Cortex XDR Management 2.7 New Features

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L7 Applicator



Hello everyone,

For February 2021, the Cortex group has added many new features for Cortex XDR Management 2.7. So many in fact, that this blog is dedicated just to Cortex XDR Management. The new features for the Agent are listed in a separate blog post available here.


Cortex XDR Management 2.7

For Cortex XDR 2.7, there is a very long list of features that have been added. They are broken down into the following categories:

General, Investigation and Response, External Data Ingestion, Analytics, Asset Management, Endpoint Security and Management, Host Insights, Multitenants and MSSPs, Broker VM and API


There are too many for me to really talk about, but this is an extensive list with so many features to make your life easier working with Cortex XDR.


Grab a coffee and review the list below.


Features Introduced in February 2021 for the Cortex XDR 2.7 release. *
Extended Tab Viewing Options
The option to view results in the same or a new tab are now available in the pivot menus of the following tables:
  • Query Center—Open query results
  • Scheduled Queries —View executed queries
  • Endpoint Management —Open the related Asset View and related incidents of an endpoint
  • Asset Management—Open asset and agent details views
  • BIOC rules—Open the related rule query
In-App New Version Notification
Cortex XDR now displays a notification when you log in to your tenant following a Cortex XDR version upgrade. The notification displays the updated version number and lists selected new features available for your license type.
From the notification, you can choose to pivot to the Release Notes for more information or you can dismiss the notification and view at another time by navigating to User> What’s new  in the Cortex XDR management console.
Audit Logs SHA256 Value Enhancement
To improve your investigation capabilities, Cortex XDR now includes the SHA256 value in the Management Audit and Agent Audit logs for files that you restored and quarantined.
The Management Audit Log and Agent Audit Log Description field in the Cortex XDR management console and the Get Audit Agent Report and the Get Audit Management Log APIs now display the file  description in a new format:
  • Management Audit Logs
    • Restore quarantined file hash <full SHA256> on <endpoint name>
    • Quarantine <file path>, SHA256: <full SHA256> on <endpoint name>
  • Agent Audit Logs
    • Restored file <file path>, SHA256: <full SHA256> on <endpoint name>
    • Quarantined file <file path>, SHA256: <full SHA256> on <endpoint name>
Auto-Disable BIOC Rules Log Description Update in Audit Logs
The Auto-Disabled behavioral indicator of compromise (BIOC) rule Description field displayed in the Management Audit Log page and the Get Audit Management Log API now display the rule  description in a new format:
BIOC rule #<rule number> has been automatically disabled because it reached 10,000 matches in the last 24 hours. Rule name: <rule name>, severity: <severity>
Investigation and Response
XQL Query Language Enhancements
(Requires a Cortex XDR Pro license)
The Cortex XDR Query Language (XQL) is extended in the following ways:
  • You can now perform case-insensitive value searches (by default, field values are case sensitive when searched). To support this, you can now add the config stage to your queries.
New Datasets for XQL Search
(Requires a Cortex XDR Pro license)
Cortex XDR now enables you to query the following data using the Cortex XDR Query Language (XQL):
  • Next-generation firewall logs (available as a new dataset). These fields and data are identical to the log record information that is available using the Explore app.
  • Device control connect and disconnect events (added to the xdr_data dataset).
In addition, log records received from a security information and event management (SIEM) system are parsed into key-value pairs. Log record field values that are not identified as an integer, string, or timestamp are ingested as a JSON record.
Network Preset Name Change in XQL Search
(Requires a Cortex XDR Pro license)
The Network preset for XQL Search of EDR data is changed—it is now Agent Network. This is only a name change; this preset still provides the same network events sent from agents as before this change.
The Agent Network preset is not the same as the Network Story preset that provides stitched network events from different sources.
Additional XQL Search Pivot Functionality
