New Cortex XDR Features for April 2020

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Palo Alto Networks released Cortex XDR 2.3. Read about the new features available in Cortex XDR 2.3, including Incident, Agent Management, and Global Improvements. See how these features can help keep your network secure. 


Features Introduced in April 2020 (release 2.3)


NOTE: Features requiring Cortex XDR agent 7.1 are coming soon and will be available with the agent release.



Incident Management

OS Actor Visibility and Investigation

Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator.

When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes.

Causality View Enhancements for Devices When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number.

Endpoint Prevention and Management

Script Execution
(Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later)

You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint.

To learn more about script execution, see Run Scripts on an Endpoint.

Full Visibility into the Cortex XDR Agent Operational Status
(Cortex XDR agent 7.1 or later)

From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:

  • Protected—Indicates that the Cortex XDR agent is running as configured and did not report any exceptions to Cortex XDR.
  • Partially protected—Indicates that the Cortex XDR agent reported Cortex XDR one or more exceptions.
  • Unprotected—Indicates that the Cortex XDR agent reported Cortex XDR exceptions about the Malware protection module, and Behavioral threat protection or Exploit modules.

You can monitor the operational status of your endpoints from the Endpoint Administration table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint.

Disk Encryption Using BitLocker
(Windows only and with Cortex XDR agent 7.1 or later)

Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to your enforce the BitLocker encryption or decryption of the endpoint operating system disk.


To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
Host Firewall for Cortex XDR Agents
(Windows only and with Cortex XDR agent 7.1 or later)

To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules.

To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:

  • The current network location of the device (inside or outside the network).
  • The direction of the communication on the device (inbound or outbound).
  • IP address or IP address ranges
  • Ports or port ranges
  • The communication protocol (ICMP, TCP, UCP, and ICMPv6).
  • Specific programs running on the endpoint.
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
Automatic Agent Upgrades

You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.


To configure automatic upgrades for your agents, see Add a New Agent Settings Profile..

Dormant Malware Scanning
(Mac only and with Cortex XDR agent 7.1 or later)
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files.
Agent Installation through Package Manager
(Linux only and with Cortex XDR agent 7.1 or later)
You can now create Cortex XDR agent installation packages in .rpm or .deb formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.

For the detailed workflow, see Create an Agent Installation Package.

New Distribution Support
(Linux only and with Cortex XDR agent 7.1 or later)

You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.


The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.

Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.


For full compatibility information, see the Compatibility Matrix.

MAC Address Reporting
(Cortex XDR agent 7.1 or later)
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address.
Endpoints Navigation Changes For improved navigation of endpoint features, the Cortex XDR management console now organizes the Endpoints menus as follows:



  • Endpoint Management—Includes endpoint administration, endpoint group management, and agent installation package management.
  • Policy Management—Now separated into two sections: Prevention/Security for managing your endpoint profiles, rules, and exceptions; and Compliance for managing your Device Control profiles, rules, and exceptions.
  • Device Control Violations—Quickly view behavior flagged by Cortex XDR agents as matching a Device Control policy rule.
Endpoint Group Name Portability When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group.
Restricting Response Actions on the Endpoint If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint.

Global Improvements


Broker VM Extended Application Support To ease the deployment of broker VM when using Azure and Hyper-V 2012 and later, you can now download a VDH image from the Cortex XDR management console when configuring your broker VM.
Cortex XDR Deployment Enhancements To simplify deployment of Cortex XDR, the list of required firewall URLs to enable has been consolidated. is now replacing the following URLs:

  • https://<xdr-tenant>
  • https://<xdr-tenant>
  • https://migration-<cortex-data-lake-tenant-ID>
  • https://migration-<cortex-data-lake-tenant-ID>
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>
  • https://xdr-<region>-<cortex-data-lake-tenant-ID>

Public APIs


API Enhancements To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
  • Request field filters is no longer mandatory for the following APIs:
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Request either all or filtered results for:
    • Scan Endpoints
    • Cancel Scan Endpoints
    • Get Incidents
    • Get Endpoints
    • Get Device Violations
    • Get Audit Management Log
    • Get Audit Agent Report
  • Simplified request fields for:
    • Isolate Endpoints
    • Unisolate Endpoints
    • Delete Endpoints
    • Quarantine Files
    • Retrieve Files



Stay up to date and bookmark the TechDocs page on Cortex XDR Release Notes.


In addition to the new features listed above, Customers can also view Cortex XDR 2.3 new feature videos.



Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.


Stay Secure,
Kiwi out!

Register or Sign-in
Top Liked Authors