Palo Alto Networks has released the May 2020 features for Cortex XDR. The release covers Investigation and Response improvements, Endpoint Prevention and Management improvements, Alert and Log Ingestion and Forwarding, Broker Service enhancements, MSSP support, and Public API enhancements.
The following sections describe the new features released in May 2020.
Investigation and Response
Threat Intelligence Management Integration
The IOC Rules table has been expanded to include information commonly found on IOCs retrieved from threat intelligence sources. These are:
A list of vendors that provided the indicator
The indicator's class (for example, Malware)
In addition, when you manually add a single indicator, you can now set its reputation and reliability.
Finally, the Source column in the IOC Rules table has been enhanced so that it can now indicate whether the IOC was inserted into Cortex XDR using a REST API.
Causality View Enhancements for Remote Procedure Call (RPC) Events (Requires a Cortex XDR Pro per TB License)
To expand your investigation capabilities, Cortex XDR now displays when an RPC protocol or code injection event was executed on another process from either a local or remote host.
To access more information about the injection events, in the Causality View, select the injection event to view the events executed on behalf of either an IP address or process.
IP Address and Hash Views (Requires a Cortex XDR Pro per TB License)
To streamline the investigation process and reduce the number of steps it takes to investigate and threat-hunt artifacts, Cortex XDR now provides dedicated views for IP addresses (IP View) and file hashes (Hash View).
To help you collect and research information relating to artifacts, the IP View and Hash View automatically aggregate and display a summary of all the information Cortex XDR and threat intelligence reports have on the artifact. From the artifact view, you can also navigate to the corresponding incident, query, and filtered view of the Action Center to further inspect the artifact and initiate specific actions on it. You can access the views from:
Right-click pivot menu
Keyboard shortcut Ctrl+Shift+E (Windows) or CMD+Shift+E (macOS)
New Alert Table Fields
The Alerts table has been enhanced with additional fields to help you filter and manage information.
Cortex XDR Alert Management
To allow for greater coverage of your incoming alerts, Cortex XDR now supports 2 million alerts per 4,000 agents or per 20 TB.
Incident Visibility in Blacklists and Whitelists
If during investigation of an incident, you whitelist or blacklist a file, Cortex XDR can now assign the incident ID to the file in the relevant list in the Action Center. This enables you and other administrators to easily identify the related incident when you return to the Action Center to investigate a whitelisted or blacklisted file. If the incident associated with the file is no longer relevant, you can easily change or clear the incident ID number.
IOC and BIOC Alert Investigation Enhancements
To improve the investigation workflow, you can now pivot from an IOC or BIOC rule to a filtered list of alerts triggered by the rule. From an IOC or BIOC rule, you can also pivot to a query of alerts triggered by the rule.
Alert to Incident Investigation Enhancements
To aid in alert investigation, Cortex XDR now displays the related incident ID in Alerts tables (excluding the Incident alert table). You can also easily pivot to the relevant incident and can filter the results by Incident ID.
Quick Launcher (Requires a Cortex XDR Pro license)
You can now use the Quick Launcher as an in-context shortcut to quickly perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app. Use the Quick Launcher to:
Search events for host, IP address, domain, and hash
Blacklist and whitelist processes by hash
Add domains or IP addresses to the EDL blocklist
Create a new IOC for an IP address, domain, hash, filename, or filepath
Isolate an endpoint
Open a terminal to a given endpoint
Initiate a malware scan on an endpoint
You can bring up the Quick Launcher using the Ctrl+Shift+X shortcut on Windows, the CMD+Shift+X shortcut on macOS, or by clicking the Quick Launch icon in the top navigation menu. By highlighting a field value, such as an IP address or filename, on any page in the Cortex XDR management console, you can pre-populate a query in the Quick Launcher.
Native Search (Requires a Cortex XDR Pro license)
Cortex XDR introduces the new text-based Native Search. You can now build simple and complex text-based queries to search across all available logs and data in Cortex XDR. A query consists of one or more clauses, each naming a field from the log's metadata hierarchy, an operator, and a value. As you type a field name, the query provides autocompletion based on the known log fields. Values can also be regular expressions. To build complex queries, group statements in parentheses and string multiple statements together with AND or OR. Text-based queries also support wildcards, except on IP addresses and IP address ranges, which are matched exactly or as ranges. Find examples on the New Features page.
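The paragraph above describes the shape of a text-based query but not how the pieces combine. The following is an added example, not code from Palo Alto Networks or the Cortex XDR product: a small evaluator for a query language with the same ingredients (field, operator, value; AND/OR; parentheses; wildcards; regular expressions; no wildcards on IP fields, which take CIDR ranges instead), run over a handful of constructed events. The exact operator spellings (`=`, `!=`, `=~`), the field names and the sample events are assumptions for the illustration, not the Native Search syntax or the product schema.

```python
import ipaddress
import re

# Constructed sample events (not real Cortex XDR telemetry). The field names follow an
# actor_*/action_* naming style but are assumptions for this example, not the product schema.
EVENTS = [
    {"event_type": "NETWORK", "actor_process_image_name": "powershell.exe", "action_remote_ip": "10.0.0.5"},
    {"event_type": "PROCESS", "actor_process_image_name": "cmd.exe", "action_remote_ip": "10.0.0.7"},
    {"event_type": "PROCESS", "actor_process_image_name": "mimikatz.exe", "action_remote_ip": "192.168.1.20"},
    {"event_type": "NETWORK", "actor_process_image_name": "svchost.exe", "action_remote_ip": "10.0.0.5"},
]
IP_FIELDS = {"action_remote_ip"}  # fields that accept CIDR ranges and reject wildcards

# Tokens: parentheses, the operators = != =~, double-quoted strings, or bare words
# (field names, bare values, and the keywords and/or). Operator spellings are assumed.
TOKEN_RE = re.compile(r'\s*(\(|\)|!=|=~|=|"[^"]*"|[^\s()=!~"]+)')


def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize query at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def comparison(field, op, raw):
    """Build a predicate for one 'field operator value' clause."""
    value = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    if op == "=~":                                       # regular-expression match
        pattern = re.compile(value)
        test = lambda v: pattern.search(v) is not None
    elif field in IP_FIELDS and "/" in value:            # IP range: CIDR membership
        net = ipaddress.ip_network(value, strict=False)
        test = lambda v: ipaddress.ip_address(v) in net
    elif "*" in value:                                   # wildcard, not allowed on IP fields
        if field in IP_FIELDS:
            raise ValueError(f"wildcards are not supported on IP field {field}; use a CIDR range")
        pattern = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
        test = lambda v: pattern.match(v) is not None
    else:                                                # plain, case-insensitive equality
        test = lambda v: v.lower() == value.lower()
    if op == "!=":
        return lambda ev: field in ev and not test(ev[field])
    return lambda ev: field in ev and test(ev[field])


class Parser:
    """Recursive descent: expr := term (OR term)*, term := factor (AND factor)*,
    factor := '(' expr ')' | field op value. AND binds tighter than OR."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        pred = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def expr(self):
        left = self.term()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self.factor())
        return left

    def factor(self):
        if self.peek() == "(":
            self.take()
            pred = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return pred
        field, op, value = self.take(), self.take(), self.take()
        if value is None or op not in ("=", "!=", "=~"):
            raise ValueError(f"expected 'field operator value', got {field!r} {op!r} {value!r}")
        return comparison(field, op, value)


def search(query, events=EVENTS):
    """Return the events matching the query, in their original order."""
    pred = Parser(tokenize(query)).parse()
    return [ev for ev in events if pred(ev)]


def query_is_valid(query):
    """True if the query parses; False for syntax errors or a wildcard on an IP field."""
    try:
        Parser(tokenize(query)).parse()
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ev in search('(event_type = PROCESS or event_type = NETWORK) and actor_process_image_name = "*.exe"'):
        print(ev)
```

The one rule the page calls out, no wildcards on IP addresses, surfaces here as a parse-time error rather than an empty result, which is what you want from a hunting console: a query that silently matches nothing is easy to mistake for a clean environment.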
Query Management Enhancement
You can now easily edit a query in the Query Center. This can be useful if you do not want to create a new query and instead want to modify the original. The option to Edit a query is available from the pivot menu for a query (Investigation > Query Center).
Endpoint Prevention and Management
Alert Data Retrieval Enhancements (Cortex XDR agent 7.1 or later)
To improve the user experience and reduce unnecessary bandwidth consumption caused by duplicate alert data retrieval actions, whether triggered by automatic upload or by an administrator-initiated action, Cortex XDR now verifies whether a retrieval is already in progress. When you try to retrieve data and an upload is already in progress, Cortex XDR displays a notification with the retrieval status. If the file is already available, Cortex XDR provides a download link so you can download it immediately.
Vulnerability Assessment and Application Inventory (Cortex XDR agent 7.1 or later, Windows and Linux only)
You can now identify and quantify the security vulnerabilities on an endpoint directly from the Cortex XDR management console, and use that information to prioritize mitigation and patching across all endpoints in your organization. To give you a comprehensive understanding of vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics. From Cortex XDR, you can view the vulnerabilities in your network by CVE or by endpoint. Additionally, Cortex XDR provides a list of all applications installed in your network and flags CVEs only for the applications that have them, giving you a full application inventory of your network.
During the first few days of this feature roll-out and until Cortex XDR collects the application data from all endpoints in your network, you will see only partial information in Vulnerability Assessment and a system notification that indicates the data is still being collected. When Cortex XDR completes the data collection, it will stop displaying the system notification.
Interactive Script Execution (Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later)
To run multiple scripts on a set scope of target endpoints, track the execution progress and view the results in real-time, you can now initiate scripts in Interactive Mode. For each script, Cortex XDR displays the execution progress status on all connected endpoints in the target scope, the script general information, and the execution results. You can launch Interactive Mode at the end of a new Execute Script action, or from the Action Center for already existing script executions. When you are working in Interactive Mode, you can select additional scripts and execute them directly, or add your code snippets using the built-in text editor.
Enhancements to Script Upload (Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later)
When you upload a new script to the Scripts Library, you can now review and edit the script code during the upload process in the Cortex XDR text editor.
Visibility into Disabled Agent Capabilities (Cortex XDR agent 7.1 or later)
Cortex XDR now provides visibility into which response actions are disabled on the endpoint. You can view a list of the Disabled Capabilities per endpoint in Endpoint Administration: initiating a Live Terminal remote session on the endpoint, executing Python scripts on the endpoint, and retrieving files from the endpoint to Cortex XDR.
Alert and Log Ingestion and Forwarding
Okta and Azure Authentication Data Ingestion (Requires a Cortex XDR Pro license)
Cortex XDR can now ingest authentication logs from Okta and Azure AD into authentication stories. An authentication story unites logs and data regardless of the information source (an on-premises KDC or a cloud-based authentication service) into a uniform schema, so one query covers logons against all identity providers. To search authentication stories, you can use the Query Builder or the new text-based Native Search. To receive authentication logs from Okta and Azure AD, you configure the SaaS Log Collection settings in Cortex XDR.
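The value of a uniform authentication schema is easiest to see with a detection that only works once both sources share it. The following is an added example, not Palo Alto Networks code and not the schema Cortex XDR uses internally: it normalizes constructed Okta System Log events and constructed Azure AD sign-in records (shaped after those two public log formats, with only the fields used here) into one story, then looks for a source IP whose failed logons spread across accounts on both identity providers, which neither source would reveal on its own. The story field names and the detection threshold are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real tenant data). OKTA_EVENTS follows the Okta System Log
# layout (published, eventType, actor, client, outcome); AZURE_SIGNINS follows the Azure AD
# sign-in log layout (createdDateTime, userPrincipalName, ipAddress, status.errorCode).
OKTA_EVENTS = [
    {"published": "2020-05-04T09:00:01.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.9"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"published": "2020-05-04T09:00:07.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.9"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}},
    {"published": "2020-05-04T09:05:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "Alice@example.com"}, "client": {"ipAddress": "198.51.100.4"},
     "outcome": {"result": "SUCCESS"}},
]
AZURE_SIGNINS = [
    {"createdDateTime": "2020-05-04T09:00:04Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.9", "appDisplayName": "Office 365",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"createdDateTime": "2020-05-04T09:00:09Z", "userPrincipalName": "dave@example.com",
     "ipAddress": "203.0.113.9", "appDisplayName": "Office 365",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"createdDateTime": "2020-05-04T09:10:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.5", "appDisplayName": "Office 365",
     "status": {"errorCode": 0, "failureReason": None}},
]


def parse_time(ts):
    """Both services emit ISO 8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def from_okta(ev):
    """Map one Okta System Log event onto the uniform story schema (assumed field names)."""
    return {
        "time": parse_time(ev["published"]),
        "source": "okta",
        "user": ev["actor"]["alternateId"].lower(),
        "src_ip": ev["client"]["ipAddress"],
        "outcome": "success" if ev["outcome"]["result"] == "SUCCESS" else "failure",
        "reason": ev["outcome"].get("reason"),
        "target": ev["eventType"],
    }


def from_azure_ad(ev):
    """Map one Azure AD sign-in record onto the same schema; errorCode 0 is success."""
    failed = ev["status"]["errorCode"] != 0
    return {
        "time": parse_time(ev["createdDateTime"]),
        "source": "azure_ad",
        "user": ev["userPrincipalName"].lower(),
        "src_ip": ev["ipAddress"],
        "outcome": "failure" if failed else "success",
        "reason": ev["status"].get("failureReason") if failed else None,
        "target": ev["appDisplayName"],
    }


def build_stories(okta_events, azure_signins):
    """Merge both sources into one time-ordered list of uniform authentication records."""
    stories = [from_okta(e) for e in okta_events] + [from_azure_ad(e) for e in azure_signins]
    return sorted(stories, key=lambda s: s["time"])


def spray_sources(stories, min_users=3):
    """Source IPs whose failed logons touch at least min_users distinct accounts,
    counted across every identity provider in the story."""
    users_by_ip = defaultdict(set)
    for s in stories:
        if s["outcome"] == "failure":
            users_by_ip[s["src_ip"]].add(s["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def failures_per_source(stories):
    """Failed logons per identity provider: each source alone sees only half the spray."""
    counts = defaultdict(int)
    for s in stories:
        if s["outcome"] == "failure":
            counts[s["source"]] += 1
    return dict(counts)


if __name__ == "__main__":
    stories = build_stories(OKTA_EVENTS, AZURE_SIGNINS)
    print(failures_per_source(stories))
    print(spray_sources(stories))
```

In the constructed data each provider sees two failures from 203.0.113.9, below a per-source threshold of three accounts; only the merged story crosses it. User names are lower-cased during normalization so that `Alice@example.com` in one source and `alice@example.com` in the other are the same principal.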
Legacy Log Forwarding Format Support
If you previously used the Log Forwarding App to forward logs to an external syslog receiver or email, you can now use the legacy formats in Cortex XDR. To enable legacy formats, you add a Log Forwarding notification configuration and choose the Use Legacy Log Format option. For information on legacy formats, see Cortex XDR Log Formats.
Broker VM Remote Access Enhancements
To simplify and expand remote access to your broker VM, the broker now supports SSH public-key authentication with an RSA key pair, so you can generate your own key and grant access to your colleagues in addition to Cortex XDR support. Only the public half of each key pair is registered on the broker; the private key stays with its holder and should be removed from the broker's authorized keys when that person no longer needs access.
Broker VM Web Console Enhancements
To improve the registration process of your broker VM, you can now define the required registration configurations directly in the Broker VM web console.
To align access to your Cortex XDR logs, in addition to the Cortex XDR console, you can now collect and download logs from the broker VM web console.
Broker VM XDR Console Enhancements
To help you better manage your registered broker VMs, you can now:
Configure an Internal Network Subnet for your broker VM
Rename your broker VM
View the broker VM disk usage
Receive notifications about new broker VM versions and lost connections
Windows Event Collector Setup Enhancements (Requires a Cortex XDR Pro per TB License)
To simplify the process of setting up the Windows Event Collector, you can now generate, activate, and download the required WEC certificates used to establish a connection with your Domain Controller during the setup process directly from the Cortex XDR console. To help you maintain your current WEC DC configurations, you can now migrate your existing WEC certificate from the Cortex XDR management console.
New Managed Threat Hunting Service
Cortex XDR now offers the new Managed Threat Hunting service as an add-on security service. To augment your security team, Managed Threat Hunting provides 24/7, year-round monitoring by Palo Alto Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively safeguard your organization and provide threat reports for critical security incidents and impact reports for emerging threats that provide an analysis of exposure in your organization. In addition, the Managed Threat Hunting team can identify incidents and provide in-depth review of related threat reports. To use Cortex XDR Managed Threat Hunting, you must purchase a Managed Threat Hunting license and have a Cortex XDR Pro for Endpoint license with a minimum of 500 endpoints.
Cross-Tenant Queries for MSSPs
To enable managed security service providers (MSSPs) that use Cortex XDR to threat hunt and perform investigations quickly, you can now use the Query Builder to query across multiple child tenants. Cortex XDR provides the tenant query selector at the top of the Query Builder with the option to select one or more child tenants.
New APIs for Ingesting Threat Intelligence Feeds
Two new APIs are now available for adding one or more IOCs to Cortex XDR.
These APIs are intended for IOCs retrieved from threat intelligence sources. They can, however, be used to insert an IOC obtained from any source, as long as the request presents each IOC in a valid format. Validate and normalize indicators before submitting them: a malformed value is rejected, and the same indicator reported by several vendors should be merged into one entry rather than inserted once per feed.
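The validation and merging that the two paragraphs above and the Threat Intelligence Management Integration section (vendor list, indicator class, reputation, reliability) call for are shown in the following added example. It is not Palo Alto Networks code and does not reproduce the request schema of the new APIs: the feed-entry layout, the A to F reliability scale, the indicator type names and the JSON wrapper used for the batches are assumptions for the illustration, and the feed entries are constructed. What the example demonstrates is the part a practitioner owns regardless of the endpoint, deciding which strings are valid indicators of which type, folding duplicates across vendors into a single entry, and chunking the result into request bodies.

```python
import ipaddress
import json
import re
from itertools import chain

# Constructed feed entries (not real threat-intelligence data). The layout, the "class" values
# and the A-F reliability scale (A = most reliable) are assumptions, not the Cortex XDR format.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of "" as placeholder
FEED_A = [
    {"vendor": "feed-a", "value": "203.0.113.45", "class": "Malware", "reputation": "bad", "reliability": "B"},
    {"vendor": "feed-a", "value": "Example.COM.", "class": "Phishing", "reputation": "bad", "reliability": "C"},
    {"vendor": "feed-a", "value": EMPTY_SHA256, "class": "Malware", "reputation": "bad", "reliability": "A"},
]
FEED_B = [
    {"vendor": "feed-b", "value": "203.0.113.45", "class": "Malware", "reputation": "bad", "reliability": "A"},
    {"vendor": "feed-b", "value": "not a valid indicator", "class": "Malware", "reputation": "bad", "reliability": "C"},
]

RELIABILITY_SCALE = "ABCDEF"
HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# Extensions that identify a bare value as a file name. Needed because "run.bat" also satisfies
# the domain syntax; the list is a heuristic and an assumption of this example.
FILE_EXTENSIONS = {"exe", "dll", "sys", "bat", "cmd", "ps1", "vbs", "js", "scr", "docm", "xlsm", "lnk"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(value):
    """Return (type, normalised value), or raise ValueError if the string is not a valid IOC."""
    v = value.strip()
    try:
        return "IP", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", v):
        return "HASH", v.lower()
    if re.fullmatch(r"(?:[A-Za-z]:\\|/).+", v):               # Windows drive path or POSIX path
        return "PATH", v
    name = re.fullmatch(r"[^\\/:*?\"<>|\s]+\.([A-Za-z0-9]{1,8})", v)
    if name and name.group(1).lower() in FILE_EXTENSIONS:
        return "FILENAME", v
    domain = v.lower().rstrip(".")                            # drop a trailing root dot
    if DOMAIN_RE.match(domain):
        return "DOMAIN", domain
    raise ValueError(f"unrecognised indicator format: {value!r}")


def merge(*feeds):
    """Fold entries from several feeds into one IOC per (type, value).
    Returns (iocs, rejected); rejected carries the vendor, value and reason for each bad entry."""
    merged, rejected = {}, []
    for entry in chain.from_iterable(feeds):
        try:
            kind, norm = classify(entry["value"])
        except ValueError as exc:
            rejected.append({"vendor": entry["vendor"], "value": entry["value"], "error": str(exc)})
            continue
        ioc = merged.setdefault((kind, norm), {
            "indicator": norm, "type": kind, "class": entry["class"],
            "reputation": entry["reputation"], "reliability": entry["reliability"], "vendors": []})
        if entry["vendor"] not in ioc["vendors"]:
            ioc["vendors"].append(entry["vendor"])
        # keep the best reliability any vendor assigned to this indicator
        if RELIABILITY_SCALE.index(entry["reliability"]) < RELIABILITY_SCALE.index(ioc["reliability"]):
            ioc["reliability"] = entry["reliability"]
    return list(merged.values()), rejected


def to_request_bodies(iocs, batch_size=100):
    """Chunk merged IOCs into JSON bodies; the "indicators" wrapper is an assumed, not real, schema."""
    return [json.dumps({"indicators": iocs[i:i + batch_size]})
            for i in range(0, len(iocs), batch_size)]


if __name__ == "__main__":
    iocs, rejected = merge(FEED_A, FEED_B)
    for body in to_request_bodies(iocs):
        print(body)
    print("rejected:", rejected)
```

The ordering inside `classify` is deliberate: IP and hash checks run first because they are unambiguous, the file-name check runs before the domain check because a bare `run.bat` matches both syntaxes, and anything left over is rejected rather than guessed. Keeping the rejected list lets you report back which vendor supplied the malformed value instead of silently dropping it.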
Existing API Enhancements
To give you better visibility and control over which endpoints can be scanned, you can now filter the Get Endpoints, Scan Endpoints, and Cancel Scan Endpoints APIs by scan status. To help you filter file hashes and processes that have been whitelisted or blacklisted, you can now send the incident_id field when running the following APIs: