1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ Release Notes
    5. Cortex XDR Release Information
    6. Features Introduced in Cortex XDR
    7. Features Introduced in 2022

    Features Introduced in 2022

    Learn more about Cortex XDR features introduced during 2022 by month and functional area.
    The following topics describe the Cortex XDR features introduced in 2022 by month.

    Features Releasing in May

    New features in the Cortex® XDR 3.3 release.
    The following table describes new features in the Cortex XDR 3.3 release. The release is divided into two deployments: May 15, 2022 and May 22, 2022.
    Feature
    Description
    Investigation and Response
    New Incident and Alert Severity
    To streamline the management of your incidents and alerts, Cortex XDR now enables you to define a new Critical severity type for your incidents and alerts.
    The Critical severity type is now visible in the Incident and Alert tables, IP Address/Hash Views, Detection Rules, and API calls. You can also search for Critical severity in the Quick Launcher.
    New XQL Configuration for Case Sensitivity
    (
    Requires a Cortex XDR Pro license
    )
    To make it easier for you to configure whether case sensitivity is applied across Cortex XDR in one central area, Cortex XDR now includes a new XQL Configuration section in the
    Settings
    Configurations
    General
    Server Settings
    . This section enables you to configure whether
    Case Sensitivity (case_sensitive)
     is applied throughout the application. This setting overwrites any other default configuration except for BIOCs, which will remain case insensitive no matter what this configuration is set to.
    Translate to XQL Enhancements
    (
    Requires a Cortex XDR Pro per TB license
    )
    To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes additional enhancements to improve the overall user experience and supports more Splunk functions and stages that can be translated to XQL.
    New XQL Syntactic Sugar Available for JSON Functions
    (
    Requires a Cortex XDR Pro license
    )
    To make it easier for you to write your Cortex XDR Query Language (XQL) queries, Cortex XDR now enables using a syntactic sugar for the following JSON functions.
    • json_extract, using the following syntactic sugar format.
      <json_object_formatted_string> -> <field_path>{}
    • json_extract_array, using the following syntactic sugar format.
      <json_array_string> -> <field_path>[]
    • json_extract_scalar, using the following syntactic sugar format.
      <json_object_formatted_string> ->  <field_path>
    New XQL Operator and Functions Available
    (
    Requires a Cortex XDR Pro license
    )
    To expand your investigation capabilities, Cortex XDR Query Language (XQL) now supports using the following new operator and functions.
      • incidr
        ,
        not incidr
        —To search for an IP address or IP range using CIDR notation.
    • Functions
      • arraycreate—Returns an array based on the given parameters defined for the array elements.
      • arraymerge—Merges a number of arrays, including a number of arraymap() function arrays, into a single array.
      • object_create—Returns an object based on the given parameters defined for the key and value pairs.
    The new operator and functions can also be used in the [INGEST] section when creating Parsing Rules.
    Correlation Rule Alert Enrichment Based on User Defined Fields
    (
    Requires a Cortex XDR Pro license
    )
    To help you better manage the Alerts associated with your Correlation Rules, Cortex XDR enables you to enhance
    Alerts
     with user defined settings. When configuring an
    Action
     to generate an
    Alert
     for a Correlation Rule, you can now customize the following Alert Settings.
    • Alert Name
      —New field which can be customized using static or dynamic values.
    • Alert Source
      —New field which can be customized using static or dynamic values.
    • Severity
      —Cortex XDR-defined values now include
      Critical
      . In addition to Cortex XDR-defined values, you can now select user defined fields from inside the query.
    • Category
      —In addition to Cortex XDR-defined values, you can now select user defined fields from inside the query.
    Retrieve Endpoint Support File Enhancements
    To streamline the process of retrieving endpoint support files, Cortex XDR now allows you to download one or more endpoint support files to a Cortex XDR server, instead of locally, that can then be accessed by a secured link.
    Support files are stored by Cortex XDR for 30 days, however the secured link is valid for only 7 days. Following the 7 day period, in order to access the files you will need to generate a new link.
    Improvement in Searching Child or Common Schemas in MSSP and MTH XQL queries
    To improve Cortex XDR Query Language (XQL) query results, Cortex XDR has enhanced the
    XQL Search
    . Whensearching data in multiple MSSP and MTH tenants , XQL queries now return all child or common datasets with the same dataset name, even if the fields contain different data types or one of the datasets is missing some fields. In this case, Cortex XDR displays only the common fields.
    Search and Destroy action validates hash against VirusTotal and WildFire
    Cortex XDR validates the hash against VirusTotal and Wildfire, to provide additional context before initializing the File Destroy action.
    External Data Ingestion
    Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
    (
    Requires a Cortex XDR Pro per TB license
    )
    To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
    Improved Office 365 Data Collector
    (
    Requires a Cortex XDR Pro per TB license
    )
    To prevent email from building up in the compliance mailbox when collecting Microsoft Office 365 emails via Microsoft’s Graph API, Cortex XDR has improved the Office 365 data collector so that after the emails are ingested they are deleted from the compliance mailbox.
