Cortex XDR Features Introduced in December 2019

Community Team Member


Palo Alto Networks has introduced new features in December 2019 for Cortex XDR 2.0 and Cortex XDR agent 7.0. Read about what has changed, what's new, and how it can help you keep your network secure. Got questions? Get answers on LIVEcommunity.

 

Cortex XDR Features Introduced in December

The following table describes the features released in December 2019 for Cortex XDR 2.0 that require Cortex XDR agent version 7.0.

 

Unified Interface for Cortex XDR and Traps

Traps advanced endpoint protection capabilities are now available in Cortex XDR. With this integration, the Traps agent is now the Cortex XDR agent in 7.0 and later agent releases. Features that you used in Traps management service are now available in the Cortex XDR interface, which now includes a new Endpoints menu. In addition, Cortex XDR now provides the following new functionality for endpoint-related alerts:

 

  • Causality View for endpoint alerts that do not contain stitched data, showing all related process and event information.
  • Detailed analysis of behavioral threat events in the Causality View.

 

As Traps transitions to management by Cortex XDR, some documentation and web interfaces may refer to the earlier name for Traps instead of the new name of Cortex XDR agent.

 

New Cortex XDR Licenses

Cortex XDR is now available in three license types:

 

  • Cortex XDR Prevent – Enables endpoint protection functionality, including exploit prevention and malware protection with the ability to manage and configure endpoint and device control security policies.
  • Cortex XDR Pro Per Endpoint – Enables the same endpoint protection functionality as the Cortex XDR Prevent license with the added benefit of EDR data collection and log stitching with third-party alerts.
  • Cortex XDR Pro Per TB – Does not include endpoint protection functionality but enables analysis of firewall traffic logs from Palo Alto Networks or external firewall vendors, such as Check Point, Cisco, and Fortinet.

 

In addition, you can now view your license details such as license type and expiration from the menu in Cortex XDR.

 

Serverless Content Distribution (Windows only)

To reduce the bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, the content update algorithm has been enhanced so that agents on your LAN can retrieve the new content version from other agents that have already retrieved it. Within the six-hour randomization window during which a Cortex XDR agent attempts to retrieve the new content version, it queries other agents twice: once within the first hour, and once again during the following five hours. If neither query obtains the new content from a peer, the agent retrieves it from Cortex XDR directly.

 

Peer-to-peer content distribution is enabled by default in the Agent Settings profile and requires that you allow TCP and UDP on port 33221 between endpoints (you can change the port later through the Agent Settings profile); scope that firewall exception to your internal subnets rather than opening it broadly. Peer-to-peer content distribution might increase traffic on the organization's LAN. When a new agent downloads content for the first time, it is unprotected from activation until it retrieves its first content from a peer agent, which can take up to 10 minutes; plan for this window on Windows endpoints and new VDI sessions.

 

Content Bandwidth Management

You can now configure the bandwidth you want to use to distribute content updates between Cortex XDR and all Cortex XDR agents. When you configure the bandwidth, you assign a value in Mbps. You can configure content bandwidth management from your Settings in Agent Configuration.

 

Device Control of USB-Connected Devices (Windows only)

To protect Windows endpoints from loading malicious files from USB-connected removable devices (CD-ROM drives, disk drives, floppy disks, and portable devices), Cortex XDR now provides Device Control. With Device Control, you can configure different policies to manage USB connectivity on your endpoints. For example, you can:

 

  • Block all supported USB-connected devices
  • Temporarily block only some USB-connected device types
  • Block a USB-connected device type but whitelist a specific vendor or product from that list and allow it read/write permissions on the endpoint

To apply Device Control to your endpoints, define Device Control profiles according to the device types and configure Device Control policies that apply to your endpoints or endpoint groups.

 

Customized User Notifications

(Windows and Mac)

You can now customize the header and footer of user notifications that the Cortex XDR Agent displays when a security event occurs. You can override the default generic texts to provide your end users with localized messages, support contact info, textual instructions, and more. Customized headers are relevant to the following types of notifications:

 

  • Exploit/Malware events set to block
  • Restriction events set to block (Windows only)
  • Restriction events set to notify user (Windows only)

You can also customize the notification footer default text. Cortex XDR displays the same footer for all notification types.

 

Remote Investigation and Remediation with Live Terminal (Linux and Mac)

If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Linux or Mac endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.

 

Retrieve File Response Action (Linux and Mac)

You can now initiate a response action to retrieve files from Linux and Mac endpoints with Cortex XDR directly. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Action Center. Cortex XDR retains retrieved files for up to one week.

 

SO Hijacking Protection (Linux only)

Cortex XDR extends Exploit Protection on Linux endpoints to also protect them from SO Hijacking attacks, in which the attacker causes a process to dynamically load a shared library (.so) from an insecure location in order to take control of that process. The Cortex XDR agent blocks this activity and raises an SO Hijacking Protection alert. The new SO Hijacking Exploit Protection module is activated automatically when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.
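As an added example (not the Cortex XDR agent's detection logic), the following Python audit makes concrete what an insecure location is: a directory on the loader's search path that a user other than root can write to, or an entry that resolves to the working directory. The function names and the sample directory listing are constructed for this example; the loader behaviour noted in the comments is that of glibc ld.so.

```python
"""Audit a Linux process's shared-library search path for hijackable directories.

Added example; not the Cortex XDR agent's detection logic. A hijackable entry is
one where a user other than root can place a same-named .so that the loader
will pick up. Names and the sample directory listing are constructed here; the
loader behaviour noted in comments is that of glibc ld.so.
"""
import os
import stat
from typing import Callable, Dict, List


def split_search_path(value: str) -> List[str]:
    """Split a colon-separated LD_LIBRARY_PATH / RPATH list.

    glibc ld.so treats an empty entry (leading, trailing or doubled colon) as
    the current working directory, so '' is kept rather than dropped. Note
    that ld.so ignores LD_LIBRARY_PATH for setuid (secure-execution) programs.
    """
    return value.split(":") if value else []


def directory_risks(st: os.stat_result) -> List[str]:
    """Reasons an existing search-path directory could be used to plant a .so."""
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    risks = []
    if st.st_uid != 0:
        risks.append("owned by uid %d, not root" % st.st_uid)
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit only stops deleting or renaming someone else's file;
        # it does nothing to stop creating a brand-new lib<name>.so here.
        risks.append("world-writable (sticky bit does not prevent creating a new file)")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        risks.append("writable by gid %d" % st.st_gid)
    return risks


def audit_search_path(entries: List[str],
                      stat_fn: Callable[[str], os.stat_result] = os.stat) -> Dict[str, List[str]]:
    """Return {entry: [reasons]} for each entry an attacker could hijack."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        if entry in ("", "."):
            findings[entry] = ["resolves to the current working directory"]
        elif "$ORIGIN" in entry:
            findings[entry] = ["$ORIGIN-relative; audit the binary's own directory instead"]
        elif not os.path.isabs(entry):
            findings[entry] = ["relative path, resolved against the working directory"]
        else:
            try:
                st = stat_fn(entry)
            except FileNotFoundError:
                findings[entry] = ["does not exist; whoever can write the parent can create it"]
                continue
            risks = directory_risks(st)
            if risks:
                findings[entry] = risks
    return findings


# --- constructed sample (no real filesystem is touched) ---------------------
def fake_stat(mode: int, uid: int = 0, gid: int = 0) -> os.stat_result:
    return os.stat_result((mode, 0, 0, 1, uid, gid, 4096, 0, 0, 0))


SAMPLE_FS = {
    "/usr/lib": fake_stat(stat.S_IFDIR | 0o755),                 # clean
    "/tmp": fake_stat(stat.S_IFDIR | 0o1777),                    # sticky, still world-writable
    "/opt/app/lib": fake_stat(stat.S_IFDIR | 0o775, gid=1001),   # app group can write
}
SAMPLE_LD_LIBRARY_PATH = "/usr/lib:/tmp:/opt/app/lib::/home/svc/lib"


def sample_stat(path: str) -> os.stat_result:
    if path in SAMPLE_FS:
        return SAMPLE_FS[path]
    raise FileNotFoundError(path)


if __name__ == "__main__":
    # With LD_LIBRARY_PATH set, audit the real environment; otherwise the sample.
    entries = split_search_path(os.environ.get("LD_LIBRARY_PATH", SAMPLE_LD_LIBRARY_PATH))
    stat_fn = os.stat if "LD_LIBRARY_PATH" in os.environ else sample_stat
    for entry, reasons in audit_search_path(entries, stat_fn).items():
        print("%-20r %s" % (entry, "; ".join(reasons)))
```

Run it as a service user with `LD_LIBRARY_PATH` set to see what that process would actually search; every flagged entry is a place where a dropped .so would be loaded ahead of, or instead of, the system copy.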

 

Extended Exploit Protection Coverage for Java Deserialization Exploits (Linux only)

Cortex XDR extends Exploit Protection on Linux endpoints to also detect Java deserialization exploits on Java-based servers. The new Exploit Protection module detects scenarios where suspicious input is attempting to execute malicious code during the Java objects deserialization process. Cortex XDR agent blocks this activity and raises a Suspicious Input Deserialization alert. You can create a Global Exception to whitelist a specific Java executable (jar, class) that you know to be benign directly from the Cortex XDR alert. The new Java Deserialization Exploit protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.

 

Administrative Actions Center in Cortex XDR

You can now perform a wide variety of administrative actions on your endpoints and monitor them from the new Action Center in Cortex XDR. For example, you can isolate endpoints, whitelist files, or initiate a bulk action to upgrade your Cortex XDR agents. After you initiate an action, Cortex XDR displays the action status in detail, allowing you to closely monitor the affected endpoints and action progress.

 

Cortex XDR Support for Fortinet and Cisco Firewall Logs and Alerts

If you use Fortinet FortiGate or Cisco ASA firewalls in your network, you can now forward your firewall logs to Cortex XDR for analysis. This enables you to take advantage of Cortex XDR anomalous behavior detection and investigation capabilities. To begin analyzing your traffic logs, you set up a syslog collector and configure your firewalls to forward logs to it. To provide seamless log ingestion, Cortex XDR automatically maps the fields in your traffic logs to the Cortex XDR log format. In addition, Cortex XDR can include your firewall alerts in incidents for additional context.
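As an added example (not Cortex XDR's own field mapping), the following Python normalizer shows what that mapping entails for the two formats named above: FortiGate traffic logs are key=value pairs, while ASA messages are prose keyed by message number and, for %ASA-6-302013 connection setups, list the lower-security interface first, so source and destination depend on the inbound/outbound keyword. The target schema, function names and log lines are constructed for this example; check the ASA direction handling against your own logs.

```python
"""Normalize FortiGate and Cisco ASA syslog traffic lines into one schema.

Added example: this is NOT Cortex XDR's internal field mapping. The target
fields (vendor, action, proto, src_ip, ...) are chosen here to illustrate
what a collector must do before cross-vendor analytics can run.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in each vendor's documented syslog format (not real traffic).
SAMPLE_LINES = [
    'date=2019-12-10 time=12:00:01 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=10.1.1.5 srcport=51234 srcintf="port1" dstip=93.184.216.34 dstport=443 '
    'dstintf="wan1" proto=6 action="accept" policyid=3 service="HTTPS" sentbyte=1200 rcvdbyte=5600',
    'date=2019-12-10 time=12:00:02 devname="FGT-EDGE" type="traffic" subtype="forward" '
    'srcip=203.0.113.7 srcport=44321 dstip=10.1.1.5 dstport=22 proto=6 action="deny" policyid=0',
    '%ASA-6-302013: Built outbound TCP connection 1186 for outside:93.184.216.34/443 '
    '(93.184.216.34/443) to inside:10.1.1.6/51300 (10.1.1.6/51300)',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/44322 dst inside:10.1.1.6/22 '
    'by access-group "outside_in" [0x0, 0x0]',
    'date=2019-12-10 time=12:00:03 devname="FGT-EDGE" type="event" subtype="system" logdesc="Admin login"',
]

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


@dataclass
class TrafficEvent:
    vendor: str
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_total: Optional[int] = None


FORTI_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
ASA_BUILT = re.compile(
    r'%ASA-\d-30201[35]: Built (inbound|outbound) (TCP|UDP) connection \d+ '
    r'for \S+:(\S+)/(\d+) \([^)]*\) to \S+:(\S+)/(\d+)')
ASA_DENY = re.compile(
    r'%ASA-\d-106023: Deny (\w+) src \S+:(\S+)/(\d+) dst \S+:(\S+)/(\d+)')


def parse_fortigate(line: str) -> Optional[TrafficEvent]:
    """FortiGate logs are key=value pairs; only type="traffic" records carry flows."""
    f = {k: v.strip('"') for k, v in FORTI_KV.findall(line)}
    if f.get("type") != "traffic":
        return None
    # accept/close/timeout all describe a permitted session; only deny is a block.
    action = "deny" if f.get("action") == "deny" else "allow"
    total = int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0))
    return TrafficEvent(
        vendor="fortigate", action=action,
        proto=PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "")),
        src_ip=f["srcip"], src_port=int(f["srcport"]),
        dst_ip=f["dstip"], dst_port=int(f["dstport"]),
        bytes_total=total or None,
    )


def parse_asa(line: str) -> Optional[TrafficEvent]:
    """ASA messages are prose keyed by message number; handle denies and connection setups."""
    m = ASA_DENY.search(line)
    if m:
        proto, sip, sport, dip, dport = m.groups()
        return TrafficEvent("cisco_asa", "deny", proto.lower(), sip, int(sport), dip, int(dport))
    m = ASA_BUILT.search(line)
    if m:
        direction, proto, a_ip, a_port, b_ip, b_port = m.groups()
        # ASA lists the lower-security (outside) side first. For an outbound
        # connection that side is the destination; for inbound it is the source.
        if direction == "outbound":
            src, dst = (b_ip, b_port), (a_ip, a_port)
        else:
            src, dst = (a_ip, a_port), (b_ip, b_port)
        return TrafficEvent("cisco_asa", "allow", proto.lower(),
                            src[0], int(src[1]), dst[0], int(dst[1]))
    return None


def normalize(lines: List[str]) -> List[TrafficEvent]:
    """Dispatch on format and drop lines that are not traffic records."""
    events = []
    for line in lines:
        ev = parse_asa(line) if "%ASA-" in line else parse_fortigate(line)
        if ev is not None:
            events.append(ev)
    return events


def denied_sources(events: List[TrafficEvent]) -> dict:
    """Denied connections per source address across both vendors: the kind of
    aggregation that only works once fields share one schema."""
    counts: dict = {}
    for ev in events:
        if ev.action == "deny":
            counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    evs = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print("denied per source:", denied_sources(evs))
```

The last sample line is a FortiGate event record rather than a traffic record and is dropped; the two denies from 203.0.113.7, one per vendor, only add up because both have been reduced to the same source/destination/action fields.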

 

Granular Role-Based Access Control (RBAC)

From the hub, you can now assign new granular Cortex XDR roles to Cortex XDR app users. Each of the new roles identifies select pages in the app that the user can view and select actions that the user can perform.

 

RBAC for APIs

To prevent unauthorized access to features and information in Cortex XDR, you can now assign roles for API key usage. This enables you to limit access to sensitive data when needed.

 

Public APIs for Endpoint and Agent Management

Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment. The following API capabilities have been added:

 

  • Get Endpoints – Retrieve a list of endpoints
  • Isolate Endpoints – Isolate a specific endpoint
  • Unisolate Endpoints – Cancel an endpoint's isolation
  • Get Distribution Version – Retrieve the installation package versions
  • Create Distributions – Create installation packages
  • Get Distribution Status – Retrieve the installation package statuses
  • Get Distribution URL – Retrieve the installation package URL
  • Get Audit Management Log – Retrieve a list of audit log details
  • Get Audit Agent Report – Retrieve a list of agent event report details

The APIs are supported with the Cortex XDR Prevent and Cortex XDR Pro Per Endpoint licenses.
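An added example (not Palo Alto Networks code) of calling one of these APIs with a role-restricted key. It assumes the advanced API key scheme and the endpoints/isolate path as described in the public Cortex XDR API reference: the key itself never leaves the client; the request carries a SHA-256 of key, nonce and timestamp in the Authorization header alongside x-xdr-auth-id, x-xdr-nonce and x-xdr-timestamp. Verify the path and key type against the reference for your tenant, and, given the new RBAC for APIs, give the key a role limited to the endpoint actions the integration needs. The verify_signature function is the receiving side's check, written here for illustration; the tenant FQDN in the main block is a placeholder.

```python
"""Build and verify a signed Cortex XDR public API request (advanced API key).

Added example, not Palo Alto Networks code. The signing scheme and URL path
are assumptions taken from the public Cortex XDR API reference; confirm them
for your tenant before use.
"""
import hashlib
import hmac
import json
import os
import secrets
import string
import time
import urllib.request
from typing import Dict, Optional, Tuple

ALNUM = string.ascii_letters + string.digits


def build_headers(api_key_id: int, api_key: str, nonce: Optional[str] = None,
                  timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for an advanced API key: the key is hashed with a fresh nonce
    and a millisecond timestamp, so the key itself never crosses the wire
    and a captured request is only useful until the timestamp ages out."""
    if nonce is None:
        nonce = "".join(secrets.choice(ALNUM) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-auth-id": str(api_key_id),
        "x-xdr-nonce": nonce,
        "x-xdr-timestamp": str(timestamp_ms),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def verify_signature(api_key: str, headers: Dict[str, str], now_ms: Optional[int] = None,
                     max_skew_ms: int = 5 * 60 * 1000) -> bool:
    """Receiver-side check (illustrative): recompute the digest from the
    stored key, compare in constant time, and reject stale timestamps."""
    try:
        ts = int(headers["x-xdr-timestamp"])
    except (KeyError, ValueError):
        return False
    if now_ms is not None and abs(now_ms - ts) > max_skew_ms:
        return False
    expected = hashlib.sha256(
        f"{api_key}{headers.get('x-xdr-nonce', '')}{ts}".encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, headers.get("Authorization", ""))


def isolate_request(fqdn: str, endpoint_id: str) -> Tuple[str, bytes]:
    """URL and JSON body for the Isolate Endpoints API (path is an assumption)."""
    url = f"https://api-{fqdn}/public_api/v1/endpoints/isolate/"
    body = json.dumps({"request_data": {"endpoint_id": endpoint_id}}).encode("utf-8")
    return url, body


def send(url: str, body: bytes, headers: Dict[str, str], timeout: int = 30) -> dict:
    """Perform the POST; not exercised offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder tenant and key material: set XDR_FQDN / XDR_KEY_ID / XDR_KEY to use for real.
    fqdn = os.environ.get("XDR_FQDN", "example.xdr.us.paloaltonetworks.com")
    key_id = int(os.environ.get("XDR_KEY_ID", "0"))
    key = os.environ.get("XDR_KEY", "not-a-real-key")
    url, body = isolate_request(fqdn, "<endpoint_id>")
    headers = build_headers(key_id, key)
    print(url, body.decode("utf-8"))
    print({k: v for k, v in headers.items() if k != "Authorization"})
    # send(url, body, headers)  # uncomment with a real tenant and a role-limited key
```

Because the digest covers the timestamp, a request logged by a proxy cannot be replayed after the server's acceptance window; a standard (non-advanced) key, by contrast, is sent as-is in the Authorization header and should be treated like a password.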

 

Customizable Dashboards

To instantly surface the information about your environment that matters to you most, you can now customize the default dashboard that displays when you log in to Cortex XDR. To create a dashboard, you can either use a predefined dashboard template as a starting place or you can create a new dashboard from scratch using the dashboard builder. Dashboards can be private or public. If you have multiple dashboards, you can select the one you want to be the default and can toggle to the others from the dashboard menu.

 

Reports

Run and customize reports containing a snapshot of statistics about your environment over a selected time period. You can generate reports from Cortex XDR on-demand or schedule them to run daily or weekly. You can use dashboards as the basis for a report template or customize your report with widgets from the widget library. When your report is ready, you can download it from the Reports page and also email reports to an email distribution of your choice.

 

OR Operator Support for Filters

You can now use the OR operator with filters to return results that match any specified filter criteria (instead of using the AND operator to return results that match all of the criteria). You can also use filter sets to group criteria. For example, (a AND b) OR (c AND d).

 

Dynamic Endpoint Group Creation Using Filters

You can now use an unlimited number of filters to define endpoint groups.

 

Active Directory Object Filtering

You can now filter endpoints in the Endpoints Management table by Active Directory (AD) Objects. To filter by an AD object, you must have Directory Sync Service paired to Cortex XDR.

 

 

Traps Agent is Now Cortex XDR Agent

In this release, the Traps agent is now the Cortex XDR agent and is supported by the Cortex XDR app. The following topics describe the new features introduced in Cortex XDR agent 7.0 releases, according to the different agent operating systems.

 

Features Introduced in Cortex XDR Agent 7.0 for Windows

 

Serverless Content Distribution

To reduce the bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, the content update algorithm has been enhanced so that agents on your LAN can retrieve the new content version from other agents that have already retrieved it. Within the six-hour randomization window during which a Cortex XDR agent attempts to retrieve the new content version, it queries other agents twice: once within the first hour, and once again during the following five hours. If neither query obtains the new content from a peer, the agent retrieves it from Cortex XDR directly.

 

Peer-to-peer content distribution is enabled by default in the Agent Settings profile and requires that you allow TCP and UDP on port 33221 between endpoints (you can change the port later through the Agent Settings profile).

 

NOTE: Peer-to-peer content distribution might increase traffic on the organization’s LAN.

 

Device Control of USB-Connected Devices

To protect Windows endpoints from loading malicious files from USB-connected removable devices (CD-ROM drives, disk drives, floppy disks, and portable devices), Cortex XDR now provides Device Control. With Device Control, you can configure different policies to manage USB connectivity on your endpoints. For example, you can:

 

  • Block all supported USB-connected devices
  • Temporarily block only some USB-connected device types
  • Block a USB-connected device type but whitelist a specific vendor or product from that list and allow it read/write permissions on the endpoint

 

To apply Device Control to your endpoints, define Device Control profiles according to the device types and configure device control policies that apply to Cortex XDR endpoints or endpoint groups.

 

New Local Analysis Engine

For improved coverage and accuracy, the Cortex XDR local analysis engine on Windows endpoints now uses enhanced machine learning to analyze unknown executable and DLL files at the time of execution and loading.

 

Customized User Notifications You can now customize the header and footer of user notifications that the Cortex XDR Agent displays when a security event occurs. You can override the default generic texts to provide your end users with localized messages, support contact info, textual instructions, and more. Customized headers are relevant to the following types of notifications:

 

  • Exploit/Malware events set to block
  • Restriction events set to block
  • Restriction events set to notify user

 

You can also customize the notification footer default text. Cortex XDR displays the same footer for all notification types.

 

 

Features Introduced in Cortex XDR Agent 7.0 for Mac

 

Customized User Notifications

You can now customize the header and footer of user notifications that the Cortex XDR Agent displays when a security event occurs. You can override the default generic texts to provide your end users with localized messages, support contact info, textual instructions, and more. You can customize the following:

 

  • Notification header for Exploit/Malware events set to block
  • The notification footer, which applies to all notification types

 

Remote Investigation and Remediation with Live Terminal

If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Mac endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.

 

Retrieve Files Response Action

You can now initiate a response action to retrieve files from Mac endpoints with Cortex XDR directly. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Action Center. Cortex XDR retains retrieved files for up to one week.

 

 

Features Introduced in Cortex XDR Agent 7.0 for Linux

 

Remote Investigation and Remediation with Live Terminal

If an event requires further investigation and remediation, you can initiate a Live Terminal session to the remote Linux endpoint. This enables you to navigate and manage files in the file system, run Bash or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.

 

Retrieve Files Response Action

You can now initiate a response action to retrieve files from Linux endpoints with Cortex XDR directly. You can retrieve up to 20 files related to a security event (up to 200MB total). As part of the 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Action Center. Cortex XDR retains retrieved files for up to one week.

 

SO Hijacking Protection

Cortex XDR extends Exploit Protection on Linux endpoints to also protect them from SO Hijacking attacks, in which the attacker causes a process to dynamically load a shared library (.so) from an insecure location in order to take control of that process. The Cortex XDR agent blocks this activity and raises an SO Hijacking Protection alert. The new SO Hijacking Exploit Protection module is activated automatically when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.

 

Extended Exploit Protection Coverage for Java Deserialization Exploits

Cortex XDR extends Exploit Protection on Linux endpoints to also detect Java deserialization exploits on Java-based servers. The new Exploit Protection module detects attempts to execute malicious code during the Java objects deserialization process. Cortex XDR agent blocks this activity and raises a Suspicious Input Deserialization alert. The new Java Deserialization Exploit Protection module is automatically activated when you enable Known Vulnerable Processes Protection in the Linux Exploit Security profile.

 

 

Features Introduced in Cortex XDR App for Android

 

Rebranded Android App

The Traps app for Android is now the Cortex XDR app 7.0 for Android. The new app is supported with Cortex XDR Prevent, Cortex XDR Pro Per Endpoint, and Traps management service. It has a new skin that matches the Cortex XDR theme and provides the same malware prevention capabilities as the previous Traps app.

 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out !
