go through the ingestion flow (Parsing Rules).
Upgrade Filebeat Version to 7.17.1 for XDR Collectors
(Requires a Cortex XDR Pro per TB license)
Cortex XDR now supports using Filebeat version 7.17.1 when using XDR Collectors for on-premise data collection on Windows and Linux machines.
New Support for Collecting JSON and Raw Multiline Logs
(Requires a Cortex XDR Pro per TB license)
To extend the current data collection capabilities for JSON and Raw logs, Cortex XDR now supports collecting multiline JSON and Raw logs using the following data collectors.
Data Management
Event Forwarding to External Storage
To enable you to save your data in an external location, Cortex XDR now supports exporting logs using Event Forwarding.
Cortex XDR added a new Event Forwarding section under Settings > Configurations > Data Management, where you can activate your Event Forwarding licenses and specify the path and credentials of your external storage destination.
  • Event Forwarding GB exports parsed logs for Cortex XDR Pro per TB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the XDR data layer, for example for compliance requirements and machine learning purposes.
  • Event Forwarding EP exports raw EDR data for Cortex XDR Pro per Endpoint and Cortex XDR Cloud endpoints.
Endpoint Protection
Global Analytics Profiles
(Cortex XDR agent 7.7 or a later release)
Cortex XDR now leverages aggregated and anonymized cross-tenant profiles to detect abnormal behavior, allowing the detection of new behaviors across multiple tenants and catching new types of attacks that might not be visible from a single tenant.
Alerts raised by the cross-tenant profiles are marked in the Alerts table as Global Analytics type alerts.
Agent Tokens Maintained and Managed by Cortex XDR
(Cortex XDR agent 7.7.1 or a later release)
Cortex XDR now offers a way to ease agent password management and distribution. Cortex XDR maintains and manages a token for each agent and can generate temporary tokens on demand.
When performing an action on the agent that requires a password entry, all you need to do is retrieve the hash from the agent to get the token password from Cortex XDR for that agent.
The token is automatically assigned to every endpoint and can be used to perform any action requiring a password on the agent. If needed, the admin can create a token with an expiration for any endpoint or group of endpoints and use it to manage those endpoints for the predefined period. The token can also be retrieved for an endpoint that has lost connectivity to the server, by extracting the token hash on the endpoint and retrieving the original token from that hash on the server.
Endpoint Content Version Status Enhancement
(Cortex XDR agent 7.7 or a later release)
To help you gain better visibility of your endpoint content versions, Cortex XDR now displays a new Content Status field in the All Endpoints table and a new Agent Content Status Breakdown widget.
Content Status displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period. Only following this period can Cortex XDR display whether the endpoint content version is up to date or outdated.
  • Up to Date - The endpoint is running with the latest content version.
  • Waiting for Update - Cortex XDR is in the process of updating to the new content version. Depending on your bandwidth and network connection, updating the content version may take time.
  • Outdated - The endpoint is running on an outdated content version.
  • Offline - The endpoint is disconnected.
Content Status is calculated every 30 minutes, so there could be a delay of up to 30 minutes in displaying the data.
New Endpoint Tagging
(Cortex XDR agent 7.7.1 or a later release)
To streamline how you manage your endpoints, Cortex XDR now allows you to tag endpoints from the Cortex XDR management console and on the endpoint, during installation and throughout the agent lifespan.
Each endpoint can be assigned one or more dynamic tags you define, giving you flexibility in how you filter and group your endpoints.
To easily track the tags associated with the endpoints, a new Endpoint Tags field in the All Endpoints and Forensics tables displays how the tag was assigned to the endpoint: via the management console (Server), or via installation and cytool arguments (Agent).
CIS Benchmark Capabilities
(Requires a Cortex XDR Cloud per Host license)
To streamline and reduce your incident investigation effort and time on Linux, Docker, and Kubernetes platforms, Cortex XDR now incorporates CIS Critical Security Controls to provide you with tools to prevent the next incident.
In addition to the vulnerabilities already presented at the asset level, Cortex XDR now displays compliance violation information and the context of suspicious resources. Using predefined Cortex XDR or customized endpoint regulation policies, you can now find and prioritize incidents that involve resources with a high risk level, enabling an accurate and prioritized incident response process.
To track and manage security and compliance violations detected by Cortex XDR, a new
Compliance Dashboard
and
Compliance Violation Table
display the following aggregated data:
  • Compliance Rate
    - Overall ratio of passed to failed compliance checks.
  • Compliance Rate per Regulation
    - Breakdown of the compliance rate per regulation policy.
  • Most violated Compliance Checks
    - The compliance checks with the highest number of violated assets.
  • Top Violated Assets
    - Assets with the highest number of failed compliance checks.
  • Number of Violations by Severity
    - The sum of failed compliance checks by severity.
  • Number of Checks by Status
    - The sum of checks by status.
Endpoint Log Collection
(
Cortex XDR agent 7.7.1 or a later release
)
To help Palo Alto Networks track and improve Cortex XDR agent stability, Cortex XDR can collect your agent logs.
Log collection is enabled by default and is recommended by Cortex XDR. You can disable it in the
Settings
General
Agent Configurations
Cortex XDR Log Collection
section.
Scope-Based Access Control (SBAC) for Endpoint Policies and Profiles
(
Cortex XDR agent 7.7.1 or a later release
)
Cortex XDR now enables you to segment how you manage policies and profiles of endpoint groups.
By default, all users have management access to endpoints in your tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then able to create, edit, and remove policies and profiles specific only to the endpoint groups within that scope.
New Block List Hash Capabilities
(
Cortex XDR agent 7.7.1 or a later release
)
To streamline hash termination in your environment, Cortex XDR now allows you to define an optional setting that terminates processes matching block-listed hashes on the endpoint regardless of the Malware profile settings, including when the profile is set to Report mode.
From the
Action Center
Block List
page, select
Override Report mode
.
Export and Import of Endpoint Policies and Profiles
(
Cortex XDR agent 7.7.1 or a later release
)
Cortex XDR now allows you from the Policy Management tables to export and import endpoint policies and profiles.
Broker VM
Version 16.1.4
New Apache Kafka Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM now provides a new Apache Kafka Collector applet that enables you to monitor and collect events from a topic on an Apache Kafka server in self-managed, on-premises configurations.
After you activate the
Kafka Collector
applet, you can collect events as datasets (
<Vendor>_<Product>_raw
) by defining the following.
  • Apache Kafka connection details including the Bootstrap Server List and Authentication Method.
  • Topics Collection configuration for the various Apache Kafka topics that you want to collect.
New Support for Displaying Denied URLs Notification in the Local Agent Settings Applet of the Broker VM
To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR now displays a list of
Denied URLs
. These URLs are displayed when you hover over the
Local Agent Settings
applet in the Broker VMs page to view the
Connectivity Status
in the
APPS
column of the table. As a result, in a situation where the
Local Agent Settings
applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.
New Dataset Fields Available for Broker VM
(
Requires a Cortex XDR Pro license
)
To expand your investigation capabilities, the following new fields are now available, where applicable, for any dataset and can be queried in XQL Search.
  • _broker_name
    —The
    Device Name
    configured for the Broker VM that forwarded the event.
  • _log_source_file_name
    —The name of the log file the event was read from, as configured in the Broker VM applet.
  • _log_source_file_path
    —The path of the log file the event was read from, as configured in the Broker VM applet.
Broker VM XDR Console Enhancements
To help you better manage your registered Broker VMs, Cortex XDR now enables you to configure the Broker VM SSL Certificates in the Cortex XDR Console. Previously, SSL certificates could only be configured by logging in to the Broker VM using the IP address.
Broker VM Hardening
To align the broker VM with the Center for Internet Security (CIS) guidelines, the broker VM has been hardened to meet CIS Level 2 hardening requirements.
These changes are only supported through a fresh install of the broker VM starting from version 16.0 and are not supported with an upgrade.
Forensics
Search Collections added to Forensics add-on
To enable the collection of forensically relevant search results, the Cortex XDR Forensics add-on now includes Search Collections by default. The current default Search Collections include the following.
  • Credential Harvesting
  • Process Execution
  • Lateral Movement
  • Persistence
  • Suspicious Indicators
  • Antivirus Events
  • PowerShell Events
  • Network Events
  • Sysmon Events
  • Authentication Events
New WildFire Verdict field added to Forensics artifacts
Cortex XDR has expanded its Forensics capabilities by displaying the WildFire verdict for the following Execution and Persistence type artifacts.
  • Prefetch
  • RecentFileCache
  • Shimcache
  • UserAssist
  • Drivers
  • Registry
  • Scheduled Tasks
  • Services
  • Startup Folders
If there is a WildFire verdict, the relevant
Verdict
is displayed.
  • Unknown
  • Benign
  • Malware
  • Grayware
Also, a link to the WildFire analysis report is available for review.
Audit Logs
New Management Audit Log Type
To extend visibility to the management audit logs, a new log type called Security Settings was added with the following subtypes.
  • Change Session Expiration
  • Change Session's Approved Domains
  • Change Session's Approved CIDRs
  • Change User Expiration Settings
API
Improved Endpoint Visibility
To help you better manage your endpoint content versions, Cortex XDR now displays the following new fields in the
Get Endpoint
API response:
  • Content Status Table Field
    Displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact the endpoint and check its content version over a 7-day period; only after this period can Cortex XDR report whether the endpoint content version is up to date or outdated.
    • Up to Date
      - The endpoint is running the latest content version.
    • Waiting for Update
      - Cortex XDR is in the process of pushing the new content version to the endpoint. Depending on your bandwidth and network connection, the update may take time.
    • Outdated
      - The endpoint is running an outdated content version.
    • Offline
      - The endpoint is disconnected.
    Content Status is recalculated every 30 minutes, so the reported value can lag by up to 30 minutes.
  • operating_system
  • mac_address
  • assigned_prevention_policy
  • assigned_extensions_policy

Features Releasing in February

New features in the Cortex® XDR™ 3.2 release.
The following table describes new features in the Cortex XDR 3.2 release. The release will be divided into two deployments: February 27, 2022 and March 6, 2022.
Feature
Description
General
Redesigned Cortex XDR Console
To streamline the investigation of your Cortex XDR data, a redesigned console now showcases the Cortex XDR capabilities in a clear and efficient way using a new responsive sidebar navigation.
The sidebar navigation allows you to easily find your way through the Cortex XDR investigation capabilities while providing greater real estate to display and assess your data.
Cortex XDR Gateway Renaming
To ensure a cohesive user experience, Cortex XDR Gateway has been renamed Cortex Gateway.
In-App Cortex XDR Agent End-of-Life Notification
Cortex XDR now displays a notification 90 days prior to agent version end-of-life (EOL). Tenants with active agents of the version will receive a notification in the Notification Center indicating an upcoming EOL. The same notification will appear again 30 days before the due date if additional agents with this version remain.
In addition, in the
Endpoint Administration
table, endpoints with non-supported versions will be flagged with a red indicator.
New Support to Display a Release Banner a Week before a Scheduled Release
To help you prepare for a scheduled release and become familiar with the upcoming features, starting from Cortex XDR version 3.3 a
New Release
banner is displayed in the user interface a week before the scheduled release date. The banner indicates the date, scheduled release time frame, and version number, and provides a link to the
Release Notes
, where you can get more information about the upcoming features.
New Support for Role-Based Access Control Managing User Groups Permissions
To help you manage permissions for groups of users in Cortex XDR, Cortex XDR now provides the following enhancements for managing user groups and group roles using role-based access control (RBAC).
  • A new User Groups page is now available for managing user groups in
    Configurations
    Access Management
    User Groups
    . You can perform the following tasks from this page.
    • Import a single existing group from Active Directory that you want to manage in Cortex XDR.
      This feature is only available if you enabled the Cloud Identity Engine in
      Configurations
      Integrations
      Cloud Identity Engine
      .
    • Create a new user group for a number of different system users or groups.
    • Save an existing group as a new group.
    • Edit a group.
    • Remove a group.
  • The Users page in
    Configurations
    Access Management
    Users
    contains the following enhancements for managing user groups and group roles.
    • A new right-click option on a user row is now available called
      Update User Role/Group
      , which enables you to perform the following.
      • Add a particular user to a group.
      • Set and manage a role for all users belonging to the same group at once.
      • Show Accumulated Permissions
        for the user(s) based on the
        Direct Role
        and
        Group Roles
        assigned to the user(s).
    • The
      Users
      table now contains the following new columns.
      • Groups
        : Lists the groups that a user belongs to, where any group imported from Active Directory has the letters
        AD
        added beside the group name.
      • Group Roles
        : Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
  • The Permissions page of the
    Cortex Gateway
    (previously called
    Cortex XDR Gateway
    ) now includes the following enhancements.
    • A notification has been added indicating that
      Groups
      and
      Group Roles
      can only be configured in Cortex XDR in the
      Configurations
      Access Management
      User Groups
      page.
    • New columns for the
      Groups
      and
      Group Roles
      are now included in the table.
  • An improved user experience when creating a
    New Role
    in the
    Roles
    page, so it is easier to set permissions. The
    Create Role
    page has been updated with separate tabs for
    Components
    and
    Datasets
    . The Cortex XDR
    Components
    are now listed according to navigation screens and you can set permissions for each component to
    View
    ,
    View
    and
    Edit
    , or
    None
    , where some components have an additional actions level to define.
New Critical Environment Cortex XDR Version
Cortex XDR now allows you to define endpoints with Critical Environment Cortex XDR agent versions.
Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum.
Defining an endpoint with a Critical Environment agent version will require you to create and define the following:
  • Agent Configuration
  • Agent Installer
  • Upgrade and Auto-Upgrade Paths
  • Agent Settings
To easily track the endpoints defined as Critical Environment, in the
Endpoint Administration
table, Cortex XDR displays a new
Version Type
field stating whether the endpoint is defined as a
Standard
or
Critical Environment
agent.
Forensics
Forensics Add-On Sub-domain Name Change
When enrolling in the Forensics Add-On, users with Account Admin and Instance Admin permissions can now change the tenant subdomain:
oldName.xdr.us.paloaltonetworks.com
to
newName.xdr.us.paloaltonetworks.com
Investigation and Response
New Personalized Cortex XDR Dashboard
To help you better visualize and manage your incidents, tasks, and MTTR, Cortex XDR introduces a new predefined dashboard called My Dashboard with the following new widgets.
  • My Incidents
    —Displays the incidents assigned to the logged-in user.
  • My MTTR
    —Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR.
  • My Open Incidents by Severity
    —Displays the number of open incidents assigned to the logged-in user over the last 30 days.
  • My Incidents Over Time
    —Displays the daily number of new and resolved incidents assigned to the logged-in user over the past 14 days.
New Cloud Inventory Dashboard
To help you better visualize and manage your assets on the cloud, Cortex XDR introduces a new predefined dashboard called Cloud Inventory Dashboard with the following new widgets.
  • Accounts by Cloud Provider
    —Displays the number of accounts held in each cloud provider.
  • Compute Instances Over Time
    —Displays the number of compute (virtual machine) instances over time.
  • Assets by Cloud Provider
    —Displays the number of assets stored in each cloud provider.
  • Assets by Type
    —Displays a breakdown of cloud assets by type.
  • Assets by Sub-Type
    —Displays a breakdown of cloud assets by sub-type.
  • Assets by Geo Region
    —Displays a breakdown of assets in each geographic region.
  • Assets by Region
    —Displays a breakdown of assets in each region.
  • Assets by Responsive Port Number
    —Displays the number of exposed cloud assets by port number.
  • Responsive Assets Over Time
    —Displays the number of exposed cloud assets over time.
New Alert Management Capabilities
To help you better manage the Alerts associated with your incidents, Cortex XDR now allows you to perform the following actions on each alert:
  • View and update Alert Severity
  • View and update Alert Status
In the
Alerts Table
, right-click an alert to
Change Severity
and/or
Change Status
.
Any update made to an alert impacts the associated incident. An incident with
all
its associated alerts marked as resolved is automatically set to
Auto-Resolved
. Cortex XDR will continue to group Alerts to an Auto-Resolved Incident for up to 6 hours. In the case where an alert is triggered during this duration, Cortex XDR will re-open the Incident.
To ensure consistency, when resolving an incident, you can now also select to
Mark all alerts as resolved
.
To help you track the alert resolution status, Cortex XDR now displays in the Alerts Table a new
Resolution Status
field.
Asset Management Enhancements
To provide greater visibility of network assets and better align with other Cortex XDR offerings,
Assets
Asset Management
has been renamed to
Assets >
Asset Inventory. In addition, the new
All Assets
page, previously called
Assets
, now enables you to toggle between the
Legacy View
of the page and the new
Advanced View
, which includes the following features.
  • You can view the data in a table format by accessing the new pages for
    All Assets
    and
    Specific Assets
    , including
    On-Prem Assets
    and
    Cloud Compute Instances
    .
  • The table columns provide newly structured data with updated filtering capabilities to improve your asset visibility.
  • When any row in a table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The section heading names and data displayed change depending on the source of the assets.
The
Legacy View
in the
Asset Inventory
page will be deprecated in the upcoming Cortex XDR release.
Asset Inventory Support in Quick Launcher
To improve the search and investigative functionality of the Quick Launcher, the Quick Launcher now supports searching in other tables related to
Asset Inventory
, previously called
Asset Management
, so you can query for a specific Asset Name or IP address. In addition, 2 new actions are now available when searching for Asset Inventory data.
  • Change search to <host name of asset>
    to display additional actions related to that host. This option is only relevant when searching for an IP address that is connected to an asset.
  • Open in Asset Inventory
    is a new pivot available when the host name of an asset is selected.
Correlation Rules Enhancement to Support Error Handling and Reporting
(
Requires a Cortex XDR Pro license
)
To help you easily identify and resolve Correlation Rules errors, Cortex XDR now includes error handling by providing the following error messages in the applicable scenarios.
  • Invalid query
  • Query timeout
  • Dependency correlation did not complete
  • Unknown error
The Correlation Rules page indicates the error in the
LAST EXECUTION
column by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field.
In addition, a notification is displayed to indicate these Correlation Rules errors.
New Support for Converting Splunk Queries to XQL Queries in XQL Search
(
Requires a Cortex XDR Pro license
)
To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes in XQL Search a new toggle called Translate to XQL. When building your XQL query and this option is selected, both a
SPL query
field and
XQL query
field are displayed, so you can easily add a SPL query, which is converted to XQL in the
XQL query
field. This option is disabled by default, so only the XQL query field is displayed.
New XQL Array Index Value Function
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) now includes a new function called arrayindexof that enables you to return a value related to an array in one of the following ways.
  • Returns the 0-based index of the array element for which the condition on
    @element
    is true, provided the array is not empty. The format is
    arrayindexof(<array>, "@element" <operator> "<array element>")
    where
    <operator>
    can be any supported comparison operator, such as
    =
    and
    !=
    .
  • Returns 0 if the array is not empty and the specified condition is true, using the format
    arrayindexof(<array>, <condition>)
    If the condition is not met, NULL is returned.
New Support for using Contains and Not Contains Operators within Arrays in XQL
(
Requires a Cortex XDR Pro license
)
Cortex XDR Query Language (XQL) now supports using Contains and Not Contains operators within arrays.
New Support for an Optional by Clause in a Comp Stage in XQL
(
Requires a Cortex XDR Pro license
)
Cortex XDR Query Language (XQL) now supports using an optional by clause in a comp stage, which was previously required.
XQL Query Language Enhancements for Case Sensitivity
(
Requires a Cortex XDR Pro license
)
The Cortex XDR Query Language (XQL) now honors the case_sensitive setting in functions and stages, not only in filters as before. If you do not set it in your query, the default is true: case is considered when evaluating field values.
This can change your current query results, including Correlations and XQL-based dashboards, because case was previously ignored when evaluating field values in functions and stages and is now considered by default.
External Data Ingestion
Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
(
Requires a Cortex XDR Pro per TB license
)
To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
New Microsoft Office 365 Data Collection
(
Requires a Cortex XDR Pro per TB license
)
Cortex XDR can now ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using a new data collector called Office 365.
  • Microsoft Office 365 audit events from Management Activity API.
  • Microsoft Office 365 emails via Microsoft’s Graph API.
  • Azure AD authentication and audit events from Microsoft Graph API. As a result, the previous
    Azure AD
    data collector has been integrated to this new
    Office 365
    data collector. To maintain backward compatibility, the previous data collector configuration is maintained and continues working as before.
To receive data, configure
Configurations
Data Collection
Collection Integrations
settings for the Microsoft
Office 365
data collector in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the log type for the data collected. This enables you to search the logs using XQL Search.
Support Filebeat Version 7.16 for Windows DHCP Collector
(
Requires a Cortex XDR Pro per TB license
)
Cortex XDR now supports using Elastic Filebeat version 7.16 with the Windows DHCP Data Collector.
New Dataset Fields Available for XDR Collectors
(
Requires a Cortex XDR Pro license
)
To expand your investigation capabilities, the following XDR Collector fields (where applicable) are available for any dataset and can be queried in XQL Search.
  • _log_source_file_name
    —Displays the file name from where the event originated.
  • _log_source_file_path
    —Displays the file path of the file from where the event originated.
Data Management
New Period Based Retention Policy
(
Requires new retention licenses
)
To enhance the data retention offerings, Cortex XDR now supports a new period based retention policy for the following retentions.
  • Hot Storage
    —Fully searchable storage, for investigation and threat hunting. Hot storage was always supported and is now referred to explicitly in the user interface and documentation as hot storage.
  • Cold Storage
    —Cheaper storage usually for long-term compliance needs with a limited search option. Cold storage is new for this release.
To support these changes, the following updates have been implemented in the user interface.
  • XQL Search—Hot Storage queries are performed on a dataset using the format
    dataset = <dataset name>
    , while Cold Storage queries are performed using a new syntax
    cold_dataset = <dataset name>
    . You can also build a query that investigates data in both a
    cold_dataset
    and hot
    dataset
    in the same query.
  • Compute Units Usage Page: Any
    cold_dataset
    query consumes Compute Units (CU) based on your quota, which are also consumed by the XQL API. As a result, the previous
    Configurations
    Data Management
    XQL API Usage
    page has been renamed to
    Compute Units Usage
    . This page now displays both information related to your public APIs and Cold Storage.
    You can increase your Compute Unit quota beyond the free tier by purchasing an add-on.
  • Query Center—This page now includes a new column called
    COMPUTE UNIT USAGE
    to display the Public APIs and Cold Storage usage. In addition, the previous
    COMPUTE UNIT USAGE
    column is now renamed to
    SIMULATE COMPUTE UNITS
    to display Hot Storage usage.
  • Dataset Management Page—Updated to reflect these changes.
Note: The new Period Based Retention Policy offerings require new licenses for v3.2.
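The XQL features introduced above (the case_sensitive setting, Contains evaluated against an array, arrayindexof with the @element condition, and a comp stage without a by clause) and the cold_dataset syntax described under Data Management can be combined in one hunting query. The following is an added example written for this page, not Cortex XDR product code: a small Python helper that assembles such a query for hot or cold storage, the request body for the XQL API start-query call, and a decoder for the rows the query returns. The xdr_data field names are standard; the XQL API request shape, the use of split() and arrayindex(), and the sample rows are assumptions constructed for illustration.

```python
import base64
import binascii

# Added example for this page, not Cortex XDR product code. Assembles an XQL hunting query
# from the stages discussed in the text and decodes the rows it returns.
# xdr_data field names are standard; the XQL API request shape and SAMPLE_ROWS are
# assumptions constructed for illustration.

ENCODED_SWITCH = "-EncodedCommand"


def build_query(cold: bool = False, summarize: bool = False) -> str:
    """Return an XQL query that finds PowerShell launched with -EncodedCommand.

    cold=True reads cold storage (cold_dataset, billed in Compute Units) instead of
    hot storage (dataset). summarize=True ends with a comp stage that has no by clause.
    """
    source = "cold_dataset" if cold else "dataset"
    stages = [
        # evaluate field values case-insensitively in every function and stage below
        "config case_sensitive = false",
        f"{source} = xdr_data",
        # with case_sensitive = false this also matches PowerShell.exe and POWERSHELL.EXE
        'filter event_type = ENUM.PROCESS and action_process_image_name = "powershell.exe"',
        # split the command line into an array of arguments
        'alter args = split(action_process_image_command_line, " ")',
        # contains evaluated against an array: true when any element matches
        f'filter args contains "{ENCODED_SWITCH}"',
        # 0-based index of the element for which the @element condition holds
        f'alter enc_index = arrayindexof(args, "@element" = "{ENCODED_SWITCH}")',
        # the base64 blob is the argument that follows the switch
        "alter encoded_payload = arrayindex(args, enc_index + 1)",
        "fields agent_hostname, action_process_image_command_line, enc_index, encoded_payload",
    ]
    if summarize:
        # comp without a by clause: one row with the total across all hosts
        stages.append("comp count() as hits")
    return "\n| ".join(stages)


def start_xql_query_body(query: str, relative_ms: int = 30 * 24 * 3600 * 1000) -> dict:
    """Request body for POST /public_api/v1/xql/start_xql_query/ (assumed shape)."""
    return {"request_data": {"query": query, "tenants": [], "timeframe": {"relativeTime": relative_ms}}}


def decode_encoded_command(payload: str) -> str:
    """Decode a PowerShell -EncodedCommand value: base64 over UTF-16LE text."""
    raw = base64.b64decode(payload, validate=True)
    return raw.decode("utf-16-le")


def decode_results(rows: list) -> list:
    """Attach the decoded command to each result row; rows that fail to decode get None."""
    decoded_rows = []
    for row in rows:
        try:
            decoded = decode_encoded_command(row["encoded_payload"])
        except (KeyError, TypeError, binascii.Error, UnicodeDecodeError):
            decoded = None
        decoded_rows.append({**row, "decoded_command": decoded})
    return decoded_rows


# Constructed sample rows in the shape the fields stage above would return (not real telemetry).
SAMPLE_ROWS = [
    {"agent_hostname": "WS-0142", "enc_index": 2, "encoded_payload": "dwBoAG8AYQBtAGkA",
     "action_process_image_command_line": "PowerShell.exe -NoP -EncodedCommand dwBoAG8AYQBtAGkA"},
    {"agent_hostname": "WS-0077", "enc_index": 1, "encoded_payload": "!!not-base64",
     "action_process_image_command_line": "powershell.exe -EncodedCommand !!not-base64"},
]

if __name__ == "__main__":
    print(build_query(cold=True))
    for row in decode_results(SAMPLE_ROWS):
        print(row["agent_hostname"], "->", row["decoded_command"])
```

Running the cold variant consumes Compute Units, so scope the timeframe to what the investigation actually needs; the hot variant is the one to use for day-to-day hunting. Rows whose payload is not valid base64 are kept with a None decoded command rather than dropped, so a truncated or deliberately malformed command line still surfaces in the results.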
New Simulate View in the Parsing Rules Editor
(
Requires a Cortex XDR Pro per TB license
)
To improve the overall user experience and minimize user errors when creating Parsing Rules, Cortex XDR now includes a new Simulate view in the Parsing Rules editor. This view enables you to test your Parsing Rules on actual logs and validate their outputs. The editor includes the following sections.
  • A list of the current
    User defined rules
    on the left side of the window.
  • A table of the existing
    XQL Samples
    on the right side of the window, which contain sample logs listing the
    Vendor
    ,
    Product
    ,
    Raw_Log
    , and
    Sample Time
    . For each Vendor and Product, up to 5 different samples are available to choose from. From this list, you can select the logs used to simulate the rule.
  • Log Output
    displays a table of the relevant logs per dataset, including other columns, at the bottom of the window.
New Support for using Parsing Rules in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
To help you avoid sending unnecessary data to the XDR server and reduce traffic, storage, and computing costs, Cortex XDR now supports using Parsing Rules to define the specific data captured by the broker VM in a new section called [COLLECT]. The
[COLLECT]
section is optional to configure, but once added this section runs before the
[INGEST]
section to enable data reduction and data manipulation at the broker VM. The
[COLLECT]
section uses the same syntax as the
[INGEST]
section and is configured in the same screen. It also follows the format as detailed in the following example.
[COLLECT:vendor="Apache", product="ApacheServer", target_brokers = (bvm1, bvm2, bvm3), no_hit = drop]
alter source_log = json_extract_scalar(_raw_log, "$.source")
| filter source_log = "WebApp-Logs"
| fields source_log, _raw_log;
Parsing Rules Supports using an arrayfilter Function and iploc Stage Command
(
Requires a Cortex XDR Pro per TB license
)
To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring the following new function and stage command in the INGEST section.
  • arrayfilter () function—Filters the results of an array in one of the following ways.
    • Returns the results when a certain condition is applied to the array.
    • Returns the results when a particular array is set to a specific array element.
  • iploc stage: Enriches any IPv4 address field with a set of predefined geolocation attributes.
Endpoint Protection
Enhanced Endpoint Cloud Metadata
(
Requires a Cortex XDR Pro license
)
To allow for greater flexibility when investigating your data, Cortex XDR now displays in the
Endpoint Administration
table the
Cloud Instance Metadata
field.
The field provides IBM and Alibaba Cloud data reported by the endpoint.
Agent Auto-Upgrade Delay
To help better manage your agent auto-upgrades, Cortex XDR now allows you to define a
Delayed Auto Upgrade Roll-out
.
In the Agent Settings, select whether to rollout an auto-upgrade immediately or define a delay period of 7-45 days from the agent release date.
New Upgrade Agents Action Center Capabilities
To help better manage your agent upgrades, Cortex XDR now allows you in the
Action Center
to track in the
Status
field which agent upgrade failed and directly create an Upgrade action for one or more of the failed agents.
Broker VM
Version 15.1.4
New Support for Configuring the Broker VM as Proxy Server for another Broker VM
To help you easily route all traffic between the Cortex XDR management server and Cortex XDR agents using the broker VM, it is now possible to designate the broker VM as a proxy server for another broker VM (i.e. chaining). Previously, the broker VM could only act as a proxy server for agents. This is now available to configure when logging in to the broker VM (
https://<broker_vm_ip_address>/.
), and configuring the broker VM settings. In the Proxy Server section, when you set the
Type
to
HTTP
to route broker VM communication, you need to add the IP address and port number (set when activating the Agent Proxy) for the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
New Support to Improve the Right-Click Option for Generating New Logs in the Broker VM
To clarify the difference between the two options available for creating and downloading logs under
Broker Management
in Cortex XDR, the right-click option previously called
Download Latest Logs
was renamed to Generate New Logs. This option regenerates the most up-to-date logs and downloads them once they are ready, as opposed to the other option called
Download Logs (TIMESTAMP)
, which downloads the logs from the last creation date reflected in the TIMESTAMP.
New Support for Tail Mode Data Collection for the Files and Folder Collector in the Broker VM
(
Requires a Cortex XDR Pro per TB license
)
The broker VM’s Files and Folders Collector applet now supports collecting logs from files and folders in a network share for a Windows directory in tail mode, as opposed to only batch mode. When you configure the
Files and Folders Collector
applet, a new toggle button called
Mode
is now displayed when configuring the
Files and Folders Settings
. There are 2 modes available.
  • Tail
    —Continuously monitors files for new data (default).
  • Batch
    —Reads entire file and then renames/deletes uploaded files.
For backward compatibility, any
Files and Folders Collector
applet previously configured before version 3.2 will have the
Mode
automatically set to
Batch
.
API
New Get Alert Timestamp Filter
To expand your API capabilities, Cortex XDR now allows you to filter the
Get Alerts
API results according to the timestamp of when Cortex XDR created the alert using
server_creation_time
.
New Retrieve PAN NGFW Alert Packet Data API
To expand your alert investigation capabilities, Cortex XDR now displays in the
Get Alerts
and
Get Extra Incident Data
APIs response whether a PAN NGFW type alert contains a PCAP triggering packet.
Using the new
Retrieve PCAP Packet
API, you can now retrieve a list of alert IDs and the associated PCAP data.
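The Get Alerts filter on server_creation_time described here and the new Get Endpoint response fields described under the July API section (Content Status, operating_system, mac_address, assigned_prevention_policy, assigned_extensions_policy) are both reached through the same public API. The following is an added example written for this page, not Cortex XDR product code: it builds the authenticated headers (the Advanced API key scheme), the request bodies for both calls, and a check that flags endpoints whose content is not current from a Get Endpoint response. The API paths and header names are the documented ones; the response field name content_status, its string values, and the sample response are assumptions constructed for illustration.

```python
import hashlib
import json
import secrets
import time
import urllib.request

# Added example for this page, not Cortex XDR product code. Builds authenticated calls to
# the Get Endpoint and Get Alerts public APIs and flags endpoints whose content is not
# current. The header scheme is the Advanced API key flow; the response field names
# (content_status and its values) and SAMPLE_RESPONSE are assumptions for illustration.

CONTENT_CURRENT = {"Up to Date", "Waiting for Update"}


def build_auth_headers(api_key_id: str, api_key: str, nonce: str = None, timestamp_ms: int = None) -> dict:
    """Advanced API key headers: Authorization is SHA-256 over api_key + nonce + timestamp."""
    nonce = nonce or secrets.token_hex(32)
    timestamp_ms = timestamp_ms or int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def get_endpoint_body(search_from: int = 0, search_to: int = 100) -> dict:
    """Request body for POST /public_api/v1/endpoints/get_endpoint/ (paged, no filter)."""
    return {"request_data": {"filters": [], "search_from": search_from, "search_to": search_to}}


def get_alerts_body(since_ms: int, search_to: int = 100) -> dict:
    """Request body for POST /public_api/v1/alerts/get_alerts_multi/ restricted to alerts
    Cortex XDR created at or after since_ms, using the server_creation_time filter."""
    return {"request_data": {
        "filters": [{"field": "server_creation_time", "operator": "gte", "value": since_ms}],
        "search_from": 0, "search_to": search_to}}


def post(fqdn: str, path: str, api_key_id: str, api_key: str, body: dict) -> dict:
    """Send one authenticated request to https://api-<fqdn><path> and return the parsed JSON."""
    req = urllib.request.Request(f"https://api-{fqdn}{path}", data=json.dumps(body).encode(),
                                 headers=build_auth_headers(api_key_id, api_key), method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def endpoints_needing_attention(response: dict) -> list:
    """(endpoint_name, content_status, operating_system) for endpoints whose content status
    is neither Up to Date nor Waiting for Update, i.e. Outdated, Offline or unreported."""
    flagged = []
    for ep in response.get("reply", {}).get("endpoints", []):
        status = ep.get("content_status")
        if status not in CONTENT_CURRENT:
            flagged.append((ep.get("endpoint_name"), status, ep.get("operating_system")))
    return flagged


# Constructed Get Endpoint response showing the new fields (not real tenant data).
SAMPLE_RESPONSE = {"reply": {"total_count": 3, "result_count": 3, "endpoints": [
    {"endpoint_id": "a1", "endpoint_name": "WS-0142", "content_status": "Up to Date",
     "operating_system": "Windows 10", "mac_address": ["00:11:22:33:44:55"],
     "assigned_prevention_policy": "Default", "assigned_extensions_policy": "Default"},
    {"endpoint_id": "b2", "endpoint_name": "SRV-DB01", "content_status": "Outdated",
     "operating_system": "Ubuntu 20.04", "mac_address": ["00:11:22:33:44:66"],
     "assigned_prevention_policy": "Servers", "assigned_extensions_policy": "Default"},
    {"endpoint_id": "c3", "endpoint_name": "LT-0007", "content_status": "Offline",
     "operating_system": "macOS 12", "mac_address": ["00:11:22:33:44:77"],
     "assigned_prevention_policy": "Default", "assigned_extensions_policy": "Default"},
]}}

if __name__ == "__main__":
    # Live use needs a tenant FQDN and an Advanced API key, for example:
    # post("example.xdr.us.paloaltonetworks.com", "/public_api/v1/endpoints/get_endpoint/", "42", "<api-key>", get_endpoint_body())
    for name, status, os_name in endpoints_needing_attention(SAMPLE_RESPONSE):
        print(f"{name}: {status} ({os_name})")
```

A fresh nonce and timestamp are generated per request, so the Authorization digest cannot be replayed later; keep the API key itself out of logs and source control. Because Content Status is only recalculated every 30 minutes and is not reported until the 7-day check period has elapsed, an endpoint with no content_status value is treated as needing attention rather than silently skipped.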
Multitenants and MSSPs
Forensics Add-On Multitenant Management Support Enhancements
To expand your Forensics MSSP functionality, Cortex now allows you to view the following Forensics tables of your child tenants:
  • Forensics Search
  • Forensics Search Collections
  • Host Timelines
  • Process Execution
  • File Access
  • Persistence
  • Command History
  • Network
  • Remote Access
  • Triage All
  • File Listing
  • Registry Listing
  • Event Logs
  • Volatile