(Requires a Cortex XDR Pro license)
To continue investigation, you can now pivot from XQL Search results to the Causality View and Timeline View. These options are supported for results that identify the following types of events: process (except for those with an event subtype of termination), network, file, registry, injection, load image, system calls, network stories, and Windows event logs.
Histograms for XQL Search Queries
(Requires a Cortex XDR Pro license)
Cortex XDR now automatically generates histograms for every field that is part of an XQL Search result. A histogram is a type of visualization of the results within a specific query. Histograms are similar to bar charts that show the distribution of values within a specific field across a result set. Each time you generate a new query, Cortex XDR will regenerate the histogram based on the updated result set.
NOTE: Histograms are not supported for JSON and array fields.
New Visualizations for Widgets Based on XQL Search Queries
(Requires a Cortex XDR Pro license)
To help you better view and visualize data based on XQL search queries, you can now view your XQL search results in three new modes:
  • Raw —Displays the raw format of the entity in the database.
  • JSON —Displays the entity with a key value distinction.
  • Tree —A dynamic view of the JSON hierarchy with the option to collapse and expand the different hierarchies.
Cortex XDR expanded the type of available widgets so that you can now display the search results using:
  • Pie charts —Includes options for full circle (default), donut, and semicircle charts.
  • Area graphs —Includes options for standard, stacked, and percentage graphs.
  • Bubble graphs —Includes options for standard, packed, and group packed graphs.
  • Scatter graphs
  • Single value totals
  • Gauge graphs —Includes options for radial, filler, and marker graphs.
  • Table —Displays the results table data.
To easily save a visualization after you create a widget, find the widget in the Widget Library.
New Cortex XDR Widget Library
To streamline widget visibility and management, Cortex XDR now enables you to search, view, and edit both your custom widgets and the Cortex XDR predefined widgets in the new Widget Library.
The library is a one-stop page where you can easily add or create widgets to your dashboards and reports to help you continuously monitor your XQL query results, logs, and data visually.
New Incident Management Page
To streamline the Investigation menu, a new Incident Management  page is now available. From this page, you can view starred incidents, manage scoring rules, and view incident exclusions.
Custom Incident Scoring Rules
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight incidents that are significant in your environment, Cortex XDR now enables you to define custom incident scoring rules that prioritize your incidents according to the needs of your organization.
Define scoring rules in the Cortex XDR management console on the Investigations > 
Incident Management  page. Each rule is based on a defined score, an Alert attribute, or the entity on which it occurred. When an alert matching the defined rule is raised, Cortex XDR adds the alert score to the total score of the incident. By default, the alert score is applied only to the first alert that matches the defined rule. Subsequent alerts for the same incident do not receive any score.
The incident score is displayed as a filterable Score field in the Incident table and as a tag in the Incident View.
Featured Alert Fields
(Requires a Cortex XDR Pro license)
To streamline the investigation process and better highlight alerts that are significant to you, Cortex XDR now enables you to label specific alert attributes as Featured Alert Fields.
Featured fields help you track alerts that involve a specific:
  • Host Name
  • User Name
  • IP Address
Label a field as Featured in Investigation > Incident Management > Feature Alert Fields
 and then filter and sort alerts containing the featured fields in the Alerts Table using the new table fields:
  • Contains Featured Host
  • Contains Featured User
  • Contains Featured IP Address
To easily locate alerts containing featured fields, alerts containing one or more of the featured fields are flagged in the Alert Name field with a Flag graphic 
IOC Rule Functionality Enhancements
(Requires a Cortex XDR Pro license)
To ensure your indicators of compromise (IOCs) rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically performs the following tasks:
  • Disables any IOC rules that reach 5,000 or more hits over a 24-hour period.
  • Creates a Rule Exception based on the Process SHA256 field for IOC rules that hit more than 100 endpoints over a 72-hour period.
Network Causality Event Timestamp Investigation
(Requires a Cortex XDR Pro license)
To help you investigate the time frame of security processes and connections made over your network, Cortex XDR now displays the network event timestamp in the Network Causality View.
When selecting the Network Appliance node in the Network Causality View, the event timestamp is now displayed in the Entity Data section of the card.
Enhanced Timestamp Investigation
To enhance your investigation capabilities, you can now narrow the Timestamp field results in the Cortex XDR tables by right-clicking to display rows that are 30 days before or 30 days after the selected field value.
Events Table Results Enhancements
The Events table (available from the Causality View and Timeline View) now includes the following enhancements:
  • The maximum number of related events increased from 10,000 to 100,000.
  • You can now export the related events to a tab-separated values (TSV) file.
  • The following fields are no longer displayed:
    • FILE > File Macro SHA256
    • INJECTION > Injection Type
Slack Notifications Enhancement
To help streamline investigations for alerts you receive on Slack, Cortex XDR now provides a link in Slack notifications to the alert details in Cortex XDR. If the alert is part of an Incident, the notification also includes the link to investigate the incident in Cortex XDR.
Hostname Visibility in Alerts
Hostname visibility in the Cortex XDR Alerts Table is now displayed according to the following guidelines:
  • When a hostname associated with an IP address is known in the Palo Alto Networks Next-Generation Firewalls alerts, Cortex XDR displays the hostname in the Host field.
  • When a hostname associated with an IP address is unknown in the Palo Alto Networks Next-Generation Firewalls and third-party source alerts, the Host field is blank and no longer displays the IP address. However, the IP address is still available in the Host IP  address field.
Native Search Deprecation
For queries on data in your Cortex XDR tenant, Cortex XDR provides query functions using the XQL Search that enable you to query the data, create widgets, and schedule queries, all of which supersede the Native Search.
The Native Search will remain available from the Query Builder only until the next release.
Remote Malicious Causality Chains Response (Windows)
(Requires Cortex XDR agent 7.3 or a later version)
When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypt endpoint files—the agent can now block the IP address to close all existing communication and block new connections from this IP address to the endpoint.
You can view the list of all blocked IP addresses per endpoint from the Cortex XDR 
Action Center, as well as unblock them to re-enable communication as appropriate. You set the action mode in your Malware Security profile where you can also add a specific and known safe IP address or IP address range to the IP addresses allow list. This capability is supported for network connections made in IPv4 only.
NOTE: When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules.
Network Isolation of macOS Endpoints (macOS 10.15.4 and later)
(Requires Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends the Network isolation response action to macOS endpoints. To prevent a compromised macOS endpoint from communicating, you can now isolate your endpoint to halt all network access on the endpoint except for traffic to Cortex XDR. After you isolate an endpoint, the Cortex XDR agent reports an Isolated check-in status and the endpoint remains isolated from the network until you cancel this isolation from Cortex XDR.
Note the following limitations:
  • If during isolation you need the Cortex XDR agent to communicate with an application or proxy, add the process to the Network Isolation Allow List Network Isolation Allow List.
  • To ensure that an endpoint remains in isolation, agent upgrades are not available for isolated endpoints.
Live Terminal Enhancements (Windows and Mac)
(Requires Cortex XDR agent 7.3 or a later version)
To improve the awareness and visibility of the endpoint end user, now when you initiate a Live Terminal session from Cortex XDR to the endpoint, you can prompt the end user to approve the connection request. Additionally, you can configure the Cortex XDR agent to display a blinking light