    Office 365 Data Collector Enhancements for Normalizing Azure AD Audit Logs
    (
    Requires a Cortex XDR Pro per TB license
    )
    To expand your investigation capabilities, you can configure Cortex XDR to normalize Azure AD audit logs when using an Office 365 data collector.
    Office 365 Data Collector Enhancements to include File Hash in Email Attachment Details
    (
    Requires a Cortex XDR Pro per TB license
    )
    To enhance the current data ingestion capabilities, Cortex XDR now includes the file hash in the attachment details when using an Office 365 data collector to ingest Microsoft Office 365 emails via Microsoft’s Graph API.
    New Google Workspace Data Collector
    (
    Requires a Cortex XDR Pro per TB license
    )
    Cortex XDR can now ingest logs and data from Google Workspace using a new data collector called Google Workspace for the following types of content.
    • Gmail
    • Admin Console
    • Google Chrome
    • Google Drive
    • User Accounts
    • Token
    • SAML
    • Login
    • Rules
    • Google Chat
    • Enterprise Groups
    To receive data, configure
    Settings
    Configurations
    Data Collection
    Collection Integrations
     for the
    Google Workspace
     data collector in Cortex XDR.
    As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the content type for the data collected. This enables you to search the logs using XQL Search.
    New Palo Alto Networks IoT Security Data Collector
    (
    Requires a Cortex XDR Pro per TB license
    )
    Cortex XDR can now ingest Palo Alto Networks IoT Security solution alerts and assets directly using a new data collector called IOT Security via an API.
    Cortex XDR adds IOT Security alerts to the Cortex XDR Alerts table and groups them into Incidents. Cortex XDR also adds IOT Devices to the Cortex XDR Assets table.
    As soon as Cortex XDR begins collecting data, the app automatically creates a new dataset for devices only (
    panw_iot_security_devices_raw
    ). This enables you to initiate XQL Search queries and create Correlation Rules.
    Workday Data Collector Enhancements
    To expand your investigation and analytics capabilities, Cortex XDR now uses a structured schema when using the Workday data collector. To get the best Analytics results, use the fields from the recommended schema.
    XDR Collector Collection Enhancements
    (
    Requires a Cortex XDR Pro per TB license
    )
    To align the Cortex XDR Collectors data collection capabilities with the other data collectors available, Cortex XDR now supports all sections in the filebeat.yml configuration file, such as support for Filebeat fields and tags. As a result, this enables you to use
    fields
     to identify the product/vendor for the data collected by the XDR Collectors so the collected events go through the ingestion flow (Parsing Rules).
    Upgrade Filebeat Version to 7.17.1 for XDR Collectors
    (
    Requires a Cortex XDR Pro per TB license
    )
    Cortex XDR now supports using Filebeat version 7.17.1 when using XDR Collectors for On-premise Data Collection on Windows and Linux machines.
    New Support for Collecting JSON and Raw Multiline Logs
    (
    Requires a Cortex XDR Pro per TB license
    )
    To extend the current data collection capabilities for JSON and Raw logs, Cortex XDR now supports collecting multiline JSON and Raw logs using the following data collectors.
    Data Management
    Event Forwarding to External Storage
    To enable you to save your data in an external location, Cortex XDR now supports exporting logs using Event Forwarding.
    Cortex XDR added a new
    Event Forwarding
     section under
    Settings
    Configurations
    Data Management
     where you can activate your Event Forwarding licenses and specify the path and credentials of your external storage destination.
    • Event Forwarding GB
       exports parsed logs for XDR pro TB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the XDR data layer, e.g. for compliance requirements and machine learning purposes.
    • Event Forwarding EP
       exports raw EDR data for XDR pro EP and XDR Cloud endpoints.
    Endpoint Protection
    Global Analytics Profiles
    (
    Cortex XDR agent 7.7 or a later release
    Cortex XDR now leverages aggregated and anonymized cross-tenant profiles to detect abnormal behavior allowing the detection of new behaviors across multiple tenants and catch new types of attacks that might not arise from a single tenant.
    Alerts raised by the cross-tenant profiles will be marked in the
    Alerts
     table as
    Global Analytics
     type alerts.
    Agent tokens maintained and managed by Cortex XDR
    (
    Cortex XDR agent 7.7.1 or a later release
    Cortex XDR now offers a solution to ease password management and its distribution. Cortex XDR maintains and manages tokens for each of the agents and can generate temporary tokens on demand.
    When performing an action on the agent that requires a password entry, all you need to do is retrieve the hash from the agent to get the token password from Cortex XDR for that agent.
    The token is automatically assigned to every endpoint and can be used to perform any action requiring a password on the agent. If needed, the admin can create a token for any endpoint or a group of endpoints with an expiration and use to manage those endpoints for the pre-defined period. The token can also be retrieved for an endpoint that lost connectivity to the server by extracting the token hash on the endpoint and retrieving the original token from that hash on the server.
    Endpoint Content Version Status Enhancement
    (
    Cortex XDR agent 7.7 or a later release
    To help you gain better visibility of your endpoint content versions, Cortex XDR now displays the following new field in the
    All Endpoints
     table
    Content Status
     and new widget
    Agent Content Status Breakdown
    .
    Displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period. Only following this period can Cortex XDR display whether the endpoint content version is up to date or outdated.
    • Up to Date
       - The endpoint is running with the latest content version
    • Waiting for Update
       - Cortex XDR is in the process of updating the new content version. Depending on your bandwidth and network connection, updating the content version may take time.
    • Outdated
       - The endpoint is running on an outdated content version.
    • Offline
       - The endpoint is disconnected.
    Content Status is calculated every 30 minutes, therefore, there could be a delay of up to 30 minutes in displaying the data.
    New Endpoint Tagging
    (
    Cortex XDR agent 7.7.1 or a later release
    To streamline how you manage your endpoints, Cortex XDR now allows you to tag endpoints using the Cortex XDR management console and on the endpoint during installation and agent lifespan.
    Each endpoint can be assigned one or more dynamic tags you define allowing you flexibility with how you filter and group your endpoints.
    To easily track the tags associated with the endpoints, in the
    All Endpoints
     and
    Forensics
     tables, a new
    Endpoint Tags
     field displays how the tag was assigned to the endpoint; via the management console -
    Server
    , or installation and cytool arguments -
    Agent
    .
    CIS Benchmark Capabilities
    (
    Requires a Cortes XDR Cloud per Host License
    )
    To streamline and improve your incident investigation effort and time on Linux, Docker, and Kubernetes platforms, Cortex XDR now incorporates CIS Critical Security Controls to provide you with tools to prevent the next incident.
    In addition to vulnerabilities already presented at the asset level, Cortex XDR now displays compliance violation information and the context of suspicious resources. Using predefined Cortex XDR or customized endpoint regulation policies, you can now find and prioritize incidents that involve resources with a high-risk level, enabling you to present and investigate an accurate and prioritized incident response process.
    To track and manage security and compliance violations detected by Cortex XDR, a new
    Compliance Dashboard
     and
    Compliance Violation Table
     display the following aggregated data:
    • Compliance Rate
       - The compliance rate of the passed and failed checks.
    • Compliance Rate per Regulation
       - Breakdown of the compliance rate per regulation policy.
    • Most violated Compliance Checks
      - The compliance checks with the highest number of violated assets.
    • Top Violated Assets
       - Assets with the highest number of failed compliance checks.
    • Number of Violations by Severity
       - The sum of failed compliance checks by severity.
    • Number of Checks by Status
       - The sum of checks by status.
    Endpoint Log Collection
    (
    Cortex XDR agent 7.7.1 or a later release
    To help Cortex XDR better track your Cortex XDR agent stability, Cortex XDR can collect your agent logs to improve the agent stability.
    Collection of the logs is enabled by default and is recommended by Cortex XDR. You can choose to disable in
    Settings
    General
    Agent Configurations
    Cortex XDR Log Collection
    > section.
    Scope-Based Access Control (SBAC) for Endpoint Policies and Profiles
    (
    Cortex XDR agent 7.7.1 or a later release
    Cortex XDR now enables you to segment how you manage policies and profiles of endpoint groups.
    By default, all users have management access to endpoints in your tenant. However, after you (as an administrator) assign a management scope to a Cortex XDR user, the user is then able to create, edit, and remove policies and profiles specific only to the endpoint groups within that scope.
    New Block List Hash Capabilities
    (
    Cortex XDR agent 7.7.1 or a later release
    To streamline hash termination in your environment, Cortex XDR now allows you to define an optional setting to terminate hashes on the endpoint regardless of the malware profile settings.
    From the
    Action Center
    Block List
     page, select to
    Override Report mode
    .
    Export and Import of Endpoint Policies and Profiles
    (
    Cortex XDR agent 7.7.1 or a later release
    Cortex XDR now allows you from the Policy Management tables to export and import endpoint policies and profiles.
    Broker VM
    Version 16.0.45
    New Apache Kafka Collector in the Broker VM
    (
    Requires a Cortex XDR Pro per TB license
    )
    The broker VM now provides a new Apache Kafka Collector applet that enables you to monitor and collect events from a topic of an Apache Kafka server for self-managed on-premise configurations.
    After you activate the
    Kafka Collector
     applet, you can collect events as datasets (
    <Vendor>_<Product>_raw
    ) by defining the following.
    • Apache Kafka connection details including the Bootstrap Server List and Authentication Method.
    • Topics Collection configuration for the various Apache Kafka topics that you want to collect.
    New Support for Displaying Denied URLs Notification in the Local Agent Settings Applet of the Broker VM
    To help you easily troubleshoot connectivity issues for a Local Agent Settings applet on the Palo Alto Networks Broker VM, Cortex XDR now displays a list of
    Denied URLs
    . These URLs are displayed when you hover over the
    Local Agent Settings
     applet in the Broker VMs page to view the
    Connectivity Status
     in the
    APPS
     column of the table. As a result, in a situation where the
    Local Agent Settings
     applet is reported as activated with a failed connection, you can easily determine the URLs that need to be allowed in your network environment.
