Palo Alto Networks just released new features in Cortex XDR for May 2020 that can help keep your network secure, including Investigation and Response improvements, Endpoint Prevention and Management improvements, and more.
There are many great features and enhancements in the Cortex XDR release for May 2020, including:
The following table describes the new features released in May 2020.
| FEATURE | DESCRIPTION |
| Investigation and Response | |
| Threat Intelligence Management Integration |
The IOC Rules table has been expanded to include information commonly found on IOCs retrieved from threat intelligence sources. These are:
In addition, when you manually add a single indicator, you can now set its reputation and reliability.
Finally, the Source column in the IOC Rules table has been enhanced so that it can now indicate whether the IOC was inserted into Cortex XDR using a REST API. |
| Causality View Enhancements for Remote Procedure Call (RPC) Events (Requires a Cortex XDR Pro per TB License) |
To expand your investigation capabilities, Cortex XDR now displays when an RPC protocol or code injection event were executed on another process from either a local or remote host.
to view the events executed on behalf of either an IP address or process. |
| IP Address and Hash Views ( Requires a Cortex XDR Pro per TB License) |
To streamline the investigation process and reduce the number of steps it takes to investigate and threat hunt artifacts, Cortex XDR now provides dedicated views for: To help you collect and research information relating to artifacts, the IP View and Hash View automatically aggregate and display a summary of all the information Cortex XDR and threat intelligence reports have on the artifact. From the artifact view, you can also easily navigate to the corresponding incident, query, and filtered view of the Action Center to further inspect and initiate specific actions on the artifact. You can access the views from:
|
| New Alert Table Fields |
The Alerts table has been enhanced with additional fields to help you filter and manage information. |
| Cortex XDR Alert Management |
To allow for greater coverage of your incoming alerts, Cortex XDR now supports 2 million alerts per 4,000 agents or per 20 TB. |
| Incident Visibility in Blacklists and Whitelists |
If during investigation of an incident, you whitelist or blacklist a file, Cortex XDR can now assign the incident ID to the file in the relevant list in the Action Center. This enables you and other administrators to easily identify the related incident when you return to the Action Center to investigate a whitelisted or blacklisted file. If the incident associated with the file is no longer relevant, you can easily change or clear the incident ID number. |
| IOC and BIOC Alert Investigation Enhancements |
To improve the investigation workflow, you can now pivot from an IOC or BIOC rule to a filtered list of alerts triggered by the rule. From an IOC or BIOC rule, you can also pivot to a query of alerts triggered by the rule. |
| Alert to Incident Investigation Enhancements |
To aid in alert investigation, Cortex XDR now displays the related incident ID in Alerts tables (excluding the Incident alert table). You can also easily pivot to the relevant incident and can filter the results by Incident ID. |
| Quick Launcher ( Requires a Cortex XDR Pro license) |
You can now use the Quick Launcher as an in-context shortcut to quickly perform common investigation tasks, or initiate response actions from any place in the Cortex XDR app.
You can bring up the Quick Launcher using the Ctrl-Shift+X shortcut on Windows, CMD+Shift+X shortcut on macOS, or by clicking the Quick Launch icon in the top navigation menu. |
| Native Search (Requires a Cortex XDR Pro license) |
Cortex XDR introduces the new text-based Native Search. You can now build simple and complex text-based queries to search across all available logs and data in Cortex XDR. When you build a query, you enter one or more fields based on the log’s metadata hierarchy, the operator, and the field value. As you enter fields, the query provides autocompletion based on the known log fields. You can also use Regex in your queries. To build complex queries, add complex statements in parentheses using supported operators and string multiple statements together using either and OR or. Text-based queries also support wildcards with the exception of IP addresses and IP address ranges. |
| Query Management Enhancement | You can now easily edit a query in the Query Center. This can be useful if you do not want to create a new query and instead want to modify the original. The option to Edit a query is available from the pivot menu for a query (Investigation > Query Center). |
| Endpoint Prevention and Management | |
| Alert Data Retrieval Enhancements ( Cortex XDR agent 7.1 or later) |
To improve the user experience and reduce unnecessary bandwidth consumption due to duplicate alert data retrieval actions—either by an automatic-upload or administrator-initiated action—Cortex XDR now verifies whether retrieval is already in progress. Now, when you try to retrieve data and an upload is already in progress, Cortex XDR displays a notification to alert you of the retrieval status. If the file is already available, Cortex XDR provides a download link for you to download it immediately. |
| Vulnerability Assessment and Application Inventory ( Cortex XDR agent 7.1 or later, Windows and Linux only) |
You can now identify and quantify the security vulnerabilities on an endpoint directly from the Cortex XDR management console. Relying on the information from Cortex XDR, you can easily mitigate and patch these vulnerabilities on all endpoints in your organization. To provide you with a comprehensive understanding of the vulnerability severity, Cortex XDR retrieves the latest data for each CVE from the NIST National Vulnerability Database, including CVE severity and metrics. During the first few days of this feature roll-out and until Cortex XDR collects the application data from all endpoints in your network, you will see only partial information in Vulnerability Assessment and a system notification that indicates the data is still being collected. When Cortex XDR completes the data collection, it will stop displaying the system notification.