cortex xdr live-terminal-indication.png

on the tray icon (or in the status bar for Mac endpoints) for the duration of the remote session to indicate to the end user that a live terminal session is in progress. Both settings are optional and you can configure them independently.

External Data Ingestion
PingFederate Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest logs from PingFederate. To receive logs, you must enable PingFederate to send logs in CEF format to the Syslog Collector that you set up on the broker VM.
As soon as Cortex XDR begins receiving logs, the app automatically creates a PingFederate XQL dataset
(ping_identity_pingfederate_raw) and enables you to search the logs using XQL Search. Log information from PingFederate is also visible, when relevant, in the xdr_data dataset and in the 
authentication_story  preset.
Amazon CloudWatch and AWS CloudTrail Log Ingestion
(Requires a Cortex XDR Pro per TB license)
Cortex XDR can now ingest Amazon CloudWatch and AWS CloudTrail Logs. To receive logs, configure 
SaaS Log Collection  settings for the vendor in Cortex XDR.
As soon as Cortex XDR begins receiving logs, the app automatically creates an Amazon AWS XQL dataset (amazon_aws_raw) and enables you to search the logs using XQL Search.
Elasticsearch Filebeat Log Ingestion
(Requires a Cortex XDR Pro per TB license)
When you use Elasticsearch Filebeat to log activity on your endpoints or servers, Cortex XDR can now ingest those file logs. To receive logs, configure the collection settings for Filebeat in Cortex XDR and the output settings in your Filebeat installations.
As soon as Cortex XDR begins receiving logs, Cortex XDR automatically creates a dataset for each collected vendor and product and makes logs available in XQL Search queries.
Google Kubernetes Engine (GKE) Log Ingestion
(Requires a Cortex XDR Pro per TB license)
As an alternative to setting up a GCP Pub/Sub, Cortex XDR can now ingest container logs from Google Kubernetes Engine (GKE) using Elasticsearch Filebeat. To receive logs, you must install Filebeat on your containers and enable SaaS Log Collection settings for Filebeat.
As soon as Cortex XDR begins receiving logs, the app automatically creates a GKE XQL dataset—using the product and vendor that you specify during Filebeat setup—and enables you to search the logs using XQL Search.
Extended Log Ingestion for Syslog in LEEF Format
(Requires a Cortex XDR Pro per TB license)
Cortex XDR extends log ingestion support to vendors sending LEEF over Syslog. As with log ingestion for CEF over Syslog, you can configure the protocol, the IP address and port, and the format settings for the syslog collector.
After Cortex XDR begins receiving logs from the third-party source, it automatically parses the logs in LEEF format and creates a dataset. Cortex XDR extracts the vendor and product name to identify the dataset as <vendor>_<product>_raw. You can then use XQL Search queries to view logs and create new BIOC rules.
Analytics BIOC Visibility and Management
(Requires a Cortex XDR Pro license)
If you have Analytics enabled, Cortex XDR now provides visibility into and enables management of your Analytics BIOC rules by pivoting from the BIOC Rules table to a dedicated page.
For each rule, Cortex XDR displays identifying information, such as name and ID, severity, rule activation status, and any relevant MITRE ATT&CK information. Cortex XDR also enables you to disable or enable Analytics BIOC rules as needed.
To view and manage Analytics BIOC rules, you must have the corresponding permissions enabled for your role.
Asset Management
Enhancements to Asset Management
(Requires a Cortex XDR Pro license)
Cortex XDR now displays also the MAC address vendor name, and the platform running on your managed and unmanaged assets.
Export Network Assets to File
(Requires a Cortex XDR Pro license)
You can now export your Asset Management table results to a tab-separated values (TSV) file.
Endpoint Security and Management
Flexible Agent License Revocation
(Requires a Cortex XDR Pro license)
To enable a flexible revocation policy for Cortex XDR agent licenses, you can now configure the number of days after which the license should be returned when an agent loses the connection to Cortex XDR. In addition, you can configure the number of days after which the agent and related data is removed from the Cortex XDR management console and database. For more information, see Cortex XDR Agent License Revocation.
Enhanced Local Analysis Prevention (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
The Local Analysis module, which prevents the execution of malicious Portable Executables (PEs) and Office documents with macros, now includes a new rule-based static engine that provides an additional layer of protection. The new engine provides additional context to Cortex XDR alerts by matching the samples that are under agent examination to static rules that inspect multiple file attributes and features.
