Cortex XDR v2.2 New Features

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

Palo Alto Networks releases Cortex XDR 2.2. Read about the new features available in Cortex XDR 2.2, including Incident, Agent Management, and Global Improvements. See how these features can help keep your network secure. Find answers on LIVEcommunity.




There were a lot of new features for Cortex XDR 2.2 introduced in March.


The following table describes the features released in March 2020.


Incident Management

Injection Events

You can now easily view more information about injector and injected processes directly from the Causality View and Query Center Results table without the need to navigate between tabs.

  • From the Causality View Events table, right-click a Process Injection row and Analyze the injector/injected process in a separate causality view.
  • In Query Center Results table of a Process Injection action type, right-click the row and select Analyze to view the causality view of either the Injector process or the Injected process.
Rule Visibility for BIOC and IOC Alerts You can now easily view the BIOC or IOC rules that generated alerts directly from the Alerts table without the need to open a new tab. In the Causality View of the alert or incident, right-click an alert row in the Events table and select View generating rule.
Windows Event Log Enhancements You can now run a query, investigate an event, and create BIOC rules for Windows Event Log data.
New Alert Table Fields The Alerts table has been enhanced with additional fields to help you filter and manage your alerts:
  • Firewall source zone, destination zone, and rule name
  • Operating system version
  • MITRE ATT&CK technique and MITRE ATT&CK tactic
  • Identifiers of the operating system entity that created the process that triggered the alert
Causality View Event Enhancements To enable easier navigation taking action more quickly during investigation within the Cortex XDR management console, Behavioral Threat Protection has been enhanced so that you can quickly whitelist, blacklist, terminate, and quarantine a process.

Agent Management

Alert Action Enhancements You can easily create a profile exception directly from the Alerts table without the need to open a new tab. If no Exception profile exists it will allow you to create a new exception.
Action Center Static Filters To help you filter relevant endpoints when initiating a new action, Cortex XDR now provides a static filter on the endpoints table that applies to the targets defined in your action. When navigating to Response Action Center +New Action, in the Target step, the Endpoints table displays only endpoints that are eligible for the action you want to perform.

Management Features

Device Control Configuration Enhancements You now have the ability to manually insert the Vendor and Product ID in hexadecimal code when you add a Device Control Profile.
MITRE ATT&CK Tagging for Alerts and BIOC Rules To help you better manage and get more insights into the types of Alerts and BIOC rules, you can now view the associated MITRE ATT&CK Technique and MITRE ATT&CK Tactic fields.
Auto-Disable of BIOC Rules To ensure your BIOC rules raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR now automatically disables any BIOC rules that reach 5000 or more hits over a 24 hour period. BIOC rules that trigger 5000 or more alerts can indicate that the BIOC rule is too general and that you should refine the rule configuration.

Global Improvements

Enhanced Network Visibility

To provide a more complete and comprehensive summary of processes and activity surrounding a security event, Cortex XDR now stitches together firewall network logs and raw endpoint data. Cortex XDR uses the stitched data to visually depict the source and destination of security processes and connections made over the network.

With enhanced network visibility, you can:

  • Run investigation queries based on stitched network and endpoint logs.
  • Create granular BIOC rules over raw network data and logs from Palo Alto Networks Next-Generation Firewalls.
  • Investigate network alerts in the new Network Causality View.
Granular Role-Based Access Control

To help you better manage user access permissions in Cortex XDR, RBAC configurations now separate what type of views and actions are permitted for each role.

Roles are defined in the hub and allow you to:

  • Assign predefined Cortex XDR Roles
  • Create and save new roles based on the granular permission
  • Edit role permissions (available for user-created roles)
  • Directly assign permissions to users without saving a role
In-App Configuration of Alert and Log Forwarding

To help you stay up-to-date and informed with alerts and logs that matter to you most, Cortex XDR now expands alert notifications to include management audit logs, agent audit logs, and dashboard reports. In addition to forwarding alerts to email accounts, you can now forward alerts to Syslog servers and Slack channels

  • Existing forwarding rules in the Log Forwarding App will be automatically migrated to the Cortex XDR in-app log forwarding in a “disabled” mode. To enable these rules, navigate to Notifications page.
  • Log Forwarding App for Cortex XDR alerts/logs will be shut down at the end of April. Make sure to enable the rules in Cortex XDR and review the new log formats.
Managed Security Improvements

Cortex XDR managed security allows Managed Security Services Providers (MSSP) to easily manage security on behalf of their clients. You can now:

  • Push profiles, BIOC rules, exclusions, and starred alerts
  • View alerts and incidents of child tenants
  • View causality cards and timelines of child tenants
  • Run investigation queries on child tenants
Cortex XDR License Notifications To keep you informed of updates made to your license and avoid service disruptions, Cortex XDR now displays a notification of changes made to your license when you log in. If any actions are required from you.
Broker VM Enhancements

To ease the deployment of Broker VM, the broker VM images are now available directly from the Cortex XDR console. The registration and configuration are managed through web consoles:

  • Broker web console—A web interface allowing you to configure and register the VM to the Cortex server without accessing the VM directly.
  • Cortex XDR management console—Manage your broker VM through the Cortex XDR console, such as track connectivity, edit configurations, and enable real-time monitoring.
Content Roll-out Control

To allow you better control of the security content in your environment, Cortex XDR now allows you to:

  • Halt security content updates
  • Delay security content updates for a defined number of days

The settings can be assigned to specific targets using the policy rules.

Public APIs

API Response Enhancements

When running the following APIs, the true response has been replaced with an action-_id field - {"reply": {"action_id": X}

New Public APIs for Endpoint and Agent Management

Using new Cortex XDR APIs, you can retrieve and manage incidents, endpoints, agents, and installation packages in your environment.

The following API capabilities have been added:


In addition to the new features listed above, Customers can also view Cortex XDR 2.2 new feature videos


Stay up to date and bookmark the TechDocs page on Cortex XDR Release Notes.




Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.


Stay Secure,
Kiwi out!

Register or Sign-in
Top Liked Authors