Palo Alto Networks released Cortex XDR 2.3. Read about the new features available in Cortex XDR 2.3, including Incident, Agent Management, and Global Improvements. See how these features can help keep your network secure.
| FEATURE | DESCRIPTION |
Incident Management |
|
| OS Actor Visibility and Investigation |
Cortex XDR now provides complete visibility into OS actors—processes that create a process on behalf of a different initiator. When Cortex XDR detects suspicious activity from an OS Actor, details about the process and activity are available with the alerts and from the Causality View. You can also use the Query Builder to search endpoint data for OS Actor attributes. |
| Causality View Enhancements for Devices | When you investigate an alert in the Causality View, Cortex XDR now displays information about any related CD-ROM and Removable media devices including Type, Vendor, Product, and Serial Number. |
Endpoint Prevention and Management |
|
| Script Execution (Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later) |
You can now run Python 3.7 scripts on your endpoints directly from Cortex XDR. Cortex XDR provides pre-canned scripts for common endpoint remediation and endpoint management actions. You can also write and upload your own Python scripts and code snippets into Cortex XDR. Cortex XDR enables you to manage, run, and track the script execution on the endpoints, as well as store and display the execution results per endpoint. To learn more about script execution, see Run Scripts on an Endpoint. |
| Full Visibility into the Cortex XDR Agent Operational Status (Cortex XDR agent 7.1 or later) |
From the Cortex XDR management console, you now have full visibility into the Cortex XDR agent operational status on the endpoint, which indicates whether the agent is providing protection according to its predefined security policies and profiles. By observing the operational status on the endpoint, you can identify when the agent suffers from a technical issue or misconfiguration that interferes with the agent’s protection capabilities or interaction with Cortex XDR and other applications. The Cortex XDR agent reports the operational status as follows:
You can monitor the operational status of your endpoints from the Endpoint Administration table. See Monitoring Agent Operational Status for the implications the operational status has on the endpoint. |
| Disk Encryption Using BitLocker (Windows only and with Cortex XDR agent 7.1 or later) |
Cortex XDR now provides visibility into Windows endpoints that encrypt their hard drives using BitLocker, the Microsoft Windows built-in encryption tool. To enable disk encryption visibility, you set Disk Encryption profiles and apply them to Policy rules on your Windows endpoints. Additionally, you can apply Disk Encryption profiles to your enforce the BitLocker encryption or decryption of the endpoint operating system disk.
To provide visibility and interoperability into the encrypted endpoints, Cortex XDR leverages the Microsoft Windows APIs for BitLocker. The Cortex XDR agent applies the Microsoft Windows BitLocker rules on the endpoint according to the Disk Encryption settings configured in the Cortex XDR management console.
|
| Host Firewall for Cortex XDR Agents (Windows only and with Cortex XDR agent 7.1 or later) |
To reduce the attack surface originating in network communications to and from the endpoint, you can now control all inbound and outbound communications on your Windows endpoints with the Cortex XDR Host Firewall. To use the host firewall, you set rules that allow or block the traffic on the endpoints and apply them to your endpoints using Cortex XDR policy rules. To fine tune the network communication configuration on the endpoint, you can apply host firewall rules according to the following:
To control inbound and outbound communication of your endpoints, Cortex XDR leverages the Microsoft Windows Filtering Platform APIs. The Cortex XDR agent applies the Microsoft Windows Filtering Platform rules on the endpoint according to the settings configured in the Cortex XDR management console.
|
| Automatic Agent Upgrades |
You can now ensure your Windows, Mac, and Linux endpoints are always up-to-date with the latest Cortex XDR agent release by enabling automatic agent upgrades. For increased flexibility, you can choose to apply automatic upgrades to major releases only, to minor releases only, or to both. You can set auto-upgrade for Cortex XDR agents running on Windows, Mac, and Linux endpoints in the Agent Settings Profile and apply it to a policy rule.