The Local Analysis rules are maintained by the Palo Alto Networks Research team and are updated through content updates. You cannot add, modify, or remove rules from the Local Analysis module.
Bulk Alias Edits for Endpoints
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
To enable you to quickly change the alias for multiple endpoints, you can now perform the action from the 
Endpoint Control  menu on the Endpoint Administration page.
Vulnerable Drivers Protection (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license)
Cortex XDR can now leverage the latest threat research to quickly deploy behavioral threat protection (BTP) rules that detect attempts to load vulnerable drivers. As with other BTP rules, Cortex XDR can deliver changes to vulnerable driver rules with content updates.
To configure vulnerable drivers protection, you must enable Behavioral Threat Protection and configure the Action mode for vulnerable drivers protection  as part of a Malware Security Profile.
By default, Cortex XDR blocks all identified attempts to run vulnerable drivers. If you change the default
(Block), you can Report  (and allow) vulnerable drivers or disable the module.
Device Control for VDI (Windows)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends Device Control for USB devices to include virtual desktop infrastructure (VDI). The Cortex XDR agent enforces the Device Control policy rules on USB devices after the end user logs on to the VDI instance. USB Devices that were connected prior to the agent enforcing the Device Control policy rules are not blocked after the fact.
Note the following limitations:
  • Virtual environments leverage different stacks that might not be subject to the Device Control policy rules that are enforced by the Cortex XDR agent and, therefore, could lead to USB devices that are allowed to connect to the VDI instance in contrast to the configured policy rules.
  • The Cortex XDR agent provides best-effort enforcement of the Device Control policy rules on VDI instances that are running on physical endpoints where a Cortex XDR agent is not deployed.
Extended Device Control to Read-Only Disk Drives (Windows and Mac)
(Requires a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.0 or a later version for Windows endpoints and Cortex XDR agent 7.2 or a later version for Mac endpoints)
You can now set a Device Control policy profile to allow disk drives to connect in read-only mode on the specified endpoints.
Peer-to-Peer Content Distribution (Mac and Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends peer-to-peer content distribution to Mac and Linux endpoints. To reduce bandwidth load when distributing content from Cortex XDR to the Cortex XDR agents, you can enable agents on your LAN network to retrieve the new content version from other agents that already retrieved it. Peer-to-peer content distribution is enabled by default in the Agent Settings Profile.
Custom Agent Installation Directory (Linux)
(Requires a Cortex XDR Prevent or a Cortex XDR Pro per Endpoint license and Cortex XDR agent 7.3 or a later version)
You can now install your Cortex XDR agent in a custom directory on Linux endpoints instead of using the default ./opt  directory. To do this, set the custom path in a new installation variable 
After you install the Cortex XDR to the custom path, all following upgrades and the removal of the agent from the endpoint are executed in the same location. For more information, see how to Install the Cortex XDR Agent for Linux.
New Operating Systems Support (Linux)
(Requires Cortex XDR agent 7.3 or a later version)
You can now install the Cortex XDR agent on Linux endpoints running Debian 10 or OpenSuse Leap 15.1. For all supported kernel versions, see the Latest kernel module version support.
Host Insights Add-on
Search and Destroy Malicious Files on Mac Endpoints (macOS 10.15.4 and later)
(Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.3 or a later version)
Cortex XDR now extends the File Search and Destroy response action to Mac endpoints. You can use search and destroy to take immediate action on known and suspected malicious files. You can search from Cortex XDR for a file by hash or path on endpoints and, after you identify the presence of the file, you can immediately destroy the file from any or all endpoints on which the file exists.
Host Insights Export to File
(Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version)
You can now export all the Cortex XDR host insights tables and respective asset views to a tab-separated values (TSV) file.
