Cortex XDR - Analytics May 2019 Release

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Read Cortex XDR - Analytics new features for May 2019 to see what's new with Cortex XDR - Analytics. Find details of the new features and useful resources to up-to-date technical documentation. Got Questions? Get Answers on LIVEcommunity.

Cortex XDR.jpg


The month of May brings quite a few new features for Cortex XDR - Analytics. 


Here's a list of what's new for you in this release:


Mobile Endpoint Coverage Through GlobalProtect and GlobalProtect Cloud Service

  • The Cortex XDR™ – Analytics app can now detect threats on mobile endpoints that roam outside of your firewall-protected environment by examining GlobalProtect™ and GlobalProtect cloud service VPN traffic. After you identify the IP address pools of your mobile user, the app analyzes user VPN traffic and creates a Mobile VPN device type based on the username-associated traffic. The app raises the same alerts, as with a firewall-only deployment, and associates the alerts to a Mobile VPN device type.


New DNS Tunneling Alert

  • When the Cortex XDR – Analytics app detects unusual DNS queries or responses, the app can now raise the DNS Tunneling alert. DNS queries are a common function of internet traffic, but DNS traffic can also be used for communication between malware and a command-and-control server or used to exfiltrate data from your network.


New Alert for Returning Rare IP Access

  • Cortex XDR – Analytics can now raise the Recurring Rare IP Access alert when it identifies activity that is consistent with command and control activity. To identify this type of activity, the app analyzes recurring connections to external hosts to determine whether those connections are anomalous for endpoints within your network. The app can detect this behavior using either firewall or endpoint activity logs. For higher detection accuracy, you can also enable Enhanced Application logs on your firewalls.


Alerts for Endpoint Behavior


Additional Endpoint-Generated Alert Support

    • Failed Connections
    • Large Upload (Generic)
    • SMB/KRB Traffic from Non-Standard Process
    • High Connection RateThe app can now detect alerts, which previously required firewall logs, in Traps-only deployments without next-generation firewalls:
See Possible Cortex XDR – Analytics Alerts for all alerts by log source.


Make sure to check out the Cortex XDR - Analytics page to stay on top of all the new and previously released features!


-Kiwi out!

Register or Sign-in
Top Liked Authors