Features Introduced in 2022
Learn more about Cortex XDR features introduced during 2022 by month and functional area.
The following topics describe the Cortex XDR features introduced in 2022 by month.
Features Releasing in July
New features in the Cortex® XDR 3.4 release.
The following table describes new features in the Cortex XDR 3.4 and Cortex XDR Agent 7.8 releases. The release is divided into two deployments: July 24, 2022 and August 7, 2022.
The information shared here is for INFORMATIONAL PURPOSES ONLY and is not a binding commitment.

Feature | Description |
---|---|
General | |
New Support for Single Sign-on with SAML IdP | To help easily and securely authenticate users across enterprise-wide applications and websites with one set of credentials, Cortex XDR now supports single sign-on (SSO) with the Security Assertion Markup Language (SAML) 2.0 standard, which allows users to authenticate using their organization's Identity Provider (IdP). To configure SSO, administrators are required to sign in to Cortex XDR with their CSP credentials and configure the SAML 2.0 settings under the new Settings > Configurations > Access Management > Single Sign-On. |
Archive Actions in the Action Center | Cortex XDR has added the option to archive actions in the Action Center. |
IPv6 Support | To enable you to use Cortex XDR security capabilities in your IPv6 environment, Cortex XDR now supports a set of features for IPv6-only networks, on both the server side and the agent side. |
Windows Java EPM Default Setting | As of Cortex XDR version 3.4.0, the Windows Java Endpoint Protection Modules are enabled by default. |
Investigation and Response | |
XQL Comp Stage Supports Raw Events (Requires a Cortex XDR Pro license) | Cortex XDR Query Language (XQL) now supports using raw events in a comp stage with up to 50 fields, which will display up to 100 events. |
New XQL Functions for the Comp Stage (Requires a Cortex XDR Pro license) | To help you create queries that scale better in terms of memory usage and time, Cortex XDR Query Language (XQL) now supports new approximate aggregate functions in the comp stage. |
XQL Time Frame Configuration Function Enhancements (Requires a Cortex XDR Pro license) | The Cortex XDR Query Language (XQL) timeframe configuration function (added with a config stage command) now enables you to perform searches using relative time frame command formats. |
XQL Enhancements for Timestamp Functions (Requires a Cortex XDR Pro license) | To make it easier for you to convert an arbitrary string to a time object in XQL without having to use two functions (parse_timestamp and to_epoch), Cortex XDR Query Language (XQL) now supports a single function for this conversion, which includes an optional time zone parameter (default UTC) and uses seconds by default. In addition, an optional time zone parameter (default UTC) can now be added to several other functions. |
XQL Enhancement to Support EDR Mount Events and Support EDR for Other User-Related Operations (Requires a Cortex XDR Pro license) | To expand your investigation capabilities, Cortex XDR Query Language (XQL) now includes changes related to endpoint detection and response (EDR) mount events and adds EDR support for other user-related operations. |
New XQL incidr6 Function and Operator Available (Requires a Cortex XDR Pro license) | To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports a new incidr6 function and operator. |
Machine Learning Based Incident Scoring (Requires a Cortex XDR Pro license) | To streamline prioritization and investigation of your incidents, Cortex XDR introduces the SmartScore. SmartScore is a score calculated automatically by Cortex XDR based on machine learning and assigned to incidents to help you better triage incidents that require immediate attention. SmartScore is available in addition to the current Incident Score; however, only incidents with no Incident Score will be assigned the SmartScore. Enabling SmartScore can be configured globally under Incident Response > Incident Configuration > Incident Scoring, and the score is displayed in the Incident view. To help improve the SmartScore, Cortex XDR invites you to provide feedback. In the Incident view, when hovering over the displayed score or closing an incident, you have the option to provide feedback on the assigned score. The feedback is sent anonymously and is used to improve the calculations. |
New Network Traffic Analysis Dashboard (Requires a Cortex XDR Pro license) | To help you better visualize and track your Cortex XDR Network Traffic, Cortex XDR introduces a new predefined dashboard called NTA Dashboard, consisting of a set of new widgets. |
New Incident and Alert Tagging (Requires a Cortex XDR agent 7.8 or a later release) | To streamline how you manage your incidents and alerts, Cortex XDR now allows you to filter the Incidents and Alerts tables according to the new Tags field, which displays the Endpoint Groups, Endpoint Tags, and Data Sources associated with the alert. |
Local Analysis and WildFire Alert Aggregation | To streamline and improve investigation of your alerts, as of Cortex XDR version 3.4, alerts triggered by Local Analysis and WildFire with the same agent ID and file hash are aggregated every 60 minutes and displayed as a single alert in the Alerts table. To easily track the aggregated alerts, in the Alert Name field, aggregated alerts are displayed as Local Analysis Malware along with the number of alerts that were grouped. |
External Data Ingestion | |
New Cortex Data Lake Data Collector (Requires a Cortex XDR Pro per TB license) | To streamline the connection and management of all Palo Alto Networks generated logs across products in Cortex XDR, with or without a Cortex Data Lake, Cortex XDR can now ingest detection data from Cortex Data Lakes in a more flexible manner using the new Cortex Data Lake data collector. These changes apply both during activation using the Cortex Gateway and throughout the tenant lifecycle. During activation, you now have the option to connect to one or more existing Cortex Data Lakes via the Cortex Gateway, or to choose not to connect at all. In addition, you can connect directly to Cortex XDR using the Cortex Data Lake data collector. To receive data, configure the Cortex Data Lake data collector under Settings > Configurations > Data Collection > Collection Integrations in Cortex XDR. Because all required storage for endpoint data and alerts is included within Cortex XDR, new Cortex XDR tenants with Cortex XDR Prevent or Cortex XDR Pro per Endpoint licenses will not include a Cortex Data Lake integration. |
New Route 53 Log Type for Amazon S3 Data Collector (Requires a Cortex XDR Pro per TB license) | To expand the current data ingestion capabilities for the Amazon S3 data collector, Cortex XDR now supports collecting logs with a Log Type called Route 53, with an option to Normalize DNS logs (selected by default) when using the Amazon S3 data collector. |
Office 365 Data Collector Enhancements for Normalizing Exchange Online Audit Logs to Stories (Requires a Cortex XDR Pro per TB license) | To enhance your investigation capabilities, Cortex XDR now supports normalizing audit logs into stories when an Office 365 data collector is configured to collect Exchange Online logs. |
Office 365 Data Collector Enhancements to Collect All Sign-in Event Types with Azure AD Authentication Logs (Requires a Cortex XDR Pro per TB license) | To extend your investigation capabilities, Cortex XDR now supports configuring an Office 365 data collector for Azure AD Authentication Logs to Collect all sign-in event types from a beta version of the Microsoft Graph API, which is still subject to change. In addition to classic interactive user sign-ins, selecting this option allows you to collect the other sign-in event types. From this release, when selecting Azure AD Authentication Logs, the new Collect all sign-in event types option is selected by default. For existing customers that have already configured an Office 365 data collector with Azure AD Authentication Logs, this option is not selected. |
XDR Collectors Enhancements for Normalizing Windows DNS Debug Logs (Requires a Cortex XDR Pro per TB license) | To expand your investigation capabilities, you can configure Cortex XDR to normalize Windows DNS Debug Logs when collecting the logs with the XDR Collectors. |
New Winlogbeat Event XDR Collector (Requires a Cortex XDR Pro per TB license) | To enable collection of Windows event logs across your entire network, Cortex XDR now provides a Winlogbeat XDR Collector for your Windows endpoints. You can now configure Winlogbeat profiles, Filebeat profiles, or both, and you can also include Winlogbeat profiles in your policies. As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for event logs, msft_windows_raw. To use the Winlogbeat XDR Collector, you must upgrade your XDR Collector agents to XDRC version 1.2.0. |
Endpoint Protection | |
New Protection Modules | To provide you with more detection and protection coverage, Cortex XDR introduces two new modules, the Anti-Webshell Protection module and the Credential Gathering Protection module. You can select Enabled, Report Only, or Disabled for each module to decide the level of protection. |
New Granular Prevention Actions | To provide you with more granular prevention capabilities, Cortex XDR now supports more actions for handling behavioral threat protection security alerts. You can view the actions taken in the new Prevention Actions tab in the Alert Causality View. |
New Audit Log Entry | To better secure your Cortex XDR agent installations, Cortex XDR now creates an audit log entry when anti-tamper protection is disabled locally on an agent. |
Clear Agent Database (Requires a Cortex XDR agent 7.8 or a later release) | To expand your endpoint management capabilities, from the All Endpoints table you can now clear the agent state of one or more endpoints. Clearing the agent database is available only when using debugging mode, and can be tracked in the Action Center. |
Periodic Endpoint Table Cleanup (Requires a Cortex XDR agent 7.8 or a later release) | To streamline and improve management of your endpoints, Cortex XDR now allows you to define a periodic cleanup of the All Endpoints table, in which duplicate entries of the same endpoint are removed. The cleanup can be defined according to the Host Name, Host IP Address, and MAC Address fields, and can run every 6 hours, 12 hours, 1 day, or 7 days. |
New Minor Content Update Setting (Requires a Cortex XDR agent 7.8 or a later release) | To ensure your Cortex XDR tenant is running with the most up-to-date data protection, Cortex XDR now enables minor content updates by default. The setting for this update can be found under Settings > Configurations > Agent Configurations > Content Management > Enable minor content version updates. |
End-User Isolation Message (Requires a Cortex XDR agent 7.8 or a later release) | To ensure end users are aware of isolated endpoints, Cortex XDR now allows you to define a constant Isolation and Network Connectivity message that appears on endpoints that have been isolated. |
Device Control Exception Enhancement (Requires a Cortex XDR agent 7.8 or a later release) | You can now add a comment to your Device Permanent Exceptions. |
Support File Data Protection | To provide an extra layer of protection for the support file generated from the endpoint, the zip file is now password protected with an encrypted password. You can obtain the password by copying the encrypted code and running it in the Retrieve Support File Password option from the Tokens and Password button on the All Endpoints page. |
File System Scanning (Linux) | Cortex XDR can scan your Linux endpoints for dormant malware. The agent examines the files on the endpoint using a default list of scanned directories, which can be expanded or reduced. When a malicious file is detected during the scan, the agent reports the malware to Cortex XDR, so you can take action to remove the malware before it attempts to harm the endpoint. You can scan the endpoints in several ways. |
Helm Charts Upgrade (Linux) | The agent installation now includes the new package type Helm Installer. The Helm Installer is used for fresh installations and upgrades of Cortex XDR agents running on Kubernetes. |
Forensics | |
File Name Field with Regex Support | To enable you to drill down further when performing a Forensic File Search, the File Name field has been added in the Action Center. The File Name field allows you to add a regular expression to match against the names of files within the paths specified. |
Stacking UI for Process Execution and Persistence Data | To assist you in hunting malware across your computer network, Cortex XDR has added the option to group by particular columns (file name or file hashes) within the Forensics tables Process Execution and Persistence. The grouping button shows the number of affected endpoints for each grouped column. This enables you to perform hunting via frequency analysis and provides a bird's-eye view of potential malware files that require further analysis. |
Windows Memory Collection | Certain forensic artifacts are never written to disk; they only exist in memory. Cortex XDR can now collect the entire contents of memory from Windows endpoints. Once a memory image has been captured from one of your XDR endpoints, you can download the image and perform a full analysis using industry-standard tools. In the Action Center, create a new action and select Memory Collection. This enables you to select a Windows endpoint from which the memory image is captured. You can then download a zip file containing the image. You also have the option to add Memory Collection to an offline triage configuration. This option enables you to capture the memory image along with the other triage options selected from offline endpoints. |
API | |
New User Value in Get All Endpoints | When running the Get All Endpoints API, Cortex XDR now displays the user value in the response. |
New Update Alerts API | To expand your API capabilities, Cortex XDR now allows you to update the severity, status, and comment of existing alerts by running the new Update Alerts API. |
New Get License Info API | To expand your API capabilities, Cortex XDR now allows you to get your tenant license information by running the new Get License Info API. |
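The Local Analysis and WildFire alert aggregation row above describes a grouping rule (same agent ID and file hash, folded into one alert per 60-minute interval, displayed as Local Analysis Malware with the grouped count). The Python below is an added illustration of that rule as an analyst might model it when reconciling raw alert exports against the aggregated Alerts table; it is not Cortex XDR code. The field names, the use of fixed 60-minute wall-clock buckets, the "Local Analysis Malware (N)" rendering, and the sample alerts are all assumptions constructed for the example.

```python
"""Model of the Local Analysis / WildFire alert aggregation described in the
Cortex XDR 3.4 release notes. Added example; not Cortex XDR code. Field names,
bucket semantics and the display format are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Alert sources that the release notes say are aggregated together.
AGGREGATED_SOURCES = {"Local Analysis", "WildFire"}
AGGREGATION_WINDOW = timedelta(minutes=60)
AGGREGATED_NAME = "Local Analysis Malware"


@dataclass
class Alert:
    """A raw (pre-aggregation) alert. Constructed shape, not the product schema."""
    alert_id: int
    name: str          # alert source, e.g. "Local Analysis" or "WildFire"
    agent_id: str
    file_hash: str     # SHA-256 of the flagged file (constructed values below)
    timestamp: datetime


@dataclass
class AlertRow:
    """One row of the Alerts table after aggregation."""
    name: str
    agent_id: str
    file_hash: str
    first_seen: datetime
    last_seen: datetime
    aggregated: bool = False
    members: List[int] = field(default_factory=list)  # raw alert IDs folded in

    @property
    def count(self) -> int:
        return len(self.members)

    @property
    def display_name(self) -> str:
        # Assumed rendering: aggregated rows carry the number of grouped alerts.
        return f"{self.name} ({self.count})" if self.aggregated else self.name


def aggregate_alerts(alerts: List[Alert],
                     window: timedelta = AGGREGATION_WINDOW) -> List[AlertRow]:
    """Fold Local Analysis / WildFire alerts with the same (agent_id, file_hash)
    that fall into the same fixed window into one row; pass other alerts through.
    Fixed epoch-aligned buckets are an assumption about "every 60 minutes"."""
    rows: Dict[Tuple, AlertRow] = {}
    window_s = window.total_seconds()
    for a in sorted(alerts, key=lambda x: x.timestamp):
        if a.name in AGGREGATED_SOURCES:
            bucket = int(a.timestamp.timestamp() // window_s)
            key = (a.agent_id, a.file_hash, bucket)
            row = rows.get(key)
            if row is None:
                row = AlertRow(AGGREGATED_NAME, a.agent_id, a.file_hash,
                               a.timestamp, a.timestamp, aggregated=True)
                rows[key] = row
            row.members.append(a.alert_id)
            row.last_seen = a.timestamp
        else:
            # Non-aggregated alert types keep one row per alert.
            rows[("single", a.alert_id)] = AlertRow(
                a.name, a.agent_id, a.file_hash, a.timestamp, a.timestamp,
                members=[a.alert_id])
    return sorted(rows.values(), key=lambda r: r.first_seen)


def build_sample_alerts() -> List[Alert]:
    """Constructed sample input: two agents, one hash, one unrelated alert type."""
    t = lambda h, m: datetime(2022, 7, 24, h, m, tzinfo=timezone.utc)
    h = "a" * 64  # constructed placeholder hash
    return [
        Alert(1, "Local Analysis", "agent-1", h, t(10, 5)),
        Alert(2, "WildFire", "agent-1", h, t(10, 40)),      # same hour as 1
        Alert(3, "Local Analysis", "agent-1", h, t(11, 10)),  # next window
        Alert(4, "Local Analysis", "agent-2", h, t(10, 20)),  # other agent
        Alert(5, "Behavioral Threat Protection", "agent-1", h, t(10, 30)),
    ]


if __name__ == "__main__":
    for row in aggregate_alerts(build_sample_alerts()):
        print(f"{row.first_seen:%H:%M} {row.agent_id:8} {row.display_name}")
```

Running the block prints four rows: alerts 1 and 2 collapse into one "Local Analysis Malware (2)" row for agent-1, alert 3 starts a new row because it falls in the next hour, agent-2 gets its own row, and the behavioral alert passes through unchanged. When reconciling counts, the grouped-count in the Alert Name is the only place the original alert multiplicity survives, so export that field rather than counting rows.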
Features Releasing in May
New features in the Cortex® XDR 3.3 release.
The following table describes new features in the Cortex XDR 3.3 release. The release is divided into two deployments: May 15, 2022 and May 22, 2022.

Feature | Description |
---|---|
Investigation and Response | |
New Incident and Alert Severity | To streamline the management of your incidents and alerts, Cortex XDR now enables you to define a new Critical severity type for your incidents and alerts. The Critical severity type is now visible in the Incident and Alert tables, IP Address/Hash Views, Detection Rules, and API calls. You can also search for Critical severity in the Quick Launcher. |
New XQL Configuration for Case Sensitivity (Requires a Cortex XDR Pro license) | To make it easier for you to configure in one central area whether case sensitivity is applied across Cortex XDR, Cortex XDR now includes a new XQL Configuration section under Settings > Configurations > General > Server Settings, which controls whether Case Sensitivity (case_sensitive) is applied throughout the application. This setting overrides any other default configuration except for BIOCs, which remain case insensitive regardless of this configuration. |
Translate to XQL Enhancements (Requires a Cortex XDR Pro per TB license) | To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes additional enhancements to improve the overall user experience and supports more Splunk functions and stages that can be translated to XQL. |
New XQL Syntactic Sugar Available for JSON Functions (Requires a Cortex XDR Pro license) | To make it easier for you to write your Cortex XDR Query Language (XQL) queries, Cortex XDR now enables using syntactic sugar for a set of JSON functions. |
New XQL Operator and Functions Available (Requires a Cortex XDR Pro license) | To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports a new operator and new functions. The new operator and functions can also be used in the [INGEST] section when creating Parsing Rules. |
Correlation Rule Alert Enrichment Based on User Defined Fields (Requires a Cortex XDR Pro license) | To help you better manage the alerts associated with your Correlation Rules, Cortex XDR enables you to enrich alerts with user-defined settings. When configuring an Action to generate an Alert for a Correlation Rule, you can now customize the Alert Settings. |
Retrieve Endpoint Support File Enhancements | To streamline the process of retrieving endpoint support files, Cortex XDR now allows you to download one or more endpoint support files to a Cortex XDR server, instead of locally, where they can then be accessed via a secured link. Support files are stored by Cortex XDR for 30 days; however, the secured link is valid for only 7 days. After the 7-day period, you will need to generate a new link in order to access the files. |
Improvement in Searching Child or Common Schemas in MSSP and MTH XQL queries | To improve Cortex XDR Query Language (XQL) query results, Cortex XDR has enhanced the XQL Search. When searching data in multiple MSSP and MTH tenants, XQL queries now return all child or common datasets with the same dataset name, even if the fields contain different data types or one of the datasets is missing some fields. In this case, Cortex XDR displays only the common fields. |
Search and Destroy action validates hash against VirusTotal and WildFire | Cortex XDR validates the hash against VirusTotal and WildFire to provide additional context before initiating the File Destroy action. |
External Data Ingestion | |
Data Collector Enhancements to Support Additional Log Formats for Data Ingestion (Requires a Cortex XDR Pro per TB license) | To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports additional log formats for those data collectors. |
Improved Office 365 Data Collector (Requires a Cortex XDR Pro per TB license) | To prevent email from building up in the compliance mailbox when collecting Microsoft Office 365 emails via Microsoft's Graph API, Cortex XDR has improved the Office 365 data collector so that after the emails are ingested they are deleted from the compliance mailbox. |
Office 365 Data Collector Enhancements for Normalizing Azure AD Audit Logs (Requires a Cortex XDR Pro per TB license) | To expand your investigation capabilities, you can configure Cortex XDR to normalize Azure AD audit logs when using an Office 365 data collector. |
Office 365 Data Collector Enhancements to include File Hash in Email Attachment Details (Requires a Cortex XDR Pro per TB license) | To enhance the current data ingestion capabilities, Cortex XDR now includes the file hash in the attachment details when using an Office 365 data collector to ingest Microsoft Office 365 emails via Microsoft's Graph API. |
New Google Workspace Data Collector (Requires a Cortex XDR Pro per TB license) | Cortex XDR can now ingest logs and data from Google Workspace, for several content types, using a new data collector called Google Workspace. To receive data, configure the Google Workspace data collector under Settings > Configurations > Data Collection > Collection Integrations in Cortex XDR. As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the content type of the data collected. This enables you to search the logs using XQL Search. |
New Palo Alto Networks IoT Security Data Collector (Requires a Cortex XDR Pro per TB license) | Cortex XDR can now ingest Palo Alto Networks IoT Security solution alerts and assets directly, via an API, using a new data collector called IoT Security. Cortex XDR adds IoT Security alerts to the Cortex XDR Alerts table and groups them into Incidents. Cortex XDR also adds IoT Devices to the Cortex XDR Assets table. As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for devices only (panw_iot_security_devices_raw). This enables you to initiate XQL Search queries and create Correlation Rules. |
Workday Data Collector Enhancements | To expand your investigation and analytics capabilities, Cortex XDR now uses a structured schema when using the Workday data collector. To get the best Analytics results, use the fields from the recommended schema. |
XDR Collector Collection Enhancements (Requires a Cortex XDR Pro per TB license) | To align the Cortex XDR Collectors data collection capabilities with the other data collectors available, Cortex XDR now supports all sections in the filebeat.yml configuration file, including Filebeat fields and tags. As a result, you can use fields to identify the product/vendor for the data collected by the XDR Collectors, so the collected events go through the ingestion flow (Parsing Rules). |
Upgrade Filebeat Version to 7.17.1 for XDR Collectors (Requires a Cortex XDR Pro per TB license) | Cortex XDR now supports using Filebeat version 7.17.1 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines. |
New Support for Collecting JSON and Raw Multiline Logs (Requires a Cortex XDR Pro per TB license) | To extend the current data collection capabilities for JSON and Raw logs, Cortex XDR now supports collecting multiline JSON and Raw logs using several of the data collectors. |
Data Management | |
Event Forwarding to External Storage | To enable you to save your data in an external location, Cortex XDR now supports exporting logs using Event Forwarding. Cortex XDR added a new Event Forwarding section under Settings > Configurations > Data Management. |
Endpoint Protection | |
Global Analytics Profiles (Cortex XDR agent 7.7 or a later release) | Cortex XDR now leverages aggregated and anonymized cross-tenant profiles to detect abnormal behavior, allowing the detection of new behaviors across multiple tenants and catching new types of attacks that might not be visible from a single tenant. Alerts raised by the cross-tenant profiles are marked in the Alerts table as Global Analytics type alerts. |
Agent tokens maintained and managed by Cortex XDR (Cortex XDR agent 7.7.1 or a later release) | Cortex XDR now offers a solution to ease password management and distribution. Cortex XDR maintains and manages tokens for each of the agents and can generate temporary tokens on demand. When performing an action on the agent that requires a password entry, all you need to do is retrieve the hash from the agent to get the token password from Cortex XDR for that agent. The token is automatically assigned to every endpoint and can be used to perform any action requiring a password on the agent. If needed, the admin can create a token with an expiration for any endpoint or group of endpoints and use it to manage those endpoints for the pre-defined period. The token can also be retrieved for an endpoint that lost connectivity to the server, by extracting the token hash on the endpoint and retrieving the original token from that hash on the server. |
Endpoint Content Version Status Enhancement (Cortex XDR agent 7.7 or a later release) | To help you gain better visibility of your endpoint content versions, Cortex XDR now displays a new Content Status field in the All Endpoints table and a new Agent Content Status Breakdown widget, which show the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7-day period; only after this period can Cortex XDR display whether the endpoint content version is up to date or outdated. Content Status is calculated every 30 minutes, so there may be a delay of up to 30 minutes in displaying the data. |
New Endpoint Tagging (Cortex XDR agent 7.7.1 or a later release) | To streamline how you manage your endpoints, Cortex XDR now allows you to tag endpoints using the Cortex XDR management console and on the endpoint during installation and over the agent lifespan. Each endpoint can be assigned one or more dynamic tags you define, allowing you flexibility in how you filter and group your endpoints. To easily track the tags associated with the endpoints, in the All Endpoints and Forensics tables a new Endpoint Tags field displays how the tag was assigned to the endpoint: Server (via the management console) or Agent (via installation and cytool arguments). |
CIS Benchmark Capabilities (Requires a Cortex XDR Cloud per Host License) | To streamline and improve your incident investigation effort and time on Linux, Docker, and Kubernetes platforms, Cortex XDR now incorporates CIS Critical Security Controls to provide you with tools to prevent the next incident. In addition to vulnerabilities already presented at the asset level, Cortex XDR now displays compliance violation information and the context of suspicious resources. Using predefined Cortex XDR or customized endpoint regulation policies, you can now find and prioritize incidents that involve resources with a high risk level, enabling you to present and investigate an accurate and prioritized incident response process. To track and manage security and compliance violations detected by Cortex XDR, a new Compliance Dashboard and Compliance Violation Table display aggregated violation data. |
Endpoint Log Collection (Cortex XDR agent 7.7.1 or a later release) | To help Cortex XDR better track your Cortex XDR agent stability, Cortex XDR can collect your agent logs to improve the agent stability. Collection of the logs is enabled by default and is recommended by Cortex XDR. You can choose to disable it under Settings > General > Agent Configurations > Cortex XDR Log Collection. |
Scope-Based Access Control (SBAC) for Endpoint Policies and Profiles (Cortex XDR agent 7.7.1 or a later release) | Cortex XDR now enables you to segment how you manage policies and profiles of endpoint groups. By default, all users have management access to endpoints in your tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then able to create, edit, and remove policies and profiles specific only to the endpoint groups within that scope. |
New Block List Hash Capabilities (Cortex XDR agent 7.7.1 or a later release) | To streamline hash termination in your environment, Cortex XDR now allows you to define an optional setting to terminate hashes on the endpoint regardless of the malware profile settings, from Action Center > Block List > Override Report mode. |
Export and Import of Endpoint Policies and Profiles (Cortex XDR agent 7.7.1 or a later release) | Cortex XDR now allows you to export and import endpoint policies and profiles from the Policy Management tables. |
Broker VM Version 16.1.4 | |
New Apache Kafka Collector in the Broker VM (Requires a Cortex XDR Pro per TB license) | The Broker VM now provides a new Apache Kafka Collector applet that enables you to monitor and collect events from a topic of an Apache Kafka server in self-managed on-premise configurations. After you activate the Kafka Collector applet, you can collect events as datasets (<Vendor>_<Product>_raw) by defining the collector settings. |
New Support for Displaying Denied URLs Notification in the Local Agent Settings Applet of the Broker VM | To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR now displays a list of Denied URLs. These URLs are displayed when you hover over the Local Agent Settings applet in the Broker VMs page to view the Connectivity Status in the APPS column of the table. As a result, when the Local Agent Settings applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment. |
New Dataset Fields Available for Broker VM (Requires a Cortex XDR Pro license) | To expand your investigation capabilities, new fields are now available, where applicable, for any dataset and can be queried in XQL Search. |
Broker VM XDR Console Enhancements | To help you better manage your registered Broker VMs, Cortex XDR now enables you to configure the Broker VM SSL Certificates in the Cortex XDR Console. Previously, SSL certificates could only be configured by logging in to the Broker VM using the IP address. |
Broker VM Hardening | To align the Broker VM with the Center for Internet Security (CIS) guidelines, the Broker VM has been hardened so that it is now compatible with CIS level 2 hardening requirements. These changes are only supported through a fresh install of the Broker VM starting from version 16.0 and are not supported with an upgrade. |
Forensics | |
Search Collections added to Forensics add-on | To enable the collection of forensically relevant search results, the Cortex XDR Forensics add-on now includes Search Collections by default, with a set of default Search Collections. |
New WildFire Verdict field added to Forensics artifacts | Cortex XDR has expanded its Forensics capabilities by displaying the WildFire verdict for Execution and Persistence type artifacts. If there is a WildFire verdict, the relevant Verdict is displayed, and a link to the WildFire analysis report is available for review. |
Audit Logs | |
New Management Audit Log Type | To extend visibility into the management audit logs, a new log type called Security Settings was added, with several subtypes. |
API | |
Improved Endpoint Visibility | To help you better manage your endpoint content versions, Cortex XDR now displays new fields in the Get Endpoint API response. |
Features Releasing in February
New features in the Cortex® XDR™ 3.2 release.
The following table describes new features in the Cortex XDR 3.2 release. The release will be divided into two deployments: February 27, 2022 and March 6, 2022.

Feature | Description |
---|---|
General | |
Redesigned Cortex XDR Console | To streamline the investigation of your Cortex XDR data, a redesigned console now showcases the Cortex XDR capabilities in a clear and efficient way using a new responsive sidebar navigation. The sidebar navigation allows you to easily find your way through the Cortex XDR investigation capabilities while providing greater real estate to display and assess your data. |
Cortex XDR Gateway Renaming | To ensure a cohesive user experience, Cortex XDR Gateway has been renamed Cortex Gateway. |
In-App Cortex XDR Agent End-of-Life Notification | Cortex XDR now displays a notification 90 days prior to agent version end-of-life (EOL). Tenants with active agents of the version will receive a notification in the Notification Center indicating an upcoming EOL. The same notification will appear again 30 days before the due date if additional agents with this version remain. In addition, in the Endpoint Administration table, endpoints with non-supported versions will be flagged with a red indicator. |
New Support to Display a Release Banner a Week before a Scheduled Release | To help you prepare for a scheduled release and become familiar with the upcoming features, Cortex XDR now displays a New Release banner a week before a scheduled release. Starting from Cortex XDR version 3.3, the New Release banner will be displayed in the user interface a week before the scheduled release date. This banner will indicate the date, scheduled release time frame, and version number, and provide a link to the Release Notes, where you can get more information about the upcoming features. |
New Support for Role-Based Access Control Managing User Groups Permissions | To enable you to properly manage user group permissions for a number of different system users in Cortex XDR, Cortex XDR now provides enhancements for managing user groups and group roles using role-based access control (RBAC). |
New Critical Environment Cortex XDR Version | Cortex XDR now allows you to define endpoints with Critical Environment Cortex XDR agent versions. Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum. Defining an endpoint with a Critical Environment agent version requires you to create and define specific settings. To easily track the endpoints defined as Critical Environment, in the Endpoint Administration table, Cortex XDR displays a new Version Type field stating whether the endpoint is defined as a Standard or Critical Environment agent. |
Forensics | |
Forensics Add-On Sub-domain Name Change | When enrolling in the Forensics Add-On, users with Account Admin and Instance Admin permissions can now change the tenant subdomain, for example from oldName.xdr.us.paloaltonetworks.com to newName.xdr.us.paloaltonetworks.com. |
Investigation and Response | |
New Personalized Cortex XDR Dashboard | To help you better visualize and manage your incidents, tasks, and MTTR, Cortex XDR introduces a new predefined dashboard called My Dashboard with a set of new widgets. |
New Cloud Inventory Dashboard | To help you better visualize and manage your assets on the cloud, Cortex XDR introduces a new predefined dashboard called Cloud Inventory Dashboard with a set of new widgets. |
New Alert Management Capabilities | To help you better manage the Alerts associated
with your incidents, Cortex XDR now allows you to perform the following
actions on each alert:
In the Alerts Table, right-click an alert to Change Severity and/or Change
Status. Any update made to an alert impacts the associated incident. An
incident with all its associated alerts marked as resolved is automatically
set to Auto-Resolved. Cortex XDR will continue to group Alerts to an
Auto-Resolved Incident for up to 6 hours. If an alert is triggered during
this period, Cortex XDR will re-open the Incident. To ensure consistency,
when resolving an incident, you can now also select to Mark all alerts as
resolved. To help you track the alert resolution status, Cortex XDR now
displays in the Alerts Table a new Resolution Status field. |
Asset Management Enhancements | To provide greater visibility of network assets
and better align with other Cortex XDR offerings, Assets > Asset Management has
been renamed Assets > Asset Inventory. In addition, the new All Assets page,
previously called Assets, now enables you to toggle between the Legacy View of
the page and the new Advanced View, which includes the following features.
The Legacy View in the Asset Inventory page will be deprecated in
the upcoming Cortex XDR release. |
Asset Inventory Support in Quick Launcher | To improve the search and investigative functionality
of the Quick Launcher, the Quick Launcher now supports searching in other
tables related to Asset Inventory, previously called Asset Management,
so you can query for a specific Asset Name or IP address. In addition, two
new actions are now available when searching for Asset Inventory data.
|
Correlation Rules Enhancement to Support
Error Handling and Reporting ( Requires a Cortex XDR Pro license ) | To help you easily identify and resolve Correlation
Rules errors, Cortex XDR now includes error handling by providing
the following error messages in the applicable scenarios.
The Correlation Rules page indicates the error in the LAST EXECUTION column
by displaying the last execution time in a red font and providing
a description of the Correlation Rule Error when hovering over the field. In
addition, a notification is displayed to indicate these Correlation
Rules errors. |
New Support for Converting Splunk Queries
to XQL Queries in XQL Search ( Requires a Cortex XDR Pro license ) | To help you easily convert your existing Splunk
queries to the Cortex XDR Query Language (XQL) syntax,
Cortex XDR now includes in XQL Search a new toggle called Translate to XQL. When
building your XQL query and this option is selected, both a SPL
query field and XQL query field
are displayed, so you can easily add a SPL query, which is converted
to XQL in the XQL query field. This option
is disabled by default, so only the XQL query field is displayed. |
New XQL Array Index Value Function ( Requires
a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) now
includes a new function called arrayindexof that enables you
to return a value related to an array in one of the following ways.
|
New Support for using Contains and Not Contains
Operators within Arrays in XQL ( Requires a Cortex XDR
Pro license ) | Cortex XDR Query Language (XQL) now
supports using Contains and Not Contains operators within arrays. |
New Support for an Optional by Clause in
a Comp Stage in XQL ( Requires a Cortex XDR Pro license ) | Cortex XDR Query Language (XQL) now
supports using an optional by clause in a comp stage, which was
previously required. |
XQL Query Language Enhancements for Case
Sensitivity ( Requires a Cortex XDR Pro license ) | The Cortex XDR Query Language (XQL) is
extended to support the case_sensitive value in functions and stages, as
opposed to this previously being supported only in filters. If you do not
specify case_sensitive in your query, the default behavior is true: case is
considered when evaluating field values. This can change your current query
results, including Correlations and XQL-based dashboards, because previously
case was not considered when evaluating field values in functions and
stages, and now it is considered by default. |
External Data Ingestion | |
Data Collector Enhancements to Support Additional
Log Formats for Data Ingestion ( Requires a Cortex XDR
Pro per TB license ) | To expand the current data ingestion capabilities
for existing data collectors, Cortex XDR now supports the following
additional log formats for the data collectors listed.
|
New Microsoft Office 365 Data Collection ( Requires
a Cortex XDR Pro per TB license ) | Cortex XDR can now ingest the following logs
and data from the Microsoft Office 365 Management Activity API and Microsoft
Graph API using a new data collector called Office 365.
To receive data, configure the Office 365 data collector under
Settings > Configurations > Data Collection > Collection Integrations
in Cortex XDR. As soon as Cortex XDR begins receiving logs,
the app automatically creates an applicable dataset matching the
log type for the data collected. This enables you to search the
logs using XQL Search. |
Support Filebeat Version 7.16 for Windows
DHCP Collector ( Requires a Cortex XDR Pro per TB license ) | Cortex XDR now supports using Elasticsearch
Filebeat version 7.16 with the Windows DHCP Data Collector. |
New Dataset Fields Available for XDR Collectors ( Requires
a Cortex XDR Pro license ) | To expand your investigation capabilities, the
following XDR Collector fields (where applicable) are available
for any dataset and can be queried in XQL Search.
|
Data Management | |
New Period Based Retention Policy ( Requires
new retention licenses ) | To enhance the data retention offerings, Cortex
XDR now supports a new period-based retention policy for the following retentions.
To support these changes, the
following updates have been implemented in the user interface.
Note: The new Period Based Retention Policy offerings require new licenses for
v3.2. |
New Simulate View in the Parsing Rules Editor ( Requires
a Cortex XDR Pro per TB license ) | To improve the overall user experience and
minimize user errors when creating Parsing Rules, Cortex XDR now
includes a new Simulate view in the Parsing Rules
editor. This view enables you to test your Parsing Rules on actual
logs and validate their outputs. The editor includes the following sections.
|
New Support for using Parsing Rules in the
Broker VM ( Requires a Cortex XDR Pro per TB license ) | To help you avoid sending unnecessary data
to the XDR server and reduce traffic, storage, and computing costs,
Cortex XDR now supports using Parsing Rules to define the specific
data captured by the broker VM in a new section called [COLLECT]. The [COLLECT] section
is optional to configure, but once added this section runs before
the [INGEST] section to enable data reduction
and data manipulation at the broker VM. The [COLLECT] section uses
the same syntax as the [INGEST] section and is
configured in the same screen. It also follows the format as detailed
in the following example.
|
Parsing Rules Supports using an arrayfilter
Function and iploc Stage Command ( Requires a Cortex XDR
Pro per TB license ) | To enhance the current Parsing Rules offerings
in Cortex XDR, Cortex XDR now supports configuring the following
new function and stage command in the INGEST section.
|
Endpoint Protection | |
Enhanced Endpoint Cloud Metadata ( Requires
a Cortex XDR Pro license ) | To allow for greater flexibility when investigating
your data, Cortex XDR now displays in the Endpoint Administration table
the Cloud Instance Metadata field. The
field provides IBM and Alibaba Cloud data reported by the endpoint. |
Agent Auto-Upgrade Delay | To help you better manage your agent auto-upgrades,
Cortex XDR now allows you to define a Delayed Auto Upgrade Roll-out. In
the Agent Settings, select whether to roll out an auto-upgrade immediately
or define a delay period of 7-45 days from the agent release date. |
New Upgrade Agents Action Center Capabilities | To help better manage your agent upgrades,
Cortex XDR now allows you in the Action Center to
track in the Status field which agent upgrade
failed and directly create an Upgrade action for one
or more of the failed agents. |
Broker VM Version 15.1.4 | |
New Support for Configuring the Broker VM
as Proxy Server for another Broker VM | To help you easily route all traffic between the
Cortex XDR management server and Cortex XDR agents through the broker
VM, it is now possible to designate a broker VM as a proxy server
for another broker VM (i.e. chaining). Previously, the broker VM
could only act as a proxy server for agents. This is now available
to configure when logging in to the broker VM (https://<broker_vm_ip_address>/)
and configuring the broker VM settings. In the Proxy Server section,
when you set the Type to HTTP to
route broker VM communication, you need to add the IP address and
port number (set when activating the Agent Proxy) of the other
broker VM registered in your tenant that you want to designate as
a proxy for this broker VM. |
New Support to Improve the Right-Click Option
for Generating New Logs in the Broker VM | To clarify the difference between the two options
available for creating and downloading logs under Broker Management in
Cortex XDR, the right-click option previously called Download
Latest Logs was renamed to Generate New Logs. This
option regenerates the most up-to-date logs and downloads them once
they are ready, as opposed to the other option called Download
Logs (TIMESTAMP) , which downloads the logs from the
last creation date reflected in the TIMESTAMP. |
New Support for Tail Mode Data Collection
for the Files and Folder Collector in the Broker VM ( Requires
a Cortex XDR Pro per TB license ) | The broker VM’s Files and Folders Collector applet
now supports collecting logs from files and folders in a network
share for a Windows directory in tail mode, as opposed to only batch
mode. When you configure the Files and Folders Collector applet,
a new toggle button called Mode is now displayed
when configuring the Files and Folders Settings .
There are 2 modes available.
For backward compatibility, any Files
and Folders Collector applet previously configured before
version 3.2 will have the Mode automatically
set to Batch . |
API | |
New Get Alert Timestamp Filter | To expand your API capabilities, Cortex XDR
now allows you to filter the Get Alerts API
results according to the timestamp of when Cortex XDR created the
alert using server_creation_time . |
New Retrieve PAN NGFW Alert Packet Data
API | To expand your alert investigation capabilities,
Cortex XDR now indicates in the Get Alerts and Get Extra Incident Data API
responses whether a PAN NGFW type alert contains a PCAP triggering packet. Using
the new Retrieve PCAP Packet API, you
can now retrieve a list of alert IDs and the associated PCAP data. |
Multitenants and MSSPs | |
Forensics Add-On Multitenant Management
Support Enhancements | To expand your Forensics MSSP functionality,
Cortex now allows you to view the following Forensics tables of
your child tenants:
|
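A poller built around the new server_creation_time filter of the Get Alerts API (the API row above), as an added example that is not Palo Alto Networks' code: it pages through every alert Cortex XDR created in a time window and hands back the start of the next window, so an integration never skips late-arriving alerts whose detection timestamp predates the window. The endpoint path, request body shape, response keys and API-key headers are assumptions taken from the public Cortex XDR API reference rather than from this page; the tenant FQDN is a placeholder and the sample alerts are constructed.

```python
# Endpoint path, body shape and response keys are assumed from the public API reference.
API_PATH = "/public_api/v1/alerts/get_alerts_multi/"

def build_get_alerts_request(since_ms, until_ms, page=0, page_size=100):
    """Filter on server_creation_time (when Cortex XDR created the alert), not the detection time."""
    return {"request_data": {
        "filters": [
            {"field": "server_creation_time", "operator": "gte", "value": since_ms},
            {"field": "server_creation_time", "operator": "lte", "value": until_ms},
        ],
        "search_from": page * page_size,
        "search_to": (page + 1) * page_size,
        "sort": {"field": "server_creation_time", "keyword": "asc"},
    }}

def poll_new_alerts(post, since_ms, until_ms, page_size=100):
    """Return every alert created in [since_ms, until_ms] plus the next window start (no gaps, no re-reads)."""
    alerts, page = [], 0
    while True:
        reply = post(API_PATH, build_get_alerts_request(since_ms, until_ms, page, page_size))["reply"]
        alerts.extend(reply["alerts"])
        if not reply["alerts"] or len(alerts) >= reply["total_count"]:
            return alerts, until_ms + 1
        page += 1

def make_post(tenant_fqdn, api_key_id, api_key):
    """Real transport for a tenant (placeholder FQDN); standard API-key headers as assumed here."""
    import requests  # lazy import: the offline demo below never sends traffic
    def post(path, body):
        r = requests.post(f"https://{tenant_fqdn}{path}", json=body, timeout=30,
                          headers={"x-xdr-auth-id": str(api_key_id), "Authorization": api_key})
        r.raise_for_status()
        return r.json()
    return post

# Constructed sample alerts (not real data); timestamps are epoch milliseconds.
SAMPLE_ALERTS = [
    {"alert_id": "1001", "severity": "high", "server_creation_time": 1645920000000},
    {"alert_id": "1002", "severity": "medium", "server_creation_time": 1645923600000},
    {"alert_id": "1003", "severity": "low", "server_creation_time": 1645927200000},
]

def fake_post(path, body):
    """Constructed offline stand-in for the tenant: applies the time filters and the paging window."""
    assert path == API_PATH
    rd = body["request_data"]
    lo, hi = rd["filters"][0]["value"], rd["filters"][1]["value"]
    hits = [a for a in SAMPLE_ALERTS if lo <= a["server_creation_time"] <= hi]
    page = hits[rd["search_from"]:rd["search_to"]]
    return {"reply": {"total_count": len(hits), "result_count": len(page), "alerts": page}}
```

Run `poll_new_alerts(fake_post, 1645920000000, 1645926000000, page_size=1)` to see two pages collected and the next window start returned; swap in `make_post(...)` for a real tenant.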