Vulnerability Management Name Change
(Requires a Cortex XDR Pro per Endpoint license, a Host-Insights Add-on, and Cortex XDR agent 7.1 or a later version)
To better reflect the feature usage, Vulnerability Management is renamed to Vulnerability Assessment.
Multitenants and MSSPs
Cross-Tenant XQL Queries for Multi-Tenancy
(Requires a Cortex XDR Pro license)
To enable multitenant management that uses XQL Query to view raw data that is stored in Cortex XDR, you can now execute XQL queries on a single child tenant or up to 100 child tenants simultaneously directly from your parent tenant XQL Search page.
When executing XQL queries on a single child tenant, Cortex XDR provides the parent tenant with autocompletion and validation capabilities to all datasets available on the child tenant.
When executing XQL queries on multiple child tenants simultaneously:
  • Autocomplete and validation are supported only on Cortex XDR dataset types, such as EDR data, Cortex XDR Alerts, and Palo Alto Networks New Generation Firewall Logs.
  • Queries are executed on each child tenant separately and return up to one million results split across the selected tenants. For example, an XQL query on 10 tenants returns a maximum of 100,000 results per tenant.
You can view, track, and investigate the query results and graphs for each child tenant in your XQL Search page results table or Query Center by filtering by child tenant.
Broker VM
(Version 11.1.1)
New Supported WEC Event Collection
(Requires a Cortex XDR Pro per TB license)
To expand the Broker VM data collection capabilities, in addition to the default WEC event IDs, you can now configure the Broker VM to collect all or specific Windows event types, such as DHCP, DNS, and IIS event types, directly from the Cortex XDR management console.
WEC Domain Controller Certificate Notifications
(Requires a Cortex XDR Pro per TB license)
To keep you informed of your WEC Domain Controller Certificate status and avoid service disruptions, Cortex XDR now displays a notification of the remaining time left on your license or whether your license is expired.
Approved Remote Terminal Command
When you connect to a broker VM remotely, Cortex XDR now allows you to perform the following privileged commands:
  • hostnamectl —Update a hostname.
  • edit_routes —Update static network routes.
New Featured Alert Fields APIs
(Requires a Cortex XDR Pro license)
To expand your API capabilities, Cortex XDR now provides the APIs to help you manage your featured alert fields. Using the following APIs you can delete and replace existing featured alert fields:
  • Replace Featured Hosts
  • Replace Featured Users
  • Replace Featured IP Addresses
  • Replace Featured Active Directory Groups
Enhanced Visibility of Incident Data
To help you gain greater visibility of requested API data when calling Get Incidents and Get Extra Incident Data APIs, the response section now includes the following Incident Scoring fields:
  • rule_based_score —The incident score calculated by the Incident Scoring Rules.
  • manual_score —The incident score updated manually by an Admin  user.
Enhanced Visibility of Alert Data
To help you gain greater visibility of Alerts that include Featured host name, username, or IP address, the Get Alerts API response now includes the following boolean type fields:
  • contains_featured_host —Either True  or False  depending on whether the alert contains a featured host name.
  • contains_featured_user —Either True or False depending on whether the alert contains a featured username.
  • contains_featured_ip —Either True or False depending on whether the alert contains a featured IP address.
Enhanced Insert Parsed Alerts Capabilities
To enable you to include additional information when running the Insert Parsed Alerts API, you can now send the action status taken on an alert (Reported or Blocked) using the action_status field.

* - All new features were reprinted from the Cortex XDR Release Notes


More Info

For even more information on all of the details included in the release notes for Cortex XDR, including all past features, Associated Software and Content Versions, and known issues, please visit the Cortex XDR Release Notes page.


Please also do not forget about the LIVEcommunity Cortex XDR Technology page

This is the one place that we have here on the LIVEcommunity that is dedicated to Cortex XDR discussions, Videos, technical articles, customer articles and even more resources.


Screen Shot 2021-02-02 at 5.29.26 PM.png

Please take a second and check it out if you haven't yet. 

LIVEcommunity Cortex XDR Technology page



Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog area.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Joe Delio
End of line

Register or Sign-in
Top Liked Authors