Cortex XDR Agent 7.3 New Features

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L7 Applicator

Cortex_XDR_Agent_7.3_New_Features.png

Hello there,

I just finished writing my updates for Cortex XDR Management 2.7 here

 

Be sure to check those notes out for all of the details on the Management updates. 

As far as the Agent is concerned, Cortex XDR Agent 7.3 has also had a lot of improvements and enhancements made to it.

 

Cortex XDR Agent 7.3

For Cortex XDR Agent 7.3, it has been broken down into 3 sections for each operating system: Windows, Mac and Linux.

 

Please see the tables below detailing all of the new Features Introduced in Cortex XDR Agent 7.3 *

Windows Features
FEATURE
DESCRIPTION
Remote Malicious Causality Chains Response
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypt endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
You can view the list of all blocked IP addresses per endpoint from the Cortex XDR 
Action Center, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile where you can also add a specific and known safe IP address or IP address range to the IP addresses allow list. This capability is supported for network connections made in IPv4 only.
 
NOTE: When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Live Terminal Enhancements (Windows and Mac)
To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light  
 

cortex xdr live-terminal-indication.png

 on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
Enhanced Local Analysis Prevention
The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Vulnerable Drivers Protection
Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the 
Action mode for vulnerable drivers protection  as part of a Malware Security Profile.
By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module. If needed, you can also configure exceptions to allow specific drivers to run.
Device Control for VDI
Cortex XDR now extends Device Control policy for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact.
 
Note the following limitations:
  • Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules.
 
  • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
 
Mac Features
FEATURE
DESCRIPTION
Network Isolation of Endpoints (macOS 10.15.4 and later)
Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
 
Note the following limitations:
  • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List Network Isolation Allow List.
 
  • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Live Terminal Enhancements (Windows and Mac)
To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light 
 

cortex xdr live-terminal-indication.png

on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Search and Destroy Malicious Files on Endpoints (macOS 10.15.4 and later)
(Requires a Cortex XDR Pro per Endpoint license and Host-Insights Add-on)
Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
 
Linux Features
FEATURE
DESCRIPTION
Peer-to-Peer Content Distribution (Mac and Linux)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Custom Agent Installation Directory
You can now install your Cortex XDR agent in a custom directory on the endpoint instead of using the default 
./opt directory. To do this, set the custom path in a new installation variable --install-path=/<some/path>.
After you install the Cortex XDR to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location.
New Operating Systems Support
You can now install the Cortex XDR agent on Linux endpoints running Debian 10 or OpenSuse Leap 15.1. For all supported kernel versions, see the Latest kernel module version support.

* - All features have been reprinted from the Cortex® XDR™ Agent Release Notes 

 

More Info

To get all of the details from the release notes for Cortex XDR Agent, including Changes to Default behavior, known and addressed issues, please see the full Cortex® XDR™ Agent Release Notes

 

Please also do not forget about the LIVEcommunity Cortex XDR Technology page

 

This is the one place that we have inside of the LIVEcommunity that is dedicated to Cortex XDR discussions, Videos, technical articles, customer articles and even more resources. 

 

Please take a second and check it out, if you haven't already.

LIVEcommunity Cortex XDR Technology page

 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog area.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

  • 7583 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Labels