    New Dataset Fields Available for Broker VM
    (
    Requires a Cortex XDR Pro license
    )
    To expand your investigation capabilities, the following new fields are now available, where applicable, for any dataset and can be queried in XQL Search.
    • _broker_name
      —The
      _broker_name
       is taken from the
      Device Name
       configured for the Broker VM.
    • _log_source_file_name
      —The log file name that the event came from configured for the Broker VM applet.
    • _log_source_file_path
      —The file path to the log file that the event came from configured for the Broker VM applet.
    Broker VM XDR Console Enhancements
    To help you better manage your registered Broker VMs, Cortex XDR now enables you to configure the Broker VM SSL Certificates in the Cortex XDR Console. Previously, SSL certificates could only be configured by logging in to the Broker VM using the IP address.
    Broker VM Hardening
    To align the broker VM to the Center for Internet Security (CIS) guidelines, the broker VM has been hardened so it's now compatible with CIS level 2 hardening requirements.
    These changes are only supported through a fresh install of the broker VM starting from version 16.0 and are not supported with an upgrade.
    Forensics
    Search Collections added to Forensics add-on
    To enable the collection of forensically relevant search results, the Cortex XDR Forensics add-on now includes Search Collections by default. The current default Search Collections include the following.
    • Credential Harvesting
    • Process Execution
    • Lateral Movement
    • Persistence
    • Suspicious Indicators
    • Antivirus Events
    • Powershell Events
    • Network Events
    • Sysmon Events
    • Authentication Events
    New Wildfire Verdict field added to Forensics artifacts
    Cortex XDR has expanded its Forensics capabilities by displaying the WildFire verdict for the following Execution and Persistence type artifacts.
    • Prefetch
    • RecentFileCache
    • Shimcache
    • UserAssist
    • Drivers
    • Registry
    • Scheduled Tasks
    • Services
    • Startup Folders
    If there is a WildFire verdict, the relevant
    Verdict
     is displayed.
    • Unknown
    • Benign
    • Malware
    • Grayware
    Also, a link to the WildFire analysis report is available for review.
    Audit Logs
    New Management Audit Log Type
    To extend visibility to the management audit logs, a new log type called Security Settings was added with the following subtypes.
    • Change Session Expiration
    • Change Session's Approved Domains
    • Change Session's Approved CIDRs
    • Change User Expiration Settings
    API
    Improved Endpoint Visibility
    To help you better manage your endpoint content versions, Cortex XDR now displays in the
    Get Endpoint
    API response the following new fields:
    • Content Status Table Field
      Displays the status of the content version on the relevant endpoint. Cortex XDR attempts to contact an endpoint and check the content version over a 7 day period. Only following this period can Cortex XDR display whether the endpoint content version is up to date or outdated.
      • Up to Date
         - The endpoint is running with the latest content version
      • Waiting for Update
        - Cortex XDR is in the process of updating the new content version. Depending on your bandwidth and network connection, updating the content version may take time.
      • Outdated
         - The endpoint is running on an outdated content version.
      • Offline
         - The endpoint is disconnected.
        Content Status is calculated every 30 minutes, therefore, there could be a delay of up to 30 minutes in displaying the data.
    • operating_system
    • mac_address
    • assigned_prevention_policy
    • assigned_extensions_policy

    Features Releasing in February

    New features in the Cortex® XDR™ 3.2 release.
    The following table describes new features in the Cortex XDR 3.2 release. The release will be divided into two deployments: February 27, 2022 and March 6, 2022.
    Feature
    Description
    General
    Redesigned Cortex XDR Console
    To streamline the investigation of your Cortex XDR data, a redesigned console now showcases the Cortex XDR capabilities in a clear and efficient way using a new responsive sidebar navigation.
    The sidebar navigation allows you to easily find your way through the Cortex XDR investigation capabilities while providing greater real estate to display and assess your data.
    Cortex XDR Gateway Renaming
    To ensure a cohesive user experience, Cortex XDR Gateway has been renamed Cortex Gateway.
    In-App Cortex XDR Agent End-of-Life Notification
    Cortex XDR now displays a notification 90 days prior to agent version end-of-life (EOL). Tenants with active agents of the version will receive a notification in the Notification Center indicating an upcoming EOL. The same notification will appear again 30 days before the due date if additional agents with this version remain.
    In addition, in the
    Endpoint Administration
    table, endpoints with non-supported versions will be flagged with a red indicator.
    New Support to Display a Release Banner a Week before a Scheduled Release
    To help you prepare for a scheduled release and become familiar with the upcoming features, Cortex XDR now displays a
    New Release
     banner a week before a scheduled release. Starting from Cortex XDR version 3.3, the
    New Release
     banner will be displayed in the user interface a week before the scheduled release date. This banner will indicate the date, scheduled release time frame, version number, and provide a link to the
    Release Notes
    , where you can get more information about the upcoming features.
    New Support for Role-Based Access Control Managing User Groups Permissions
    To enable you to properly manage user groups permissions for a number of different system users in Cortex XDR, Cortex XDR now provides the following enhancements for managing user groups and group roles using role-based access control (RBAC).
    • A new User Groups page is now available for managing user groups in
      Configurations
      Access Management
      User Groups
      . You can perform the following tasks from this page.
      • Import a single existing group from Active Directory that you want to manage in Cortex XDR.
        This feature is only available if you enabled the Cloud Identity Engine in
        Configurations
        Integrations
        Cloud Identity Engine
        .
      • Create a new user group for a number of different system users or groups.
      • Save an existing group as a new group.
      • Edit a group.
      • Remove a group.
    • The Users page in
      Configurations
      Access Management
      Users
       contains the following enhancements for managing user groups and group roles.
      • A new right-click option on a user row is now available called
        Update User Role/Group
        , which enables you to perform the following.
        • Add a particular user to a group.
        • Set and manage a role for all these system users belonging to the same group at once.
        • Show Accumulated Permissions
           for the user(s) based on the
          Direct Role
           and
          Group Roles
           assigned to the user(s).
      • The
        Users
         table now contains the following new columns.
        • Groups
          : Lists the groups that a user belongs to, where any group imported from Active Directory has the letters
          AD
           added beside the group name.
        • Group Roles
          : Lists the different group roles based on the groups the user belongs to. When you hover over the group role, the group associated with this role is displayed.
    • The Permissions page of the
      Cortex Gateway
       (previously called
      Cortex XDR Gateway
      ) now includes the following enhancements.
      • A notification has been added indicating that
        Groups
         and
        Group Roles
         can only be configured in Cortex XDR in the
        Configurations
        Access Management
        User Groups
         page.
      • New columns for the
        Groups
         and
        Group Roles
         are now included in the table.
    • An improved user experience when creating a
      New Role
       in the
      Roles
       page, so it is easier to set permissions. The
      Create Role
       page has been updated with separate tabs for
      Components
       and
      Datasets
      . The Cortex XDR
      Components
       are now listed according to navigation screens and you can set permissions for each component to
      View
      ,
      View
       and
      Edit
      , or
      None
      , where some components have an additional actions level to define.
    New Critical Environment Cortex XDR Version
    Cortex XDR now allows you to define endpoints with Critical Environment Cortex XDR agent versions.
    Critical Environment Versions are designed for sensitive and highly regulated environments and do not contain all updates and content existing in the standard version. Therefore, it is recommended to restrict the use of these versions to the required minimum.
    Defining an endpoint with a Critical Environment agent version will require you to create and define the following:
    • Agent Configuration
    • Agent Installer
    • Upgrade and Auto-Upgrade Paths
    • Agent Settings
    To easily track the endpoints defined as Critical Environment, in the
    Endpoint Administration
     table, Cortex XDR displays a new
    Version Type
     field stating whether the endpoint is defined as a
    Standard
     or
    Critical Environment
     agent.
    Forensics
    Forensics Add-On Sub-domain Name Change
    When enrolling in the Forensics Add-On, users with Account Admin and Instance Admin permissions can now change the tenant subdomain:
    oldName.xdr.us.paloaltonetworks.com
     to
    newName.xdr.us.paloaltonetworks.com
    Investigation and Response
    New Personalized Cortex XDR Dashboard
    To help you better visualize and manage your incidents, tasks, and MTTR, Cortex XDR introduces a new predefined dashboard called My Dashboard with the following new widgets.
    • My Incidents
      —Displays the incidents assigned to the logged-in user.
    • My MTTR
      —Displays the Mean Time to Resolve (MTTR) incidents assigned to the logged-in user, compared to the defined Target MTTR.
    • My Open Incidents by Severity
      —Displays the number of open incidents assigned to the logged-in user over the last 30 days.
    • My Incidents Over Time
      —Displays the daily number of new and resolved incidents assigned to the logged-in user over the past 14 days.
    New Cloud Inventory Dashboard
    To help you better visualize and manage your assets on the cloud, Cortex XDR introduces a new predefined dashboard called Cloud Inventory Dashboard with the following new widgets.
    • Accounts by Cloud Provider
      —Displays the number of accounts held in each cloud provider.
    • Compute Instances Over Time
      —Displays the number of times a virtual machine instance is used over time.
    • Assets by Cloud Provider
      —Displays the number of assets stored in each cloud provider.
    • Assets by Type
      —Displays a breakdown of cloud assets by type.
    • Assets by Sub-Type
      —Displays a breakdown of cloud assets by sub-type.
    • Assets by Geo Region
      —Displays a breakdown of assets in each geographic region.
    • Assets by Region
      —Displays a breakdown of assets in each region.
    • Assets by Responsive Port Number
      —Displays the number of exposed cloud assets by port number.