To configure automatic upgrades for your agents, see Add a New Agent Settings Profile.. |
| Dormant Malware Scanning (Mac only and with Cortex XDR agent 7.1 or later) |
In addition to blocking the execution of malware, the Cortex XDR agent can now scan the system drives of your Mac endpoints for dormant malware that is not actively attempting to run. During a malware scan, the Cortex XDR agent leverages WildFire to examine mach-O files and system drives only. When a malicious file is detected, the Cortex XDR agent reports the malware to Cortex XDR so that you can manually take action to remove the malware before it attempts to harm the endpoint. While unsupported file types excluded from the scan, additional agent protection capabilities continue to monitor and evaluate those files. |
| Agent Installation through Package Manager (Linux only and with Cortex XDR agent 7.1 or later) |
You can now create Cortex XDR agent installation packages in .rpm or .deb formats, which are deployed on the endpoint using a Linux package manager. Additionally, you can choose to upgrade existing Cortex XDR agents using the new formats, even if they were installed or upgraded using the Shell installer previously.
For the detailed workflow, see Create an Agent Installation Package. |
| New Distribution Support (Linux only and with Cortex XDR agent 7.1 or later) |
You can now install the Cortex XDR agent on Linux endpoints running RHEL8, CentOS8, Oracle 8, SUSE 15, SUSE 15 SP1, and SUSE 11 SP4 distributions.
The Cortex XDR agent does not enforce injection-based protection modules (ROP Mitigation, SO Hijacking Protection, and Brute Force Protection) on 32-bit processes running on 64-bit SUSE 15 SP1 endpoints. All other exploit and malware protection modules work as expected.
EDR is supported only on SUSE 12 SP5, not all SUSE 12 versions.
Additionally, the Cortex XDR agent now supports the kernel module for SUSE 12.
For full compatibility information, see the Compatibility Matrix. |
| MAC Address Reporting (Cortex XDR agent 7.1 or later) |
To gain better visibility into endpoints in your network, the Cortex XDR agent now reports the endpoint MAC address and corresponding IP address to Cortex XDR. You can search and filter endpoints in Cortex XDR according to the MAC address, and can also use the Query Builder to search events by the reporting endpoint MAC address. |
| Endpoints Navigation Changes | For improved navigation of endpoint features, the Cortex XDR management console now organizes the Endpoints menus as follows:
|
| Endpoint Group Name Portability | When you apply endpoint policy rules to specific endpoint groups, Cortex XDR now uses the unique endpoint group ID for assignment instead of the name. This eliminates the need for you to update your policy rules after you change the name of an endpoint group. |
| Restricting Response Actions on the Endpoint | If you want to prevent Cortex XDR from accessing your endpoint and performing invasive actions, you can permanently disable the option for Cortex XDR to perform all, or a combination, of the following actions on endpoints running a Cortex XDR agent: initiate a Live Terminal remote session on the endpoint, execute Python scripts on the endpoint, and retrieve files from the endpoint to Cortex XDR. You disable these actions when you install the Cortex XDR agent on the endpoint. Disabling any of these actions is irreversible, so if you later want to enable the action on the endpoint, you must uninstall the Cortex XDR agent and install a new package on the endpoint. |
Global Improvements |
|
| Broker VM Extended Application Support | To ease the deployment of broker VM when using Azure and Hyper-V 2012 and later, you can now download a VDH image from the Cortex XDR management console when configuring your broker VM. |
| Cortex XDR Deployment Enhancements | To simplify deployment of Cortex XDR, the list of required firewall URLs to enable has been consolidated.
panw-xdr-evr-prod-us.storageapis.google.com is now replacing the following URLs:
|
Public APIs |
|
| API Enhancements | To improve and simplify the use of the public Cortex XDR APIs, the following enhancements have been made:
|
Stay up to date and bookmark the TechDocs page on Cortex XDR Release Notes.
In addition to the new features listed above, Customers can also view Cortex XDR 2.3 new feature videos.
Thanks for taking time to read the blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.
Stay Secure,
Kiwi out!