|
| Interactive Script Execution ( Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later) |
To run multiple scripts on a set scope of target endpoints, track the execution progress and view the results in real-time, you can now initiate scripts in Interactive Mode. For each script, Cortex XDR displays the execution progress status on all connected endpoints in the target scope, the script general information, and the execution results. You can launch Interactive Mode at the end of a new Execute Script action, or from the Action Center for already existing script executions. When you are working in Interactive Mode, you can select additional scripts and execute them directly, or add your code snippets using the built-in text editor. |
| Enhancements to Script Upload ( Requires a Cortex XDR Pro Per Endpoint license and Cortex XDR agent 7.1 or later) |
When you upload a new script to the Scripts Library, you can now review and edit the script code during the upload process in the Cortex XDR text editor. |
| Visibility into Disabled Agent Capabilities (Cortex XDR agent 7.1 or later) |
Cortex XDR now provides visibility into which response actions are disabled on the endpoint. You can view a list of the Disabled Capabilities per endpoint in Endpoint Administration: initiating a Live Terminal remote session on the endpoint, executing Python scripts on the endpoint, and retrieving files from the endpoint to Cortex XDR. |
| Alert and Log Ingestion and Forwarding | |
| Okta and Azure Authentication Data Ingestion ( Requires a Cortex XDR Pro license) |
Cortex XDR can now ingest authentication logs from Okta and Azure AD into authentication stories. An authentication story unites logs and data regardless of the information source (from an on-premise KDC or from a cloud-based authentication service) into a uniform schema. To search authentication stories, you can use the Query Builder or new text-based Native Search. |
| Legacy Log Forwarding Format Support |
If you previously used the Log Forwarding App to forward logs to an external syslog receiver or email, you can now use the legacy formats in Cortex XDR. To enable legacy formats, you add a Log Forwarding notification configuration and choose the Use Legacy Log Format option. For information on legacy formats, see Cortex XDR Log Formats. |
| Broker Service | |
| Broker VM Remote Access Enhancements |
To simplify and expand support of remote access to your broker VM, the broker now supports SSH with a public RSA Key Pair allowing you to easily generate your own key and grant access to your colleagues in addition to Cortex XDR support. |
| Broker VM Web Console Enhancements |
To improve the registration process of your broker VM, you can now define the following configurations directly in the Broker VM web console:
|
| Broker VM XDR Console Enhancements |
To help you better manage your registered broker VMs, you can now:
|
| Windows Event Collector Set Up Enhancements ( Requires Cortex XDR Pro per TB License) |
To simplify the process of setting up the Windows Event Collector, you can now generate, activate, and download the required WEC certificates used to establish a connection with your Domain Controller during the setup process directly from the Cortex XDR console. |
| MSSP | |
| New Managed Threat Hunting Service |
Cortex XDR now offers the new Managed Threat Hunting service as an add-on security service. To augment your security team, Managed Threat Hunting provides 24/7, year-round monitoring by Palo Alto Networks threat researchers and Unit 42 experts. The Managed Threat Hunting teams proactively safeguard your organization and provide threat reports for critical security incidents and impact reports for emerging threats that provide an analysis of exposure in your organization. In addition, the Managed Threat Hunting team can identify incidents and provide in-depth review of related threat reports. |
| Cross-Tenant Queries for MSSPs |
To enable managed security service providers (MSSPs) that use Cortex XDR to threat hunt and perform investigations quickly, you can now use the Query Builder to query across multiple child tenants. Cortex XDR provides the tenant query selector at the top of the Query Builder with the option to select one or more child tenants. |
| Public APIs | |
| New APIs for Ingesting Threat Intelligence Feeds |
Two new APIs are now available that can add one or more IOCs to Cortex XDR:
|
| Existing API Enhancements |
To help you gain better visibility and control over which endpoints can be scanned, you can now filter Get Endpoints, Scan Endpoints, and Cancel Scan Endpoints APIs according to the scan status. |
| Script APIs Enhancements |
To help you better understand the Get Script Metadata API response, Cortex XDR has aligned several response fields with how they are displayed in the Cortex XDR management console. |
Stay up to date and bookmark the TechDocs page on Cortex XDR Release Notes.
Thanks for taking time to read the blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.
Stay Secure,
Kiwi out!
