Hello there,
I just finished writing my updates for Cortex XDR Management 2.7 here.
Be sure to check those notes out for all of the details on the Management updates.
As far as the Agent is concerned, Cortex XDR Agent 7.3 has also had a lot of improvements and enhancements made to it.
Cortex XDR Agent 7.3
The Cortex XDR Agent 7.3 features are broken down into three sections, one for each operating system: Windows, Mac and Linux.
Windows

| Feature | Description |
|---|---|
| Remote Malicious Causality Chains Response | When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity, such as encrypting endpoint files, the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint. You can view the list of all blocked IP addresses per endpoint from the Cortex XDR Action Center, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile, where you can also add a specific, known-safe IP address or IP address range to the IP addresses allow list. This capability is supported for IPv4 network connections only. NOTE: When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. |
| Live Terminal Enhancements (Windows and Mac) | To improve the awareness and visibility of the endpoint end user, when you initiate a Live Terminal session from Cortex XDR to the endpoint you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently. |
| Enhanced Local Analysis Prevention | The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples under agent examination against static rules that inspect multiple file attributes and features. The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module. |
| Vulnerable Drivers Protection | Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates. To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection as part of a Malware Security Profile. By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default (Block), you can Report (and allow) vulnerable drivers or disable the module. If needed, you can also configure exceptions to allow specific drivers to run. |
| Device Control for VDI | Cortex XDR now extends Device Control policy for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB devices that were connected before the agent enforced the Device Control policy rules are not blocked after the fact. Note the following limitations: |
| Extended Device Control to Read-Only Disk Drives (Windows and Mac) (Requires Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints) | You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints. |
Mac

| Feature | Description |
|---|---|
| Network Isolation of Endpoints (macOS 10.15.4 and later) | Cortex XDR now extends the Network Isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate the endpoint to halt all network access except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel the isolation from Cortex XDR. Note the following limitations: |
| Live Terminal Enhancements (Windows and Mac) | To improve the awareness and visibility of the endpoint end user, when you initiate a Live Terminal session from Cortex XDR to the endpoint you can now prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently. |
| Extended Device Control to Read-Only Disk Drives (Windows and Mac) (Requires Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints) | You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints. |
| Peer-to-Peer Content Distribution (Mac and Linux) | Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN to retrieve the new content version from other agents that have already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile. |
| Search and Destroy Malicious Files on Endpoints (macOS 10.15.4 and later) (Requires a Cortex XDR Pro per Endpoint license and the Host Insights add-on) | Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file on any or all endpoints on which it exists. |
Linux

| Feature | Description |
|---|---|
| Peer-to-Peer Content Distribution (Mac and Linux) | Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN to retrieve the new content version from other agents that have already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile. |
| Custom Agent Installation Directory | You can now install the Cortex XDR agent in a custom directory on the endpoint instead of the default /opt directory. To do this, set the custom path in the new installation variable --install-path=/<some/path>. After you install the Cortex XDR agent to the custom path, all subsequent upgrades and the removal of the agent from the endpoint are executed in the same location. |
| New Operating Systems Support | You can now install the Cortex XDR agent on Linux endpoints running Debian 10 or openSUSE Leap 15.1. For all supported kernel versions, see the Latest Kernel Module Version Support. |
* All features have been reprinted from the Cortex® XDR™ Agent Release Notes.
More Info
For all of the details from the Cortex XDR Agent release notes, including changes to default behavior and known and addressed issues, please see the full Cortex® XDR™ Agent Release Notes.
Please also do not forget about the LIVEcommunity Cortex XDR Technology page.
This is the one place inside the LIVEcommunity that is dedicated to Cortex XDR discussions, videos, technical articles, customer articles and many more resources.
Please take a second and check it out, if you haven't already.
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line