Palo Alto Networks released Cortex XDR 2.3. Read about the new features available in Cortex XDR 2.3, including Incident Management, Agent Management, and Global Improvements, and see how these features can help keep your network secure.
NOTE: Features requiring Cortex XDR agent 7.1 are coming soon and will be available with the agent release.
Incident Management
Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator.
When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.
Endpoint Prevention and Management
(Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later)
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.
To learn more about script execution, see Run Scripts on an Endpoint.
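As an added illustration of the kind of remediation script you can upload and run on endpoints (this is example code written for this article, not one of the pre-canned scripts that ship with Cortex XDR), the following Python 3.7 script sweeps a directory tree for files whose SHA-256 matches a list of known-bad hashes and moves any hits into a quarantine folder. It assumes the script exposes one entry-point function (named `run` here; the entry point name and its parameters are declared when you upload the script) and that the dict it returns is what the console stores as the per-endpoint execution result.

```python
"""Hash-based IOC sweep and quarantine, written as an endpoint script.

Example code for this article, not a Cortex XDR pre-canned script.
Assumptions: `run` is the entry point declared at upload time; its return value
(a JSON-serialisable dict) is recorded per endpoint. Standard library only.
"""
import hashlib
import os
import shutil
import time

CHUNK = 1024 * 1024  # stream files in 1 MiB chunks so large binaries do not fill memory


def sha256_of(path):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def run(root, bad_hashes, quarantine_dir, max_size=512 * 1024 * 1024, dry_run=False):
    """Walk `root`, hash every regular file up to `max_size` bytes, and move each file
    whose SHA-256 is in `bad_hashes` into `quarantine_dir`.

    Returns a report dict: how many files were hashed, which matched, which were moved,
    and which could not be read. With dry_run=True nothing is moved.
    """
    wanted = {h.lower() for h in bad_hashes}
    qdir = os.path.abspath(quarantine_dir)
    report = {"scanned": 0, "matches": [], "quarantined": [], "errors": []}
    os.makedirs(qdir, exist_ok=True)

    for dirpath, dirnames, filenames in os.walk(root):
        # never descend into the quarantine folder itself (it may live under root)
        dirnames[:] = [d for d in dirnames
                       if os.path.abspath(os.path.join(dirpath, d)) != qdir]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                digest = sha256_of(path)
            except OSError as exc:
                report["errors"].append({"path": path, "error": str(exc)})
                continue
            report["scanned"] += 1
            if digest not in wanted:
                continue
            report["matches"].append({"path": path, "sha256": digest})
            if dry_run:
                continue
            # keep the original basename but prefix it so two hits with the same name
            # in different folders cannot overwrite each other in quarantine
            target = os.path.join(qdir, "%d_%s_%s" % (int(time.time()), digest[:12], name))
            try:
                shutil.move(path, target)
                report["quarantined"].append({"from": path, "to": target})
            except OSError as exc:
                report["errors"].append({"path": path, "error": str(exc)})
    return report
```

Run it first with `dry_run=True` to see what would be moved, then for real. Because endpoint scripts execute with the agent's privileges, treat the right to upload and run scripts as a privileged role in your Cortex XDR RBAC design.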
(Cortex XDR agent 7.1 or later)
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
- Protected—Indicates that the Cortex XDR agent is running as configured and has not reported any exceptions to Cortex XDR.
- Partially protected—Indicates that the Cortex XDR agent has reported one or more exceptions to Cortex XDR.
- Unprotected—Indicates that the Cortex XDR agent has reported exceptions to Cortex XDR for the Malware protection module, and for the Behavioral threat protection or Exploit modules.
You can monitor the operational status of your endpoints from the Endpoint Administration table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.
(Windows only and with Cortex XDR agent 7.1 or later)
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the encryption tool built into Microsoft Windows. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to enforce BitLocker encryption or decryption of the endpoint's operating system disk.
To provide visibility into, and interoperability with, the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
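The following Python script is an added example (not Cortex XDR's own Disk Encryption implementation, which uses the Windows BitLocker APIs) of how an analyst can corroborate on the endpoint what the console reports: it runs `manage-bde -status`, parses the per-volume fields, and classifies each volume. It assumes `run` is the entry point declared at upload time, that `manage-bde.exe` is on the PATH, and that the output is in the English-language format; the sample output embedded in the block is constructed for the example. The edge case worth catching is a volume that is "Fully Encrypted" but has "Protection Off": BitLocker is suspended (as it is during some firmware or OS upgrades), the volume key is stored in the clear, and the data is readable despite the encryption.

```python
"""Report BitLocker status of local volumes, as an endpoint script.

Example code for this article, not Cortex XDR's Disk Encryption feature.
Assumptions: `run` is the upload-time entry point; manage-bde.exe is on PATH;
output is the English "manage-bde -status" format (Windows 10-era layout).
"""
import re
import subprocess

_VOLUME = re.compile(r"^Volume ([A-Za-z]):\s*\[(.*)\]\s*$")
_FIELD = re.compile(r"^\s{2,}([A-Za-z ]+?):\s*(.*?)\s*$")       # "    Conversion Status:    Fully Encrypted"
_PROTECTOR = re.compile(r"^\s{6,}(\S.*?)\s*$")                   # protector names indented under "Key Protectors:"

# Constructed sample of "manage-bde -status" output used by the tests and the usage example.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 475.69 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""


def parse_status(text):
    """Return {"C:": {field: value, ..., "key_protectors": [...]}, ...} from manage-bde output."""
    volumes, current, in_protectors = {}, None, False
    for line in text.splitlines():
        m = _VOLUME.match(line)
        if m:
            current = {"label": m.group(2), "key_protectors": []}
            volumes["%s:" % m.group(1).upper()] = current
            in_protectors = False
            continue
        if current is None:
            continue
        m = _FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            in_protectors = key == "Key Protectors"
            if in_protectors:
                if value and value != "None Found":
                    current["key_protectors"].append(value)
            else:
                current[key] = value
            continue
        if in_protectors:
            m = _PROTECTOR.match(line)
            if m:
                current["key_protectors"].append(m.group(1))
    return volumes


def assess(volumes):
    """Classify each volume; 'suspended' is the dangerous-looking-safe case."""
    findings = {}
    for letter, v in volumes.items():
        conv, prot = v.get("Conversion Status", ""), v.get("Protection Status", "")
        if conv == "Fully Encrypted" and prot == "Protection On":
            state = "protected"
        elif conv == "Fully Encrypted":
            state = "suspended"      # encrypted, but the key is stored in the clear
        elif conv in ("Encryption in Progress", "Decryption in Progress"):
            state = "in_progress"
        else:
            state = "unencrypted"
        protectors = v["key_protectors"]
        findings[letter] = {
            "state": state,
            "method": v.get("Encryption Method"),
            "key_protectors": protectors,
            "pin_required": any("PIN" in p for p in protectors),
        }
    return findings


def run(volume=""):
    """Entry point: query manage-bde (all volumes, or one like 'C:') and return the assessment."""
    cmd = ["manage-bde", "-status"] + ([volume] if volume else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if out.returncode != 0:
        return {"error": (out.stderr or out.stdout).strip()}
    return assess(parse_status(out.stdout))


if __name__ == "__main__":
    print(assess(parse_status(SAMPLE_STATUS)))
```

A `pin_required` of false with TPM in the protector list means the OS volume unlocks with no user secret at boot; whether that satisfies your policy is a decision to make explicitly rather than infer from "encrypted".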
(Windows only and with Cortex XDR agent 7.1 or later)
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.
To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
- The current network location of the device (inside or outside the network).
- The direction of the communication on the device (inbound or outbound).
- IP address or IP address ranges
- Ports or port ranges
- The communication protocol (ICMP, TCP, UDP, and ICMPv6).
- Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile.
(Mac only and with Cortex XDR agent 7.1 or later)
(Linux only and with Cortex XDR agent 7.1 or later)
For the detailed workflow, see Create an Agent Installation Package.
(Linux only and with Cortex XDR agent 7.1 or later)
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix.
(Cortex XDR agent 7.1 or later)
- Endpoint Management—Includes endpoint administration, endpoint group management, and agent installation package management.
- Policy Management—Now separated into two sections: Prevention/Security for managing your endpoint profiles, rules, and exceptions; and Compliance for managing your Device Control profiles, rules, and exceptions.
- Device Control Violations—Quickly view behavior flagged by Cortex XDR agents as matching a Device Control policy rule.
Global Improvements
panw-xdr-evr-prod-us.storageapis.google.com now replaces the following URLs (update any egress firewall or proxy allow-lists that still reference them):
- https://<xdr-tenant>-distributions.storage.googleapis.com
- https://<xdr-tenant>-agent-uploads.storage.googleapis.com
- https://migration-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
- https://migration-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
- https://xdr-<region>-<cortex-data-lake-tenant-ID>-agent-uploads.storage.googleapis.com
- https://xdr-<region>-<cortex-data-lake-tenant-ID>-distributions.storage.googleapis.com
Public APIs
- The filters request field is no longer mandatory for the following APIs:
- Get Incidents
- Get Endpoints
- Get Device Violations
- Get Audit Management Log
- Get Audit Agent Report
- Request either all or filtered results for:
- Scan Endpoints
- Cancel Scan Endpoints
- Get Incidents
- Get Endpoints
- Get Device Violations
- Get Audit Management Log
- Get Audit Agent Report
- Simplified request fields for:
- Isolate Endpoints
- Unisolate Endpoints
- Delete Endpoints
- Quarantine Files
- Retrieve Files
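To show what "all or filtered results" looks like on the wire, here is an added Python example (written for this article, not taken from Palo Alto Networks' documentation or SDK) that builds a Cortex XDR public API request authenticated with an Advanced API key. It assumes the API paths (`endpoints/get_endpoint`, `incidents/get_incidents`), the header names and the `request_data` layout as the author recalls them from the public API reference; confirm them against the API documentation for your tenant. The FQDN and key values in the usage section are constructed placeholders.

```python
"""Build (and optionally send) a Cortex XDR public API call with an Advanced API key.

Example code for this article, not Palo Alto Networks' code. Endpoint paths, header
names and request_data layout are assumptions from the public API reference.
"""
import hashlib
import json
import secrets
import string
import time
import urllib.request

_ALNUM = string.ascii_letters + string.digits


def build_auth_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Advanced-key auth: the secret itself never leaves the client. Only
    SHA-256(api_key + nonce + timestamp) is sent, and the server recomputes it
    from the stored key and the nonce/timestamp headers."""
    nonce = nonce or "".join(secrets.choice(_ALNUM) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    auth_key = "%s%s%s" % (api_key, nonce, timestamp_ms)
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": hashlib.sha256(auth_key.encode("utf-8")).hexdigest(),
        "Content-Type": "application/json",
    }


def build_request(fqdn, api_path, filters=None, search_from=None, search_to=None):
    """Return (url, body). With filters=None the body is {"request_data": {}} and the
    API returns everything; otherwise the filter list goes under request_data.filters."""
    request_data = {}
    if filters:
        request_data["filters"] = list(filters)
    if search_from is not None:
        request_data["search_from"] = search_from
    if search_to is not None:
        request_data["search_to"] = search_to
    url = "https://api-%s/public_api/v1/%s/" % (fqdn, api_path.strip("/"))
    return url, {"request_data": request_data}


def call_api(fqdn, api_key_id, api_key, api_path, filters=None,
             opener=urllib.request.urlopen, **paging):
    """POST the request and return the decoded JSON reply. `opener` is injectable so
    the call can be exercised offline with a fake response object."""
    url, body = build_request(fqdn, api_path, filters, **paging)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=build_auth_headers(api_key_id, api_key),
                                 method="POST")
    with opener(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholder tenant; only the connected endpoints, first page of 100.
    connected_only = [{"field": "endpoint_status", "operator": "in", "value": ["connected"]}]
    url, body = build_request("example.xdr.us.paloaltonetworks.com", "endpoints/get_endpoint",
                              filters=connected_only, search_from=0, search_to=100)
    print(url)
    print(json.dumps(body, indent=2))
    # Same call with no filter: body is {"request_data": {}} and the API returns all endpoints.
    print(json.dumps(build_request("example.xdr.us.paloaltonetworks.com", "endpoints/get_endpoint")[1]))
```

Because the nonce and timestamp are bound into the hash, a captured Authorization value cannot be replayed once the server's freshness window has passed, which is the reason to prefer Advanced keys over Standard ones for automation.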
Thanks for taking time to read the blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.