    • Responsive Assets Over Time
      —Displays the number of exposed cloud assets over time.
    New Alert Management Capabilities
    To help you better manage the Alerts associated with your incidents, Cortex XDR now allows you to perform the following actions on each alert:
    • View and update Alert Severity
    • View and update Alert Status
    In the
    Alerts Table
    , right-click an alert to now
    Change Severity
     and/or
    Change Status
     an alert.
    Any update made to an alert impacts the associated incident. An incident with
    all
     its associated alerts marked as resolved is automatically set to
    Auto-Resolved
    . Cortex XDR will continue to group Alerts to an Auto-Resolved Incident for up to 6 hours. In the case where an alert is triggered during this duration, Cortex XDR will re-open the Incident.
    To ensure consistency, when resolving an incident, you can now also select to
    Mark all alerts as resolved
    .
    To help you track the alert resolution status, Cortex XDR now displays in the Alerts Table a new
    Resolution Status
     field.
    Asset Management Enhancements
    To provide greater visibility of network assets and better align with other Cortex XDR offerings,
    Assets
    Asset Management
     has been renamed to
    Assets >
    Asset Inventory. In addition, the new
    All Assets
     page, previously called
    Assets
    , now enables you to toggle between the
    Legacy View
     of the page and the new
    Advanced View
    , which includes the following features.
    • You can view the data in a table format by accessing the new pages for
      All Assets
       and
      Specific Assets
      , including
      On-Prem Assets
       and
      Cloud Compute Instances
      .
    • The table columns provide newly structured data with updated filtering capabilities to improve your asset visibility.
    • When any row in a table is selected, a side panel on the right with greater details is displayed, where you can view additional data divided by sections. The section heading names and data displayed change depending on the source of the assets.
    The
    Legacy View
     in the
    Asset Inventory
     page will be deprecated in the upcoming Cortex XDR release.
    Asset Inventory Support in Quick Launcher
    To improve the search and investigative functionality of the Quick Launcher, the Quick Launcher now supports searching in other tables related to
    Asset Inventory
    , previously called
    Asset Management
    , so you can query for a specific Asset Name or IP address. In addition, 2 new actions are now available when searching for Asset Inventory data.
    • Change search to <host name of asset>
       to display additional actions related to that host. This option is only relevant when searching for an IP address that is connected to an asset.
    • Open in Asset Inventory
       is a new pivot available when the host name of an asset is selected.
    Correlation Rules Enhancement to Support Error Handling and Reporting
    (
    Requires a Cortex XDR Pro license
    )
    To help you easily identify and resolve Correlation Rules errors, Cortex XDR now includes error handling by providing the following error messages in the applicable scenarios.
    • Invalid query
    • Query timeout
    • Dependency correlation did not complete
    • Unknown error
    The Correlation Rules page indicates the error in the
    LAST EXECUTION
     column by displaying the last execution time in a red font and providing a description of the Correlation Rule Error when hovering over the field.
    In addition, a notification is displayed to indicate these Correlation Rules errors.
    New Support for Converting Splunk Queries to XQL Queries in XQL Search
    (
    Requires a Cortex XDR Pro license
    )
    To help you easily convert your existing Splunk queries to the Cortex XDR Query Language (XQL) syntax, Cortex XDR now includes in XQL Search a new toggle called Translate to XQL. When building your XQL query and this option is selected, both a
    SPL query
     field and
    XQL query
     field are displayed, so you can easily add a SPL query, which is converted to XQL in the
    XQL query
     field. This option is disabled by default, so only the XQL query field is displayed.
    New XQL Array Index Value Function
    (
    Requires a Cortex XDR Pro license
    )
    The Cortex XDR Query Language (XQL) now includes a new function called arrayindexof that enables you to return a value related to an array in one of the following ways.
    • Returns the 0-based index of a particular array element if a particular array is not empty and the specified condition using an
      @element
       is true. The format is
      arrayindexof(<array>, "@element"<operator*>"<array element>")
      *The
      <operator>
       can be any of the ones supported, such as
      =
       and
      !=
      .
    • Returns 0 if a particular array is not empty and the specified condition is true using the format.
      arrayindexof(<array>, <condition>)
      If the condition is not met, a NULL value is returned.
    New Support for using Contains and Not Contains Operators within Arrays in XQL
    (
    Requires a Cortex XDR Pro license
    )
    Cortex XDR Query Language (XQL) now supports using Contains and Not Contains operators within arrays.
    New Support for an Optional by Clause in a Comp Stage in XQL
    (
    Requires a Cortex XDR Pro license
    )
    Cortex XDR Query Language (XQL) now supports using an optional by clause in a comp stage, which was previously required.
    XQL Query Language Enhancements for Case Sensitivity
    (
    Requires a Cortex XDR Pro license
    )
    The Cortex XDR Query Language (XQL) is extended to support case_sensitive value queries in functions and stages, as opposed to this previously only being supported in filters. If you do not provide this stage in your query, the default behavior is true; case is considered when evaluating field values.
    This can impact your current query results, including Correlations and XQL based dashboards, as previously case was not considered when evaluating field values in functions and stages, and now case is considered by default.
    External Data Ingestion
    Data Collector Enhancements to Support Additional Log Formats for Data Ingestion
    (
    Requires a Cortex XDR Pro per TB license
    )
    To expand the current data ingestion capabilities for existing data collectors, Cortex XDR now supports the following additional log formats for the data collectors listed.
    New Microsoft Office 365 Data Collection
    (
    Requires a Cortex XDR Pro per TB license
    )
    Cortex XDR can now ingest the following logs and data from Microsoft Office 365 Management Activity API and Microsoft Graph API using a new data collector called Office 365.
    • Microsoft Office 365 audit events from Management Activity API.
    • Microsoft Office 365 emails via Microsoft’s Graph API.
    • Azure AD authentication and audit events from Microsoft Graph API. As a result, the previous
      Azure AD
       data collector has been integrated to this new
      Office 365
       data collector. To maintain backward compatibility, the previous data collector configuration is maintained and continues working as before.
    To receive data, configure
    Configurations
    Data Collection
    Collection Integrations
     settings for the Microsoft
    Office 365
     data collector in Cortex XDR.
    As soon as Cortex XDR begins receiving logs, the app automatically creates an applicable dataset matching the log type for the data collected. This enables you to search the logs using XQL Search.
    Support Filebeat Version 7.16 for Windows DHCP Collector
    (
    Requires a Cortex XDR Pro per TB license
    )
    Cortex XDR now supports using Elasticsearch Filebeat version 7.16 with the Windows DHCP Data Collector.
    New Dataset Fields Available for XDR Collectors
    (
    Requires a Cortex XDR Pro license
    )
    To expand your investigation capabilities, the following XDR Collector fields (where applicable) are available for any dataset and can be queried in XQL Search.
    • _log_source_file_name
      —Displays the file name from where the event originated.
    • _log_source_file_path
      —Displays the file path of the file from where the event originated.
    Data Management
    New Period Based Retention Policy
    (
    Requires new retention licenses
    )
    To enhance the data retention offerings, Cortex XDR now supports a new period based retention policy for the following retentions.
    • Hot Storage
      —Fully searchable storage, for investigation and threat hunting. Hot storage was always supported and is now referred to explicitly in the user interface and documentation as hot storage.
    • Cold Storage
      —Cheaper storage usually for long-term compliance needs with a limited search option. Cold storage is new for this release.
    To support these changes, the following updates have been implemented in the user interface.
    • XQL Search—Hot Storage queries are performed on a dataset using the format
      dataset = <dataset name>
      , while Cold Storage queries are performed using a new syntax
      cold_dataset = <dataset name>
      . You can also build a query that investigates data in both a
      cold_dataset
       and hot
      dataset
       in the same query.
    • Compute Units Usage Page: Any
      cold_dataset
       query consumes Compute Units (CU) based on your quota, which are also consumed by the XQL API. As a result, the previous
      Configurations
      Data Management
      XQL API Usage
       page has been renamed to
      Compute Units Usage
      . This page now displays both information related to your public APIs and Cold Storage.
      You can always increase the free tier of Compute Units provided by purchasing an add-on.
    • Query Center—This page now includes a new column called
      COMPUTE UNIT USAGE
       to display the Public APIs and Cold Storage usage. In addition, the previous
      COMPUTE UNIT USAGE
       column is now renamed to
      SIMULATE COMPUTE UNITS
       to display Hot Storage usage.
    • Dataset Management Page—Updated to reflect these changes.
    Note: The new New Period Based Retention Policy offerings require new licenses for v3.2.
    New Simulate View in the Parsing Rules Editor
    (
    Requires a Cortex XDR Pro per TB license
    )
    To improve the overall user experience and minimize user errors when creating Parsing Rules, Cortex XDR now includes a new Simulate view in the Parsing Rules editor. This view enables you to test your Parsing Rules on actual logs and validate their outputs. The editor includes the following sections.
    • A list of the current
      User defined rules
       on the left side of the window.
    • A table of the existing
      XQL Samples
       on the right side of the window, which contain sample logs listing the
      Vendor
      ,
      Product
      ,
      Raw_Log
      , and
      Sample Time
      . For each Vendor and Product, up to 5 different samples are available to choose from. From this list, you can select the logs used to simulate the rule.
    • Log Output
      displays a table of the relevant logs per dataset, including other columns, at the bottom of the window.
    New Support for using Parsing Rules in the Broker VM
    (
    Requires a Cortex XDR Pro per TB license
    )
    To help you avoid sending unnecessary data to the XDR server and reduce traffic, storage, and computing costs, Cortex XDR now supports using Parsing Rules to define the specific data captured by the broker VM in a new section called [COLLECT]. The
    [COLLECT]
     section is optional to configure, but once added this section runs before the
    [INGEST]
     section to enable data reduction and data manipulation at the broker VM. The
    [COLLECT]
     section uses the same syntax as the
    [INGEST]
     section and is configured in the same screen. It also follows the format as detailed in the following example.
