Cortex XDR New Features for Feb 2020

New Public APIs for Endpoint and Agent Management*

FEATURE

DESCRIPTION

Incident Management

Incident Description Improvements

You can now edit the description for an incident and revert back to the Cortex XDR default description from the Incidents > View Incidents page. You can also search the Incidents table by the Incident description.

Incident Sources

You can now easily view and filter all the sources related to the alerts that make up a specific incident from Investigation > Incidents > Incident Sources.

Automatic Incident Resolve

To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Instances resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in Investigation > Incidents > Status column.

Agent Management

Static Endpoint Group Creation from File

You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.

Policy Usage Count

You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the Endpoints > Policy Management > Profiles page, you can view the number of policy rules (Usage Count) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.

Endpoint Isolation Improvements

To better manage endpoint isolation, you can now do the following:

Isolate and cancel isolation on more than one endpoint at a time
View the date and time of when an endpoint was isolated in Endpoints > Endpoint Management > Isolation Date column
Easily track the status of an endpoint isolation from the Action Center and from the Endpoints > Endpoint Management page where the Endpoint Isolated column displays either Pending Isolation or Pending Isolation Cancelation.

Broker VMs Applet Activation

You can now activate the syslog collector and Windows event collector applets from Settings > Broker VM.

Alert Data Auto Upload

To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from Endpoints > Policy Management > Profiles > Forensics.

Management Features

New Cortex XDR Report and Dashboard Widgets

Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories:

Data Usage Breakdown
Detection by Actions
Detection by Category
Detection by Source
Incidents by Status
Response Action Breakdown

In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.

Email Notifications for Alerts

To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the Settings > Alert Notifications page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.

WildFire Report Visualization

You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from and Investigation > Incidents > View Incident page.

PDF Report Password Encryption

You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.

Global Improvements

Cortex XDR Access

To enable access to Palo Alto Networks GCS buckets in GCP, you now have to enable new URLs in your firewall.

Export Results to File

You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist.

You can also use filters to identify a subset of results and export only results that match your filter criteria.

Cortex XDR Analytics Enhancements

The following enhancements have been made:

Configure Windows Event Collector
Expose a Prometheus endpoint to monitor the Broker VM
Syslog collector now supports TCP protocol and port to log type mapping
Stability improvements

Public APIs

Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.

The following API capabilities have been added:

Scan Endpoints
Cancel Endpoint Scan
Delete Endpoints
Get Endpoints
Get Policy
Get Device Violations
Quarantine File
Get Quarantine Status
Restore File
Retrieve Files
Whitelist Files
Blacklist Files

Enhancements for Existing Public APIs

The following improvements have been made to existing APIs:

Get Incidents - Supports filters description, incident_sources (Response returns hosts, usernames, incident_sources)
Get Extra Incident Data - Response returns hosts, usernames, incident_sources
Get All Endpoints - Supports filters hostname, username
Isolate and Unisolate Endpoints - Supports bulk endpoint isolate/unisolate

* - This information was adopted from Features Introduced in 2020 in our TechDocs.

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Kiwi out!

Cortex XDR New Features for February 2020

Cortex XDR New Features for February 2020

New Public APIs for Endpoint and Agent Management*

Incident Management

Agent Management

Management Features

Global Improvements

How AI is Transforming Cybersecurity: Highlights from Bay Area Ignite

New Advanced URL Filtering Category: Remote-Access

Introducing Web Proxy: Now Live on LIVEcommunity!

How AI is Transforming Cybersecurity: Highlights from Bay Area Ignite

Re: Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device

New Advanced URL Filtering Category: Remote-Access

Introducing Web Proxy: Now Live on LIVEcommunity!

Your Feedback Matters: Take Our Survey for a Chance to Win Prizes!

FEATURE	DESCRIPTION
Incident Management
Incident Description Improvements	You can now edit the description for an incident and revert back to the Cortex XDR default description from the Incidents > View Incidents page. You can also search the Incidents table by the Incident description.
Incident Sources	You can now easily view and filter all the sources related to the alerts that make up a specific incident from Investigation > Incidents > Incident Sources.
Automatic Incident Resolve	To help you better manage and maintain your incidents, Cortex XDR automatically resolves incidents in which all allocated alerts were excluded. Instances resolved by Cortex XDR are displayed with a Resolved - Auto Resolve status in Investigation > Incidents > Status column.
Agent Management
Static Endpoint Group Creation from File	You can now easily populate a static endpoint group from a file containing endpoint IP addresses, hostnames, and/or aliases. Each endpoint must match a registered endpoint in Cortex XDR for inclusion in the endpoint group.
Policy Usage Count	You can now easily identify the relationship between security profiles and policy rules in Cortex XDR. From the Endpoints > Policy Management > Profiles page, you can view the number of policy rules (Usage Count) that consume a specific security profile in Cortex XDR. From a security profile that has one or more associated policy rules, you can also pivot to the list of policy rules that use the specific profile.
Endpoint Isolation Improvements	To better manage endpoint isolation, you can now do the following: Isolate and cancel isolation on more than one endpoint at a time View the date and time of when an endpoint was isolated in Endpoints > Endpoint Management > Isolation Date column Easily track the status of an endpoint isolation from the Action Center and from the Endpoints > Endpoint Management page where the Endpoint Isolated column displays either Pending Isolation or Pending Isolation Cancelation.
Broker VMs Applet Activation	You can now activate the syslog collector and Windows event collector applets from Settings > Broker VM.
Alert Data Auto Upload	To enable continuous access to your alert data memory dump files, you can enable the Cortex XDR agent to automatically upload the files. To do this, you configure your upload preferences from Endpoints > Policy Management > Profiles > Forensics.
Management Features
New Cortex XDR Report and Dashboard Widgets	Cortex XDR introduces the following new widgets to help you better detect and visualize the status of endpoint alerts and incidents according to Cortex XDR actions, sources, and categories: Data Usage Breakdown Detection by Actions Detection by Category Detection by Source Incidents by Status Response Action Breakdown In addition, you now have the option to change the graph view for widgets to display as either a bar graph or pie chart.
Email Notifications for Alerts	To help you stay informed with the alerts that matter to you most, you can now configure email notifications for all Cortex XDR alert sources directly from the Cortex XDR management console. To streamline alert notifications management, you can define one or more alert notification configurations from the Settings > Alert Notifications page. For each alert notification configuration, you can customize the alert filters, distribution list to use to send the notification, and frequency at which you want Cortex XDR to send the notification.
WildFire Report Visualization	You can easily view and download the WildFire analysis report associated with a file involved in an alert from the Causality View and from and Investigation > Incidents > View Incident page.
PDF Report Password Encryption	You can now better protect sensitive reports by adding a password. You can encrypt a report when defining the email distribution list for your report.
Global Improvements
Cortex XDR Access	To enable access to Palo Alto Networks GCS buckets in GCP, you now have to enable new URLs in your firewall.
Export Results to File	You can now export table results to a tab-separated values (TSV) file for many pages in Cortex XDR including Incidents, Endpoints, Alerts, Whitelist, and Blacklist. You can also use filters to identify a subset of results and export only results that match your filter criteria.
Cortex XDR Analytics Enhancements	The following enhancements have been made: Configure Windows Event Collector Expose a Prometheus endpoint to monitor the Broker VM Syslog collector now supports TCP protocol and port to log type mapping Stability improvements
Public APIs	Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment. The following API capabilities have been added: Scan Endpoints Cancel Endpoint Scan Delete Endpoints Get Endpoints Get Policy Get Device Violations Quarantine File Get Quarantine Status Restore File Retrieve Files Whitelist Files Blacklist Files
Enhancements for Existing Public APIs	The following improvements have been made to existing APIs: Get Incidents - Supports filters description, incident_sources (Response returns hosts, usernames, incident_sources) Get Extra Incident Data - Response returns hosts, usernames, incident_sources Get All Endpoints - Supports filters hostname, username Isolate and Unisolate Endpoints - Supports bulk endpoint isolate/unisolate

Unlock your full community experience!

Cortex XDR New Features for February 2020

New Public APIs for Endpoint and Agent Management*

Incident Management

Agent Management

Management Features

Global Improvements