    [COLLECT:vendor="Apache", product="ApacheServer", target_brokers = (bvm1, bvm2, bvm3), no_hit = drop]alter source_log = json_extract_scalar(_raw_log, "$.source") | filter source_log = "WebApp-Logs"| fields source_log, _raw_log;
    Parsing Rules Supports using an arrayfilter Function and iploc Stage Command
    (
    Requires a Cortex XDR Pro per TB license
    )
    To enhance the current Parsing Rules offerings in Cortex XDR, Cortex XDR now supports configuring the following new function and stage command in the INGEST section.
    • arrayfilter () function—Filters the results of an array in one of the following ways.
      • Returns the results when a certain condition is applied to the array.
      • Returns the results when a particular array is set to a specific array element.
    • iploc stage: Associates the IPv4 address of any field to a list of predefined attributes related to the geolocation.
    Endpoint Protection
    Enhanced Endpoint Cloud Metadata
    (
    Requires a Cortex XDR Pro license
    )
    To allow for greater flexibility when investigating your data, Cortex XDR now displays in the
    Endpoint Administration
     table the
    Cloud Instance Metadata
     field.
    The field provides IBM and Alibaba Cloud data reported by the endpoint.
    Agent Auto-Upgrade Delay
    To help better manage your agent auto-upgrades, Cortex XDR now allows you to define a
    Delayed Auto Upgrade Roll-out
    .
    In the Agent Settings, select whether to rollout an auto-upgrade immediately or define a delay period of 7-45 days from the agent release date.
    New Upgrade Agents Action Center Capabilities
    To help better manage your agent upgrades, Cortex XDR now allows you in the
    Action Center
     to track in the
    Status
     field which agent upgrade failed and directly create an Upgrade action for one or more of the failed agents.
    Broker VM
    Version 15.1.4
    New Support for Configuring the Broker VM as Proxy Server for another Broker VM
    To help you easily route all traffic between the Cortex XDR management server and Cortex XDR agents using the broker VM, it is now possible to designate the broker VM as a proxy server for another broker VM (i.e. chaining). Previously, the broker VM could only act as a proxy server for agents. This is now available to configure when logging in to the broker VM (
    https://<broker_vm_ip_address>/.
    ), and configuring the broker VM settings. In the Proxy Server section, when you set the
    Type
     to
    HTTP
     to route broker VM communication, you need to add the IP address and port number (set when activating the Agent Proxy) for the other broker VM registered in your tenant that you want to designate as a proxy for this broker VM.
    New Support to Improve the Right-Click Option for Generating New Logs in the Broker VM
    To clarify the difference between the two options available for creating and downloading logs under
    Broker Management
     in Cortex XDR, the right-click option previously called
    Download Latest Logs
     was renamed to Generate New Logs. This option regenerates the most up-to-date logs and downloads them once they are ready, as opposed to the other option called
    Download Logs (TIMESTAMP)
    , which downloads the logs from the last creation date reflected in the TIMESTAMP.
    New Support for Tail Mode Data Collection for the Files and Folder Collector in the Broker VM
    (
    Requires a Cortex XDR Pro per TB license
    )
    The broker VM’s Files and Folders Collector applet now supports collecting logs from files and folders in a network share for a Windows directory in tail mode, as opposed to only batch mode. When you configure the
    Files and Folders Collector
     applet, a new toggle button called
    Mode
     is now displayed when configuring the
    Files and Folders Settings
    . There are 2 modes available.
    • Tail
      —Continuously monitors files for new data (default).
    • Batch
      —Reads entire file and then renames/deletes uploaded files.
    For backward compatibility, any
    Files and Folders Collector
     applet previously configured before version 3.2 will have the
    Mode
     automatically set to
    Batch
    .
    API
    New Get Alert Timestamp Filter
    To expand your API capabilities, Cortex XDR now allows you to filter the
    Get Alerts
     API results according to the timestamp of when Cortex XDR created the alert using
    server_creation_time
    .
    New Retrieve PAN NGFW Alert Packet Data API
    To expand your alert investigation capabilities, Cortex XDR now displays in the
    Get Alerts
     and
    Get Extra Incident Data
     APIs response whether an PAN NGFW type alert contains a PCAP triggering packet.
    Using the new
    Retrieve PCAP Packet
     API, you can now retrieve a list of alert IDs and the associated PCAP data.
    Multitenants and MSSPs
    Forensics Add-On Multitenant Management Support Enhancements
    To expand your Forensics MSSP functionality, Cortex now allows you to view the following Forensics tables of your child tenants:
    • Forensics Search
    • Forensics Search Collections
    • Host Timelines
    • Process Execution
    • File Access
    • Persistence
    • Command History
    • Network
    • Remote Access
    • Triage All
    • File Listing
    • Registry Listing
    • Event Logs
    • Volatile

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo